FIRInstanceIDKeyPairStore crash fix (#2953)

maksymmalyhin · web-flow · commit 2b403a6041fa · 2019-05-13T18:13:53.000-04:00
* FIRInstanceIDKeyPairStore fix SecKeyRef memory management issue * [WIP] FIRInstanceIDKeyPairStore - perform operations in the order they were scheduled * Revert "[WIP] FIRInstanceIDKeyPairStore - perform operations in the order they were scheduled" This reverts commit 7ff7b51. * FIRInstanceIDKeyPairStore - schedule updating public and private keys at once (not from a callback) to avoid modifications of keychain in between. Update `self.keyPair` before updating keychain for all cases. * Chengelog * Don't use dispatch_group, rely on `FIRInstanceIDKeychain` serialized implementation instead
diff --git a/Example/InstanceID/Tests/FIRInstanceIDKeyPairMigrationTest.m b/Example/InstanceID/Tests/FIRInstanceIDKeyPairMigrationTest.m
@@ -30,7 +30,7 @@
 @interface FIRInstanceIDKeyPairStore (ExposedForTest)
 
 @property(nonatomic, readwrite, strong) FIRInstanceIDBackupExcludedPlist *plist;
-@property(nonatomic, readwrite, strong) FIRInstanceIDKeyPair *keyPair;
+@property(atomic, readwrite, strong) FIRInstanceIDKeyPair *keyPair;
 BOOL FIRInstanceIDHasMigratedKeyPair(NSString *legacyPublicKeyTag, NSString *newPublicKeyTag);
 NSString *FIRInstanceIDLegacyPublicTagWithSubtype(NSString *subtype);
 NSString *FIRInstanceIDLegacyPrivateTagWithSubtype(NSString *subtype);
@@ -44,6 +44,10 @@ + (void)deleteKeyPairWithPrivateTag:(NSString *)privateTag
                             handler:(void (^)(NSError *))handler;
 - (void)migrateKeyPairCacheIfNeededWithHandler:(void (^)(NSError *error))handler;
 + (NSString *)keyStoreFileName;
+
+- (void)updateKeyRef:(SecKeyRef)keyRef
+             withTag:(NSString *)tag
+             handler:(void (^)(NSError *error))handler;
 @end
 
 // Need to separate the tests from FIRInstanceIDKeyPairStoreTest for separate keychain operations
@@ -68,7 +72,7 @@ - (void)tearDown {
   [self.keyPairStore removeKeyPairCreationTimePlistWithError:&error];
 }
 
-- (void)testMigrationDataIfLegtacyKeyPairsNotExist {
+- (void)testMigrationDataIfLegacyKeyPairsNotExist {
   NSString *legacyPublicKeyTag =
       FIRInstanceIDLegacyPublicTagWithSubtype(kFIRInstanceIDKeyPairSubType);
 
@@ -132,6 +136,49 @@ - (void)testMigrationIfLegacyKeyPairsExist {
                                                    }];
   }];
 
-  [self waitForExpectationsWithTimeout:1000 handler:nil];
+  [self waitForExpectationsWithTimeout:1 handler:nil];
 }
+
+- (void)testUpdateKeyRefWithTagRetainsAndReleasesKeyRef {
+  SecKeyRef publicKeyRef;
+
+  @autoreleasepool {
+    NSString *legacyPublicKeyTag =
+        FIRInstanceIDLegacyPublicTagWithSubtype(kFIRInstanceIDKeyPairSubType);
+    NSString *legacyPrivateKeyTag =
+        FIRInstanceIDLegacyPrivateTagWithSubtype(kFIRInstanceIDKeyPairSubType);
+    FIRInstanceIDKeyPair *keyPair =
+        [[FIRInstanceIDKeychain sharedInstance] generateKeyPairWithPrivateTag:legacyPrivateKeyTag
+                                                                    publicTag:legacyPublicKeyTag];
+    XCTAssertTrue([keyPair isValid]);
+
+    publicKeyRef = keyPair.publicKey;
+
+    // Retain to keep publicKeyRef alive to verify its reatin count
+    CFRetain(publicKeyRef);
+
+    // 2 = 1 from keyPair + 1 from CFRetain()
+    XCTAssertEqual(CFGetRetainCount(publicKeyRef), 2);
+
+    XCTestExpectation *completionExpectaion =
+        [self expectationWithDescription:@"completionExpectaion"];
+    [self.keyPairStore updateKeyRef:keyPair.publicKey
+                            withTag:@"test"
+                            handler:^(NSError *error) {
+                              [completionExpectaion fulfill];
+                            }];
+
+    // 3 = from keyPair + 1 from CFRetain() + 1 retained by `updateKeyRef`
+    XCTAssertEqual(CFGetRetainCount(publicKeyRef), 3);
+  }
+
+  // 2 = 1 from CFRetain() + 1 retained by `updateKeyRef`
+  XCTAssertEqual(CFGetRetainCount(publicKeyRef), 2);
+
+  [self waitForExpectationsWithTimeout:0.5 handler:NULL];
+
+  // No one else owns publicKeyRef except the test
+  XCTAssertEqual(CFGetRetainCount(publicKeyRef), 1);
+}
+
 @end
diff --git a/Firebase/InstanceID/CHANGELOG.md b/Firebase/InstanceID/CHANGELOG.md
@@ -1,3 +1,6 @@
+# Unreleased
+- A keychain migration crash fix (#2731)
+
 # 2019-05-07 -- 4.0.0
 - Remove deprecated `token` method. Use `instanceIDWithHandler:` instead. (#2741)
 - Send `firebaseUserAgent` with a register request (#2679)
diff --git a/Firebase/InstanceID/FIRInstanceIDKeyPairStore.m b/Firebase/InstanceID/FIRInstanceIDKeyPairStore.m
@@ -119,7 +119,7 @@ BOOL FIRInstanceIDHasMigratedKeyPair(NSString *legacyPublicKeyTag, NSString *new
 @interface FIRInstanceIDKeyPairStore ()
 
 @property(nonatomic, readwrite, strong) FIRInstanceIDBackupExcludedPlist *plist;
-@property(nonatomic, readwrite, strong) FIRInstanceIDKeyPair *keyPair;
+@property(atomic, readwrite, strong) FIRInstanceIDKeyPair *keyPair;
 @property(nonatomic, readwrite, assign) NSInteger keychainEntitlementsErrorCount;
 
 @end
@@ -365,30 +365,31 @@ - (void)migrateKeyPairCacheIfNeededWithHandler:(void (^)(NSError *error))handler
   self.keyPair = keyPair;
 
   // Either new key pair doesn't exist or it's different than legacy key pair, start the migration.
+  __block NSError *updateKeyRefError;
+
   NSString *privateKeyTag = FIRInstanceIDPrivateTagWithSubtype(kFIRInstanceIDKeyPairSubType);
   [self updateKeyRef:keyPair.publicKey
              withTag:publicKeyTag
              handler:^(NSError *error) {
                if (error) {
                  FIRInstanceIDLoggerError(kFIRInstanceIDMessageCodeKeyPairMigrationError,
                                           @"Unable to migrate key pair from legacy ones.");
+                 updateKeyRefError = error;
+               }
+             }];
+
+  [self updateKeyRef:keyPair.privateKey
+             withTag:privateKeyTag
+             handler:^(NSError *error) {
+               if (error) {
+                 FIRInstanceIDLoggerError(kFIRInstanceIDMessageCodeKeyPairMigrationError,
+                                          @"Unable to migrate key pair from legacy ones.");
+                 updateKeyRefError = error;
+               }
+
+               if (handler) {
+                 handler(updateKeyRefError);
                }
-               [self updateKeyRef:keyPair.privateKey
-                          withTag:privateKeyTag
-                          handler:^(NSError *error) {
-                            if (error) {
-                              FIRInstanceIDLoggerError(
-                                  kFIRInstanceIDMessageCodeKeyPairMigrationError,
-                                  @"Unable to migrate key pair from legacy ones.");
-                              return;
-                            }
-                            FIRInstanceIDLoggerDebug(
-                                kFIRInstanceIDMessageCodeKeyPairMigrationSuccess,
-                                @"Successfully migrated the key pair from legacy ones.");
-                            if (handler) {
-                              handler(error);
-                            }
-                          }];
              }];
 }
 
@@ -400,37 +401,38 @@ - (void)updateKeyRef:(SecKeyRef)keyRef
              handler:(void (^)(NSError *error))handler {
   NSData *updatedTagData = [tag dataUsingEncoding:NSUTF8StringEncoding];
 
+  __block NSError *keychainError;
+
   // Always delete the old keychain before adding a new one to avoid conflicts.
   NSDictionary *deleteQuery = @{
     (__bridge id)kSecAttrApplicationTag : updatedTagData,
     (__bridge id)kSecClass : (__bridge id)kSecClassKey,
     (__bridge id)kSecAttrKeyType : (__bridge id)kSecAttrKeyTypeRSA,
     (__bridge id)kSecReturnRef : @(YES),
   };
+  [[FIRInstanceIDKeychain sharedInstance] removeItemWithQuery:deleteQuery
+                                                      handler:^(NSError *error) {
+                                                        if (error) {
+                                                          keychainError = error;
+                                                        }
+                                                      }];
 
-  [[FIRInstanceIDKeychain sharedInstance]
-      removeItemWithQuery:deleteQuery
-                  handler:^(NSError *error) {
-                    if (error) {
-                      if (handler) {
-                        handler(error);
-                      }
-                      return;
-                    }
-                    NSDictionary *addQuery = @{
-                      (__bridge id)kSecAttrApplicationTag : updatedTagData,
-                      (__bridge id)kSecClass : (__bridge id)kSecClassKey,
-                      (__bridge id)kSecValueRef : (__bridge id)keyRef,
-                      (__bridge id)
-                      kSecAttrAccessible : (__bridge id)kSecAttrAccessibleAlwaysThisDeviceOnly,
-                    };
-                    [[FIRInstanceIDKeychain sharedInstance] addItemWithQuery:addQuery
-                                                                     handler:^(NSError *addError) {
-                                                                       if (handler) {
-                                                                         handler(addError);
-                                                                       }
-                                                                     }];
-                  }];
+  NSDictionary *addQuery = @{
+    (__bridge id)kSecAttrApplicationTag : updatedTagData,
+    (__bridge id)kSecClass : (__bridge id)kSecClassKey,
+    (__bridge id)kSecValueRef : (__bridge id)keyRef,
+    (__bridge id)kSecAttrAccessible : (__bridge id)kSecAttrAccessibleAlwaysThisDeviceOnly,
+  };
+  [[FIRInstanceIDKeychain sharedInstance] addItemWithQuery:addQuery
+                                                   handler:^(NSError *addError) {
+                                                     if (addError) {
+                                                       keychainError = addError;
+                                                     }
+
+                                                     if (handler) {
+                                                       handler(keychainError);
+                                                     }
+                                                   }];
 }
 
 - (void)deleteSavedKeyPairWithSubtype:(NSString *)subtype
@@ -453,6 +455,8 @@ - (void)deleteSavedKeyPairWithSubtype:(NSString *)subtype
     }
   }
 
+  self.keyPair = nil;
+
   [FIRInstanceIDKeyPairStore
       deleteKeyPairWithPrivateTag:privateKeyTag
                         publicTag:publicKeyTag
@@ -475,7 +479,6 @@ - (void)deleteSavedKeyPairWithSubtype:(NSString *)subtype
                                 handler(error);
                               }
                             } else {
-                              self.keyPair = nil;
                               if (handler) {
                                 handler(nil);
                               }
@@ -489,28 +492,25 @@ + (void)deleteKeyPairWithPrivateTag:(NSString *)privateTag
   NSDictionary *queryPublicKey = FIRInstanceIDKeyPairQuery(publicTag, NO, NO);
   NSDictionary *queryPrivateKey = FIRInstanceIDKeyPairQuery(privateTag, NO, NO);
 
+  __block NSError *keychainError;
+
   // Always remove public key first because it is the key we generate IID.
   [[FIRInstanceIDKeychain sharedInstance] removeItemWithQuery:queryPublicKey
                                                       handler:^(NSError *error) {
                                                         if (error) {
-                                                          if (handler) {
-                                                            handler(error);
-                                                          }
-                                                          return;
+                                                          keychainError = error;
+                                                        }
+                                                      }];
+
+  [[FIRInstanceIDKeychain sharedInstance] removeItemWithQuery:queryPrivateKey
+                                                      handler:^(NSError *error) {
+                                                        if (error) {
+                                                          keychainError = error;
+                                                        }
+
+                                                        if (handler) {
+                                                          handler(keychainError);
                                                         }
-                                                        [[FIRInstanceIDKeychain sharedInstance]
-                                                            removeItemWithQuery:queryPrivateKey
-                                                                        handler:^(NSError *error) {
-                                                                          if (error) {
-                                                                            if (handler) {
-                                                                              handler(error);
-                                                                            }
-                                                                            return;
-                                                                          }
-                                                                          if (handler) {
-                                                                            handler(nil);
-                                                                          }
-                                                                        }];
                                                       }];
 }
 
