CloudKit Web Service - Compute X-Apple-CloudKit-Request-SignatureV1

Question

Created Sep ’17

Replies 1

Boosts 0

Views 1.1k

Participants 2

Hello,

I've been having a hard time trying to communicate a linux daemon we're working on to CloudKit, the idea is that such daemon has to upload some records to the public database from time to time, such records are thus processed/used by other iOS devices as changes arrive.

Following the docs I'm stuck in the section Authenticate Web Service Requests, step 2:

Compute the ECDSA signature of this message with your private key.

From step #1 I get something like:

2017-09-25T20:52:43Z:tfqpj5KsHvSwA8cYvMnNv6UwyHrJD6iresxhIhvafZE=:/database/1/iCloud.com.example.daemon.Surtur/development/public/records/modify

All this following the recipe: [Current date]:[Request body]:[Web service URL subpath]

There request body is created by base64 encoding a SHA256 hash of the real request body.

Up to this point we're fine, computing the ECDSA signature with openssl is failing somehow, what I do is this:

std::string ckPrivateKey = "-----BEGIN EC PRIVATE KEY-----\n ....\n-----END EC PRIVATE KEY-----";
EVP_PKEY *eckey = NULL;
BIO *buf = BIO_new_mem_buf((void *)ckPrivateKey.c_str(), (int)ckPrivateKey.size());
PEM_read_bio_PrivateKey(buf, &eckey, NULL, NULL);
EVP_DigestSignInit(ctx, NULL, EVP_get_digestbyname("RSA-SHA256"), NULL, eckey);
EVP_DigestSignUpdate(ctx, (const void *)rq_signature.c_str(), (unsigned int)rq_signature.size());
EVP_DigestSignFinal(ctx, ecdsa_buf, &siglen);
ecdsa_buf = (unsigned char *)OPENSSL_malloc(siglen);
EVP_DigestSignFinal(ctx, ecdsa_buf, &siglen);

And then I encode ecdsa_buf with EVP_EncodeBlock(base64, ecdsa_buf, siglen);

Which produces something like: MEUCIGXwy0irg+kIjVa35ucifJJEjW1K/vIhAI1VxOdUF0uXAiEALcK8aDhWSq16fQ1pwrmDL+nSxueZ+I6/3uGf4p0xYkw=

Then using libcurl I construct the rest of the request filling X-Apple-CloudKit-Request-KeyID and X-Apple-CloudKit-Request-ISO8601Date and also sending the JSON request, then I POST and this is what I get from the server.

< HTTP/1.1 100 Continue

< HTTP/1.1 401 Unauthorized

< Server: AppleHttpServer/2f080fc0

< Date: Mon, 25 Sep 2017 21:25:45 GMT

< Content-Type: application/json; charset=UTF-8

< Transfer-Encoding: chunked

< Connection: keep-alive

< apple-seq: 0

< apple-tk: false

< Apple-Originating-System: UnknownOriginatingSystem

< X-Responding-Instance: ckdatabasews:32400802:mr22p24ic-ztbu04130901:8202:17F360:nocommit

< Access-Control-Expose-Headers: X-Apple-Request-UUID, X-Responding-Instance

< Via: xrail:mr90p00ic-zteu08161401:8301:17E33:grp20

< Strict-Transport-Security: max-age=31536000; includeSubDomains;

< via: icloudedge:mi01p00ic-zteu02113101:7401:17RC82:Miami

< X-Apple-Request-UUID: 1098c2df-1499-4ec9-8b18-2d745a6aa525

< access-control-expose-headers: Via

* HTTP error before end of send, stop sending

I have tried changing EVP_get_digestbyname("RSA-SHA256") to EVP_sha256, have tried with different API Access keys and also have tried using the low level ECDSA_sign() functions to no avail, have any of you ran into this in the past?

Please help (I'm desperate)!!!

Boost

Answer 1

johnwarrior OP

Sep ’17

Accepted Answer

In case anyone stumble into this I did manage to get it working using EVP_Sign, the reason it was not working was because of libcurl not sending the body until after receiving the 100 Continue, since it didn't got the whole thing in one piece CloudKit servers were not able to validate my signature.

If this happens to you while using libcurl just make sure you send the request body like this:

curl_easy_setopt(www, CURLOPT_POSTFIELDSIZE_LARGE, request_body.size());
curl_easy_setopt(www, CURLOPT_POSTFIELDS, request_body.c_str());

1