Can you support ES256? #145

Open
nico-WX opened this issue Sep 20, 2017 · 13 comments

@nico-WX

commented Sep 20, 2017

New Issue Checklist

Issue Info

Info Value
Platform Name e.g. ios / osx / tvos / watchos
Platform Version e.g. 8.0
CocoaLumberjack Version e.g. 2.3.0
Integration Method e.g. carthage / cocoapods / manually
Xcode Version e.g. Xcode 7.3
Repro rate e.g. all the time (100%) / sometimes x% / only once
Demo project link e.g. link to a demo project that highlights the issue

Issue Description and Steps

Please fill in the detailed description of the issue (full output of any stack trace, compiler error, ...) and the steps to reproduce the issue.

@lolgear

Collaborator

commented Sep 20, 2017

@nico-WX I didn't investigate this feature for a long time.
In previous versions (prior to iOS 10 and macOS 12) the Security framework doesn't have this feature.

@nico-WX

Author

commented Sep 20, 2017

I looked at the AppleMusicKit to create the developer token, and I need to specify the JWT algorithm as ES256, so I would like to know if I can support ES256 😄😄

@lolgear

Collaborator

commented Sep 20, 2017

@nico-WX Any help will be appreciated :)

Nevertheless, it seems that they added EC support in os 13 and, I suppose, in iOS 11.

// iOS 11 Security / SecKey.h
#if SEC_OS_OSX
/*!
    @typedef SecKeySizes
    @abstract Supported key lengths.
*/
typedef CF_ENUM(uint32_t, SecKeySizes)
{
    kSecDefaultKeySize  = 0,

    // Symmetric Keysizes - default is currently kSecAES128 for AES.
    kSec3DES192         = 192,
    kSecAES128          = 128,
    kSecAES192          = 192,
    kSecAES256          = 256,

    // Supported ECC Keys for Suite-B from RFC 4492 section 5.1.1.
    // default is currently kSecp256r1
    kSecp192r1          = 192,
    kSecp256r1          = 256,
    kSecp384r1          = 384,
    kSecp521r1          = 521,  // Yes, 521

    // Boundaries for RSA KeySizes - default is currently 2048
    // RSA keysizes must be multiples of 8
    kSecRSAMin          = 1024,
    kSecRSAMax          = 4096
};
#endif /* SEC_OS_OSX */

@JanC


commented Sep 24, 2017

Hi,
I think this is a duplicate of #116 ;)

@lolgear

Collaborator

commented Sep 24, 2017

@JanC Right!
Do you know how to mark issues as duplicates?

@JanC


commented Sep 24, 2017

I think you can simply close it :)

@lolgear lolgear added this to the RS and ES Algorithms milestone Oct 1, 2017

@lolgear

Collaborator

commented Mar 12, 2018

@JanC could you check the latest master?
I have added (no tests, haha) support for ES using the Apple API.

@JanC


commented Mar 13, 2018

I tried using the private key I get directly from Apple's APNS. (I revoked the key so that I can post it here)

-----BEGIN PRIVATE KEY-----
MIGTAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBHkwdwIBAQQgpnX9ZXmgLCWQ+Hkpvae2PLU68XEzJdp+NjswuBS9RHWgCgYIKoZIzj0DAQehRANCAARMSO6bkKjLT+9Mx9wJRXoqUx+CbeOhAbVGS+3fgvVNGv3QM3NlMou3uguMrITwVvpWjuocXbSzjTwMstMMjsZg
-----END PRIVATE KEY-----

I used this code snippet, but I'm getting the error:

Error Domain=NSOSStatusErrorDomain Code=-50 "EC public key creation from data failed" UserInfo={NSDescription=EC public key creation from data failed}

- (void)signWithAppleAPNS
{
    NSString *algorithmName = @"ES256";
    // The .p8 file from Apple is a PKCS#8 PEM; it is passed to the PEM extractor as-is.
    NSString *privateKey = @"-----BEGIN PRIVATE KEY-----\n"
                           "MIGTAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBHkwdwIBAQQgpnX9ZXmgLCWQ+Hkpvae2PLU68XEzJdp+NjswuBS9RHWgCgYIKoZIzj0DAQehRANCAARMSO6bkKjLT+9Mx9wJRXoqUx+CbeOhAbVGS+3fgvVNGv3QM3NlMou3uguMrITwVvpWjuocXbSzjTwMstMMjsZg\n"
                           "-----END PRIVATE KEY-----";

    // Holder carrying the algorithm, the key extractor and the key material for signing.
    id <JWTAlgorithmDataHolderProtocol> signDataHolder = [JWTAlgorithmRSFamilyDataHolder new]
            .keyExtractorType([JWTCryptoKeyExtractor privateKeyWithPEMBase64].type)
            .algorithmName(algorithmName)
            .secret(privateKey);

    // sign
    NSDictionary *payloadDictionary = @{ @"hello": @"world" };

    JWTCodingBuilder *signBuilder = [JWTEncodingBuilder encodePayload:payloadDictionary].addHolder(signDataHolder);
    JWTCodingResultType *signResult = signBuilder.result;
    NSString *token = nil;
    if (signResult.successResult) {
        // success
        NSLog(@"%@ success: %@", self.debugDescription, signResult.successResult.encoded);
        token = signResult.successResult.encoded;
    } else {
        // error
        NSLog(@"%@ error: %@", self.debugDescription, signResult.errorResult.error);
    }

    // verify
    if (token == nil) {
        NSLog(@"something wrong");
    }
}

@lolgear

Collaborator

commented Mar 13, 2018

@JanC
Very strange.
I ran tests which verified that the public parameter is not passed.
However, the error is:

EC public key creation from data failed

I even dropped the prefix of the key to determine the correct header to strip off; no luck.

Very strange and interesting.

@lolgear

Collaborator

commented Mar 13, 2018

@JanC
Are you sure that this is a private key?

An online checker says that this key type is public. (Or I do not understand its output.)

I do not understand what happens. I try to create a public key from your key and it is created!

By the Apple API :(

@JanC


commented Mar 13, 2018

When I use the OpenSSL API PEM_read_PrivateKey on that PEM-encoded file, I can extract both the public and private keys:

PEM content: 
-----BEGIN PRIVATE KEY-----
MIGTAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBHkwdwIBAQQgpnX9ZXmgLCWQ+Hkpvae2PLU68XEzJdp+NjswuBS9RHWgCgYIKoZIzj0DAQehRANCAARMSO6bkKjLT+9Mx9wJRXoqUx+CbeOhAbVGS+3fgvVNGv3QM3NlMou3uguMrITwVvpWjuocXbSzjTwMstMMjsZg
-----END PRIVATE KEY-----

EC_KEY_get0_private_key: 
00A675FD6579A02C2590F87929BDA7B63CB53AF1713325DA7E363B30B814BD4475

EC_KEY_get0_private_key base64: 
AKZ1/WV5oCwlkPh5Kb2ntjy1OvFxMyXafjY7MLgUvUR1

i2o_ECPublicKey: 
044c48ee9b90a8cb4fef4cc7dc09457a2a531f826de3a101b5464beddf82f54d1afdd0337365328bb7ba0b8cac84f056fa568eea1c5db4b38d3c0cb2d30c8ec660

i2o_ECPublicKey base64: 
BExI7puQqMtP70zH3AlFeipTH4Jt46EBtUZL7d+C9U0a/dAzc2Uyi7e6C4yshPBW+laO6hxdtLONPAyy0wyOxmA=

I used this source for testing: https://github.com/matthijs2704/vapor-apns/blob/master/Sources/VaporAPNS/String%2BAPNS.swift

@AyeChanPyaeSone


commented Mar 7, 2019

Hi, any luck for ES256? I also get the same error.

@lolgear

Collaborator

commented Mar 8, 2019

@AyeChanPyaeSone
From the Apple documentation:

/*!
    @function SecKeyCreateWithData
    @abstract Create a SecKey from a well-defined external representation.
    @param keyData CFData representing the key. The format of the data depends on the type of key being created.
    @param attributes Dictionary containing attributes describing the key to be imported. The keys in this dictionary
    are kSecAttr* constants from SecItem.h.  Mandatory attributes are:
     * kSecAttrKeyType
     * kSecAttrKeyClass
    @param error On error, will be populated with an error object describing the failure.
    See "Security Error Codes" (SecBase.h).
    @result A SecKey object representing the key, or NULL on failure.
    @discussion This function does not add keys to any keychain, but the SecKey object it returns can be added
    to keychain using the SecItemAdd function.
    The requested data format depend on the type of key (kSecAttrKeyType) being created:
     * kSecAttrKeyTypeRSA               PKCS#1 format, public key can be also in x509 public key format
     * kSecAttrKeyTypeECSECPrimeRandom  ANSI X9.63 format (04 || X || Y [ || K])
 */
SecKeyRef _Nullable SecKeyCreateWithData(CFDataRef keyData, CFDictionaryRef attributes, CFErrorRef *error)
__OSX_AVAILABLE(10.12) __IOS_AVAILABLE(10.0) __TVOS_AVAILABLE(10.0) __WATCHOS_AVAILABLE(3.0);

And we have limitations:

  • available(macOS 10.12, iOS 10.0, tvOS 10.0, watchOS 3.0).
  • EC key should be in correct format: ANSI X9.63 format (04 || X || Y [ || K]).
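The format mismatch behind the error in this thread, as an added example that is not part of the thread or of the JWT library: the .p8 file Apple hands out is a PKCS#8 PEM wrapping an RFC 5915 ECPrivateKey, while SecKeyCreateWithData for kSecAttrKeyTypeECSECPrimeRandom wants the raw X9.63 blob 04 || X || Y || K. The Python below walks the DER, pulls out the scalar and the embedded public point, and rebuilds that blob from the revoked key JanC posted; the expected values come from his OpenSSL output above. It refuses keys without an embedded public point rather than deriving one.

```python
import base64
import re

# Sample input: the P-256 .p8 key posted (and revoked) by JanC in this thread.
REVOKED_APNS_P8 = """-----BEGIN PRIVATE KEY-----
MIGTAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBHkwdwIBAQQgpnX9ZXmgLCWQ+Hkpvae2PLU68XEzJdp+NjswuBS9RHWgCgYIKoZIzj0DAQehRANCAARMSO6bkKjLT+9Mx9wJRXoqUx+CbeOhAbVGS+3fgvVNGv3QM3NlMou3uguMrITwVvpWjuocXbSzjTwMstMMjsZg
-----END PRIVATE KEY-----"""

EC_PUBLIC_KEY_OID = bytes.fromhex("2a8648ce3d0201")  # id-ecPublicKey 1.2.840.10045.2.1
PRIME256V1_OID = bytes.fromhex("2a8648ce3d030107")   # prime256v1 1.2.840.10045.3.1.7


def _der_tlv(buf, pos):
    """Read one DER tag-length-value at pos; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _der_children(value):
    """List the (tag, value) pairs directly inside a constructed DER value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _der_tlv(value, pos)
        out.append((tag, val))
    return out


def pkcs8_ec_to_x963(pem):
    """Convert a PKCS#8 PEM P-256 private key to ANSI X9.63 bytes (04 || X || Y || K)."""
    der = base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))
    tag, pkcs8, _ = _der_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("PEM body is not a DER SEQUENCE")
    (_, version), (_, alg), (_, ec_octets) = _der_children(pkcs8)[:3]
    oids = [v for t, v in _der_children(alg) if t == 0x06]
    if version != b"\x00" or oids != [EC_PUBLIC_KEY_OID, PRIME256V1_OID]:
        raise ValueError("not a PKCS#8 id-ecPublicKey / prime256v1 key")
    # The OCTET STRING wraps an RFC 5915 ECPrivateKey: version INTEGER, privateKey
    # OCTET STRING, [0] parameters (optional), [1] publicKey BIT STRING (optional).
    _, ec, _ = _der_tlv(ec_octets, 0)
    fields = dict(_der_children(ec))
    k = fields.get(0x04, b"")
    if fields.get(0x02) != b"\x01" or len(k) != 32:
        raise ValueError("unexpected ECPrivateKey version or scalar length")
    if 0xA1 not in fields:  # deriving the point would need EC scalar multiplication
        raise ValueError("ECPrivateKey carries no publicKey; cannot build X9.63 here")
    _, bit_string = _der_children(fields[0xA1])[0]
    point = bit_string[1:]  # drop the BIT STRING unused-bits byte
    if len(point) != 65 or point[0] != 0x04:
        raise ValueError("public key is not an uncompressed P-256 point")
    return point + k
```

The 97-byte result is what belongs in the CFData handed to SecKeyCreateWithData with kSecAttrKeyClassPrivate, and a leading 0x00 on the scalar (as OpenSSL's signed bignum print shows) must not be copied into K.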