Finish signature verification.

pull/1/head
Matthew Chen 7 years ago
parent 7476ef123d
commit 7acf9b15e1

@ -5,6 +5,7 @@
#import "CDSSigningCertificate.h" #import "CDSSigningCertificate.h"
#import "NSData+Base64.h" #import "NSData+Base64.h"
#import "NSData+OWS.h" #import "NSData+OWS.h"
#import <CommonCrypto/CommonCrypto.h>
NS_ASSUME_NONNULL_BEGIN NS_ASSUME_NONNULL_BEGIN
@ -95,14 +96,12 @@ NS_ASSUME_NONNULL_BEGIN
return nil; return nil;
} }
// TODO:
status = SecTrustSetNetworkFetchAllowed(trust, NO); status = SecTrustSetNetworkFetchAllowed(trust, NO);
if (status != errSecSuccess) { if (status != errSecSuccess) {
DDLogError(@"%@ trust fetch could not be configured.", self.logTag); DDLogError(@"%@ trust fetch could not be configured.", self.logTag);
return nil; return nil;
} }
// TODO:
status = SecTrustSetAnchorCertificatesOnly(trust, YES); status = SecTrustSetAnchorCertificatesOnly(trust, YES);
if (status != errSecSuccess) { if (status != errSecSuccess) {
DDLogError(@"%@ trust anchor certs could not be configured.", self.logTag); DDLogError(@"%@ trust anchor certs could not be configured.", self.logTag);
@ -229,54 +228,29 @@ NS_ASSUME_NONNULL_BEGIN
return certificateData; return certificateData;
} }
- (BOOL)verifySignatureOfBody:(NSString *)body signature:(NSData *)theirSignature - (BOOL)verifySignatureOfBody:(NSString *)body signature:(NSData *)signature
{ {
BOOL result = NO;
// TODO: Which algorithm should we be using?
DDLogVerbose(@"%@ kSecKeyAlgorithmRSASignatureDigestPSSSHA256.", self.logTag);
result = result ||
[self verifySignatureOfBody:body
signature:theirSignature
algorithm:kSecKeyAlgorithmRSASignatureDigestPSSSHA256];
DDLogVerbose(@"%@ kSecKeyAlgorithmRSASignatureMessagePSSSHA256.", self.logTag);
result = result ||
[self verifySignatureOfBody:body
signature:theirSignature
algorithm:kSecKeyAlgorithmRSASignatureMessagePSSSHA256];
return result;
}
// TODO: This method requires iOS 10.
- (BOOL)verifySignatureOfBody:(NSString *)body signature:(NSData *)signature algorithm:(SecKeyAlgorithm)algorithm
{
OWSAssert(body.length > 0);
OWSAssert(signature.length > 0);
OWSAssert(self.publicKey); OWSAssert(self.publicKey);
NSData *bodyData = [body dataUsingEncoding:NSUTF8StringEncoding]; NSData *bodyData = [body dataUsingEncoding:NSUTF8StringEncoding];
BOOL canSign = SecKeyIsAlgorithmSupported(self.publicKey, kSecKeyOperationTypeVerify, algorithm); size_t signedHashBytesSize = SecKeyGetBlockSize(self.publicKey);
if (!canSign) { const void *signedHashBytes = [signature bytes];
OWSProdLogAndFail(@"%@ signature algorithm is not supported.", self.logTag); size_t hashBytesSize = CC_SHA256_DIGEST_LENGTH;
uint8_t hashBytes[hashBytesSize];
if (!CC_SHA256([bodyData bytes], (CC_LONG)[bodyData length], hashBytes)) {
OWSProdLogAndFail(@"%@ could not SHA256 for signature verification.", self.logTag);
return NO; return NO;
} }
CFErrorRef error = NULL; OSStatus status = SecKeyRawVerify(
BOOL isValid = SecKeyVerifySignature( self.publicKey, kSecPaddingPKCS1SHA256, hashBytes, hashBytesSize, signedHashBytes, signedHashBytesSize);
self.publicKey, algorithm, (__bridge CFDataRef)bodyData, (__bridge CFDataRef)signature, &error);
if (error) { BOOL isValid = status == errSecSuccess;
NSError *nsError = CFBridgingRelease(error);
// TODO:
DDLogError(@"%@ signature verification failed: %@.", self.logTag, nsError);
// OWSProdLogAndFail(@"%@ signature verification failed: %@.", self.logTag, nsError);
return NO;
}
if (!isValid) { if (!isValid) {
OWSProdLogAndFail(@"%@ signatures do not match.", self.logTag); OWSProdLogAndFail(@"%@ signatures do not match.", self.logTag);
return NO; return NO;
} }
DDLogVerbose(@"%@ signature verification succeeded.", self.logTag);
return YES; return YES;
} }
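Review bot: In the new `verifySignatureOfBody:signature:`, the signature length handed to `SecKeyRawVerify` comes from the key (`SecKeyGetBlockSize(self.publicKey)`) and not from the `signature` data itself. The earlier `OWSAssert(signature.length > 0)` also appears to be gone from the new side. A signature shorter than the key's block size would therefore have the verify call read past the end of `[signature bytes]`, and this value comes from the attestation response rather than from local state. Reject a length mismatch before the call with `if (signature.length != SecKeyGetBlockSize(self.publicKey)) { return NO; }`, and pass `signature.length` as the final argument. A short comment recording why PKCS#1 v1.5 with SHA-256 replaced the PSS variants the old code tried would also help the next reader.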

@ -297,7 +297,7 @@ NS_ASSUME_NONNULL_BEGIN
authToken:auth.authToken]; authToken:auth.authToken];
[[TSNetworkManager sharedManager] makeRequest:request [[TSNetworkManager sharedManager] makeRequest:request
success:^(NSURLSessionDataTask *task, id responseJson) { success:^(NSURLSessionDataTask *task, id responseJson) {
DDLogVerbose(@"%@ remote attestation success: %@", self.logTag, responseJson); DDLogVerbose(@"%@ remote attestation success.", self.logTag);
dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{ dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{
// TODO: Handle result. // TODO: Handle result.
@ -482,10 +482,8 @@ NS_ASSUME_NONNULL_BEGIN
return NO; return NO;
} }
if (![certificate verifySignatureOfBody:signatureBody signature:signature]) { if (![certificate verifySignatureOfBody:signatureBody signature:signature]) {
// TODO: OWSProdLogAndFail(@"%@ could not verify signature.", self.logTag);
DDLogError(@"%@ could not verify signature.", self.logTag); return NO;
// OWSProdLogAndFail(@"%@ could not verify signature.", self.logTag);
// return NO;
} }
SignatureBodyEntity *_Nullable signatureBodyEntity = [self parseSignatureBodyEntity:signatureBody]; SignatureBodyEntity *_Nullable signatureBodyEntity = [self parseSignatureBodyEntity:signatureBody];
