-
Notifications
You must be signed in to change notification settings - Fork 1.4k
/
Copy pathSigningIdentity.swift
123 lines (105 loc) · 3.86 KB
/
SigningIdentity.swift
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
//===----------------------------------------------------------------------===//
//
// This source file is part of the Swift open source project
//
// Copyright (c) 2023 Apple Inc. and the Swift project authors
// Licensed under Apache License v2.0 with Runtime Library Exception
//
// See http://swift.org/LICENSE.txt for license information
// See http://swift.org/CONTRIBUTORS.txt for the list of Swift project authors
//
//===----------------------------------------------------------------------===//
#if USE_IMPL_ONLY_IMPORTS
#if canImport(Security)
internal import Security
#endif
internal import Crypto
internal import X509
#else
#if canImport(Security)
import Security
#endif
import Crypto
import X509
#endif
import Basics
public protocol SigningIdentity {}
// MARK: - SecIdentity conformance to SigningIdentity
#if canImport(Security)
extension SecIdentity: SigningIdentity {}
#endif
// MARK: - SwiftSigningIdentity is created using raw private key and certificate bytes
public struct SwiftSigningIdentity: SigningIdentity {
let certificate: Certificate
let privateKey: Certificate.PrivateKey
// for testing
init(certificate: Certificate, privateKey: Certificate.PrivateKey) {
self.certificate = certificate
self.privateKey = privateKey
}
public init(
derEncodedCertificate certificate: [UInt8],
derEncodedPrivateKey privateKey: [UInt8],
privateKeyType: SigningKeyType
) throws {
do {
self.certificate = try Certificate(certificate)
} catch {
throw StringError("Invalid certificate: \(error.interpolationDescription)")
}
do {
switch privateKeyType {
case .p256:
self.privateKey = try Certificate.PrivateKey(P256.Signing.PrivateKey(derRepresentation: privateKey))
}
} catch let error as StringError {
throw error
} catch {
throw StringError("Invalid key: \(error.interpolationDescription)")
}
}
}
// MARK: - SigningIdentity store
public struct SigningIdentityStore {
private let observabilityScope: ObservabilityScope
public init(observabilityScope: ObservabilityScope) {
self.observabilityScope = observabilityScope
}
public func find(by label: String) -> [SigningIdentity] {
#if os(macOS)
// Find in Keychain
let query: [String: Any] = [
// Use kSecClassCertificate instead of kSecClassIdentity because the latter
// seems to always return all results, whether matching given label or not.
kSecClass as String: kSecClassCertificate,
kSecReturnRef as String: true,
kSecAttrLabel as String: label,
// TODO: too restrictive to require kSecAttrCanSign == true?
// kSecAttrCanSign as String: true,
kSecMatchLimit as String: kSecMatchLimitAll,
]
var result: CFTypeRef?
let status = SecItemCopyMatching(query as CFDictionary, &result)
guard status == errSecSuccess else {
self.observabilityScope.emit(warning: "Failed to search for '\(label)' in Keychain: status \(status)")
return []
}
let certificates = result as? [SecCertificate] ?? []
return certificates.compactMap { secCertificate in
var identity: SecIdentity?
let status = SecIdentityCreateWithCertificate(nil, secCertificate, &identity)
guard status == errSecSuccess, let identity else {
self.observabilityScope
.emit(
warning: "Failed to create SecIdentity from SecCertificate[\(secCertificate)]: status \(status)"
)
return nil
}
return identity
}
#else
// No identity store support on other platforms
return []
#endif
}
}