When submitting to the app store I'm getting this error when including BlueRSA via Carthage.

I think the fix is to add CURRENT_PROJECT_VERSION to the Xcode project settings, and I will post a PR for that shortly.

ERROR ITMS-90056: "This bundle Payload/Application.app/Frameworks/CryptorRSA.framework is invalid. The Info.plist file is missing the required key: CFBundleVersion."
Return status of iTunes Transporter was 1: ERROR ITMS-90056: "This bundle Payload/Application.app/Frameworks/CryptorRSA.framework is invalid. The Info.plist file is missing the required key: CFBundleVersion."
The call to the iTMSTransporter completed with a non-zero exit status: 1. This indicates a failure.

On Linux, CryptorRSA.RSAData.decrypted() calls the openssl EVP_OpenInit function, but wrongly processes its return code:
https://github.com/IBM-Swift/BlueRSA/blob/1.0.21/Sources/CryptorRSA/CryptorRSA.swift#L417

The documentation for EVP_OpenInit states that it returns 0 on failure, or a positive integer on success matching the recovered secret key size. This matches the comment in the code, however the code's logic is inverted:

// EVP_OpenInit returns 0 on error or the recovered secret key size if successful
...
guard status != EVP_CIPHER_key_length(.make(optional: encType)) else {

Now for some reason, status is being returned as 1 in the success case (inconsistent with the documentation), so the logic above happens to work for success cases (because 1 is not equal to the key length). However, if EVP_OpenInit fails, 0 is also not equal to the key length, and so we erroneously carry on with decryption. This can result in a crash.

I'm not sure why the return value of EVP_OpenInit is inconsistent with the documentation, but I think the logic based on its observed behaviour should instead be:

guard status != 0 else {

(similar to EVP_OpenUpdate / EVP_OpenFinal).

Commit 842c82f removes "unneeded" CFString: Hashable extension (#70)

But that may not true. Some of our users reported that latest version of our Mac app shows an error:

The operation couldn't be completed. (CryptorRSA.CryptorRSA.Error error 1.)

It didn't happen on previous versions, and after revert to older commit ea8374b , our Mac app functional again.

CFString Hashable extension may be still required for some systems.

User environment:

• Device: Mac mini (later 2014)
• OS: macOS Big Sur 11.5
• Process: 2.6 GHz Dual-Core intel Core i5

Development environment:

• OS: macOS 11.5.1 (20G80)
• Chip: Apple M1
• Xcode Version 12.5.1 (12E507)
• Swift 5.3

There are some build issues for this package in Swift 5.8.1 (current release version). The issues I am seeing are as follows:

/var/www/project/.build/checkouts/BlueRSA/Sources/CryptorRSA/CryptorRSA.swift:476:61: error: cannot find 'EVP_PKEY_size' in scope
                                ek = UnsafeMutablePointer<UInt8>.allocate(capacity: Int(EVP_PKEY_size(.make(optional: key.reference))))
                                                                                        ^~~~~~~~~~~~~
/var/www/project/.build/checkouts/BlueRSA/Sources/CryptorRSA/CryptorRSA.swift:476:76: error: cannot infer contextual base in reference to member 'make'
                                ek = UnsafeMutablePointer<UInt8>.allocate(capacity: Int(EVP_PKEY_size(.make(optional: key.reference))))
                                                                                                      ~^~~~
/var/www/project/.build/checkouts/BlueRSA/Sources/CryptorRSA/CryptorRSA.swift:481:20: error: cannot find 'EVP_CIPHER_iv_length' in scope
                                let IVLength = EVP_CIPHER_iv_length(.make(optional: enc))
                                               ^~~~~~~~~~~~~~~~~~~~
/var/www/project/.build/checkouts/BlueRSA/Sources/CryptorRSA/CryptorRSA.swift:481:42: error: cannot infer contextual base in reference to member 'make'
                                let IVLength = EVP_CIPHER_iv_length(.make(optional: enc))
                                                                    ~^~~~
/var/www/project/.build/checkouts/BlueRSA/Sources/CryptorRSA/CryptorRSA.swift:688:28: error: cannot find 'EVP_PKEY_size' in scope
                                let encKeyLength = Int(EVP_PKEY_size(.make(optional: key.reference)))
                                                       ^~~~~~~~~~~~~
/var/www/project/.build/checkouts/BlueRSA/Sources/CryptorRSA/CryptorRSA.swift:688:43: error: cannot infer contextual base in reference to member 'make'
                                let encKeyLength = Int(EVP_PKEY_size(.make(optional: key.reference)))
                                                                     ~^~~~
/var/www/project/.build/checkouts/BlueRSA/Sources/CryptorRSA/CryptorRSA.swift:690:27: error: cannot find 'EVP_CIPHER_iv_length' in scope
                                let encIVLength = Int(EVP_CIPHER_iv_length(.make(optional: encType)))
                                                      ^~~~~~~~~~~~~~~~~~~~
/var/www/project/.build/checkouts/BlueRSA/Sources/CryptorRSA/CryptorRSA.swift:690:49: error: cannot infer contextual base in reference to member 'make'
                                let encIVLength = Int(EVP_CIPHER_iv_length(.make(optional: encType)))
                                                                           ~^~~~
/var/www/project/.build/checkouts/BlueRSA/Sources/CryptorRSA/CryptorRSA.swift:697:74: error: cannot convert value of type 'String' to expected argument type 'Data.Index' (aka 'Int')
                                let encryptedData = self.data.subdata(in: encKeyLength..<encKeyLength+encryptedDataLength)
                                                                                                     ^
/var/www/project/.build/checkouts/BlueRSA/Sources/CryptorRSA/CryptorRSA.swift:698:57: error: cannot convert value of type 'String' to expected argument type 'Data.Index' (aka 'Int')
                                let encryptedIV = self.data.subdata(in: encKeyLength+encryptedDataLength..<self.data.count)
                                                                                    ^

I also notice that this repo does not appear to be active, if this is the case can you let me know so I can look for an alternative.

*Please don't suggest that I create a pull request, there are currently three outstanding and no updates to the repo in 2 years.

At the moment you can't build BlueRSA on Catalyst.

it should be a one liner to fix the issue:

#if !targetEnvironment(macCatalyst)
key = SecCertificateCopyPublicKey(certData)
#endif

The Key will be created some lines above.

https://github.com/CocoaPods/Specs/blob/master/Specs/b/e/6/BlueRSA/1.0.34/BlueRSA.podspec.json

• both encryption and signature false tests. i.e. create signature, modify it and then try to verify
• fixed encryption and signature tests:
• fixed encryption and signature tests with data generated using cross library

I may misunderstand something here, but when I build my the project the following code fails:
try CryptorRSA.createPrivateKey(withPEMNamed: "private.pem", onPath: "/Resources/")

trying to find the key file at that path:
<path_to_xcode_project_derived_data>/SourcePackages/checkouts/BlueRSA/Sources/CryptorRSA/CryptorRSAKey.swift/Resources/private_key.pem

Code causing the problem in createPrivateKey function:
let fullPath = URL(fileURLWithPath: #file).appendingPathComponent( path.appending(certName) ).standardized
Is appending path to CryptorRSAKey.swift file is supposed to be working?

Workaround is to get the content of a .pem file yourself:
try CryptorRSA.createPrivateKey(withPEM: privateKey())

The same problem with any createXXXXX (pemName/derName, onPath) function.

OS: Linux
OpenSSL Version: 1.1.1

I am using the same exact code on MacOS and on Linux:

guard let decryptedData = try CryptorRSA.createEncrypted(with: data).decrypted(with: privateKey, algorithm: .sha1)?.data

I am attempting to decrypt data with a private key. It works properly on MacOS, but when running on Linux I get a crash with error:

Fatal error: Can't form Range with upperBound < lowerBound: file Swift/Range.swift, line 728

I noticed this is coming from line 697 in Sources/CryptorRSA.swift during the step with the comment "Extract encryptedKey, encryptedData, encryptedIV from data"

Below is my code

let publicKey = try? CryptorRSA.createPublicKey(withBase64: serverPublicKey)
let myPlaintext = try? CryptorRSA.createPlaintext(with: "Admin@123", using: String.Encoding.utf8)
let encryptedData = try? myPlaintext?.encrypted(with: publicKey!, algorithm: .sha1)
Using "encryptedData" as above , how to get the encrypted data.

Would it be possible to get CMS/PKCS#7 signatures (both attached and detached) added to BlueRSA? This would be useful for signing MDM payloads, validating AppStore receipts, etc. It's also unsupported by any Swift Linux framework.

There are multiple places where an RSA private-key is encoded or decoded with Base64 using standard Swift library functions. Since these functions do not guarantee constant-time processing of the input, there is a potential side-channel that may leak information about the private-key.

I did not investigate the code thoroughly, but here are the potentially insecure uses I found at first glance:

https://github.com/IBM-Swift/BlueRSA/blob/9435e102af2838aa29c1f52a843ee1886876c379/Sources/CryptorRSA/CryptorRSAKey.swift#L392

https://github.com/IBM-Swift/BlueRSA/blob/9435e102af2838aa29c1f52a843ee1886876c379/Sources/CryptorRSA/CryptorRSAKey.swift#L631

https://github.com/IBM-Swift/BlueRSA/blob/9435e102af2838aa29c1f52a843ee1886876c379/Sources/CryptorRSA/CryptorRSAKey.swift#L676

https://github.com/IBM-Swift/BlueRSA/blob/9435e102af2838aa29c1f52a843ee1886876c379/Sources/CryptorRSA/CryptorRSAKey.swift#L739

iOS 15.0 deprecated SecKeyGeneratePair, so would appreciate updating to SecKeyCreateRandomKey to eliminate a warning.

Pretty easy to change over -

    var privateKey: SecKey?
    var publicKey: SecKey?

    do {
        var error: Unmanaged<CFError>?

        // The keys are automatically stored in the keychain
        guard let privKey = SecKeyCreateRandomKey(attributes as CFDictionary, &error) else {
            throw error!.takeRetainedValue() as Error
        }
        privateKey = privKey
        publicKey = SecKeyCopyPublicKey(privateKey!)
    } catch {
        ulog.error(error: error, "Error creating public/private keys")
    }

When trying to use the BlueRSA pod for iOS I get the following error:

The platform of the target `CocoapodsTest` (iOS 12.0) is not compatible with `BlueRSA (1.0.17)`, which does not support `ios`

when comparing the podspec of BlueRSA to BlueCryptor I saw that:

s.ios.deployment_target = "10.0"

Was missing. In the readme it states the BlueRSA runs on iOS 10 or higher so I would expect this to work.

There is not a reference to the BlueRSA pod but I assume it is intended to support this?

BlueRSA failed to create data from base64 string on Ubuntu.
The illegal instruction is from the forced unwrap of the Data object, which is nil.
Running on MacOS this works without any problems.

I added extra Log lines in CryptorRSAKey to find this bug.

It is recommended that we use EVP functions instead of RSA and EVP functions take in EVP keys. Right now I am converting the RSA key into EVP every time I want to use to use it. This is inefficient.

                // convert RSA key to EVP
                let  evp_key = EVP_PKEY_new()
                EVP_PKEY_set1_RSA(evp_key, key.reference)

Hi there,

can I use this lib also to generate a certificate with a private key that was created?
Something like:

let keypair = try CryptorRSA.makeKeyPair(CryptorRSA.RSAKey.KeySize.bits2048)
var cert = createCertificate()
cert.publicKey = keypair.publicKey
cert.sign(keypair.privateKey, sha256)

is it possible?
thanks

Right now when a DER encoded key is being used in OpenSSL, we convert to PEM and then create an RSA object from the PEM data.
OpenSSL has d2i_PrivateKey_bio which can be used directly for DER data.

Investigate if it's a good idea to use that instead of only PEM.

I removed header and footer lines in my private key file and use:

let privateKey = try CryptorRSA.createPrivateKey(withBase64: base64String)

it works well on Mac OS but on Linux it crashes with error:

Fatal error: Unexpectedly found nil while unwrapping an Optional value

We had reports of Memory leaks when signing/verifying a with Swift-JWT. We recreated this on our own repo JWT along with encryption and decryption. This produced the following memory report: leaks.txt which highlights leaks at:

evp_key = .init(PEM_read_bio_PUBKEY(bio, nil, nil, nil))

This is due to the evp_key not being properly freed after it was referenced by:

var pkey_ctx = EVP_PKEY_CTX_new(evp_key, nil)

(Mirrored for private key).

There are also leaks in encrypt and decrypt where allocated memory from pointers wasn't being deallocated.

I have a situation like, server will send the encrypted data (Encrypt Using Private Key), I have to decrypt the data using the Public Key(PEM File)

Please refer this image below,

The First way is pretty clear. The second path is little bit confused.

Based on my search, This seems to be bad idea to have a public key to decrypt the information. But in Other platforms they can do the same.

Help me! Thanks in advance.

Would it be possible to create a new release that contains #70.

Our Project is using https://github.com/Kitura/Swift-JWT which references this repository. Therefore we need a new version of this package to be published in order that the fix will get included.

Thanks for your work.

Building as part of a docker deploy on Bluemix. (ibmcom/swift-ubuntu:4.1.1)

Error message:
CryptorRSA.swift:618:58: error: cannot convert value of type 'UnsafePointer' to expected argument type 'UnsafeMutablePointer!'
return EVP_DigestVerifyFinal(md_ctx, sig, signature.data.count)
^~~~~~~

I am trying to build a release xcframework for distribution that uses SwiftJWT via Swift Package Manager:

I am able to build fine confirmed for Xcode 14.2.0, 14.0.1, 13.4.1, 13.2.1, and 13.1.0. But when I try building with Xcode 14.3, I get the following error:

** ARCHIVE FAILED **


The following build commands failed:
	SwiftVerifyEmittedModuleInterface normal arm64 Verifying\ emitted\ module\ interface\ CryptorRSA.private.swiftinterface /Users/tj/Library/Developer/Xcode/DerivedData/VNWebSDK-fwdasyvrfoacjledmziziwepgjrj/Build/Intermediates.noindex/ArchiveIntermediates/VNWebSDK/IntermediateBuildFilesPath/CryptorRSA.build/Release-iphoneos/CryptorRSA.build/Objects-normal/arm64/CryptorRSA.private.swiftinterface (in target 'CryptorRSA' from project 'CryptorRSA')
	SwiftVerifyEmittedModuleInterface normal arm64 Verifying\ emitted\ module\ interface\ CryptorRSA.swiftinterface /Users/tj/Library/Developer/Xcode/DerivedData/VNWebSDK-fwdasyvrfoacjledmziziwepgjrj/Build/Intermediates.noindex/ArchiveIntermediates/VNWebSDK/IntermediateBuildFilesPath/CryptorRSA.build/Release-iphoneos/CryptorRSA.build/Objects-normal/arm64/CryptorRSA.swiftinterface (in target 'CryptorRSA' from project 'CryptorRSA')
(2 failures)

I've tried several things, like setting -Xfrontend -module-interface-preserve-types-as-written in OTHER_SWIFT_FLAGS and excluding architectures. I can't get it to work.

Could this be due to a conflict/duplication between a module and class name inside of CryptorRSA, or is there something I can do to get this to build the xcframework in Xcode 14.3?

If you try to create an RSA key with data where byte 27 happens to be 0x30, key creation fails.

I tracked this down to an unsafe assumption in the stripX509CertificateHeader function:
https://github.com/IBM-Swift/BlueRSA/blob/master/Sources/CryptorRSA/CryptorRSAUtilities.swift#L228
which is called here:
https://github.com/IBM-Swift/BlueRSA/blob/master/Sources/CryptorRSA/CryptorRSAKey.swift#L624

I found this while debugging intermittent test failures in the CI. The symptom on Linux is a crash because we don't handle a failure from OpenSSL properly - I have a fix for that in the issue.swift51 branch, but I haven't figured out what to do about this problem yet.

Do you have a way of exporting the keys as a PEM?

getting this error when trying to decrypt.

Error Domain=NSOSStatusErrorDomain Code=-50 "RSA-WRAP too short input data" UserInfo={NSDescription=RSA-WRAP too short input data}

how should I resolve it????

Building returns this compiler error:

'SecCertificateCopyPublicKey' is unavailable in Mac Catalyst

When you encrypt some data using a public key on MacOS into an Encrypted data, you can decrypt this data on MacOS, However if you try to decrypt the same data on Linux it doesn't work. This means that is data is encrypted on MacOS it cannot be decrypted on Linux.

You can replicate this with the following code:

let publicKey = """
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDpbnF5g5bt9mjweE5nZioLAPKI
l31qj5/ht4i62gsEg/6R/GMBIAhUEgfr9n3H0jIKRoI0BvVH6+fUB9pKoMUdRu3V
sAF9ExkuhwazpE1uIfRbf2IJHIAz5zX3emUdymHaPZPucQUF7G/XmOMK86qKl8Zd
d8Gl8cTFpRVMoSs4lwIDAQAB
-----END PUBLIC KEY-----
"""

let privateKey = """
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDpbnF5g5bt9mjweE5nZioLAPKIl31qj5/ht4i62gsEg/6R/GMB
IAhUEgfr9n3H0jIKRoI0BvVH6+fUB9pKoMUdRu3VsAF9ExkuhwazpE1uIfRbf2IJ
HIAz5zX3emUdymHaPZPucQUF7G/XmOMK86qKl8Zdd8Gl8cTFpRVMoSs4lwIDAQAB
AoGAcs/ZjDTGxWAPGUdy+LRtNWBP6hLoosLllnVZEN4x0RTC3zbN0z3YGtGLh+mC
0Ad4iUlIvSI2/hrvuX/rRA1zJRSWqmUi+K/IQtRqH4L29xfDT9yxVd5X61vb5dGs
nruBHBSdcfsLKrQZClAqGKNElVfLn5+vaf48hsm9de5lSRECQQD+WcQHRSEyuuWl
dW0qhfRBXjtqnvS1VQ+CmS4nzeAVfNLV8KzJvx/evoQ9KxbnwfN/fQkyniK0RzNs
kcXNZFsLAkEA6vHzWrQVtiQ5b8itwn3er7FWWy53SFLiy2MJCUBmm0Z2uJXox4Ym
nH2SoUVMHJOvqgdqcwz53RJIlMPkAMgwJQJAbYTDZon6qHhXR65PSh8RtE/Z76fw
IGA25HoGqLb6BOaRdfNCwz/bfjK0iA4Ut8gIi92P5062DMAXwWjnLfBHTwJBAM0E
p2xeO5f+0lQ2lVJkDj/Yi1f0G0j0c04yNL9rAF69RXpb7o62BNmIRr0OQJWrVp4T
7JNLHnsIqmeO7Va1WjUCQQDcY8s947hfiISXQ9o6auz33WyIRQWt/x0WdujVsxjM
JNHkkGxCfEjy9Z74EO8MoSddiM4+u7gPZsr5f6AZvMsj
-----END RSA PRIVATE KEY-----
"""

// Generate encrypted data
let key = try CryptorRSA.createPublicKey(withPEM: publicKey)
            let plaintext = try CryptorRSA.createPlaintext(with: "Hello World", using: .utf8)
            let encrypted = try plaintext.encrypted(with: key, algorithm: .sha256)

// encrypted.base64String on linux (216 char)
let linuxEncryptedHelloWorld = "VyG6sYjAAH3FtuOfN5BJWnScjVl5gAXTfThXbFNA0pU50pgPXEffV+T/4e9CchWHp6/8gpKNfuP7J2ly5577zwxnsLTHU3K2VlH2eq4UMEmKi3aZ9sUVzea3I5xvIoBVK0JVluNW4Wjld8Er1dB/1ZDwN94Qq9/TamNhiTD4a10XN5byzBn5D+lOFJ6RTk16Z4svXV3OjjvANYowxvXIeg=="

// encrypted.base64String on mac (208 char)
let macEncryptedHelloWorld = "JaLeZ4VhVoAENpa7EZZhsUpm2YmzfG9L496m0rtau4vR6wGKZ432l0xcfOkYjZeGN93/Fav82VNQEDonrWCUjEQuiodapbyne2r3HElhPwbbtEBVqeSI3XmJwTE8PH3Q7qGH9DxPxZf0dEhQAyoYNKQHVr4vumYanDNR+rGSvIQqPW37+JIt1zb0wjFaJVRUUsB8ELQzRD0yogM="

if let decryptedString = self.decrypt(base64EncryptedData: linuxEncryptedHelloWorld) {
    print("Successfully decrypted the Linux encrypted word: \(decryptedString)")
}
if let decryptedString = self.decrypt(base64EncryptedData: macEncryptedHelloWorld) {
    print("Successfully decrypted the Mac encrypted word: \(decryptedString)")
}
// Only the operating system you are currently running will be able to decode the encrypted word

On linux OpenSSL envelopes are used similar to this article
On mac Security is used similar to this article

I did notice that the aes digest is different here. However, when you change to EVP_aes_128_gcm() the test fail.