Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Verify XMLDSig in iOS #1612

Closed
SmartLayer opened this issue Dec 10, 2019 · 9 comments
Closed

Verify XMLDSig in iOS #1612

SmartLayer opened this issue Dec 10, 2019 · 9 comments
Assignees

Comments

@SmartLayer
Copy link
Member

SmartLayer commented Dec 10, 2019

It seems non-trivial:

https://stackoverflow.com/questions/5914508/how-to-verify-an-xml-signature-in-an-ios-application

The answer to that question uses xmlsec1 library which is big itself. In the iOS security practise, the keys never leave the security perimeter, which means we need more adaptation to xmlsec1 than the answer suggested.

I propose to shrink the size of the project by quite a bit by only implementing the functions we need. Clue:

  1. The StackOverflow answer suggested that libxml2 can be compiled in iOS.
  2. libxml2 has a c14n module and an XPATH module.

Hence:

If we could get libxml2 working in iOS, we probably can manually write the code to verify XMLDSig.

This is a theory only. To verify that, we need:

  1. Verify that one can write (without too much trouble) an XMLDSig verifier with just libxml2, without libxmlsec (weiwu comment†)
  2. Verify that one can compile libxml2 in iOS.

This seems to be rather a big undertaking. Taking this approach has one draw back, that is:

drawback

Although code produced in this fashion is usable for iOS, one could argue that for the command line signer it's easier to just use libxmlsec, and for Android it would be additional work to adapt C code when it already supports signature verification with native libraries, leading to us having 3 separate ways to deal with XMLDsig.

--

Regarding 1), If I (weiwu) were to do it, I might experiment doing so with rust using the libxml2 wrapper which seems to include xpath and c14n.to add the signing later, for use as a replacement of the current Makefile. The value of doing it such way is questionable since it might be easiser to just use libxmlsec for signing and skipping all the rusty stuff.

@hboon
Copy link
Member

hboon commented Dec 10, 2019

Verify that one can compile libxml2 in iOS.

It's available —

We already use libxml2 indirectly via a XML parser wrapper library [1], so we definitely have access to libxml2. We also have access to XPath through that library. I don't know though how modular libxml2 is to know if c14n is always included in libxml2 — and if it will be available.

I remember that one of the other hurdles was getting OpenSSL to build and using it. I don't remember how far I got getting signature verification to work (I certainly didn't get it working), but it was quite painful.

[1] https://github.com/tid-kijyun/Kanna

@hboon
Copy link
Member

hboon commented Dec 10, 2019

I might experiment doing so with rust using the libxml2 wrapper

I wonder if that will work with WASM? Do you know @colourful-land ?

@SmartLayer
Copy link
Member Author

I might experiment doing so with rust using the libxml2 wrapper

I wonder if that will work with WASM? Do you know @colourful-land ?

No, I don't think that will work in WASM.

@hboon
Copy link
Member

hboon commented Apr 7, 2021

Closed due to inactivity and pending changes.

@hboon hboon closed this as completed Apr 7, 2021
@SmartLayer
Copy link
Member Author

SmartLayer commented Apr 8, 2021

No!!! I haven't given this one up! This is what you need (I found a pure js way to do the crypto so binary dependency is gone)

(Optional) witness that xmldsig verification with JS works on commandline

Follow the instructions here:

https://github.com/TokenScript/TokenScript/tree/main/xmldsig/js

This way you can be sure the code demonstrated in https://github.com/TokenScript/TokenScript/blob/main/xmldsig/js/src/xmldsigverifier.js can verify XML signature.

include the webpack

Create a webpack. There is the instruction in README but I already created one on my PC which you can use here, saving you the trouble of running webpack. This webpack should contain the verify function called from the said xmldsigverifier.js but not the xmldsigverifier.js itself.

main.js.gz

Note, that if you managed to verify an xmldsig on iOS using the webpack, don't publish it in appstore yet until SmartTokenLabs/TokenScript#372 is solved.

@SmartLayer SmartLayer reopened this Apr 8, 2021
@hboon hboon self-assigned this Apr 8, 2021
@hboon
Copy link
Member

hboon commented Apr 8, 2021

@colourful-land I haven't checked, but is there a TokenScript file which should verify successfully with this that we can test with?

@SmartLayer
Copy link
Member Author

@colourful-land I haven't checked, but is there a TokenScript file which should verify successfully with this that we can test with?

The readme gave an example that you can run through all files in TokenScript-Repo . read this line in the project folder https://github.com/TokenScript/TokenScript/tree/main/xmldsig/js

src$ node xmldsigverifier.js ../../../TokenScript-Repo/aw.app/2020/06/*

@SmartLayer
Copy link
Member Author

Added an issue SmartTokenLabs/TokenScript#420 to see to make the code (from TokenScript repo) into the most ready-to-be-used-by-iOS way.

@hboon
Copy link
Member

hboon commented Dec 7, 2021

Outdated

@hboon hboon closed this as completed Dec 7, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants