From 74136da0c5e73207ec2e3b3470c0af6ef3f22612 Mon Sep 17 00:00:00 2001 From: Max Goedjen Date: Sat, 11 Mar 2023 15:54:39 -0800 Subject: [PATCH] Verification --- .../SecureEnclaveStore.swift | 6 ++-- .../SmartCardSecretKit/SmartCardStore.swift | 6 ++-- .../Tests/SecretAgentKitTests/StubStore.swift | 33 +++++++++++++++++++ 3 files changed, 39 insertions(+), 6 deletions(-) diff --git a/Sources/Packages/Sources/SecureEnclaveSecretKit/SecureEnclaveStore.swift b/Sources/Packages/Sources/SecureEnclaveSecretKit/SecureEnclaveStore.swift index e071e0f..7a8f641 100644 --- a/Sources/Packages/Sources/SecureEnclaveSecretKit/SecureEnclaveStore.swift +++ b/Sources/Packages/Sources/SecureEnclaveSecretKit/SecureEnclaveStore.swift @@ -162,11 +162,11 @@ extension SecureEnclave { throw KeychainError(statusCode: errSecSuccess) } let key = untypedSafe as! SecKey - let signature = SecKeyVerifySignature(key, .ecdsaSignatureMessageX962SHA256, data as CFData, signature as CFData, &verifyError) - if !signature { + let verified = SecKeyVerifySignature(key, .ecdsaSignatureMessageX962SHA256, data as CFData, signature as CFData, &verifyError) + if !verified, let verifyError { throw SigningError(error: verifyError) } - return signature + return verified } public func existingPersistedAuthenticationContext(secret: Secret) -> PersistedAuthenticationContext? { diff --git a/Sources/Packages/Sources/SmartCardSecretKit/SmartCardStore.swift b/Sources/Packages/Sources/SmartCardSecretKit/SmartCardStore.swift index c6ea705..7cd9bec 100644 --- a/Sources/Packages/Sources/SmartCardSecretKit/SmartCardStore.swift +++ b/Sources/Packages/Sources/SmartCardSecretKit/SmartCardStore.swift @@ -111,11 +111,11 @@ extension SmartCard { default: fatalError() } - let signature = SecKeyVerifySignature(key, signatureAlgorithm, data as CFData, signature as CFData, &verifyError) - if !signature { + let verified = SecKeyVerifySignature(key, signatureAlgorithm, data as CFData, signature as CFData, &verifyError) + if !verified, let verifyError { throw SigningError(error: verifyError) } - return signature + return verified } public func existingPersistedAuthenticationContext(secret: SmartCard.Secret) -> PersistedAuthenticationContext? { diff --git a/Sources/Packages/Tests/SecretAgentKitTests/StubStore.swift b/Sources/Packages/Tests/SecretAgentKitTests/StubStore.swift index cc6cb3b..20d2c52 100644 --- a/Sources/Packages/Tests/SecretAgentKitTests/StubStore.swift +++ b/Sources/Packages/Tests/SecretAgentKitTests/StubStore.swift @@ -70,6 +70,39 @@ extension Stub { return SecKeyCreateSignature(privateKey, signatureAlgorithm, data as CFData, nil)! as Data } + public func verify(data: Data, signature: Data, with secret: Stub.Secret) throws -> Bool { + let attributes = KeychainDictionary([ + kSecAttrKeyType: secret.algorithm.secAttrKeyType, + kSecAttrKeySizeInBits: secret.keySize, + kSecAttrKeyClass: kSecAttrKeyClassPublic + ]) + var verifyError: Unmanaged? + let untyped: CFTypeRef? = SecKeyCreateWithData(secret.publicKey as CFData, attributes, &verifyError) + guard let untypedSafe = untyped else { + throw NSError(domain: "test", code: 0, userInfo: nil) + } + let key = untypedSafe as! SecKey + let signatureAlgorithm: SecKeyAlgorithm + switch (secret.algorithm, secret.keySize) { + case (.ellipticCurve, 256): + signatureAlgorithm = .ecdsaSignatureMessageX962SHA256 + case (.ellipticCurve, 384): + signatureAlgorithm = .ecdsaSignatureMessageX962SHA384 + case (.rsa, 1024): + signatureAlgorithm = .rsaSignatureMessagePKCS1v15SHA512 + case (.rsa, 2048): + signatureAlgorithm = .rsaSignatureMessagePKCS1v15SHA512 + default: + fatalError() + } + let verified = SecKeyVerifySignature(key, signatureAlgorithm, data as CFData, signature as CFData, &verifyError) + if verifyError != nil { + print(verifyError!.takeUnretainedValue()) + throw NSError(domain: "test", code: 0, userInfo: nil) + } + return verified + } + public func existingPersistedAuthenticationContext(secret: Stub.Secret) -> PersistedAuthenticationContext? { nil }