From e3938caecb7b2b143db14f4ee929e54bf2a331c9 Mon Sep 17 00:00:00 2001
From: Max Goedjen
Date: Sat, 23 Aug 2025 15:26:40 -0700
Subject: [PATCH] Remove unused verify functions. (#621)
---
 .../SecretKit/Erasers/AnySecretStore.swift | 6 ----
 .../Sources/SecretKit/Types/SecretStore.swift | 8 -----
 .../SecureEnclaveStore.swift | 35 -------------------
 .../SmartCardSecretKit/SmartCardStore.swift | 23 ------------
 .../SecretAgentKitTests/AgentTests.swift | 16 +++------
 .../Tests/SecretAgentKitTests/StubStore.swift | 23 ------------
 .../Preview Content/PreviewStore.swift | 8 -----
 7 files changed, 4 insertions(+), 115 deletions(-)
diff --git a/Sources/Packages/Sources/SecretKit/Erasers/AnySecretStore.swift b/Sources/Packages/Sources/SecretKit/Erasers/AnySecretStore.swift
index f62bab1..4259846 100644
--- a/Sources/Packages/Sources/SecretKit/Erasers/AnySecretStore.swift
+++ b/Sources/Packages/Sources/SecretKit/Erasers/AnySecretStore.swift
@@ -10,7 +10,6 @@ public class AnySecretStore: SecretStore, @unchecked Sendable {
 private let _name: @MainActor @Sendable () -> String
 private let _secrets: @MainActor @Sendable () -> [AnySecret]
 private let _sign: @Sendable (Data, AnySecret, SigningRequestProvenance) async throws -> Data
- private let _verify: @Sendable (Data, Data, AnySecret) async throws -> Bool
 private let _existingPersistedAuthenticationContext: @Sendable (AnySecret) async -> PersistedAuthenticationContext?
 private let _persistAuthentication: @Sendable (AnySecret, TimeInterval) async throws -> Void
 private let _reloadSecrets: @Sendable () async -> Void
@@ -22,7 +21,6 @@ public class AnySecretStore: SecretStore, @unchecked Sendable {
 _id = { secretStore.id }
 _secrets = { secretStore.secrets.map { AnySecret($0) } }
 _sign = { try await secretStore.sign(data: $0, with: $1.base as! SecretStoreType.SecretType, for: $2) }
- _verify = { try await secretStore.verify(signature: $0, for: $1, with: $2.base as! SecretStoreType.SecretType) }
 _existingPersistedAuthenticationContext = { await secretStore.existingPersistedAuthenticationContext(secret: $0.base as! SecretStoreType.SecretType) }
 _persistAuthentication = { try await secretStore.persistAuthentication(secret: $0.base as! SecretStoreType.SecretType, forDuration: $1) }
 _reloadSecrets = { await secretStore.reloadSecrets() }
@@ -48,10 +46,6 @@ public class AnySecretStore: SecretStore, @unchecked Sendable {
 try await _sign(data, secret, provenance)
 }
- public func verify(signature: Data, for data: Data, with secret: AnySecret) async throws -> Bool {
- try await _verify(signature, data, secret)
- }
-
 public func existingPersistedAuthenticationContext(secret: AnySecret) async -> PersistedAuthenticationContext? {
 await _existingPersistedAuthenticationContext(secret)
 }
diff --git a/Sources/Packages/Sources/SecretKit/Types/SecretStore.swift b/Sources/Packages/Sources/SecretKit/Types/SecretStore.swift
index c47c17e..9bf80ce 100644
--- a/Sources/Packages/Sources/SecretKit/Types/SecretStore.swift
+++ b/Sources/Packages/Sources/SecretKit/Types/SecretStore.swift
@@ -23,14 +23,6 @@ public protocol SecretStore: Identifiable, Sendable {
 /// - Returns: The signed data.
 func sign(data: Data, with secret: SecretType, for provenance: SigningRequestProvenance) async throws -> Data
- /// Verifies that a signature is valid over a specified payload.
- /// - Parameters:
- /// - signature: The signature over the data.
- /// - data: The data to verify the signature of.
- /// - secret: The secret whose signature to verify.
- /// - Returns: Whether the signature was verified.
- func verify(signature: Data, for data: Data, with secret: SecretType) async throws -> Bool
-
 /// Checks to see if there is currently a valid persisted authentication for a given secret.
 /// - Parameters:
 /// - secret: The ``Secret`` to check if there is a persisted authentication for.
diff --git a/Sources/Packages/Sources/SecureEnclaveSecretKit/SecureEnclaveStore.swift b/Sources/Packages/Sources/SecureEnclaveSecretKit/SecureEnclaveStore.swift
index f999b7e..6b64c1d 100644
--- a/Sources/Packages/Sources/SecureEnclaveSecretKit/SecureEnclaveStore.swift
+++ b/Sources/Packages/Sources/SecureEnclaveSecretKit/SecureEnclaveStore.swift
@@ -136,41 +136,6 @@ extension SecureEnclave {
 return signature as Data
 }
- public func verify(signature: Data, for data: Data, with secret: Secret) throws -> Bool {
- let context = LAContext()
- context.localizedReason = String(localized: .authContextRequestVerifyDescription(secretName: secret.name))
- context.localizedCancelTitle = String(localized: .authContextRequestDenyButton)
- let attributes = KeychainDictionary([
- kSecClass: kSecClassKey,
- kSecAttrKeyClass: kSecAttrKeyClassPrivate,
- kSecAttrApplicationLabel: secret.id as CFData,
- kSecAttrKeyType: Constants.keyType,
- kSecAttrTokenID: kSecAttrTokenIDSecureEnclave,
- kSecAttrApplicationTag: Constants.keyTag,
- kSecUseAuthenticationContext: context,
- kSecReturnRef: true
- ])
- var verifyError: SecurityError?
- var untyped: CFTypeRef?
- let status = SecItemCopyMatching(attributes, &untyped)
- if status != errSecSuccess {
- throw KeychainError(statusCode: status)
- }
- guard let untypedSafe = untyped else {
- throw KeychainError(statusCode: errSecSuccess)
- }
- let key = untypedSafe as! SecKey
- let verified = SecKeyVerifySignature(key, .ecdsaSignatureMessageX962SHA256, data as CFData, signature as CFData, &verifyError)
- if !verified, let verifyError {
- if verifyError.takeUnretainedValue() ~= .verifyError {
- return false
- } else {
- throw SigningError(error: verifyError)
- }
- }
- return verified
- }
-
 public func existingPersistedAuthenticationContext(secret: Secret) async -> PersistedAuthenticationContext? {
 await persistentAuthenticationHandler.existingPersistedAuthenticationContext(secret: secret)
 }
diff --git a/Sources/Packages/Sources/SmartCardSecretKit/SmartCardStore.swift b/Sources/Packages/Sources/SmartCardSecretKit/SmartCardStore.swift
index 3f06773..2b96dbd 100644
--- a/Sources/Packages/Sources/SmartCardSecretKit/SmartCardStore.swift
+++ b/Sources/Packages/Sources/SmartCardSecretKit/SmartCardStore.swift
@@ -89,29 +89,6 @@ extension SmartCard {
 return signature as Data
 }
- public func verify(signature: Data, for data: Data, with secret: Secret) throws -> Bool {
- let attributes = KeychainDictionary([
- kSecAttrKeyType: secret.algorithm.secAttrKeyType,
- kSecAttrKeySizeInBits: secret.keySize,
- kSecAttrKeyClass: kSecAttrKeyClassPublic
- ])
- var verifyError: SecurityError?
- let untyped: CFTypeRef? = SecKeyCreateWithData(secret.publicKey as CFData, attributes, &verifyError)
- guard let untypedSafe = untyped else {
- throw KeychainError(statusCode: errSecSuccess)
- }
- let key = untypedSafe as! SecKey
- let verified = SecKeyVerifySignature(key, signatureAlgorithm(for: secret, allowRSA: true), data as CFData, signature as CFData, &verifyError)
- if !verified, let verifyError {
- if verifyError.takeUnretainedValue() ~= .verifyError {
- return false
- } else {
- throw SigningError(error: verifyError)
- }
- }
- return verified
- }
-
 public func existingPersistedAuthenticationContext(secret: Secret) -> PersistedAuthenticationContext? {
 nil
 }
diff --git a/Sources/Packages/Tests/SecretAgentKitTests/AgentTests.swift b/Sources/Packages/Tests/SecretAgentKitTests/AgentTests.swift
index 63734ef..7cd519e 100644
--- a/Sources/Packages/Tests/SecretAgentKitTests/AgentTests.swift
+++ b/Sources/Packages/Tests/SecretAgentKitTests/AgentTests.swift
@@ -60,18 +60,10 @@ import CryptoKit
 }
 var rs = r
 rs.append(s)
- let signature = try! P256.Signing.ECDSASignature(rawRepresentation: rs)
- let referenceValid = try! P256.Signing.PublicKey(x963Representation: Constants.Secrets.ecdsa256Secret.publicKey).isValidSignature(signature, for: dataToSign)
- let store = await list.stores.first!
- let derVerifies = try await store.verify(signature: signature.derRepresentation, for: dataToSign, with: AnySecret(Constants.Secrets.ecdsa256Secret))
- let invalidRandomSignature = try await store.verify(signature: "invalid".data(using: .utf8)!, for: dataToSign, with: AnySecret(Constants.Secrets.ecdsa256Secret))
- let invalidRandomData = try await store.verify(signature: signature.derRepresentation, for: "invalid".data(using: .utf8)!, with: AnySecret(Constants.Secrets.ecdsa256Secret))
- let invalidWrongKey = try await store.verify(signature: signature.derRepresentation, for: dataToSign, with: AnySecret(Constants.Secrets.ecdsa384Secret))
- #expect(referenceValid)
- #expect(derVerifies)
- #expect(invalidRandomSignature == false)
- #expect(invalidRandomData == false)
- #expect(invalidWrongKey == false)
+ let signature = try P256.Signing.ECDSASignature(rawRepresentation: rs)
+ // Correct signature
+ #expect(try P256.Signing.PublicKey(x963Representation: Constants.Secrets.ecdsa256Secret.publicKey)
+ .isValidSignature(signature, for: dataToSign))
 }
 // MARK: Witness protocol
diff --git a/Sources/Packages/Tests/SecretAgentKitTests/StubStore.swift b/Sources/Packages/Tests/SecretAgentKitTests/StubStore.swift
index a390e25..b168614 100644
--- a/Sources/Packages/Tests/SecretAgentKitTests/StubStore.swift
+++ b/Sources/Packages/Tests/SecretAgentKitTests/StubStore.swift
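Review bot: The rewritten assertion keeps only the positive case; the negative checks that were removed alongside `store.verify` (garbage signature, wrong payload, wrong key) are gone with it, so this test no longer demonstrates that the verdict depends on the payload or key at all. Those checks do not need the deleted store API — CryptoKit can carry them: bind the key once with `let publicKey = try P256.Signing.PublicKey(x963Representation: Constants.Secrets.ecdsa256Secret.publicKey)` and add `#expect(!publicKey.isValidSignature(signature, for: Data("invalid".utf8)))`. Binding the key also separates a malformed-key failure from a failed signature check in the test report, instead of both surfacing from the one `#expect(try ...)` line. The enclosing test function starts before the hunk, so where `r`, `s` and `dataToSign` come from is not visible here.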
@@ -61,29 +61,6 @@ extension Stub {
 return SecKeyCreateSignature(privateKey, signatureAlgorithm(for: secret), data as CFData, nil)! as Data
 }
- public func verify(signature: Data, for data: Data, with secret: Stub.Secret) throws -> Bool {
- let attributes = KeychainDictionary([
- kSecAttrKeyType: secret.algorithm.secAttrKeyType,
- kSecAttrKeySizeInBits: secret.keySize,
- kSecAttrKeyClass: kSecAttrKeyClassPublic
- ])
- var verifyError: Unmanaged?
- let untyped: CFTypeRef? = SecKeyCreateWithData(secret.publicKey as CFData, attributes, &verifyError)
- guard let untypedSafe = untyped else {
- throw NSError(domain: "test", code: 0, userInfo: nil)
- }
- let key = untypedSafe as! SecKey
- let verified = SecKeyVerifySignature(key, signatureAlgorithm(for: secret), data as CFData, signature as CFData, &verifyError)
- if let verifyError {
- if verifyError.takeUnretainedValue() ~= .verifyError {
- return false
- } else {
- throw NSError(domain: "test", code: 0, userInfo: nil)
- }
- }
- return verified
- }
-
 public func existingPersistedAuthenticationContext(secret: Stub.Secret) -> PersistedAuthenticationContext? {
 nil
 }
diff --git a/Sources/Secretive/Preview Content/PreviewStore.swift b/Sources/Secretive/Preview Content/PreviewStore.swift
index c0bdd85..4cbcac6 100644
--- a/Sources/Secretive/Preview Content/PreviewStore.swift
+++ b/Sources/Secretive/Preview Content/PreviewStore.swift
@@ -40,10 +40,6 @@ extension Preview {
 return data
 }
- func verify(signature data: Data, for signature: Data, with secret: Preview.Secret) throws -> Bool {
- true
- }
-
 func existingPersistedAuthenticationContext(secret: Preview.Secret) -> PersistedAuthenticationContext? {
 nil
 }
@@ -76,10 +72,6 @@ extension Preview {
 return data
 }
- func verify(signature data: Data, for signature: Data, with secret: Preview.Secret) throws -> Bool {
- true
- }
-
 func existingPersistedAuthenticationContext(secret: Preview.Secret) -> PersistedAuthenticationContext? {
 nil
 }