Hey everyone,
I hope you're all doing well. I'm currently deep into the implementation of the AddPaymentPassView feature for my app. However, I've hit a roadblock concerning the verification of signatures for both the nonce and nonceSignature.
Here's a snapshot of what's giving me a hard time:
Within the context of the AddPaymentPassView, I'm having problems when trying to verify the certificate with the nonce and nonceSignature fields. I do recognize the critical nature of this step in terms of security, but I'm finding myself uncertain about the most effective approach.
For clarity's sake, here's the function I've been utilizing to carry out signature verification in Swift:
func verifySignature(certificateRaw:Data, nonce:Data, nonceSignature:Data ) {
if #available(iOS 14, *)
{
var error: Unmanaged<CFError>?
let certificate = SecCertificateCreateWithData(nil, certificateRaw as CFData)
// Create a policy for X.509 certificate validation
let policy = SecPolicyCreateBasicX509()
// Create a certificate trust object with the certificate and policy
var trust: SecTrust?
let status = SecTrustCreateWithCertificates(certificate, policy, &trust)
// Perform policy checks
let trustResult = SecTrustEvaluateWithError(trust!, nil)
// Extract the public key from the certificate
let publicKey = SecTrustCopyKey(trust!)
print("PUBLIC KEY \(publicKey)")
print("nonceData \(nonce)")
print("nonceSignatureData \(nonceSignature)")
let result = SecKeyVerifySignature(publicKey!, SecKeyAlgorithm.ecdsaSignatureMessageX962SHA256,nonce as CFData, nonceSignature as CFData, &error)
if result {
print("Signature verification successful")
} else {
print("Signature verification failed: \(error?.takeRetainedValue() as Error?)")
}
}
else
{
// Return something else here.
print("NOT AVAILABLE")
}
}
I'm invoking this function within the addPaymentPassViewController like so:
func addPaymentPassViewController(
_ controller: PKAddPaymentPassViewController,
generateRequestWithCertificateChain certificates: [Data],
nonce: Data, nonceSignature: Data,
completionHandler handler: @escaping (PKAddPaymentPassRequest) -> Void) {
verifySignature(certificate: certificates[0], nonce: nonce, nonceSignature: nonceSignature)
However, the verification doesn't seem to be going as planned. Here's a snippet of the logs I'm getting:
PUBLIC KEY Optional(<SecKeyRef curve type: kSecECCurveSecp256r1, algorithm id: 3, key type: ECPublicKey, version: 4, block size: 256 bits, y: 613361F002148F2DB831620CBBFD5D6AC711E5F4FF236D1958F0033A5A9D66FF, x: B3095C90197DECCB25B6688EA7C9F3507BEBE38F38D4E2B2CED198968956594A, addr: 0x155b6b080>)
nonceData Optional(4 bytes)
nonceSignatureData Optional(81 bytes)
Signature verification failed: Optional(Error Domain=NSOSStatusErrorDomain Code=-67808 "EC signature verification failed (ccerr -7)" UserInfo={numberOfErrorsDeep=0, NSDescription=EC signature verification failed (ccerr -7)})
It's becoming a bit perplexing. I'm wondering if anyone else has encountered this issue and whether there might be alternative approaches or suggestions to tackle this problem.
Any input, code snippets, or resources you can share would be invaluable to me right now. Thanks so much for taking the time to read this and for any assistance you might offer!