amitaymolko / react-native-rsa-native

A native implementation of RSA key generation and encryption/decryption.
MIT License

verify pass on iOS with any bogus message #102

Open thomashagstrom opened 3 years ago

thomashagstrom commented 3 years ago

When verifying using either RSA or RSAKeychain on iOS, any totally bogus message will pass as true. Completely unreliable.

export const VerifyKeyChain = async (messageSignature, message) => {
  try {
    console.log('@@ rsaManager.VerifyKeyChain');
    console.log('MESSAGE SIGNATURE', messageSignature);
    console.log('MESSAGE', message);
    const verification = await RSAKeychain.verify(
      messageSignature,
      message,
      keyTag,
    );
    console.log('rsaManager VERIFICATION', verification);
    return verification;
  } catch (error) {
    console.warn(error);
  }
};

const message = `${uuid.toString()};${timeStamp};${publicKey}`;
const signature = response.data?.signature;

console.log(`**** **** VERIFY SERVER SIGNATURE ******`);
console.log('MESSAGE', message);
console.log('SERVER SIGNATURE DATA', signature);

console.log('>> VerifyKeyChain');
const verified = await rsaManager.VerifyKeyChain(
  signature,
  'totally BOGUS??',
);
console.log('VerifyKeyChain', verified.toString().toUpperCase());

thomashagstrom commented 3 years ago

Same thing with RSA.verify64WithAlgorithm

const algorithm = RSA.SHA256withRSA;
const signature = response.data?.signature;
const publicKey = await rsaManager.WriteKeyChainPair();
console.log('>> verify64WithAlgorithm: ' + 'totally BOGUS??');
const verified = await RSA.verify64WithAlgorithm(
  signature,
  'totally BOGUS??',
  publicKey,
  algorithm,
);
console.log(
  'verify64WithAlgorithm',
  verified.toString().toUpperCase(),
);

gbfish commented 3 years ago

Same issue.

amitaymolko commented 3 years ago

Wow, something is very wrong.
I will try to look into it, PRs welcome.

myzkyy commented 3 years ago

Same issue. RSA.verify(...) returns true when it must be false. Otherwise it randomly throws an exception, Error: error, instead of false.

Platform: iPhone 5s Simulator (iOS 12.4)

gitpcq23 commented 3 years ago

I am also facing the same issue on iOS. For Android it is working fine.

Need help :-)

johku90 commented 3 years ago

I had some issues with iOS verify functions as well. I created this PR: https://github.com/amitaymolko/react-native-rsa-native/pull/117

Could some maintainer check that please?

Pakile commented 3 years ago

@amitaymolko @johku90 Still an error in version 2.0.4, can you check it again?
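
The behaviour reported in this thread (a verify call that returns true for any message, or rejects instead of returning false) is what a negative self-test catches before a verifier is trusted. The following is an added example, not code from the thread or from react-native-rsa-native: it runs under Node.js with `node:crypto` as the reference verifier, and `referenceVerify`, `verifyFailClosed`, `selfTestVerifier`, `alwaysTrueVerify` and the sample message are constructed names and values.

```javascript
// Added example: node:crypto stands in as the reference verifier.
// Keys, messages and helper names are constructed for this sketch.
const crypto = require('node:crypto');

// Reference verifier with the argument order used on this page:
// (base64 signature, message, PEM public key) -> Promise<boolean>.
async function referenceVerify(signatureB64, message, publicKeyPem) {
  return crypto.verify('sha256', Buffer.from(message, 'utf8'), publicKeyPem,
    Buffer.from(signatureB64, 'base64'));
}

// Fail closed: only a strict boolean `true` counts. A rejection, undefined
// or any truthy non-boolean result is treated as "not verified".
async function verifyFailClosed(verifyFn, signatureB64, message, publicKeyPem) {
  try {
    return (await verifyFn(signatureB64, message, publicKeyPem)) === true;
  } catch (err) {
    return false;
  }
}

// Known-answer self-test: a verifier is usable only if it accepts a valid
// signature AND rejects the same signature over a different message, an
// altered signature, and a valid signature checked against an unrelated key.
async function selfTestVerifier(verifyFn) {
  const opts = {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  };
  const signer = crypto.generateKeyPairSync('rsa', opts);
  const other = crypto.generateKeyPairSync('rsa', opts);
  const message = 'constructed-uuid;1700000000;constructed-public-key';
  const sig = crypto.sign('sha256', Buffer.from(message, 'utf8'), signer.privateKey);
  const sigB64 = sig.toString('base64');
  const altered = Buffer.from(sig);
  altered[altered.length - 1] ^= 0x01; // flip one bit of the signature
  const check = (s, m, k) => verifyFailClosed(verifyFn, s, m, k);
  const results = {
    acceptsValid: await check(sigB64, message, signer.publicKey),
    rejectsWrongMessage: !(await check(sigB64, 'totally BOGUS??', signer.publicKey)),
    rejectsAlteredSignature: !(await check(altered.toString('base64'), message, signer.publicKey)),
    rejectsWrongKey: !(await check(sigB64, message, other.publicKey)),
  };
  return { ok: Object.values(results).every(Boolean), results };
}

// Constructed stand-in for the behaviour reported in this issue.
const alwaysTrueVerify = async () => true;
```

A verifier for which `selfTestVerifier` returns `ok: false` should not gate any trust decision; the `results` object shows which negative case it failed.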