ECC key support

IB-8381

Signed-off-by: Raul Metsma <raul@metsma.ee>

Author: metsma

CMakeLists.txt

@@ -14,12 +14,13 @@ set(VERSION ${PROJECT_VERSION}.${BUILD_NUMBER})
 set_env( CONFIG_URL "https://id.eesti.ee/config.json" CACHE STRING "Set Config URL" )
 set_env( SIGNCERT "" CACHE STRING "Common name of certificate to used sign binaries, empty skip signing" )
 add_definitions( -DCONFIG_URL="${CONFIG_URL}" )
-string( REPLACE ".json" ".pub" PUB_URL ${CONFIG_URL} )
-file( DOWNLOAD ${PUB_URL} ${CMAKE_CURRENT_BINARY_DIR}/config.pub )
+string( REPLACE ".json" ".ecpub" PUB_URL ${CONFIG_URL} )
+message("Fetching pub key: ${PUB_URL}")
+file(DOWNLOAD ${PUB_URL} ${CMAKE_CURRENT_BINARY_DIR}/config.ecpub)
 
 if( APPLE )
 	add_custom_command( OUTPUT config.h
-		COMMAND xxd -i config.pub config.h
+		COMMAND xxd -i config.ecpub config.h
 		COMMENT "Generating config.h"
 	)
 	include_directories( ${CMAKE_CURRENT_BINARY_DIR} )
@@ -93,9 +94,9 @@ else()
 	if(NOT EXISTS ${CMAKE_SOURCE_DIR}/common/CMakeLists.txt)
 		message(FATAL_ERROR "cmake submodule directory empty, did you 'git clone --recursive'?")
 	endif()
-	file( DOWNLOAD ${CONFIG_URL} ${CMAKE_CURRENT_BINARY_DIR}/config.json )
-	string( REPLACE ".json" ".rsa" RSA_URL ${CONFIG_URL} )
-	file( DOWNLOAD ${RSA_URL} ${CMAKE_CURRENT_BINARY_DIR}/config.rsa )
+	file(DOWNLOAD ${CONFIG_URL} ${CMAKE_CURRENT_BINARY_DIR}/config.json)
+	string(REPLACE ".json" ".ecc" ECC_URL ${CONFIG_URL})
+	file(DOWNLOAD ${ECC_URL} ${CMAKE_CURRENT_BINARY_DIR}/config.ecc)
 	set(CONFIG_DIR ${CMAKE_CURRENT_BINARY_DIR})
 
 	find_package(OpenSSL 3.0.0 REQUIRED)
@@ -142,7 +143,7 @@ else()
 	)
 	qt_add_resources(${PROJECT_NAME} icon FILES appicon.png)
 	qt_add_resources(${PROJECT_NAME} config BASE ${CONFIG_DIR} PREFIX / FILES
-		${CONFIG_DIR}/config.json ${CONFIG_DIR}/config.rsa ${CONFIG_DIR}/config.pub
+		${CONFIG_DIR}/config.json ${CONFIG_DIR}/config.ecc ${CONFIG_DIR}/config.ecpub
 	)
 
 	if(OPENSSL_ROOT_DIR)

common

@@ -18,7 +18,6 @@
  */
 
 #import "update.h"
-#include <CoreFoundation/CoreFoundation.h>
 
 #import <CryptoTokenKit/CryptoTokenKit.h>
 #import <Security/Security.h>
@@ -35,15 +34,23 @@ @implementation Update {
 
 - (instancetype)init {
     NSString *pem = @((char*)config_pub);
-    pem = [pem stringByReplacingOccurrencesOfString:@"-----BEGIN RSA PUBLIC KEY-----" withString:@""];
-    pem = [pem stringByReplacingOccurrencesOfString:@"-----END RSA PUBLIC KEY-----" withString:@""];
+    pem = [pem stringByReplacingOccurrencesOfString:@"-----BEGIN PUBLIC KEY-----" withString:@""];
+    pem = [pem stringByReplacingOccurrencesOfString:@"-----END PUBLIC KEY-----" withString:@""];
     NSData *keyData = [[NSData alloc] initWithBase64EncodedString:pem options:NSDataBase64DecodingIgnoreUnknownCharacters];
+    TKTLVRecord *record = [TKBERTLVRecord recordFromData:keyData];
+    NSData *eckey;
+    for (TKTLVRecord *nestedRecord in [TKBERTLVRecord sequenceOfRecordsFromData:record.value]) {
+        if (nestedRecord.tag == 0x03) {
+            eckey = nestedRecord.value;
+            eckey = [eckey subdataWithRange:NSMakeRange(1, eckey.length - 1)];
+        }
+    }
     NSDictionary *parameters = @{
-        (__bridge id)kSecAttrKeyType: (__bridge id)kSecAttrKeyTypeRSA,
-        (__bridge id)kSecAttrKeyClass: (__bridge id)kSecAttrKeyClassPublic
+        (__bridge id)kSecAttrKeyType: (__bridge id)kSecAttrKeyTypeEC,
+        (__bridge id)kSecAttrKeyClass: (__bridge id)kSecAttrKeyClassPublic,
     };
     CFErrorRef err = nil;
-    key = CFBridgingRelease(SecKeyCreateWithData((__bridge CFDataRef)keyData, (__bridge CFDictionaryRef)parameters, &err));
+    key = CFBridgingRelease(SecKeyCreateWithData((__bridge CFDataRef)eckey, (__bridge CFDictionaryRef)parameters, &err));
     if (key == nil) {
         NSLog(@"Failed to create key: %@", err);
         CFRelease(err);
@@ -90,7 +97,7 @@ - (BOOL)checkCertificatePinning:(NSURLAuthenticationChallenge *)challenge {
 
 - (void)request {
     NSURL *url = [NSURL URLWithString:@CONFIG_URL];
-    url = [url.URLByDeletingLastPathComponent URLByAppendingPathComponent:@"config.rsa"];
+    url = [url.URLByDeletingLastPathComponent URLByAppendingPathComponent:@"config.ecc"];
     NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:url
         cachePolicy:NSURLRequestReloadIgnoringLocalCacheData timeoutInterval:10];
     [request addValue:[self userAgent:YES] forHTTPHeaderField:@"User-Agent"];
@@ -191,9 +198,17 @@ - (void)URLSession:(NSURLSession *)session didReceiveChallenge:(NSURLAuthenticat
 }
 
 - (void)receivedData:(NSData *)data withSignature:(NSData *)signature {
+    NSDictionary<NSString*, id> *attributes = CFBridgingRelease(SecKeyCopyAttributes((__bridge SecKeyRef)key));
+    NSNumber *keySize = attributes[(__bridge NSString*)kSecAttrKeySizeInBits];
+    SecKeyAlgorithm algorithm = kSecKeyAlgorithmECDSASignatureMessageX962SHA512;
+    switch (keySize.unsignedIntValue) {
+        case 256: algorithm = kSecKeyAlgorithmECDSASignatureMessageX962SHA256; break;
+        case 384: algorithm = kSecKeyAlgorithmECDSASignatureMessageX962SHA384; break;
+        default: break;
+    }
     CFErrorRef err = nil;
-    BOOL isValid = SecKeyVerifySignature((__bridge SecKeyRef)key, kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA512,
-                                         (__bridge CFDataRef)data, (__bridge CFDataRef)signature, &err);
+    BOOL isValid = SecKeyVerifySignature((__bridge SecKeyRef)key, algorithm, (__bridge CFDataRef)data,
+                                         (__bridge CFDataRef)signature, &err);
     if (!isValid) {
         NSLog(@"Verify error: %@", err);
         CFRelease(err);