Fix the CDS version checking.

7 years ago · b6a14ea014
parent bcb882f5aa
commit b6a14ea014
2 changed files with 26 additions and 6 deletions
--- a/SignalServiceKit/src/Contacts/CDSQuote.m
+++ b/SignalServiceKit/src/Contacts/CDSQuote.m
@ -48,6 +48,7 @@ static const long SGX_XFRM_RESERVED = 0xFFFFFFFFFFFFFFF8L;
 {
    ByteParser *_Nullable parser = [[ByteParser alloc] initWithData:quoteData littleEndian:YES];

+    // NOTE: This version is separate from and does _NOT_ match the signature body entity version.
    uint16_t version = parser.nextShort;
    if (version < 1 || version > 2) {
        OWSFailDebug(@"unexpected quote version: %d", (int)version);
--- a/SignalServiceKit/src/Contacts/ContactDiscoveryService.m
+++ b/SignalServiceKit/src/Contacts/ContactDiscoveryService.m
@ -171,6 +171,7 @@ NS_ASSUME_NONNULL_BEGIN
@property (nonatomic) NSData *isvEnclaveQuoteBody;
@property (nonatomic) NSString *isvEnclaveQuoteStatus;
@property (nonatomic) NSString *timestamp;
+@property (nonatomic) NSNumber *version;

@end

@ -200,6 +201,16 @@ NS_ASSUME_NONNULL_BEGIN
    return valueString;
 }

+- (nullable NSNumber *)numberForKey:(NSString *)key
+{
+    NSNumber *_Nullable value = self[key];
+    if (![value isKindOfClass:[NSNumber class]]) {
+        OWSFailDebug(@"couldn't parse number for key: %@", key);
+        return nil;
+    }
+    return value;
+}
+
 - (nullable NSData *)base64DataForKey:(NSString *)key
 {
    NSString *_Nullable valueString = self[key];
@ -339,7 +350,6 @@ NS_ASSUME_NONNULL_BEGIN
 {
    ECKeyPair *keyPair = [Curve25519 generateKeyPair];

-    // TODO:
    NSString *enclaveId = @"cd6cfc342937b23b1bdd3bbf9721aa5615ac9ff50a75c5527d441cd3276826c9";

    TSRequest *request = [OWSRequestFactory remoteAttestationRequest:keyPair
@ -530,6 +540,12 @@ NS_ASSUME_NONNULL_BEGIN
        OWSFailDebug(@"isvEnclaveQuoteBody has unexpected length.");
        return NO;
    }
+    // NOTE: This version is separate from and does _NOT_ match the CDS quote version.
+    const NSUInteger kSignatureBodyVersion = 3;
+    if (![signatureBodyEntity.version isEqual:@(kSignatureBodyVersion)]) {
+        OWSFailDebug(@"signatureBodyEntity has unexpected version.");
+        return NO;
+    }
    if (quoteData.length < kQuoteBodyComparisonLength) {
        OWSFailDebug(@"quoteData has unexpected length.");
        return NO;
@ -542,9 +558,7 @@ NS_ASSUME_NONNULL_BEGIN
        return NO;
    }

-    // TODO: Before going to production, remove GROUP_OUT_OF_DATE.
-    if (![@"OK" isEqualToString:signatureBodyEntity.isvEnclaveQuoteStatus]
-        && ![@"GROUP_OUT_OF_DATE" isEqualToString:signatureBodyEntity.isvEnclaveQuoteStatus]) {
+    if (![@"OK" isEqualToString:signatureBodyEntity.isvEnclaveQuoteStatus]) {
        OWSFailDebug(@"invalid isvEnclaveQuoteStatus: %@.", signatureBodyEntity.isvEnclaveQuoteStatus);
        return NO;
    }
@ -604,11 +618,17 @@ NS_ASSUME_NONNULL_BEGIN
        OWSFailDebug(@"could not parse signature isvEnclaveQuoteStatus.");
        return nil;
    }
+    NSNumber *_Nullable version = [jsonDict numberForKey:@"version"];
+    if (!version) {
+        OWSFailDebug(@"could not parse signature version.");
+        return nil;
+    }

    SignatureBodyEntity *result = [SignatureBodyEntity new];
    result.isvEnclaveQuoteBody = isvEnclaveQuoteBody;
    result.isvEnclaveQuoteStatus = isvEnclaveQuoteStatus;
    result.timestamp = timestamp;
+    result.version = version;
    return result;
 }

@ -644,8 +664,7 @@ NS_ASSUME_NONNULL_BEGIN
        OWSFailDebug(@"enclave ids do not match.");
        return NO;
    }
-    // TODO: Reverse this condition in production.
-    if (!quote.isDebugQuote) {
+    if (quote.isDebugQuote) {
        OWSFailDebug(@"quote has invalid isDebugQuote value.");
        return NO;
    }