ios - iOS 中的 SecKeyRawVerify 收到误报

Question

我正在使用 RSASHA-256 签署 JWT 并尝试在我的 iOS SDK 上验证它。

发送完整数据时，验证通过。

但是，当篡改收到的数据时，我仍然收到误报。

在此处添加代码:

//
//  NSData+VerifySignature.m
//  InsertFramework
//
//  Created by yaniv1 on 1/13/16.
//  Copyright © 2016 Insert. All rights reserved.
//

#import "NSData+VerifySignature.h"
#import "IIOStringEncoder.h"
#import "IIOLog.h"
#import "IIORSA.h"

@implementation NSData (VerifySignature)

-(NSArray *)createComponents{
    NSString *data =[[NSString alloc] initWithData:self    encoding:NSUTF8StringEncoding];
NSArray *components = [data componentsSeparatedByString:@"."];
if (!components || [components count] != 3) {
    IIOErrorLog(@"Invalid JWT received for verification");
    return nil;
}

return components;
}

-(NSData *)verifySignature:(NSHTTPURLResponse *)urlResponse {

//Getting response header content-type and checking if it is jwt
NSString *contentType = [[[urlResponse allHeaderFields][@"Content-Type"] componentsSeparatedByString:@";"] objectAtIndex:0];

if (![contentType isEqualToString:@"insert/jwt"])
{
    return nil;
}

NSArray *signatureComponents = [self createComponents];
if (!signatureComponents) {
    return nil;
}

//JWT is seperated into his 3 components
NSString *header = signatureComponents[0];
NSString *payload = signatureComponents[1];
NSString *signature = signatureComponents[2];

//Turining signature received in base64 to base64UrlEncoded
NSData *base64UrlEncodedSig = [IIOStringEncoder dataWithBase64UrlEncodedString:signature];

SecKeyRef pKey = [IIORSA addPublicKey];
if (!pKey) {
    IIOErrorLog(@"Failed to create public key, which results in verification failure");
    return nil;
}

//Creating the data to verify the signature, meaning the header.payload
NSString *headerAndPayload = [[header stringByAppendingString:@"."] stringByAppendingString:payload];
NSData *dataHeaderAndPayload = [headerAndPayload dataUsingEncoding:NSUTF8StringEncoding];

//Verify the signature. For further details, go to
BOOL status = SecKeyRawVerify (pKey,
                      kSecPaddingPKCS1SHA1,
                      (const uint8_t *)[dataHeaderAndPayload bytes],
                      (size_t)[dataHeaderAndPayload length],
                      (const uint8_t *)[base64UrlEncodedSig bytes],
                      (size_t)[base64UrlEncodedSig length]
                      );

if (!status) {
    IIOErrorLog(@"Failed to verify signature");
    return nil;
}

NSData *payloadDecodedData = [[NSData alloc]   initWithBase64EncodedString:payload options:0];

    return payloadDecodedData;
}

@end

有人可以建议吗？

Answer 1

该方法不返回 BOOL。查看reference :

OSStatus SecKeyRawVerify(SecKeyRef key,
    SecPadding padding,
    const uint8_t *signedData,
    size_t signedDataLen,
    const uint8_t *sig,
    size_t sigLen);