smartdevicelink / sdl_security_ios

A TLS based security library built to interact with sdl_ios and provide TLS certificate authentication and encryption / decryption

License: BSD 3-Clause "New" or "Revised" License

Objective-C 100.00%

Contributors

asm09fsu, frankelias77, joeljfischer, jordynmackool, nicoleyarroch, satbirtanda, theresalech


sdl_security_ios's Issues

Update Deprecated Method Calls

Bug Report

After updating the SSL library in v2.0.1, there are some deprecated method calls. These should be updated.

Reproduction Steps

n/a

Expected Behavior

n/a

Observed Behavior

n/a

OS & Version Information
  • SDL Security iOS Version: v2.0.1
  • SDL iOS Version: n/a
  • iOS Version: n/a
  • Testing Against: n/a
Test Case, Sample Code, and / or Example App

n/a

Documentation should be added

Almost all of the header files are devoid of documentation as well as most of the private methods. As a result it can be extremely difficult to decipher what the code is trying to do.

A logger class should be added to the project

There are many things that can go wrong during downloading and verifying the certificate. It would be extremely useful to have a logger class for printing debug statements to the console that can be easily customized.

Update LICENSE for SDLC 2017

Actual: LICENSE file includes "Copyright (c) 2016, Ford Motor Company All rights reserved." and "Neither the name of Ford Motor Company nor the names..."

Expected: LICENSE file should include "Copyright (c) 2017, SmartDeviceLink Consortium, Inc. All rights reserved." and "Neither the name of SmartDeviceLink Consortium, Inc. nor the names..."

Add more information to the README

Add a README to this project:

  1. First, give an overview of the security library including the communications protocol used (DTLS), the cryptographic library used (OpenSSL) and how the library can be customized by an OEM.
  2. Then provide a general overview of how the library works:
    • When the security manager starts, the mobile certificate and private key associated with the SDL app's appID is downloaded from a URL.
    • The certificate is then parsed to make sure that it is valid.
    • If the certificate is valid, the security library attempts to open the communication channel with Core.
    • Messages sent to Core via the security manager will be encrypted and encrypted messages received from Core can be decrypted.
  3. Give instructions on how to customize the security library:
    • availableMakes in the SDLSecurityManager class should match the vehicleMakes returned in the RegisterAppInterface response.
  4. More information about the mobile certificate
    • Currently the library expects a file type of .pfx. A PFX file contains a public certificate and a private key.
    • A PFX file is downloaded from a URL using the SDL app's appID. This is done in the _SDLCertificateManager class. It is expected that the:
      • SDLTLSIssuer in the SDLPrivateSecurityConstants class should match the certificate issuer name.
      • SDLTLSCertPassword in the SDLPrivateSecurityConstants class should match the password used to generate the mobile certificate.
  5. How to build and install the security library in a project:
    • The library is installed as a static library (.a), which means the contents of the library are hidden from the developer.
    • To build the static library, switch to the SDLSecurityStatic target and run the project. This generates the libSDLSecurityStatic.a, SDLSecurityConstants.h, and the SDLSecurityManager.h files. These 3 files can be added to the project.
      • Add a general overview of the 3 files and how to use them
      • To use the library, import SDLSecurityManager.h into where you are setting the encryption manager in your SDL project. If you have a Swift project, this may require adding a bridging-header to the project.
      let encryptionManager = SDLEncryptionConfiguration(securityManagers: [SDLSecurityManager.self])

Security library static builds don't work if you already have an output framework

Bug Report

If a static framework is built, you need to delete the framework before you can build another.

Reproduction Steps
  1. Select SDLSecurityStatic scheme
  2. Build project
  3. Repeat step 2
Expected Behavior

A new build is available for the developer

Observed Behavior

PhaseSriptError due to having a file with the same name

OS & Version Information
  • SDL Security iOS Version: branch dev
  • SDL iOS Version: N/A
  • iOS Version: Xcode 13.1 simulator
  • Testing Against: N/A

OpenSSL dependency may need to be updated

The OpenSSL dependency installed in the library does not seem to work as expected. When the security library is installed in a project over 40+ errors are thrown while compiling. Either:

  1. The OpenSSL dependency is not being included in the static library build
  2. The OpenSSL dependency is outdated
  3. My working environment is not configured correctly

The only way I could fix the errors was by installing the OpenSSL-Universal library via Cocoapods (https://cocoapods.org/pods/OpenSSL-Universal) to my project.

Change from ASL logging to OSLog

Bug Report

We currently use deprecated ASL logging. Since we bumped our min version to iOS 10, we should switch to OSLog.

Reproduction Steps

n/a

OS & Version Information
  • SDL Security iOS Version: v1.1.0-in progress
  • SDL iOS Version: n/a
  • iOS Version: iOS 10+
  • Testing Against: n/a
Test Case, Sample Code, and / or Example App

n/a

Dynamic framework doesn't work properly

Bug Report

Importing the dynamic framework doesn't work properly, resulting in build errors.

Reproduction Steps
  1. Build the dynamic framework
  2. Import it to a test app
  3. Import the framework into a file in the test app
  4. Attempt to build
Expected Behavior

The app builds

Observed Behavior

The app does not build

OS & Version Information
  • SDL Security iOS Version: 1.0
  • SDL iOS Version: 6.4.1
  • iOS Version: n/a
  • Testing Against: n/a

Update License to 2020

License file should be updated from "Copyright (c) 2017 SmartDeviceLink Consortium, Inc." to "Copyright (c) 2017 - 2020 SmartDeviceLink Consortium, Inc."

Add third_party file

Add markdown file containing list of third party libraries information used within repo.

Fix the umbrella header for the dynamic framework

Bug Report

The umbrella header for the dynamic framework, SDLSecurity.h references a class that does not exist: SDLTLSSecurityManager. Also, SDLSecurityType.h should not be in the umbrella header because it is not a public class. A custom module.modulemap file should be created to use the SDLSecurityType protocol.

OS & Version Information
  • SDL Security iOS Version: 1.0

Parsing invalid JSON should fail gracefully

Bug Report

If the request for certificate data returns JSON formatted differently from the expected JSON format, parsing the JSON should not crash the app.

Reproduction Steps
  1. Request certificate data
  2. The response data is formatted differently than the expected format in the SDLCertificateManager.m
Expected Behavior

If parsing the response for the certificate data fails, an error should be returned explaining that the response data is not in the correct format.

Observed Behavior

The security library crashes.

OS & Version Information
  • SDL Security iOS Version: 1.0.0
  • SDL iOS Version: 6.4
  • iOS Version: n/a
  • Testing Against: n/a

Investigate using a while loop to read decrypted data from the OpenSSL server

Bug Report

Investigate using a while loop to read decrypted data from the OpenSSL server. Currently only one attempt is made to read the decrypted data, which means:

  1. If the read fails, another attempt is not made
  2. It is possible that not all data will be read
OS & Version Information
  • SDL Security iOS Version: 1.0
  • SDL iOS Version: n/a
  • iOS Version: n/a
  • Testing Against: n/a

Static library does not compile on Xcode 12

Bug Report

The OpenSSL library included in the library for developer convenience does not compile on Xcode 12 due to the OpenSSL library files libcrypto.a and libssl.a not being built for the i386 architectures.

Reproduction Steps
  1. Try to build the static target on Xcode 12
Expected Behavior

The build succeeds

Observed Behavior

The build fails due to issues with the OpenSSL library

OS & Version Information
  • SDL Security iOS Version: 1.0
  • SDL iOS Version: n/a
  • iOS Version: n/a
  • Testing Against: n/a

OpenSSL version update

Bug Report

Revert back to the OpenSSL 1.1.1l stable version for header files after noticing a bug when replacing deprecated methods in SDLTLSEngine.

OS & Version Information
  • SDL Security iOS Version: branch dev
  • SDL iOS Version: N/A
  • iOS Version: xcode 13.2.1 simulator
  • Testing Against: generic_hmi

The `SSL_ERROR_SSL` is not handled gracefully

Bug Report

If an SSL_ERROR_SSL error is returned during a read/write action, it means that a non-recoverable, fatal error in the SSL library occurred.

The OpenSSL documentation says:

If this error occurs then no further I/O operations should be performed on the connection and SSL_shutdown() must not be called.

Currently the library does not handle this error at all.

OS & Version Information
  • SDL Security iOS Version: 1.0
  • SDL iOS Version: n/a
  • iOS Version: n/a
  • Testing Against: n/a
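The two read-path issues above (the single-attempt read and the unhandled SSL_ERROR_SSL) come down to one control flow, sketched here as an added example that is not code from sdl_security_ios. The `conn` type, `conn_read` and the `IO_*` statuses are hypothetical stand-ins for the OpenSSL connection and its error reporting, driven by constructed input so the loop runs without the library.

```c
#include <stddef.h>
#include <string.h>

/* Local stand-ins for reported read outcomes; IO_FATAL plays SSL_ERROR_SSL. */
enum io_status { IO_OK, IO_WANT_READ, IO_FATAL };

/* Hypothetical connection driven by a constructed script: a string is one
 * decrypted record, NULL is a fatal error, end of script means "no data yet". */
typedef struct {
    const char **script;
    size_t n, pos;
    int dead, shutdown_called;   /* dead: fatal error seen, no further I/O */
} conn;

static enum io_status conn_read(conn *c, char *buf, size_t cap, size_t *got) {
    if (c->pos >= c->n) return IO_WANT_READ;
    const char *rec = c->script[c->pos++];
    if (rec == NULL) return IO_FATAL;
    *got = strlen(rec) < cap ? strlen(rec) : cap;  /* mock truncates to cap */
    memcpy(buf, rec, *got);
    return IO_OK;
}

/* Drain every record currently available. Returns the byte count, or -1
 * after a fatal error, in which case the connection is marked dead. */
long read_all(conn *c, char *out, size_t cap) {
    size_t total = 0, got;
    if (c->dead) return -1;                        /* refuse I/O once dead */
    while (total < cap) {
        enum io_status st = conn_read(c, out + total, cap - total, &got);
        if (st == IO_WANT_READ) break;             /* drained, not an error */
        if (st == IO_FATAL) { c->dead = 1; return -1; }
        total += got;
    }
    return (long)total;
}

void conn_close(conn *c) {
    if (!c->dead) c->shutdown_called = 1;          /* stands in for SSL_shutdown() */
}

int main(void) {
    const char *script[] = {"abc", NULL, "zzz"};   /* constructed input */
    conn c = {script, 3, 0, 0, 0};
    char buf[64];
    long n = read_all(&c, buf, sizeof buf);        /* -1: fatal error hit */
    conn_close(&c);                                /* shutdown is skipped */
    return (n == -1 && !c.shutdown_called) ? 0 : 1;
}
```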

runHandshakeWithClientData succeeds even when dataToSend is empty

Bug Report

In runHandshakeWithClientData of SDLTLSEngine.m, if dataToSend is empty, one of the errors below has probably occurred. In this case nil should be returned and error should not be nil.

| Error code | Bytes | Description |
|---|---|---|
| ERROR_SUCCESS | 0x00 | Internal SecurityManager value |
| ERROR_INVALID_QUERY_SIZE | 0x01 | wrong size of query data |
| ERROR_INVALID_QUERY_ID | 0x02 | unknown query id |
| ERROR_NOT_SUPPORTED | 0x03 | SDL does not support encryption |
| ERROR_SERVICE_ALREADY_PROTECTED | 0x04 | got request to protect a service that was protected before |
| ERROR_SERVICE_NOT_PROTECTED | 0x05 | got handshake or encrypted data for not protected service |
| ERROR_DECRYPTION_FAILED | 0x06 | decryption failed |
| ERROR_ENCRYPTION_FAILED | 0x07 | encryption failed |
| INVALID_CERT | 0x08 | handshake failed because certificate is invalid |
| EXPIRED_CERT | 0x09 | handshake failed because certificate is expired |
| ERROR_HANDSHAKE_FAILED | 0x10 | In case of all other handshake errors |
| ERROR_INTERNAL | 0xFF | internal error |
| ERROR_UNKNOWN_INTERNAL_ERROR | 0xFE | error value for testing |
| ERROR_SSL_INVALID_DATA | 0xF0 | SSL invalid data |

Reproduction Steps
  1. Add security library to an SDL app with encrypted navigation
  2. Reproduce issue #1527 in SDL iOS or just make the core send a NAK to start secure service
Expected Behavior

Error should be sent to SDL iOS which should call sdl_serverSecurityFailedMessageWithClientMessageHeader

Observed Behavior

An infinite loop occurs between SDL iOS and SDL Core because the error isn't handled

OS & Version Information
  • SDL Security iOS Version: 1.0.0
  • SDL iOS Version: 6.6.0
  • iOS Version: 13.4.1
  • Testing Against: SYNC 3.2v2 R4
Test Case, Sample Code, and / or Example App

A warning error is thrown when building the static library

When building and running the SDLSecurityStatic target a warning error is thrown but the build still succeeds.

This error should be fixed because it looks like the build failed even though it has succeeded.

The warning:

/xcodebuild:-1: SDK "iphoneos2.4" cannot be located.

Move the certificate storage to the Library directory

https://developer.apple.com/library/archive/documentation/FileManagement/Conceptual/FileSystemProgrammingGuide/FileSystemOverview/FileSystemOverview.html#//apple_ref/doc/uid/TP40010672-CH2-SW1

See this link. It should either be put into the caches sub-directory (so that it won't be saved to iCloud, but it may get cleared if device storage is very low), or it should be in the Application Support directory, which will be backed up to iCloud but won't be cleared if device storage is low.

Check that certificates can be downloaded from a URL

Check that certificates can be downloaded from a URL, parsed, and saved correctly. The following situations should be handled:

  1. No internet connection
  2. Poor internet connection
  3. Certificate data write fails
  4. Certificate data access fails
    • Library crashes here if it attempts to access certificate data that does not exist.
  5. Certificate validation fails
  6. Handshake fails

Writing data to the SSL channel fails if the data chunk is too big

Bug Report

OpenSSL restricts the amount of plaintext bytes that will be sent in any one SSL/TLS record. By default its value is SSL3_RT_MAX_PLAIN_LENGTH (16384 bytes). If the size of the data to be encrypted is larger than SSL3_RT_MAX_PLAIN_LENGTH, then the write will fail with the error message dtls message too big. This is an issue with encrypting video frame data which can be larger than the max allowed size.

Instead of performing one SSL_write, the code needs to be updated to use a while loop to write chunks of data no larger than SSL3_RT_MAX_PLAIN_LENGTH to the sslConnection.

Reproduction Steps
  1. Set up a video streaming app to support video stream encryption.
  2. Connect the SDL app to a module and launch the app. Video should start streaming.
Expected Behavior

Video should stream as expected.

Observed Behavior

Video may not stream or frames may be dropped due to the size of the video frame data.

OS & Version Information
  • SDL Security iOS Version: 1.0
  • SDL iOS Version: 7.0
  • iOS Version: n/a
  • Testing Against: sdl_hmi (v.5.3.1) and sdl_core (v.7.0)
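The chunked write this issue asks for, as an added example that is not code from sdl_security_ios. `record_layer` and `record_write` are hypothetical stand-ins for the sslConnection and its write call; the stand-in rejects any single write above the 16384-byte limit quoted in the issue, so the failure and the fix can both be exercised on a constructed 40000-byte frame.

```c
#include <stddef.h>
#include <stdio.h>

#define MAX_PLAIN_LENGTH 16384  /* SSL3_RT_MAX_PLAIN_LENGTH default, per the issue */

/* Hypothetical stand-in for the record layer (not OpenSSL): like the failure
 * in the issue, it rejects any single write larger than the limit. */
typedef struct {
    size_t records;      /* records accepted so far */
    size_t last_record;  /* size of the most recent record */
} record_layer;

static int record_write(record_layer *rl, const unsigned char *buf, size_t len) {
    (void)buf;
    if (len == 0 || len > MAX_PLAIN_LENGTH)
        return -1;                        /* "dtls message too big" */
    rl->records++;
    rl->last_record = len;
    return (int)len;
}

/* Write len bytes as records no larger than the limit. Returns 0 on success,
 * -1 on the first failed write; *written says how far the frame got. */
int write_chunked(record_layer *rl, const unsigned char *data, size_t len,
                  size_t *written) {
    size_t off = 0;
    while (off < len) {
        size_t chunk = len - off;
        if (chunk > MAX_PLAIN_LENGTH)
            chunk = MAX_PLAIN_LENGTH;
        int n = record_write(rl, data + off, chunk);
        if (n <= 0) {                     /* stop; do not skip ahead */
            *written = off;
            return -1;
        }
        off += (size_t)n;                 /* advance by what was accepted */
    }
    *written = off;
    return 0;
}

int main(void) {
    static unsigned char frame[40000];    /* constructed video-frame-sized buffer */
    record_layer rl = {0, 0};
    size_t written = 0;
    int rc = write_chunked(&rl, frame, sizeof frame, &written);
    printf("rc=%d written=%zu records=%zu\n", rc, written, rl.records);
    return rc;
}
```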

Remove or configure multiple URLs

Currently there are three constants for the certificate URLs: CertDevURL, CertQAURL, CertProdURL, but CertQAURL is the only one being used.

Either only one url should be used, or the project should be configured to use a different URL based on whether a debug or release build is being created.

Podspec file should be removed

A .podspec file was added to the library so it can be installed as a dependency via CocoaPods. However it seems to have no purpose since the installed files can not be utilized. It should be removed or, if it does have a purpose, more information on how to use it should be added to the README.
