From d241151ec77ccec82f820f209b60b508090959d7 Mon Sep 17 00:00:00 2001 From: Lucwousin Date: Sat, 18 May 2019 23:08:35 +0200 Subject: [PATCH] Re-enable certificate checking for gamepack and remove unused method (#300) --- .../net/runelite/client/rs/ClientLoader.java | 44 +++++++++++-------- 1 file changed, 25 insertions(+), 19 deletions(-) diff --git a/runelite-client/src/main/java/net/runelite/client/rs/ClientLoader.java b/runelite-client/src/main/java/net/runelite/client/rs/ClientLoader.java index 8c5c8a14e7..599ab9889b 100644 --- a/runelite-client/src/main/java/net/runelite/client/rs/ClientLoader.java +++ b/runelite-client/src/main/java/net/runelite/client/rs/ClientLoader.java @@ -33,19 +33,22 @@ import com.google.gson.Gson; import io.sigpipe.jbsdiff.InvalidHeaderException; import io.sigpipe.jbsdiff.Patch; import java.applet.Applet; -import java.io.BufferedInputStream; import java.io.ByteArrayOutputStream; import java.io.IOException; import java.io.InputStream; import java.io.InputStreamReader; import java.lang.reflect.InvocationTargetException; import java.net.URL; +import java.security.cert.Certificate; +import java.security.cert.CertificateException; +import java.security.cert.CertificateFactory; +import java.util.Arrays; +import java.util.Collection; import java.util.HashMap; import java.util.Map; import java.util.jar.Attributes; import java.util.jar.JarEntry; import java.util.jar.JarInputStream; -import java.util.jar.JarOutputStream; import java.util.jar.Manifest; import javax.inject.Inject; import javax.inject.Named; @@ -91,6 +94,7 @@ public class ClientLoader Map zipFile = new HashMap<>(); { + Certificate[] jagexCertificateChain = getJagexCertificateChain(); String codebase = config.getCodeBase(); String initialJar = config.getInitialJar(); URL url = new URL(codebase + initialJar); @@ -124,6 +128,20 @@ public class ClientLoader buffer.write(tmp, 0, n); } + if (!Arrays.equals(metadata.getCertificates(), jagexCertificateChain)) + { + if (metadata.getName().startsWith("META-INF/")) + { + // META-INF/JAGEXLTD.SF and META-INF/JAGEXLTD.RSA are not signed, but we don't need + // anything in META-INF anyway. + continue; + } + else + { + throw new VerificationException("Unable to verify jar entry: " + metadata.getName()); + } + } + zipFile.put(metadata.getName(), buffer.toByteArray()); } } @@ -240,7 +258,7 @@ public class ClientLoader rs.setStub(new RSAppletStub(config)); return rs; } - catch (IOException | ClassNotFoundException | InstantiationException | IllegalAccessException | CompressorException | InvalidHeaderException | SecurityException | NoSuchMethodException | InvocationTargetException e) + catch (IOException | ClassNotFoundException | InstantiationException | IllegalAccessException | CompressorException | InvalidHeaderException | SecurityException | NoSuchMethodException | InvocationTargetException | CertificateException | VerificationException e) { if (e instanceof ClassNotFoundException) { @@ -254,22 +272,10 @@ public class ClientLoader } } - private void add(byte[] bytes, String entryName, JarOutputStream target) throws IOException + private static Certificate[] getJagexCertificateChain() throws CertificateException { - BufferedInputStream in = null; - try - { - JarEntry entry = new JarEntry(entryName); - target.putNextEntry(entry); - target.write(bytes); - target.closeEntry(); - } - finally - { - if (in != null) - { - in.close(); - } - } + CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509"); + Collection certificates = certificateFactory.generateCertificates(ClientLoader.class.getResourceAsStream("jagex.crt")); + return certificates.toArray(new Certificate[0]); } }