From a7ca7f404736a88a67aa8c17793894033d0a87f6 Mon Sep 17 00:00:00 2001 From: Raul Metsma Date: Wed, 15 Nov 2023 16:35:26 +0200 Subject: [PATCH] Verify given signature validity WE2-818 Signed-off-by: Raul Metsma --- lib/libelectronic-id | 2 +- src/controller/command-handlers/authenticate.cpp | 11 ++++++----- src/controller/command-handlers/sign.cpp | 12 ++++++++---- 3 files changed, 15 insertions(+), 10 deletions(-) diff --git a/lib/libelectronic-id b/lib/libelectronic-id index 0b5e58cf..34a6b354 160000 --- a/lib/libelectronic-id +++ b/lib/libelectronic-id @@ -1 +1 @@ -Subproject commit 0b5e58cf8141df49a1fd14b5e0c588bc6bae410a +Subproject commit 34a6b354b09c1f65aac3613556f7aa495ef94a28 diff --git a/src/controller/command-handlers/authenticate.cpp b/src/controller/command-handlers/authenticate.cpp index e87787bd..428c91b0 100644 --- a/src/controller/command-handlers/authenticate.cpp +++ b/src/controller/command-handlers/authenticate.cpp @@ -55,8 +55,9 @@ QVariantMap createAuthenticationToken(const QString& signatureAlgorithm, }; } -QByteArray createSignature(const QString& origin, const QString& challengeNonce, - const ElectronicID& eid, const pcsc_cpp::byte_vector& pin) +QByteArray createSignature(const QString& origin, const QByteArray& cert, + const QString& challengeNonce, const ElectronicID& eid, + const pcsc_cpp::byte_vector& pin) { static const auto SIGNATURE_ALGO_TO_HASH = std::map { @@ -83,7 +84,7 @@ QByteArray createSignature(const QString& origin, const QString& challengeNonce, const auto hashToBeSigned = pcsc_cpp::byte_vector {hashToBeSignedQBytearray.cbegin(), hashToBeSignedQBytearray.cend()}; - const auto signature = eid.signWithAuthKey(pin, hashToBeSigned); + const auto signature = eid.signWithAuthKey({cert.cbegin(), cert.cend()}, pin, hashToBeSigned); return QByteArray::fromRawData(reinterpret_cast(signature.data()), int(signature.size())) @@ -122,8 +123,8 @@ QVariantMap Authenticate::onConfirm(WebEidUI* window, auto pin = getPin(cardCertAndPin.cardInfo->eid().smartcard(), window); try { - const auto signature = - createSignature(origin.url(), challengeNonce, cardCertAndPin.cardInfo->eid(), pin); + const auto signature = createSignature(origin.url(), cardCertAndPin.certificateBytesInDer, + challengeNonce, cardCertAndPin.cardInfo->eid(), pin); // Erase the PIN memory. // TODO: Use a scope guard. Verify that the buffers are actually zeroed and no copies diff --git a/src/controller/command-handlers/sign.cpp b/src/controller/command-handlers/sign.cpp index 42277b2d..d728aff9 100644 --- a/src/controller/command-handlers/sign.cpp +++ b/src/controller/command-handlers/sign.cpp @@ -30,11 +30,13 @@ using namespace electronic_id; namespace { -QPair signHash(const ElectronicID& eid, const pcsc_cpp::byte_vector& pin, - const QByteArray& docHash, const HashAlgorithm hashAlgo) +QPair signHash(const ElectronicID& eid, const QByteArray& cert, + const pcsc_cpp::byte_vector& pin, const QByteArray& docHash, + const HashAlgorithm hashAlgo) { const auto hashBytes = pcsc_cpp::byte_vector {docHash.begin(), docHash.end()}; - const auto signature = eid.signWithSigningKey(pin, hashBytes, hashAlgo); + const auto signature = + eid.signWithSigningKey({cert.cbegin(), cert.cend()}, pin, hashBytes, hashAlgo); const auto signatureBase64 = QByteArray::fromRawData(reinterpret_cast(signature.first.data()), @@ -98,7 +100,9 @@ QVariantMap Sign::onConfirm(WebEidUI* window, const CardCertificateAndPinInfo& c auto pin = getPin(cardCertAndPin.cardInfo->eid().smartcard(), window); try { - const auto signature = signHash(cardCertAndPin.cardInfo->eid(), pin, docHash, hashAlgo); + const auto signature = + signHash(cardCertAndPin.cardInfo->eid(), cardCertAndPin.certificateBytesInDer, pin, + docHash, hashAlgo); // Erase PIN memory. // TODO: Use a scope guard. Verify that the buffers are actually zeroed