secretive/SecretKit/SmartCard/SmartCardStore.swift

import Foundation
import Security
import CryptoTokenKit
import LocalAuthentication

// TODO: Might need to split this up into "sub-stores?"
// ie, each token has its own Store.
extension SmartCard {

    public class Store: SecretStore {

        // TODO: Read actual smart card name, eg "YubiKey 5c"
        @Published public var isAvailable: Bool = false
        public let id = UUID()
        public private(set) var name = NSLocalizedString("Smart Card", comment: "Smart Card")
        @Published public private(set) var secrets: [Secret] = []
        private let watcher = TKTokenWatcher()
        private var tokenID: String?

        public init() {
            tokenID = watcher.nonSecureEnclaveTokens.first
            watcher.setInsertionHandler { string in
                guard self.tokenID == nil else { return }
                guard !string.contains("setoken") else { return }

                self.tokenID = string
                self.reloadSecrets()
                self.watcher.addRemovalHandler(self.smartcardRemoved, forTokenID: string)
            }
            if let tokenID = tokenID {
                self.isAvailable = true
                self.watcher.addRemovalHandler(self.smartcardRemoved, forTokenID: tokenID)
            }
            loadSecrets()
        }

        // MARK: Public API

        public func create(name: String) throws {
            fatalError("Keys must be created on the smart card.")
        }

        public func delete(secret: Secret) throws {
            fatalError("Keys must be deleted on the smart card.")
        }

        public func sign(data: Data, with secret: SecretType, for provenance: SigningRequestProvenance) throws -> Data {
            guard let tokenID = tokenID else { fatalError() }
            let context = LAContext()
            context.localizedReason = "sign a request from \"\(provenance.origin.displayName)\" using secret \"\(secret.name)\""
            context.localizedCancelTitle = "Deny"
            let attributes = [
                kSecClass: kSecClassKey,
                kSecAttrKeyClass: kSecAttrKeyClassPrivate,
                kSecAttrApplicationLabel: secret.id as CFData,
                kSecAttrTokenID: tokenID,
                kSecUseAuthenticationContext: context,
                kSecReturnRef: true
                ] as CFDictionary
            var untyped: CFTypeRef?
            let status = SecItemCopyMatching(attributes, &untyped)
            if status != errSecSuccess {
                throw KeychainError(statusCode: status)
            }
            guard let untypedSafe = untyped else {
                throw KeychainError(statusCode: errSecSuccess)
            }
            let key = untypedSafe as! SecKey
            var signError: SecurityError?
            let signatureAlgorithm: SecKeyAlgorithm
            switch (secret.algorithm, secret.keySize) {
            case (.ellipticCurve, 256):
                signatureAlgorithm = .ecdsaSignatureMessageX962SHA256
            case (.ellipticCurve, 384):
                signatureAlgorithm = .ecdsaSignatureMessageX962SHA384
            default:
                fatalError()
            }
            guard let signature = SecKeyCreateSignature(key, signatureAlgorithm, data as CFData, &signError) else {
                throw SigningError(error: signError)
            }
            return signature as Data
        }

    }

}

extension SmartCard.Store {

    private func smartcardRemoved(for tokenID: String? = nil) {
        self.tokenID = nil
        reloadSecrets()
    }

    private func reloadSecrets() {
        DispatchQueue.main.async {
            self.isAvailable = self.tokenID != nil
            self.secrets.removeAll()
            self.loadSecrets()
        }
    }

    private func loadSecrets() {
        guard let tokenID = tokenID else { return }
        // Hack to read name if there's only one smart card
        let slotNames = TKSmartCardSlotManager().slotNames
        if watcher.nonSecureEnclaveTokens.count == 1 && slotNames.count == 1 {
            name = slotNames.first!
        } else {
            name = NSLocalizedString("Smart Card", comment: "Smart Card")
        }

        let attributes = [
            kSecClass: kSecClassKey,
            kSecAttrTokenID: tokenID,
            kSecAttrKeyType: kSecAttrKeyTypeEC, // Restrict to EC
            kSecReturnRef: true,
            kSecMatchLimit: kSecMatchLimitAll,
            kSecReturnAttributes: true
            ] as CFDictionary
        var untyped: CFTypeRef?
        SecItemCopyMatching(attributes, &untyped)
        guard let typed = untyped as? [[CFString: Any]] else { return }
        let wrapped: [SmartCard.Secret] = typed.map {
            let name = $0[kSecAttrLabel] as? String ?? "Unnamed"
            let tokenID = $0[kSecAttrApplicationLabel] as! Data
            let algorithm = Algorithm(secAttr: $0[kSecAttrKeyType] as! NSNumber)
            let keySize = $0[kSecAttrKeySizeInBits] as! Int
            let publicKeyRef = $0[kSecValueRef] as! SecKey
            let publicKeySecRef = SecKeyCopyPublicKey(publicKeyRef)!
            let publicKeyAttributes = SecKeyCopyAttributes(publicKeySecRef) as! [CFString: Any]
            let publicKey = publicKeyAttributes[kSecValueData] as! Data
            return SmartCard.Secret(id: tokenID, name: name, algorithm: algorithm, keySize: keySize, publicKey: publicKey)
        }
        secrets.append(contentsOf: wrapped)
    }

}

extension TKTokenWatcher {

    fileprivate var nonSecureEnclaveTokens: [String] {
        tokenIDs.filter { !$0.contains("setoken") }
    }

}

extension SmartCard {

    public struct KeychainError: Error {
        public let statusCode: OSStatus
    }

    public struct SigningError: Error {
        public let error: SecurityError?
    }

}

extension SmartCard {

    public typealias SecurityError = Unmanaged<CFError>

}
Secure enclave implementation 2020-03-04 07:14:38 +00:00			`import Foundation`
			`import Security`
			`import CryptoTokenKit`
Show request details in Secure prompts (#146) 2020-09-24 04:51:48 +00:00			`import LocalAuthentication`
Secure enclave implementation 2020-03-04 07:14:38 +00:00
Dump 2020-03-06 06:47:13 +00:00			`// TODO: Might need to split this up into "sub-stores?"`
			`// ie, each token has its own Store.`
Secure enclave implementation 2020-03-04 07:14:38 +00:00			`extension SmartCard {`

			`public class Store: SecretStore {`

			`// TODO: Read actual smart card name, eg "YubiKey 5c"`
Availibilty 2020-03-07 23:42:40 +00:00			`@Published public var isAvailable: Bool = false`
More progress. 2020-03-09 03:03:40 +00:00			`public let id = UUID()`
Fileprivate -> private (#91) 2020-05-16 06:19:00 +00:00			`public private(set) var name = NSLocalizedString("Smart Card", comment: "Smart Card")`
			`@Published public private(set) var secrets: [Secret] = []`
			`private let watcher = TKTokenWatcher()`
			`private var tokenID: String?`
Secure enclave implementation 2020-03-04 07:14:38 +00:00
			`public init() {`
Hacky fix for #16 2020-03-18 03:41:37 +00:00			`tokenID = watcher.nonSecureEnclaveTokens.first`
Smart card working 2020-03-06 08:52:44 +00:00			`watcher.setInsertionHandler { string in`
More progress. 2020-03-09 03:03:40 +00:00			`guard self.tokenID == nil else { return }`
Dump 2020-03-06 06:47:13 +00:00			`guard !string.contains("setoken") else { return }`
Hacky fix for #16 2020-03-18 03:41:37 +00:00
More progress. 2020-03-09 03:03:40 +00:00			`self.tokenID = string`
Remove changes 2020-03-07 23:20:59 +00:00			`self.reloadSecrets()`
Availibilty 2020-03-07 23:42:40 +00:00			`self.watcher.addRemovalHandler(self.smartcardRemoved, forTokenID: string)`
Remove changes 2020-03-07 23:20:59 +00:00			`}`
More progress. 2020-03-09 03:03:40 +00:00			`if let tokenID = tokenID {`
Availibilty 2020-03-07 23:42:40 +00:00			`self.isAvailable = true`
More progress. 2020-03-09 03:03:40 +00:00			`self.watcher.addRemovalHandler(self.smartcardRemoved, forTokenID: tokenID)`
Secure enclave implementation 2020-03-04 07:14:38 +00:00			`}`
Smart card working 2020-03-06 08:52:44 +00:00			`loadSecrets()`
			`}`

			`// MARK: Public API`

			`public func create(name: String) throws {`
			`fatalError("Keys must be created on the smart card.")`
Secure enclave implementation 2020-03-04 07:14:38 +00:00			`}`

Smart card working 2020-03-06 08:52:44 +00:00			`public func delete(secret: Secret) throws {`
			`fatalError("Keys must be deleted on the smart card.")`
Secure enclave implementation 2020-03-04 07:14:38 +00:00			`}`

Show request details in Secure prompts (#146) 2020-09-24 04:51:48 +00:00			`public func sign(data: Data, with secret: SecretType, for provenance: SigningRequestProvenance) throws -> Data {`
More progress. 2020-03-09 03:03:40 +00:00			`guard let tokenID = tokenID else { fatalError() }`
Show request details in Secure prompts (#146) 2020-09-24 04:51:48 +00:00			`let context = LAContext()`
Move app name + iconurl to tracer. (#149) 2020-09-28 06:09:23 +00:00			`context.localizedReason = "sign a request from \"\(provenance.origin.displayName)\" using secret \"\(secret.name)\""`
Show request details in Secure prompts (#146) 2020-09-24 04:51:48 +00:00			`context.localizedCancelTitle = "Deny"`
Smart card working 2020-03-06 08:52:44 +00:00			`let attributes = [`
			`kSecClass: kSecClassKey,`
			`kSecAttrKeyClass: kSecAttrKeyClassPrivate,`
			`kSecAttrApplicationLabel: secret.id as CFData,`
More progress. 2020-03-09 03:03:40 +00:00			`kSecAttrTokenID: tokenID,`
Show request details in Secure prompts (#146) 2020-09-24 04:51:48 +00:00			`kSecUseAuthenticationContext: context,`
Smart card working 2020-03-06 08:52:44 +00:00			`kSecReturnRef: true`
			`] as CFDictionary`
			`var untyped: CFTypeRef?`
			`let status = SecItemCopyMatching(attributes, &untyped)`
			`if status != errSecSuccess {`
			`throw KeychainError(statusCode: status)`
			`}`
			`guard let untypedSafe = untyped else {`
			`throw KeychainError(statusCode: errSecSuccess)`
			`}`
			`let key = untypedSafe as! SecKey`
			`var signError: SecurityError?`
Supporting different EC sizes, RSA not working yet 2020-03-09 05:17:59 +00:00			`let signatureAlgorithm: SecKeyAlgorithm`
			`switch (secret.algorithm, secret.keySize) {`
			`case (.ellipticCurve, 256):`
			`signatureAlgorithm = .ecdsaSignatureMessageX962SHA256`
			`case (.ellipticCurve, 384):`
			`signatureAlgorithm = .ecdsaSignatureMessageX962SHA384`
			`default:`
			`fatalError()`
			`}`
			`guard let signature = SecKeyCreateSignature(key, signatureAlgorithm, data as CFData, &signError) else {`
Smart card working 2020-03-06 08:52:44 +00:00			`throw SigningError(error: signError)`
			`}`
			`return signature as Data`
Secure enclave implementation 2020-03-04 07:14:38 +00:00			`}`

			`}`
Smart card working 2020-03-06 08:52:44 +00:00
			`}`

			`extension SmartCard.Store {`

Fileprivate -> private (#91) 2020-05-16 06:19:00 +00:00			`private func smartcardRemoved(for tokenID: String? = nil) {`
More progress. 2020-03-09 03:03:40 +00:00			`self.tokenID = nil`
Availibilty 2020-03-07 23:42:40 +00:00			`reloadSecrets()`
			`}`

Fileprivate -> private (#91) 2020-05-16 06:19:00 +00:00			`private func reloadSecrets() {`
Remove changes 2020-03-07 23:20:59 +00:00			`DispatchQueue.main.async {`
More progress. 2020-03-09 03:03:40 +00:00			`self.isAvailable = self.tokenID != nil`
Remove changes 2020-03-07 23:20:59 +00:00			`self.secrets.removeAll()`
			`self.loadSecrets()`
			`}`
			`}`

Fileprivate -> private (#91) 2020-05-16 06:19:00 +00:00			`private func loadSecrets() {`
More progress. 2020-03-09 03:03:40 +00:00			`guard let tokenID = tokenID else { return }`
Hacky fix for #16 2020-03-18 03:41:37 +00:00			`// Hack to read name if there's only one smart card`
			`let slotNames = TKSmartCardSlotManager().slotNames`
			`if watcher.nonSecureEnclaveTokens.count == 1 && slotNames.count == 1 {`
			`name = slotNames.first!`
			`} else {`
			`name = NSLocalizedString("Smart Card", comment: "Smart Card")`
			`}`

Smart card working 2020-03-06 08:52:44 +00:00			`let attributes = [`
			`kSecClass: kSecClassKey,`
More progress. 2020-03-09 03:03:40 +00:00			`kSecAttrTokenID: tokenID,`
Restrict to EC only 2020-03-10 05:06:51 +00:00			`kSecAttrKeyType: kSecAttrKeyTypeEC, // Restrict to EC`
Smart card working 2020-03-06 08:52:44 +00:00			`kSecReturnRef: true,`
			`kSecMatchLimit: kSecMatchLimitAll,`
			`kSecReturnAttributes: true`
			`] as CFDictionary`
			`var untyped: CFTypeRef?`
Cleanup 2020-03-06 09:05:20 +00:00			`SecItemCopyMatching(attributes, &untyped)`
Smart card working 2020-03-06 08:52:44 +00:00			`guard let typed = untyped as? [[CFString: Any]] else { return }`
			`let wrapped: [SmartCard.Secret] = typed.map {`
			`let name = $0[kSecAttrLabel] as? String ?? "Unnamed"`
More progress. 2020-03-09 03:03:40 +00:00			`let tokenID = $0[kSecAttrApplicationLabel] as! Data`
Supporting different EC sizes, RSA not working yet 2020-03-09 05:17:59 +00:00			`let algorithm = Algorithm(secAttr: $0[kSecAttrKeyType] as! NSNumber)`
			`let keySize = $0[kSecAttrKeySizeInBits] as! Int`
Smart card working 2020-03-06 08:52:44 +00:00			`let publicKeyRef = $0[kSecValueRef] as! SecKey`
			`let publicKeySecRef = SecKeyCopyPublicKey(publicKeyRef)!`
			`let publicKeyAttributes = SecKeyCopyAttributes(publicKeySecRef) as! [CFString: Any]`
			`let publicKey = publicKeyAttributes[kSecValueData] as! Data`
Supporting different EC sizes, RSA not working yet 2020-03-09 05:17:59 +00:00			`return SmartCard.Secret(id: tokenID, name: name, algorithm: algorithm, keySize: keySize, publicKey: publicKey)`
Smart card working 2020-03-06 08:52:44 +00:00			`}`
			`secrets.append(contentsOf: wrapped)`
			`}`

			`}`

Hacky fix for #16 2020-03-18 03:41:37 +00:00			`extension TKTokenWatcher {`

			`fileprivate var nonSecureEnclaveTokens: [String] {`
			`tokenIDs.filter { !$0.contains("setoken") }`
			`}`

			`}`

Smart card working 2020-03-06 08:52:44 +00:00			`extension SmartCard {`

			`public struct KeychainError: Error {`
			`public let statusCode: OSStatus`
			`}`

			`public struct SigningError: Error {`
			`public let error: SecurityError?`
			`}`

			`}`

			`extension SmartCard {`

			`public typealias SecurityError = Unmanaged<CFError>`

Secure enclave implementation 2020-03-04 07:14:38 +00:00			`}`