Add context and cert pinning. (eu-digital-green-certificates#65)

DGCAVerifier.xcodeproj/project.pbxproj

@@ -36,6 +36,7 @@
 		CEA6D6F8261F8D2900715333 /* LaunchScreen.storyboard in Resources */ = {isa = PBXBuildFile; fileRef = CEA6D6F6261F8D2900715333 /* LaunchScreen.storyboard */; };
 		CEA6D703261F8D2900715333 /* DGCAVerifierTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = CEA6D702261F8D2900715333 /* DGCAVerifierTests.swift */; };
 		CEA6D70E261F8D2900715333 /* DGCAVerifierUITests.swift in Sources */ = {isa = PBXBuildFile; fileRef = CEA6D70D261F8D2900715333 /* DGCAVerifierUITests.swift */; };
+		CEC7FEE1264C819D005561BA /* context.jsonc in Resources */ = {isa = PBXBuildFile; fileRef = CEC7FEE0264C819D005561BA /* context.jsonc */; };
 		CED2726026398683003D47A9 /* UIFont.swift in Sources */ = {isa = PBXBuildFile; fileRef = CED2725F26398683003D47A9 /* UIFont.swift */; };
 		CEFAD87F262714C4009AFEF9 /* EHNTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = CEFAD87E262714C4009AFEF9 /* EHNTests.swift */; };
 /* End PBXBuildFile section */
@@ -89,6 +90,7 @@
 		CEA6D709261F8D2900715333 /* DGCAVerifierUITests.xctest */ = {isa = PBXFileReference; explicitFileType = wrapper.cfbundle; includeInIndex = 0; path = DGCAVerifierUITests.xctest; sourceTree = BUILT_PRODUCTS_DIR; };
 		CEA6D70D261F8D2900715333 /* DGCAVerifierUITests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = DGCAVerifierUITests.swift; sourceTree = "<group>"; };
 		CEA6D70F261F8D2900715333 /* Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = "<group>"; };
+		CEC7FEE0264C819D005561BA /* context.jsonc */ = {isa = PBXFileReference; lastKnownFileType = file; path = context.jsonc; sourceTree = SOURCE_ROOT; };
 		CED2725F26398683003D47A9 /* UIFont.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = UIFont.swift; sourceTree = "<group>"; };
 		CEDCA7972639E6E700FCB83E /* SwiftDGC */ = {isa = PBXFileReference; lastKnownFileType = folder; name = SwiftDGC; path = "../dgca-app-core-ios"; sourceTree = "<group>"; };
 		CEDCA79B2639E77800FCB83E /* Package.resolved */ = {isa = PBXFileReference; lastKnownFileType = text; name = Package.resolved; path = DGCAVerifier.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved; sourceTree = SOURCE_ROOT; };
@@ -186,6 +188,7 @@
 				CEA6D6F4261F8D2900715333 /* Assets.xcassets */,
 				CEA6D6F9261F8D2900715333 /* Info.plist */,
 				CE345FB626446817003B457E /* Localizable.strings */,
+				CEC7FEE0264C819D005561BA /* context.jsonc */,
 			);
 			path = SupportingFiles;
 			sourceTree = "<group>";
@@ -389,6 +392,7 @@
 				CE81533C263FF8FE0030D777 /* README.md in Resources */,
 				CE345FB426446817003B457E /* Localizable.strings in Resources */,
 				CEA6D6F5261F8D2900715333 /* Assets.xcassets in Resources */,
+				CEC7FEE1264C819D005561BA /* context.jsonc in Resources */,
 				CEA6D6F3261F8D2700715333 /* Main.storyboard in Resources */,
 				CE345FAC26446694003B457E /* Settings.storyboard in Resources */,
 			);

DGCAVerifier/Models/LocalData.swift

@@ -27,8 +27,10 @@
 
 import Foundation
 import SwiftDGC
+import SwiftyJSON
 
 struct LocalData: Codable {
+  static let appVersion = (Bundle.main.infoDictionary?["CFBundleShortVersionString"] as? String) ?? "?.?.?"
   static var sharedInstance = LocalData()
 
   var encodedPublicKeys = [String: [String]]()
@@ -42,6 +44,7 @@ struct LocalData: Codable {
       lastFetchRaw = value
     }
   }
+  var config = Config.load()
 
   mutating func add(encodedPublicKey: String) {
     let kid = KID.from(encodedPublicKey)
@@ -73,9 +76,17 @@ struct LocalData: Codable {
       print(String.localizedStringWithFormat(format, result.encodedPublicKeys.count))
       LocalData.sharedInstance = result
       completion()
+      GatewayConnection.fetchContext()
     }
     HCert.publicKeyStorageDelegate = LocalDataDelegate.instance
   }
+
+  var versionedConfig: JSON {
+    if config["versions"][Self.appVersion].exists() {
+      return config["versions"][Self.appVersion]
+    }
+    return config["versions"]["default"]
+  }
 }
 
 class LocalDataDelegate: PublicKeyStorageDelegate {

DGCAVerifier/Services/GatewayConnection.swift

@@ -30,24 +30,17 @@ import Alamofire
 import SwiftDGC
 import SwiftyJSON
 
-struct GatewayConnection {
-  static let serverURI = "https://dgca-verifier-service.cfapps.eu10.hana.ondemand.com/"
-  static let updateEndpoint = "signercertificateUpdate"
-  static let statusEndpoint = "signercertificateStatus"
-
+struct GatewayConnection: ContextConnection {
   public static func certUpdate(resume resumeToken: String? = nil, completion: ((String?, String?) -> Void)?) {
     var headers = [String: String]()
     if let token = resumeToken {
       headers["x-resume-token"] = token
     }
-    AF.request(
-      serverURI + updateEndpoint,
+    request(
+      ["endpoints", "update"],
       method: .get,
-      parameters: nil,
       encoding: URLEncoding(),
-      headers: .init(headers),
-      interceptor: nil,
-      requestModifier: nil
+      headers: .init(headers)
     ).response {
       if
         let status = $0.response?.statusCode,
@@ -74,7 +67,7 @@ struct GatewayConnection {
     }
   }
   public static func certStatus(resume resumeToken: String? = nil, completion: (([String]) -> Void)?) {
-    AF.request(serverURI + statusEndpoint).response {
+    request(["endpoints", "status"]).response {
       guard
         case let .success(result) = $0.result,
         let response = result,
@@ -131,4 +124,23 @@ struct GatewayConnection {
       completion?()
     }
   }
+
+  public static func fetchContext() {
+    request(
+      ["context"]
+    ).response {
+      guard
+        let data = $0.data,
+        let string = String(data: data, encoding: .utf8)
+      else {
+        return
+      }
+      let json = JSON(parseJSONC: string)
+      LocalData.sharedInstance.config.merge(other: json)
+      LocalData.sharedInstance.save()
+    }
+  }
+  static var config: JSON {
+    LocalData.sharedInstance.versionedConfig
+  }
 }

context.jsonc

@@ -0,0 +1,29 @@
+{
+  // Origin in ISO alpha 2 code:
+  "origin": "DE",
+  "versions": {
+    "default": {
+      // catch-all for normal versions
+      "privacyUrl": "https://publications.europa.eu/en/web/about-us/legal-notices/eu-mobile-apps",
+      "context": {
+        // Currently this url is empty still, subject to change:
+        "url": "https://dgca-verifier-service.cfapps.eu10.hana.ondemand.com/context",
+        "pubKeys": ["Ef6tLK887tpTdkiVkSG7ioXCgNEJsbIgKcAU+dxTTag="]
+      },
+      "endpoints": {
+        "status": {
+          "url": "https://dgca-verifier-service.cfapps.eu10.hana.ondemand.com/signercertificateStatus",
+          "pubKeys": ["Ef6tLK887tpTdkiVkSG7ioXCgNEJsbIgKcAU+dxTTag="]
+        },
+        "update": {
+          "url": "https://dgca-verifier-service.cfapps.eu10.hana.ondemand.com/signercertificateUpdate",
+          "pubKeys": ["Ef6tLK887tpTdkiVkSG7ioXCgNEJsbIgKcAU+dxTTag="]
+        }
+      }
+    },
+    "0.1.0": {
+      // Example for a version that is insecure and shouldn't start.
+      "outdated": true
+    }
+  }
+}