SecKeyRawVerify with empty signature

We are facing a UT failure only on iOS10, which expects SecKeyRawVerify to fail verification when signature is empty (length = 0).

Under iOS8 or iOS9, the function returns -9809, but iOS10 returns errSecSuccess. This makes the test fail. We use the kSecPaddingPKCS1SHA256 padding type.

Do we need to always check emptiness of a signature before using the function? What is the status of this change?


Thank you,

sukeza

Replies

That sounds like a bug to me; in general, I'd expect SecKeyRawVerify to fail securely if you pass it bogus parameters. Please file a bug report and post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

eskimo,


Thank you for your reply.

I've filed a bug report and got bug number 29470219.

We will work around the problem for a while.

Just for the record.

Hi eskimo,


I found that the bug report 29470219 has already been closed.

Can you provide me with how the issue was resolved?

Thanks and regards,

sukeza

The bug here was specifically related to the signature being empty; in that case the API will return errSecSuccess rather than errSSLCrypto that you’d expect when verification fails. The fix was to change the code to correct its input checking.

The fix should be in the latest iOS 10.3 beta seed, so you can check it for yourself.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
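
An added example, not part of the thread and not Apple's code: one way to guard the call on affected iOS 10 releases is to reject any signature whose length is not the RSA modulus size before it reaches SecKeyRawVerify, which also covers the empty case. The function name verifyRSASHA256 is hypothetical, and the sketch assumes an RSA public key and a caller-supplied SHA-256 digest.

```swift
import Foundation
import Security

/// Hypothetical wrapper (not an Apple API): fail-closed RSA PKCS#1 v1.5
/// verification over a SHA-256 digest.
/// Assumption: `publicKey` is an RSA key and `digest` is the SHA-256 hash
/// of the message, which is what the PKCS1SHA256 padding expects as input.
func verifyRSASHA256(publicKey: SecKey, digest: Data, signature: Data) -> Bool {
    // A SHA-256 digest is always 32 bytes.
    guard digest.count == 32 else { return false }

    // A PKCS#1 v1.5 RSA signature is exactly as long as the key modulus,
    // so a length check rejects the empty signature (and any truncated one)
    // before the API is called.
    let blockSize = SecKeyGetBlockSize(publicKey)
    guard blockSize > 0, signature.count == blockSize else { return false }

    let status: OSStatus = digest.withUnsafeBytes { (d: UnsafeRawBufferPointer) -> OSStatus in
        signature.withUnsafeBytes { (s: UnsafeRawBufferPointer) -> OSStatus in
            guard let dPtr = d.bindMemory(to: UInt8.self).baseAddress,
                  let sPtr = s.bindMemory(to: UInt8.self).baseAddress else {
                // No backing storage: treat as a parameter error, never success.
                return errSecParam
            }
            return SecKeyRawVerify(publicKey, .PKCS1SHA256,
                                   dPtr, digest.count,
                                   sPtr, signature.count)
        }
    }

    // Only errSecSuccess counts as verified; every other status is a failure.
    return status == errSecSuccess
}
```

A unit test for the wrapper can pass `Data()` as the signature and assert a `false` result on every OS version, independent of what the underlying API returns.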