Remove unused verify functions. (#621)

Max Goedjen 2025-08-23 15:26:40 -07:00 committed by GitHub
parent bd096c3012
commit e3938caecb
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
7 changed files with 4 additions and 115 deletions


@ -10,7 +10,6 @@ public class AnySecretStore: SecretStore, @unchecked Sendable {
private let _name: @MainActor @Sendable () -> String private let _name: @MainActor @Sendable () -> String
private let _secrets: @MainActor @Sendable () -> [AnySecret] private let _secrets: @MainActor @Sendable () -> [AnySecret]
private let _sign: @Sendable (Data, AnySecret, SigningRequestProvenance) async throws -> Data private let _sign: @Sendable (Data, AnySecret, SigningRequestProvenance) async throws -> Data
private let _verify: @Sendable (Data, Data, AnySecret) async throws -> Bool
private let _existingPersistedAuthenticationContext: @Sendable (AnySecret) async -> PersistedAuthenticationContext? private let _existingPersistedAuthenticationContext: @Sendable (AnySecret) async -> PersistedAuthenticationContext?
private let _persistAuthentication: @Sendable (AnySecret, TimeInterval) async throws -> Void private let _persistAuthentication: @Sendable (AnySecret, TimeInterval) async throws -> Void
private let _reloadSecrets: @Sendable () async -> Void private let _reloadSecrets: @Sendable () async -> Void
@ -22,7 +21,6 @@ public class AnySecretStore: SecretStore, @unchecked Sendable {
_id = { secretStore.id } _id = { secretStore.id }
_secrets = { secretStore.secrets.map { AnySecret($0) } } _secrets = { secretStore.secrets.map { AnySecret($0) } }
_sign = { try await secretStore.sign(data: $0, with: $1.base as! SecretStoreType.SecretType, for: $2) } _sign = { try await secretStore.sign(data: $0, with: $1.base as! SecretStoreType.SecretType, for: $2) }
_verify = { try await secretStore.verify(signature: $0, for: $1, with: $2.base as! SecretStoreType.SecretType) }
_existingPersistedAuthenticationContext = { await secretStore.existingPersistedAuthenticationContext(secret: $0.base as! SecretStoreType.SecretType) } _existingPersistedAuthenticationContext = { await secretStore.existingPersistedAuthenticationContext(secret: $0.base as! SecretStoreType.SecretType) }
_persistAuthentication = { try await secretStore.persistAuthentication(secret: $0.base as! SecretStoreType.SecretType, forDuration: $1) } _persistAuthentication = { try await secretStore.persistAuthentication(secret: $0.base as! SecretStoreType.SecretType, forDuration: $1) }
_reloadSecrets = { await secretStore.reloadSecrets() } _reloadSecrets = { await secretStore.reloadSecrets() }
@ -48,10 +46,6 @@ public class AnySecretStore: SecretStore, @unchecked Sendable {
try await _sign(data, secret, provenance) try await _sign(data, secret, provenance)
} }
public func verify(signature: Data, for data: Data, with secret: AnySecret) async throws -> Bool {
try await _verify(signature, data, secret)
}
public func existingPersistedAuthenticationContext(secret: AnySecret) async -> PersistedAuthenticationContext? { public func existingPersistedAuthenticationContext(secret: AnySecret) async -> PersistedAuthenticationContext? {
await _existingPersistedAuthenticationContext(secret) await _existingPersistedAuthenticationContext(secret)
} }


@ -23,14 +23,6 @@ public protocol SecretStore: Identifiable, Sendable {
/// - Returns: The signed data. /// - Returns: The signed data.
func sign(data: Data, with secret: SecretType, for provenance: SigningRequestProvenance) async throws -> Data func sign(data: Data, with secret: SecretType, for provenance: SigningRequestProvenance) async throws -> Data
/// Verifies that a signature is valid over a specified payload.
/// - Parameters:
/// - signature: The signature over the data.
/// - data: The data to verify the signature of.
/// - secret: The secret whose signature to verify.
/// - Returns: Whether the signature was verified.
func verify(signature: Data, for data: Data, with secret: SecretType) async throws -> Bool
/// Checks to see if there is currently a valid persisted authentication for a given secret. /// Checks to see if there is currently a valid persisted authentication for a given secret.
/// - Parameters: /// - Parameters:
/// - secret: The ``Secret`` to check if there is a persisted authentication for. /// - secret: The ``Secret`` to check if there is a persisted authentication for.


@ -136,41 +136,6 @@ extension SecureEnclave {
return signature as Data return signature as Data
} }
public func verify(signature: Data, for data: Data, with secret: Secret) throws -> Bool {
let context = LAContext()
context.localizedReason = String(localized: .authContextRequestVerifyDescription(secretName: secret.name))
context.localizedCancelTitle = String(localized: .authContextRequestDenyButton)
let attributes = KeychainDictionary([
kSecClass: kSecClassKey,
kSecAttrKeyClass: kSecAttrKeyClassPrivate,
kSecAttrApplicationLabel: secret.id as CFData,
kSecAttrKeyType: Constants.keyType,
kSecAttrTokenID: kSecAttrTokenIDSecureEnclave,
kSecAttrApplicationTag: Constants.keyTag,
kSecUseAuthenticationContext: context,
kSecReturnRef: true
])
var verifyError: SecurityError?
var untyped: CFTypeRef?
let status = SecItemCopyMatching(attributes, &untyped)
if status != errSecSuccess {
throw KeychainError(statusCode: status)
}
guard let untypedSafe = untyped else {
throw KeychainError(statusCode: errSecSuccess)
}
let key = untypedSafe as! SecKey
let verified = SecKeyVerifySignature(key, .ecdsaSignatureMessageX962SHA256, data as CFData, signature as CFData, &verifyError)
if !verified, let verifyError {
if verifyError.takeUnretainedValue() ~= .verifyError {
return false
} else {
throw SigningError(error: verifyError)
}
}
return verified
}
public func existingPersistedAuthenticationContext(secret: Secret) async -> PersistedAuthenticationContext? { public func existingPersistedAuthenticationContext(secret: Secret) async -> PersistedAuthenticationContext? {
await persistentAuthenticationHandler.existingPersistedAuthenticationContext(secret: secret) await persistentAuthenticationHandler.existingPersistedAuthenticationContext(secret: secret)
} }


@ -89,29 +89,6 @@ extension SmartCard {
return signature as Data return signature as Data
} }
public func verify(signature: Data, for data: Data, with secret: Secret) throws -> Bool {
let attributes = KeychainDictionary([
kSecAttrKeyType: secret.algorithm.secAttrKeyType,
kSecAttrKeySizeInBits: secret.keySize,
kSecAttrKeyClass: kSecAttrKeyClassPublic
])
var verifyError: SecurityError?
let untyped: CFTypeRef? = SecKeyCreateWithData(secret.publicKey as CFData, attributes, &verifyError)
guard let untypedSafe = untyped else {
throw KeychainError(statusCode: errSecSuccess)
}
let key = untypedSafe as! SecKey
let verified = SecKeyVerifySignature(key, signatureAlgorithm(for: secret, allowRSA: true), data as CFData, signature as CFData, &verifyError)
if !verified, let verifyError {
if verifyError.takeUnretainedValue() ~= .verifyError {
return false
} else {
throw SigningError(error: verifyError)
}
}
return verified
}
public func existingPersistedAuthenticationContext(secret: Secret) -> PersistedAuthenticationContext? { public func existingPersistedAuthenticationContext(secret: Secret) -> PersistedAuthenticationContext? {
nil nil
} }


@ -60,18 +60,10 @@ import CryptoKit
} }
var rs = r var rs = r
rs.append(s) rs.append(s)
let signature = try! P256.Signing.ECDSASignature(rawRepresentation: rs) let signature = try P256.Signing.ECDSASignature(rawRepresentation: rs)
let referenceValid = try! P256.Signing.PublicKey(x963Representation: Constants.Secrets.ecdsa256Secret.publicKey).isValidSignature(signature, for: dataToSign) // Correct signature
let store = await list.stores.first! #expect(try P256.Signing.PublicKey(x963Representation: Constants.Secrets.ecdsa256Secret.publicKey)
let derVerifies = try await store.verify(signature: signature.derRepresentation, for: dataToSign, with: AnySecret(Constants.Secrets.ecdsa256Secret)) .isValidSignature(signature, for: dataToSign))
let invalidRandomSignature = try await store.verify(signature: "invalid".data(using: .utf8)!, for: dataToSign, with: AnySecret(Constants.Secrets.ecdsa256Secret))
let invalidRandomData = try await store.verify(signature: signature.derRepresentation, for: "invalid".data(using: .utf8)!, with: AnySecret(Constants.Secrets.ecdsa256Secret))
let invalidWrongKey = try await store.verify(signature: signature.derRepresentation, for: dataToSign, with: AnySecret(Constants.Secrets.ecdsa384Secret))
#expect(referenceValid)
#expect(derVerifies)
#expect(invalidRandomSignature == false)
#expect(invalidRandomData == false)
#expect(invalidWrongKey == false)
} }
// MARK: Witness protocol // MARK: Witness protocol
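Review bot: The rewritten assertion at the end of this hunk keeps only the positive case, so the test can no longer distinguish a real verification from a harness that accepts any signature; the dropped `invalidRandomData`-style check does not need the removed store API and can be carried over to CryptoKit directly. Bind the key once, `let publicKey = try P256.Signing.PublicKey(x963Representation: Constants.Secrets.ecdsa256Secret.publicKey)`, then add `#expect(!publicKey.isValidSignature(signature, for: "invalid".data(using: .utf8)!))` next to the existing positive `#expect`. The wrong-key case cannot be ported as-is because the signature is typed to P256 and the other test secret is P384, so that one is reasonably left out. The lines just above the hunk appear to be hand-assembling `r` and `s` into a raw representation; if that is parsed from DER, `P256.Signing.ECDSASignature(derRepresentation:)` would remove the manual parsing, but that code is outside the hunk and the enclosing test function starts outside it too.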


@ -61,29 +61,6 @@ extension Stub {
return SecKeyCreateSignature(privateKey, signatureAlgorithm(for: secret), data as CFData, nil)! as Data return SecKeyCreateSignature(privateKey, signatureAlgorithm(for: secret), data as CFData, nil)! as Data
} }
public func verify(signature: Data, for data: Data, with secret: Stub.Secret) throws -> Bool {
let attributes = KeychainDictionary([
kSecAttrKeyType: secret.algorithm.secAttrKeyType,
kSecAttrKeySizeInBits: secret.keySize,
kSecAttrKeyClass: kSecAttrKeyClassPublic
])
var verifyError: Unmanaged<CFError>?
let untyped: CFTypeRef? = SecKeyCreateWithData(secret.publicKey as CFData, attributes, &verifyError)
guard let untypedSafe = untyped else {
throw NSError(domain: "test", code: 0, userInfo: nil)
}
let key = untypedSafe as! SecKey
let verified = SecKeyVerifySignature(key, signatureAlgorithm(for: secret), data as CFData, signature as CFData, &verifyError)
if let verifyError {
if verifyError.takeUnretainedValue() ~= .verifyError {
return false
} else {
throw NSError(domain: "test", code: 0, userInfo: nil)
}
}
return verified
}
public func existingPersistedAuthenticationContext(secret: Stub.Secret) -> PersistedAuthenticationContext? { public func existingPersistedAuthenticationContext(secret: Stub.Secret) -> PersistedAuthenticationContext? {
nil nil
} }


@ -40,10 +40,6 @@ extension Preview {
return data return data
} }
func verify(signature data: Data, for signature: Data, with secret: Preview.Secret) throws -> Bool {
true
}
func existingPersistedAuthenticationContext(secret: Preview.Secret) -> PersistedAuthenticationContext? { func existingPersistedAuthenticationContext(secret: Preview.Secret) -> PersistedAuthenticationContext? {
nil nil
} }
@ -76,10 +72,6 @@ extension Preview {
return data return data
} }
func verify(signature data: Data, for signature: Data, with secret: Preview.Secret) throws -> Bool {
true
}
func existingPersistedAuthenticationContext(secret: Preview.Secret) -> PersistedAuthenticationContext? { func existingPersistedAuthenticationContext(secret: Preview.Secret) -> PersistedAuthenticationContext? {
nil nil
} }