SecCertificateCopyPublicKey is deprecated in iOS 12 and macOS 10.14 in favor of SecCertificateCopyKey. This change introduces the use of the new API for all platforms that support it.

Description

Simply uses the new API when available and falls back to the legacy API when not. Keeps support for pre-4.2 Swift, but wraps everything in compiler directives to allow builds on platforms that have no reference to the deprecated API.

The changes to the xcode project are from opening the project in a newer version of XCode. Content from 9.3 release notes:

Xcode 9.3 adds a new IDEWorkspaceChecks.plist file to a workspace's shared data, to store the state of necessary workspace checks. Committing this file to source control will prevent unnecessary rerunning of those checks for each user opening the workspace. (37293167)

Motivation and Context

Previous to this patch, BlueRSA did not compile on macOS Catalyst. There is an existing pull request open, but the author has not responded in some time. Moreover, it appears SecCertificateCopyKey is already used for clients that support it, however, the codepath using the deprecated API was not wrapped in a compiler directive and the compiler still failed.

Resolves #59

How Has This Been Tested?

Built and run on macOS and iOS. Ran tests on the macOS target.

Checklist:

• [x] I have submitted a CLA form
• [x] If applicable, I have updated the documentation accordingly.
• [x] If applicable, I have added tests to cover my changes.

Starting with starting with Swift 4.0 all CF types already conform to Hashable. Therefore this extension is not needed anymore.

Description

Pre Swift 4.0 this extension was required but since the minimal swift version of this package is 4.0 this part of the code is not needed anymore. The corresponding implementation in the swift stdlib can be found here.

Motivation and Context

Recent changes in the Swift runtime indicate that the order in which protocol conformances are loaded is not guaranteed and might change with swift 5.4 which will ship with the upcoming Xcode release (12.5). Therefore the CFString extension of this package might produce unwanted side-effects for the application which is using this package.

How Has This Been Tested?

Built and run on macOS and iOS. Ran tests on the macOS target.

We had reports of a memory leak when using this repo on Linux. I have tracked down places where we allocate memory and added deallocate functions to fix the leaks.

In order to use this package in catalyst projects SecCertificateCopyPublicKey was deprecated and needed to change to the supported Method SecCertificateCopyKey(certData) Method.

Description

In order to use this package in catalyst projects SecCertificateCopyPublicKey was deprecated and needed to change to the supported Method SecCertificateCopyKey(certData) Method.

Resources: Deprecation - https://developer.apple.com/documentation/security/1396096-seccertificatecopypublickey New Method - https://developer.apple.com/documentation/security/2963103-seccertificatecopykey

Motivation and Context

I'd like to use it in my macOS, iPadOS and iOS project suppored by Catalyst.

How Has This Been Tested?

I have a project which has iOS, iPadOS and macOS as deployment targets. I use the deployment version iOS 13.1 and macOS 10.15 (catalina). The dependency management is Swift Package Manager. My dynamic framwork has the SwiftJWT package as dependency and uses BlueRSA in order to create the JWT.

Building and running the project on iOS works fine but macOS catalyst does not know the deprecated method SecCertificateCopyPublicKey. Since catalyst the new method SecCertificateCopyKey has to be used in order to support catalyst.

Resources: Deprecation - https://developer.apple.com/documentation/security/1396096-seccertificatecopypublickey New Method - https://developer.apple.com/documentation/security/2963103-seccertificatecopykey

Checklist:

• [ ] I have submitted a CLA form (Just changed to the new method and remove the deprecation.)
• [x] If applicable, I have updated the documentation accordingly. (no changes necessary)
• [x] If applicable, I have added tests to cover my changes. (see above)

When trying to use the BlueRSA pod for iOS I get the following error:

The platform of the target `CocoapodsTest` (iOS 12.0) is not compatible with `BlueRSA (1.0.17)`, which does not support `ios`

when comparing the podspec of BlueRSA to BlueCryptor I saw that:

s.ios.deployment_target = "10.0"

Was missing. In the readme it states the BlueRSA runs on iOS 10 or higher so I would expect this to work.

There is not a reference to the BlueRSA pod but I assume it is intended to support this?

Description

This pull request adds usePSS flag to sign and verify. This allows you to use RSA-PSS for signing and verifying. If the flag is set to true the functions will use RSA_PKCS1_PSS_PADDING, a salt the length of the digest and MGF1 mask generation function to sign or verify.

Motivation and Context

This change is required because "In general, RSA-PSS should be used as a replacement for RSA-PKCS#1 v1.5".

It also allows us to support PS256 and PS384 signing/verifying with JWTs as requested by SwiftJWT issue #55

How Has This Been Tested?

Tests have been added covering the new algorithms and the produced signatures have been tested against JWT.io both that one we create is valid and we can verify a valid one created by JWT.io.

Checklist:

• [x] I have submitted a CLA form
• [x] If applicable, I have updated the documentation accordingly.
• [x] If applicable, I have added tests to cover my changes.

I removed header and footer lines in my private key file and use:

let privateKey = try CryptorRSA.createPrivateKey(withBase64: base64String)

it works well on Mac OS but on Linux it crashes with error:

Fatal error: Unexpectedly found nil while unwrapping an Optional value

When you encrypt some data using a public key on MacOS into an Encrypted data, you can decrypt this data on MacOS, However if you try to decrypt the same data on Linux it doesn't work. This means that is data is encrypted on MacOS it cannot be decrypted on Linux.

You can replicate this with the following code:

let publicKey = """
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDpbnF5g5bt9mjweE5nZioLAPKI
l31qj5/ht4i62gsEg/6R/GMBIAhUEgfr9n3H0jIKRoI0BvVH6+fUB9pKoMUdRu3V
sAF9ExkuhwazpE1uIfRbf2IJHIAz5zX3emUdymHaPZPucQUF7G/XmOMK86qKl8Zd
d8Gl8cTFpRVMoSs4lwIDAQAB
-----END PUBLIC KEY-----
"""

let privateKey = """
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDpbnF5g5bt9mjweE5nZioLAPKIl31qj5/ht4i62gsEg/6R/GMB
IAhUEgfr9n3H0jIKRoI0BvVH6+fUB9pKoMUdRu3VsAF9ExkuhwazpE1uIfRbf2IJ
HIAz5zX3emUdymHaPZPucQUF7G/XmOMK86qKl8Zdd8Gl8cTFpRVMoSs4lwIDAQAB
AoGAcs/ZjDTGxWAPGUdy+LRtNWBP6hLoosLllnVZEN4x0RTC3zbN0z3YGtGLh+mC
0Ad4iUlIvSI2/hrvuX/rRA1zJRSWqmUi+K/IQtRqH4L29xfDT9yxVd5X61vb5dGs
nruBHBSdcfsLKrQZClAqGKNElVfLn5+vaf48hsm9de5lSRECQQD+WcQHRSEyuuWl
dW0qhfRBXjtqnvS1VQ+CmS4nzeAVfNLV8KzJvx/evoQ9KxbnwfN/fQkyniK0RzNs
kcXNZFsLAkEA6vHzWrQVtiQ5b8itwn3er7FWWy53SFLiy2MJCUBmm0Z2uJXox4Ym
nH2SoUVMHJOvqgdqcwz53RJIlMPkAMgwJQJAbYTDZon6qHhXR65PSh8RtE/Z76fw
IGA25HoGqLb6BOaRdfNCwz/bfjK0iA4Ut8gIi92P5062DMAXwWjnLfBHTwJBAM0E
p2xeO5f+0lQ2lVJkDj/Yi1f0G0j0c04yNL9rAF69RXpb7o62BNmIRr0OQJWrVp4T
7JNLHnsIqmeO7Va1WjUCQQDcY8s947hfiISXQ9o6auz33WyIRQWt/x0WdujVsxjM
JNHkkGxCfEjy9Z74EO8MoSddiM4+u7gPZsr5f6AZvMsj
-----END RSA PRIVATE KEY-----
"""

// Generate encrypted data
let key = try CryptorRSA.createPublicKey(withPEM: publicKey)
            let plaintext = try CryptorRSA.createPlaintext(with: "Hello World", using: .utf8)
            let encrypted = try plaintext.encrypted(with: key, algorithm: .sha256)

// encrypted.base64String on linux (216 char)
let linuxEncryptedHelloWorld = "VyG6sYjAAH3FtuOfN5BJWnScjVl5gAXTfThXbFNA0pU50pgPXEffV+T/4e9CchWHp6/8gpKNfuP7J2ly5577zwxnsLTHU3K2VlH2eq4UMEmKi3aZ9sUVzea3I5xvIoBVK0JVluNW4Wjld8Er1dB/1ZDwN94Qq9/TamNhiTD4a10XN5byzBn5D+lOFJ6RTk16Z4svXV3OjjvANYowxvXIeg=="

// encrypted.base64String on mac (208 char)
let macEncryptedHelloWorld = "JaLeZ4VhVoAENpa7EZZhsUpm2YmzfG9L496m0rtau4vR6wGKZ432l0xcfOkYjZeGN93/Fav82VNQEDonrWCUjEQuiodapbyne2r3HElhPwbbtEBVqeSI3XmJwTE8PH3Q7qGH9DxPxZf0dEhQAyoYNKQHVr4vumYanDNR+rGSvIQqPW37+JIt1zb0wjFaJVRUUsB8ELQzRD0yogM="

if let decryptedString = self.decrypt(base64EncryptedData: linuxEncryptedHelloWorld) {
    print("Successfully decrypted the Linux encrypted word: \(decryptedString)")
}
if let decryptedString = self.decrypt(base64EncryptedData: macEncryptedHelloWorld) {
    print("Successfully decrypted the Mac encrypted word: \(decryptedString)")
}
// Only the operating system you are currently running will be able to decode the encrypted word

On linux OpenSSL envelopes are used similar to this article On mac Security is used similar to this article

I did notice that the aes digest is different here. However, when you change to EVP_aes_128_gcm() the test fail.

There is an issue where systems using an older version of OpenSSL are not able to build, due to a type mismatch. The PR links to a branch I have made of the OpenSSL module map which now has a wrapper around the method in question (EVP_DigestVerifyFinal) to stop Swift complaining due to a type mismatch.

When the OpenSSL branch is merged into master, I will update this PR to point to the release that contains the fix, rather than the branch. Opening this now so Travis can do some testing.

Would it be possible to create a new release that contains https://github.com/Kitura/BlueRSA/pull/70.

Our Project is using https://github.com/Kitura/Swift-JWT which references this repository. Therefore we need a new version of this package to be published in order that the fix will get included.

Thanks for your work.

Description

A user was trying to build Swfit-JWT using Carthage and it wouldn't compile. They raised issue #64 which shows the compile error that:

'SecCertificateCopyPublicKey' is only available on iOS 10.3 or newer

This fix updates the @available tag to be:

@available(macOS 10.12, iOS 10.3, *)

Which allows the project to compile.

How Has This Been Tested?

The project was compiled and tested using the iOS simulator.

SecKeyGeneratePair was deprecated with iOS 15

Upgraded to support building with Xcode 14 - with no warnings

Updated minimum supported versions -

• MacOS - 11.5
• iOS - 14.5
• TVOS - 14.5
• WatchOS - 7.5

Testing

• Converted to use xctestplans
• Added support to do iOS testing
  • Had to add compiler flags to enable successful testing on a simulator

Updating to switch from the deprecated SecKeyGeneratePair to SecKeyCreateRandomKey

Description

SecKeyCreateRandomKey

• Removed use of the SecKeyGeneratePair API (that was deprecated with iOS 15.0) to now use the SecKeyCreateRandomKey

Minimum Versions

• Updated the minimum OS Versions to more recent versions to address additional build warnings

Unit Testing

• Added a test target to run unit tests on an iOS device
• As part of this, had to use some compiler directives to support successfully running tests on the simulator
• Also converted to using xctestplans - as that is the new standard for Xcode

Motivation and Context

It was done to eliminate warnings that we see in our application, and also to just update the repo to more recent standards

Issue: https://github.com/Kitura/BlueRSA/issues/77

How Has This Been Tested?

Tested locally by confirming successful unit tests. Also tested in our application to verify change was passive

Checklist:

• [x] If applicable, I have updated the documentation accordingly.
• [x] If applicable, I have added tests to cover my changes.

iOS 15.0 deprecated SecKeyGeneratePair, so would appreciate updating to SecKeyCreateRandomKey to eliminate a warning.

Pretty easy to change over -

    var privateKey: SecKey?
    var publicKey: SecKey?

    do {
        var error: Unmanaged<CFError>?

        // The keys are automatically stored in the keychain
        guard let privKey = SecKeyCreateRandomKey(attributes as CFDictionary, &error) else {
            throw error!.takeRetainedValue() as Error
        }
        privateKey = privKey
        publicKey = SecKeyCopyPublicKey(privateKey!)
    } catch {
        ulog.error(error: error, "Error creating public/private keys")
    }

Hi there,

can I use this lib also to generate a certificate with a private key that was created? Something like:

let keypair = try CryptorRSA.makeKeyPair(CryptorRSA.RSAKey.KeySize.bits2048)
var cert = createCertificate()
cert.publicKey = keypair.publicKey
cert.sign(keypair.privateKey, sha256)

is it possible? thanks

OS: Linux OpenSSL Version: 1.1.1

I am using the same exact code on MacOS and on Linux:

guard let decryptedData = try CryptorRSA.createEncrypted(with: data).decrypted(with: privateKey, algorithm: .sha1)?.data

I am attempting to decrypt data with a private key. It works properly on MacOS, but when running on Linux I get a crash with error:

Fatal error: Can't form Range with upperBound < lowerBound: file Swift/Range.swift, line 728

I noticed this is coming from line 697 in Sources/CryptorRSA.swift during the step with the comment "Extract encryptedKey, encryptedData, encryptedIV from data"

getting this error when trying to decrypt.

Error Domain=NSOSStatusErrorDomain Code=-50 "RSA-WRAP too short input data" UserInfo={NSDescription=RSA-WRAP too short input data}

how should I resolve it????