@capgo/capacitor-updater 6.1.16 → 6.1.18

package/README.md

@@ -218,7 +218,6 @@ CapacitorUpdater can be configured with these options:
 | **`localSupaAnon`**      | <code>string</code>  | Configure the CLI to use a local server for testing.                                                                                                                                            | <code>undefined</code>                     | 4.17.48 |
 | **`allowModifyUrl`**     | <code>boolean</code> | Allow the plugin to modify the updateUrl, statsUrl and channelUrl dynamically from the JavaScript side.                                                                                         | <code>false</code>                         | 5.4.0   |
 | **`defaultChannel`**     | <code>string</code>  | Set the default channel for the app in the config.                                                                                                                                              | <code>undefined</code>                     | 5.5.0   |
-| **`signKey`**            | <code>string</code>  | Public key used for bundle signing.                                                                                                                                                             | <code>undefined</code>                     | 6.1.0   |
 
 ### Examples
 
@@ -246,8 +245,7 @@ In `capacitor.config.json`:
       "localSupa": undefined,
       "localSupaAnon": undefined,
       "allowModifyUrl": undefined,
-      "defaultChannel": undefined,
-      "signKey": undefined
+      "defaultChannel": undefined
     }
   }
 }
@@ -282,7 +280,6 @@ const config: CapacitorConfig = {
       localSupaAnon: undefined,
       allowModifyUrl: undefined,
       defaultChannel: undefined,
-      signKey: undefined,
     },
   },
 };
@@ -937,7 +934,6 @@ Listen for app ready event in the App, let you know when app is ready to use
 | **`version`**    | <code>string</code> | The version code/name of this bundle/version                                                                                                                     |                        |       |
 | **`sessionKey`** | <code>string</code> | The session key for the update                                                                                                                                   | <code>undefined</code> | 4.0.0 |
 | **`checksum`**   | <code>string</code> | The checksum for the update                                                                                                                                      | <code>undefined</code> | 4.0.0 |
-| **`signature`**  | <code>string</code> | The signature of the update. Can be generated using capgo CLI                                                                                                    | <code>undefined</code> | 6.1.0 |
 
 
 #### BundleId

package/android/src/main/java/ee/forgr/capacitor_updater/CapacitorUpdater.java

@@ -40,13 +40,11 @@ import java.io.InputStream;
 import java.io.UnsupportedEncodingException;
 import java.net.URL;
 import java.net.URLConnection;
-import java.nio.charset.StandardCharsets;
 import java.security.GeneralSecurityException;
 import java.security.MessageDigest;
 import java.security.PrivateKey;
 import java.security.PublicKey;
 import java.security.SecureRandom;
-import java.security.Signature;
 import java.util.ArrayList;
 import java.util.Date;
 import java.util.Iterator;
@@ -55,7 +53,6 @@ import java.util.Objects;
 import java.util.zip.CRC32;
 import java.util.zip.ZipEntry;
 import java.util.zip.ZipInputStream;
-import javax.crypto.Cipher;
 import javax.crypto.SecretKey;
 import org.json.JSONException;
 import org.json.JSONObject;
@@ -92,9 +89,10 @@ public class CapacitorUpdater {
   public String defaultChannel = "";
   public String appId = "";
   public String privateKey = "";
+  public String publicKey = "";
+  public boolean hasOldPrivateKeyPropertyInConfig = false;
   public String deviceID = "";
   public int timeout = 20000;
-  public PublicKey signKey = null;
 
   private final FilenameFilter filter = (f, name) -> {
     // ignore directories generated by mac os x
@@ -285,7 +283,6 @@ public class CapacitorUpdater {
           String sessionKey = bundle.getString(DownloadService.SESSIONKEY);
           String checksum = bundle.getString(DownloadService.CHECKSUM);
           String error = bundle.getString(DownloadService.ERROR);
-          String signature = bundle.getString(DownloadService.SIGNATURE);
           Log.i(
             CapacitorUpdater.TAG,
             "res " +
@@ -299,8 +296,6 @@ public class CapacitorUpdater {
             " " +
             checksum +
             " " +
-            signature +
-            " " +
             error
           );
           if (dest == null) {
@@ -323,7 +318,6 @@ public class CapacitorUpdater {
               version,
               sessionKey,
               checksum,
-              signature,
               true
             );
         } else {
@@ -333,13 +327,32 @@ public class CapacitorUpdater {
     }
   };
 
+  private String decryptChecksum(String checksum, String version)
+    throws IOException {
+    if (this.publicKey.isEmpty()) {
+      Log.e(CapacitorUpdater.TAG, "The public key is empty");
+      return checksum;
+    }
+    try {
+      byte[] checksumBytes = Base64.decode(checksum, Base64.DEFAULT);
+      PublicKey pKey = CryptoCipherV2.stringToPublicKey(this.publicKey);
+      byte[] decryptedChecksum = CryptoCipherV2.decryptRSA(checksumBytes, pKey);
+      // return Base64.encodeToString(decryptedChecksum, Base64.DEFAULT);
+      String result = Base64.encodeToString(decryptedChecksum, Base64.DEFAULT);
+      return result.replaceAll("\\s", ""); // Remove all whitespace, including newlines
+    } catch (GeneralSecurityException e) {
+      Log.e(TAG, "decryptChecksum fail: " + e.getMessage());
+      this.sendStats("decrypt_fail", version);
+      throw new IOException("Decryption failed: " + e.getMessage());
+    }
+  }
+
   public Boolean finishDownload(
     String id,
     String dest,
     String version,
     String sessionKey,
     String checksumRes,
-    String signature,
     Boolean setNext
   ) {
     File downloaded = null;
@@ -349,36 +362,27 @@ public class CapacitorUpdater {
       this.notifyDownload(id, 71);
       downloaded = new File(this.documentsDir, dest);
 
-      boolean valid = verifyBundleSignature(version, downloaded, signature);
-      if (!valid) {
-        Log.e(
-          CapacitorUpdater.TAG,
-          "Invalid signature, cannot accept download"
-        );
-
-        this.sendStats("invalid_signature", version);
-        throw new GeneralSecurityException(
-          "Signature is not valid, cannot accept update"
-        );
+      String checksumDecrypted = Objects.requireNonNullElse(checksumRes, "");
+      if (!this.hasOldPrivateKeyPropertyInConfig && !sessionKey.isEmpty()) {
+        this.decryptFileV2(downloaded, sessionKey, version);
+        checksumDecrypted = this.decryptChecksum(checksumRes, version);
+        checksum = this.calcChecksumV2(downloaded);
       } else {
-        Log.i(CapacitorUpdater.TAG, "Valid signature");
+        this.decryptFile(downloaded, sessionKey, version);
+        checksum = this.calcChecksum(downloaded);
       }
-
-      this.decryptFile(downloaded, sessionKey, version);
-      checksum = this.calcChecksum(downloaded);
       if (
-        checksumRes != null &&
-        !checksumRes.isEmpty() &&
-        !checksumRes.equals(checksum)
+        (!checksumDecrypted.isEmpty() || !this.publicKey.isEmpty()) &&
+        !checksumDecrypted.equals(checksum)
       ) {
         Log.e(
           CapacitorUpdater.TAG,
-          "Error checksum " + checksumRes + " " + checksum
+          "Error checksum '" + checksumDecrypted + "' '" + checksum + "' '"
         );
         this.sendStats("checksum_fail");
         throw new IOException("Checksum failed: " + id);
       }
-    } catch (IOException | GeneralSecurityException e) {
+    } catch (IOException e) {
       final Boolean res = this.delete(id);
       if (!res) {
         Log.i(CapacitorUpdater.TAG, "Double error, cannot cleanup: " + version);
@@ -443,8 +447,7 @@ public class CapacitorUpdater {
     final String version,
     final String sessionKey,
     final String checksum,
-    final String dest,
-    final String signature
+    final String dest
   ) {
     Intent intent = new Intent(this.activity, DownloadService.class);
     intent.putExtra(DownloadService.URL, url);
@@ -457,7 +460,6 @@ public class CapacitorUpdater {
     intent.putExtra(DownloadService.VERSION, version);
     intent.putExtra(DownloadService.SESSIONKEY, sessionKey);
     intent.putExtra(DownloadService.CHECKSUM, checksum);
-    intent.putExtra(DownloadService.SIGNATURE, signature);
     this.activity.startService(intent);
   }
 
@@ -544,44 +546,100 @@ public class CapacitorUpdater {
     }
   }
 
-  private boolean verifyBundleSignature(
-    final String version,
-    final File file,
-    final String signatureStr
-  ) throws GeneralSecurityException, IOException {
-    if (this.signKey == null) {
-      Log.i(TAG, "Signing not configured");
-      return true;
+  private String calcChecksumV2(File file) {
+    final int BUFFER_SIZE = 1024 * 1024 * 5; // 5 MB buffer size
+    MessageDigest digest;
+    try {
+      digest = MessageDigest.getInstance("SHA-256");
+    } catch (java.security.NoSuchAlgorithmException e) {
+      System.err.println(TAG + " SHA-256 algorithm not available");
+      return "";
     }
 
-    if (signatureStr.isEmpty()) {
-      Log.i(TAG, "Signature required but none provided");
-      this.sendStats("signature_not_provided", version);
-      throw new GeneralSecurityException(
-        "Signature was required but none was provided"
+    try (FileInputStream fis = new FileInputStream(file)) {
+      byte[] buffer = new byte[BUFFER_SIZE];
+      int length;
+      while ((length = fis.read(buffer)) != -1) {
+        digest.update(buffer, 0, length);
+      }
+      byte[] hash = digest.digest();
+      StringBuilder hexString = new StringBuilder();
+      for (byte b : hash) {
+        String hex = Integer.toHexString(0xff & b);
+        if (hex.length() == 1) hexString.append('0');
+        hexString.append(hex);
+      }
+      return hexString.toString();
+    } catch (IOException e) {
+      System.err.println(
+        TAG +
+        " Cannot calc checksum v2: " +
+        file.getPath() +
+        " " +
+        e.getMessage()
       );
+      return "";
     }
+  }
 
-    byte[] providedSignatureBytes = Base64.decode(
-      signatureStr.getBytes(StandardCharsets.UTF_8),
-      Base64.DEFAULT
-    );
-
-    Signature signature = Signature.getInstance("SHA512withRSA");
-    signature.initVerify(this.signKey);
-
-    byte[] content = new byte[(int) file.length()];
-
-    try (
-      final FileInputStream fis = new FileInputStream(file);
-      final BufferedInputStream bis = new BufferedInputStream(fis);
-      final DataInputStream dis = new DataInputStream(bis)
+  private void decryptFileV2(
+    final File file,
+    final String ivSessionKey,
+    final String version
+  ) throws IOException {
+    // (str != null && !str.isEmpty())
+    if (
+      this.publicKey.isEmpty() ||
+      ivSessionKey == null ||
+      ivSessionKey.isEmpty() ||
+      ivSessionKey.split(":").length != 2
     ) {
-      dis.readFully(content);
-      dis.close();
+      Log.i(TAG, "Cannot found public key or sessionKey");
+      return;
+    }
+    if (!this.publicKey.startsWith("-----BEGIN RSA PUBLIC KEY-----")) {
+      Log.e(
+        CapacitorUpdater.TAG,
+        "The public key is not a valid RSA Public key"
+      );
+      return;
+    }
+    try {
+      String ivB64 = ivSessionKey.split(":")[0];
+      String sessionKeyB64 = ivSessionKey.split(":")[1];
+      byte[] iv = Base64.decode(ivB64.getBytes(), Base64.DEFAULT);
+      byte[] sessionKey = Base64.decode(
+        sessionKeyB64.getBytes(),
+        Base64.DEFAULT
+      );
+      PublicKey pKey = CryptoCipherV2.stringToPublicKey(this.publicKey);
+      byte[] decryptedSessionKey = CryptoCipherV2.decryptRSA(sessionKey, pKey);
 
-      signature.update(content);
-      return signature.verify(providedSignatureBytes);
+      SecretKey sKey = CryptoCipherV2.byteToSessionKey(decryptedSessionKey);
+      byte[] content = new byte[(int) file.length()];
+
+      try (
+        final FileInputStream fis = new FileInputStream(file);
+        final BufferedInputStream bis = new BufferedInputStream(fis);
+        final DataInputStream dis = new DataInputStream(bis)
+      ) {
+        dis.readFully(content);
+        dis.close();
+        byte[] decrypted = CryptoCipherV2.decryptAES(content, sKey, iv);
+        // write the decrypted string to the file
+        try (
+          final FileOutputStream fos = new FileOutputStream(
+            file.getAbsolutePath()
+          )
+        ) {
+          fos.write(decrypted);
+        }
+      }
+    } catch (GeneralSecurityException e) {
+      Log.i(TAG, "decryptFile fail");
+      this.sendStats("decrypt_fail", version);
+      e.printStackTrace();
+      throw new IOException("GeneralSecurityException");
     }
   }
 
@@ -591,14 +649,15 @@ public class CapacitorUpdater {
     final String version
   ) throws IOException {
     // (str != null && !str.isEmpty())
-    if (
-      this.privateKey == null ||
-      this.privateKey.isEmpty() ||
+    if (this.privateKey == null || this.privateKey.isEmpty()) {
+      Log.i(TAG, "Cannot found privateKey");
+      return;
+    } else if (
       ivSessionKey == null ||
       ivSessionKey.isEmpty() ||
       ivSessionKey.split(":").length != 2
     ) {
-      Log.i(TAG, "Cannot found privateKey or sessionKey");
+      Log.i(TAG, "Cannot found sessionKey");
       return;
     }
     try {
@@ -643,8 +702,7 @@ public class CapacitorUpdater {
     final String url,
     final String version,
     final String sessionKey,
-    final String checksum,
-    final String signature
+    final String checksum
   ) {
     final String id = this.randomString();
     this.saveBundleInfo(
@@ -665,8 +723,7 @@ public class CapacitorUpdater {
         version,
         sessionKey,
         checksum,
-        this.randomString(),
-        signature
+        this.randomString()
       );
   }
 
@@ -674,8 +731,7 @@ public class CapacitorUpdater {
     final String url,
     final String version,
     final String sessionKey,
-    final String checksum,
-    final String signature
+    final String checksum
   ) throws IOException {
     final String id = this.randomString();
     this.saveBundleInfo(
@@ -693,15 +749,7 @@ public class CapacitorUpdater {
     final String dest = this.randomString();
     this.downloadFile(id, url, dest);
     final Boolean finished =
-      this.finishDownload(
-          id,
-          dest,
-          version,
-          sessionKey,
-          checksum,
-          signature,
-          false
-        );
+      this.finishDownload(id, dest, version, sessionKey, checksum, false);
     final BundleStatus status = finished
       ? BundleStatus.PENDING
       : BundleStatus.ERROR;

package/android/src/main/java/ee/forgr/capacitor_updater/CapacitorUpdaterPlugin.java

@@ -30,7 +30,6 @@ import java.io.IOException;
 import java.lang.reflect.Type;
 import java.net.MalformedURLException;
 import java.net.URL;
-import java.security.PublicKey;
 import java.text.SimpleDateFormat;
 import java.util.ArrayList;
 import java.util.Date;
@@ -51,12 +50,10 @@ public class CapacitorUpdaterPlugin extends Plugin {
   private static final String updateUrlDefault =
     "https://api.capgo.app/updates";
   private static final String statsUrlDefault = "https://api.capgo.app/stats";
-  private static final String defaultPrivateKey =
-    "-----BEGIN RSA PRIVATE KEY-----\nMIIEpQIBAAKCAQEA4pW9olT0FBXXivRCzd3xcImlWZrqkwcF2xTkX/FwXmj9eh9H\nkBLrsQmfsC+PJisRXIOGq6a0z3bsGq6jBpp3/Jr9jiaW5VuPGaKeMaZZBRvi/N5f\nIMG3hZXSOcy0IYg+E1Q7RkYO1xq5GLHseqG+PXvJsNe4R8R/Bmd/ngq0xh/cvcrH\nHpXwO0Aj9tfprlb+rHaVV79EkVRWYPidOLnK1n0EFHFJ1d/MyDIp10TEGm2xHpf/\nBrlb1an8wXEuzoC0DgYaczgTjovwR+ewSGhSHJliQdM0Qa3o1iN87DldWtydImMs\nPjJ3DUwpsjAMRe5X8Et4+udFW2ciYnQo9H0CkwIDAQABAoIBAQCtjlMV/4qBxAU4\nu0ZcWA9yywwraX0aJ3v1xrfzQYV322Wk4Ea5dbSxA5UcqCE29DA1M824t1Wxv/6z\npWbcTP9xLuresnJMtmgTE7umfiubvTONy2sENT20hgDkIwcq1CfwOEm61zjQzPhQ\nkSB5AmEsyR/BZEsUNc+ygR6AWOUFB7tj4yMc32LOTWSbE/znnF2BkmlmnQykomG1\n2oVqM3lUFP7+m8ux1O7scO6IMts+Z/eFXjWfxpbebUSvSIR83GXPQZ34S/c0ehOg\nyHdmCSOel1r3VvInMe+30j54Jr+Ml/7Ee6axiwyE2e/bd85MsK9sVdp0OtelXaqA\nOZZqWvN5AoGBAP2Hn3lSq+a8GsDH726mHJw60xM0LPbVJTYbXsmQkg1tl3NKJTMM\nQqz41+5uys+phEgLHI9gVJ0r+HaGHXnJ4zewlFjsudstb/0nfctUvTqnhEhfNo9I\ny4kufVKPRF3sMEeo7CDVJs4GNBLycEyIBy6Mbv0VcO7VaZqggRwu4no9AoGBAOTK\n6NWYs1BWlkua2wmxexGOzehNGedInp0wGr2l4FDayWjkZLqvB+nNXUQ63NdHlSs4\nWB2Z1kQXZxVaI2tPYexGUKXEo2uFob63uflbuE029ovDXIIPFTPtGNdNXwhHT5a+\nPhmy3sMc+s2BSNM5qaNmfxQxhdd6gRU6oikE+c0PAoGAMn3cKNFqIt27hkFLUgIL\nGKIuf1iYy9/PNWNmEUaVj88PpopRtkTu0nwMpROzmH/uNFriKTvKHjMvnItBO4wV\nkHW+VadvrFL0Rrqituf9d7z8/1zXBNo+juePVe3qc7oiM2NVA4Tv4YAixtM5wkQl\nCgQ15nlqsGYYTg9BJ1e/CxECgYEAjEYPzO2reuUrjr0p8F59ev1YJ0YmTJRMk0ks\nC/yIdGo/tGzbiU3JB0LfHPcN8Xu07GPGOpfYM7U5gXDbaG6qNgfCaHAQVdr/mQPi\nJQ1kCQtay8QCkscWk9iZM1//lP7LwDtxraXqSCwbZSYP9VlUNZeg8EuQqNU2EUL6\nqzWexmcCgYEA0prUGNBacraTYEknB1CsbP36UPWsqFWOvevlz+uEC5JPxPuW5ZHh\nSQN7xl6+PHyjPBM7ttwPKyhgLOVTb3K7ex/PXnudojMUK5fh7vYfChVTSlx2p6r0\nDi58PdD+node08cJH+ie0Yphp7m+D4+R9XD0v0nEvnu4BtAW6DrJasw=\n-----END RSA PRIVATE KEY-----\n";
   private static final String channelUrlDefault =
     "https://api.capgo.app/channel_self";
 
-  private final String PLUGIN_VERSION = "6.1.16";
+  private final String PLUGIN_VERSION = "6.1.18";
   private static final String DELAY_CONDITION_PREFERENCES = "";
 
   private SharedPreferences.Editor editor;
@@ -138,12 +135,6 @@ public class CapacitorUpdaterPlugin extends Plugin {
       this.implementation.requestQueue = Volley.newRequestQueue(
         this.getContext()
       );
-      final String signKeyStr = this.getConfig().getString("signKey", "");
-      if (signKeyStr.length() > 0) {
-        this.implementation.signKey = CryptoCipher.stringToPublicKey(
-          signKeyStr
-        );
-      }
 
       this.implementation.directUpdate = this.getConfig()
         .getBoolean("directUpdate", false);
@@ -181,8 +172,15 @@ public class CapacitorUpdaterPlugin extends Plugin {
       );
     }
     Log.i(CapacitorUpdater.TAG, "appId: " + implementation.appId);
+    this.implementation.publicKey = this.getConfig().getString("publicKey", "");
     this.implementation.privateKey = this.getConfig()
-      .getString("privateKey", defaultPrivateKey);
+      .getString("privateKey", "");
+    if (
+      this.implementation.privateKey != null &&
+      !this.implementation.privateKey.isEmpty()
+    ) {
+      this.implementation.hasOldPrivateKeyPropertyInConfig = true;
+    }
     this.implementation.statsUrl = this.getConfig()
       .getString("statsUrl", statsUrlDefault);
     this.implementation.channelUrl = this.getConfig()
@@ -583,7 +581,6 @@ public class CapacitorUpdaterPlugin extends Plugin {
     final String version = call.getString("version");
     final String sessionKey = call.getString("sessionKey", "");
     final String checksum = call.getString("checksum", "");
-    final String signature = call.getString("signature", "");
     if (url == null) {
       Log.e(CapacitorUpdater.TAG, "Download called without url");
       call.reject("Download called without url");
@@ -594,17 +591,6 @@ public class CapacitorUpdaterPlugin extends Plugin {
       call.reject("Download called without version");
       return;
     }
-    if (
-      this.implementation.signKey != null &&
-      (signature == null || signature.isEmpty())
-    ) {
-      Log.e(
-        CapacitorUpdater.TAG,
-        "Signature required but none provided for download call"
-      );
-      call.reject("Signature required but none provided");
-      return;
-    }
     try {
       Log.i(CapacitorUpdater.TAG, "Downloading " + url);
       startNewThread(() -> {
@@ -614,8 +600,7 @@ public class CapacitorUpdaterPlugin extends Plugin {
                 url,
                 version,
                 sessionKey,
-                checksum,
-                signature
+                checksum
               );
           if (downloaded.isErrorStatus()) {
             throw new RuntimeException(
@@ -1283,15 +1268,11 @@ public class CapacitorUpdaterPlugin extends Plugin {
                     final String checksum = res.has("checksum")
                       ? res.getString("checksum")
                       : "";
-                    final String signature = res.has("signature")
-                      ? res.getString("signature")
-                      : "";
                     CapacitorUpdaterPlugin.this.implementation.downloadBackground(
                         url,
                         latestVersionName,
                         sessionKey,
-                        checksum,
-                        signature
+                        checksum
                       );
                   } catch (final Exception e) {
                     Log.e(CapacitorUpdater.TAG, "error downloading file", e);

package/android/src/main/java/ee/forgr/capacitor_updater/CryptoCipherV2.java

@@ -0,0 +1,184 @@
+/*
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/.
+ */
+
+package ee.forgr.capacitor_updater;
+
+/**
+ * Created by Awesometic
+ * It's encrypt returns Base64 encoded, and also decrypt for Base64 encoded cipher
+ * references: http://stackoverflow.com/questions/12471999/rsa-encryption-decryption-in-android
+ */
+import android.util.Base64;
+import java.security.GeneralSecurityException;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.InvalidKeyException;
+import java.security.KeyFactory;
+import java.security.NoSuchAlgorithmException;
+import java.security.PublicKey;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.X509EncodedKeySpec;
+import javax.crypto.BadPaddingException;
+import javax.crypto.Cipher;
+import javax.crypto.IllegalBlockSizeException;
+import javax.crypto.NoSuchPaddingException;
+import javax.crypto.SecretKey;
+import javax.crypto.spec.IvParameterSpec;
+import javax.crypto.spec.PSource;
+import javax.crypto.spec.SecretKeySpec;
+
+public class CryptoCipherV2 {
+
+  public static byte[] decryptRSA(byte[] source, PublicKey publicKey)
+    throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidAlgorithmParameterException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException {
+    Cipher cipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");
+    cipher.init(Cipher.DECRYPT_MODE, publicKey);
+    byte[] decryptedBytes = cipher.doFinal(source);
+    return decryptedBytes;
+  }
+
+  public static byte[] decryptAES(byte[] cipherText, SecretKey key, byte[] iv) {
+    try {
+      IvParameterSpec ivParameterSpec = new IvParameterSpec(iv);
+      Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
+      SecretKeySpec keySpec = new SecretKeySpec(key.getEncoded(), "AES");
+      cipher.init(Cipher.DECRYPT_MODE, keySpec, ivParameterSpec);
+      return cipher.doFinal(cipherText);
+    } catch (Exception e) {
+      e.printStackTrace();
+    }
+    return null;
+  }
+
+  public static SecretKey byteToSessionKey(byte[] sessionKey) {
+    // rebuild key using SecretKeySpec
+    return new SecretKeySpec(sessionKey, 0, sessionKey.length, "AES");
+  }
+
+  private static PublicKey readX509PublicKey(byte[] x509Bytes)
+    throws GeneralSecurityException {
+    KeyFactory keyFactory = KeyFactory.getInstance("RSA");
+    X509EncodedKeySpec keySpec = new X509EncodedKeySpec(x509Bytes);
+    try {
+      return keyFactory.generatePublic(keySpec);
+    } catch (InvalidKeySpecException e) {
+      throw new IllegalArgumentException("Unexpected key format!", e);
+    }
+  }
+
+  public static PublicKey stringToPublicKey(String public_key)
+    throws GeneralSecurityException {
+    String pkcs1Pem = public_key
+      .replaceAll("\\s+", "")
+      .replace("-----BEGINRSAPUBLICKEY-----", "")
+      .replace("-----ENDRSAPUBLICKEY-----", "");
+
+    byte[] pkcs1EncodedBytes = Base64.decode(pkcs1Pem, Base64.DEFAULT);
+    return readPkcs1PublicKey(pkcs1EncodedBytes);
+  }
+
+  // since the public key is in pkcs1 format, we have to convert it to x509 format similar
+  // to what needs done with the private key converting to pkcs8 format
+  // so, the rest of the code below here is adapted from here https://stackoverflow.com/a/54246646
+  private static final int SEQUENCE_TAG = 0x30;
+  private static final int BIT_STRING_TAG = 0x03;
+  private static final byte[] NO_UNUSED_BITS = new byte[] { 0x00 };
+  private static final byte[] RSA_ALGORITHM_IDENTIFIER_SEQUENCE = {
+    (byte) 0x30,
+    (byte) 0x0d,
+    (byte) 0x06,
+    (byte) 0x09,
+    (byte) 0x2a,
+    (byte) 0x86,
+    (byte) 0x48,
+    (byte) 0x86,
+    (byte) 0xf7,
+    (byte) 0x0d,
+    (byte) 0x01,
+    (byte) 0x01,
+    (byte) 0x01,
+    (byte) 0x05,
+    (byte) 0x00,
+  };
+
+  private static PublicKey readPkcs1PublicKey(byte[] pkcs1Bytes)
+    throws NoSuchAlgorithmException, InvalidKeySpecException, GeneralSecurityException {
+    // convert the pkcs1 public key to an x509 favorable format
+    byte[] keyBitString = createDEREncoding(
+      BIT_STRING_TAG,
+      joinPublic(NO_UNUSED_BITS, pkcs1Bytes)
+    );
+    byte[] keyInfoValue = joinPublic(
+      RSA_ALGORITHM_IDENTIFIER_SEQUENCE,
+      keyBitString
+    );
+    byte[] keyInfoSequence = createDEREncoding(SEQUENCE_TAG, keyInfoValue);
+    return readX509PublicKey(keyInfoSequence);
+  }
+
+  private static byte[] joinPublic(byte[]... bas) {
+    int len = 0;
+    for (int i = 0; i < bas.length; i++) {
+      len += bas[i].length;
+    }
+
+    byte[] buf = new byte[len];
+    int off = 0;
+    for (int i = 0; i < bas.length; i++) {
+      System.arraycopy(bas[i], 0, buf, off, bas[i].length);
+      off += bas[i].length;
+    }
+
+    return buf;
+  }
+
+  private static byte[] createDEREncoding(int tag, byte[] value) {
+    if (tag < 0 || tag >= 0xFF) {
+      throw new IllegalArgumentException(
+        "Currently only single byte tags supported"
+      );
+    }
+
+    byte[] lengthEncoding = createDERLengthEncoding(value.length);
+
+    int size = 1 + lengthEncoding.length + value.length;
+    byte[] derEncodingBuf = new byte[size];
+
+    int off = 0;
+    derEncodingBuf[off++] = (byte) tag;
+    System.arraycopy(
+      lengthEncoding,
+      0,
+      derEncodingBuf,
+      off,
+      lengthEncoding.length
+    );
+    off += lengthEncoding.length;
+    System.arraycopy(value, 0, derEncodingBuf, off, value.length);
+
+    return derEncodingBuf;
+  }
+
+  private static byte[] createDERLengthEncoding(int size) {
+    if (size <= 0x7F) {
+      // single byte length encoding
+      return new byte[] { (byte) size };
+    } else if (size <= 0xFF) {
+      // double byte length encoding
+      return new byte[] { (byte) 0x81, (byte) size };
+    } else if (size <= 0xFFFF) {
+      // triple byte length encoding
+      return new byte[] {
+        (byte) 0x82,
+        (byte) (size >> Byte.SIZE),
+        (byte) size,
+      };
+    }
+
+    throw new IllegalArgumentException(
+      "size too large, only up to 64KiB length encoding supported: " + size
+    );
+  }
+}