Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix export signature verification #40

Closed
wants to merge 4 commits into from
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 19 additions & 4 deletions export/index.template.html
Original file line number Diff line number Diff line change
Expand Up @@ -328,8 +328,11 @@ <h2>Message log</h2>

/**
* Function to verify enclave signature on import bundle received from the server.
* @param {string} enclaveQuorumPublic uncompressed public key for the quorum key which produced the signature
* @param {string} publicSignature signature bytes encoded as a hexadecimal string
* @param {string} signedData signed bytes encoded as a hexadecimal string. This could be public key bytes directly, or JSON-encoded bytes
*/
async function verifyEnclaveSignature(enclaveQuorumPublic, publicSignature, publicKey) {
async function verifyEnclaveSignature(enclaveQuorumPublic, publicSignature, signedData) {
/** Turnkey Signer enclave's public keys */
const TURNKEY_SIGNERS_ENCLAVES = {
"prod": "04cf288fe433cc4e1aa0ce1632feac4ea26bf2f5a09dcfe5a42c398e06898710330f0572882f4dbdf0f5304b8fc8703acd69adca9a4bbf7f5d00d20a5e364b2569",
Expand All @@ -355,8 +358,8 @@ <h2>Message log</h2>

// The ECDSA signature is ASN.1 DER encoded but WebCrypto uses raw format
const publicSignatureBuf = fromDerSignature(publicSignature);
const publicKeyBuf = uint8arrayFromHexString(publicKey);
return await crypto.subtle.verify({ name: "ECDSA", namedCurve: "P-256", hash: {name: "SHA-256" }}, quorumKey, publicSignatureBuf, publicKeyBuf);
const signedDataBuf = uint8arrayFromHexString(signedData);
return await crypto.subtle.verify({ name: "ECDSA", namedCurve: "P-256", hash: {name: "SHA-256" }}, quorumKey, publicSignatureBuf, signedDataBuf);
}

/**
Expand Down Expand Up @@ -742,7 +745,19 @@ <h2>Message log</h2>
if (!TKHQ.verifyEnclaveSignature) {
throw new Error("method not loaded");
}
verified = await TKHQ.verifyEnclaveSignature(bundleObj.enclaveQuorumPublic, bundleObj.dataSignature, bundleObj.data.encappedPublic);

// Temporary solution to get the bytes signed by the enclave
var signedData = /"data":({[^}]+)/.exec(bundle);
if (signedData === null || signedData.length !== 2) {
throw new Error(`unable to find signed data in bundle: ${bundle}`);
}

// We add the closing brace back: it was our marker for the end of the group in the regex above, hence not captured.
const signedDataBytes = new TextEncoder().encode(signedData[1] + "}");
// Encode these bytes to hex since verifyEnclaveSignature expects hex-encoded bytes
const signedDataHexString = TKHQ.uint8arrayToHexString(signedDataBytes);

verified = await TKHQ.verifyEnclaveSignature(bundleObj.enclaveQuorumPublic, bundleObj.dataSignature, signedDataHexString);
r-n-o marked this conversation as resolved.
Show resolved Hide resolved
if (!verified) {
throw new Error(`failed to verify enclave signature: ${bundle}`);
}
Expand Down
20 changes: 16 additions & 4 deletions import/index.template.html
Original file line number Diff line number Diff line change
Expand Up @@ -285,8 +285,11 @@

/**
* Function to verify enclave signature on import bundle received from the server.
* @param {string} enclaveQuorumPublic uncompressed public key for the quorum key which produced the signature
* @param {string} publicSignature signature bytes encoded as a hexadecimal string
* @param {string} signedData signed bytes encoded as a hexadecimal string. This could be public key bytes directly, or JSON-encoded bytes
*/
async function verifyEnclaveSignature(enclaveQuorumPublic, publicSignature, publicKey) {
async function verifyEnclaveSignature(enclaveQuorumPublic, publicSignature, signedData) {
/** Turnkey Signer enclave's public keys */
const TURNKEY_SIGNERS_ENCLAVES = {
"prod": "04cf288fe433cc4e1aa0ce1632feac4ea26bf2f5a09dcfe5a42c398e06898710330f0572882f4dbdf0f5304b8fc8703acd69adca9a4bbf7f5d00d20a5e364b2569",
Expand All @@ -312,8 +315,8 @@

// The ECDSA signature is ASN.1 DER encoded but WebCrypto uses raw format
const publicSignatureBuf = fromDerSignature(publicSignature);
const publicKeyBuf = uint8arrayFromHexString(publicKey);
return await crypto.subtle.verify({ name: "ECDSA", namedCurve: "P-256", hash: {name: "SHA-256" }}, quorumKey, publicSignatureBuf, publicKeyBuf);
const signedDataBuf = uint8arrayFromHexString(signedData);
return await crypto.subtle.verify({ name: "ECDSA", namedCurve: "P-256", hash: {name: "SHA-256" }}, quorumKey, publicSignatureBuf, signedDataBuf);
}

/**
Expand Down Expand Up @@ -546,7 +549,16 @@
if (!TKHQ.verifyEnclaveSignature) {
throw new Error("method not loaded");
}
verified = await TKHQ.verifyEnclaveSignature(bundleObj.enclaveQuorumPublic, bundleObj.dataSignature, bundleObj.data);

// Temporary solution to get the bytes signed by the enclave
var signedData = /"data":({[^}]+)/.exec(bundle);
if (signedData === null || signedData.length !== 2) {
throw new Error(`unable to find signed data in bundle: ${bundle}`);
}
const signedDataBytes = new TextEncoder().encode(signedData[1] + "}");
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

could add the same comments from export/index.template.html, but totally optional

const signedDataHexString = TKHQ.uint8arrayToHexString(signedDataBytes);

verified = await TKHQ.verifyEnclaveSignature(bundleObj.enclaveQuorumPublic, bundleObj.dataSignature, signedDataHexString);
if (!verified) {
throw new Error(`failed to verify enclave signature: ${bundle}`);
}
Expand Down
21 changes: 17 additions & 4 deletions import/standalone.template.html
Original file line number Diff line number Diff line change
Expand Up @@ -337,8 +337,11 @@ <h2>Message log</h2>

/**
* Function to verify enclave signature on import bundle received from the server.
* @param {string} enclaveQuorumPublic uncompressed public key for the quorum key which produced the signature
* @param {string} publicSignature signature bytes encoded as a hexadecimal string
* @param {string} signedData signed bytes encoded as a hexadecimal string. This could be public key bytes directly, or JSON-encoded bytes
*/
async function verifyEnclaveSignature(enclaveQuorumPublic, publicSignature, publicKey) {
async function verifyEnclaveSignature(enclaveQuorumPublic, publicSignature, signedData) {
/** Turnkey Signer enclave's public keys */
const TURNKEY_SIGNERS_ENCLAVES = {
"prod": "04cf288fe433cc4e1aa0ce1632feac4ea26bf2f5a09dcfe5a42c398e06898710330f0572882f4dbdf0f5304b8fc8703acd69adca9a4bbf7f5d00d20a5e364b2569",
Expand All @@ -364,8 +367,8 @@ <h2>Message log</h2>

// The ECDSA signature is ASN.1 DER encoded but WebCrypto uses raw format
const publicSignatureBuf = fromDerSignature(publicSignature);
const publicKeyBuf = uint8arrayFromHexString(publicKey);
return await crypto.subtle.verify({ name: "ECDSA", namedCurve: "P-256", hash: {name: "SHA-256" }}, quorumKey, publicSignatureBuf, publicKeyBuf);
const signedDataBuf = uint8arrayFromHexString(signedData);
return await crypto.subtle.verify({ name: "ECDSA", namedCurve: "P-256", hash: {name: "SHA-256" }}, quorumKey, publicSignatureBuf, signedDataBuf);
}

/**
Expand Down Expand Up @@ -543,7 +546,17 @@ <h2>Message log</h2>
if (!TKHQ.verifyEnclaveSignature) {
throw new Error("method not loaded");
}
verified = await TKHQ.verifyEnclaveSignature(bundleObj.enclaveQuorumPublic, bundleObj.dataSignature, bundleObj.data);

// Temporary solution to get the bytes signed by the enclave
var signedData = /"data":({[^}]+)/.exec(bundle);
if (signedData === null || signedData.length !== 2) {
throw new Error(`unable to find signed data in bundle: ${bundle}`);
}
const signedDataBytes = new TextEncoder().encode(signedData[1] + "}");
const signedDataHexString = TKHQ.uint8arrayToHexString(signedDataBytes);

verified = await TKHQ.verifyEnclaveSignature(bundleObj.enclaveQuorumPublic, bundleObj.dataSignature, signedDataHexString);

if (!verified) {
throw new Error(`failed to verify enclave signature: ${bundle}`);
}
Expand Down
Loading