test: validate signature verification certificate

Neno Stefanov · NenoStefanov · commit 21e844658142 · 2025-12-09T10:34:44.000+02:00
diff --git a/MIRACLTrust/MIRACLTrust.xcodeproj/project.pbxproj b/MIRACLTrust/MIRACLTrust.xcodeproj/project.pbxproj
@@ -240,6 +240,7 @@
 		6DFE8FC527EB6E380085380D /* Helpers.swift in Sources */ = {isa = PBXBuildFile; fileRef = 6DFE8FC427EB6E380085380D /* Helpers.swift */; };
 		6DFEC8CE26E1049100E8F682 /* MockURLSession.swift in Sources */ = {isa = PBXBuildFile; fileRef = 6DFEC8CD26E1049100E8F682 /* MockURLSession.swift */; };
 		83695C1C2C9734AA00411EAA /* EmailVerificationMethod.swift in Sources */ = {isa = PBXBuildFile; fileRef = 83695C1B2C9734AA00411EAA /* EmailVerificationMethod.swift */; };
+		838EE9302EDECD2000042452 /* SignatureCertificateJWTPayload.swift in Sources */ = {isa = PBXBuildFile; fileRef = 838EE92F2EDECD1200042452 /* SignatureCertificateJWTPayload.swift */; };
 		83BD3EFB2CC902F000D4E47F /* GmailServiceWrapper.swift in Sources */ = {isa = PBXBuildFile; fileRef = 83BD3EFA2CC902DF00D4E47F /* GmailServiceWrapper.swift */; };
 		83BD3F0B2CCA23A900D4E47F /* AuthenticationJWTPayload.swift in Sources */ = {isa = PBXBuildFile; fileRef = 83BD3F0A2CCA23A500D4E47F /* AuthenticationJWTPayload.swift */; };
 		83DE9EBE2CCA320D00BD7749 /* JWTKit in Frameworks */ = {isa = PBXBuildFile; productRef = 83DE9EBD2CCA320D00BD7749 /* JWTKit */; };
@@ -555,6 +556,7 @@
 		6DFE8FC427EB6E380085380D /* Helpers.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = Helpers.swift; sourceTree = "<group>"; };
 		6DFEC8CD26E1049100E8F682 /* MockURLSession.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = MockURLSession.swift; sourceTree = "<group>"; };
 		83695C1B2C9734AA00411EAA /* EmailVerificationMethod.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = EmailVerificationMethod.swift; sourceTree = "<group>"; };
+		838EE92F2EDECD1200042452 /* SignatureCertificateJWTPayload.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = SignatureCertificateJWTPayload.swift; sourceTree = "<group>"; };
 		83BD3EF82CC7CDBD00D4E47F /* GmailService.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = GmailService.swift; sourceTree = "<group>"; };
 		83BD3EFA2CC902DF00D4E47F /* GmailServiceWrapper.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = GmailServiceWrapper.swift; sourceTree = "<group>"; };
 		83BD3F0A2CCA23A500D4E47F /* AuthenticationJWTPayload.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = AuthenticationJWTPayload.swift; sourceTree = "<group>"; };
@@ -956,6 +958,7 @@
 				83BD3EFA2CC902DF00D4E47F /* GmailServiceWrapper.swift */,
 				6DFE8FC427EB6E380085380D /* Helpers.swift */,
 				83BD3F0A2CCA23A500D4E47F /* AuthenticationJWTPayload.swift */,
+				838EE92F2EDECD1200042452 /* SignatureCertificateJWTPayload.swift */,
 			);
 			path = Helpers;
 			sourceTree = "<group>";
@@ -1501,6 +1504,7 @@
 				6D26142C24AB1B7C004F0B54 /* Constants.swift in Sources */,
 				6D2E4F192E2E7A290001B5A7 /* CrossDeviceSessionIntegrationTest.swift in Sources */,
 				6D91ABDA26FDF4C000EE28CF /* SessionDetailsTestCase.swift in Sources */,
+				838EE9302EDECD2000042452 /* SignatureCertificateJWTPayload.swift in Sources */,
 				6D6B94B82E46141600BC7A60 /* CrossDeviceSessionAbortCase.swift in Sources */,
 				6D4167A52E435C78002E59EA /* CrossDeviceSessionAuthenticationCase.swift in Sources */,
 				6DDEB15127070C2C00C3313D /* AbortSessionIntergrationTest.swift in Sources */,
diff --git a/MIRACLTrust/MIRACLTrustIntegrationTests/Cases/Swift/AuthenticationIntegrationTests.swift b/MIRACLTrust/MIRACLTrustIntegrationTests/Cases/Swift/AuthenticationIntegrationTests.swift
@@ -87,7 +87,7 @@ class AuthenticationIntegrationTests: XCTestCase {
         XCTAssertNil(jwtError)
         XCTAssertNotNil(jwt)
 
-        let jwks = try XCTUnwrap(api.getJWKS(projectURL: projectURL))
+        let jwks = try String(contentsOf: XCTUnwrap(URL(string: "\(projectURL)/.well-known/jwks")))
         let signers = JWTSigners()
         try signers.use(jwksJSON: jwks)
         let payload = try signers.verify(jwt!, as: AuthenticationJWTPayload.self)
diff --git a/MIRACLTrust/MIRACLTrustIntegrationTests/Cases/Swift/SigningIntegrationTests.swift b/MIRACLTrust/MIRACLTrustIntegrationTests/Cases/Swift/SigningIntegrationTests.swift
@@ -1,4 +1,5 @@
 import CryptoKit
+import JWTKit
 import XCTest
 
 @testable import MIRACLTrust
@@ -106,23 +107,33 @@ class SigningIntegrationTests: XCTestCase {
         XCTAssertNil(error)
 
         let unwrappedSigningResult = try XCTUnwrap(signingResult)
-        let isSignatureVerified = api.verifySignature(
-            signingResult: unwrappedSigningResult,
-            serviceAccountToken: serviceAccountToken,
-            projectId: projectId,
-            projectURL: projectURL
+        XCTAssertEqual(messageHash.hex, unwrappedSigningResult.signature.signatureHash)
+
+        let verifySigningResponse = try XCTUnwrap(
+            api.verifySignature(
+                signingResult: unwrappedSigningResult,
+                serviceAccountToken: serviceAccountToken,
+                projectId: projectId,
+                projectURL: projectURL
+            )
         )
 
-        XCTAssertTrue(isSignatureVerified)
+        let jwks = try String(contentsOf: XCTUnwrap(URL(string: "\(projectURL)/dvs/jwks")))
+        let signers = JWTSigners()
+        try signers.use(jwksJSON: jwks)
+        let payload = try signers.verify(verifySigningResponse.certificate, as: SignatureCertificateJWTPayload.self)
+
+        XCTAssertEqual(messageHash.hex, payload.hash)
     }
 
     func testSigningCorrectnessWithSessionDetails() throws {
+        let hash = messageHash.hex
         let qrCode = try XCTUnwrap(
             api.startSigningSession(
                 projectID: projectId,
                 projectURL: projectURL,
                 userID: userId,
-                hash: UUID().uuidString,
+                hash: hash,
                 description: "Test transaction"
             )
         )
@@ -140,14 +151,23 @@ class SigningIntegrationTests: XCTestCase {
         XCTAssertNil(error)
 
         let unwrappedSigningResult = try XCTUnwrap(signingResult)
-        let isSignatureVerified = api.verifySignature(
-            signingResult: unwrappedSigningResult,
-            serviceAccountToken: serviceAccountToken,
-            projectId: projectId,
-            projectURL: projectURL
+        XCTAssertEqual(hash, unwrappedSigningResult.signature.signatureHash)
+
+        let verifySigningResponse = try XCTUnwrap(
+            api.verifySignature(
+                signingResult: unwrappedSigningResult,
+                serviceAccountToken: serviceAccountToken,
+                projectId: projectId,
+                projectURL: projectURL
+            )
         )
 
-        XCTAssertTrue(isSignatureVerified)
+        let jwks = try String(contentsOf: XCTUnwrap(URL(string: "\(projectURL)/dvs/jwks")))
+        let signers = JWTSigners()
+        try signers.use(jwksJSON: jwks)
+        let payload = try signers.verify(verifySigningResponse.certificate, as: SignatureCertificateJWTPayload.self)
+
+        XCTAssertEqual(messageHash.hex, payload.hash)
     }
 
     func testSigningCorrectnessWithCrossDeviceSession() async throws {
@@ -183,15 +203,22 @@ class SigningIntegrationTests: XCTestCase {
         let timeInterval = TimeInterval(signature.timestamp)
         let date = Date(timeIntervalSince1970: timeInterval)
 
-        let isSignatureVerified = api.verifySignature(
-            signature: signature,
-            timestamp: date,
-            serviceAccountToken: serviceAccountToken,
-            projectId: projectId,
-            projectURL: projectURL
+        let verifySigningResponse = try XCTUnwrap(
+            api.verifySignature(
+                signature: signature,
+                timestamp: date,
+                serviceAccountToken: serviceAccountToken,
+                projectId: projectId,
+                projectURL: projectURL
+            )
         )
 
-        XCTAssertTrue(isSignatureVerified)
+        let jwks = try String(contentsOf: XCTUnwrap(URL(string: "\(projectURL)/dvs/jwks")))
+        let signers = JWTSigners()
+        try signers.use(jwksJSON: jwks)
+        let payload = try signers.verify(verifySigningResponse.certificate, as: SignatureCertificateJWTPayload.self)
+
+        XCTAssertEqual(signature.signatureHash, payload.hash)
     }
 
     func testSigningCorrectnessWithCrossDeviceSessionForUniversalLink() throws {
@@ -242,14 +269,23 @@ class SigningIntegrationTests: XCTestCase {
         XCTAssertNil(error)
 
         let unwrappedSigningResult = try XCTUnwrap(signingResult)
-        let isSignatureVerified = api.verifySignature(
-            signingResult: unwrappedSigningResult,
-            serviceAccountToken: serviceAccountToken,
-            projectId: projectId,
-            projectURL: projectURL
+        XCTAssertEqual(messageHash.hex, unwrappedSigningResult.signature.signatureHash)
+
+        let verifySigningResponse = try XCTUnwrap(
+            api.verifySignature(
+                signingResult: unwrappedSigningResult,
+                serviceAccountToken: serviceAccountToken,
+                projectId: projectId,
+                projectURL: projectURL
+            )
         )
 
-        XCTAssertTrue(isSignatureVerified)
+        let jwks = try String(contentsOf: XCTUnwrap(URL(string: "\(projectURL)/dvs/jwks")))
+        let signers = JWTSigners()
+        try signers.use(jwksJSON: jwks)
+        let payload = try signers.verify(verifySigningResponse.certificate, as: SignatureCertificateJWTPayload.self)
+
+        XCTAssertEqual(messageHash.hex, payload.hash)
     }
 
     func testSigningEmptyMessageHash() throws {
diff --git a/MIRACLTrust/MIRACLTrustIntegrationTests/Helpers/MIRACLTrustHelperAPI/HelperAPIModel.swift b/MIRACLTrust/MIRACLTrustIntegrationTests/Helpers/MIRACLTrustHelperAPI/HelperAPIModel.swift
@@ -25,6 +25,10 @@ struct VerifySigningRequestBody: Codable {
     var timestamp: Int32
 }
 
+struct VerifySigningResponse: Codable {
+    var certificate: String
+}
+
 struct StartSessionResponse: Codable {
     var qrURL: URL
     var webOTT: String
diff --git a/MIRACLTrust/MIRACLTrustIntegrationTests/Helpers/MIRACLTrustHelperAPI/PlatformAPI.swift b/MIRACLTrust/MIRACLTrustIntegrationTests/Helpers/MIRACLTrustHelperAPI/PlatformAPI.swift
@@ -84,55 +84,6 @@ import MIRACLTrust
         }
     }
 
-    public func getJWKS(
-        projectURL: String,
-        completionHandler: @escaping @Sendable (String?, Error?) -> Void
-    ) {
-        guard let url = URL(string: projectURL) else {
-            return
-        }
-
-        guard let request = URLRequest.jwksRequest(url: url) else {
-            return
-        }
-
-        let task = URLSession.shared.dataTask(with: request) { responseData, response, error in
-            if error != nil {
-                DispatchQueue.main.async {
-                    completionHandler(nil, HelperAPIError.internalError)
-                }
-                return
-            }
-
-            if let response = response as? HTTPURLResponse {
-                if response.statusCode != 200 {
-                    DispatchQueue.main.async {
-                        completionHandler(nil, HelperAPIError.internalError)
-                    }
-                    return
-                }
-            }
-
-            guard let data = responseData else {
-                DispatchQueue.main.async {
-                    completionHandler(nil, HelperAPIError.noData)
-                }
-                return
-            }
-
-            if data.isEmpty {
-                DispatchQueue.main.async {
-                    completionHandler(nil, nil)
-                }
-                return
-            }
-
-            completionHandler(String(data: data, encoding: String.Encoding.utf8), nil)
-        }
-
-        task.resume()
-    }
-
     public func accessRequest(
         projectURL: String,
         webOTT: String,
@@ -189,13 +140,13 @@ import MIRACLTrust
         }
     }
 
-    public func verifySignature(
+    func verifySignature(
         for signature: Signature,
         timestamp: Date,
         serviceAccountToken: String,
         projectId: String,
         projectURL: String,
-        completionHandler: @escaping @Sendable (Bool, Error?) -> Void
+        completionHandler: @escaping @Sendable (VerifySigningResponse?, Error?) -> Void
     ) {
         guard let url = URL(string: projectURL) else {
             return
@@ -205,12 +156,12 @@ import MIRACLTrust
             return
         }
 
-        requestExecutor.executeHTTPRequest(request: request) { (result: Result<EmptyResponse?, HelperAPIError>) in
+        requestExecutor.executeHTTPRequest(request: request) { (result: Result<VerifySigningResponse?, HelperAPIError>) in
             switch result {
-            case .success:
-                completionHandler(true, nil)
+            case let .success(success):
+                completionHandler(success, nil)
             case let .failure(error):
-                completionHandler(false, error)
+                completionHandler(nil, error)
             }
         }
     }
diff --git a/MIRACLTrust/MIRACLTrustIntegrationTests/Helpers/MIRACLTrustHelperAPI/URLRequest+Extensions.swift b/MIRACLTrust/MIRACLTrustIntegrationTests/Helpers/MIRACLTrustHelperAPI/URLRequest+Extensions.swift
@@ -168,20 +168,6 @@ extension URLRequest {
         return request
     }
 
-    static func jwksRequest(url: URL) -> Self? {
-        guard var components = URLComponents(url: url, resolvingAgainstBaseURL: false) else {
-            return nil
-        }
-
-        components.path = "/.well-known/jwks"
-
-        guard let url = components.url else {
-            return nil
-        }
-
-        return URLRequest(url: url)
-    }
-
     static func signingSessionRequest(
         url: URL,
         projectID: String,
diff --git a/MIRACLTrust/MIRACLTrustIntegrationTests/Helpers/PlatformAPIWrapper.swift b/MIRACLTrust/MIRACLTrustIntegrationTests/Helpers/PlatformAPIWrapper.swift
@@ -35,22 +35,6 @@ import MIRACLTrust
         return verificationUrl
     }
 
-    @objc func getJWKS(projectURL: String) -> String? {
-        let jwksExpectation = XCTestExpectation(description: "wait for JWKS")
-        nonisolated(unsafe) var jwkSet: String?
-
-        platformAPI.getJWKS(projectURL: projectURL) { jwks, error in
-            if let jwks = jwks {
-                jwkSet = jwks
-            } else if let error = error {
-                print("Error when fetching JWKS \(error)")
-            }
-            jwksExpectation.fulfill()
-        }
-        _ = XCTWaiter.wait(for: [jwksExpectation], timeout: operationTimeout)
-        return jwkSet
-    }
-
     @objc func startSession(
         projectId: String,
         projectURL: String,
@@ -108,13 +92,13 @@ import MIRACLTrust
         return qrCode
     }
 
-    @objc func verifySignature(
+    func verifySignature(
         signingResult: SigningResult,
         serviceAccountToken: String,
         projectId: String,
         projectURL: String
-    ) -> Bool {
-        nonisolated(unsafe) var verifiedSignature = false
+    ) -> VerifySigningResponse? {
+        nonisolated(unsafe) var verifySigningResponse: VerifySigningResponse?
         let expectation = XCTestExpectation(description: "Waiting for signature verification")
 
         platformAPI.verifySignature(
@@ -123,23 +107,23 @@ import MIRACLTrust
             serviceAccountToken: serviceAccountToken,
             projectId: projectId,
             projectURL: projectURL
-        ) { isVerified, _ in
-            verifiedSignature = isVerified
+        ) { signingResponse, _ in
+            verifySigningResponse = signingResponse
             expectation.fulfill()
         }
         _ = XCTWaiter.wait(for: [expectation], timeout: operationTimeout)
 
-        return verifiedSignature
+        return verifySigningResponse
     }
 
-    @objc func verifySignature(
+    func verifySignature(
         signature: Signature,
         timestamp: Date,
         serviceAccountToken: String,
         projectId: String,
         projectURL: String
-    ) -> Bool {
-        nonisolated(unsafe) var verifiedSignature = false
+    ) -> VerifySigningResponse? {
+        nonisolated(unsafe) var verifySigningResponse: VerifySigningResponse?
         let expectation = XCTestExpectation(description: "Waiting for signature verification")
 
         platformAPI.verifySignature(
@@ -148,13 +132,13 @@ import MIRACLTrust
             serviceAccountToken: serviceAccountToken,
             projectId: projectId,
             projectURL: projectURL
-        ) { isVerified, _ in
-            verifiedSignature = isVerified
+        ) { signingResponse, _ in
+            verifySigningResponse = signingResponse
             expectation.fulfill()
         }
         _ = XCTWaiter.wait(for: [expectation], timeout: operationTimeout)
 
-        return verifiedSignature
+        return verifySigningResponse
     }
 
     func getVerificationURL(
diff --git a/MIRACLTrust/MIRACLTrustIntegrationTests/Helpers/SignatureCertificateJWTPayload.swift b/MIRACLTrust/MIRACLTrustIntegrationTests/Helpers/SignatureCertificateJWTPayload.swift
@@ -0,0 +1,11 @@
+import JWTKit
+
+struct SignatureCertificateJWTPayload: JWTPayload {
+    var cAt: IssuedAtClaim
+    var exp: ExpirationClaim
+    var hash: String
+
+    func verify(using _: JWTKit.JWTSigner) throws {
+        try exp.verifyNotExpired()
+    }
+}
