mirror
/
CryptoSwift
mirror of https://github.com/krzyzanowskim/CryptoSwift.git


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228
							//
//  CryptoSwift
//
//  Copyright (C) 2014-2021 Marcin Krzyżanowski <marcin@krzyzanowskim.com>
//  This software is provided 'as-is', without any express or implied warranty.
//
//  In no event will the authors be held liable for any damages arising from the use of this software.
//
//  Permission is granted to anyone to use this software for any purpose,including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:
//
//  - The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation is required.
//  - Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.
//  - This notice may not be removed or altered from any source or binary distribution.
//

import Foundation

// MARK: Signatures & Verification

extension RSA: Signature {
  public func sign(_ bytes: ArraySlice<UInt8>) throws -> Array<UInt8> {
    try self.sign(Array(bytes), variant: .message_pkcs1v15_SHA256)
  }

  /// Signs the data using the Private key and the specified signature variant
  /// - Parameters:
  ///   - bytes: The data to be signed
  ///   - variant: The variant to use (`digest` variants expect a pre-hashed digest matching that of the specified hash function, `message` variants will hash the data using the specified hash function before signing it)
  /// - Returns: The signature of the data
  public func sign(_ bytes: Array<UInt8>, variant: SignatureVariant) throws -> Array<UInt8> {
    // Check for Private Exponent presence
    guard let d = d else { throw RSA.Error.noPrivateKey }

    // Hash & Encode Message
    let hashedAndEncoded = try RSA.hashedAndEncoded(bytes, variant: variant, keySizeInBytes: self.keySize / 8)

    /// Calculate the Signature
    let signedData = BigUInteger(Data(hashedAndEncoded)).power(d, modulus: self.n).serialize().bytes

    return signedData
  }

  public func verify(signature: ArraySlice<UInt8>, for expectedData: ArraySlice<UInt8>) throws -> Bool {
    try self.verify(signature: Array(signature), for: Array(expectedData), variant: .message_pkcs1v15_SHA256)
  }

  /// Verifies whether a Signature is valid for the provided data
  /// - Parameters:
  ///   - signature: The signature to verify
  ///   - expectedData: The original data that you expected to have been signed
  ///   - variant: The variant used to sign the data
  /// - Returns: `True` when the signature is valid for the expected data, `False` otherwise.
  ///
  /// [IETF Verification Spec](https://datatracker.ietf.org/doc/html/rfc8017#section-8.2.2)
  public func verify(signature: Array<UInt8>, for bytes: Array<UInt8>, variant: SignatureVariant) throws -> Bool {
    /// Step 1: Ensure the signature is the same length as the key's modulus
    guard signature.count == (self.keySize / 8) || (signature.count - 1) == (self.keySize / 8) else { throw Error.invalidSignatureLength }

    let expectedData = try Array<UInt8>(RSA.hashedAndEncoded(bytes, variant: variant, keySizeInBytes: self.keySize / 8).dropFirst())

    /// Step 2: 'Decrypt' the signature
    let signatureResult = BigUInteger(Data(signature)).power(self.e, modulus: self.n).serialize().bytes

    /// Step 3: Compare the 'decrypted' signature with the prepared / encoded expected message....
    guard signatureResult == expectedData else { return false }

    return true
  }

  /// Hashes and Encodes a message for signing and verifying
  ///
  /// - Note: [EMSA-PKCS1-v1_5](https://datatracker.ietf.org/doc/html/rfc8017#section-9.2)
  fileprivate static func hashedAndEncoded(_ bytes: [UInt8], variant: SignatureVariant, keySizeInBytes: Int) throws -> Array<UInt8> {
    /// 1.  Apply the hash function to the message M to produce a hash
    let hashedMessage = variant.calculateHash(bytes)

    guard variant.enforceLength(hashedMessage) else { throw RSA.Error.invalidMessageLengthForSigning }

    /// 2. Encode the algorithm ID for the hash function and the hash value into an ASN.1 value of type DigestInfo
    /// PKCS#1_15 DER Structure (OID == sha256WithRSAEncryption)
    let asn: ASN1.Node = .sequence(nodes: [
      .sequence(nodes: [
        .objectIdentifier(data: Data(variant.identifier)),
        .null
      ]),
      .octetString(data: Data(hashedMessage))
    ])

    let t = ASN1.Encoder.encode(asn)

    /// 3.  If emLen < tLen + 11, output "intended encoded message length too short" and stop
    //print("Checking Key Size: \(keySizeInBytes) < \(t.count + 11)")
    if keySizeInBytes < t.count + 11 { throw RSA.Error.invalidMessageLengthForSigning }

    /// 4.  Generate an octet string PS consisting of emLen - tLen - 3
    /// octets with hexadecimal value 0xff. The length of PS will be
    /// at least 8 octets.
    /// 5.  Concatenate PS, the DER encoding T, and other padding to form
    /// the encoded message EM as EM = 0x00 || 0x01 || PS || 0x00 || T.
    let padded = variant.pad(bytes: t, to: keySizeInBytes)

    /// Ensure the signature is of the correct length
    guard padded.count == keySizeInBytes else { throw RSA.Error.invalidMessageLengthForSigning }

    return padded
  }
}

extension RSA {
  public enum SignatureVariant {
    /// Hashes the raw message using MD5 before signing the data
    case message_pkcs1v15_MD5
    /// Hashes the raw message using SHA1 before signing the data
    case message_pkcs1v15_SHA1
    /// Hashes the raw message using SHA224 before signing the data
    case message_pkcs1v15_SHA224
    /// Hashes the raw message using SHA256 before signing the data
    case message_pkcs1v15_SHA256
    /// Hashes the raw message using SHA384 before signing the data
    case message_pkcs1v15_SHA384
    /// Hashes the raw message using SHA512 before signing the data
    case message_pkcs1v15_SHA512
    /// Hashes the raw message using SHA512-224 before signing the data
    case message_pkcs1v15_SHA512_224
    /// Hashes the raw message using SHA512-256 before signing the data
    case message_pkcs1v15_SHA512_256
    /// This variant isn't supported yet
    case digest_pkcs1v15_RAW
    /// This variant expects that the data to be signed is a valid MD5 Hash Digest
    case digest_pkcs1v15_MD5
    /// This variant expects that the data to be signed is a valid SHA1 Hash Digest
    case digest_pkcs1v15_SHA1
    /// This variant expects that the data to be signed is a valid SHA224 Hash Digest
    case digest_pkcs1v15_SHA224
    /// This variant expects that the data to be signed is a valid SHA256 Hash Digest
    case digest_pkcs1v15_SHA256
    /// This variant expects that the data to be signed is a valid SHA384 Hash Digest
    case digest_pkcs1v15_SHA384
    /// This variant expects that the data to be signed is a valid SHA512 Hash Digest
    case digest_pkcs1v15_SHA512
    /// This variant expects that the data to be signed is a valid SHA512-224 Hash Digest
    case digest_pkcs1v15_SHA512_224
    /// This variant expects that the data to be signed is a valid SHA512-256 Hash Digest
    case digest_pkcs1v15_SHA512_256

    internal var identifier: Array<UInt8> {
      switch self {
        case .digest_pkcs1v15_RAW: return []
        case .message_pkcs1v15_MD5, .digest_pkcs1v15_MD5: return Array<UInt8>(arrayLiteral: 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05)
        case .message_pkcs1v15_SHA1, .digest_pkcs1v15_SHA1: return Array<UInt8>(arrayLiteral: 0x2b, 0x0e, 0x03, 0x02, 0x1a)
        case .message_pkcs1v15_SHA256, .digest_pkcs1v15_SHA256: return Array<UInt8>(arrayLiteral: 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01)
        case .message_pkcs1v15_SHA384, .digest_pkcs1v15_SHA384: return Array<UInt8>(arrayLiteral: 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02)
        case .message_pkcs1v15_SHA512, .digest_pkcs1v15_SHA512: return Array<UInt8>(arrayLiteral: 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03)
        case .message_pkcs1v15_SHA224, .digest_pkcs1v15_SHA224: return Array<UInt8>(arrayLiteral: 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04)
        case .message_pkcs1v15_SHA512_224, .digest_pkcs1v15_SHA512_224: return Array<UInt8>(arrayLiteral: 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x05)
        case .message_pkcs1v15_SHA512_256, .digest_pkcs1v15_SHA512_256: return Array<UInt8>(arrayLiteral: 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x06)
      }
    }

    internal func calculateHash(_ bytes: Array<UInt8>) -> Array<UInt8> {
      switch self {
        case .message_pkcs1v15_MD5:
          return Digest.md5(bytes)
        case .message_pkcs1v15_SHA1:
          return Digest.sha1(bytes)
        case .message_pkcs1v15_SHA224:
          return Digest.sha224(bytes)
        case .message_pkcs1v15_SHA256:
          return Digest.sha256(bytes)
        case .message_pkcs1v15_SHA384:
          return Digest.sha384(bytes)
        case .message_pkcs1v15_SHA512:
          return Digest.sha512(bytes)
        case .message_pkcs1v15_SHA512_224:
          return Digest.sha2(bytes, variant: .sha224)
        case .message_pkcs1v15_SHA512_256:
          return Digest.sha2(bytes, variant: .sha256)
        case .digest_pkcs1v15_RAW,
             .digest_pkcs1v15_MD5,
             .digest_pkcs1v15_SHA1,
             .digest_pkcs1v15_SHA224,
             .digest_pkcs1v15_SHA256,
             .digest_pkcs1v15_SHA384,
             .digest_pkcs1v15_SHA512,
             .digest_pkcs1v15_SHA512_224,
             .digest_pkcs1v15_SHA512_256:
          return bytes
      }
    }

    internal func enforceLength(_ bytes: Array<UInt8>) -> Bool {
      switch self {
        case .digest_pkcs1v15_MD5:
          return bytes.count <= 16
        case .digest_pkcs1v15_SHA1:
          return bytes.count <= 20
        case .digest_pkcs1v15_SHA224:
          return bytes.count <= 28
        case .digest_pkcs1v15_SHA256:
          return bytes.count <= 32
        case .digest_pkcs1v15_SHA384:
          return bytes.count <= 48
        case .digest_pkcs1v15_SHA512:
          return bytes.count <= 64
        case .digest_pkcs1v15_SHA512_224:
          return bytes.count <= 28
        case .digest_pkcs1v15_SHA512_256:
          return bytes.count <= 32
        case .message_pkcs1v15_MD5,
             .message_pkcs1v15_SHA1,
             .message_pkcs1v15_SHA224,
             .message_pkcs1v15_SHA256,
             .message_pkcs1v15_SHA384,
             .message_pkcs1v15_SHA512,
             .message_pkcs1v15_SHA512_224,
             .message_pkcs1v15_SHA512_256:
          return true
        default:
          return false
      }
    }

    /// Right now the only Padding Scheme supported is [EMCS-PKCS1v15](https://www.rfc-editor.org/rfc/rfc8017#section-9.2) (others include [EMSA-PSS](https://www.rfc-editor.org/rfc/rfc8017#section-9.1))
    internal func pad(bytes: Array<UInt8>, to blockSize: Int) -> Array<UInt8> {
      return Padding.emsa_pkcs1v15.add(to: bytes, blockSize: blockSize)
    }
  }
}