Verify XMLDSig in iOS #1612
Comments
It's available — We already use libxml2 indirectly via a XML parser wrapper library [1], so we definitely have access to libxml2. We also have access to XPath through that library. I don't know though how modular libxml2 is to know if c14n is always included in libxml2 — and if it will be available. I remember that one of the other hurdles was getting OpenSSL to build and using it. I don't remember how far I got getting signature verification to work (I certainly didn't get it working), but it was quite painful. |
I wonder if that will work with WASM? Do you know @colourful-land ? |
No, I don't think that will work in WASM. |
|
Closed due to inactivity and pending changes. |
|
No!!! I haven't given this one up! This is what you need (I found a pure js way to do the crypto so binary dependency is gone) (Optional) witness that xmldsig verification with JS works on commandlineFollow the instructions here: https://github.com/TokenScript/TokenScript/tree/main/xmldsig/js This way you can be sure the code demonstrated in https://github.com/TokenScript/TokenScript/blob/main/xmldsig/js/src/xmldsigverifier.js can verify XML signature. include the webpackCreate a webpack. There is the instruction in README but I already created one on my PC which you can use here, saving you the trouble of running Note, that if you managed to verify an xmldsig on iOS using the webpack, don't publish it in appstore yet until SmartTokenLabs/TokenScript#372 is solved. |
|
@colourful-land I haven't checked, but is there a TokenScript file which should verify successfully with this that we can test with? |
The readme gave an example that you can run through all files in TokenScript-Repo . read this line in the project folder https://github.com/TokenScript/TokenScript/tree/main/xmldsig/js |
|
Added an issue SmartTokenLabs/TokenScript#420 to see to make the code (from TokenScript repo) into the most ready-to-be-used-by-iOS way. |
|
Outdated |
It seems non-trivial:
https://stackoverflow.com/questions/5914508/how-to-verify-an-xml-signature-in-an-ios-application
The answer to that question uses xmlsec1 library which is big itself. In the iOS security practise, the keys never leave the security perimeter, which means we need more adaptation to xmlsec1 than the answer suggested.
I propose to shrink the size of the project by quite a bit by only implementing the functions we need. Clue:
Hence:
If we could get libxml2 working in iOS, we probably can manually write the code to verify XMLDSig.
This is a theory only. To verify that, we need:
This seems to be rather a big undertaking. Taking this approach has one draw back, that is:
drawback
Although code produced in this fashion is usable for iOS, one could argue that for the command line signer it's easier to just use libxmlsec, and for Android it would be additional work to adapt C code when it already supports signature verification with native libraries, leading to us having 3 separate ways to deal with XMLDsig.
--
†
The text was updated successfully, but these errors were encountered: