From a1d6161ac067deaf768bc0f4460cb1f14f4dbd80 Mon Sep 17 00:00:00 2001 From: Goncalo Frade Date: Sat, 7 Dec 2024 14:22:20 +0000 Subject: [PATCH] fix: use case where RSA to and from JWK would cause an issue PR submitted for the fix https://github.com/krzyzanowskim/CryptoSwift/pull/1060 --- Package.swift | 7 ++- .../KeyManagement/JWKRepresentable.swift | 11 +++++ .../RSA/RSA15KeyUnwrap+KeyUnwrapping.swift | 29 +++++++------ .../RSAOAEP256KeyUnwrap+KeyUnwrapping.swift | 29 +++++++------ .../RSA/RSAOAEPKeyUnwrap+KeyUnwrapping.swift | 43 +++++++------------ .../Signatures/RSA/Helpers/RSA+Security.swift | 3 +- 6 files changed, 67 insertions(+), 55 deletions(-) diff --git a/Package.swift b/Package.swift index 9f7e02a..d878b09 100644 --- a/Package.swift +++ b/Package.swift @@ -34,7 +34,8 @@ let package = Package( // For `secp256k1` support .package(url: "https://github.com/GigaBitcoin/secp256k1.swift.git", .upToNextMinor(from: "0.15.0")), // For `AES_CBC_HMAC_SHA2`, `PBES2` and RSA DER encoding support - .package(url: "https://github.com/krzyzanowskim/CryptoSwift.git", .upToNextMinor(from: "1.8.1")) + // Changing to a fork I made while I create a PR, since I found a bug + .package(url: "https://github.com/beatt83/CryptoSwift.git", .upToNextMinor(from: "1.8.5")) // FOR `A256_CBC_HS512` with `ECDH-1PU-A256KW` ], targets: [ @@ -98,6 +99,10 @@ let package = Package( name: "JWTTests", dependencies: ["JSONWebToken", "Tools"] ), + .testTarget( + name: "ExampleTests", + dependencies: ["JSONWebToken", "JSONWebKey", "JSONWebEncryption", "JSONWebSignature", "Tools"] + ), .target( name: "Tools" ), diff --git a/Sources/JSONWebAlgorithms/KeyManagement/JWKRepresentable.swift b/Sources/JSONWebAlgorithms/KeyManagement/JWKRepresentable.swift index 41ecafe..0f40014 100644 --- a/Sources/JSONWebAlgorithms/KeyManagement/JWKRepresentable.swift +++ b/Sources/JSONWebAlgorithms/KeyManagement/JWKRepresentable.swift @@ -342,6 +342,15 @@ extension Curve25519.Signing.PrivateKey: JWKRepresentable { } } +extension SymmetricKey: JWKRepresentable { + public var jwkRepresentation: JWK { + JWK( + keyType: .octetSequence, + key: Data(bytes) + ) + } +} + extension Curve25519.Signing.PublicKey: JWKRepresentable { /// Returns the JWK representation of a `Curve25519.KeyAgreement.PublicKey` instance. public var jwkRepresentation: JWK { @@ -359,6 +368,8 @@ extension CryptoSwift.RSA: JWKRepresentable { JWK( keyType: .rsa, e: e.serialize(), + p: primes?.p.serialize(), + q: primes?.q.serialize(), n: n.serialize(), d: d?.serialize() ) diff --git a/Sources/JSONWebAlgorithms/KeyManagement/KeyEncryption/RSA/RSA15KeyUnwrap+KeyUnwrapping.swift b/Sources/JSONWebAlgorithms/KeyManagement/KeyEncryption/RSA/RSA15KeyUnwrap+KeyUnwrapping.swift index 0726450..15493c2 100644 --- a/Sources/JSONWebAlgorithms/KeyManagement/KeyEncryption/RSA/RSA15KeyUnwrap+KeyUnwrapping.swift +++ b/Sources/JSONWebAlgorithms/KeyManagement/KeyEncryption/RSA/RSA15KeyUnwrap+KeyUnwrapping.swift @@ -40,20 +40,23 @@ public struct RSA15KeyUnwrap: KeyUnwrapping { guard let e = using.e else { throw JWK.Error.missingEComponent } - guard let d = using.d else { - throw JWK.Error.missingDComponent - } - guard let p = using.p, let q = using.q else { - throw JWK.Error.missingPrimesComponent - } - let rsaPrivateKey = try CryptoSwift.RSA( - n: BigUInteger(n), - e: BigUInteger(e), - d: BigUInteger(d), - p: BigUInteger(p), - q: BigUInteger(q) - ) + let rsaPrivateKey: CryptoSwift.RSA + if let p = using.p, let q = using.q, let d = using.d { + rsaPrivateKey = try CryptoSwift.RSA( + n: BigUInteger(n), + e: BigUInteger(e), + d: BigUInteger(d), + p: BigUInteger(p), + q: BigUInteger(q) + ) + } else { + rsaPrivateKey = CryptoSwift.RSA( + n: BigUInteger(n), + e: BigUInteger(e), + d: using.d.map { BigUInteger($0) } + ) + } let derEncodedRSAPrivateKey = try rsaPrivateKey.externalRepresentation() let attributes: [String: Any] = [ kSecAttrKeyType as String: kSecAttrKeyTypeRSA, diff --git a/Sources/JSONWebAlgorithms/KeyManagement/KeyEncryption/RSA/RSAOAEP256KeyUnwrap+KeyUnwrapping.swift b/Sources/JSONWebAlgorithms/KeyManagement/KeyEncryption/RSA/RSAOAEP256KeyUnwrap+KeyUnwrapping.swift index bcda825..1c67d4f 100644 --- a/Sources/JSONWebAlgorithms/KeyManagement/KeyEncryption/RSA/RSAOAEP256KeyUnwrap+KeyUnwrapping.swift +++ b/Sources/JSONWebAlgorithms/KeyManagement/KeyEncryption/RSA/RSAOAEP256KeyUnwrap+KeyUnwrapping.swift @@ -40,20 +40,23 @@ public struct RSAOAEP256KeyUnwrap: KeyUnwrapping { guard let e = using.e else { throw JWK.Error.missingEComponent } - guard let d = using.d else { - throw JWK.Error.missingDComponent - } - guard let p = using.p, let q = using.q else { - throw JWK.Error.missingPrimesComponent + + let rsaPrivateKey: CryptoSwift.RSA + if let p = using.p, let q = using.q, let d = using.d { + rsaPrivateKey = try CryptoSwift.RSA( + n: BigUInteger(n), + e: BigUInteger(e), + d: BigUInteger(d), + p: BigUInteger(p), + q: BigUInteger(q) + ) + } else { + rsaPrivateKey = CryptoSwift.RSA( + n: BigUInteger(n), + e: BigUInteger(e), + d: using.d.map { BigUInteger($0) } + ) } - - let rsaPrivateKey = try CryptoSwift.RSA( - n: BigUInteger(n), - e: BigUInteger(e), - d: BigUInteger(d), - p: BigUInteger(p), - q: BigUInteger(q) - ) let derEncodedRSAPrivateKey = try rsaPrivateKey.externalRepresentation() let attributes: [String: Any] = [ kSecAttrKeyType as String: kSecAttrKeyTypeRSA, diff --git a/Sources/JSONWebAlgorithms/KeyManagement/KeyEncryption/RSA/RSAOAEPKeyUnwrap+KeyUnwrapping.swift b/Sources/JSONWebAlgorithms/KeyManagement/KeyEncryption/RSA/RSAOAEPKeyUnwrap+KeyUnwrapping.swift index 4c95411..330363c 100644 --- a/Sources/JSONWebAlgorithms/KeyManagement/KeyEncryption/RSA/RSAOAEPKeyUnwrap+KeyUnwrapping.swift +++ b/Sources/JSONWebAlgorithms/KeyManagement/KeyEncryption/RSA/RSAOAEPKeyUnwrap+KeyUnwrapping.swift @@ -40,35 +40,24 @@ public struct RSAOAEPKeyUnwrap: KeyUnwrapping { guard let e = using.e else { throw JWK.Error.missingEComponent } - guard let d = using.d else { - throw JWK.Error.missingDComponent - } - guard let p = using.p, let q = using.q else { - throw JWK.Error.missingPrimesComponent + let rsaPrivateKey: CryptoSwift.RSA + if let p = using.p, let q = using.q, let d = using.d { + rsaPrivateKey = try CryptoSwift.RSA( + n: BigUInteger(n), + e: BigUInteger(e), + d: BigUInteger(d), + p: BigUInteger(p), + q: BigUInteger(q) + ) + } else { + rsaPrivateKey = CryptoSwift.RSA( + n: BigUInteger(n), + e: BigUInteger(e), + d: using.d.map { BigUInteger($0) } + ) } - let rsaPrivateKey = try CryptoSwift.RSA( - n: BigUInteger(n), - e: BigUInteger(e), - d: BigUInteger(d), - p: BigUInteger(p), - q: BigUInteger(q) - ) - let derEncodedRSAPrivateKey = try rsaPrivateKey.externalRepresentation() - let attributes: [String: Any] = [ - kSecAttrKeyType as String: kSecAttrKeyTypeRSA, - kSecAttrKeyClass as String: kSecAttrKeyClassPrivate, - kSecAttrKeySizeInBits as String: n.count * 8, - kSecAttrIsPermanent as String: false, - ] - var error: Unmanaged? - guard let rsaSecKey = SecKeyCreateWithData( - derEncodedRSAPrivateKey as CFData, - attributes as CFDictionary, - &error - ) else { - throw CryptoError.securityLayerError(internalStatus: nil, internalError: error?.takeRetainedValue()) - } + let rsaSecKey = try rsaPrivateKey.getSecKey() let secKeyAlgorithm = SecKeyAlgorithm.rsaEncryptionOAEPSHA1 var decryptionError: Unmanaged? guard let plaintext = SecKeyCreateDecryptedData( diff --git a/Sources/JSONWebAlgorithms/Signatures/RSA/Helpers/RSA+Security.swift b/Sources/JSONWebAlgorithms/Signatures/RSA/Helpers/RSA+Security.swift index caf9732..657d001 100644 --- a/Sources/JSONWebAlgorithms/Signatures/RSA/Helpers/RSA+Security.swift +++ b/Sources/JSONWebAlgorithms/Signatures/RSA/Helpers/RSA+Security.swift @@ -20,10 +20,11 @@ import Security extension RSA { func getSecKey() throws -> SecKey { + // CryptoSwift doesnt make much sense here, if you call externalRepresentation the condiction for public or private is if the primes exist let raw = try externalRepresentation() let attributes: [String: Any] = [ kSecAttrKeyType as String: kSecAttrKeyTypeRSA, - kSecAttrKeyClass as String: d != nil ? kSecAttrKeyClassPrivate : kSecAttrKeyClassPublic, + kSecAttrKeyClass as String: d == nil ? kSecAttrKeyClassPublic : kSecAttrKeyClassPrivate, kSecAttrKeySizeInBits as String: keySize, kSecAttrIsPermanent as String: false ]