Merge pull request stephencelis#556 from stephencelis/sqlcipher

sqlcipher enhancements

Author: jberkel

CocoaPodsTests/integration_test.rb

@@ -14,6 +14,7 @@ def test_validate_project
   def validator
     @validator ||= TestRunningValidator.new(podspec, []).tap do |validator|
         validator.test_files = Dir["#{project_test_dir}/*.swift"]
+        validator.test_resources = Dir["#{project_test_dir}/fixtures"]
         validator.config.verbose = true
         validator.no_clean = true
         validator.use_frameworks = true

CocoaPodsTests/test_running_validator.rb

@@ -7,12 +7,15 @@ class TestRunningValidator < Pod::Validator
   TEST_TARGET = 'Tests'
 
   attr_accessor :test_files
+  attr_accessor :test_resources
   attr_accessor :ios_simulator
   attr_accessor :tvos_simulator
   attr_accessor :watchos_simulator
 
   def initialize(spec_or_path, source_urls)
     super(spec_or_path, source_urls)
+    self.test_files = []
+    self.test_resources = []
     self.ios_simulator = :oldest
     self.tvos_simulator = :oldest
     self.watchos_simulator = :oldest
@@ -30,6 +33,7 @@ def add_app_project_import
     project = Xcodeproj::Project.open(validation_dir + 'App.xcodeproj')
     group = project.new_group(TEST_TARGET)
     test_target = project.targets.last
+    test_target.add_resources(test_resources.map { |resource| group.new_file(resource) })
     test_target.add_file_references(test_files.map { |file| group.new_file(file) })
     add_swift_version(test_target)
     project.save

SQLite.xcodeproj/project.pbxproj

@@ -46,12 +46,15 @@
 		03A65E941C6BB3030062603F /* ValueTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = EE247B331C3F142E00AE3E12 /* ValueTests.swift */; };
 		03A65E951C6BB3030062603F /* TestHelpers.swift in Sources */ = {isa = PBXBuildFile; fileRef = EE247B161C3F127200AE3E12 /* TestHelpers.swift */; };
 		03A65E971C6BB3210062603F /* libsqlite3.tbd in Frameworks */ = {isa = PBXBuildFile; fileRef = 03A65E961C6BB3210062603F /* libsqlite3.tbd */; };
+		19A1709C3E7A406E62293B2A /* Fixtures.swift in Sources */ = {isa = PBXBuildFile; fileRef = 19A17B93B48B5560E6E51791 /* Fixtures.swift */; };
 		19A1717B10CC941ACB5533D6 /* FTS5.swift in Sources */ = {isa = PBXBuildFile; fileRef = 19A1730E4390C775C25677D1 /* FTS5.swift */; };
 		19A171E6FA242F72A308C594 /* FTS5Tests.swift in Sources */ = {isa = PBXBuildFile; fileRef = 19A1721B8984686B9963B45D /* FTS5Tests.swift */; };
 		19A171F12AB8B07F2FD7201A /* Cipher.swift in Sources */ = {isa = PBXBuildFile; fileRef = 19A178A39ACA9667A62663CC /* Cipher.swift */; };
 		19A17254FBA7894891F7297B /* FTS5Tests.swift in Sources */ = {isa = PBXBuildFile; fileRef = 19A1721B8984686B9963B45D /* FTS5Tests.swift */; };
+		19A17408007B182F884E3A53 /* Fixtures.swift in Sources */ = {isa = PBXBuildFile; fileRef = 19A17B93B48B5560E6E51791 /* Fixtures.swift */; };
 		19A174D78559CD30679BCCCB /* FTS5Tests.swift in Sources */ = {isa = PBXBuildFile; fileRef = 19A1721B8984686B9963B45D /* FTS5Tests.swift */; };
 		19A1750CEE9B05267995CF3D /* FTS5.swift in Sources */ = {isa = PBXBuildFile; fileRef = 19A1730E4390C775C25677D1 /* FTS5.swift */; };
+		19A175DFF47B84757E547C62 /* fixtures in Resources */ = {isa = PBXBuildFile; fileRef = 19A17E2695737FAB5D6086E3 /* fixtures */; };
 		19A177CC33F2E6A24AF90B02 /* CipherTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = 19A17399EA9E61235D5D77BF /* CipherTests.swift */; };
 		19A178072B371489E6A1E839 /* FoundationTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = 19A1794CC4D7827E997E32A7 /* FoundationTests.swift */; };
 		19A17835FD5886FDC5A3228F /* Cipher.swift in Sources */ = {isa = PBXBuildFile; fileRef = 19A178A39ACA9667A62663CC /* Cipher.swift */; };
@@ -61,7 +64,10 @@
 		19A17C4B951CB054EE48AB1C /* CipherTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = 19A17399EA9E61235D5D77BF /* CipherTests.swift */; };
 		19A17E04C4C0956715C5676A /* FoundationTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = 19A1794CC4D7827E997E32A7 /* FoundationTests.swift */; };
 		19A17EC0D68BA8C03288ADF7 /* FTS5.swift in Sources */ = {isa = PBXBuildFile; fileRef = 19A1730E4390C775C25677D1 /* FTS5.swift */; };
+		19A17F3E1F7ACA33BD43E138 /* fixtures in Resources */ = {isa = PBXBuildFile; fileRef = 19A17E2695737FAB5D6086E3 /* fixtures */; };
+		19A17F60B685636D1F83C2DD /* Fixtures.swift in Sources */ = {isa = PBXBuildFile; fileRef = 19A17B93B48B5560E6E51791 /* Fixtures.swift */; };
 		19A17FB80B94E882050AA908 /* FoundationTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = 19A1794CC4D7827E997E32A7 /* FoundationTests.swift */; };
+		19A17FDA323BAFDEC627E76F /* fixtures in Resources */ = {isa = PBXBuildFile; fileRef = 19A17E2695737FAB5D6086E3 /* fixtures */; };
 		3D67B3E61DB2469200A4F4C6 /* libsqlite3.tbd in Frameworks */ = {isa = PBXBuildFile; fileRef = 3D67B3E51DB2469200A4F4C6 /* libsqlite3.tbd */; };
 		3D67B3E71DB246BA00A4F4C6 /* Blob.swift in Sources */ = {isa = PBXBuildFile; fileRef = EE247AEE1C3F06E900AE3E12 /* Blob.swift */; };
 		3D67B3E81DB246BA00A4F4C6 /* Connection.swift in Sources */ = {isa = PBXBuildFile; fileRef = EE247AEF1C3F06E900AE3E12 /* Connection.swift */; };
@@ -199,6 +205,8 @@
 		19A17399EA9E61235D5D77BF /* CipherTests.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = CipherTests.swift; sourceTree = "<group>"; };
 		19A178A39ACA9667A62663CC /* Cipher.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = Cipher.swift; sourceTree = "<group>"; };
 		19A1794CC4D7827E997E32A7 /* FoundationTests.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = FoundationTests.swift; sourceTree = "<group>"; };
+		19A17B93B48B5560E6E51791 /* Fixtures.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = Fixtures.swift; sourceTree = "<group>"; };
+		19A17E2695737FAB5D6086E3 /* fixtures */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = folder; path = fixtures; sourceTree = "<group>"; };
 		39548A631CA63C740003E3B5 /* module.modulemap */ = {isa = PBXFileReference; lastKnownFileType = "sourcecode.module-map"; path = module.modulemap; sourceTree = "<group>"; };
 		39548A651CA63C740003E3B5 /* module.modulemap */ = {isa = PBXFileReference; lastKnownFileType = "sourcecode.module-map"; path = module.modulemap; sourceTree = "<group>"; };
 		39548A671CA63C740003E3B5 /* module.modulemap */ = {isa = PBXFileReference; lastKnownFileType = "sourcecode.module-map"; path = module.modulemap; sourceTree = "<group>"; };
@@ -465,6 +473,8 @@
 				19A1721B8984686B9963B45D /* FTS5Tests.swift */,
 				19A1794CC4D7827E997E32A7 /* FoundationTests.swift */,
 				19A17399EA9E61235D5D77BF /* CipherTests.swift */,
+				19A17E2695737FAB5D6086E3 /* fixtures */,
+				19A17B93B48B5560E6E51791 /* Fixtures.swift */,
 			);
 			path = SQLiteTests;
 			sourceTree = "<group>";
@@ -792,6 +802,7 @@
 			isa = PBXResourcesBuildPhase;
 			buildActionMask = 2147483647;
 			files = (
+				19A17F3E1F7ACA33BD43E138 /* fixtures in Resources */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
@@ -813,6 +824,7 @@
 			isa = PBXResourcesBuildPhase;
 			buildActionMask = 2147483647;
 			files = (
+				19A17FDA323BAFDEC627E76F /* fixtures in Resources */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
@@ -827,6 +839,7 @@
 			isa = PBXResourcesBuildPhase;
 			buildActionMask = 2147483647;
 			files = (
+				19A175DFF47B84757E547C62 /* fixtures in Resources */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
@@ -882,6 +895,7 @@
 				19A17254FBA7894891F7297B /* FTS5Tests.swift in Sources */,
 				19A17E04C4C0956715C5676A /* FoundationTests.swift in Sources */,
 				19A179A0C45377CB09BB358C /* CipherTests.swift in Sources */,
+				19A17F60B685636D1F83C2DD /* Fixtures.swift in Sources */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
@@ -961,6 +975,7 @@
 				19A171E6FA242F72A308C594 /* FTS5Tests.swift in Sources */,
 				19A17FB80B94E882050AA908 /* FoundationTests.swift in Sources */,
 				19A177CC33F2E6A24AF90B02 /* CipherTests.swift in Sources */,
+				19A17408007B182F884E3A53 /* Fixtures.swift in Sources */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
@@ -1013,6 +1028,7 @@
 				19A174D78559CD30679BCCCB /* FTS5Tests.swift in Sources */,
 				19A178072B371489E6A1E839 /* FoundationTests.swift in Sources */,
 				19A17C4B951CB054EE48AB1C /* CipherTests.swift in Sources */,
+				19A1709C3E7A406E62293B2A /* Fixtures.swift in Sources */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};

SQLite/Extensions/Cipher.swift

@@ -1,34 +1,64 @@
 #if SQLITE_SWIFT_SQLCIPHER
 import SQLCipher
 
+
+/// Extension methods for [SQLCipher](https://www.zetetic.net/sqlcipher/).
+/// @see [sqlcipher api](https://www.zetetic.net/sqlcipher/sqlcipher-api/)
 extension Connection {
-    public func key(_ key: String) throws {
-        try _key(keyPointer: key, keySize: key.utf8.count)
+
+    /// Specify the key for an encrypted database.  This routine should be
+    /// called right after sqlite3_open().
+    ///
+    /// @param key The key to use.The key itself can be a passphrase, which is converted to a key
+    ///            using [PBKDF2](https://en.wikipedia.org/wiki/PBKDF2) key derivation. The result
+    ///            is used as the encryption key for the database.
+    ///
+    ///            Alternatively, it is possible to specify an exact byte sequence using a blob literal.
+    ///            With this method, it is the calling application's responsibility to ensure that the data
+    ///            provided is a 64 character hex string, which will be converted directly to 32 bytes (256 bits)
+    ///            of key data.
+    ///            e.g. x'2DD29CA851E7B56E4697B0E1F08507293D761A05CE4D1B628663F411A8086D99'
+    /// @param db name of the database, defaults to 'main'
+    public func key(_ key: String, db: String = "main") throws {
+        try _key_v2(db: db, keyPointer: key, keySize: key.utf8.count)
     }
 
-    public func key(_ key: Blob) throws {
-        try _key(keyPointer: key.bytes, keySize: key.bytes.count)
+    public func key(_ key: Blob, db: String = "main") throws {
+        try _key_v2(db: db, keyPointer: key.bytes, keySize: key.bytes.count)
     }
 
-    public func rekey(_ key: String) throws {
-        try _rekey(keyPointer: key, keySize: key.utf8.count)
+
+    /// Change the key on an open database.  If the current database is not encrypted, this routine
+    /// will encrypt it.
+    /// To change the key on an existing encrypted database, it must first be unlocked with the
+    /// current encryption key. Once the database is readable and writeable, rekey can be used
+    /// to re-encrypt every page in the database with a new key.
+    public func rekey(_ key: String, db: String = "main") throws {
+        try _rekey_v2(db: db, keyPointer: key, keySize: key.utf8.count)
     }
 
-    public func rekey(_ key: Blob) throws {
-        try _rekey(keyPointer: key.bytes, keySize: key.bytes.count)
+    public func rekey(_ key: Blob, db: String = "main") throws {
+        try _rekey_v2(db: db, keyPointer: key.bytes, keySize: key.bytes.count)
     }
 
     // MARK: - private
-    private func _key(keyPointer: UnsafePointer<UInt8>, keySize: Int) throws {
-        try check(sqlite3_key(handle, keyPointer, Int32(keySize)))
+    private func _key_v2(db: String, keyPointer: UnsafePointer<UInt8>, keySize: Int) throws {
+        try check(sqlite3_key_v2(handle, db, keyPointer, Int32(keySize)))
+        try cipher_key_check()
+    }
+
+    private func _rekey_v2(db: String, keyPointer: UnsafePointer<UInt8>, keySize: Int) throws {
+        try check(sqlite3_rekey_v2(handle, db, keyPointer, Int32(keySize)))
+    }
+
+    // When opening an existing database, sqlite3_key_v2 will not immediately throw an error if
+    // the key provided is incorrect. To test that the database can be successfully opened with the
+    // provided key, it is necessary to perform some operation on the database (i.e. read from it).
+    private func cipher_key_check() throws {
         try execute(
             "CREATE TABLE \"__SQLCipher.swift__\" (\"cipher key check\");\n" +
             "DROP TABLE \"__SQLCipher.swift__\";"
         )
     }
-
-    private func _rekey(keyPointer: UnsafePointer<UInt8>, keySize: Int) throws {
-        try check(sqlite3_rekey(handle, keyPointer, Int32(keySize)))
-    }
 }
 #endif

SQLiteTests/CipherTests.swift

@@ -5,21 +5,20 @@ import SQLCipher
 
 class CipherTests: XCTestCase {
 
-    let db = try! Connection()
+    let db1 = try! Connection()
     let db2 = try! Connection()
 
     override func setUp() {
         // db
-        try! db.key("hello")
 
-        try! db.run("CREATE TABLE foo (bar TEXT)")
-        try! db.run("INSERT INTO foo (bar) VALUES ('world')")
+        try! db1.key("hello")
+
+        try! db1.run("CREATE TABLE foo (bar TEXT)")
+        try! db1.run("INSERT INTO foo (bar) VALUES ('world')")
 
         // db2
-        let keyData = NSMutableData(length: 64)!
-        let _ = SecRandomCopyBytes(kSecRandomDefault, 64,
-                                   keyData.mutableBytes.assumingMemoryBound(to: UInt8.self))
-        try! db2.key(Blob(bytes: keyData.bytes, length: keyData.length))
+        let key2 = keyData()
+        try! db2.key(Blob(bytes: key2.bytes, length: key2.length))
 
         try! db2.run("CREATE TABLE foo (bar TEXT)")
         try! db2.run("INSERT INTO foo (bar) VALUES ('world')")
@@ -28,24 +27,26 @@ class CipherTests: XCTestCase {
     }
 
     func test_key() {
-        XCTAssertEqual(1, try! db.scalar("SELECT count(*) FROM foo") as? Int64)
+        XCTAssertEqual(1, try! db1.scalar("SELECT count(*) FROM foo") as? Int64)
+    }
+
+    func test_key_blob_literal() {
+        let db = try! Connection()
+        try! db.key("x'2DD29CA851E7B56E4697B0E1F08507293D761A05CE4D1B628663F411A8086D99'")
     }
 
     func test_rekey() {
-        try! db.rekey("goodbye")
-        XCTAssertEqual(1, try! db.scalar("SELECT count(*) FROM foo") as? Int64)
+        try! db1.rekey("goodbye")
+        XCTAssertEqual(1, try! db1.scalar("SELECT count(*) FROM foo") as? Int64)
     }
 
     func test_data_key() {
         XCTAssertEqual(1, try! db2.scalar("SELECT count(*) FROM foo") as? Int64)
     }
 
     func test_data_rekey() {
-        let keyData = NSMutableData(length: 64)!
-        let _  = SecRandomCopyBytes(kSecRandomDefault, 64,
-                           keyData.mutableBytes.assumingMemoryBound(to: UInt8.self))
-
-        try! db2.rekey(Blob(bytes: keyData.bytes, length: keyData.length))
+        let newKey = keyData()
+        try! db2.rekey(Blob(bytes: newKey.bytes, length: newKey.length))
         XCTAssertEqual(1, try! db2.scalar("SELECT count(*) FROM foo") as? Int64)
     }
 
@@ -70,5 +71,24 @@ class CipherTests: XCTestCase {
         }
         XCTAssertEqual(SQLITE_NOTADB, rc)
     }
+
+    func test_open_db_encrypted_with_sqlcipher() {
+        // $ sqlcipher SQLiteTests/fixtures/encrypted.sqlite
+        // sqlite> pragma key = 'sqlcipher-test';
+        // sqlite> CREATE TABLE foo (bar TEXT);
+        // sqlite> INSERT INTO foo (bar) VALUES ('world');
+        let encryptedFile = fixture("encrypted", withExtension: "sqlite")
+        let conn = try! Connection(encryptedFile)
+        try! conn.key("sqlcipher-test")
+        XCTAssertEqual(1, try! conn.scalar("SELECT count(*) FROM foo") as? Int64)
+    }
+
+    private func keyData(length: Int = 64) -> NSMutableData {
+        let keyData = NSMutableData(length: length)!
+        let result  = SecRandomCopyBytes(kSecRandomDefault, length,
+                                         keyData.mutableBytes.assumingMemoryBound(to: UInt8.self))
+        XCTAssertEqual(0, result)
+        return keyData
+    }
 }
 #endif

SQLiteTests/Fixtures.swift

@@ -0,0 +1,8 @@
+import Foundation
+
+func fixture(_ name: String, withExtension: String?) -> String {
+    let testBundle = Bundle(for: SQLiteTestCase.self)
+    return testBundle.url(
+        forResource: URL(string: "fixtures")?.appendingPathComponent(name).path,
+        withExtension: withExtension)!.path
+}