feat: Add xeapi Aegis support#175
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
MoeFurina
added
增强 Enhancements
![github-code-quality[bot]](https://avatars.githubusercontent.com/u/9919?s=60&v=4){kind=small}
| * @param {string} input - XOR 编码后的 base64 输入 | ||
| * @returns {Buffer} 解码后的原始字节 | ||
| */ | ||
| function xorDecode(input) { |
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request implements the xeapi (Aegis) encryption scheme, which involves a three-layer encryption process (AES-256-GCM, ECDH P-256, and HKDF-SHA256) reverse-engineered from the Netease Cloud Music Android app. The changes include detailed documentation of the algorithm, a new utility for encryption/decryption, integration into the core request logic, and a new VIP tasks endpoint. Feedback from the reviewer highlights a compatibility issue with Node.js versions regarding crypto.hkdfSync, an invalid hex string length for the static AES key, and the use of placeholder values for the HKDF salt that will prevent successful server communication. Additionally, the reviewer suggested improving error handling for missing public keys and adopting modern JavaScript scoping practices.
| const sharedSecret = ecdh.computeSecret(serverPublicKey) | ||
|
|
||
| // HKDF-SHA256 派生 | ||
| const derivedKey = crypto.hkdfSync( |
There was a problem hiding this comment.
crypto.hkdfSync was introduced in Node.js v15.0.0. However, the package.json specifies a minimum Node.js version of >=12. This will cause a runtime error on older Node.js versions. Please update the engines field in package.json to >=15.0.0 or provide a fallback implementation for HKDF.
| } | ||
|
|
||
| // 参考值 (issue.md 提供, 可能不完整) | ||
| const keyHex = 'b31d1a4bf2ba849fe97edd55727d896dc1ed9ee492c0e86947c6dfb93b1' |
There was a problem hiding this comment.
The hex string keyHex has an odd length (59 characters), which is invalid for a hex-encoded buffer. This results in a truncated 29-byte buffer instead of the expected 32-byte (256-bit) AES key. Please verify and provide the complete 64-character hex string.
| if (!serverPublicKeyBase64) { | ||
| console.warn( | ||
| '[xeapi] ⚠️ 服务器公钥为空,使用临时密钥占位 (此加密无法被真实服务器解密)', | ||
| ) | ||
| const tempEcdh = crypto.createECDH('prime256v1') | ||
| tempEcdh.generateKeys() | ||
| serverPublicKeyBase64 = tempEcdh | ||
| .getPublicKey(null, 'compressed') | ||
| .toString('base64') | ||
| } |
There was a problem hiding this comment.
Generating a random ECC key pair when the server public key is missing will result in an encrypted payload that the server cannot decrypt, leading to a failed request. It is better to throw an error early to inform the user that a valid serverPublicKey is required for xeapi encryption.
if (!serverPublicKeyBase64) {
throw new Error('[xeapi] 服务器公钥未设置!xeapi 加密需要有效的服务器 ECC 公钥。')
}| options.xeapiServerKey || process.env.XEAPI_SERVER_PUBLIC_KEY || '', | ||
| }) | ||
| encryptData = xeapiResult.params // { B, S, R } | ||
| var xeapiDynamicKey = xeapiResult.dynamicKey // 用于响应解密 |
There was a problem hiding this comment.
The variable xeapiDynamicKey is declared with var inside a switch case. While this works due to function-level hoisting (allowing it to be accessed in the .then block later), it is considered poor practice in modern JavaScript. It is recommended to declare the variable using let at the top of the createRequest function scope to improve clarity and avoid potential hoisting-related bugs.
| * 🟡 待从 libAegisSDK.so DAT_001a04c0 提取 (Ghidra read_memory) | ||
| * 这是一个 16 字节的全局数据,目前使用占位符 | ||
| */ | ||
| const HKDF_SALT = Buffer.alloc(16, 0) |
There was a problem hiding this comment.
HKDF_SALT is currently a placeholder (all zeros). According to the reverse engineering notes in issue.md, this value needs to be extracted from the native library (DAT_001a04c0) for the encryption to be compatible with the actual server. Using a zeroed salt will result in incorrect derived keys.
1 participant
由于缺少AES密钥和ECC公钥, 这个PR随时可能关闭