Respond to CR.

6 years ago · 8e18f40572
parent 3cac5bbfee
commit 8e18f40572
2 changed files with 14 additions and 66 deletions
--- a/SignalServiceKit/src/Contacts/CDSSigningCertificate.m
+++ b/SignalServiceKit/src/Contacts/CDSSigningCertificate.m
@ -69,6 +69,17 @@ NS_ASSUME_NONNULL_BEGIN
        return nil;
    }

+    // The leaf is always the first certificate.
+    NSData *_Nullable leafCertificateData = [certificateDerDatas firstObject];
+    if (!leafCertificateData) {
+        DDLogError(@"%@ Could not extract leaf certificate data.", self.logTag);
+        return nil;
+    }
+    if (![self verifyDistinguishedNameOfCertificate:leafCertificateData]) {
+        OWSProdLogAndFail(@"%@ Leaf certificate has invalid name.", self.logTag);
+        return nil;
+    }
+
    NSMutableArray *certificates = [NSMutableArray new];
    for (NSData *certificateDerData in certificateDerDatas) {
        SecCertificateRef certificate = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)(certificateDerData));
@ -117,10 +128,6 @@ NS_ASSUME_NONNULL_BEGIN
            OWSProdLogAndFail(@"%@ Could not load DER.", self.logTag);
            return nil;
        }
-        if (![self verifyDistinguishedNameOfCertificate:certificateData]) {
-            OWSProdLogAndFail(@"%@ Certificate has invalid name.", self.logTag);
-            return nil;
-        }

        [pinnedCertificates addObject:(__bridge_transfer id)certificate];
    }
@ -271,11 +278,9 @@ NS_ASSUME_NONNULL_BEGIN
    }
    //    NSString *expectedDistinguishedName
    //    = @"CN=Intel SGX Attestation Report Signing,O=Intel Corporation,L=Santa Clara,ST=CA,C=US";
-    // NOTE: "Intel SGX Attestation Report Signing CA" is not the same as:
-    //       "Intel SGX Attestation Report Signing"
    NSDictionary<NSString *, NSString *> *expectedProperties = @{
        @(SN_commonName) : // "CN"
-            @"Intel SGX Attestation Report Signing CA",
+            @"Intel SGX Attestation Report Signing",
        @(SN_organizationName) : // "O"
            @"Intel Corporation",
        @(SN_localityName) : // "L"
@ -285,6 +290,7 @@ NS_ASSUME_NONNULL_BEGIN
        @(SN_countryName) : // "C"
            @"US",
    };
+
    if (![properties isEqualToDictionary:expectedProperties]) {
        OWSFail(@"%@ Unexpected certificate properties. %@ != %@", self.logTag, expectedProperties, properties);
        return NO;
@ -307,7 +313,7 @@ NS_ASSUME_NONNULL_BEGIN
        return nil;
    }

-    X509_NAME *_Nullable subjectName = X509_get_issuer_name(certificateX509);
+    X509_NAME *_Nullable subjectName = X509_get_subject_name(certificateX509);
    if (!subjectName) {
        OWSFail(@"%@ could not extract subject name.", self.logTag);
        return nil;
@ -346,8 +352,6 @@ NS_ASSUME_NONNULL_BEGIN
            OWSFail(@"%@ could not parse entry name data.", self.logTag);
            return nil;
        }
-        DDLogVerbose(@"%@ certificate[%@]: %@", self.logTag, oid, entryString);
-        [DDLog flushLog];
        certificateProperties[oid] = entryString;
    }
    return certificateProperties;
--- a/SignalServiceKit/src/Contacts/ContactDiscoveryService.m
+++ b/SignalServiceKit/src/Contacts/ContactDiscoveryService.m
@ -470,29 +470,6 @@ NS_ASSUME_NONNULL_BEGIN

    DDLogVerbose(@"%@ remote attestation complete.", self.logTag);

-    //+      RemoteAttestation remoteAttestation = new RemoteAttestation(requestId, keys);
-    //+      List<String>      addressBook       = new LinkedList<>();
-    //+
-    //+      for (String e164number : e164numbers) {
-    //+        addressBook.add(e164number.substring(1));
-    //+      }
-    //+
-    //+      DiscoveryRequest  request  = cipher.createDiscoveryRequest(addressBook, remoteAttestation);
-    //+      DiscoveryResponse response = this.pushServiceSocket.getContactDiscoveryRegisteredUsers(authorization,
-    //request, attestationResponse.second(), mrenclave);
-    //+      byte[]            data     = cipher.getDiscoveryResponseData(response, remoteAttestation);
-    //+
-    //+      Iterator<String> addressBookIterator = addressBook.iterator();
-    //+      List<String>     results             = new LinkedList<>();
-    //+
-    //+      for (byte aData : data) {
-    //+        String candidate = addressBookIterator.next();
-    //+
-    //+        if (aData != 0) results.add('+' + candidate);
-    //+      }
-    //+
-    //+      return results;
-
    return result;
 }

@ -679,39 +656,6 @@ NS_ASSUME_NONNULL_BEGIN
    return decryptedData;
 }

-// A successful (HTTP 200) response json object consists of:
-// serverEphemeralPublic:    (32 bytes, base64) an ephemeral curve25519 public key generated by the server
-// serverStaticPublic:    (32 bytes, base64) a static curve25519 public key generated by the server
-// ciphertext:         (variable length, base64) a "request id" to be decrypted by the client (see below for derivation
-// of server_key) (ciphertext, tag) = AES-256-GCM(key=server_key, plaintext=requestId, AAD=(), iv) iv:                (12
-// bytes, base64) an IV for encrypted ciphertext tag:                (16 bytes, base64) a MAC for encrypted ciphertext
-// quote:             (variable length, base64) a binary structure from an Intel CPU containing runtime information
-// about a running enclave signatureBody:        (json object) a response from Intel Attestation Services attesting to
-// the genuineness of the Quote signature:            (base64) a signature over signatureBody, with public key in
-// corresponding signing certificate certificates:        (url-encoded PEM) signing certificate chain The response also
-// contains HTTP session cookies which must be preserved for exactly one corresponding Contact Discovery request.
-//
-// After this PUT response is received, the client must:
-// parse and verify fields in quote (see sample client code for parsing details):
-// report_data:        (64 bytes) must equal (serverStaticPublic || 0 ...)
-// mrenclave:            (32 bytes) must equal the request's enclaveId
-// flags:            (8 bytes) debug flag must be unset, as well as being validated against expected values during
-// parsing all other fields must be validated against a range of expected values during parsing (as shown in example
-// parsing code), but are otherwise ignored See client/src/main/java/org/whispersystems/contactdiscovery/Quote.java parse
-// and verify fields in signatureBody json object: isvEnclaveQuoteBody:    (base64) must equal quote
-// isvEnclaveQuoteStatus:    (ascii) must equal "OK"
-//"GROUP_OUT_OF_DATE" may be allowed for testing only
-// timestamp:            (ascii) UTC timestamp formatted as "yyyy-MM-dd'T'HH:mm:ss.SSSSSS" which must fall within the
-// last 24h verify validity of signature over signatureBody using the public key contained in the leaf signing
-// certificate in certificates verify signing certificates chain, with fixed trust anchors to be hard-coded in clients
-// client/src/main/java/org/whispersystems/contactdiscovery/SigningCertificate.java contains X.509 PKI certificate chain
-// validation code to follow
-//
-// After Curve25519-DH/HKDF key derivation upon the three public keys (client ephemeral private key, server ephemeral
-// public key, and server static public key, described below), the client can now decrypt the ciphertext in the Remote
-// Attestation Response containing a requestId to be sent along with a Contact Discovery request, and encrypt the body of
-// a Contact Discovery request using client_key, bound for the enclave it performed attestation with.
-
@end

 NS_ASSUME_NONNULL_END