diff --git a/Sources/Packages/Sources/SecretKit/Types/SecretStore.swift b/Sources/Packages/Sources/SecretKit/Types/SecretStore.swift
index f780201..954fe21 100644
--- a/Sources/Packages/Sources/SecretKit/Types/SecretStore.swift
+++ b/Sources/Packages/Sources/SecretKit/Types/SecretStore.swift
@@ -79,3 +79,15 @@ extension NSNotification.Name {
     public static let secretStoreReloaded = NSNotification.Name("com.maxgoedjen.Secretive.secretStore.reloaded")
 
 }
+
+public typealias SecurityError = Unmanaged
+
+extension CFError {
+
+    public static let verifyError = CFErrorCreate(nil, NSOSStatusErrorDomain as CFErrorDomain, CFIndex(errSecVerifyFailed), nil)!
+
+    static public func ~=(lhs: CFError, rhs: CFError) -> Bool {
+        CFErrorGetDomain(lhs) == CFErrorGetDomain(rhs) && CFErrorGetCode(lhs) == CFErrorGetCode(rhs)
+    }
+
+}
diff --git a/Sources/Packages/Sources/SecureEnclaveSecretKit/SecureEnclaveStore.swift b/Sources/Packages/Sources/SecureEnclaveSecretKit/SecureEnclaveStore.swift
index 7e4685a..4cd32f9 100644
--- a/Sources/Packages/Sources/SecureEnclaveSecretKit/SecureEnclaveStore.swift
+++ b/Sources/Packages/Sources/SecureEnclaveSecretKit/SecureEnclaveStore.swift
@@ -164,7 +164,11 @@ extension SecureEnclave {
             let key = untypedSafe as! SecKey
             let verified = SecKeyVerifySignature(key, .ecdsaSignatureMessageX962SHA256, data as CFData, signature as CFData, &verifyError)
             if !verified, let verifyError {
-                throw SigningError(error: verifyError)
+                if verifyError.takeUnretainedValue() ~= .verifyError {
+                    return false
+                } else {
+                    throw SigningError(error: verifyError)
+                }
             }
             return verified
         }
@@ -313,11 +317,6 @@ extension SecureEnclave {
 
 }
 
-extension SecureEnclave {
-
-    public typealias SecurityError = Unmanaged
-
-}
 
 extension SecureEnclave {
 
diff --git a/Sources/Packages/Sources/SmartCardSecretKit/SmartCardStore.swift b/Sources/Packages/Sources/SmartCardSecretKit/SmartCardStore.swift
index 8c170ba..156bc99 100644
--- a/Sources/Packages/Sources/SmartCardSecretKit/SmartCardStore.swift
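Review bot: The `~=` overload added to CFError in the SecretStore.swift hunk compares domain and code only, and because it is `public` every `switch`/`case` pattern over a CFError in modules importing SecretKit now resolves through it, yet nothing in the hunk says so. I would document it on the operator, e.g. `/// Matches on error domain and code only; userInfo is not compared.`, and on the constant, e.g. `/// Sentinel for errSecVerifyFailed in NSOSStatusErrorDomain, used to tell "signature invalid" from "could not verify".` The modifier order `static public func ~=` is legal but reads oddly next to the `public static let` above it; `public static func ~=` is the conventional form. The force-unwrap on `CFErrorCreate` is presumably safe for constant inputs, but a one-line comment saying why would stop the next reader from flagging it.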
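Review bot: On the new `return false` path in the SecureEnclaveStore.swift verify hunk, the CFError obtained with `verifyError.takeUnretainedValue()` is never released; as I read the Security framework convention, the error out-parameter of `SecKeyVerifySignature` follows the Create rule, so `takeRetainedValue()` is the matching call and the unretained variant leaves one CFError unreleased per failed verification — worth confirming against how `SigningError(error:)` consumes the same value, which is outside this hunk. The same pattern appears in the SmartCardStore.swift verify hunk and the StubStore.swift hunk. The behaviour itself is the right one: only `errSecVerifyFailed` maps to `false` and any other error still throws, so a verification that could not be carried out is never reported as merely a bad signature. The enclosing `verify` begins before the hunk.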
+++ b/Sources/Packages/Sources/SmartCardSecretKit/SmartCardStore.swift
@@ -113,7 +113,11 @@ extension SmartCard {
             }
             let verified = SecKeyVerifySignature(key, signatureAlgorithm, data as CFData, signature as CFData, &verifyError)
             if !verified, let verifyError {
-                throw SigningError(error: verifyError)
+                if verifyError.takeUnretainedValue() ~= .verifyError {
+                    return false
+                } else {
+                    throw SigningError(error: verifyError)
+                }
             }
             return verified
         }
@@ -218,7 +222,7 @@ extension SmartCard.Store {
             kSecAttrKeyClass: kSecAttrKeyClassPublic,
             kSecUseAuthenticationContext: context
         ])
-        var encryptError: SmartCard.SecurityError?
+        var encryptError: SecurityError?
         let untyped: CFTypeRef? = SecKeyCreateWithData(secret.publicKey as CFData, attributes, &encryptError)
         guard let untypedSafe = untyped else {
             throw SmartCard.KeychainError(statusCode: errSecSuccess)
@@ -271,7 +275,7 @@ extension SmartCard.Store {
             throw SmartCard.KeychainError(statusCode: errSecSuccess)
         }
         let key = untypedSafe as! SecKey
-        var encryptError: SmartCard.SecurityError?
+        var encryptError: SecurityError?
         let signatureAlgorithm: SecKeyAlgorithm
         switch (secret.algorithm, secret.keySize) {
         case (.ellipticCurve, 256):
@@ -315,9 +319,3 @@ extension SmartCard {
     }
 
 }
-
-extension SmartCard {
-
-    public typealias SecurityError = Unmanaged
-
-}
diff --git a/Sources/Packages/Tests/SecretAgentKitTests/AgentTests.swift b/Sources/Packages/Tests/SecretAgentKitTests/AgentTests.swift
index a7fcc11..398da9f 100644
--- a/Sources/Packages/Tests/SecretAgentKitTests/AgentTests.swift
+++ b/Sources/Packages/Tests/SecretAgentKitTests/AgentTests.swift
@@ -61,13 +61,17 @@ class AgentTests: XCTestCase {
         var rs = r
         rs.append(s)
         let signature = try! P256.Signing.ECDSASignature(rawRepresentation: rs)
-        let refereneceValid = try! P256.Signing.PublicKey(x963Representation: Constants.Secrets.ecdsa256Secret.publicKey).isValidSignature(signature, for: dataToSign)
+        let referenceValid = try! P256.Signing.PublicKey(x963Representation: Constants.Secrets.ecdsa256Secret.publicKey).isValidSignature(signature, for: dataToSign)
         let store = list.stores.first!
-        let valid = try? store.verify(signature: rs, for: dataToSign, with: AnySecret(Constants.Secrets.ecdsa256Secret))
-        let invalid = try? store.verify(signature: rs, for: dataToSign, with: AnySecret(Constants.Secrets.ecdsa256Secret))
-        XCTAssertTrue(refereneceValid)
-        XCTAssert(valid == true)
-        XCTAssert(invalid == false)
+        let derVerifies = try! store.verify(signature: signature.derRepresentation, for: dataToSign, with: AnySecret(Constants.Secrets.ecdsa256Secret))
+        let invalidRandomSignature = try? store.verify(signature: "invalid".data(using: .utf8)!, for: dataToSign, with: AnySecret(Constants.Secrets.ecdsa256Secret))
+        let invalidRandomData = try? store.verify(signature: signature.derRepresentation, for: "invalid".data(using: .utf8)!, with: AnySecret(Constants.Secrets.ecdsa256Secret))
+        let invalidWrongKey = try? store.verify(signature: signature.derRepresentation, for: dataToSign, with: AnySecret(Constants.Secrets.ecdsa384Secret))
+        XCTAssertTrue(referenceValid)
+        XCTAssertTrue(derVerifies)
+        XCTAssert(invalidRandomSignature == false)
+        XCTAssert(invalidRandomData == false)
+        XCTAssert(invalidWrongKey == false)
     }
 
     // MARK: Witness protocol
diff --git a/Sources/Packages/Tests/SecretAgentKitTests/StubStore.swift b/Sources/Packages/Tests/SecretAgentKitTests/StubStore.swift
index e4b1ae0..acbda1d 100644
--- a/Sources/Packages/Tests/SecretAgentKitTests/StubStore.swift
+++ b/Sources/Packages/Tests/SecretAgentKitTests/StubStore.swift
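Review bot: `XCTAssert(invalidRandomSignature == false)` and the two assertions after it fail identically whether `verify` threw (`try?` yields nil) or returned `true`, which is exactly the distinction this change introduces; `XCTAssertEqual(invalidRandomSignature, false)` prints the actual optional on failure and keeps that information. The `try!` on `derVerifies` (and on `referenceValid`) aborts the whole test process on a thrown error instead of failing one test; the test method is declared before the hunk, and marking it `throws` with a plain `try` would give a normal failure. The `invalidRandomSignature` case passes a non-DER blob, so whether it returns `false` or throws depends on how `SecKeyVerifySignature` reports a malformed signature; if a `false` result is the intended contract, a one-line comment on that line would make the expectation explicit.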
@@ -96,9 +96,12 @@ extension Stub {
             fatalError()
         }
         let verified = SecKeyVerifySignature(key, signatureAlgorithm, data as CFData, signature as CFData, &verifyError)
-        if verifyError != nil {
-            print(verifyError!.takeUnretainedValue())
-            throw NSError(domain: "test", code: 0, userInfo: nil)
+        if let verifyError {
+            if verifyError.takeUnretainedValue() ~= .verifyError {
+                return false
+            } else {
+                throw NSError(domain: "test", code: 0, userInfo: nil)
+            }
         }
         return verified
     }
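Review bot: With the `print` removed, the `throw NSError(domain: "test", code: 0, userInfo: nil)` branch discards the underlying CFError entirely, so a stub verification that fails for any reason other than `errSecVerifyFailed` surfaces in a test as an anonymous code-0 error with no diagnostic. Throwing the real error instead, `throw verifyError.takeRetainedValue() as Error`, keeps the failure reason visible and, if the out-parameter follows the Create rule as I believe it does, also balances the reference that `takeUnretainedValue()` leaves unreleased. The enclosing `verify` begins before the hunk.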