(wip) SRP Login implementation

Author: MattKiazyk

Xcodes.xcodeproj/project.pbxproj

@@ -3,7 +3,7 @@
 	archiveVersion = 1;
 	classes = {
 	};
-	objectVersion = 54;
+	objectVersion = 60;
 	objects = {
 
 /* Begin PBXBuildFile section */
@@ -122,6 +122,7 @@
 		E84E4F522B323A5F003F3959 /* CornerRadiusModifier.swift in Sources */ = {isa = PBXBuildFile; fileRef = E84E4F512B323A5F003F3959 /* CornerRadiusModifier.swift */; };
 		E84E4F542B333864003F3959 /* PlatformsListView.swift in Sources */ = {isa = PBXBuildFile; fileRef = E84E4F532B333864003F3959 /* PlatformsListView.swift */; };
 		E84E4F572B335094003F3959 /* OrderedCollections in Frameworks */ = {isa = PBXBuildFile; productRef = E84E4F562B335094003F3959 /* OrderedCollections */; };
+		E862D43B2CC8B26F00BAA376 /* SRP in Frameworks */ = {isa = PBXBuildFile; productRef = E862D43A2CC8B26F00BAA376 /* SRP */; };
 		E86671272B309D2F0048559A /* PlatformsView.swift in Sources */ = {isa = PBXBuildFile; fileRef = E86671262B309D2F0048559A /* PlatformsView.swift */; };
 		E87AB3C52939B65E00D72F43 /* Hardware.swift in Sources */ = {isa = PBXBuildFile; fileRef = E87AB3C42939B65E00D72F43 /* Hardware.swift */; };
 		E87DD6EB25D053FA00D86808 /* Progress+.swift in Sources */ = {isa = PBXBuildFile; fileRef = E87DD6EA25D053FA00D86808 /* Progress+.swift */; };
@@ -358,6 +359,7 @@
 				CA9FF86D25951C6E00E47BAF /* XCModel in Frameworks */,
 				CABFA9F82592F0F900380FEE /* KeychainAccess in Frameworks */,
 				E83FDC442CBB649100679C6B /* Sparkle in Frameworks */,
+				E862D43B2CC8B26F00BAA376 /* SRP in Frameworks */,
 				CAA858CD25A3D8BC00ACF8C0 /* ErrorHandling in Frameworks */,
 				E8C0EB1A291EF43E0081528A /* XcodesKit in Frameworks */,
 				E8FD5727291EE4AC001E004C /* AsyncNetworkService in Frameworks */,
@@ -723,6 +725,7 @@
 				E84E4F562B335094003F3959 /* OrderedCollections */,
 				E83FDC432CBB649100679C6B /* Sparkle */,
 				334A932B2CA885A400A5E079 /* LibFido2Swift */,
+				E862D43A2CC8B26F00BAA376 /* SRP */,
 			);
 			productName = XcodesMac;
 			productReference = CAD2E79E2449574E00113D76 /* Xcodes.app */;
@@ -812,6 +815,7 @@
 				E84E4F552B335094003F3959 /* XCRemoteSwiftPackageReference "swift-collections" */,
 				E83FDC422CBB649100679C6B /* XCRemoteSwiftPackageReference "Sparkle" */,
 				33027E282CA8BB5800CB387C /* XCRemoteSwiftPackageReference "LibFido2Swift" */,
+				E862D4392CC8B26F00BAA376 /* XCLocalSwiftPackageReference "xcodes-srp" */,
 			);
 			productRefGroup = CAD2E79F2449574E00113D76 /* Products */;
 			projectDirPath = "";
@@ -1480,6 +1484,13 @@
 		};
 /* End XCConfigurationList section */
 
+/* Begin XCLocalSwiftPackageReference section */
+		E862D4392CC8B26F00BAA376 /* XCLocalSwiftPackageReference "xcodes-srp" */ = {
+			isa = XCLocalSwiftPackageReference;
+			relativePath = "xcodes-srp";
+		};
+/* End XCLocalSwiftPackageReference section */
+
 /* Begin XCRemoteSwiftPackageReference section */
 		33027E282CA8BB5800CB387C /* XCRemoteSwiftPackageReference "LibFido2Swift" */ = {
 			isa = XCRemoteSwiftPackageReference;
@@ -1646,6 +1657,10 @@
 			package = E84E4F552B335094003F3959 /* XCRemoteSwiftPackageReference "swift-collections" */;
 			productName = OrderedCollections;
 		};
+		E862D43A2CC8B26F00BAA376 /* SRP */ = {
+			isa = XCSwiftPackageProductDependency;
+			productName = SRP;
+		};
 		E8C0EB19291EF43E0081528A /* XcodesKit */ = {
 			isa = XCSwiftPackageProductDependency;
 			productName = XcodesKit;

Xcodes.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved

@@ -5,7 +5,7 @@ import PackageDescription
 
 let package = Package(
     name: "AppleAPI",
-    platforms: [.macOS(.v10_15)],
+    platforms: [.macOS(.v11)],
     products: [
         // Products define the executables and libraries a package produces, and make them visible to other packages.
         .library(

Xcodes/AppleAPI/Package.swift

@@ -1,5 +1,8 @@
 import Foundation
 import Combine
+import SRP
+import Crypto
+import CommonCrypto
 
 public class Client {
     private static let authTypes = ["sa", "hsa", "non-sa", "hsa2"]
@@ -8,6 +11,144 @@ public class Client {
 
     // MARK: - Login
 
+    public func srpLogin(accountName: String, password: String) -> AnyPublisher<AuthenticationState, Swift.Error> {
+        var serviceKey: String!
+        
+        let config = SRPConfiguration<SHA256>(.N2048)
+        let client = SRPClient(configuration: config)
+        let clientKeys = client.generateKeys()
+       
+        return Current.network.dataTask(with: URLRequest.itcServiceKey)
+            .map(\.data)
+            .decode(type: ServiceKeyResponse.self, decoder: JSONDecoder())
+            .flatMap { serviceKeyResponse -> AnyPublisher<(String, String), Swift.Error> in
+                serviceKey = serviceKeyResponse.authServiceKey
+                
+                // Fixes issue https://github.com/RobotsAndPencils/XcodesApp/issues/360
+                // On 2023-02-23, Apple added a custom implementation of hashcash to their auth flow
+                // Without this addition, Apple ID's would get set to locked
+                return self.loadHashcash(accountName: accountName, serviceKey: serviceKey)
+                    .map { return (serviceKey, $0)}
+                    .eraseToAnyPublisher()
+            }
+            .flatMap { (serviceKey, hashcash) -> AnyPublisher<(String, String, ServerSRPInitResponse), Swift.Error> in
+                
+                return Current.network.dataTask(with: URLRequest.SRPInit(serviceKey: serviceKey, a: clientKeys.private.hex, accountName: accountName))
+                    .map(\.data)
+                    .decode(type: ServerSRPInitResponse.self, decoder: JSONDecoder())
+                    .map { return (serviceKey, hashcash, $0) }
+                    .eraseToAnyPublisher()
+            }
+            .flatMap { (serviceKey, hashcash, srpInit) -> AnyPublisher<URLSession.DataTaskPublisher.Output, Swift.Error> in
+                
+                guard let decodedB = Data(base64Encoded: srpInit.b) else {
+                    return Fail(error: AuthenticationError.srpInvalidPublicKey)
+                        .eraseToAnyPublisher()
+                }
+                
+                guard let decodedSalt = Data(base64Encoded: srpInit.salt) else {
+                    return Fail(error: AuthenticationError.srpInvalidPublicKey)
+                        .eraseToAnyPublisher()
+                }
+
+                let iterations = srpInit.iteration
+                let serverPublic = SRPKey([UInt8](decodedB))
+                
+                guard let encryptedPassword = self.pbkdf2(password: password, saltData: decodedSalt, keyByteCount: 32, prf: CCPseudoRandomAlgorithm(kCCPRFHmacAlgSHA256), rounds: iterations) else {
+                    return Fail(error: AuthenticationError.srpInvalidPublicKey)
+                        .eraseToAnyPublisher()
+                }
+                
+                 
+                let encryptedPasswordArray = encryptedPassword.hexEncodedString()
+                 
+                print("EncryptedPassword: \(encryptedPasswordArray)")
+                print("EncryptedPassword: \([UInt8](encryptedPassword))")
+                do {
+                    
+                    // this calculates "S"
+                    let clientSharedSecret = try client.calculateSharedSecret(
+                        encryptedPassword: encryptedPasswordArray,
+                        salt: [UInt8](decodedSalt),
+                        clientKeys: clientKeys,
+                        serverPublicKey: serverPublic
+                    )
+                    print("SharedSecret: \(clientSharedSecret)")
+                    
+                    let m1 = client.calculateClientProof(
+                        username: accountName,
+                        salt: [UInt8](decodedSalt),
+                        clientPublicKey: clientKeys.public,
+                        serverPublicKey: serverPublic,
+                        sharedSecret: clientSharedSecret
+                    )
+
+                    let m2 = client.serverProof(clientProof: m1, clientKeys: clientKeys, sharedSecret: clientSharedSecret)
+                   
+                    
+                    print("M1: \(Data(m1).base64EncodedString())")
+                    print("M2: \(Data(m2).base64EncodedString())")
+                    
+                    return Current.network.dataTask(with: URLRequest.SRPComplete(serviceKey: serviceKey, hashcash: hashcash, accountName: accountName, c: srpInit.c, m1: Data(m1).base64EncodedString(), m2: Data(m2).base64EncodedString()))
+                        .mapError { $0 as Swift.Error }
+                        .eraseToAnyPublisher()
+                } catch {
+                    print("Error: calculateSharedSecret \(error)")
+                    return Fail(error: AuthenticationError.srpInvalidPublicKey)
+                        .eraseToAnyPublisher()
+                }
+            }
+            .flatMap { result -> AnyPublisher<AuthenticationState, Swift.Error> in
+                let (data, response) = result
+                return Just(data)
+                    .decode(type: SignInResponse.self, decoder: JSONDecoder())
+                    .flatMap { responseBody -> AnyPublisher<AuthenticationState, Swift.Error> in
+                        let httpResponse = response as! HTTPURLResponse
+                        
+                        switch httpResponse.statusCode {
+                        case 200:
+                            return Current.network.dataTask(with: URLRequest.olympusSession)
+                                .map { _ in AuthenticationState.authenticated }
+                                .mapError { $0 as Swift.Error }
+                                .eraseToAnyPublisher()
+                        case 401:
+                            return Fail(error: AuthenticationError.invalidUsernameOrPassword(username: accountName))
+                                .eraseToAnyPublisher()
+                        case 403:
+                            let errorMessage = responseBody.serviceErrors?.first?.description.replacingOccurrences(of: "-20209: ", with: "") ?? ""
+                            return Fail(error: AuthenticationError.accountLocked(errorMessage))
+                                .eraseToAnyPublisher()
+                        case 409:
+                            return self.handleTwoStepOrFactor(data: data, response: response, serviceKey: serviceKey)
+                        case 412 where Client.authTypes.contains(responseBody.authType ?? ""):
+                            return Fail(error: AuthenticationError.appleIDAndPrivacyAcknowledgementRequired)
+                                .eraseToAnyPublisher()
+                        default:
+                            return Fail(error: AuthenticationError.unexpectedSignInResponse(statusCode: httpResponse.statusCode,
+                                                                 message: responseBody.serviceErrors?.map { $0.description }.joined(separator: ", ")))
+                                .eraseToAnyPublisher()
+                        }
+                    }
+                    .eraseToAnyPublisher()
+            }
+//            .map(\.data)
+//            .decode(type: ServerSRPInitResponse.self, decoder: JSONDecoder())
+//        
+//        
+//           
+//            .flatMap { result -> AnyPublisher<AuthenticationState, Swift.Error> in
+//                return ("")
+//            }
+//            .flatMap { serverResponse -> AnyPublisher<AuthenticationState, Error> in
+//                print(serverResponse)
+//                return Fail(error: AuthenticationError.accountUsesTwoStepAuthentication)
+//                    .eraseToAnyPublisher()
+//            }
+            .mapError { $0 as Swift.Error }
+            .eraseToAnyPublisher()
+    }
+    
+    
     public func login(accountName: String, password: String) -> AnyPublisher<AuthenticationState, Swift.Error> {
         var serviceKey: String!
 
@@ -257,6 +398,32 @@ public class Client {
             .mapError { $0 as Error }
             .eraseToAnyPublisher()
     }
+    
+    private func pbkdf2(password: String, saltData: Data, keyByteCount: Int, prf: CCPseudoRandomAlgorithm, rounds: Int) -> Data? {
+        guard let passwordData = password.data(using: .utf8) else { return nil }
+        
+        var derivedKeyData = Data(repeating: 0, count: keyByteCount)
+        let derivedCount = derivedKeyData.count
+        let derivationStatus: Int32 = derivedKeyData.withUnsafeMutableBytes { derivedKeyBytes in
+            let keyBuffer: UnsafeMutablePointer<UInt8> =
+                derivedKeyBytes.baseAddress!.assumingMemoryBound(to: UInt8.self)
+            return saltData.withUnsafeBytes { saltBytes -> Int32 in
+                let saltBuffer: UnsafePointer<UInt8> = saltBytes.baseAddress!.assumingMemoryBound(to: UInt8.self)
+                return CCKeyDerivationPBKDF(
+                    CCPBKDFAlgorithm(kCCPBKDF2),
+                    password,
+                    passwordData.count,
+                    saltBuffer,
+                    saltData.count,
+                    prf,
+                    UInt32(rounds),
+                    keyBuffer,
+                    derivedCount)
+            }
+        }
+        return derivationStatus == kCCSuccess ? derivedKeyData : nil
+    }
+
 }
 
 // MARK: - Types
@@ -282,6 +449,7 @@ public enum AuthenticationError: Swift.Error, LocalizedError, Equatable {
     case notDeveloperAppleId
     case notAuthorized
     case invalidResult(resultString: String?)
+    case srpInvalidPublicKey
 
     public var errorDescription: String? {
         switch self {
@@ -316,6 +484,8 @@ public enum AuthenticationError: Swift.Error, LocalizedError, Equatable {
             return "You are not authorized. Please Sign in with your Apple ID first."
         case let .invalidResult(resultString):
             return resultString ?? "If you continue to have problems, please submit a bug report in the Help menu."
+        case .srpInvalidPublicKey:
+            return "Invalid Key"
         }
     }
 }
@@ -495,3 +665,23 @@ public struct AppleProvider: Decodable, Equatable {
 public struct AppleUser: Decodable, Equatable {
     public let fullName: String
 }
+
+public struct ServerSRPInitResponse: Decodable {
+    let iteration: Int
+    let salt: String
+    let b: String
+    let c: String
+}
+
+
+
+extension String {
+    func base64ToU8Array() -> Data {
+        return Data(base64Encoded: self) ?? Data()
+    }
+}
+extension Data {
+    func hexEncodedString() -> String {
+        return map { String(format: "%02hhx", $0) }.joined()
+    }
+}

Xcodes/AppleAPI/Sources/AppleAPI/Client.swift

@@ -10,6 +10,10 @@ public extension URL {
     static let federate = URL(string: "https://idmsa.apple.com/appleauth/auth/federate")!
     static let olympusSession = URL(string: "https://appstoreconnect.apple.com/olympus/v1/session")!
     static let keyAuth = URL(string: "https://idmsa.apple.com/appleauth/auth/verify/security/key")!
+    
+    static let srpInit = URL(string: "https://idmsa.apple.com/appleauth/auth/signin/init")!
+    static let srpComplete = URL(string: "https://idmsa.apple.com/appleauth/auth/signin/complete?isRememberMeEnabled=false")!
+    
 }
 
 public extension URLRequest {
@@ -150,4 +154,51 @@ public extension URLRequest {
 
         return request
     }
+    
+    static func SRPInit(serviceKey: String, a: String, accountName: String) -> URLRequest {
+        struct ServerSRPInitRequest: Encodable {
+            public let a: String
+            public let accountName: String
+            public let protocols: [SRPProtocol]
+        }
+        
+        var request = URLRequest(url: .srpInit)
+        request.httpMethod = "POST"
+        request.allHTTPHeaderFields = request.allHTTPHeaderFields ?? [:]
+        request.allHTTPHeaderFields?["Accept"] = "application/json"
+        request.allHTTPHeaderFields?["Content-Type"] = "application/json"
+        request.allHTTPHeaderFields?["X-Requested-With"] = "XMLHttpRequest"
+        request.allHTTPHeaderFields?["X-Apple-Widget-Key"] = serviceKey
+        
+        request.httpBody = try? JSONEncoder().encode(ServerSRPInitRequest(a: a, accountName: accountName, protocols: [.s2k, .s2k_fo]))
+        return request
+    }
+    
+    static func SRPComplete(serviceKey: String, hashcash: String, accountName: String, c: String, m1: String, m2: String) -> URLRequest {
+        struct ServerSRPCompleteRequest: Encodable {
+            let accountName: String
+            let c: String
+            let m1: String
+            let m2: String
+            let rememberMe: Bool
+        }
+        
+        var request = URLRequest(url: .srpComplete)
+        request.httpMethod = "POST"
+        request.allHTTPHeaderFields = request.allHTTPHeaderFields ?? [:]
+        request.allHTTPHeaderFields?["Accept"] = "application/json"
+        request.allHTTPHeaderFields?["Content-Type"] = "application/json"
+        request.allHTTPHeaderFields?["X-Requested-With"] = "XMLHttpRequest"
+        request.allHTTPHeaderFields?["X-Apple-Widget-Key"] = serviceKey
+        request.allHTTPHeaderFields?["X-Apple-HC"] = hashcash
+        
+        request.httpBody = try? JSONEncoder().encode(ServerSRPCompleteRequest(accountName: accountName, c: c, m1: m1, m2: m2, rememberMe: false))
+        return request
+    }
 }
+
+public enum SRPProtocol: String, Codable {
+    case s2k, s2k_fo
+}
+
+