From 141bdd61926e976c7404285d11d345a2e2fb2537 Mon Sep 17 00:00:00 2001
From: Rodrigo Reis
Date: Mon, 16 Oct 2017 09:51:12 -0700
Subject: [PATCH 1/2] [iOS] Validate if VendorID exists in the sharedKeychain before sending to server

---
 .../_private_/models/MASDevice+MASPrivate.h | 9 +++++++++
 .../_private_/models/MASDevice+MASPrivate.m | 18 +++++++++++++++++-
 .../services/access/MASAccessService.h | 1 +
 .../services/access/MASAccessService.m | 14 +++++++++++++-
 MASFoundation/Classes/models/MASDevice.m | 11 +++++++++++
 5 files changed, 51 insertions(+), 2 deletions(-)

diff --git a/MASFoundation/Classes/_private_/models/MASDevice+MASPrivate.h b/MASFoundation/Classes/_private_/models/MASDevice+MASPrivate.h
index 0b5c0fa9..ecbb5815 100644
--- a/MASFoundation/Classes/_private_/models/MASDevice+MASPrivate.h
+++ b/MASFoundation/Classes/_private_/models/MASDevice+MASPrivate.h
@@ -81,4 +81,13 @@
  */
 + (NSString *)deviceNameBase64Encoded;
 
+
+/**
+ * Retrieves the device vendor identifier that is uniquely generated for the
+ * specific device the framework is running upon.
+ *
+ * @return Returns the unique NSString device vendor identifier.
+ */
++ (NSString *)deviceVendorId;
+
 @end
diff --git a/MASFoundation/Classes/_private_/models/MASDevice+MASPrivate.m b/MASFoundation/Classes/_private_/models/MASDevice+MASPrivate.m
index 3ca228cf..48dab8cf 100644
--- a/MASFoundation/Classes/_private_/models/MASDevice+MASPrivate.m
+++ b/MASFoundation/Classes/_private_/models/MASDevice+MASPrivate.m
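Review bot: The new `+deviceVendorId` declaration promises a unique, always-present string, but the implementation added in MASDevice+MASPrivate.m returns `[[[UIDevice currentDevice] identifierForVendor] UUIDString]`, and UIKit declares `identifierForVendor` nullable: it is nil until the device has been unlocked after a restart, and its value is regenerated once every app from the same vendor has been removed. Both new callers depend on that distinction (the guard in `saveWithUpdatedInfo:` skips the keychain write on nil, and `isRegistered` compares it with `isEqualToString:`, which yields NO for a nil receiver), so the contract belongs in the header. Suggested: declare it `+ (nullable NSString *)deviceVendorId;` and replace the `@return` line with `@return The current vendor identifier, or nil when iOS has not made it available yet; the value changes once all apps from the same vendor are uninstalled.`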
@@ -145,6 +145,15 @@ - (void)saveWithUpdatedInfo:(NSDictionary *)info
 [accessService setAccessValueNumber:[NSNumber numberWithDouble:[expirationDate timeIntervalSince1970]] withAccessValueType:MASAccessValueTypeSignedPublicCertificateExpirationDate];
 }
 
+ //
+ // Device Vendor Id
+ //
+ NSString *deviceVendorId = [MASDevice deviceVendorId];
+ if (deviceVendorId)
+ {
+ [accessService setAccessValueString:deviceVendorId withAccessValueType:MASAccessValueTypeDeviceVendorId];
+ }
+
 //
 // Reload MASAccess object after storing id-token and type
 //
@@ -183,7 +192,7 @@ - (BOOL)isClientCertificateExpired
 
 + (NSString *)deviceIdBase64Encoded
 {
- NSString *deviceId = [[[UIDevice currentDevice] identifierForVendor] UUIDString];
+ NSString *deviceId = [MASDevice deviceVendorId];
 
 //
 // If the sso is disabled, generate unique device id to differentiate the application's registration record from others.
@@ -215,4 +224,11 @@ + (NSString *)deviceNameBase64Encoded;
 return [deviceNameData base64EncodedStringWithOptions:0];
 }
 
+
++ (NSString *)deviceVendorId
+{
+ return [[[UIDevice currentDevice] identifierForVendor] UUIDString];
+}
+
+
 @end
diff --git a/MASFoundation/Classes/_private_/services/access/MASAccessService.h b/MASFoundation/Classes/_private_/services/access/MASAccessService.h
index 7ab122e0..077e6038 100644
--- a/MASFoundation/Classes/_private_/services/access/MASAccessService.h
+++ b/MASFoundation/Classes/_private_/services/access/MASAccessService.h
@@ -51,6 +51,7 @@ typedef NS_ENUM(NSInteger, MASAccessValueType)
 MASAccessValueTypeTrustedServerCertificate,
 MASAccessValueTypeCurrentAuthCredentialsGrantType,
 MASAccessValueTypeMASUserObjectData,
+ MASAccessValueTypeDeviceVendorId,
 };
 
 
diff --git a/MASFoundation/Classes/_private_/services/access/MASAccessService.m b/MASFoundation/Classes/_private_/services/access/MASAccessService.m
index efdb6e80..a03e0d4b 100644
--- a/MASFoundation/Classes/_private_/services/access/MASAccessService.m
+++ b/MASFoundation/Classes/_private_/services/access/MASAccessService.m
@@ -745,6 +745,9 @@ - (NSString *)getStorageKeyWithAccessValueType:(MASAccessValueType)type
 case MASAccessValueTypeMASUserObjectData:
 storageKey = kMASAccessSharedStorageKey;
 break;
+ case MASAccessValueTypeDeviceVendorId:
+ storageKey = kMASAccessSharedStorageKey;
+ break;
 default:
 //
 // MASAccessValueTypeUknonw
@@ -857,24 +860,33 @@ - (NSString *)convertAccessTypeToString:(MASAccessValueType)type
 case MASAccessValueTypeSignedPublicCertificateExpirationDate:
 accessTypeToString = [NSString stringWithFormat:@"%@.%@", _gatewayIdentifier, @"kMASAccessValueTypeSignedPublicCertificateExpirationDate"];
 break;
+ //AuthenticatedTimestamp
 case MASAccessValueTypeAuthenticatedTimestamp:
 accessTypeToString = [NSString stringWithFormat:@"%@.%@", _gatewayIdentifier, @"kMASAccessValueTypeAuthenticatedTimestamp"];
 break;
+ //IsDeviceLocked:
 case MASAccessValueTypeIsDeviceLocked:
 accessTypeToString = [NSString stringWithFormat:@"%@.%@", _gatewayIdentifier, @"kMASAccessValueTypeIsDeviceLocked"];
 break;
+ //CurrentAuthCredentialsGrantType
 case MASAccessValueTypeCurrentAuthCredentialsGrantType:
 accessTypeToString = [NSString stringWithFormat:@"%@.%@", _gatewayIdentifier, @"kMASAccessValueTypeCurrentAuthCredentialsGrantType"];
 break;
+ //MASUserObjectData
 case MASAccessValueTypeMASUserObjectData:
 accessTypeToString = [NSString stringWithFormat:@"%@.%@", _gatewayHostName, @"kMASAccessValueTypeMASUserObjectData"];
+ break;
+ //DeviceVendorId
+ case MASAccessValueTypeDeviceVendorId:
+ accessTypeToString = [NSString stringWithFormat:@"%@.%@", _gatewayHostName, @"kMASKeyChainDeviceVendorId"];
+ break;
 default:
 //
 // MASAccessValueTypeUknonw
 //
 break;
 }
-
+
 if (![self isAccessGroupAccessible])
 {
 accessTypeToString = [NSString stringWithFormat:@"_%@", accessTypeToString];
diff --git a/MASFoundation/Classes/models/MASDevice.m b/MASFoundation/Classes/models/MASDevice.m
index 645399ce..5d384a7f 100644
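Review bot: The keychain key string for the new case in `convertAccessTypeToString:` breaks the pattern the other cases in this hunk follow — each of them stores under `k` plus its own enum name, whereas `MASAccessValueTypeDeviceVendorId` uses `@"kMASKeyChainDeviceVendorId"`. Because that string becomes the persisted keychain account name, renaming it after release would orphan already-stored values, so it is worth aligning before it ships: `accessTypeToString = [NSString stringWithFormat:@"%@.%@", _gatewayHostName, @"kMASAccessValueTypeDeviceVendorId"];`. Prefixing with `_gatewayHostName` rather than `_gatewayIdentifier` is presumably intentional, since the same case is routed to `kMASAccessSharedStorageKey` in `getStorageKeyWithAccessValueType:` exactly like `MASAccessValueTypeMASUserObjectData`; a one-line comment stating that reason next to the case would save the next reader the cross-reference. The added `//IsDeviceLocked:` label also carries a stray colon that its neighbours do not.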
--- a/MASFoundation/Classes/models/MASDevice.m
+++ b/MASFoundation/Classes/models/MASDevice.m
@@ -55,6 +55,17 @@ - (BOOL)isRegistered
 //
 MASAccessService *accessService = [MASAccessService sharedService];
 
+ NSString *vendorIdFromKeychain = [accessService getAccessValueStringWithType:MASAccessValueTypeDeviceVendorId];
+ NSString *vendorIdCurrent = [MASDevice deviceVendorId];
+
+ if([vendorIdCurrent isEqualToString:vendorIdFromKeychain])
+ {
+ NSLog(@"YES, SAME VENDOR ID ;-)");
+ }
+ else {
+ NSLog(@"NOOOOO, DIFFERENT VENDOR ID :-(");
+ }
+
 NSString *magIdentifier = [accessService getAccessValueStringWithType:MASAccessValueTypeMAGIdentifier];
 NSData *certificateData = [accessService getAccessValueCertificateWithType:MASAccessValueTypeSignedPublicCertificate];
 

From e3437bc151d51990bc5817e5c965cb69ae00957c Mon Sep 17 00:00:00 2001
From: Rodrigo Reis
Date: Wed, 18 Oct 2017 12:05:56 -0700
Subject: [PATCH 2/2] [iOS] Validate if VendorID exists in the sharedKeychain before sending to server

---
 MASFoundation/Classes/models/MASDevice.m | 21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)

diff --git a/MASFoundation/Classes/models/MASDevice.m b/MASFoundation/Classes/models/MASDevice.m
index 5d384a7f..0cfbfd28 100644
--- a/MASFoundation/Classes/models/MASDevice.m
+++ b/MASFoundation/Classes/models/MASDevice.m
@@ -50,6 +50,8 @@ + (void)setProximityLoginDelegate:(id)delegate
 
 - (BOOL)isRegistered
 {
+ _isRegistered = NO;
+
 //
 // Obtain key chain items to determine registration status
 //
@@ -57,20 +59,18 @@ - (BOOL)isRegistered
 
 NSString *vendorIdFromKeychain = [accessService getAccessValueStringWithType:MASAccessValueTypeDeviceVendorId];
 NSString *vendorIdCurrent = [MASDevice deviceVendorId];
-
+
+ //
+ // Check if the vendorId in Keychain macth with current vendorId
+ //
 if([vendorIdCurrent isEqualToString:vendorIdFromKeychain])
 {
- NSLog(@"YES, SAME VENDOR ID ;-)");
- }
- else {
- NSLog(@"NOOOOO, DIFFERENT VENDOR ID :-(");
+ NSString *magIdentifier = [accessService getAccessValueStringWithType:MASAccessValueTypeMAGIdentifier];
+ NSData *certificateData = [accessService getAccessValueCertificateWithType:MASAccessValueTypeSignedPublicCertificate];
+
+ _isRegistered = (magIdentifier && certificateData);
 }
 
- NSString *magIdentifier = [accessService getAccessValueStringWithType:MASAccessValueTypeMAGIdentifier];
- NSData *certificateData = [accessService getAccessValueCertificateWithType:MASAccessValueTypeSignedPublicCertificate];
-
- _isRegistered = (magIdentifier && certificateData);
-
 return _isRegistered;
 }
 
@@ -133,7 +133,6 @@ - (void)resetLocally
 }
 
-
 # pragma mark - Lifecycle
 
 - (id)init
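Review bot: `isEqualToString:` returns NO when either side is nil, so after this hunk a keychain that holds a MAG identifier and client certificate but no stored vendor id reports the device as unregistered — and since the vendor id is only written by `saveWithUpdatedInfo:` (added in the first patch), that is the state of every device registered before this build. If forcing those devices to re-register is the intent, the comment should say so; otherwise treat a missing keychain value as "not yet recorded", e.g. `if (vendorIdFromKeychain == nil || [vendorIdCurrent isEqualToString:vendorIdFromKeychain])`, and write the current id back so the check is enforced from then on. `vendorIdCurrent` itself can be nil while `identifierForVendor` is temporarily unavailable, which makes `isRegistered` flip to NO transiently, and on a genuine mismatch the stale keychain items are left in place, so the mismatch is hidden rather than resolved. The added comment also misspells `macth`; suggested wording: `// Only trust the keychain registration items when they were stored under the current vendor id`. `isRegistered` begins before this hunk.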