test: validate signature verification certificate

Author: Neno Stefanov

MIRACLTrust/MIRACLTrust.xcodeproj/project.pbxproj

@@ -240,6 +240,7 @@
 		6DFE8FC527EB6E380085380D /* Helpers.swift in Sources */ = {isa = PBXBuildFile; fileRef = 6DFE8FC427EB6E380085380D /* Helpers.swift */; };
 		6DFEC8CE26E1049100E8F682 /* MockURLSession.swift in Sources */ = {isa = PBXBuildFile; fileRef = 6DFEC8CD26E1049100E8F682 /* MockURLSession.swift */; };
 		83695C1C2C9734AA00411EAA /* EmailVerificationMethod.swift in Sources */ = {isa = PBXBuildFile; fileRef = 83695C1B2C9734AA00411EAA /* EmailVerificationMethod.swift */; };
+		838EE9302EDECD2000042452 /* SignatureCertificateJWTPayload.swift in Sources */ = {isa = PBXBuildFile; fileRef = 838EE92F2EDECD1200042452 /* SignatureCertificateJWTPayload.swift */; };
 		83BD3EFB2CC902F000D4E47F /* GmailServiceWrapper.swift in Sources */ = {isa = PBXBuildFile; fileRef = 83BD3EFA2CC902DF00D4E47F /* GmailServiceWrapper.swift */; };
 		83BD3F0B2CCA23A900D4E47F /* AuthenticationJWTPayload.swift in Sources */ = {isa = PBXBuildFile; fileRef = 83BD3F0A2CCA23A500D4E47F /* AuthenticationJWTPayload.swift */; };
 		83DE9EBE2CCA320D00BD7749 /* JWTKit in Frameworks */ = {isa = PBXBuildFile; productRef = 83DE9EBD2CCA320D00BD7749 /* JWTKit */; };
@@ -555,6 +556,7 @@
 		6DFE8FC427EB6E380085380D /* Helpers.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = Helpers.swift; sourceTree = "<group>"; };
 		6DFEC8CD26E1049100E8F682 /* MockURLSession.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = MockURLSession.swift; sourceTree = "<group>"; };
 		83695C1B2C9734AA00411EAA /* EmailVerificationMethod.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = EmailVerificationMethod.swift; sourceTree = "<group>"; };
+		838EE92F2EDECD1200042452 /* SignatureCertificateJWTPayload.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = SignatureCertificateJWTPayload.swift; sourceTree = "<group>"; };
 		83BD3EF82CC7CDBD00D4E47F /* GmailService.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = GmailService.swift; sourceTree = "<group>"; };
 		83BD3EFA2CC902DF00D4E47F /* GmailServiceWrapper.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = GmailServiceWrapper.swift; sourceTree = "<group>"; };
 		83BD3F0A2CCA23A500D4E47F /* AuthenticationJWTPayload.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = AuthenticationJWTPayload.swift; sourceTree = "<group>"; };
@@ -956,6 +958,7 @@
 				83BD3EFA2CC902DF00D4E47F /* GmailServiceWrapper.swift */,
 				6DFE8FC427EB6E380085380D /* Helpers.swift */,
 				83BD3F0A2CCA23A500D4E47F /* AuthenticationJWTPayload.swift */,
+				838EE92F2EDECD1200042452 /* SignatureCertificateJWTPayload.swift */,
 			);
 			path = Helpers;
 			sourceTree = "<group>";
@@ -1501,6 +1504,7 @@
 				6D26142C24AB1B7C004F0B54 /* Constants.swift in Sources */,
 				6D2E4F192E2E7A290001B5A7 /* CrossDeviceSessionIntegrationTest.swift in Sources */,
 				6D91ABDA26FDF4C000EE28CF /* SessionDetailsTestCase.swift in Sources */,
+				838EE9302EDECD2000042452 /* SignatureCertificateJWTPayload.swift in Sources */,
 				6D6B94B82E46141600BC7A60 /* CrossDeviceSessionAbortCase.swift in Sources */,
 				6D4167A52E435C78002E59EA /* CrossDeviceSessionAuthenticationCase.swift in Sources */,
 				6DDEB15127070C2C00C3313D /* AbortSessionIntergrationTest.swift in Sources */,

MIRACLTrust/MIRACLTrustIntegrationTests/Cases/Swift/SigningIntegrationTests.swift

@@ -1,4 +1,5 @@
 import CryptoKit
+import JWTKit
 import XCTest
 
 @testable import MIRACLTrust
@@ -106,23 +107,33 @@ class SigningIntegrationTests: XCTestCase {
         XCTAssertNil(error)
 
         let unwrappedSigningResult = try XCTUnwrap(signingResult)
-        let isSignatureVerified = api.verifySignature(
-            signingResult: unwrappedSigningResult,
-            serviceAccountToken: serviceAccountToken,
-            projectId: projectId,
-            projectURL: projectURL
+        XCTAssertEqual(messageHash.hex, unwrappedSigningResult.signature.signatureHash)
+
+        let verifySigningResponse = try XCTUnwrap(
+            api.verifySignature(
+                signingResult: unwrappedSigningResult,
+                serviceAccountToken: serviceAccountToken,
+                projectId: projectId,
+                projectURL: projectURL
+            )
         )
 
-        XCTAssertTrue(isSignatureVerified)
+        let jwks = try XCTUnwrap(api.getDvsJWKS(projectURL: projectURL))
+        let signers = JWTSigners()
+        try signers.use(jwksJSON: jwks)
+        let payload = try signers.verify(verifySigningResponse.certificate, as: SignatureCertificateJWTPayload.self)
+
+        XCTAssertEqual(messageHash.hex, payload.hash)
     }
 
     func testSigningCorrectnessWithSessionDetails() throws {
+        let hash = messageHash.hex
         let qrCode = try XCTUnwrap(
             api.startSigningSession(
                 projectID: projectId,
                 projectURL: projectURL,
                 userID: userId,
-                hash: UUID().uuidString,
+                hash: hash,
                 description: "Test transaction"
             )
         )
@@ -140,14 +151,23 @@ class SigningIntegrationTests: XCTestCase {
         XCTAssertNil(error)
 
         let unwrappedSigningResult = try XCTUnwrap(signingResult)
-        let isSignatureVerified = api.verifySignature(
-            signingResult: unwrappedSigningResult,
-            serviceAccountToken: serviceAccountToken,
-            projectId: projectId,
-            projectURL: projectURL
+        XCTAssertEqual(hash, unwrappedSigningResult.signature.signatureHash)
+
+        let verifySigningResponse = try XCTUnwrap(
+            api.verifySignature(
+                signingResult: unwrappedSigningResult,
+                serviceAccountToken: serviceAccountToken,
+                projectId: projectId,
+                projectURL: projectURL
+            )
         )
 
-        XCTAssertTrue(isSignatureVerified)
+        let jwks = try XCTUnwrap(api.getDvsJWKS(projectURL: projectURL))
+        let signers = JWTSigners()
+        try signers.use(jwksJSON: jwks)
+        let payload = try signers.verify(verifySigningResponse.certificate, as: SignatureCertificateJWTPayload.self)
+
+        XCTAssertEqual(messageHash.hex, payload.hash)
     }
 
     func testSigningCorrectnessWithCrossDeviceSession() async throws {
@@ -183,15 +203,22 @@ class SigningIntegrationTests: XCTestCase {
         let timeInterval = TimeInterval(signature.timestamp)
         let date = Date(timeIntervalSince1970: timeInterval)
 
-        let isSignatureVerified = api.verifySignature(
-            signature: signature,
-            timestamp: date,
-            serviceAccountToken: serviceAccountToken,
-            projectId: projectId,
-            projectURL: projectURL
+        let verifySigningResponse = try XCTUnwrap(
+            api.verifySignature(
+                signature: signature,
+                timestamp: date,
+                serviceAccountToken: serviceAccountToken,
+                projectId: projectId,
+                projectURL: projectURL
+            )
         )
 
-        XCTAssertTrue(isSignatureVerified)
+        let jwks = try XCTUnwrap(api.getDvsJWKS(projectURL: projectURL))
+        let signers = JWTSigners()
+        try signers.use(jwksJSON: jwks)
+        let payload = try signers.verify(verifySigningResponse.certificate, as: SignatureCertificateJWTPayload.self)
+
+        XCTAssertEqual(signature.signatureHash, payload.hash)
     }
 
     func testSigningCorrectnessWithCrossDeviceSessionForUniversalLink() throws {
@@ -242,14 +269,23 @@ class SigningIntegrationTests: XCTestCase {
         XCTAssertNil(error)
 
         let unwrappedSigningResult = try XCTUnwrap(signingResult)
-        let isSignatureVerified = api.verifySignature(
-            signingResult: unwrappedSigningResult,
-            serviceAccountToken: serviceAccountToken,
-            projectId: projectId,
-            projectURL: projectURL
+        XCTAssertEqual(messageHash.hex, unwrappedSigningResult.signature.signatureHash)
+
+        let verifySigningResponse = try XCTUnwrap(
+            api.verifySignature(
+                signingResult: unwrappedSigningResult,
+                serviceAccountToken: serviceAccountToken,
+                projectId: projectId,
+                projectURL: projectURL
+            )
         )
 
-        XCTAssertTrue(isSignatureVerified)
+        let jwks = try XCTUnwrap(api.getDvsJWKS(projectURL: projectURL))
+        let signers = JWTSigners()
+        try signers.use(jwksJSON: jwks)
+        let payload = try signers.verify(verifySigningResponse.certificate, as: SignatureCertificateJWTPayload.self)
+
+        XCTAssertEqual(messageHash.hex, payload.hash)
     }
 
     func testSigningEmptyMessageHash() throws {

MIRACLTrust/MIRACLTrustIntegrationTests/Helpers/MIRACLTrustHelperAPI/HelperAPIModel.swift

@@ -25,6 +25,10 @@ struct VerifySigningRequestBody: Codable {
     var timestamp: Int32
 }
 
+struct VerifySigningResponse: Codable {
+    var certificate: String
+}
+
 struct StartSessionResponse: Codable {
     var qrURL: URL
     var webOTT: String

MIRACLTrust/MIRACLTrustIntegrationTests/Helpers/MIRACLTrustHelperAPI/PlatformAPI.swift

@@ -133,6 +133,55 @@ import MIRACLTrust
         task.resume()
     }
 
+    public func getDvsJWKS(
+        projectURL: String,
+        completionHandler: @escaping @Sendable (String?, Error?) -> Void
+    ) {
+        guard let url = URL(string: projectURL) else {
+            return
+        }
+
+        guard let request = URLRequest.dvsJwksRequest(url: url) else {
+            return
+        }
+
+        let task = URLSession.shared.dataTask(with: request) { responseData, response, error in
+            if error != nil {
+                DispatchQueue.main.async {
+                    completionHandler(nil, HelperAPIError.internalError)
+                }
+                return
+            }
+
+            if let response = response as? HTTPURLResponse {
+                if response.statusCode != 200 {
+                    DispatchQueue.main.async {
+                        completionHandler(nil, HelperAPIError.internalError)
+                    }
+                    return
+                }
+            }
+
+            guard let data = responseData else {
+                DispatchQueue.main.async {
+                    completionHandler(nil, HelperAPIError.noData)
+                }
+                return
+            }
+
+            if data.isEmpty {
+                DispatchQueue.main.async {
+                    completionHandler(nil, nil)
+                }
+                return
+            }
+
+            completionHandler(String(data: data, encoding: String.Encoding.utf8), nil)
+        }
+
+        task.resume()
+    }
+
     public func accessRequest(
         projectURL: String,
         webOTT: String,
@@ -189,13 +238,13 @@ import MIRACLTrust
         }
     }
 
-    public func verifySignature(
+    func verifySignature(
         for signature: Signature,
         timestamp: Date,
         serviceAccountToken: String,
         projectId: String,
         projectURL: String,
-        completionHandler: @escaping @Sendable (Bool, Error?) -> Void
+        completionHandler: @escaping @Sendable (VerifySigningResponse?, Error?) -> Void
     ) {
         guard let url = URL(string: projectURL) else {
             return
@@ -205,12 +254,12 @@ import MIRACLTrust
             return
         }
 
-        requestExecutor.executeHTTPRequest(request: request) { (result: Result<EmptyResponse?, HelperAPIError>) in
+        requestExecutor.executeHTTPRequest(request: request) { (result: Result<VerifySigningResponse?, HelperAPIError>) in
             switch result {
-            case .success:
-                completionHandler(true, nil)
+            case let .success(success):
+                completionHandler(success, nil)
             case let .failure(error):
-                completionHandler(false, error)
+                completionHandler(nil, error)
             }
         }
     }

MIRACLTrust/MIRACLTrustIntegrationTests/Helpers/MIRACLTrustHelperAPI/URLRequest+Extensions.swift

@@ -182,6 +182,20 @@ extension URLRequest {
         return URLRequest(url: url)
     }
 
+    static func dvsJwksRequest(url: URL) -> Self? {
+        guard var components = URLComponents(url: url, resolvingAgainstBaseURL: false) else {
+            return nil
+        }
+
+        components.path = "/dvs/jwks"
+
+        guard let url = components.url else {
+            return nil
+        }
+
+        return URLRequest(url: url)
+    }
+
     static func signingSessionRequest(
         url: URL,
         projectID: String,

MIRACLTrust/MIRACLTrustIntegrationTests/Helpers/PlatformAPIWrapper.swift

@@ -51,6 +51,22 @@ import MIRACLTrust
         return jwkSet
     }
 
+    @objc func getDvsJWKS(projectURL: String) -> String? {
+        let jwksExpectation = XCTestExpectation(description: "wait for JWKS")
+        nonisolated(unsafe) var jwkSet: String?
+
+        platformAPI.getDvsJWKS(projectURL: projectURL) { jwks, error in
+            if let jwks = jwks {
+                jwkSet = jwks
+            } else if let error = error {
+                print("Error when fetching JWKS \(error)")
+            }
+            jwksExpectation.fulfill()
+        }
+        _ = XCTWaiter.wait(for: [jwksExpectation], timeout: operationTimeout)
+        return jwkSet
+    }
+
     @objc func startSession(
         projectId: String,
         projectURL: String,
@@ -108,13 +124,13 @@ import MIRACLTrust
         return qrCode
     }
 
-    @objc func verifySignature(
+    func verifySignature(
         signingResult: SigningResult,
         serviceAccountToken: String,
         projectId: String,
         projectURL: String
-    ) -> Bool {
-        nonisolated(unsafe) var verifiedSignature = false
+    ) -> VerifySigningResponse? {
+        nonisolated(unsafe) var verifySigningResponse: VerifySigningResponse?
         let expectation = XCTestExpectation(description: "Waiting for signature verification")
 
         platformAPI.verifySignature(
@@ -123,23 +139,23 @@ import MIRACLTrust
             serviceAccountToken: serviceAccountToken,
             projectId: projectId,
             projectURL: projectURL
-        ) { isVerified, _ in
-            verifiedSignature = isVerified
+        ) { signingResponse, _ in
+            verifySigningResponse = signingResponse
             expectation.fulfill()
         }
         _ = XCTWaiter.wait(for: [expectation], timeout: operationTimeout)
 
-        return verifiedSignature
+        return verifySigningResponse
     }
 
-    @objc func verifySignature(
+    func verifySignature(
         signature: Signature,
         timestamp: Date,
         serviceAccountToken: String,
         projectId: String,
         projectURL: String
-    ) -> Bool {
-        nonisolated(unsafe) var verifiedSignature = false
+    ) -> VerifySigningResponse? {
+        nonisolated(unsafe) var verifySigningResponse: VerifySigningResponse?
         let expectation = XCTestExpectation(description: "Waiting for signature verification")
 
         platformAPI.verifySignature(
@@ -148,13 +164,13 @@ import MIRACLTrust
             serviceAccountToken: serviceAccountToken,
             projectId: projectId,
             projectURL: projectURL
-        ) { isVerified, _ in
-            verifiedSignature = isVerified
+        ) { signingResponse, _ in
+            verifySigningResponse = signingResponse
             expectation.fulfill()
         }
         _ = XCTWaiter.wait(for: [expectation], timeout: operationTimeout)
 
-        return verifiedSignature
+        return verifySigningResponse
     }
 
     func getVerificationURL(

MIRACLTrust/MIRACLTrustIntegrationTests/Helpers/SignatureCertificateJWTPayload.swift

@@ -0,0 +1,11 @@
+import JWTKit
+
+struct SignatureCertificateJWTPayload: JWTPayload {
+    var cAt: IssuedAtClaim
+    var exp: ExpirationClaim
+    var hash: String
+
+    func verify(using _: JWTKit.JWTSigner) throws {
+        try exp.verifyNotExpired()
+    }
+}