Merge branch 'unify-validation-and-signature-creation' into various-i…

…mprovements
ueman · Sep 20, 2024 · 0e8eca6 · 0e8eca6
2 parents 2059946 + 132e669
commit 0e8eca6
Show file tree

Hide file tree

Showing 5 changed files with 65 additions and 14 deletions.
diff --git a/passkit/lib/src/certificate_extension.dart b/passkit/lib/src/certificate_extension.dart
@@ -0,0 +1,14 @@
+import 'package:collection/collection.dart';
+import 'package:pkcs7/pkcs7.dart';
+
+extension CertX on X509 {
+  /// Matches the pass type identifer for PkPass and the merchant identifier for
+  /// orders
+  String? get identifier =>
+      subject.firstWhereOrNull((it) => it.key.name == 'UID')?.value as String?;
+
+  /// Matches the team identifier
+  String? get teamIdentifier => subject
+      .firstWhereOrNull((it) => it.key.name == 'organizationalUnitName')
+      ?.value as String?;
+}
diff --git a/passkit/lib/src/order/pk_order.dart b/passkit/lib/src/order/pk_order.dart
@@ -17,8 +17,8 @@ class PkOrder {
   });
 
   /// Parses bytes to a [PkOrder] instance.
-  /// Setting [skipVerification] to true disables any checksum or signature
-  /// verification and validation.
+  /// Setting [skipChecksumVerification] and [skipSignatureVerification] to true
+  /// disables checksum or signature verification and validation.
   // TODO(ueman): Provide an async method for this.
   static PkOrder fromBytes(
     final Uint8List bytes, {

diff --git a/passkit/lib/src/pkpass/pkpass.dart b/passkit/lib/src/pkpass/pkpass.dart
@@ -296,7 +296,10 @@ class PkPass {
       final signature = writeSignature(
         certificatePem,
         privateKeyPem,
-        Uint8List.fromList(manifestFile.content as List<int>),
+        manifestFile.binaryContent,
+        pass.passTypeIdentifier,
+        pass.teamIdentifier,
+        true,
       );
 
       final signatureFile = ArchiveFile(

diff --git a/passkit/lib/src/signature_verification.dart b/passkit/lib/src/signature_verification.dart
@@ -3,6 +3,7 @@ import 'dart:typed_data';
 import 'package:collection/collection.dart';
 import 'package:crypto/crypto.dart';
 import 'package:passkit/src/apple_wwdr_certificate.dart';
+import 'package:passkit/src/certificate_extension.dart';
 import 'package:passkit/src/pkpass/exceptions.dart';
 import 'package:pkcs7/pkcs7.dart';
 
@@ -52,22 +53,13 @@ bool verifySignature({
   // Set the serialNumber key to the unique serial number for that identifier.
 
   final signerInfo = pkcs7.verify([wwdrG4]);
-  // final algo = signerInfo.getDigest(signerInfo.digestAlgorithm); Calculate hash based on the algo?
   return signerInfo.listEquality(manifestHash, signerInfo.messageDigest!);
 }
 
 bool Function(X509) _verifier(String teamIdentifier, String identifier) {
   return (X509 x509) {
-    final identifierMatches =
-        x509.subject.firstWhereOrNull((it) => it.key.name == 'UID')?.value ==
-            identifier;
-
-    final teamIdentifierMatches = x509.subject
-            .firstWhereOrNull(
-              (it) => it.key.name == 'organizationalUnitName',
-            )
-            ?.value ==
-        teamIdentifier;
+    final identifierMatches = x509.identifier == identifier;
+    final teamIdentifierMatches = x509.teamIdentifier == teamIdentifier;
 
     return identifierMatches && teamIdentifierMatches;
   };

diff --git a/passkit/lib/src/write_signature.dart b/passkit/lib/src/write_signature.dart
@@ -3,6 +3,8 @@ import 'dart:typed_data';
 import 'package:crypto/crypto.dart';
 import 'package:encrypt/encrypt.dart' as encrypt;
 import 'package:passkit/src/apple_wwdr_certificate.dart';
+import 'package:passkit/src/certificate_extension.dart';
+import 'package:passkit/src/pkpass/exceptions.dart';
 import 'package:pkcs7/pkcs7.dart';
 import 'package:pointycastle/pointycastle.dart';
 
@@ -19,8 +21,17 @@ Uint8List writeSignature(
   String certificatePem,
   String privateKeyPem,
   Uint8List manifestBytes,
+  String identifier,
+  String teamIdentifier,
+  bool isPkPass,
 ) {
   final issuer = X509.fromPem(certificatePem);
+  _ensureCertificateMatchesPass(
+    issuer,
+    identifier,
+    teamIdentifier,
+    isPkPass,
+  );
 
   final pkcs7Builder = Pkcs7Builder();
 
@@ -47,3 +58,34 @@ Uint8List writeSignature(
   final pkcs7 = pkcs7Builder.build();
   return pkcs7.der;
 }
+
+void _ensureCertificateMatchesPass(
+  X509 issuer,
+  String identifier,
+  String teamIdentifier,
+  bool isPkPass,
+) {
+  final identifierMatches = issuer.identifier == identifier;
+  final teamIdentifierMatches = issuer.teamIdentifier == teamIdentifier;
+
+  if (identifierMatches) {
+    if (isPkPass) {
+      throw Exception(
+        "PkPass.pass.passTypeIdentifier doesn't match the certificate Pass Type ID",
+      );
+    } else {
+      // TODO(any): Write a proper exception for orders
+      throw SignatureMismatchException();
+    }
+  }
+  if (teamIdentifierMatches) {
+    if (isPkPass) {
+      throw Exception(
+        "PkPass.pass.teamIdentifier doesn't match the certificate team ID",
+      );
+    } else {
+      // TODO(any): Write a proper exception for orders
+      throw SignatureMismatchException();
+    }
+  }
+}