@capgo/capacitor-updater 4.41.0 → 4.43.5

package/android/src/main/java/ee/forgr/capacitor_updater/CryptoCipher.java

@@ -12,142 +12,380 @@ package ee.forgr.capacitor_updater;
  * references: http://stackoverflow.com/questions/12471999/rsa-encryption-decryption-in-android
  */
 import android.util.Base64;
+import java.io.BufferedInputStream;
+import java.io.DataInputStream;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.io.IOException;
 import java.security.GeneralSecurityException;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.InvalidKeyException;
 import java.security.KeyFactory;
+import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
-import java.security.PrivateKey;
+import java.security.PublicKey;
 import java.security.spec.InvalidKeySpecException;
-import java.security.spec.MGF1ParameterSpec;
-import java.security.spec.PKCS8EncodedKeySpec;
+import java.security.spec.X509EncodedKeySpec;
 import javax.crypto.BadPaddingException;
 import javax.crypto.Cipher;
 import javax.crypto.IllegalBlockSizeException;
 import javax.crypto.NoSuchPaddingException;
 import javax.crypto.SecretKey;
 import javax.crypto.spec.IvParameterSpec;
-import javax.crypto.spec.OAEPParameterSpec;
-import javax.crypto.spec.PSource;
 import javax.crypto.spec.SecretKeySpec;
 
 public class CryptoCipher {
 
-  public static byte[] decryptRSA(byte[] source, PrivateKey privateKey)
-    throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidAlgorithmParameterException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException {
-    Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPPadding");
-    OAEPParameterSpec oaepParams = new OAEPParameterSpec(
-      "SHA-256",
-      "MGF1",
-      new MGF1ParameterSpec("SHA-256"),
-      PSource.PSpecified.DEFAULT
-    );
-    cipher.init(Cipher.DECRYPT_MODE, privateKey, oaepParams);
-    byte[] decryptedBytes = cipher.doFinal(source);
-    return decryptedBytes;
-  }
-
-  public static byte[] decryptAES(byte[] cipherText, SecretKey key, byte[] iv) {
-    try {
-      IvParameterSpec ivParameterSpec = new IvParameterSpec(iv);
-      Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
-      SecretKeySpec keySpec = new SecretKeySpec(key.getEncoded(), "AES");
-      cipher.init(Cipher.DECRYPT_MODE, keySpec, ivParameterSpec);
-      byte[] decryptedText = cipher.doFinal(cipherText);
-      return decryptedText;
-    } catch (Exception e) {
-      e.printStackTrace();
-    }
-    return null;
-  }
-
-  public static SecretKey byteToSessionKey(byte[] sessionKey) {
-    // rebuild key using SecretKeySpec
-    SecretKey originalKey = new SecretKeySpec(
-      sessionKey,
-      0,
-      sessionKey.length,
-      "AES"
-    );
-    return originalKey;
-  }
-
-  private static PrivateKey readPkcs8PrivateKey(byte[] pkcs8Bytes)
-    throws GeneralSecurityException {
-    KeyFactory keyFactory = KeyFactory.getInstance("RSA");
-    PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(pkcs8Bytes);
-    try {
-      return keyFactory.generatePrivate(keySpec);
-    } catch (InvalidKeySpecException e) {
-      throw new IllegalArgumentException("Unexpected key format!", e);
-    }
-  }
-
-  private static byte[] join(byte[] byteArray1, byte[] byteArray2) {
-    byte[] bytes = new byte[byteArray1.length + byteArray2.length];
-    System.arraycopy(byteArray1, 0, bytes, 0, byteArray1.length);
-    System.arraycopy(
-      byteArray2,
-      0,
-      bytes,
-      byteArray1.length,
-      byteArray2.length
-    );
-    return bytes;
-  }
-
-  private static PrivateKey readPkcs1PrivateKey(byte[] pkcs1Bytes)
-    throws GeneralSecurityException {
-    // We can't use Java internal APIs to parse ASN.1 structures, so we build a PKCS#8 key Java can understand
-    int pkcs1Length = pkcs1Bytes.length;
-    int totalLength = pkcs1Length + 22;
-    byte[] pkcs8Header = new byte[] {
-      0x30,
-      (byte) 0x82,
-      (byte) ((totalLength >> 8) & 0xff),
-      (byte) (totalLength & 0xff), // Sequence + total length
-      0x2,
-      0x1,
-      0x0, // Integer (0)
-      0x30,
-      0xD,
-      0x6,
-      0x9,
-      0x2A,
-      (byte) 0x86,
-      0x48,
-      (byte) 0x86,
-      (byte) 0xF7,
-      0xD,
-      0x1,
-      0x1,
-      0x1,
-      0x5,
-      0x0, // Sequence: 1.2.840.113549.1.1.1, NULL
-      0x4,
-      (byte) 0x82,
-      (byte) ((pkcs1Length >> 8) & 0xff),
-      (byte) (pkcs1Length & 0xff), // Octet string + length
+    private static Logger logger;
+
+    public static void setLogger(Logger loggerInstance) {
+        logger = loggerInstance;
+    }
+
+    public static byte[] decryptRSA(byte[] source, PublicKey publicKey)
+        throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidAlgorithmParameterException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException {
+        Cipher cipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");
+        cipher.init(Cipher.DECRYPT_MODE, publicKey);
+        byte[] decryptedBytes = cipher.doFinal(source);
+        return decryptedBytes;
+    }
+
+    public static byte[] decryptAES(byte[] cipherText, SecretKey key, byte[] iv) {
+        try {
+            IvParameterSpec ivParameterSpec = new IvParameterSpec(iv);
+            Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
+            SecretKeySpec keySpec = new SecretKeySpec(key.getEncoded(), "AES");
+            cipher.init(Cipher.DECRYPT_MODE, keySpec, ivParameterSpec);
+            return cipher.doFinal(cipherText);
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+        return null;
+    }
+
+    public static SecretKey byteToSessionKey(byte[] sessionKey) {
+        // rebuild key using SecretKeySpec
+        return new SecretKeySpec(sessionKey, 0, sessionKey.length, "AES");
+    }
+
+    private static PublicKey readX509PublicKey(byte[] x509Bytes) throws GeneralSecurityException {
+        KeyFactory keyFactory = KeyFactory.getInstance("RSA");
+        X509EncodedKeySpec keySpec = new X509EncodedKeySpec(x509Bytes);
+        try {
+            return keyFactory.generatePublic(keySpec);
+        } catch (InvalidKeySpecException e) {
+            throw new IllegalArgumentException("Unexpected key format!", e);
+        }
+    }
+
+    public static PublicKey stringToPublicKey(String public_key) throws GeneralSecurityException {
+        String pkcs1Pem = public_key
+            .replaceAll("\\s+", "")
+            .replace("-----BEGINRSAPUBLICKEY-----", "")
+            .replace("-----ENDRSAPUBLICKEY-----", "");
+
+        byte[] pkcs1EncodedBytes = Base64.decode(pkcs1Pem, Base64.DEFAULT);
+        return readPkcs1PublicKey(pkcs1EncodedBytes);
+    }
+
+    // since the public key is in pkcs1 format, we have to convert it to x509 format similar
+    // to what needs done with the private key converting to pkcs8 format
+    // so, the rest of the code below here is adapted from here https://stackoverflow.com/a/54246646
+    private static final int SEQUENCE_TAG = 0x30;
+    private static final int BIT_STRING_TAG = 0x03;
+    private static final byte[] NO_UNUSED_BITS = new byte[] { 0x00 };
+    private static final byte[] RSA_ALGORITHM_IDENTIFIER_SEQUENCE = {
+        (byte) 0x30,
+        (byte) 0x0d,
+        (byte) 0x06,
+        (byte) 0x09,
+        (byte) 0x2a,
+        (byte) 0x86,
+        (byte) 0x48,
+        (byte) 0x86,
+        (byte) 0xf7,
+        (byte) 0x0d,
+        (byte) 0x01,
+        (byte) 0x01,
+        (byte) 0x01,
+        (byte) 0x05,
+        (byte) 0x00
     };
-    byte[] pkcs8bytes = join(pkcs8Header, pkcs1Bytes);
-    return readPkcs8PrivateKey(pkcs8bytes);
-  }
-
-  public static PrivateKey stringToPrivateKey(String private_key)
-    throws GeneralSecurityException {
-    // Base64 decode the result
-
-    String pkcs1Pem = private_key.toString();
-    pkcs1Pem = pkcs1Pem.replace("-----BEGIN RSA PRIVATE KEY-----", "");
-    pkcs1Pem = pkcs1Pem.replace("-----END RSA PRIVATE KEY-----", "");
-    pkcs1Pem = pkcs1Pem.replace("\\n", "");
-    pkcs1Pem = pkcs1Pem.replace(" ", "");
-
-    byte[] pkcs1EncodedBytes = Base64.decode(
-      pkcs1Pem.getBytes(),
-      Base64.DEFAULT
-    );
-    // extract the private key
-    return readPkcs1PrivateKey(pkcs1EncodedBytes);
-  }
+
+    private static PublicKey readPkcs1PublicKey(byte[] pkcs1Bytes)
+        throws NoSuchAlgorithmException, InvalidKeySpecException, GeneralSecurityException {
+        // convert the pkcs1 public key to an x509 favorable format
+        byte[] keyBitString = createDEREncoding(BIT_STRING_TAG, joinPublic(NO_UNUSED_BITS, pkcs1Bytes));
+        byte[] keyInfoValue = joinPublic(RSA_ALGORITHM_IDENTIFIER_SEQUENCE, keyBitString);
+        byte[] keyInfoSequence = createDEREncoding(SEQUENCE_TAG, keyInfoValue);
+        return readX509PublicKey(keyInfoSequence);
+    }
+
+    private static byte[] joinPublic(byte[]... bas) {
+        int len = 0;
+        for (int i = 0; i < bas.length; i++) {
+            len += bas[i].length;
+        }
+
+        byte[] buf = new byte[len];
+        int off = 0;
+        for (int i = 0; i < bas.length; i++) {
+            System.arraycopy(bas[i], 0, buf, off, bas[i].length);
+            off += bas[i].length;
+        }
+
+        return buf;
+    }
+
+    public static void decryptFile(final File file, final String publicKey, final String ivSessionKey) throws IOException {
+        if (publicKey.isEmpty() || ivSessionKey == null || ivSessionKey.isEmpty() || ivSessionKey.split(":").length != 2) {
+            logger.info("Encryption not set, no public key or session, ignored");
+            return;
+        }
+        if (!publicKey.startsWith("-----BEGIN RSA PUBLIC KEY-----")) {
+            logger.error("The public key is not a valid RSA Public key");
+            return;
+        }
+
+        try {
+            String ivB64 = ivSessionKey.split(":")[0];
+            String sessionKeyB64 = ivSessionKey.split(":")[1];
+            byte[] iv = Base64.decode(ivB64.getBytes(), Base64.DEFAULT);
+            byte[] sessionKey = Base64.decode(sessionKeyB64.getBytes(), Base64.DEFAULT);
+            PublicKey pKey = CryptoCipher.stringToPublicKey(publicKey);
+            byte[] decryptedSessionKey = CryptoCipher.decryptRSA(sessionKey, pKey);
+
+            SecretKey sKey = CryptoCipher.byteToSessionKey(decryptedSessionKey);
+            byte[] content = new byte[(int) file.length()];
+
+            try (
+                final FileInputStream fis = new FileInputStream(file);
+                final BufferedInputStream bis = new BufferedInputStream(fis);
+                final DataInputStream dis = new DataInputStream(bis)
+            ) {
+                dis.readFully(content);
+                dis.close();
+                byte[] decrypted = CryptoCipher.decryptAES(content, sKey, iv);
+                // write the decrypted string to the file
+                try (final FileOutputStream fos = new FileOutputStream(file.getAbsolutePath())) {
+                    fos.write(decrypted);
+                }
+            }
+        } catch (GeneralSecurityException e) {
+            logger.info("decryptFile fail");
+            e.printStackTrace();
+            throw new IOException("GeneralSecurityException");
+        }
+    }
+
+    private static byte[] hexStringToByteArray(String s) {
+        int len = s.length();
+        byte[] data = new byte[len / 2];
+        for (int i = 0; i < len; i += 2) {
+            data[i / 2] = (byte) ((Character.digit(s.charAt(i), 16) << 4) + Character.digit(s.charAt(i + 1), 16));
+        }
+        return data;
+    }
+
+    public static String decryptChecksum(String checksum, String publicKey) throws IOException {
+        if (publicKey.isEmpty()) {
+            logger.error("No encryption set (public key) ignored");
+            return checksum;
+        }
+        try {
+            // TODO: remove this in a month or two
+            // Determine if input is hex or base64 encoded
+            // Hex strings only contain 0-9 and a-f, while base64 contains other characters
+            byte[] checksumBytes;
+            String detectedFormat;
+            if (checksum.matches("^[0-9a-fA-F]+$")) {
+                // Hex encoded (new format from CLI for plugin versions >= 5.30.0, 6.30.0, 7.30.0)
+                checksumBytes = hexStringToByteArray(checksum);
+                detectedFormat = "hex";
+            } else {
+                // TODO: remove backwards compatibility
+                // Base64 encoded (old format for backwards compatibility)
+                checksumBytes = Base64.decode(checksum, Base64.DEFAULT);
+                detectedFormat = "base64";
+            }
+            logger.debug(
+                "Received checksum format: " +
+                    detectedFormat +
+                    " (length: " +
+                    checksum.length() +
+                    " chars, " +
+                    checksumBytes.length +
+                    " bytes)"
+            );
+
+            // RSA-2048 encrypted data must be exactly 256 bytes
+            // If the checksum is not 256 bytes, the bundle was not encrypted properly
+            if (checksumBytes.length != 256) {
+                logger.error(
+                    "Checksum is not RSA encrypted (size: " +
+                        checksumBytes.length +
+                        " bytes, expected 256 for RSA-2048). Bundle must be uploaded with encryption when public key is configured."
+                );
+                throw new IOException("Bundle checksum is not encrypted. Upload bundle with --key flag when encryption is configured.");
+            }
+
+            PublicKey pKey = CryptoCipher.stringToPublicKey(publicKey);
+            byte[] decryptedChecksum = CryptoCipher.decryptRSA(checksumBytes, pKey);
+            // Return as hex string to match calcChecksum output format
+            StringBuilder hexString = new StringBuilder();
+            for (byte b : decryptedChecksum) {
+                String hex = Integer.toHexString(0xff & b);
+                if (hex.length() == 1) hexString.append('0');
+                hexString.append(hex);
+            }
+            String result = hexString.toString();
+
+            // Detect checksum algorithm based on length
+            String detectedAlgorithm;
+            if (decryptedChecksum.length == 32) {
+                detectedAlgorithm = "SHA-256";
+            } else if (decryptedChecksum.length == 4) {
+                detectedAlgorithm = "CRC32 (deprecated)";
+                logger.error("CRC32 checksum detected - deprecated algorithm");
+            } else {
+                detectedAlgorithm = "unknown (" + decryptedChecksum.length + " bytes)";
+                logger.error("Unknown checksum algorithm detected");
+                logger.debug("Byte count: " + decryptedChecksum.length + ", Expected: 32 (SHA-256)");
+            }
+            logger.debug(
+                "Decrypted checksum: " +
+                    detectedAlgorithm +
+                    " hex format (length: " +
+                    result.length() +
+                    " chars, " +
+                    decryptedChecksum.length +
+                    " bytes)"
+            );
+            return result;
+        } catch (GeneralSecurityException e) {
+            logger.error("Checksum decryption failed");
+            logger.debug("Error: " + e.getMessage());
+            throw new IOException("Decryption failed: " + e.getMessage());
+        }
+    }
+
+    /**
+     * Detect checksum algorithm based on hex string length.
+     * SHA-256 = 64 hex chars (32 bytes)
+     * CRC32 = 8 hex chars (4 bytes)
+     */
+    public static String detectChecksumAlgorithm(String hexChecksum) {
+        if (hexChecksum == null || hexChecksum.isEmpty()) {
+            return "empty";
+        }
+        int len = hexChecksum.length();
+        if (len == 64) {
+            return "SHA-256";
+        } else if (len == 8) {
+            return "CRC32 (deprecated)";
+        } else {
+            return "unknown (" + len + " hex chars)";
+        }
+    }
+
+    /**
+     * Log checksum info and warn if deprecated algorithm detected.
+     */
+    public static void logChecksumInfo(String label, String hexChecksum) {
+        String algorithm = detectChecksumAlgorithm(hexChecksum);
+        logger.debug(label + ": " + algorithm + " hex format (length: " + hexChecksum.length() + " chars)");
+        if (algorithm.contains("CRC32")) {
+            logger.error("CRC32 checksum detected - deprecated algorithm");
+        } else if (algorithm.contains("unknown")) {
+            logger.error("Unknown checksum algorithm detected");
+            logger.debug("Char count: " + hexChecksum.length() + ", Expected: 64 (SHA-256)");
+        }
+    }
+
+    public static String calcChecksum(File file) {
+        final int BUFFER_SIZE = 1024 * 1024 * 5; // 5 MB buffer size
+        MessageDigest digest;
+        try {
+            digest = MessageDigest.getInstance("SHA-256");
+        } catch (java.security.NoSuchAlgorithmException e) {
+            logger.error("SHA-256 algorithm not available");
+            return "";
+        }
+
+        try (FileInputStream fis = new FileInputStream(file)) {
+            byte[] buffer = new byte[BUFFER_SIZE];
+            int length;
+            while ((length = fis.read(buffer)) != -1) {
+                digest.update(buffer, 0, length);
+            }
+            byte[] hash = digest.digest();
+            StringBuilder hexString = new StringBuilder();
+            for (byte b : hash) {
+                String hex = Integer.toHexString(0xff & b);
+                if (hex.length() == 1) hexString.append('0');
+                hexString.append(hex);
+            }
+            return hexString.toString();
+        } catch (IOException e) {
+            logger.error("Cannot calculate checksum");
+            logger.debug("Path: " + file.getPath() + ", Error: " + e.getMessage());
+            return "";
+        }
+    }
+
+    private static byte[] createDEREncoding(int tag, byte[] value) {
+        if (tag < 0 || tag >= 0xFF) {
+            throw new IllegalArgumentException("Currently only single byte tags supported");
+        }
+
+        byte[] lengthEncoding = createDERLengthEncoding(value.length);
+
+        int size = 1 + lengthEncoding.length + value.length;
+        byte[] derEncodingBuf = new byte[size];
+
+        int off = 0;
+        derEncodingBuf[off++] = (byte) tag;
+        System.arraycopy(lengthEncoding, 0, derEncodingBuf, off, lengthEncoding.length);
+        off += lengthEncoding.length;
+        System.arraycopy(value, 0, derEncodingBuf, off, value.length);
+
+        return derEncodingBuf;
+    }
+
+    private static byte[] createDERLengthEncoding(int size) {
+        if (size <= 0x7F) {
+            // single byte length encoding
+            return new byte[] { (byte) size };
+        } else if (size <= 0xFF) {
+            // double byte length encoding
+            return new byte[] { (byte) 0x81, (byte) size };
+        } else if (size <= 0xFFFF) {
+            // triple byte length encoding
+            return new byte[] { (byte) 0x82, (byte) (size >> Byte.SIZE), (byte) size };
+        }
+
+        throw new IllegalArgumentException("size too large, only up to 64KiB length encoding supported: " + size);
+    }
+
+    /**
+     * Get first 20 characters of the public key for identification.
+     * Returns 20-character string or empty string if key is invalid/empty.
+     * The first 12 chars are always "MIIBCgKCAQEA" for RSA 2048-bit keys,
+     * so the unique part starts at character 13.
+     */
+    public static String calcKeyId(String publicKey) {
+        if (publicKey == null || publicKey.isEmpty()) {
+            return "";
+        }
+
+        // Remove PEM headers and whitespace to get the raw key data
+        String cleanedKey = publicKey
+            .replaceAll("\\s+", "")
+            .replace("-----BEGINRSAPUBLICKEY-----", "")
+            .replace("-----ENDRSAPUBLICKEY-----", "");
+
+        // Return first 20 characters of the base64-encoded key
+        return cleanedKey.length() >= 20 ? cleanedKey.substring(0, 20) : cleanedKey;
+    }
 }

package/android/src/main/java/ee/forgr/capacitor_updater/DataManager.java

@@ -0,0 +1,28 @@
+package ee.forgr.capacitor_updater;
+
+import org.json.JSONArray;
+
+public class DataManager {
+
+    private static DataManager instance;
+    private JSONArray currentManifest;
+
+    private DataManager() {}
+
+    public static synchronized DataManager getInstance() {
+        if (instance == null) {
+            instance = new DataManager();
+        }
+        return instance;
+    }
+
+    public void setManifest(JSONArray manifest) {
+        this.currentManifest = manifest;
+    }
+
+    public JSONArray getAndClearManifest() {
+        JSONArray manifest = this.currentManifest;
+        this.currentManifest = null;
+        return manifest;
+    }
+}

package/android/src/main/java/ee/forgr/capacitor_updater/DelayCondition.java

@@ -6,57 +6,52 @@
 
 package ee.forgr.capacitor_updater;
 
-import com.google.gson.annotations.SerializedName;
+import androidx.annotation.NonNull;
 import java.util.Objects;
 
 public class DelayCondition {
 
-  @SerializedName("kind")
-  private DelayUntilNext kind;
-
-  @SerializedName("value")
-  private String value;
-
-  public DelayCondition(DelayUntilNext kind, String value) {
-    this.kind = kind;
-    this.value = value;
-  }
-
-  public DelayUntilNext getKind() {
-    return kind;
-  }
-
-  public void setKind(DelayUntilNext kind) {
-    this.kind = kind;
-  }
-
-  public String getValue() {
-    return value;
-  }
-
-  public void setValue(String value) {
-    this.value = value;
-  }
-
-  @Override
-  public boolean equals(Object o) {
-    if (this == o) return true;
-    if (!(o instanceof DelayCondition)) return false;
-    DelayCondition that = (DelayCondition) o;
-    return (
-      getKind() == that.getKind() && Objects.equals(getValue(), that.getValue())
-    );
-  }
-
-  @Override
-  public int hashCode() {
-    return Objects.hash(getKind(), getValue());
-  }
-
-  @Override
-  public String toString() {
-    return (
-      "DelayCondition{" + "kind=" + kind + ", value='" + value + '\'' + '}'
-    );
-  }
+    private DelayUntilNext kind;
+
+    private String value;
+
+    public DelayCondition(DelayUntilNext kind, String value) {
+        this.kind = kind;
+        this.value = value;
+    }
+
+    public DelayUntilNext getKind() {
+        return kind;
+    }
+
+    public void setKind(DelayUntilNext kind) {
+        this.kind = kind;
+    }
+
+    public String getValue() {
+        return value;
+    }
+
+    public void setValue(String value) {
+        this.value = value;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) return true;
+        if (!(o instanceof DelayCondition)) return false;
+        DelayCondition that = (DelayCondition) o;
+        return (getKind() == that.getKind() && Objects.equals(getValue(), that.getValue()));
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(getKind(), getValue());
+    }
+
+    @NonNull
+    @Override
+    public String toString() {
+        return ("DelayCondition{" + "kind=" + kind + ", value='" + value + '\'' + '}');
+    }
 }

package/android/src/main/java/ee/forgr/capacitor_updater/DelayUntilNext.java

@@ -7,8 +7,8 @@
 package ee.forgr.capacitor_updater;
 
 public enum DelayUntilNext {
-  background,
-  kill,
-  nativeVersion,
-  date,
+    background,
+    kill,
+    nativeVersion,
+    date
 }