@capgo/capacitor-updater 6.27.11 → 6.34.0

package/ios/Sources/CapacitorUpdaterPlugin/{CryptoCipherV2.swift → CryptoCipher.swift}

@@ -8,24 +8,59 @@ import Foundation
 import CryptoKit
 import BigInt
 
-// V2 Encryption - uses publicKey (modern encryption from main branch)
-public struct CryptoCipherV2 {
+public struct CryptoCipher {
     private static var logger: Logger!
 
     public static func setLogger(_ logger: Logger) {
         self.logger = logger
     }
 
+    private static func hexStringToData(_ hex: String) -> Data? {
+        var data = Data()
+        var hexIterator = hex.makeIterator()
+        while let c1 = hexIterator.next(), let c2 = hexIterator.next() {
+            guard let byte = UInt8(String([c1, c2]), radix: 16) else {
+                return nil
+            }
+            data.append(byte)
+        }
+        return data
+    }
+
+    private static func isHexString(_ str: String) -> Bool {
+        let hexCharacterSet = CharacterSet(charactersIn: "0123456789abcdefABCDEF")
+        return str.unicodeScalars.allSatisfy { hexCharacterSet.contains($0) }
+    }
+
     public static func decryptChecksum(checksum: String, publicKey: String) throws -> String {
         if publicKey.isEmpty {
             logger.info("No encryption set (public key) ignored")
             return checksum
         }
         do {
-            guard let checksumBytes = Data(base64Encoded: checksum) else {
-                logger.error("Cannot decode checksum as base64: \(checksum)")
-                throw CustomError.cannotDecode
+            // Determine if input is hex or base64 encoded
+            // Hex strings only contain 0-9 and a-f, while base64 contains other characters
+            let checksumBytes: Data
+            let detectedFormat: String
+            if isHexString(checksum) {
+                // Hex encoded (new format from CLI for plugin versions >= 5.30.0, 6.30.0, 7.30.0)
+                guard let hexData = hexStringToData(checksum) else {
+                    logger.error("Cannot decode checksum as hex: \(checksum)")
+                    throw CustomError.cannotDecode
+                }
+                checksumBytes = hexData
+                detectedFormat = "hex"
+            } else {
+                // TODO: remove backwards compatibility
+                // Base64 encoded (old format for backwards compatibility)
+                guard let base64Data = Data(base64Encoded: checksum) else {
+                    logger.error("Cannot decode checksum as base64: \(checksum)")
+                    throw CustomError.cannotDecode
+                }
+                checksumBytes = base64Data
+                detectedFormat = "base64"
             }
+            logger.debug("Received encrypted checksum format: \(detectedFormat) (length: \(checksum.count) chars, \(checksumBytes.count) bytes)")
 
             if checksumBytes.isEmpty {
                 logger.error("Decoded checksum is empty")
@@ -42,12 +77,56 @@ public struct CryptoCipherV2 {
                 throw NSError(domain: "Failed to decrypt session key data", code: 2, userInfo: nil)
             }
 
-            return decryptedChecksum.base64EncodedString()
+            // Return as hex string to match calcChecksum output format
+            let result = decryptedChecksum.map { String(format: "%02x", $0) }.joined()
+
+            // Detect checksum algorithm based on length
+            let detectedAlgorithm: String
+            if decryptedChecksum.count == 32 {
+                detectedAlgorithm = "SHA-256"
+            } else if decryptedChecksum.count == 4 {
+                detectedAlgorithm = "CRC32 (deprecated)"
+                logger.error("CRC32 checksum detected. This algorithm is deprecated and no longer supported. Please update your CLI to use SHA-256 checksums.")
+            } else {
+                detectedAlgorithm = "unknown (\(decryptedChecksum.count) bytes)"
+                logger.error("Unknown checksum algorithm detected with \(decryptedChecksum.count) bytes. Expected SHA-256 (32 bytes).")
+            }
+            logger.debug("Decrypted checksum: \(detectedAlgorithm) hex format (length: \(result.count) chars, \(decryptedChecksum.count) bytes)")
+            return result
         } catch {
             logger.error("decryptChecksum fail: \(error.localizedDescription)")
             throw CustomError.cannotDecode
         }
     }
+
+    /// Detect checksum algorithm based on hex string length.
+    /// SHA-256 = 64 hex chars (32 bytes)
+    /// CRC32 = 8 hex chars (4 bytes)
+    public static func detectChecksumAlgorithm(_ hexChecksum: String) -> String {
+        if hexChecksum.isEmpty {
+            return "empty"
+        }
+        let len = hexChecksum.count
+        if len == 64 {
+            return "SHA-256"
+        } else if len == 8 {
+            return "CRC32 (deprecated)"
+        } else {
+            return "unknown (\(len) hex chars)"
+        }
+    }
+
+    /// Log checksum info and warn if deprecated algorithm detected.
+    public static func logChecksumInfo(label: String, hexChecksum: String) {
+        let algorithm = detectChecksumAlgorithm(hexChecksum)
+        logger.debug("\(label): \(algorithm) hex format (length: \(hexChecksum.count) chars)")
+        if algorithm.contains("CRC32") {
+            logger.error("CRC32 checksum detected. This algorithm is deprecated and no longer supported. Please update your CLI to use SHA-256 checksums.")
+        } else if algorithm.contains("unknown") {
+            logger.error("Unknown checksum algorithm detected. Expected SHA-256 (64 hex chars) but got \(hexChecksum.count) chars.")
+        }
+    }
+
     public static func calcChecksum(filePath: URL) -> String {
         let bufferSize = 1024 * 1024 * 5 // 5 MB
         var sha256 = SHA256()

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@capgo/capacitor-updater",
-  "version": "6.27.11",
+  "version": "6.34.0",
   "license": "MPL-2.0",
   "description": "Live update for capacitor apps",
   "main": "dist/plugin.cjs.js",

package/android/src/main/java/ee/forgr/capacitor_updater/CryptoCipherV1.java

@@ -1,222 +0,0 @@
-/*
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at https://mozilla.org/MPL/2.0/.
- */
-
-package ee.forgr.capacitor_updater;
-
-/**
- * Created by Awesometic
- * It's encrypt returns Base64 encoded, and also decrypt for Base64 encoded cipher
- * references: http://stackoverflow.com/questions/12471999/rsa-encryption-decryption-in-android
- *
- * V1 Encryption - uses privateKey (deprecated but kept for backwards compatibility)
- */
-import android.util.Base64;
-import android.util.Log;
-import java.io.BufferedInputStream;
-import java.io.DataInputStream;
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.FileOutputStream;
-import java.io.IOException;
-import java.security.GeneralSecurityException;
-import java.security.InvalidAlgorithmParameterException;
-import java.security.InvalidKeyException;
-import java.security.KeyFactory;
-import java.security.NoSuchAlgorithmException;
-import java.security.PrivateKey;
-import java.security.PublicKey;
-import java.security.spec.InvalidKeySpecException;
-import java.security.spec.MGF1ParameterSpec;
-import java.security.spec.PKCS8EncodedKeySpec;
-import java.security.spec.X509EncodedKeySpec;
-import java.util.zip.CRC32;
-import javax.crypto.BadPaddingException;
-import javax.crypto.Cipher;
-import javax.crypto.IllegalBlockSizeException;
-import javax.crypto.NoSuchPaddingException;
-import javax.crypto.SecretKey;
-import javax.crypto.spec.IvParameterSpec;
-import javax.crypto.spec.OAEPParameterSpec;
-import javax.crypto.spec.PSource;
-import javax.crypto.spec.SecretKeySpec;
-
-public class CryptoCipherV1 {
-
-    private static Logger logger;
-
-    public static void setLogger(Logger loggerInstance) {
-        logger = loggerInstance;
-    }
-
-    public static byte[] decryptRSA(byte[] source, PrivateKey privateKey)
-        throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidAlgorithmParameterException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException {
-        Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPPadding");
-        OAEPParameterSpec oaepParams = new OAEPParameterSpec(
-            "SHA-256",
-            "MGF1",
-            new MGF1ParameterSpec("SHA-256"),
-            PSource.PSpecified.DEFAULT
-        );
-        cipher.init(Cipher.DECRYPT_MODE, privateKey, oaepParams);
-        return cipher.doFinal(source);
-    }
-
-    public static byte[] decryptAES(byte[] cipherText, SecretKey key, byte[] iv) {
-        try {
-            IvParameterSpec ivParameterSpec = new IvParameterSpec(iv);
-            Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
-            SecretKeySpec keySpec = new SecretKeySpec(key.getEncoded(), "AES");
-            cipher.init(Cipher.DECRYPT_MODE, keySpec, ivParameterSpec);
-            return cipher.doFinal(cipherText);
-        } catch (Exception e) {
-            e.printStackTrace();
-        }
-        return null;
-    }
-
-    public static SecretKey byteToSessionKey(byte[] sessionKey) {
-        // rebuild key using SecretKeySpec
-        return new SecretKeySpec(sessionKey, 0, sessionKey.length, "AES");
-    }
-
-    private static PrivateKey readPkcs8PrivateKey(byte[] pkcs8Bytes) throws GeneralSecurityException {
-        KeyFactory keyFactory = KeyFactory.getInstance("RSA");
-        PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(pkcs8Bytes);
-        try {
-            return keyFactory.generatePrivate(keySpec);
-        } catch (InvalidKeySpecException e) {
-            throw new IllegalArgumentException("Unexpected key format!", e);
-        }
-    }
-
-    private static byte[] join(byte[] byteArray1, byte[] byteArray2) {
-        byte[] bytes = new byte[byteArray1.length + byteArray2.length];
-        System.arraycopy(byteArray1, 0, bytes, 0, byteArray1.length);
-        System.arraycopy(byteArray2, 0, bytes, byteArray1.length, byteArray2.length);
-        return bytes;
-    }
-
-    private static PrivateKey readPkcs1PrivateKey(byte[] pkcs1Bytes) throws GeneralSecurityException {
-        // We can't use Java internal APIs to parse ASN.1 structures, so we build a PKCS#8 key Java can understand
-        int pkcs1Length = pkcs1Bytes.length;
-        int totalLength = pkcs1Length + 22;
-        byte[] pkcs8Header = new byte[] {
-            0x30,
-            (byte) 0x82,
-            (byte) ((totalLength >> 8) & 0xff),
-            (byte) (totalLength & 0xff), // Sequence + total length
-            0x2,
-            0x1,
-            0x0, // Integer (0)
-            0x30,
-            0xD,
-            0x6,
-            0x9,
-            0x2A,
-            (byte) 0x86,
-            0x48,
-            (byte) 0x86,
-            (byte) 0xF7,
-            0xD,
-            0x1,
-            0x1,
-            0x1,
-            0x5,
-            0x0, // Sequence: 1.2.840.113549.1.1.1, NULL
-            0x4,
-            (byte) 0x82,
-            (byte) ((pkcs1Length >> 8) & 0xff),
-            (byte) (pkcs1Length & 0xff) // Octet string + length
-        };
-        byte[] pkcs8bytes = join(pkcs8Header, pkcs1Bytes);
-        return readPkcs8PrivateKey(pkcs8bytes);
-    }
-
-    public static PrivateKey stringToPrivateKey(String private_key) throws GeneralSecurityException {
-        // Base64 decode the result
-
-        String pkcs1Pem = private_key;
-        pkcs1Pem = pkcs1Pem.replace("-----BEGIN RSA PRIVATE KEY-----", "");
-        pkcs1Pem = pkcs1Pem.replace("-----END RSA PRIVATE KEY-----", "");
-        pkcs1Pem = pkcs1Pem.replace("\\n", "");
-        pkcs1Pem = pkcs1Pem.replace(" ", "");
-
-        byte[] pkcs1EncodedBytes = Base64.decode(pkcs1Pem.getBytes(), Base64.DEFAULT);
-        // extract the private key
-        return readPkcs1PrivateKey(pkcs1EncodedBytes);
-    }
-
-    public static void decryptFile(final File file, final String privateKey, final String ivSessionKey, final String version)
-        throws IOException {
-        // (str != null && !str.isEmpty())
-        if (privateKey == null || privateKey.isEmpty()) {
-            Log.i("[Capacitor-updater]", "Cannot found privateKey");
-            return;
-        } else if (ivSessionKey == null || ivSessionKey.isEmpty() || ivSessionKey.split(":").length != 2) {
-            Log.i("[Capacitor-updater]", "Cannot found sessionKey");
-            return;
-        }
-        try {
-            String ivB64 = ivSessionKey.split(":")[0];
-            String sessionKeyB64 = ivSessionKey.split(":")[1];
-            byte[] iv = Base64.decode(ivB64.getBytes(), Base64.DEFAULT);
-            byte[] sessionKey = Base64.decode(sessionKeyB64.getBytes(), Base64.DEFAULT);
-            PrivateKey pKey = CryptoCipherV1.stringToPrivateKey(privateKey);
-            byte[] decryptedSessionKey = CryptoCipherV1.decryptRSA(sessionKey, pKey);
-            SecretKey sKey = CryptoCipherV1.byteToSessionKey(decryptedSessionKey);
-            byte[] content = new byte[(int) file.length()];
-
-            try (
-                final FileInputStream fis = new FileInputStream(file);
-                final BufferedInputStream bis = new BufferedInputStream(fis);
-                final DataInputStream dis = new DataInputStream(bis)
-            ) {
-                dis.readFully(content);
-                dis.close();
-                byte[] decrypted = CryptoCipherV1.decryptAES(content, sKey, iv);
-                // write the decrypted string to the file
-                try (final FileOutputStream fos = new FileOutputStream(file.getAbsolutePath())) {
-                    fos.write(decrypted);
-                }
-            }
-        } catch (GeneralSecurityException e) {
-            Log.i("[Capacitor-updater]", "decryptFile fail");
-            e.printStackTrace();
-            throw new IOException("GeneralSecurityException");
-        }
-    }
-
-    public static String calcChecksum(File file) {
-        final int BUFFER_SIZE = 1024 * 1024 * 5; // 5 MB buffer size
-        CRC32 crc = new CRC32();
-
-        try (FileInputStream fis = new FileInputStream(file)) {
-            byte[] buffer = new byte[BUFFER_SIZE];
-            int length;
-            while ((length = fis.read(buffer)) != -1) {
-                crc.update(buffer, 0, length);
-            }
-            return String.format("%08x", crc.getValue());
-        } catch (IOException e) {
-            System.err.println("[Capacitor-updater]" + " Cannot calc checksum: " + file.getPath() + " " + e.getMessage());
-            return "";
-        }
-    }
-
-    public static PublicKey stringToPublicKey(String publicKey) {
-        byte[] encoded = Base64.decode(publicKey, Base64.DEFAULT);
-
-        KeyFactory keyFactory = null;
-        try {
-            keyFactory = KeyFactory.getInstance("RSA");
-            X509EncodedKeySpec keySpec = new X509EncodedKeySpec(encoded);
-            return keyFactory.generatePublic(keySpec);
-        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
-            Log.i("Capacitor-updater", "stringToPublicKey fail\nError:\n" + e.toString());
-            return null;
-        }
-    }
-}

package/ios/Sources/CapacitorUpdaterPlugin/CryptoCipherV1.swift

@@ -1,245 +0,0 @@
-/*
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at https://mozilla.org/MPL/2.0/.
- */
-
-import Foundation
-import CommonCrypto
-import zlib
-
-///
-/// Constants
-///
-private enum CryptoCipherConstants {
-    static let rsaKeySizeInBits: NSNumber = 2048
-    static let aesAlgorithm: CCAlgorithm = CCAlgorithm(kCCAlgorithmAES)
-    static let aesOptions: CCOptions = CCOptions(kCCOptionPKCS7Padding)
-    static let rsaAlgorithm: SecKeyAlgorithm = .rsaEncryptionOAEPSHA256
-}
-///
-/// The RSA keypair. Includes both private and public key.
-///
-public struct RSAKeyPair {
-    private let privateKey: SecKey
-    private let publicKey: SecKey
-
-    #if DEBUG
-    public var __debug_privateKey: SecKey { self.privateKey }
-    public var __debug_publicKey: SecKey { self.publicKey }
-    #endif
-
-    fileprivate init(privateKey: SecKey, publicKey: SecKey) {
-        self.privateKey = privateKey
-        self.publicKey = publicKey
-    }
-
-    ///
-    /// Takes the data and uses the private key to decrypt it.
-    /// Returns the decrypted data.
-    ///
-    public func decrypt(data: Data) -> Data? {
-        var error: Unmanaged<CFError>?
-        if let decryptedData: CFData = SecKeyCreateDecryptedData(self.privateKey, CryptoCipherConstants.rsaAlgorithm, data as CFData, &error) {
-            if error != nil {
-                return nil
-            } else {
-                return decryptedData as Data
-            }
-        } else {
-            return nil
-        }
-    }
-
-    ///
-    /// Takes the data and uses the public key to encrypt it.
-    /// Returns the encrypted data.
-    ///
-    public func encrypt(data: Data) -> Data? {
-        var error: Unmanaged<CFError>?
-        if let encryptedData: CFData = SecKeyCreateEncryptedData(self.publicKey, CryptoCipherConstants.rsaAlgorithm, data as CFData, &error) {
-            if error != nil {
-                return nil
-            } else {
-                return encryptedData as Data
-            }
-        } else {
-            return nil
-        }
-    }
-
-}
-///
-/// The RSA public key.
-///
-public struct RSAPrivateKey {
-    private let privateKey: SecKey
-
-    #if DEBUG
-    public var __debug_privateKey: SecKey { self.privateKey }
-    #endif
-
-    fileprivate init(privateKey: SecKey) {
-        self.privateKey = privateKey
-    }
-    ///
-    /// Takes the data and uses the private key to decrypt it.
-    /// Returns the decrypted data.
-    ///
-    public func decrypt(data: Data) -> Data? {
-        var error: Unmanaged<CFError>?
-        if let decryptedData: CFData = SecKeyCreateDecryptedData(self.privateKey, CryptoCipherConstants.rsaAlgorithm, data as CFData, &error) {
-            if error != nil {
-                return nil
-            } else {
-                return decryptedData as Data
-            }
-        } else {
-            return nil
-        }
-    }
-
-    ///
-    /// Allows you to export the RSA public key to a format (so you can send over the net).
-    ///
-    public func export() -> Data? {
-        return privateKey.exportToData()
-    }
-
-    ///
-    /// Allows you to load an RSA public key (i.e. one downloaded from the net).
-    ///
-    public static func load(rsaPrivateKey: String) -> RSAPrivateKey? {
-        var privKey: String = rsaPrivateKey
-        privKey = privKey.replacingOccurrences(of: "-----BEGIN RSA PRIVATE KEY-----", with: "")
-        privKey = privKey.replacingOccurrences(of: "-----END RSA PRIVATE KEY-----", with: "")
-        privKey = privKey.replacingOccurrences(of: "\\n+", with: "", options: .regularExpression)
-        privKey = privKey.trimmingCharacters(in: .whitespacesAndNewlines)
-        do {
-            guard let rsaPrivateKeyData: Data  = Data(base64Encoded: privKey) else {
-                throw CustomError.cannotDecode
-            }
-            guard let privateKey: SecKey = .loadPrivateFromData(rsaPrivateKeyData) else {
-                throw CustomError.cannotDecode
-            }
-            return RSAPrivateKey(privateKey: privateKey)
-        } catch {
-            print("Error load RSA: \(error)")
-            return nil
-        }
-    }
-}
-
-fileprivate extension SecKey {
-    func exportToData() -> Data? {
-        var error: Unmanaged<CFError>?
-        if let cfData: CFData = SecKeyCopyExternalRepresentation(self, &error) {
-            if error != nil {
-                return nil
-            } else {
-                return cfData as Data
-            }
-        } else {
-            return nil
-        }
-    }
-    static func loadPublicFromData(_ data: Data) -> SecKey? {
-        let keyDict: [NSObject: NSObject] = [
-            kSecAttrKeyType: kSecAttrKeyTypeRSA,
-            kSecAttrKeyClass: kSecAttrKeyClassPublic,
-            kSecAttrKeySizeInBits: CryptoCipherConstants.rsaKeySizeInBits
-        ]
-        return SecKeyCreateWithData(data as NSData, keyDict as CFDictionary, nil)
-    }
-    static func loadPrivateFromData(_ data: Data) -> SecKey? {
-        let keyDict: [NSObject: NSObject] = [
-            kSecAttrKeyType: kSecAttrKeyTypeRSA,
-            kSecAttrKeyClass: kSecAttrKeyClassPrivate,
-            kSecAttrKeySizeInBits: CryptoCipherConstants.rsaKeySizeInBits
-        ]
-        return SecKeyCreateWithData(data as CFData, keyDict as CFDictionary, nil)
-    }
-}
-
-// V1 Encryption - uses privateKey (deprecated but kept for backwards compatibility)
-public struct CryptoCipherV1 {
-    private static var logger: Logger?
-
-    public static func setLogger(_ newLogger: Logger) {
-        logger = newLogger
-    }
-
-    public static func calcChecksum(filePath: URL) -> String {
-        let bufferSize = 1024 * 1024 * 5 // 5 MB
-        var checksum = uLong(0)
-
-        do {
-            let fileHandle = try FileHandle(forReadingFrom: filePath)
-            defer {
-                fileHandle.closeFile()
-            }
-
-            while autoreleasepool(invoking: {
-                let fileData = fileHandle.readData(ofLength: bufferSize)
-                if fileData.count > 0 {
-                    checksum = fileData.withUnsafeBytes {
-                        crc32(checksum, $0.bindMemory(to: Bytef.self).baseAddress, uInt(fileData.count))
-                    }
-                    return true // Continue
-                } else {
-                    return false // End of file
-                }
-            }) {}
-
-            return String(format: "%08X", checksum).lowercased()
-        } catch {
-            print("\("[Capacitor-updater]") Cannot get checksum: \(filePath.path)", error)
-            return ""
-        }
-    }
-    public static func decryptFile(filePath: URL, privateKey: String, sessionKey: String, version: String) throws {
-        if privateKey.isEmpty {
-            print("\("[Capacitor-updater]") Cannot found privateKey")
-            return
-        } else if sessionKey.isEmpty  || sessionKey.components(separatedBy: ":").count != 2 {
-            print("\("[Capacitor-updater]") Cannot found sessionKey")
-            return
-        }
-        do {
-            guard let rsaPrivateKey: RSAPrivateKey = .load(rsaPrivateKey: privateKey) else {
-                print("cannot decode privateKey", privateKey)
-                throw CustomError.cannotDecode
-            }
-
-            let sessionKeyArray: [String] = sessionKey.components(separatedBy: ":")
-            guard let ivData: Data = Data(base64Encoded: sessionKeyArray[0]) else {
-                print("cannot decode sessionKey", sessionKey)
-                throw CustomError.cannotDecode
-            }
-
-            guard let sessionKeyDataEncrypted = Data(base64Encoded: sessionKeyArray[1]) else {
-                throw NSError(domain: "Invalid session key data", code: 1, userInfo: nil)
-            }
-
-            guard let sessionKeyDataDecrypted = rsaPrivateKey.decrypt(data: sessionKeyDataEncrypted) else {
-                throw NSError(domain: "Failed to decrypt session key data", code: 2, userInfo: nil)
-            }
-
-            let aesPrivateKey = AES128Key(iv: ivData, aes128Key: sessionKeyDataDecrypted, logger: logger ?? Logger(withTag: "[Capacitor-updater]"))
-
-            guard let encryptedData = try? Data(contentsOf: filePath) else {
-                throw NSError(domain: "Failed to read encrypted data", code: 3, userInfo: nil)
-            }
-
-            guard let decryptedData = aesPrivateKey.decrypt(data: encryptedData) else {
-                throw NSError(domain: "Failed to decrypt data", code: 4, userInfo: nil)
-            }
-
-            try decryptedData.write(to: filePath)
-
-        } catch {
-            print("\("[Capacitor-updater]") Cannot decode: \(filePath.path)", error)
-            throw CustomError.cannotDecode
-        }
-    }
-}