ECC key support

IB-8381

Signed-off-by: Raul Metsma <raul@metsma.ee>

Author: metsma

.github/workflows/build.yml

@@ -14,7 +14,7 @@ jobs:
       uses: actions/checkout@v4
     - name: Build
       run: |
-        cmake -DCMAKE_OSX_ARCHITECTURES="x86_64;arm64" -S . -B build
+        cmake -DCMAKE_OSX_ARCHITECTURES="x86_64;arm64" -DCMAKE_BUILD_TYPE=RelWithDebInfo -S . -B build
         cmake --build build --target pkgbuild
     - name: Archive artifacts
       uses: actions/upload-artifact@v4
@@ -43,19 +43,19 @@ jobs:
     - name: Install Qt
       uses: jurplel/install-qt-action@v4
       with:
-        version: 6.9.1
+        version: 6.9.2
         arch: win64_msvc2022_64
     - name: Setup dev env
       uses: ilammy/msvc-dev-cmd@v1
       with:
         arch: x64
     - name: Install WiX
       run: |
-        dotnet tool install -g wix --version 6.0.1
-        wix extension -g add WixToolset.UI.wixext/6.0.1
+        dotnet tool install -g wix --version 6.0.2
+        wix extension -g add WixToolset.UI.wixext/6.0.2
     - name: Build
       run: |
-        cmake -S . -B build `
+        cmake -S . -B build -DCMAKE_BUILD_TYPE=RelWithDebInfo `
           -DCMAKE_TOOLCHAIN_FILE=${{ env.RUNVCPKG_VCPKG_ROOT }}/scripts/buildsystems/vcpkg.cmake
         cmake --build build --target installer
     - name: Archive artifacts

CMakeLists.txt

@@ -14,12 +14,13 @@ set(VERSION ${PROJECT_VERSION}.${BUILD_NUMBER})
 set_env( CONFIG_URL "https://id.eesti.ee/config.json" CACHE STRING "Set Config URL" )
 set_env( SIGNCERT "" CACHE STRING "Common name of certificate to used sign binaries, empty skip signing" )
 add_definitions( -DCONFIG_URL="${CONFIG_URL}" )
-string( REPLACE ".json" ".pub" PUB_URL ${CONFIG_URL} )
-file( DOWNLOAD ${PUB_URL} ${CMAKE_CURRENT_BINARY_DIR}/config.pub )
+string(REPLACE ".json" ".ecpub" PUB_URL ${CONFIG_URL})
+message("Fetching pub key: ${PUB_URL}")
+file(DOWNLOAD ${PUB_URL} ${CMAKE_CURRENT_BINARY_DIR}/config.ecpub)
 
 if( APPLE )
 	add_custom_command( OUTPUT config.h
-		COMMAND xxd -i config.pub config.h
+		COMMAND xxd -i config.ecpub config.h
 		COMMENT "Generating config.h"
 	)
 	include_directories( ${CMAKE_CURRENT_BINARY_DIR} )
@@ -118,9 +119,9 @@ else()
 	if(NOT EXISTS ${CMAKE_SOURCE_DIR}/common/CMakeLists.txt)
 		message(FATAL_ERROR "cmake submodule directory empty, did you 'git clone --recursive'?")
 	endif()
-	file( DOWNLOAD ${CONFIG_URL} ${CMAKE_CURRENT_BINARY_DIR}/config.json )
-	string( REPLACE ".json" ".rsa" RSA_URL ${CONFIG_URL} )
-	file( DOWNLOAD ${RSA_URL} ${CMAKE_CURRENT_BINARY_DIR}/config.rsa )
+	file(DOWNLOAD ${CONFIG_URL} ${CMAKE_CURRENT_BINARY_DIR}/config.json)
+	string(REPLACE ".json" ".ecc" ECC_URL ${CONFIG_URL})
+	file(DOWNLOAD ${ECC_URL} ${CMAKE_CURRENT_BINARY_DIR}/config.ecc)
 	set(CONFIG_DIR ${CMAKE_CURRENT_BINARY_DIR})
 
 	find_package(OpenSSL 3.0.0 REQUIRED)
@@ -167,7 +168,7 @@ else()
 	)
 	qt_add_resources(${PROJECT_NAME} icon FILES appicon.png)
 	qt_add_resources(${PROJECT_NAME} config BASE ${CONFIG_DIR} PREFIX / FILES
-		${CONFIG_DIR}/config.json ${CONFIG_DIR}/config.rsa ${CONFIG_DIR}/config.pub
+		${CONFIG_DIR}/config.json ${CONFIG_DIR}/config.ecc ${CONFIG_DIR}/config.ecpub
 	)
 
 	if(OPENSSL_ROOT_DIR)

common

@@ -235,6 +235,45 @@ - (void)updateAvailable:(NSString *)_available filename:(NSString *)_filename {
     });
 }
 
+- (BOOL)verifyCMSSignature:(NSData *)signatureData data:(NSData *)data cert:(NSData *)cert {
+    #define RETURN_IF_OERROR(MSG) if (oserr) { NSLog(MSG); return false; }
+    CMSDecoderRef decoderRef;
+    OSStatus oserr = CMSDecoderCreate(&decoderRef);
+    RETURN_IF_OERROR(@"CMSDecoderCreate")
+    id decoder = CFBridgingRelease(decoderRef);
+
+    oserr = CMSDecoderUpdateMessage((__bridge CMSDecoderRef)decoder, signatureData.bytes, signatureData.length);
+    RETURN_IF_OERROR(@"CMSDecoderUpdateMessage")
+    oserr = CMSDecoderFinalizeMessage((__bridge CMSDecoderRef)decoder);
+    RETURN_IF_OERROR(@"CMSDecoderFinalizeMessage")
+    oserr = CMSDecoderSetDetachedContent((__bridge CMSDecoderRef)decoder, (__bridge CFDataRef)data);
+    RETURN_IF_OERROR(@"CMSDecoderSetDetachedContent")
+
+    size_t numSignersOut = 0;
+    oserr = CMSDecoderGetNumSigners((__bridge CMSDecoderRef)decoder, &numSignersOut);
+    RETURN_IF_OERROR(@"CMSDecoderGetNumSigners")
+    if (numSignersOut != 1) {
+        NSLog(@"Invalid number of signers: %lu", numSignersOut);
+        return false;
+    }
+
+    SecPolicyRef policy = SecPolicyCreateBasicX509();
+    CMSSignerStatus status;
+    oserr = CMSDecoderCopySignerStatus((__bridge CMSDecoderRef)decoder, 0, policy, TRUE, &status, nil, nil);
+    CFRelease(policy);
+    RETURN_IF_OERROR(@"CMSDecoderCopySignerStatus")
+    bool isValid = status == kCMSSignerValid;
+
+    SecCertificateRef signerCert;
+    oserr = CMSDecoderCopySignerCert((__bridge CMSDecoderRef)decoder, 0, &signerCert);
+    RETURN_IF_OERROR(@"CMSDecoderCopySignerCert")
+    bool isSameCert = [cert isEqualToData:CFBridgingRelease(SecCertificateCopyData(signerCert))];
+    CFRelease(signerCert);
+
+    NSLog(@"Signature is (%d) and cert is equal(%d)", isValid, isSameCert);
+    return isValid && isSameCert;
+}
+
 #pragma mark - Connection delegate
 
 - (void)URLSession:(NSURLSession *)session downloadTask:(NSURLSessionDownloadTask *)downloadTask didWriteData:(int64_t)bytesWritten totalBytesWritten:(int64_t)totalBytesWritten totalBytesExpectedToWrite:(int64_t)totalBytesExpectedToWrite {
@@ -309,7 +348,7 @@ - (void)URLSession:(NSURLSession *)session downloadTask:(NSURLSessionDownloadTas
     }
 
     if([signatureType isEqualToString:@"CMS"]) {
-        if ([update verifyCMSSignature:signature data:data cert:certData])
+        if ([self verifyCMSSignature:signature data:data cert:certData])
             [NSTask launchedTaskWithLaunchPath:@"/usr/bin/open" arguments:@[path]];
         else
         {
@@ -371,7 +410,7 @@ - (IBAction)diagnostics:(id)sender {
     NSDictionary *versions = @{
         @"DigiDoc4": update.digidoc4,
         @"Open-EID": update.baseversion,
-        @"ID-Updater": [update versionInfo:@"ee.ria.ID-updater"],
+        @"ID-Updater": update.updaterversion,
         NSLocalizedString(@"Safari (Extensions) browser plugin", nil): [update versionInfo:@"ee.ria.safari-token-signing"],
         NSLocalizedString(@"Safari (NPAPI) browser plugin", nil): [update versionInfo:@"ee.ria.firefox-token-signing"],
         NSLocalizedString(@"Chrome/Firefox browser plugin", nil): [update versionInfo:@"ee.ria.chrome-token-signing"],

prefPane/id-updater.m

@@ -39,13 +39,11 @@ enum {
 - (BOOL)checkCertificatePinning:(NSURLAuthenticationChallenge *)challenge;
 - (void)request;
 - (NSString *)userAgent:(BOOL)diagnostics;
-- (BOOL)verifyCMSSignature:(NSData *)signatureData data:(NSData *)data cert:(NSData *)cert;
 - (NSString*)versionInfo:(NSString *)pkg;
 
 @property(nonatomic, readonly, getter=getBaseversion) NSString *baseversion;
 @property(retain) NSString *updaterversion;
 @property(retain) NSString *digidoc4;
-@property(retain) NSDictionary *centralConfig;
 @property(retain) NSArray *cert_bundle;
 @property(assign) id <UpdateDelegate> delegate;
 @end