@limrun/ui 0.9.0-rc.4 → 0.9.0-rc.5

package/src/core/device-install/apple/crypto.ts

@@ -1,202 +0,0 @@
-import forge from 'node-forge';
-
-export type AppleSigningKeyMaterial = {
-  privateKey: CryptoKey;
-  privateKeyPKCS8Base64: string;
-  publicKeySPKIBase64: string;
-  csrPEM: string;
-  csrBase64: string;
-};
-
-export type AppleCSRInput = {
-  commonName: string;
-  emailAddress?: string;
-};
-
-export type ExportP12Input = {
-  privateKeyPKCS8Base64: string;
-  certificateBase64?: string;
-  certificatePEM?: string;
-  password: string;
-  friendlyName?: string;
-};
-
-const rsaAlgorithm: RsaHashedKeyGenParams = {
-  name: 'RSASSA-PKCS1-v1_5',
-  modulusLength: 2048,
-  publicExponent: new Uint8Array([0x01, 0x00, 0x01]),
-  hash: 'SHA-256',
-};
-
-export async function generateAppleSigningKeyAndCSR(input: AppleCSRInput): Promise<AppleSigningKeyMaterial> {
-  if (!crypto.subtle) {
-    throw new Error('WebCrypto is not available in this browser.');
-  }
-  const keyPair = await crypto.subtle.generateKey(rsaAlgorithm, true, ['sign', 'verify']);
-  const publicKeySPKI = new Uint8Array(await crypto.subtle.exportKey('spki', keyPair.publicKey));
-  const certificationRequestInfo = derSequence(
-    derInteger(0),
-    derName(input),
-    publicKeySPKI,
-    derContext(0, new Uint8Array()),
-  );
-  const signature = new Uint8Array(
-    await crypto.subtle.sign('RSASSA-PKCS1-v1_5', keyPair.privateKey, toArrayBuffer(certificationRequestInfo)),
-  );
-  const csrDER = derSequence(
-    certificationRequestInfo,
-    derSequence(derOID('1.2.840.113549.1.1.11'), derNull()),
-    derBitString(signature),
-  );
-  const privateKeyPKCS8 = new Uint8Array(await crypto.subtle.exportKey('pkcs8', keyPair.privateKey));
-  return {
-    privateKey: keyPair.privateKey,
-    privateKeyPKCS8Base64: bytesToBase64(privateKeyPKCS8),
-    publicKeySPKIBase64: bytesToBase64(publicKeySPKI),
-    csrPEM: pemBlock('CERTIFICATE REQUEST', csrDER),
-    csrBase64: bytesToBase64(csrDER),
-  };
-}
-
-export function exportAppleCertificateP12(input: ExportP12Input) {
-  if (!input.certificateBase64 && !input.certificatePEM) {
-    throw new Error('certificateBase64 or certificatePEM is required.');
-  }
-  const privateKey = forge.pki.privateKeyFromPem(
-    pemFromBase64('PRIVATE KEY', input.privateKeyPKCS8Base64),
-  );
-  const certificate = input.certificatePEM
-    ? forge.pki.certificateFromPem(input.certificatePEM)
-    : forge.pki.certificateFromAsn1(
-        forge.asn1.fromDer(forge.util.createBuffer(base64ToBinary(input.certificateBase64!))),
-      );
-  const p12 = forge.pkcs12.toPkcs12Asn1(privateKey, [certificate], input.password, {
-    algorithm: '3des',
-    friendlyName: input.friendlyName,
-  });
-  const der = forge.asn1.toDer(p12).getBytes();
-  return binaryToBase64(der);
-}
-
-function derName(input: AppleCSRInput) {
-  const attributes = [derAttribute('2.5.4.3', derUTF8String(input.commonName))];
-  if (input.emailAddress) {
-    attributes.push(derAttribute('1.2.840.113549.1.9.1', derIA5String(input.emailAddress)));
-  }
-  return derSequence(...attributes);
-}
-
-function derAttribute(oid: string, value: Uint8Array) {
-  return derSet(derSequence(derOID(oid), value));
-}
-
-function derSequence(...values: Uint8Array[]) {
-  return derTLV(0x30, concatBytes(...values));
-}
-
-function derSet(...values: Uint8Array[]) {
-  return derTLV(0x31, concatBytes(...values));
-}
-
-function derContext(tag: number, value: Uint8Array) {
-  return derTLV(0xa0 + tag, value);
-}
-
-function derInteger(value: number) {
-  return derTLV(0x02, new Uint8Array([value]));
-}
-
-function derNull() {
-  return new Uint8Array([0x05, 0x00]);
-}
-
-function derUTF8String(value: string) {
-  return derTLV(0x0c, new TextEncoder().encode(value));
-}
-
-function derIA5String(value: string) {
-  return derTLV(0x16, new TextEncoder().encode(value));
-}
-
-function derBitString(value: Uint8Array) {
-  return derTLV(0x03, concatBytes(new Uint8Array([0]), value));
-}
-
-function derOID(oid: string) {
-  const parts = oid.split('.').map((part) => parseInt(part, 10));
-  if (parts.length < 2 || parts.some((part) => !Number.isFinite(part))) {
-    throw new Error(`Invalid OID: ${oid}`);
-  }
-  const encoded = [parts[0] * 40 + parts[1]];
-  for (const part of parts.slice(2)) {
-    const stack = [part & 0x7f];
-    let value = part >> 7;
-    while (value > 0) {
-      stack.unshift((value & 0x7f) | 0x80);
-      value >>= 7;
-    }
-    encoded.push(...stack);
-  }
-  return derTLV(0x06, new Uint8Array(encoded));
-}
-
-function derTLV(tag: number, value: Uint8Array) {
-  return concatBytes(new Uint8Array([tag]), derLength(value.byteLength), value);
-}
-
-function derLength(length: number) {
-  if (length < 0x80) {
-    return new Uint8Array([length]);
-  }
-  const bytes: number[] = [];
-  let value = length;
-  while (value > 0) {
-    bytes.unshift(value & 0xff);
-    value >>= 8;
-  }
-  return new Uint8Array([0x80 | bytes.length, ...bytes]);
-}
-
-function concatBytes(...chunks: Uint8Array[]) {
-  const length = chunks.reduce((sum, chunk) => sum + chunk.byteLength, 0);
-  const out = new Uint8Array(length);
-  let offset = 0;
-  for (const chunk of chunks) {
-    out.set(chunk, offset);
-    offset += chunk.byteLength;
-  }
-  return out;
-}
-
-function pemBlock(label: string, der: Uint8Array) {
-  const base64 = bytesToBase64(der);
-  const lines = base64.match(/.{1,64}/g) ?? [];
-  return `-----BEGIN ${label}-----\n${lines.join('\n')}\n-----END ${label}-----\n`;
-}
-
-function pemFromBase64(label: string, base64: string) {
-  const lines = base64.match(/.{1,64}/g) ?? [];
-  return `-----BEGIN ${label}-----\n${lines.join('\n')}\n-----END ${label}-----\n`;
-}
-
-function bytesToBase64(bytes: Uint8Array) {
-  let binary = '';
-  for (const byte of bytes) {
-    binary += String.fromCharCode(byte);
-  }
-  return btoa(binary);
-}
-
-function binaryToBase64(binary: string) {
-  return btoa(binary);
-}
-
-function base64ToBinary(value: string) {
-  return atob(value);
-}
-
-function toArrayBuffer(bytes: Uint8Array): ArrayBuffer {
-  const copy = new Uint8Array(bytes.byteLength);
-  copy.set(bytes);
-  return copy.buffer;
-}

package/src/core/device-install/apple/gsa-srp.ts

@@ -1,127 +0,0 @@
-import { Hash, Mode, Srp, util } from '@foxt/js-srp';
-
-export type AppleSRPProtocol = 's2k' | 's2k_fo';
-
-export type AppleSRPInitRequest = {
-  a: string;
-  accountName: string;
-  protocols: AppleSRPProtocol[];
-};
-
-export type AppleSRPInitResponse = {
-  iteration: number;
-  salt: string;
-  protocol: AppleSRPProtocol;
-  b: string;
-  c: string;
-};
-
-export type AppleSRPCompleteProof = {
-  accountName: string;
-  m1: string;
-  m2: string;
-  c: string;
-};
-
-const srp = new Srp(Mode.GSA, Hash.SHA256, 2048);
-
-export class AppleGsaSrpClient {
-  private srpClient?: Awaited<ReturnType<typeof srp.newClient>>;
-
-  constructor(private readonly accountName: string) {}
-
-  async init(): Promise<AppleSRPInitRequest> {
-    if (this.srpClient) {
-      throw new Error('SRP client is already initialized.');
-    }
-    this.srpClient = await srp.newClient(stringToBytes(this.accountName), new Uint8Array());
-    return {
-      accountName: this.accountName,
-      protocols: ['s2k', 's2k_fo'],
-      a: bytesToBase64(util.bytesFromBigint(this.srpClient.A)),
-    };
-  }
-
-  async complete(password: string, serverData: AppleSRPInitResponse): Promise<AppleSRPCompleteProof> {
-    if (!this.srpClient) {
-      throw new Error('SRP client is not initialized.');
-    }
-    if (serverData.protocol !== 's2k' && serverData.protocol !== 's2k_fo') {
-      throw new Error(`Unsupported Apple SRP protocol ${serverData.protocol}.`);
-    }
-    const salt = base64ToBytes(serverData.salt);
-    const serverPublicKey = base64ToBytes(serverData.b);
-    const derivedPassword = await deriveApplePassword(
-      serverData.protocol,
-      password,
-      salt,
-      serverData.iteration,
-    );
-    this.srpClient.p = derivedPassword;
-    await this.srpClient.generate(salt, serverPublicKey);
-    const m2 = await this.srpClient.generateM2();
-    return {
-      accountName: this.accountName,
-      c: serverData.c,
-      m1: bytesToBase64(this.srpClient._M),
-      m2: bytesToBase64(m2),
-    };
-  }
-}
-
-async function deriveApplePassword(
-  protocol: AppleSRPProtocol,
-  password: string,
-  salt: Uint8Array,
-  iterations: number,
-) {
-  let passHash = new Uint8Array(await util.hash(srp.h, toArrayBuffer(stringToBytes(password))));
-  if (protocol === 's2k_fo') {
-    passHash = stringToBytes(util.toHex(passHash));
-  }
-  const imported = await crypto.subtle.importKey(
-    'raw',
-    toArrayBuffer(passHash),
-    { name: 'PBKDF2' },
-    false,
-    ['deriveBits'],
-  );
-  const derived = await crypto.subtle.deriveBits(
-    {
-      name: 'PBKDF2',
-      hash: { name: 'SHA-256' },
-      iterations,
-      salt: toArrayBuffer(salt),
-    },
-    imported,
-    256,
-  );
-  return new Uint8Array(derived);
-}
-
-function stringToBytes(value: string) {
-  return new TextEncoder().encode(value);
-}
-
-function bytesToBase64(bytes: Uint8Array) {
-  let binary = '';
-  for (const byte of bytes) {
-    binary += String.fromCharCode(byte);
-  }
-  return btoa(binary);
-}
-
-function base64ToBytes(value: string) {
-  const binary = atob(value);
-  const bytes = new Uint8Array(binary.length);
-  for (let index = 0; index < binary.length; index += 1) {
-    bytes[index] = binary.charCodeAt(index);
-  }
-  return bytes;
-}
-
-function toArrayBuffer(bytes: Uint8Array): ArrayBuffer {
-  const copy = new Uint8Array(bytes.byteLength);
-  copy.set(bytes);
-  return copy.buffer;
-}

package/src/core/device-install/apple/index.ts

@@ -1,5 +0,0 @@
-export * from './client';
-export * from './crypto';
-export * from './gsa-srp';
-export * from './provisioning';
-export * from './relay';

package/src/core/device-install/apple/provisioning.ts

@@ -1,298 +0,0 @@
-import type { ProvisioningProfileInfo, StoredSigningAssets } from '../types';
-import {
-  getSigningAssets,
-  normalizeBundleID,
-  normalizeUDID,
-  profileContainsDevice,
-  profileMatchesBundleID,
-  putSigningAssets,
-} from '../storage';
-import type { AppleProvisioningRequest } from './relay';
-
-export type AppleDeveloperPortalTeam = {
-  name?: string;
-  teamId?: string;
-  providerId?: string | number;
-  publicProviderId?: string;
-  type?: string;
-  subType?: string;
-};
-
-export type AppleDeveloperPortalDevice = {
-  deviceId?: string;
-  name?: string;
-  deviceNumber?: string;
-  deviceClass?: string;
-  model?: string;
-  status?: string;
-};
-
-export type AppleDeveloperPortalAppID = {
-  appId?: string;
-  appIdId?: string;
-  identifier?: string;
-  bundleId?: string;
-  name?: string;
-  prefix?: string;
-  platform?: string;
-};
-
-export type AppleDeveloperPortalResponse = {
-  resultCode?: number;
-  resultString?: string;
-  userString?: string;
-  teams?: AppleDeveloperPortalTeam[];
-  provider?: AppleDeveloperPortalTeam;
-  availableProviders?: AppleDeveloperPortalTeam[];
-  appIds?: AppleDeveloperPortalAppID[];
-  devices?: AppleDeveloperPortalDevice[];
-  certRequests?: Array<Record<string, unknown>>;
-  certRequest?: Record<string, unknown>;
-  appId?: Record<string, unknown>;
-  device?: Record<string, unknown>;
-  provisioningProfile?: Record<string, unknown>;
-  provisioningProfiles?: Array<Record<string, unknown>>;
-};
-
-export type AppleProvisioningContext = {
-  bundleID: string;
-  deviceUDID: string;
-  teamID?: string;
-};
-
-export type AppleSigningAssetCacheInput = {
-  bundleID: string;
-  deviceUDID?: string;
-  teamID?: string;
-};
-
-export type PutAppleGeneratedSigningAssetsInput = {
-  bundleID: string;
-  deviceUDID?: string;
-  teamID?: string;
-  certificateID?: string;
-  certificateP12Base64: string;
-  certificatePassword: string;
-  provisioningProfileBase64: string;
-  profile: ProvisioningProfileInfo;
-};
-
-export function listTeamsRequest(): AppleProvisioningRequest {
-  return {
-    method: 'POST',
-    path: '/account/listTeams.action',
-    payload: {},
-  };
-}
-
-export function findBundleIDRequest({ bundleID, teamID = '' }: Pick<AppleProvisioningContext, 'bundleID' | 'teamID'>) {
-  void bundleID;
-  return pagedRequest('/account/ios/identifiers/listAppIds.action', teamID, { sort: 'name=asc' });
-}
-
-export function findDeviceRequest({ deviceUDID, teamID = '' }: Pick<AppleProvisioningContext, 'deviceUDID' | 'teamID'>) {
-  void deviceUDID;
-  return pagedRequest('/account/ios/device/listDevices.action', teamID, {
-    sort: 'name=asc',
-    includeRemovedDevices: false,
-  });
-}
-
-export function findDevelopmentCertificatesRequest(teamID = '') {
-  return pagedRequest('/account/ios/certificate/listCertRequests.action', teamID, {
-    sort: 'name=asc',
-    types: '83Q87W3TGH,5QPB9NHCEI',
-  });
-}
-
-export function findDevelopmentProfilesRequest({
-  bundleID,
-  teamID = '',
-}: Pick<AppleProvisioningContext, 'bundleID' | 'teamID'>) {
-  return pagedRequest('/account/ios/profile/listProvisioningProfiles.action', teamID, {
-    search: bundleID,
-    sort: 'name=asc',
-  });
-}
-
-export function registerDeviceRequest({
-  deviceUDID,
-  teamID = '',
-  name = 'Limrun iPhone',
-}: Pick<AppleProvisioningContext, 'deviceUDID' | 'teamID'> & { name?: string }) {
-  return {
-    method: 'POST',
-    path: '/account/ios/device/addDevices.action',
-    payload: {
-      teamId: teamID,
-      deviceNames: name,
-      deviceNumbers: normalizeUDID(deviceUDID),
-      deviceClasses: 'iphone',
-      register: 'single',
-    },
-  } satisfies AppleProvisioningRequest;
-}
-
-export function createBundleIDRequest({
-  bundleID,
-  teamID = '',
-  name,
-}: Pick<AppleProvisioningContext, 'bundleID' | 'teamID'> & { name?: string }) {
-  return {
-    method: 'POST',
-    path: '/account/ios/identifiers/addAppId.action',
-    payload: {
-      teamId: teamID,
-      name: name ?? bundleID,
-      identifier: bundleID,
-      type: 'explicit',
-    },
-  } satisfies AppleProvisioningRequest;
-}
-
-export function submitDevelopmentCSRRequest({
-  csrPEM,
-  teamID = '',
-}: {
-  csrPEM: string;
-  teamID?: string;
-}) {
-  return {
-    method: 'POST',
-    path: '/account/ios/certificate/submitCertificateRequest.action',
-    payload: {
-      teamId: teamID,
-      type: '83Q87W3TGH',
-      csrContent: csrPEM,
-    },
-  } satisfies AppleProvisioningRequest;
-}
-
-export function downloadCertificateRequest(certificateID: string, teamID = '') {
-  return {
-    method: 'GET',
-    path: '/account/ios/certificate/downloadCertificateContent.action',
-    payload: {
-      teamId: teamID,
-      certificateId: certificateID,
-      type: '83Q87W3TGH',
-    },
-  } satisfies AppleProvisioningRequest;
-}
-
-export function createDevelopmentProfileRequest({
-  bundleID,
-  teamID = '',
-  appIDID,
-  certificateID,
-  deviceIDs,
-  name,
-}: Pick<AppleProvisioningContext, 'bundleID' | 'teamID'> & {
-  appIDID: string;
-  certificateID: string;
-  deviceIDs: string[];
-  name?: string;
-}) {
-  return {
-    method: 'POST',
-    path: '/account/ios/profile/createProvisioningProfile.action',
-    payload: {
-      teamId: teamID,
-      provisioningProfileName: name ?? `Limrun ${bundleID}`,
-      certificateIds: [certificateID],
-      appIdId: appIDID,
-      deviceIds: deviceIDs,
-      distributionType: 'limited',
-      subPlatform: 'ios',
-    },
-  } satisfies AppleProvisioningRequest;
-}
-
-export function downloadProfileRequest(profileID: string, teamID = '') {
-  return {
-    method: 'GET',
-    path: '/account/ios/profile/downloadProfileContent',
-    payload: {
-      teamId: teamID,
-      provisioningProfileId: profileID,
-    },
-  } satisfies AppleProvisioningRequest;
-}
-
-export async function getReusableAppleSigningAssets({
-  bundleID,
-  deviceUDID,
-  teamID,
-}: AppleSigningAssetCacheInput) {
-  const stored = await getSigningAssets({ bundleID, deviceUDID });
-  if (!stored || !storedSigningAssetsReusable(stored, { bundleID, deviceUDID, teamID })) {
-    return undefined;
-  }
-  return stored;
-}
-
-export async function putAppleGeneratedSigningAssets(input: PutAppleGeneratedSigningAssetsInput) {
-  return putSigningAssets({
-    ...input,
-    certificateFileName: input.certificateID ? `${input.certificateID}.p12` : 'apple-development.p12',
-    profileFileName: input.profile.uuid ? `${input.profile.uuid}.mobileprovision` : 'apple-development.mobileprovision',
-  });
-}
-
-export function storedSigningAssetsReusable(
-  stored: StoredSigningAssets,
-  { bundleID, deviceUDID, teamID }: AppleSigningAssetCacheInput,
-) {
-  if (!profileMatchesBundleID(stored.profile, bundleID)) {
-    return false;
-  }
-  if (teamID && stored.teamID && stored.teamID !== teamID) {
-    return false;
-  }
-  if (deviceUDID && !profileContainsDevice(stored.profile, deviceUDID)) {
-    return false;
-  }
-  if (stored.profile.expirationDate && new Date(stored.profile.expirationDate).getTime() <= Date.now()) {
-    return false;
-  }
-  return normalizeBundleID(stored.bundleID) === normalizeBundleID(bundleID);
-}
-
-export function selectDeveloperPortalTeam(body: unknown): AppleDeveloperPortalTeam | undefined {
-  const response = body as AppleDeveloperPortalResponse | undefined;
-  return response?.teams?.[0] ?? response?.provider ?? response?.availableProviders?.[0];
-}
-
-export function teamIDCandidates(body: unknown): string[] {
-  const response = body as AppleDeveloperPortalResponse | undefined;
-  const teams = [
-    ...(response?.teams ?? []),
-    ...(response?.provider ? [response.provider] : []),
-    ...(response?.availableProviders ?? []),
-  ];
-  const ids = new Set<string>();
-  for (const team of teams) {
-    for (const value of [team.teamId, team.providerId, team.publicProviderId]) {
-      if (value !== undefined && value !== '') {
-        ids.add(String(value));
-      }
-    }
-  }
-  return [...ids];
-}
-
-function pagedRequest(path: string, teamID: string, payload: Record<string, unknown> = {}) {
-  const basePayload: Record<string, unknown> = {
-    pageNumber: 1,
-    pageSize: 200,
-    ...payload,
-  };
-  if (teamID) {
-    basePayload.teamId = teamID;
-  }
-  return {
-    method: 'POST',
-    path,
-    payload: basePayload,
-  } satisfies AppleProvisioningRequest;
-}