Merge pull request #640 from XcodesOrg/matt/SRPLogin

Support SRP Login

Author: MattKiazyk

README.md

@@ -22,11 +22,14 @@ XcodesApp is now part of the `XcodesOrg` - [read more here](nextstep.md)
 - Just click a button to make a version active with `xcode-select`.
 - View release notes, OS compatibility, included SDKs and compilers from [Xcode Releases](https://xcodereleases.com).
 - Dark/Light Mode supported
+- Security Key Authentication supported 
 
 ## Platforms/Runtimes
 
 - Xcodes supports downloading the Apple runtimes via the app. Simply click on the Platform, and Xcodes will install automatically for you.
 
+**Note: iOS 18+, tvOS 18+, watchOS 11+, visionOS 2+ requires that Xcode 16.1 Beta 3+ be installed and active.** 
+
 ## Experiments
 
 - Thanks to the wonderful work of [https://github.com/saagarjha/unxip](https://github.com/saagarjha/unxip), turn on the experiment to increase your unxipping time by up to 70%! More can be found on his repo, but bugs, high memory may occur if used.
@@ -160,7 +163,8 @@ popd
 # Attach the zip that was created in the Product directory to the release
 # Publish the release
 
-# Update the [Homebrew Cask](https://github.com/RobotsAndPencils/homebrew-cask/blob/master/Casks/xcodes.rb).
+shasum -a 256 xcodes.zip
+# Update the [Homebrew Cask](https://github.com/XcodesOrg/homebrew-cask/blob/master/Casks/x/xcodes.rb).
 ```
 </details>
 

Xcodes.xcodeproj/project.pbxproj

@@ -7,6 +7,7 @@
 	objects = {
 
 /* Begin PBXBuildFile section */
+		15F5B8902CCF09B900705E2F /* CryptoKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 15F5B88F2CCF09B900705E2F /* CryptoKit.framework */; };
 		33027E342CA8C18800CB387C /* LibFido2Swift in Frameworks */ = {isa = PBXBuildFile; productRef = 334A932B2CA885A400A5E079 /* LibFido2Swift */; };
 		3328073F2CA5E2C80036F691 /* SignInSecurityKeyPinView.swift in Sources */ = {isa = PBXBuildFile; fileRef = 3328073E2CA5E2C80036F691 /* SignInSecurityKeyPinView.swift */; };
 		332807412CA5EA820036F691 /* SignInSecurityKeyTouchView.swift in Sources */ = {isa = PBXBuildFile; fileRef = 332807402CA5EA820036F691 /* SignInSecurityKeyTouchView.swift */; };
@@ -122,6 +123,7 @@
 		E84E4F522B323A5F003F3959 /* CornerRadiusModifier.swift in Sources */ = {isa = PBXBuildFile; fileRef = E84E4F512B323A5F003F3959 /* CornerRadiusModifier.swift */; };
 		E84E4F542B333864003F3959 /* PlatformsListView.swift in Sources */ = {isa = PBXBuildFile; fileRef = E84E4F532B333864003F3959 /* PlatformsListView.swift */; };
 		E84E4F572B335094003F3959 /* OrderedCollections in Frameworks */ = {isa = PBXBuildFile; productRef = E84E4F562B335094003F3959 /* OrderedCollections */; };
+		E862D43B2CC8B26F00BAA376 /* SRP in Frameworks */ = {isa = PBXBuildFile; productRef = E862D43A2CC8B26F00BAA376 /* SRP */; };
 		E86671272B309D2F0048559A /* PlatformsView.swift in Sources */ = {isa = PBXBuildFile; fileRef = E86671262B309D2F0048559A /* PlatformsView.swift */; };
 		E87AB3C52939B65E00D72F43 /* Hardware.swift in Sources */ = {isa = PBXBuildFile; fileRef = E87AB3C42939B65E00D72F43 /* Hardware.swift */; };
 		E87DD6EB25D053FA00D86808 /* Progress+.swift in Sources */ = {isa = PBXBuildFile; fileRef = E87DD6EA25D053FA00D86808 /* Progress+.swift */; };
@@ -195,6 +197,7 @@
 /* End PBXCopyFilesBuildPhase section */
 
 /* Begin PBXFileReference section */
+		15F5B88F2CCF09B900705E2F /* CryptoKit.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = CryptoKit.framework; path = System/Library/Frameworks/CryptoKit.framework; sourceTree = SDKROOT; };
 		3328073E2CA5E2C80036F691 /* SignInSecurityKeyPinView.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = SignInSecurityKeyPinView.swift; sourceTree = "<group>"; };
 		332807402CA5EA820036F691 /* SignInSecurityKeyTouchView.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = SignInSecurityKeyTouchView.swift; sourceTree = "<group>"; };
 		36741BFC291E4FDB00A85AAE /* DownloadPreferencePane.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = DownloadPreferencePane.swift; sourceTree = "<group>"; };
@@ -351,13 +354,15 @@
 			isa = PBXFrameworksBuildPhase;
 			buildActionMask = 2147483647;
 			files = (
+				15F5B8902CCF09B900705E2F /* CryptoKit.framework in Frameworks */,
 				33027E342CA8C18800CB387C /* LibFido2Swift in Frameworks */,
 				CABFA9E42592F08E00380FEE /* Version in Frameworks */,
 				CABFA9FD2592F13300380FEE /* LegibleError in Frameworks */,
 				E689540325BE8C64000EBCEA /* DockProgress in Frameworks */,
 				CA9FF86D25951C6E00E47BAF /* XCModel in Frameworks */,
 				CABFA9F82592F0F900380FEE /* KeychainAccess in Frameworks */,
 				E83FDC442CBB649100679C6B /* Sparkle in Frameworks */,
+				E862D43B2CC8B26F00BAA376 /* SRP in Frameworks */,
 				CAA858CD25A3D8BC00ACF8C0 /* ErrorHandling in Frameworks */,
 				E8C0EB1A291EF43E0081528A /* XcodesKit in Frameworks */,
 				E8FD5727291EE4AC001E004C /* AsyncNetworkService in Frameworks */,
@@ -414,6 +419,7 @@
 		CA538A12255A4F7C00E64DD7 /* Frameworks */ = {
 			isa = PBXGroup;
 			children = (
+				15F5B88F2CCF09B900705E2F /* CryptoKit.framework */,
 			);
 			name = Frameworks;
 			sourceTree = "<group>";
@@ -723,6 +729,7 @@
 				E84E4F562B335094003F3959 /* OrderedCollections */,
 				E83FDC432CBB649100679C6B /* Sparkle */,
 				334A932B2CA885A400A5E079 /* LibFido2Swift */,
+				E862D43A2CC8B26F00BAA376 /* SRP */,
 			);
 			productName = XcodesMac;
 			productReference = CAD2E79E2449574E00113D76 /* Xcodes.app */;
@@ -1646,6 +1653,10 @@
 			package = E84E4F552B335094003F3959 /* XCRemoteSwiftPackageReference "swift-collections" */;
 			productName = OrderedCollections;
 		};
+		E862D43A2CC8B26F00BAA376 /* SRP */ = {
+			isa = XCSwiftPackageProductDependency;
+			productName = SRP;
+		};
 		E8C0EB19291EF43E0081528A /* XcodesKit */ = {
 			isa = XCSwiftPackageProductDependency;
 			productName = XcodesKit;

Xcodes.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved

@@ -10,6 +10,15 @@
           "version": null
         }
       },
+      {
+        "package": "big-num",
+        "repositoryURL": "https://github.com/adam-fowler/big-num",
+        "state": {
+          "branch": null,
+          "revision": "5c5511ad06aeb2b97d0868f7394e14a624bfb1c7",
+          "version": "2.0.2"
+        }
+      },
       {
         "package": "CombineExpectations",
         "repositoryURL": "https://github.com/groue/CombineExpectations",
@@ -100,6 +109,24 @@
           "version": "1.0.5"
         }
       },
+      {
+        "package": "swift-crypto",
+        "repositoryURL": "https://github.com/apple/swift-crypto",
+        "state": {
+          "branch": null,
+          "revision": "ddb07e896a2a8af79512543b1c7eb9797f8898a5",
+          "version": "1.1.7"
+        }
+      },
+      {
+        "package": "swift-srp",
+        "repositoryURL": "https://github.com/xcodesOrg/swift-srp",
+        "state": {
+          "branch": "main",
+          "revision": "543aa0122a0257b992f6c7d62d18a26e3dffb8fe",
+          "version": null
+        }
+      },
       {
         "package": "SwiftSoup",
         "repositoryURL": "https://github.com/scinfu/SwiftSoup",

Xcodes/AppleAPI/Package.swift

@@ -1,24 +1,26 @@
-// swift-tools-version:5.3
+// swift-tools-version:5.7
 // The swift-tools-version declares the minimum version of Swift required to build this package.
 
 import PackageDescription
 
 let package = Package(
     name: "AppleAPI",
-    platforms: [.macOS(.v10_15)],
+    platforms: [.macOS(.v11)],
     products: [
         // Products define the executables and libraries a package produces, and make them visible to other packages.
         .library(
             name: "AppleAPI",
             targets: ["AppleAPI"]),
     ],
-    dependencies: [],
+    dependencies: [
+        .package(url: "https://github.com/xcodesOrg/swift-srp", branch: "main")
+    ],
     targets: [
         // Targets are the basic building blocks of a package. A target can define a module or a test suite.
         // Targets can depend on other targets in this package, and on products in packages this package depends on.
         .target(
             name: "AppleAPI",
-            dependencies: []),
+            dependencies: [.product(name: "SRP", package: "swift-srp")]),
         .testTarget(
             name: "AppleAPITests",
             dependencies: ["AppleAPI"]),

Xcodes/AppleAPI/Sources/AppleAPI/Client.swift

@@ -1,5 +1,9 @@
 import Foundation
 import Combine
+import SRP
+import Crypto
+import CommonCrypto
+
 
 public class Client {
     private static let authTypes = ["sa", "hsa", "non-sa", "hsa2"]
@@ -8,8 +12,12 @@ public class Client {
 
     // MARK: - Login
 
-    public func login(accountName: String, password: String) -> AnyPublisher<AuthenticationState, Swift.Error> {
+    public func srpLogin(accountName: String, password: String) -> AnyPublisher<AuthenticationState, Swift.Error> {
         var serviceKey: String!
+        
+        let client = SRPClient(configuration: SRPConfiguration<SHA256>(.N2048))
+        let clientKeys = client.generateKeys()
+        let a = clientKeys.public
 
         return Current.network.dataTask(with: URLRequest.itcServiceKey)
             .map(\.data)
@@ -24,11 +32,45 @@ public class Client {
                     .map { return (serviceKey, $0)}
                     .eraseToAnyPublisher()
             }
-            .flatMap { (serviceKey, hashcash) -> AnyPublisher<URLSession.DataTaskPublisher.Output, Swift.Error> in
+            .flatMap { (serviceKey, hashcash) -> AnyPublisher<(String, String, ServerSRPInitResponse), Swift.Error> in
+                
+                return Current.network.dataTask(with: URLRequest.SRPInit(serviceKey: serviceKey, a: Data(a.bytes).base64EncodedString(), accountName: accountName))
+                    .map(\.data)
+                    .decode(type: ServerSRPInitResponse.self, decoder: JSONDecoder())
+                    .map { return (serviceKey, hashcash, $0) }
+                    .eraseToAnyPublisher()
+            }
+            .flatMap { (serviceKey, hashcash, srpInit) -> AnyPublisher<URLSession.DataTaskPublisher.Output, Swift.Error> in
+                guard let decodedB = Data(base64Encoded: srpInit.b) else {
+                    return Fail(error: AuthenticationError.srpInvalidPublicKey)
+                        .eraseToAnyPublisher()
+                }
+                
+                guard let decodedSalt = Data(base64Encoded: srpInit.salt) else {
+                    return Fail(error: AuthenticationError.srpInvalidPublicKey)
+                        .eraseToAnyPublisher()
+                }
+
+                let iterations = srpInit.iteration
+                
+                do {
+                    guard let encryptedPassword = self.pbkdf2(password: password, saltData: decodedSalt, keyByteCount: 32, prf: CCPseudoRandomAlgorithm(kCCPRFHmacAlgSHA256), rounds: iterations) else {
+                        return Fail(error: AuthenticationError.srpInvalidPublicKey)
+                            .eraseToAnyPublisher()
+                    }
+                    
+                    let sharedSecret = try client.calculateSharedSecret(password: encryptedPassword, salt: [UInt8](decodedSalt), clientKeys: clientKeys, serverPublicKey: .init([UInt8](decodedB)))
 
-                return Current.network.dataTask(with: URLRequest.signIn(serviceKey: serviceKey, accountName: accountName, password: password, hashcash: hashcash))
+                    let m1 = client.calculateClientProof(username: accountName, salt: [UInt8](decodedSalt), clientPublicKey: a, serverPublicKey: .init([UInt8](decodedB)), sharedSecret: .init(sharedSecret.bytes))
+                    let m2 = client.calculateServerProof(clientPublicKey: a, clientProof: m1, sharedSecret: .init([UInt8](sharedSecret.bytes)))
+
+                    return Current.network.dataTask(with: URLRequest.SRPComplete(serviceKey: serviceKey, hashcash: hashcash, accountName: accountName, c: srpInit.c, m1: Data(m1).base64EncodedString(), m2: Data(m2).base64EncodedString()))
                             .mapError { $0 as Swift.Error }
                             .eraseToAnyPublisher()
+                } catch {
+                    return Fail(error: AuthenticationError.srpInvalidPublicKey)
+                        .eraseToAnyPublisher()
+                }
             }
             .flatMap { result -> AnyPublisher<AuthenticationState, Swift.Error> in
                 let (data, response) = result
@@ -257,6 +299,44 @@ public class Client {
             .mapError { $0 as Error }
             .eraseToAnyPublisher()
     }
+
+    func sha256(data : Data) -> Data {
+        var hash = [UInt8](repeating: 0,  count: Int(CC_SHA256_DIGEST_LENGTH))
+        data.withUnsafeBytes {
+            _ = CC_SHA256($0.baseAddress, CC_LONG(data.count), &hash)
+        }
+        return Data(hash)
+    }
+
+    private func pbkdf2(password: String, saltData: Data, keyByteCount: Int, prf: CCPseudoRandomAlgorithm, rounds: Int) -> Data? {
+        guard let passwordData = password.data(using: .utf8) else { return nil }
+        let hashedPasswordData = sha256(data: passwordData)
+
+        var derivedKeyData = Data(repeating: 0, count: keyByteCount)
+        let derivedCount = derivedKeyData.count
+        let derivationStatus: Int32 = derivedKeyData.withUnsafeMutableBytes { derivedKeyBytes in
+            let keyBuffer: UnsafeMutablePointer<UInt8> =
+                derivedKeyBytes.baseAddress!.assumingMemoryBound(to: UInt8.self)
+            return saltData.withUnsafeBytes { saltBytes -> Int32 in
+                let saltBuffer: UnsafePointer<UInt8> = saltBytes.baseAddress!.assumingMemoryBound(to: UInt8.self)
+                return hashedPasswordData.withUnsafeBytes { hashedPasswordBytes -> Int32 in
+                    let passwordBuffer: UnsafePointer<UInt8> = hashedPasswordBytes.baseAddress!.assumingMemoryBound(to: UInt8.self)
+                    return CCKeyDerivationPBKDF(
+                        CCPBKDFAlgorithm(kCCPBKDF2),
+                        passwordBuffer,
+                        hashedPasswordData.count,
+                        saltBuffer,
+                        saltData.count,
+                        prf,
+                        UInt32(rounds),
+                        keyBuffer,
+                        derivedCount)
+                }
+            }
+        }
+        return derivationStatus == kCCSuccess ? derivedKeyData : nil
+    }
+
 }
 
 // MARK: - Types
@@ -282,6 +362,7 @@ public enum AuthenticationError: Swift.Error, LocalizedError, Equatable {
     case notDeveloperAppleId
     case notAuthorized
     case invalidResult(resultString: String?)
+    case srpInvalidPublicKey
 
     public var errorDescription: String? {
         switch self {
@@ -316,6 +397,8 @@ public enum AuthenticationError: Swift.Error, LocalizedError, Equatable {
             return "You are not authorized. Please Sign in with your Apple ID first."
         case let .invalidResult(resultString):
             return resultString ?? "If you continue to have problems, please submit a bug report in the Help menu."
+        case .srpInvalidPublicKey:
+            return "Invalid Key"
         }
     }
 }
@@ -495,3 +578,23 @@ public struct AppleProvider: Decodable, Equatable {
 public struct AppleUser: Decodable, Equatable {
     public let fullName: String
 }
+
+public struct ServerSRPInitResponse: Decodable {
+    let iteration: Int
+    let salt: String
+    let b: String
+    let c: String
+}
+
+
+
+extension String {
+    func base64ToU8Array() -> Data {
+        return Data(base64Encoded: self) ?? Data()
+    }
+}
+extension Data {
+    func hexEncodedString() -> String {
+        return map { String(format: "%02hhx", $0) }.joined()
+    }
+}

Xcodes/AppleAPI/Sources/AppleAPI/URLRequest+Apple.swift

@@ -10,6 +10,10 @@ public extension URL {
     static let federate = URL(string: "https://idmsa.apple.com/appleauth/auth/federate")!
     static let olympusSession = URL(string: "https://appstoreconnect.apple.com/olympus/v1/session")!
     static let keyAuth = URL(string: "https://idmsa.apple.com/appleauth/auth/verify/security/key")!
+    
+    static let srpInit = URL(string: "https://idmsa.apple.com/appleauth/auth/signin/init")!
+    static let srpComplete = URL(string: "https://idmsa.apple.com/appleauth/auth/signin/complete?isRememberMeEnabled=false")!
+    
 }
 
 public extension URLRequest {
@@ -150,4 +154,51 @@ public extension URLRequest {
 
         return request
     }
+    
+    static func SRPInit(serviceKey: String, a: String, accountName: String) -> URLRequest {
+        struct ServerSRPInitRequest: Encodable {
+            public let a: String
+            public let accountName: String
+            public let protocols: [SRPProtocol]
+        }
+        
+        var request = URLRequest(url: .srpInit)
+        request.httpMethod = "POST"
+        request.allHTTPHeaderFields = request.allHTTPHeaderFields ?? [:]
+        request.allHTTPHeaderFields?["Accept"] = "application/json"
+        request.allHTTPHeaderFields?["Content-Type"] = "application/json"
+        request.allHTTPHeaderFields?["X-Requested-With"] = "XMLHttpRequest"
+        request.allHTTPHeaderFields?["X-Apple-Widget-Key"] = serviceKey
+        
+        request.httpBody = try? JSONEncoder().encode(ServerSRPInitRequest(a: a, accountName: accountName, protocols: [.s2k, .s2k_fo]))
+        return request
+    }
+    
+    static func SRPComplete(serviceKey: String, hashcash: String, accountName: String, c: String, m1: String, m2: String) -> URLRequest {
+        struct ServerSRPCompleteRequest: Encodable {
+            let accountName: String
+            let c: String
+            let m1: String
+            let m2: String
+            let rememberMe: Bool
+        }
+        
+        var request = URLRequest(url: .srpComplete)
+        request.httpMethod = "POST"
+        request.allHTTPHeaderFields = request.allHTTPHeaderFields ?? [:]
+        request.allHTTPHeaderFields?["Accept"] = "application/json"
+        request.allHTTPHeaderFields?["Content-Type"] = "application/json"
+        request.allHTTPHeaderFields?["X-Requested-With"] = "XMLHttpRequest"
+        request.allHTTPHeaderFields?["X-Apple-Widget-Key"] = serviceKey
+        request.allHTTPHeaderFields?["X-Apple-HC"] = hashcash
+        
+        request.httpBody = try? JSONEncoder().encode(ServerSRPCompleteRequest(accountName: accountName, c: c, m1: m1, m2: m2, rememberMe: false))
+        return request
+    }
 }
+
+public enum SRPProtocol: String, Codable {
+    case s2k, s2k_fo
+}
+
+

Xcodes/Backend/AppState.swift

@@ -290,7 +290,7 @@ class AppState: ObservableObject {
         Current.defaults.set(username, forKey: "username")
 
         isProcessingAuthRequest = true
-        return client.login(accountName: username, password: password)
+        return client.srpLogin(accountName: username, password: password)
             .receive(on: DispatchQueue.main)
             .handleEvents(
                 receiveOutput: { authenticationState in