Rounded out the rest of the SmartCardStore API (#450)

* Rounded out the rest of the SmartCardStore API.

* Comments and shuffling around

* Expose verify as public api

* Verification

* Tweak verify signature

* Cleanup and tests

---------

Co-authored-by: Max Goedjen <max.goedjen@gmail.com>

Sources/Packages/Tests/SecretAgentKitTests/AgentTests.swift

@@ -61,8 +61,17 @@ class AgentTests: XCTestCase {
         var rs = r
         rs.append(s)
         let signature = try! P256.Signing.ECDSASignature(rawRepresentation: rs)
-        let valid = try! P256.Signing.PublicKey(x963Representation: Constants.Secrets.ecdsa256Secret.publicKey).isValidSignature(signature, for: dataToSign)
-        XCTAssertTrue(valid)
+        let referenceValid = try! P256.Signing.PublicKey(x963Representation: Constants.Secrets.ecdsa256Secret.publicKey).isValidSignature(signature, for: dataToSign)
+        let store = list.stores.first!
+        let derVerifies = try! store.verify(signature: signature.derRepresentation, for: dataToSign, with: AnySecret(Constants.Secrets.ecdsa256Secret))
+        let invalidRandomSignature = try? store.verify(signature: "invalid".data(using: .utf8)!, for: dataToSign, with: AnySecret(Constants.Secrets.ecdsa256Secret))
+        let invalidRandomData = try? store.verify(signature: signature.derRepresentation, for: "invalid".data(using: .utf8)!, with: AnySecret(Constants.Secrets.ecdsa256Secret))
+        let invalidWrongKey = try? store.verify(signature: signature.derRepresentation, for: dataToSign, with: AnySecret(Constants.Secrets.ecdsa384Secret))
+        XCTAssertTrue(referenceValid)
+        XCTAssertTrue(derVerifies)
+        XCTAssert(invalidRandomSignature == false)
+        XCTAssert(invalidRandomData == false)
+        XCTAssert(invalidWrongKey == false)
     }
 
     // MARK: Witness protocol

Sources/Packages/Tests/SecretAgentKitTests/StubStore.swift

@@ -70,6 +70,42 @@ extension Stub {
             return SecKeyCreateSignature(privateKey, signatureAlgorithm, data as CFData, nil)! as Data
         }
 
+        public func verify(signature: Data, for data: Data, with secret: Stub.Secret) throws -> Bool {
+            let attributes = KeychainDictionary([
+                kSecAttrKeyType: secret.algorithm.secAttrKeyType,
+                kSecAttrKeySizeInBits: secret.keySize,
+                kSecAttrKeyClass: kSecAttrKeyClassPublic
+            ])
+            var verifyError: Unmanaged<CFError>?
+            let untyped: CFTypeRef? = SecKeyCreateWithData(secret.publicKey as CFData, attributes, &verifyError)
+            guard let untypedSafe = untyped else {
+                throw NSError(domain: "test", code: 0, userInfo: nil)
+            }
+            let key = untypedSafe as! SecKey
+            let signatureAlgorithm: SecKeyAlgorithm
+            switch (secret.algorithm, secret.keySize) {
+            case (.ellipticCurve, 256):
+                signatureAlgorithm = .ecdsaSignatureMessageX962SHA256
+            case (.ellipticCurve, 384):
+                signatureAlgorithm = .ecdsaSignatureMessageX962SHA384
+            case (.rsa, 1024):
+                signatureAlgorithm = .rsaSignatureMessagePKCS1v15SHA512
+            case (.rsa, 2048):
+                signatureAlgorithm = .rsaSignatureMessagePKCS1v15SHA512
+            default:
+                fatalError()
+            }
+            let verified = SecKeyVerifySignature(key, signatureAlgorithm, data as CFData, signature as CFData, &verifyError)
+            if let verifyError {
+                if verifyError.takeUnretainedValue() ~= .verifyError {
+                    return false
+                } else {
+                    throw NSError(domain: "test", code: 0, userInfo: nil)
+                }
+            }
+            return verified
+        }
+
         public func existingPersistedAuthenticationContext(secret: Stub.Secret) -> PersistedAuthenticationContext? {
             nil
         }