diff --git a/Sources/Packages/Sources/SecureEnclaveSecretKit/SecureEnclaveStore.swift b/Sources/Packages/Sources/SecureEnclaveSecretKit/SecureEnclaveStore.swift
index e071e0f..7a8f641 100644
--- a/Sources/Packages/Sources/SecureEnclaveSecretKit/SecureEnclaveStore.swift
+++ b/Sources/Packages/Sources/SecureEnclaveSecretKit/SecureEnclaveStore.swift
@@ -162,11 +162,11 @@ extension SecureEnclave {
 throw KeychainError(statusCode: errSecSuccess)
 }
 let key = untypedSafe as! SecKey
- let signature = SecKeyVerifySignature(key, .ecdsaSignatureMessageX962SHA256, data as CFData, signature as CFData, &verifyError)
- if !signature {
+ let verified = SecKeyVerifySignature(key, .ecdsaSignatureMessageX962SHA256, data as CFData, signature as CFData, &verifyError)
+ if !verified, let verifyError {
 throw SigningError(error: verifyError)
 }
- return signature
+ return verified
 }
 
 public func existingPersistedAuthenticationContext(secret: Secret) -> PersistedAuthenticationContext? {
diff --git a/Sources/Packages/Sources/SmartCardSecretKit/SmartCardStore.swift b/Sources/Packages/Sources/SmartCardSecretKit/SmartCardStore.swift
index c6ea705..7cd9bec 100644
--- a/Sources/Packages/Sources/SmartCardSecretKit/SmartCardStore.swift
+++ b/Sources/Packages/Sources/SmartCardSecretKit/SmartCardStore.swift
@@ -111,11 +111,11 @@ extension SmartCard {
 default:
 fatalError()
 }
- let signature = SecKeyVerifySignature(key, signatureAlgorithm, data as CFData, signature as CFData, &verifyError)
- if !signature {
+ let verified = SecKeyVerifySignature(key, signatureAlgorithm, data as CFData, signature as CFData, &verifyError)
+ if !verified, let verifyError {
 throw SigningError(error: verifyError)
 }
- return signature
+ return verified
 }
 
 public func existingPersistedAuthenticationContext(secret: SmartCard.Secret) -> PersistedAuthenticationContext? {
diff --git a/Sources/Packages/Tests/SecretAgentKitTests/StubStore.swift b/Sources/Packages/Tests/SecretAgentKitTests/StubStore.swift
index cc6cb3b..20d2c52 100644
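Review bot: The new `if !verified, let verifyError` guard only throws when `SecKeyVerifySignature` populated `verifyError`, so a `false` result with a nil error now falls through to `return verified` and is reported as an ordinary `false`, whereas the removed check threw on every failed verification. A caller that writes `try store.verify(...)` and discards the `Bool` would treat that case as success, and the signature `throws -> Bool` does not tell callers which of the two channels signals a bad signature. Either keep a throw on the `!verified` path regardless of the error — `guard verified else { throw SigningError(error: verifyError) }` if `SigningError(error:)` still accepts a nil error, otherwise a dedicated failure case — or add `/// Returns false when the signature does not verify; callers must check the result as well as catching errors.` above `verify`. The framework is expected to set the error on a verification failure, but the API does not guarantee it, and the same pattern appears in the SmartCardStore hunk and in the new `verify` in StubStore, which inspects only `verifyError`. The enclosing `verify` starts outside the hunk.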
--- a/Sources/Packages/Tests/SecretAgentKitTests/StubStore.swift
+++ b/Sources/Packages/Tests/SecretAgentKitTests/StubStore.swift
@@ -70,6 +70,39 @@ extension Stub {
 return SecKeyCreateSignature(privateKey, signatureAlgorithm, data as CFData, nil)! as Data
 }
 
+ public func verify(data: Data, signature: Data, with secret: Stub.Secret) throws -> Bool {
+ let attributes = KeychainDictionary([
+ kSecAttrKeyType: secret.algorithm.secAttrKeyType,
+ kSecAttrKeySizeInBits: secret.keySize,
+ kSecAttrKeyClass: kSecAttrKeyClassPublic
+ ])
+ var verifyError: Unmanaged?
+ let untyped: CFTypeRef? = SecKeyCreateWithData(secret.publicKey as CFData, attributes, &verifyError)
+ guard let untypedSafe = untyped else {
+ throw NSError(domain: "test", code: 0, userInfo: nil)
+ }
+ let key = untypedSafe as! SecKey
+ let signatureAlgorithm: SecKeyAlgorithm
+ switch (secret.algorithm, secret.keySize) {
+ case (.ellipticCurve, 256):
+ signatureAlgorithm = .ecdsaSignatureMessageX962SHA256
+ case (.ellipticCurve, 384):
+ signatureAlgorithm = .ecdsaSignatureMessageX962SHA384
+ case (.rsa, 1024):
+ signatureAlgorithm = .rsaSignatureMessagePKCS1v15SHA512
+ case (.rsa, 2048):
+ signatureAlgorithm = .rsaSignatureMessagePKCS1v15SHA512
+ default:
+ fatalError()
+ }
+ let verified = SecKeyVerifySignature(key, signatureAlgorithm, data as CFData, signature as CFData, &verifyError)
+ if verifyError != nil {
+ print(verifyError!.takeUnretainedValue())
+ throw NSError(domain: "test", code: 0, userInfo: nil)
+ }
+ return verified
+ }
+
 public func existingPersistedAuthenticationContext(secret: Stub.Secret) -> PersistedAuthenticationContext? {
 nil
 }
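Review bot: `print(verifyError!.takeUnretainedValue())` force-unwraps immediately after a nil check and then throws a bare `NSError(domain: "test", code: 0, userInfo: nil)`, so a failing verification test reports only that placeholder while the real CFError goes to stdout. Binding the error and throwing it directly gives the test failure a useful message: `if let verifyError { throw verifyError.takeRetainedValue() as Error }`, using `takeRetainedValue()` because the Security framework hands back an error object the caller owns, whereas the `Unretained` variant leaks it (harmless in a test, but the wrong convention to copy from). The same `verifyError` variable is reused for `SecKeyCreateWithData` and `SecKeyVerifySignature`, so if the first call ever set it while still returning a key the check would attribute that stale error to the verify step; a separate variable, or resetting it to nil before the verify call, keeps the two failures distinguishable. As in the SecureEnclaveStore hunk, `return verified` is reached whenever the error is nil, so callers of this stub must assert on the `Bool` rather than rely on a throw.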