Finish signature verification.

2018-07-19 16:45:01 -04:00 · 2018-07-19 16:45:01 -04:00 · 7acf9b15e1
parent 7476ef123d
commit 7acf9b15e1
2 changed files with 15 additions and 43 deletions
--- a/SignalServiceKit/src/Contacts/CDSSigningCertificate.m
+++ b/SignalServiceKit/src/Contacts/CDSSigningCertificate.m
@ -5,6 +5,7 @@
 #import "CDSSigningCertificate.h"
 #import "NSData+Base64.h"
 #import "NSData+OWS.h"
+#import <CommonCrypto/CommonCrypto.h>

 NS_ASSUME_NONNULL_BEGIN

@ -95,14 +96,12 @@ NS_ASSUME_NONNULL_BEGIN
        return nil;
    }

-    // TODO:
    status = SecTrustSetNetworkFetchAllowed(trust, NO);
    if (status != errSecSuccess) {
        DDLogError(@"%@ trust fetch could not be configured.", self.logTag);
        return nil;
    }

-    // TODO:
    status = SecTrustSetAnchorCertificatesOnly(trust, YES);
    if (status != errSecSuccess) {
        DDLogError(@"%@ trust anchor certs could not be configured.", self.logTag);
@ -229,54 +228,29 @@ NS_ASSUME_NONNULL_BEGIN
    return certificateData;
 }

- (BOOL)verifySignatureOfBody:(NSString *)body signature:(NSData *)theirSignature
+- (BOOL)verifySignatureOfBody:(NSString *)body signature:(NSData *)signature
 {
-    BOOL result = NO;
-
-    // TODO: Which algorithm should we be using?
-    DDLogVerbose(@"%@ kSecKeyAlgorithmRSASignatureDigestPSSSHA256.", self.logTag);
-    result = result ||
-        [self verifySignatureOfBody:body
-                          signature:theirSignature
-                          algorithm:kSecKeyAlgorithmRSASignatureDigestPSSSHA256];
-    DDLogVerbose(@"%@ kSecKeyAlgorithmRSASignatureMessagePSSSHA256.", self.logTag);
-    result = result ||
-        [self verifySignatureOfBody:body
-                          signature:theirSignature
-                          algorithm:kSecKeyAlgorithmRSASignatureMessagePSSSHA256];
-    return result;
-}
-
-// TODO: This method requires iOS 10.
- (BOOL)verifySignatureOfBody:(NSString *)body signature:(NSData *)signature algorithm:(SecKeyAlgorithm)algorithm
-{
-    OWSAssert(body.length > 0);
-    OWSAssert(signature.length > 0);
    OWSAssert(self.publicKey);

    NSData *bodyData = [body dataUsingEncoding:NSUTF8StringEncoding];

-    BOOL canSign = SecKeyIsAlgorithmSupported(self.publicKey, kSecKeyOperationTypeVerify, algorithm);
-    if (!canSign) {
-        OWSProdLogAndFail(@"%@ signature algorithm is not supported.", self.logTag);
+    size_t signedHashBytesSize = SecKeyGetBlockSize(self.publicKey);
+    const void *signedHashBytes = [signature bytes];
+    size_t hashBytesSize = CC_SHA256_DIGEST_LENGTH;
+    uint8_t hashBytes[hashBytesSize];
+    if (!CC_SHA256([bodyData bytes], (CC_LONG)[bodyData length], hashBytes)) {
+        OWSProdLogAndFail(@"%@ could not SHA256 for signature verification.", self.logTag);
        return NO;
    }

-    CFErrorRef error = NULL;
-    BOOL isValid = SecKeyVerifySignature(
-        self.publicKey, algorithm, (__bridge CFDataRef)bodyData, (__bridge CFDataRef)signature, &error);
-    if (error) {
-        NSError *nsError = CFBridgingRelease(error);
-        // TODO:
-        DDLogError(@"%@ signature verification failed: %@.", self.logTag, nsError);
-        //        OWSProdLogAndFail(@"%@ signature verification failed: %@.", self.logTag, nsError);
-        return NO;
-    }
+    OSStatus status = SecKeyRawVerify(
+        self.publicKey, kSecPaddingPKCS1SHA256, hashBytes, hashBytesSize, signedHashBytes, signedHashBytesSize);
+
+    BOOL isValid = status == errSecSuccess;
    if (!isValid) {
        OWSProdLogAndFail(@"%@ signatures do not match.", self.logTag);
        return NO;
    }
-    DDLogVerbose(@"%@ signature verification succeeded.", self.logTag);
    return YES;
 }

--- a/SignalServiceKit/src/Contacts/ContactDiscoveryService.m
+++ b/SignalServiceKit/src/Contacts/ContactDiscoveryService.m
@ -297,7 +297,7 @@ NS_ASSUME_NONNULL_BEGIN
                                                           authToken:auth.authToken];
    [[TSNetworkManager sharedManager] makeRequest:request
        success:^(NSURLSessionDataTask *task, id responseJson) {
-            DDLogVerbose(@"%@ remote attestation success: %@", self.logTag, responseJson);
+            DDLogVerbose(@"%@ remote attestation success.", self.logTag);

            dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{
                // TODO: Handle result.
@ -482,10 +482,8 @@ NS_ASSUME_NONNULL_BEGIN
        return NO;
    }
    if (![certificate verifySignatureOfBody:signatureBody signature:signature]) {
-        // TODO:
-        DDLogError(@"%@ could not verify signature.", self.logTag);
-        //        OWSProdLogAndFail(@"%@ could not verify signature.", self.logTag);
-        //        return NO;
+        OWSProdLogAndFail(@"%@ could not verify signature.", self.logTag);
+        return NO;
    }

    SignatureBodyEntity *_Nullable signatureBodyEntity = [self parseSignatureBodyEntity:signatureBody];