Rounded out the rest of the SmartCardStore API (#450)

* Rounded out the rest of the SmartCardStore API. * Comments and shuffling around * Expose verify as public api * Verification * Tweak verify signature * Cleanup and tests --------- Co-authored-by: Max Goedjen <max.goedjen@gmail.com>
2026-03-13 13:07:22 +01:00 · 2023-03-12 10:21:09 +10:00
parent f54b2a33bf
commit 43a9e287c3
10 changed files with 266 additions and 17 deletions
--- a/Sources/Packages/Sources/SecretKit/Erasers/AnySecretStore.swift
+++ b/Sources/Packages/Sources/SecretKit/Erasers/AnySecretStore.swift
@@ -10,6 +10,7 @@ public class AnySecretStore: SecretStore {
    private let _name: () -> String
    private let _secrets: () -> [AnySecret]
    private let _sign: (Data, AnySecret, SigningRequestProvenance) throws -> Data
+    private let _verify: (Data, Data, AnySecret) throws -> Bool
    private let _existingPersistedAuthenticationContext: (AnySecret) -> PersistedAuthenticationContext?
    private let _persistAuthentication: (AnySecret, TimeInterval) throws -> Void
    private let _reloadSecrets: () -> Void
@@ -23,6 +24,7 @@ public class AnySecretStore: SecretStore {
        _id = { secretStore.id }
        _secrets = { secretStore.secrets.map { AnySecret($0) } }
        _sign = { try secretStore.sign(data: $0, with: $1.base as! SecretStoreType.SecretType, for: $2) }
+        _verify = { try secretStore.verify(signature: $0, for: $1, with: $2.base as! SecretStoreType.SecretType) }
        _existingPersistedAuthenticationContext = { secretStore.existingPersistedAuthenticationContext(secret: $0.base as! SecretStoreType.SecretType) }
        _persistAuthentication = { try secretStore.persistAuthentication(secret: $0.base as! SecretStoreType.SecretType, forDuration: $1) }
        _reloadSecrets = { secretStore.reloadSecrets() }
@@ -51,6 +53,10 @@ public class AnySecretStore: SecretStore {
        try _sign(data, secret, provenance)
    }

+    public func verify(signature: Data, for data: Data, with secret: AnySecret) throws -> Bool {
+        try _verify(signature, data, secret)
+    }
+
    public func existingPersistedAuthenticationContext(secret: AnySecret) -> PersistedAuthenticationContext? {
        _existingPersistedAuthenticationContext(secret)
    }
--- a/Sources/Packages/Sources/SecretKit/OpenSSH/OpenSSHKeyWriter.swift
+++ b/Sources/Packages/Sources/SecretKit/OpenSSH/OpenSSHKeyWriter.swift
@@ -64,6 +64,10 @@ extension OpenSSHKeyWriter {
        switch algorithm {
        case .ellipticCurve:
            return "ecdsa-sha2-nistp" + String(describing: length)
+        case .rsa:
+            // All RSA keys use the same 512 bit hash function, per
+            // https://security.stackexchange.com/questions/255074/why-are-rsa-sha2-512-and-rsa-sha2-256-supported-but-not-reported-by-ssh-q-key
+            return "rsa-sha2-512"
        }
    }

@@ -76,6 +80,9 @@ extension OpenSSHKeyWriter {
        switch algorithm {
        case .ellipticCurve:
            return "nistp" + String(describing: length)
+        case .rsa:
+            // All RSA keys use the same 512 bit hash function
+            return "rsa-sha2-512"
        }
    }

--- a/Sources/Packages/Sources/SecretKit/Types/Secret.swift
+++ b/Sources/Packages/Sources/SecretKit/Types/Secret.swift
@@ -20,6 +20,7 @@ public protocol Secret: Identifiable, Hashable {
 public enum Algorithm: Hashable {

    case ellipticCurve
+    case rsa

    /// Initializes the Algorithm with a secAttr representation of an algorithm.
    /// - Parameter secAttr: the secAttr, represented as an NSNumber.
@@ -28,8 +29,19 @@ public enum Algorithm: Hashable {
        switch secAttrString {
        case kSecAttrKeyTypeEC:
            self = .ellipticCurve
+        case kSecAttrKeyTypeRSA:
+            self = .rsa
        default:
            fatalError()
        }
    }
+    
+    public var secAttrKeyType: CFString {
+        switch self {
+        case .ellipticCurve:
+            return kSecAttrKeyTypeEC
+        case .rsa:
+            return kSecAttrKeyTypeRSA
+        }
+    }
 }
--- a/Sources/Packages/Sources/SecretKit/Types/SecretStore.swift
+++ b/Sources/Packages/Sources/SecretKit/Types/SecretStore.swift
@@ -23,6 +23,14 @@ public protocol SecretStore: ObservableObject, Identifiable {
    /// - Returns: The signed data.
    func sign(data: Data, with secret: SecretType, for provenance: SigningRequestProvenance) throws -> Data

+    /// Verifies that a signature is valid over a specified payload.
+    /// - Parameters:
+    ///   - signature: The signature over the data.
+    ///   - data: The data to verify the signature of.
+    ///   - secret: The secret whose signature to verify.
+    /// - Returns: Whether the signature was verified.
+    func verify(signature: Data, for data: Data, with secret: SecretType) throws -> Bool
+
    /// Checks to see if there is currently a valid persisted authentication for a given secret.
    /// - Parameters:
    ///   - secret: The ``Secret`` to check if there is a persisted authentication for.
@@ -71,3 +79,15 @@ extension NSNotification.Name {
    public static let secretStoreReloaded = NSNotification.Name("com.maxgoedjen.Secretive.secretStore.reloaded")

 }
+
+public typealias SecurityError = Unmanaged<CFError>
+
+extension CFError {
+
+    public static let verifyError = CFErrorCreate(nil, NSOSStatusErrorDomain as CFErrorDomain, CFIndex(errSecVerifyFailed), nil)!
+
+    static public func ~=(lhs: CFError, rhs: CFError) -> Bool {
+        CFErrorGetDomain(lhs) == CFErrorGetDomain(rhs) && CFErrorGetCode(lhs) == CFErrorGetCode(rhs)
+    }
+
+}