Add context and cert pinning. (eu-digital-green-certificates#37)

DGCAWallet.xcodeproj/project.pbxproj

@@ -35,6 +35,7 @@
 		CEA6D703261F8D2900715333 /* DGCAWalletTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = CEA6D702261F8D2900715333 /* DGCAWalletTests.swift */; };
 		CEA6D70E261F8D2900715333 /* DGCAWalletUITests.swift in Sources */ = {isa = PBXBuildFile; fileRef = CEA6D70D261F8D2900715333 /* DGCAWalletUITests.swift */; };
 		CEA6E561264058B50066DC8E /* UIViewController.swift in Sources */ = {isa = PBXBuildFile; fileRef = CEA6E560264058B50066DC8E /* UIViewController.swift */; };
+		CEC7FEDF264C5A41005561BA /* context.jsonc in Resources */ = {isa = PBXBuildFile; fileRef = CEC7FEDE264C5A41005561BA /* context.jsonc */; };
 		CED2726026398683003D47A9 /* UIFont.swift in Sources */ = {isa = PBXBuildFile; fileRef = CED2725F26398683003D47A9 /* UIFont.swift */; };
 		CED949CA263B50CE00883558 /* List.swift in Sources */ = {isa = PBXBuildFile; fileRef = CED949C9263B50CE00883558 /* List.swift */; };
 		CEDABD40263C5FF4007A9B97 /* CertTable.swift in Sources */ = {isa = PBXBuildFile; fileRef = CEDABD3F263C5FF4007A9B97 /* CertTable.swift */; };
@@ -92,6 +93,7 @@
 		CEA6D70D261F8D2900715333 /* DGCAWalletUITests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = DGCAWalletUITests.swift; sourceTree = "<group>"; };
 		CEA6D70F261F8D2900715333 /* Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = "<group>"; };
 		CEA6E560264058B50066DC8E /* UIViewController.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = UIViewController.swift; sourceTree = "<group>"; };
+		CEC7FEDE264C5A41005561BA /* context.jsonc */ = {isa = PBXFileReference; lastKnownFileType = file; path = context.jsonc; sourceTree = SOURCE_ROOT; };
 		CED2725F26398683003D47A9 /* UIFont.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = UIFont.swift; sourceTree = "<group>"; };
 		CED949C9263B50CE00883558 /* List.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = List.swift; sourceTree = "<group>"; };
 		CEDABD3F263C5FF4007A9B97 /* CertTable.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = CertTable.swift; sourceTree = "<group>"; };
@@ -198,6 +200,7 @@
 				CEA6D6F4261F8D2900715333 /* Assets.xcassets */,
 				CEA6D6F9261F8D2900715333 /* Info.plist */,
 				CE6D4A46264835F100A5D33D /* Localizable.strings */,
+				CEC7FEDE264C5A41005561BA /* context.jsonc */,
 			);
 			path = SupportingFiles;
 			sourceTree = "<group>";
@@ -399,6 +402,7 @@
 				CE13CF05262DCDCD0070C80E /* CertificateViewer.storyboard in Resources */,
 				CE6D4A44264835F100A5D33D /* Localizable.strings in Resources */,
 				CEA6D6F8261F8D2900715333 /* LaunchScreen.storyboard in Resources */,
+				CEC7FEDF264C5A41005561BA /* context.jsonc in Resources */,
 				CE81533A263FF7EC0030D777 /* README.md in Resources */,
 				CEA6D6F5261F8D2900715333 /* Assets.xcassets in Resources */,
 				CEA6D6F3261F8D2700715333 /* Main.storyboard in Resources */,

DGCAWallet/Models/LocalData.swift

@@ -27,6 +27,7 @@
 
 import Foundation
 import SwiftDGC
+import SwiftyJSON
 
 struct DatedCertString: Codable {
   var date: Date
@@ -38,9 +39,11 @@ struct DatedCertString: Codable {
 }
 
 struct LocalData: Codable {
+  static let appVersion = (Bundle.main.infoDictionary?["CFBundleShortVersionString"] as? String) ?? "?.?.?"
   static var sharedInstance = LocalData()
 
   var certStrings = [DatedCertString]()
+  var config = Config.load()
 
   public func save() {
     Self.storage.save(self)
@@ -64,4 +67,11 @@ struct LocalData: Codable {
       completion()
     }
   }
+
+  var versionedConfig: JSON {
+    if config["versions"][Self.appVersion].exists() {
+      return config["versions"][Self.appVersion]
+    }
+    return config["versions"]["default"]
+  }
 }

DGCAWallet/Services/GatewayConnection.swift

@@ -30,10 +30,7 @@ import Alamofire
 import SwiftDGC
 import SwiftyJSON
 
-struct GatewayConnection {
-  static let serverURI = "https://dgca-issuance-web.cfapps.eu10.hana.ondemand.com/"
-  static let claimEndpoint = "dgca-issuance-service/dgci/wallet/claim"
-
+struct GatewayConnection: ContextConnection {
   public static func claim(cert: HCert, with tan: String?, completion: ((Bool, String?) -> Void)?) {
     guard var tan = tan, !tan.isEmpty else {
       return
@@ -62,14 +59,11 @@ struct GatewayConnection {
         "signature": sign.base64EncodedString(),
         "sigAlg": "SHA256withECDSA"
       ]
-      AF.request(
-        serverURI + claimEndpoint,
+      request(
+        ["endpoints", "claim"],
         method: .post,
         parameters: param,
-        encoding: JSONEncoding.default,
-        headers: nil,
-        interceptor: nil,
-        requestModifier: nil
+        encoding: JSONEncoding.default
       ).response {
         guard
           case .success(_) = $0.result,
@@ -87,4 +81,23 @@ struct GatewayConnection {
       }
     }
   }
+
+  public static func fetchContext() {
+    request(
+      ["context"]
+    ).response {
+      guard
+        let data = $0.data,
+        let string = String(data: data, encoding: .utf8)
+      else {
+        return
+      }
+      let json = JSON(parseJSONC: string)
+      LocalData.sharedInstance.config.merge(other: json)
+      LocalData.sharedInstance.save()
+    }
+  }
+  static var config: JSON {
+    LocalData.sharedInstance.versionedConfig
+  }
 }

context.jsonc

@@ -0,0 +1,24 @@
+{
+  // Origin in ISO alpha 2 code:
+  "origin": "DE",
+  "versions": {
+    "default": {
+      // catch-all for normal versions
+      "privacyUrl": "https://publications.europa.eu/en/web/about-us/legal-notices/eu-mobile-apps",
+      "context": {
+        "url": "https://dgca-issuance-web.cfapps.eu10.hana.ondemand.com/dgca-issuance-service/context",
+        "pubKeys": ["Ef6tLK887tpTdkiVkSG7ioXCgNEJsbIgKcAU+dxTTag="]
+      },
+      "endpoints": {
+        "claim": {
+          "url": "https://dgca-issuance-web.cfapps.eu10.hana.ondemand.com/dgca-issuance-service/dgci/wallet/claim",
+          "pubKeys": ["Ef6tLK887tpTdkiVkSG7ioXCgNEJsbIgKcAU+dxTTag="]
+        }
+      }
+    },
+    "0.1.0": {
+      // Example for a version that is insecure and shouldn't start.
+      "outdated": true
+    }
+  }
+}