keejef
/
session-ios
mirror of https://github.com/oxen-io/session-ios
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Respond to CR.

Browse Source
pull/1/head
Matthew Chen 7 years ago
parent 3cac5bbfee
commit 8e18f40572
2 changed files with 14 additions and 66 deletions
Show Stats Download Patch File Download Diff File

24
SignalServiceKit/src/Contacts/CDSSigningCertificate.m
Unescape Escape View File

@ -69,6 +69,17 @@ NS_ASSUME_NONNULL_BEGIN
return nil; return nil;
} }
// The leaf is always the first certificate.
NSData *_Nullable leafCertificateData = [certificateDerDatas firstObject];
if (!leafCertificateData) {
DDLogError(@"%@ Could not extract leaf certificate data.", self.logTag);
return nil;
}
if (![self verifyDistinguishedNameOfCertificate:leafCertificateData]) {
OWSProdLogAndFail(@"%@ Leaf certificate has invalid name.", self.logTag);
return nil;
}
NSMutableArray *certificates = [NSMutableArray new]; NSMutableArray *certificates = [NSMutableArray new];
for (NSData *certificateDerData in certificateDerDatas) { for (NSData *certificateDerData in certificateDerDatas) {
SecCertificateRef certificate = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)(certificateDerData)); SecCertificateRef certificate = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)(certificateDerData));
@ -117,10 +128,6 @@ NS_ASSUME_NONNULL_BEGIN
OWSProdLogAndFail(@"%@ Could not load DER.", self.logTag); OWSProdLogAndFail(@"%@ Could not load DER.", self.logTag);
return nil; return nil;
} }
if (![self verifyDistinguishedNameOfCertificate:certificateData]) {
OWSProdLogAndFail(@"%@ Certificate has invalid name.", self.logTag);
return nil;
}
[pinnedCertificates addObject:(__bridge_transfer id)certificate]; [pinnedCertificates addObject:(__bridge_transfer id)certificate];
} }
@ -271,11 +278,9 @@ NS_ASSUME_NONNULL_BEGIN
} }
// NSString *expectedDistinguishedName // NSString *expectedDistinguishedName
// = @"CN=Intel SGX Attestation Report Signing,O=Intel Corporation,L=Santa Clara,ST=CA,C=US"; // = @"CN=Intel SGX Attestation Report Signing,O=Intel Corporation,L=Santa Clara,ST=CA,C=US";
// NOTE: "Intel SGX Attestation Report Signing CA" is not the same as:
// "Intel SGX Attestation Report Signing"
NSDictionary<NSString *, NSString *> *expectedProperties = @{ NSDictionary<NSString *, NSString *> *expectedProperties = @{
@(SN_commonName) : // "CN" @(SN_commonName) : // "CN"
@"Intel SGX Attestation Report Signing CA", @"Intel SGX Attestation Report Signing",
@(SN_organizationName) : // "O" @(SN_organizationName) : // "O"
@"Intel Corporation", @"Intel Corporation",
@(SN_localityName) : // "L" @(SN_localityName) : // "L"
@ -285,6 +290,7 @@ NS_ASSUME_NONNULL_BEGIN
@(SN_countryName) : // "C" @(SN_countryName) : // "C"
@"US", @"US",
}; };
if (![properties isEqualToDictionary:expectedProperties]) { if (![properties isEqualToDictionary:expectedProperties]) {
OWSFail(@"%@ Unexpected certificate properties. %@ != %@", self.logTag, expectedProperties, properties); OWSFail(@"%@ Unexpected certificate properties. %@ != %@", self.logTag, expectedProperties, properties);
return NO; return NO;
@ -307,7 +313,7 @@ NS_ASSUME_NONNULL_BEGIN
return nil; return nil;
} }
X509_NAME *_Nullable subjectName = X509_get_issuer_name(certificateX509); X509_NAME *_Nullable subjectName = X509_get_subject_name(certificateX509);
if (!subjectName) { if (!subjectName) {
OWSFail(@"%@ could not extract subject name.", self.logTag); OWSFail(@"%@ could not extract subject name.", self.logTag);
return nil; return nil;
@ -346,8 +352,6 @@ NS_ASSUME_NONNULL_BEGIN
OWSFail(@"%@ could not parse entry name data.", self.logTag); OWSFail(@"%@ could not parse entry name data.", self.logTag);
return nil; return nil;
} }
DDLogVerbose(@"%@ certificate[%@]: %@", self.logTag, oid, entryString);
[DDLog flushLog];
certificateProperties[oid] = entryString; certificateProperties[oid] = entryString;
} }
return certificateProperties; return certificateProperties;

56
SignalServiceKit/src/Contacts/ContactDiscoveryService.m
Unescape Escape View File

@ -470,29 +470,6 @@ NS_ASSUME_NONNULL_BEGIN
DDLogVerbose(@"%@ remote attestation complete.", self.logTag); DDLogVerbose(@"%@ remote attestation complete.", self.logTag);
//+ RemoteAttestation remoteAttestation = new RemoteAttestation(requestId, keys);
//+ List<String> addressBook = new LinkedList<>();
//+
//+ for (String e164number : e164numbers) {
//+ addressBook.add(e164number.substring(1));
//+ }
//+
//+ DiscoveryRequest request = cipher.createDiscoveryRequest(addressBook, remoteAttestation);
//+ DiscoveryResponse response = this.pushServiceSocket.getContactDiscoveryRegisteredUsers(authorization,
//request, attestationResponse.second(), mrenclave);
//+ byte[] data = cipher.getDiscoveryResponseData(response, remoteAttestation);
//+
//+ Iterator<String> addressBookIterator = addressBook.iterator();
//+ List<String> results = new LinkedList<>();
//+
//+ for (byte aData : data) {
//+ String candidate = addressBookIterator.next();
//+
//+ if (aData != 0) results.add('+' + candidate);
//+ }
//+
//+ return results;
return result; return result;
} }
@ -679,39 +656,6 @@ NS_ASSUME_NONNULL_BEGIN
return decryptedData; return decryptedData;
} }
// A successful (HTTP 200) response json object consists of:
// serverEphemeralPublic: (32 bytes, base64) an ephemeral curve25519 public key generated by the server
// serverStaticPublic: (32 bytes, base64) a static curve25519 public key generated by the server
// ciphertext: (variable length, base64) a "request id" to be decrypted by the client (see below for derivation
// of server_key) (ciphertext, tag) = AES-256-GCM(key=server_key, plaintext=requestId, AAD=(), iv) iv: (12
// bytes, base64) an IV for encrypted ciphertext tag: (16 bytes, base64) a MAC for encrypted ciphertext
// quote: (variable length, base64) a binary structure from an Intel CPU containing runtime information
// about a running enclave signatureBody: (json object) a response from Intel Attestation Services attesting to
// the genuineness of the Quote signature: (base64) a signature over signatureBody, with public key in
// corresponding signing certificate certificates: (url-encoded PEM) signing certificate chain The response also
// contains HTTP session cookies which must be preserved for exactly one corresponding Contact Discovery request.
//
// After this PUT response is received, the client must:
// parse and verify fields in quote (see sample client code for parsing details):
// report_data: (64 bytes) must equal (serverStaticPublic || 0 ...)
// mrenclave: (32 bytes) must equal the request's enclaveId
// flags: (8 bytes) debug flag must be unset, as well as being validated against expected values during
// parsing all other fields must be validated against a range of expected values during parsing (as shown in example
// parsing code), but are otherwise ignored See client/src/main/java/org/whispersystems/contactdiscovery/Quote.java parse
// and verify fields in signatureBody json object: isvEnclaveQuoteBody: (base64) must equal quote
// isvEnclaveQuoteStatus: (ascii) must equal "OK"
//"GROUP_OUT_OF_DATE" may be allowed for testing only
// timestamp: (ascii) UTC timestamp formatted as "yyyy-MM-dd'T'HH:mm:ss.SSSSSS" which must fall within the
// last 24h verify validity of signature over signatureBody using the public key contained in the leaf signing
// certificate in certificates verify signing certificates chain, with fixed trust anchors to be hard-coded in clients
// client/src/main/java/org/whispersystems/contactdiscovery/SigningCertificate.java contains X.509 PKI certificate chain
// validation code to follow
//
// After Curve25519-DH/HKDF key derivation upon the three public keys (client ephemeral private key, server ephemeral
// public key, and server static public key, described below), the client can now decrypt the ciphertext in the Remote
// Attestation Response containing a requestId to be sent along with a Contact Discovery request, and encrypt the body of
// a Contact Discovery request using client_key, bound for the enclave it performed attestation with.
@end @end
NS_ASSUME_NONNULL_END NS_ASSUME_NONNULL_END

Write Preview
Loading…
Cancel
Save