Merge pull request #4 from niscy-eudiw/feature/secure-enclave-jws

Feature/secure enclave jws
eu-digital-identity-wallet · Jan 8, 2024 · 7df336a · 7df336a
2 parents a088e75 + 5c83c73
commit 7df336a
Show file tree

Hide file tree

Showing 8 changed files with 2,391 additions and 2 deletions.
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -0,0 +1 @@
+* @eu-digital-identity-wallet/niscy-admins
diff --git a/.github/workflows/dependencycheck.yml b/.github/workflows/dependencycheck.yml
@@ -0,0 +1,29 @@
+name: SCA - Dependency-Check
+on:
+  push:
+  workflow_dispatch:
+
+jobs:
+  Dependency_check:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Depcheck Action - SCA
+        uses: dependency-check/Dependency-Check_Action@main
+        id: Depcheck
+        with:
+          project: '${{ github.repository }}'
+          path: '.'
+          format: 'HTML'
+          out: 'reports' # this is the default, no need to specify unless you wish to override it
+          args: >
+            --enableRetired
+            --enableExperimental
+      - name: Upload results - SCA
+        uses: actions/upload-artifact@master
+        with:
+           name: Depcheck report
+           path: ${{github.workspace}}/reports
diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
@@ -0,0 +1,27 @@
+name: Secret Scanning - Gitleaks
+on:
+  push:
+  workflow_dispatch:
+
+jobs:
+  Secret-Scanning:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Run Gitleaks from container
+        run: |
+            docker create --name GL --entrypoint /bin/bash --interactive --volume ${{ github.workspace }}:/src zricethezav/gitleaks 
+            docker start GL
+            docker exec GL git config --global --add safe.directory '/src'
+            docker exec --user $(id -u):$(id -g) GL gitleaks detect --source=/src --verbose -c /src/security/gitleaks/gitleaks.toml --report-path /src/gitleaks-report.json
+        continue-on-error: true
+
+      - name: upload_artifacts   
+        uses: actions/upload-artifact@v3
+        with:
+          name: Gitleaks Artifact Upload
+          path:  ${{ github.workspace }}/gitleaks-report.json
diff --git a/.github/workflows/sonar.yml b/.github/workflows/sonar.yml
@@ -0,0 +1,62 @@
+name: SAST - SonarCloud
+on:
+  push:
+  pull_request_target:
+  workflow_dispatch:
+
+jobs:
+  check_secret:
+    name: Check secret presence
+    runs-on: ubuntu-latest
+    steps:
+    - run: if [[ -z "$SONAR_TOKEN" ]]; then exit 1; else echo "Secret exists. The workflow will be continued"; fi
+    env:
+       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+
+  P_WD_analysis:
+    name: SAST - SonarCloud - Push/WD analysis
+    needs: check_secret
+    runs-on: ubuntu-latest
+    if: (github.event_name == 'push'|| github.event_name == 'workflow_dispatch')
+    steps:
+      - name: Checkout action
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
+      - name: setup projectkey
+        run: echo "PROJECTKEY=${{ github.repository_owner}}_$(echo ${{ github.repository }} | sed 's/.*\///')" >> $GITHUB_ENV
+      - name: SonarCloud Scan - Action
+        uses: SonarSource/sonarcloud-github-action@master
+        with:
+            args: >
+                -Dsonar.organization=${{ github.repository_owner }}
+                -Dsonar.projectKey=${{ env.PROJECTKEY }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}  # Needed to get PR information, if any
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+
+  PR_analysis:
+    name: SAST- SonarCloud - PR analysis
+    needs: check_secret
+    runs-on: ubuntu-latest
+    if: (github.event_name == 'pull_request_target')
+    steps:
+      - name: Checkout action
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
+          ref: ${{ github.event.pull_request.head.sha }}
+      - name: setup projectkey
+        run: echo "PROJECTKEY=${{ github.repository_owner}}_$(echo ${{ github.repository }} | sed 's/.*\///')" >> $GITHUB_ENV
+      - name: SonarCloud Scan - Action
+        uses: SonarSource/sonarcloud-github-action@master
+        with:
+            args: >
+                -Dsonar.organization=${{ github.repository_owner }}
+                -Dsonar.projectKey=${{ env.PROJECTKEY }}
+                -Dsonar.pullrequest.key=${{ github.event.pull_request.number }}
+                -Dsonar.pullrequest.base=${{ github.event.pull_request.base.ref }}
+                -Dsonar.pullrequest.branch=${{ github.event.pull_request.head.ref }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}  # Needed to get PR information, if any
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
diff --git a/Sources/Main/Encryption/KeyController.swift b/Sources/Main/Encryption/KeyController.swift
@@ -15,6 +15,7 @@
  */
 import Foundation
 import Security
+import CryptoKit
 
 public class KeyController {
 
@@ -81,6 +82,41 @@ public class KeyController {
     return privateKey
   }
 
+  public static func generateECDHSecureEnclavePrivateKey() throws -> SecKey {
+
+    guard Self.hasSecureEnclave() else {
+      return try generateECDHPrivateKey()
+    }
+
+    let access = SecAccessControlCreateWithFlags(
+      kCFAllocatorDefault,
+      kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
+      .privateKeyUsage,
+      nil
+    )!
+
+    let attributes: NSDictionary = [
+      kSecAttrKeyType: kSecAttrKeyTypeECSECPrimeRandom,
+      kSecAttrKeySizeInBits: 256,
+      kSecAttrTokenID: kSecAttrTokenIDSecureEnclave,
+      kSecPrivateKeyAttrs: [
+        kSecAttrIsPermanent: true,
+        kSecAttrApplicationTag: UUID().uuidString,
+        kSecAttrAccessControl: access
+      ]
+    ]
+
+    var error: Unmanaged<CFError>?
+    guard let privateKey = SecKeyCreateRandomKey(attributes as CFDictionary, &error) else {
+      throw error!.takeRetainedValue() as Error
+    }
+    return privateKey
+  }
+
+  static func hasSecureEnclave() -> Bool {
+    return SecureEnclave.isAvailable
+  }
+
   public static func generateECDHPublicKey(from privateKey: SecKey) throws -> SecKey {
     guard let publicKey = SecKeyCopyPublicKey(privateKey) else {
       throw NSError(domain: "YourDomain", code: -1, userInfo: [NSLocalizedDescriptionKey: "Failed to generate public key"])

diff --git a/Tests/Wallet/NoOffer.swift → Tests/Wallet/VCIFlowNoOffer.swift b/Tests/Wallet/NoOffer.swift → Tests/Wallet/VCIFlowNoOffer.swift
@@ -19,7 +19,7 @@ import JOSESwift
 
 @testable import OpenID4VCI
 
-class NoOffer: XCTestCase {
+class VCIFlowNoOffer: XCTestCase {
 
   override func setUp() async throws {
     try await super.setUp()

diff --git a/Tests/Wallet/WithOffer.swift → Tests/Wallet/VCIFlowWithOffer.swift b/Tests/Wallet/WithOffer.swift → Tests/Wallet/VCIFlowWithOffer.swift
@@ -19,7 +19,7 @@ import JOSESwift
 
 @testable import OpenID4VCI
 
-class WithOffer: XCTestCase {
+class VCIFlowWithOffer: XCTestCase {
 
   override func setUp() async throws {
     try await super.setUp()