added X509_verify(cert, serverPubKey) (#3861)

* added X509_verify(cert, serverPubKey)

Signed-off-by: Marino Faggiana <marino.faggiana@nextcloud.com>

* cleaning

Signed-off-by: Marino Faggiana <marino.faggiana@nextcloud.com>

---------

Signed-off-by: Marino Faggiana <marino.faggiana@nextcloud.com>

Author: marinofaggiana

iOSClient/Networking/E2EE/NCEndToEndEncryption.h

@@ -20,6 +20,9 @@
 - (NSString *)encryptPrivateKey:(NSString *)userId directory: (NSString *)directory passphrase:(NSString *)passphrase privateKey:(NSString **)privateKey;
 - (NSData *)decryptPrivateKey:(NSString *)privateKey passphrase:(NSString *)passphrase;
 
+// Verify X.509 certificate
+- (BOOL)verifyCertificate:(NSString *)certificate PublicKey:(NSString *)publicKey;
+
 // Encrypt / Decrypt file material
 
 - (NSString *)encryptPayloadFile:(NSData *)encrypted key:(NSString *)key;

iOSClient/Networking/E2EE/NCEndToEndEncryption.m

@@ -314,6 +314,59 @@ - (BOOL)saveP12WithCert:(X509 *)x509 key:(EVP_PKEY *)pkey directory:(NSString *)
     return YES;
 }
 
+#
+#pragma mark - Verify X.509 certificate
+#
+
+//  This method verifies that the provided X.509 certificate (issued by the server)
+//  was actually signed using the server's own public key.
+- (BOOL)verifyCertificate:(NSString *)certificate PublicKey:(NSString *)publicKey
+{
+    BOOL success = NO;
+    BIO *certBio = NULL;
+    BIO *pubBio = NULL;
+    X509 *cert = NULL;
+    EVP_PKEY *serverPubKey = NULL;
+
+    // Convert NSStrings to UTF-8 data buffers
+    NSData *certData = [certificate dataUsingEncoding:NSUTF8StringEncoding];
+    NSData *pubData  = [publicKey dataUsingEncoding:NSUTF8StringEncoding];
+    if (certData.length == 0 || pubData.length == 0) {
+        return NO;
+    }
+
+    // Create BIOs from memory buffers
+    certBio = BIO_new_mem_buf((void *)certData.bytes, (int)certData.length);
+    pubBio  = BIO_new_mem_buf((void *)pubData.bytes, (int)pubData.length);
+    if (!certBio || !pubBio) {
+        goto cleanup;
+    }
+
+    // Read X.509 certificate from PEM text
+    cert = PEM_read_bio_X509(certBio, NULL, NULL, NULL);
+    if (!cert) {
+        goto cleanup;
+    }
+
+    // Read public key from PEM text
+    serverPubKey = PEM_read_bio_PUBKEY(pubBio, NULL, NULL, NULL);
+    if (!serverPubKey) {
+        goto cleanup;
+    }
+
+    // Verify that the certificate was signed using this public key
+    int verifyResult = X509_verify(cert, serverPubKey);
+    success = (verifyResult == 1);
+
+cleanup:
+    if (serverPubKey) EVP_PKEY_free(serverPubKey);
+    if (cert) X509_free(cert);
+    if (certBio) BIO_free(certBio);
+    if (pubBio) BIO_free(pubBio);
+
+    return success;
+}
+
 #
 #pragma mark - Create CSR & Encrypt/Decrypt Private Key
 #

iOSClient/Settings/E2EE/NCEndToEndInitialize.swift

@@ -165,9 +165,23 @@ class NCEndToEndInitialize: NSObject {
                         }
                     } completion: { account, publicKey, _, error in
                         if error == .success, let publicKey {
+
+                            // Verify Certificate
+                            var verifyCertificate: Bool = false
+                            if let certificate = NCPreferences().getEndToEndCertificate(account: account) {
+                                verifyCertificate = NCEndToEndEncryption.shared().verifyCertificate(certificate, publicKey: publicKey)
+                            }
+                            if verifyCertificate == false {
+                                let error = NKError(errorCode: NCGlobal.shared.errorInternalError, errorDescription: "Serious internal error to verify certificate")
+                                NCContentPresenter().messageNotification("E2E verify certificate server", error: error, delay: NCGlobal.shared.dismissAfterSecond, type: NCContentPresenter.messageType.error, priority: .max)
+                                return
+                            }
+
                             NCPreferences().setEndToEndPublicKey(account: account, publicKey: publicKey)
                             NCManageDatabase.shared.clearTablesE2EE(account: account)
+
                             self.delegate?.endToEndInitializeSuccess(metadata: self.metadata)
+
                         } else if error != .success {
                             switch error.errorCode {
                             case NCGlobal.shared.errorBadRequest:
@@ -259,6 +273,16 @@ class NCEndToEndInitialize: NSObject {
                 } completion: { account, publicKey, _, error in
                     if error == .success, let publicKey {
 
+                        var verifyCertificate: Bool = false
+                        if let certificate = NCPreferences().getEndToEndCertificate(account: account) {
+                            verifyCertificate = NCEndToEndEncryption.shared().verifyCertificate(certificate, publicKey: publicKey)
+                        }
+                        if verifyCertificate == false {
+                            let error = NKError(errorCode: NCGlobal.shared.errorInternalError, errorDescription: "Serious internal error to verify certificate")
+                            NCContentPresenter().messageNotification("E2E verify certificate server", error: error, delay: NCGlobal.shared.dismissAfterSecond, type: NCContentPresenter.messageType.error, priority: .max)
+                            return
+                        }
+
                         NCPreferences().setEndToEndPublicKey(account: account, publicKey: publicKey)
                         NCManageDatabase.shared.clearTablesE2EE(account: account)