I'm making an Application with a java backend and a Swift front-end. Using a REST Api to move data. I wish to encrypt the data with AES 128 CBC. The encrypting method is working, but the decrypting method is not.
First off all, this is the Swift code for de AES encrypting and decrypting:
import Foundation
import CommonCrypto
struct AES {
private let key: Data
private let iv: Data
init?() {
let ivProduct: String = "dkghepfowntislqn"
let keyProduct: String = "2949382094230487"
guard keyProduct.count == kCCKeySizeAES128 || keyProduct.count == kCCKeySizeAES256, let keyData = keyProduct.data(using: .utf8) else {
debugPrint("Error: Failed to set a key.")
return nil
}
guard ivProduct.count == kCCBlockSizeAES128, let ivData = ivProduct.data(using: .utf8) else {
debugPrint("Error: Failed to set an initial vector.")
return nil
}
self.key = keyData
self.iv = ivData
}
func encrypt(string: String) -> Data? {
return crypt(data: string.data(using: .utf8), option: CCOperation(kCCEncrypt))
}
func decrypt(data: Data?) -> String? {
guard let decryptedData = crypt(data: data, option: CCOperation(kCCDecrypt)) else { return nil }
return String(bytes: decryptedData, encoding: .utf8)
}
func crypt(data: Data?, option: CCOperation) -> Data? {
guard let data = data else { return nil }
let cryptLength = data.count + kCCBlockSizeAES128
var cryptData = Data(count: cryptLength)
let keyLength = key.count
let options = CCOptions(kCCOptionPKCS7Padding)
var bytesLength = Int(0)
let status = cryptData.withUnsafeMutableBytes { cryptBytes in
data.withUnsafeBytes { dataBytes in
iv.withUnsafeBytes { ivBytes in
key.withUnsafeBytes { keyBytes in
CCCrypt(option, CCAlgorithm(kCCAlgorithmAES), options, keyBytes.baseAddress, keyLength, ivBytes.baseAddress, dataBytes.baseAddress, data.count, cryptBytes.baseAddress, cryptLength, &bytesLength)
}
}
}
}
guard UInt32(status) == UInt32(kCCSuccess) else {
debugPrint("Error: Failed to crypt data. Status \(status)")
return nil
}
cryptData.removeSubrange(bytesLength..<cryptData.count)
return cryptData
}
}
The data is gathered from the REST API like so:
func getTestAllPayments(_ completion: #escaping ([Payment]) -> ()) {
let aes128 = AES()
if let url = URL(string: "\(localhostUrl)/payment") {
URLSession.shared.dataTask(with: url) { data, response, error in
if let data = data {
do {
let res = try JSONDecoder().decode([Payment].self, from: (data))
print(res.self)
completion(res)
return
} catch let error {
print(error)
}
}
}.resume()
}
}
Now for the problem. I've ran a couple of test:
first check if the encrypt and decrypt methods work together:
let aes128 = AES()
let dataEncrypt = aes128?.encrypt(string:"Hello") //Will be :lG7Bqk0nwx732eOQLAzhqQ==
let dataDecrypt = aes128?.decrypt(data:dataEncrypt) //Will be: "Hello"
print(dataDecrypt) --> //output = "Hello"
First test works like a charm. For the second test:
let aes128 = AES()
if let url = URL(string: "\(localhostUrl)/payment") {
URLSession.shared.dataTask(with: url) { data, response, error in
if let data = data {
print(String(data: data, encoding: .utf8)) //Output = lG7Bqk0nwx732eOQLAzhqQ==
let dataDecrypt = aes128?.decrypt(data: data)
print(dataDecrypt) --> //output = nil
This is where it goes wrong. When fetching the data with the exact same encoding string, it'll always return nil. Has it something to do with the data format that URLSession returns?
I'm trying to sign and verify a challenge with elliptic curve algorithms using Apple tools.
Using the SecKeyCreateWithData I can use/import already generated public/private keys, this works great. Then I call the sign() function which takes SecKeyAlgorithm parameter. In my case is ecdsaSignatureDigestX962 because I use secp256r1 curve (NIST P-256). So the signature doesn't failed but then the verify always crash with :
Can't verify/wrong signature Unmanaged<CFErrorRef>(_value: Error Domain=NSOSStatusErrorDomain Code=-67808 "EC signature verification failed (ccerr -7)" UserInfo={NSDescription=EC signature verification failed (ccerr -7)})
Here is my complete code if someone has an idea :
import UIKit
class SecureEnclave: UIViewController {
var publicKey: SecKey!
var privateKey: SecKey!
var signature: Data!
override func viewDidLoad() {
super.viewDidLoad()
if #available(iOS 10.0, *) {
var error: Unmanaged<CFError>?
//Step 1: Private Key
let privKeyUInt8: [UInt8] = [0x04,0x**,0x**,0x**,0x**,0x**,0x**,0x**,0x**,0x**,0x**,0x**,0x**,0x**,0x**,0x**,0xde,0x0a,0x37,0x02,0xfc,0xc6,0x04,0x5b,0x03,0xd7,0x12,0x03,0x26,0x6a,0x4b,0x3d,0x05,0x55,0x5d,0x90,0xe1,0xa4,0xcf,0xd1,0x78,0xf7,0x95,0xda,0xa3,0x9c,0x**,0x2c,0x37,0x4f,0x**,0xfa,0x28,0x2e,0x64,0x7a,0x22,0x7f,0x47,0x9a,0x98,0x1a,0x2c,0x9b,0x2d,0x28,0x96,0xe0,0x**,0x07,0x33,0x06,0x10,0x5a,0x95,0x85,0x9c,0xc3,0xfd,0x43,0xf4,0x81,0x95,0xf4,0xe5,0x6d,0xb2,0x**,0x**,0x**,0x87,0x6d,0xc1,0x52,0x89,0xd3,0x05]
let CFPrivData = CFDataCreate(nil, privKeyUInt8, privKeyUInt8.count)
let optionsPrivKey: [String: Any] = [
kSecAttrKeyType as String : kSecAttrKeyTypeEC,
kSecAttrKeyClass as String : kSecAttrKeyClassPrivate,
]
guard let privKey = SecKeyCreateWithData(CFPrivData!, optionsPrivKey as CFDictionary, &error) else {
let error = error!.takeRetainedValue() as Error
return print(error)
}
self.privateKey = privKey
//Step 2: Public Key
let pubKeyUInt8: [UInt8] = [0x04,0x09,0x44,0x11,0xc6,0xbe,0x9f,0x31,0x88,0xa0,0x23,0xe7,0xf1,0x77,0x13,0xef,0xde,0x0a,0x37,0x02,0xfc,0xc6,0x04,0x5b,0x03,0xd7,0x12,0x03,0x26,0x6a,0x4b,0x3d,0x05,0x55,0x5d,0x90,0xe1,0xa4,0xcf,0xd1,0x78,0xf7,0x95,0xda,0xa3,0x9c,0x18,0x2c,0x37,0x4f,0x1b,0xfa,0x28,0x2e,0x64,0x7a,0x22,0x7f,0x47,0x9a,0x98,0x1a,0x2c,0x9b,0x2d]
let CFPubData = CFDataCreate(nil, pubKeyUInt8, pubKeyUInt8.count)
let optionsPubKey: [String: Any] = [kSecAttrKeyType as String: kSecAttrKeyTypeEC,
kSecAttrKeyClass as String: kSecAttrKeyClassPublic,
kSecAttrKeySizeInBits as String: 256]
guard let pubKey = SecKeyCreateWithData(CFPubData!, optionsPubKey as CFDictionary, &error) else {
let error = error!.takeRetainedValue() as Error
return print(error)
}
self.publicKey = pubKey
//Step 3: Signing/Verifing
let challengeString = "Hello"
let challengeData = challengeString.data(using: .utf8)
self.sign(algorithm: .ecdsaSignatureDigestX962, data: challengeData!)
} else {
print("unsupported")
}
}
private func sign(algorithm: SecKeyAlgorithm, data: Data) {
guard SecKeyIsAlgorithmSupported(self.privateKey!, .sign, algorithm) else {
print("Algorith not supported - Can't sign")
return
}
// SecKeyCreateSignature call is blocking when the used key
// is protected by biometry authentication. If that's not the case,
// dispatching to a background thread isn't necessary.
DispatchQueue.global().async {
var error: Unmanaged<CFError>?
let signature = SecKeyCreateSignature(self.privateKey!, algorithm, data as CFData, &error) as Data?
DispatchQueue.main.async {
self.signature = signature
guard signature != nil else {
print((error!.takeRetainedValue() as Error).localizedDescription)
return
}
print("Signature : OK !")
//Step 4: Verifing
let algorithm: SecKeyAlgorithm = .ecdsaSignatureDigestX962
guard SecKeyIsAlgorithmSupported(self.publicKey, .verify, algorithm) else {
print("Algorith not supported - Can't verify")
return
}
var error: Unmanaged<CFError>?
guard SecKeyVerifySignature(self.publicKey, algorithm, data as CFData, self.signature as CFData, &error) else {
print("Can't verify/wrong signature \(error!)")
return
}
print("Signature check: OK")
}
}
}
}
I has a problem when I try to implementing JWT in swift 4.
I use JWT library from jwt.io.
I am trying to encrypt the payload with the PKCS8 pem filetype and RSA256 algorithm certificate.
but always error with message "The operation could not be completed. (OSStatus error -50 - RSA private key creation from data failed)"
can someone help me?
code:
let payload: [AnyHashable:Any] = ["payload":"hiden_information"]
let algorithmName = "RS256"
let path = Bundle.main.path(forResource: "priv", ofType: "pem")
let privateKeySecretData = try? Data(contentsOf: URL(fileURLWithPath: path!))
let privateKey = String(data: privateKeySecretData!, encoding: .utf8)!
let signDataHolder: JWTAlgorithmRSFamilyDataHolder = JWTAlgorithmRSFamilyDataHolder()
_ = signDataHolder.keyExtractorType(JWTCryptoKeyExtractor.privateKeyWithPEMBase64().type)
_ = signDataHolder.algorithmName(algorithmName)
_ = signDataHolder.secret(privateKey)
let signBuilder : JWTEncodingBuilder = JWTEncodingBuilder.encodePayload(payload)
_ = signBuilder.addHolder(signDataHolder)
let signResult = signBuilder.result
if ((signResult?.successResult) != nil) {
print(signResult!.successResult.encoded)
} else {
print(signResult?.errorResult.error.localizedDescription ?? "Unknown")
}
JWT version 3.0.0.-beta7 not suported PKCS8.
i use PKCS1 with RSA256 and it worked!
func encryptPayload(payload:[AnyHashable:Any])->String?
{
var resultStr: String?
var publicKeyCrypto: JWTCryptoKeyProtocol? = nil
do {
publicKeyCrypto = try JWTCryptoKeyPublic(pemEncoded: AppConstant.Scurity.publicKey, parameters: nil)
}
catch {
NSLog("error: \(error)")
}
guard let theCrypto = publicKeyCrypto else {
return nil
}
do {
let privateKeyCrypto = try JWTCryptoKeyPrivate(pemEncoded: privateKey, parameters: nil)
guard let holder = JWTAlgorithmRSFamilyDataHolder().signKey(privateKeyCrypto)?.secretData(AppConstant.Scurity.privateKey.data(using: .utf8))?.algorithmName(JWTAlgorithmNameRS256) else {return nil}
let headers : [AnyHashable:Any] = ["alg": "RS256","typ": "JWT"]
guard let encoding = JWTEncodingBuilder.encodePayload(payload).headers(headers)?.addHolder(holder) else {return nil}
let result = encoding.result
print(result?.successResult?.encoded ?? "Encoding failed")
print(result?.errorResult?.error ?? "No encoding error")
let verifyDataHolder = JWTAlgorithmRSFamilyDataHolder().signKey(theCrypto)?.secretData(publicKey.data(using: .utf8)!)?.algorithmName(JWTAlgorithmNameRS256)
let verifyResult = JWTDecodingBuilder.decodeMessage(result?.successResult?.encoded).addHolder(verifyDataHolder)?.result
if verifyResult?.successResult != nil, let result = verifyResult?.successResult.encoded {
print("Verification successful, result: \(result)")
} else {
print("Verification error: \(verifyResult!.errorResult.error)")
}
resultStr = result?.successResult.encoded
} catch {
print(error)
}
return resultStr
}
I have project where I need to sign string(raw or base64 encoded) with private digital signature (that has password). I searched on internet and found that private digital certificate is x.509 format(RSA). In xcode I set UIFileSharingEnabled to Enabled and uploaded that rsa.p12 certificate using Itunes. Next I get the certificate from document directory in (data or string) format. My question is how can I encrypt any text using digital signature?
I tried to use this lib https://github.com/TakeScoop/SwiftyRSA/issues but this lib does not support x.509 certificate.
I just found the code which encodes string text and it works
func signRequestorId(requestorID: String) -> String? {
let name = "RSA256_4f1826090c554a439c419043270d40f7d.p12"
guard let certificateData = CustomFileManager.getFile(by: name) else {
return nil
}
var status: OSStatus
let certificateKey = "123456"
let options = [kSecImportExportPassphrase as String : certificateKey]
var optItems: CFArray?
status = SecPKCS12Import(certificateData as CFData, options as CFDictionary, &optItems)
if status != errSecSuccess {
print("Cannot sign the device id info: failed importing keystore.")
return nil
}
guard let items = optItems else {
return nil
}
// Cast CFArrayRef to Swift Array
let itemsArray = items as [AnyObject]
// Cast CFDictionaryRef as Swift Dictionary
guard let myIdentityAndTrust = itemsArray.first as? [String : AnyObject] else {
return nil
}
// Get our SecIdentityRef from the PKCS #12 blob
let outIdentity = myIdentityAndTrust[kSecImportItemIdentity as String] as! SecIdentity
var myReturnedCertificate: SecCertificate?
status = SecIdentityCopyCertificate(outIdentity, &myReturnedCertificate)
if status != errSecSuccess {
print("Failed to retrieve the certificate associated with the requested identity.")
return nil
}
// Get the private key associated with our identity
var optPrivateKey: SecKey?
status = SecIdentityCopyPrivateKey(outIdentity, &optPrivateKey)
if status != errSecSuccess {
print("Failed to extract the private key from the keystore.")
return nil
}
// Unwrap privateKey from optional SecKeyRef
guard let privateKey = optPrivateKey else {
return nil
}
// Retrieve the digital signature and sign the requestor
// Get the maximum size of the digital signature
var signedBytesSize: size_t = SecKeyGetBlockSize(privateKey)
var signedBytes: UnsafeMutablePointer<UInt8>
// alloc a buffer to hold the signature
signedBytes = UnsafeMutablePointer<UInt8>.allocate(capacity: signedBytesSize)
memset(signedBytes, 0x0, signedBytesSize)
// We're calling alloc here, so we need to destroy and deinit
defer {
signedBytes.deinitialize()
signedBytes.deallocate(capacity: signedBytesSize)
}
// Sign data
let requestorData = requestorID.data(using: String.Encoding.utf8)!
// Generate a digital signature for our requestor from our cert
let buffer = UnsafeMutablePointer<UInt8>.allocate(capacity: requestorData.count)
let stream = OutputStream(toBuffer: buffer, capacity: requestorData.count)
stream.open()
requestorData.withUnsafeBytes({ (p: UnsafePointer<UInt8>) -> Void in
stream.write(p, maxLength: requestorData.count)
})
stream.close()
let weidformat = UnsafePointer<UInt8>(buffer)
status = SecKeyRawSign(privateKey, .PKCS1, weidformat,
requestorData.count, signedBytes, &signedBytesSize)
if status != errSecSuccess {
print("Cannot sign the device id info: failed obtaining the signed bytes.")
return nil
}
let encryptedBytes = NSData(bytes: signedBytes, length: signedBytesSize)
let signedRequestorId = encryptedBytes.base64EncodedString(options: [])
print(signedRequestorId)
return signedRequestorId
}
U also need function get document by name
static func getFile(by name: String)-> Data?{
let documentsUrl = FileManager.default.urls(for: .documentDirectory, in: .userDomainMask).first
let destinationUrl = documentsUrl!.appendingPathComponent("\(name)")
let isFileFound = FileManager.default.fileExists(atPath: destinationUrl.path)
if isFileFound {
let documentContent = FileManager.default.contents(atPath: destinationUrl.path)
return documentContent
}
return nil
}
enter code here
How could I send hashed password with sha256 via post request ?
func sha256(string: String) -> Data? {
guard let messageData = string.data(using:String.Encoding.utf8) else { return nil; }
var digestData = Data(count: Int(CC_SHA256_DIGEST_LENGTH))
_ = digestData.withUnsafeMutableBytes {digestBytes in
messageData.withUnsafeBytes {messageBytes in
CC_SHA256(messageBytes, CC_LONG(messageData.count), digestBytes)
}
}
return digestData
}
This is how I am hasing a password.
Then whenever I try to pack it into an array as a [String: Any] it throws an exception in JSONSErialization 'NSInvalidArgumentException', reason: 'Invalid type in JSON write (Foundation._SwiftNSData)'
guard let loginURL = URL(string: LOGIN_URL) else {
print("Error: cannot create URL")
return
}
var loginURLRequest = URLRequest(url: loginURL)
loginURLRequest.httpMethod = "POST"
let content: [String: Any] = ["username": username, "passwordHash": password]
let json: Data
do {
json = try JSONSerialization.data(withJSONObject: content, options: [])
loginURLRequest.httpBody = json
} catch {
print("Error: Can not create JSON")
return
}
Thanks in advance!
What you probably want to do is encode the hash as a hex string. Given your sha256 function defined above, The following will do that:
let password = sha256(string: "myPassword")
.map { return String(format: "%02x", $0) }
.joined()
let content = [
"username": username,
"passwordHash": password
]
Alternatively, you could change your sha256 function to return a string (and make it an extension of string):
func sha256() -> String? {
guard let messageData = data(using:String.Encoding.utf8) else {
return nil
}
var digestData = Data(count: Int(CC_SHA256_DIGEST_LENGTH))
_ = digestData.withUnsafeMutableBytes { digestBytes in
withUnsafeBytes { messageBytes in
CC_SHA256(messageBytes, CC_LONG(messageData.count), digestBytes)
}
}
return digestData.map { return String(format: "%02x", $0) }.joined()
}
Note: I'm winging this a little since CommonCrypto won't work in a playground and I'm too lazy to wrap a whole project around this, but the important parts are here.
Use data.map to iterate over each byte in the hash
convert it to a hex string with String(format: "%02x"...)
put it all back together with joined()