appium-ios-remotexpc 0.0.6 → 0.1.1

package/CHANGELOG.md

@@ -1,3 +1,15 @@
+## [0.1.1](https://github.com/appium/appium-ios-remotexpc/compare/v0.1.0...v0.1.1) (2025-07-23)
+
+### Bug Fixes
+
+* change tuntap dependency to appium-ios-tuntap ([#55](https://github.com/appium/appium-ios-remotexpc/issues/55)) ([dad93be](https://github.com/appium/appium-ios-remotexpc/commit/dad93be92c73ab67a028878777d42d31c799288c))
+
+## [0.1.0](https://github.com/appium/appium-ios-remotexpc/compare/v0.0.6...v0.1.0) (2025-07-05)
+
+### Features
+
+* add SRP implementation for Apple TV authentication ([#51](https://github.com/appium/appium-ios-remotexpc/issues/51)) ([4cc8c4e](https://github.com/appium/appium-ios-remotexpc/commit/4cc8c4ef92a689306a903bcc8dd5cfad5b024d7b))
+
 ## [0.0.6](https://github.com/appium/appium-ios-remotexpc/compare/v0.0.5...v0.0.6) (2025-07-05)
 
 ### Bug Fixes

package/build/src/lib/apple-tv/srp/crypto-utils.d.ts

@@ -0,0 +1,53 @@
+/**
+ * Computes a cryptographic hash of the provided input buffers.
+ *
+ * @param inputs - Variable number of Buffer objects to hash
+ * @returns The computed hash as a Buffer
+ * @throws {Error} If no inputs provided
+ */
+export declare function hash(...inputs: Buffer[]): Buffer;
+/**
+ * Calculates the SRP multiplier parameter k = H(N, g).
+ *
+ * @param N - The large safe prime modulus
+ * @param g - The generator
+ * @param keyLength - The key length in bytes
+ * @returns The calculated k value as a bigint
+ * @throws {Error} If parameters are invalid
+ */
+export declare function calculateK(N: bigint, g: bigint, keyLength: number): bigint;
+/**
+ * Calculates the private key x = H(salt, H(username:password)).
+ *
+ * @param salt - The salt buffer
+ * @param username - The username string
+ * @param password - The password string
+ * @returns The calculated x value as a bigint
+ * @throws {Error} If parameters are invalid
+ */
+export declare function calculateX(salt: Buffer, username: string, password: string): bigint;
+/**
+ * Calculates the random scrambling parameter u = H(A, B).
+ *
+ * @param A - The client's public key
+ * @param B - The server's public key
+ * @param keyLength - The key length in bytes
+ * @returns The calculated u value as a bigint
+ * @throws {Error} If parameters are invalid
+ */
+export declare function calculateU(A: bigint, B: bigint, keyLength: number): bigint;
+/**
+ * Calculates the client evidence M1 = H(H(N) xor H(g), H(username), salt, A, B, K).
+ *
+ * @param N - The large safe prime modulus
+ * @param g - The generator
+ * @param username - The username string
+ * @param salt - The salt buffer
+ * @param A - The client's public key
+ * @param B - The server's public key
+ * @param K - The session key
+ * @returns The calculated M1 evidence as a Buffer
+ * @throws {Error} If parameters are invalid
+ */
+export declare function calculateM1(N: bigint, g: bigint, username: string, salt: Buffer, A: bigint, B: bigint, K: Buffer): Buffer;
+//# sourceMappingURL=crypto-utils.d.ts.map

package/build/src/lib/apple-tv/srp/crypto-utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto-utils.d.ts","sourceRoot":"","sources":["../../../../../src/lib/apple-tv/srp/crypto-utils.ts"],"names":[],"mappings":"AASA;;;;;;GAMG;AACH,wBAAgB,IAAI,CAAC,GAAG,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,CAehD;AAED;;;;;;;;GAQG;AACH,wBAAgB,UAAU,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,MAAM,CAa1E;AAED;;;;;;;;GAQG;AACH,wBAAgB,UAAU,CACxB,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,GACf,MAAM,CAcR;AAED;;;;;;;;GAQG;AACH,wBAAgB,UAAU,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,MAAM,CAkB1E;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,WAAW,CACzB,CAAC,EAAE,MAAM,EACT,CAAC,EAAE,MAAM,EACT,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,EACZ,CAAC,EAAE,MAAM,EACT,CAAC,EAAE,MAAM,EACT,CAAC,EAAE,MAAM,GACR,MAAM,CA6BR"}

package/build/src/lib/apple-tv/srp/crypto-utils.js

@@ -0,0 +1,128 @@
+import { createHash } from 'node:crypto';
+import { SRP_HASH_ALGORITHM } from '../constants.js';
+import { bigIntToBuffer, bigIntToMinimalBuffer, bufferToBigInt, } from '../utils/buffer-utils.js';
+/**
+ * Computes a cryptographic hash of the provided input buffers.
+ *
+ * @param inputs - Variable number of Buffer objects to hash
+ * @returns The computed hash as a Buffer
+ * @throws {Error} If no inputs provided
+ */
+export function hash(...inputs) {
+    if (inputs.length === 0) {
+        throw new Error('At least one input buffer is required for hashing');
+    }
+    const hasher = createHash(SRP_HASH_ALGORITHM);
+    for (const input of inputs) {
+        if (!Buffer.isBuffer(input)) {
+            throw new Error('All inputs must be Buffer objects');
+        }
+        hasher.update(input);
+    }
+    return hasher.digest();
+}
+/**
+ * Calculates the SRP multiplier parameter k = H(N, g).
+ *
+ * @param N - The large safe prime modulus
+ * @param g - The generator
+ * @param keyLength - The key length in bytes
+ * @returns The calculated k value as a bigint
+ * @throws {Error} If parameters are invalid
+ */
+export function calculateK(N, g, keyLength) {
+    if (N <= BigInt(0) || g <= BigInt(0)) {
+        throw new Error('N and g must be positive');
+    }
+    if (keyLength <= 0) {
+        throw new Error('Key length must be positive');
+    }
+    const NBuffer = bigIntToBuffer(N, keyLength);
+    const gBuffer = bigIntToBuffer(g, keyLength);
+    const kHash = hash(NBuffer, gBuffer);
+    return bufferToBigInt(kHash);
+}
+/**
+ * Calculates the private key x = H(salt, H(username:password)).
+ *
+ * @param salt - The salt buffer
+ * @param username - The username string
+ * @param password - The password string
+ * @returns The calculated x value as a bigint
+ * @throws {Error} If parameters are invalid
+ */
+export function calculateX(salt, username, password) {
+    if (!Buffer.isBuffer(salt) || salt.length === 0) {
+        throw new Error('Salt must be a non-empty Buffer');
+    }
+    if (!username || !password) {
+        throw new Error('Username and password must be non-empty strings');
+    }
+    const usernamePasswordHash = hash(Buffer.from(`${username}:${password}`, 'utf8'));
+    const xHash = hash(salt, usernamePasswordHash);
+    return bufferToBigInt(xHash);
+}
+/**
+ * Calculates the random scrambling parameter u = H(A, B).
+ *
+ * @param A - The client's public key
+ * @param B - The server's public key
+ * @param keyLength - The key length in bytes
+ * @returns The calculated u value as a bigint
+ * @throws {Error} If parameters are invalid
+ */
+export function calculateU(A, B, keyLength) {
+    if (A <= BigInt(0) || B <= BigInt(0)) {
+        throw new Error('Public keys A and B must be positive');
+    }
+    if (keyLength <= 0) {
+        throw new Error('Key length must be positive');
+    }
+    const ABuffer = bigIntToBuffer(A, keyLength);
+    const BBuffer = bigIntToBuffer(B, keyLength);
+    const uHash = hash(ABuffer, BBuffer);
+    const u = bufferToBigInt(uHash);
+    if (u === BigInt(0)) {
+        throw new Error('Calculated u value cannot be zero (hash collision)');
+    }
+    return u;
+}
+/**
+ * Calculates the client evidence M1 = H(H(N) xor H(g), H(username), salt, A, B, K).
+ *
+ * @param N - The large safe prime modulus
+ * @param g - The generator
+ * @param username - The username string
+ * @param salt - The salt buffer
+ * @param A - The client's public key
+ * @param B - The server's public key
+ * @param K - The session key
+ * @returns The calculated M1 evidence as a Buffer
+ * @throws {Error} If parameters are invalid
+ */
+export function calculateM1(N, g, username, salt, A, B, K) {
+    if (N <= BigInt(0) || g <= BigInt(0) || A <= BigInt(0) || B <= BigInt(0)) {
+        throw new Error('All bigint parameters must be positive');
+    }
+    if (!username) {
+        throw new Error('Username must be non-empty');
+    }
+    if (!Buffer.isBuffer(salt) || salt.length === 0) {
+        throw new Error('Salt must be a non-empty Buffer');
+    }
+    if (!Buffer.isBuffer(K) || K.length === 0) {
+        throw new Error('Session key K must be a non-empty Buffer');
+    }
+    const NBytes = bigIntToMinimalBuffer(N);
+    const gBytes = bigIntToMinimalBuffer(g);
+    const NHash = hash(NBytes);
+    const gHash = hash(gBytes);
+    const NgXorBytes = Buffer.alloc(NHash.length);
+    for (let i = 0; i < NHash.length; i++) {
+        NgXorBytes[i] = NHash[i] ^ gHash[i];
+    }
+    const usernameHash = hash(Buffer.from(username, 'utf8'));
+    const ABytes = bigIntToMinimalBuffer(A);
+    const BBytes = bigIntToMinimalBuffer(B);
+    return hash(NgXorBytes, usernameHash, salt, ABytes, BBytes, K);
+}

package/build/src/lib/apple-tv/srp/index.d.ts

@@ -0,0 +1,3 @@
+export { SRPClient } from './srp-client.js';
+export { hash, calculateK, calculateX, calculateU, calculateM1, } from './crypto-utils.js';
+//# sourceMappingURL=index.d.ts.map

package/build/src/lib/apple-tv/srp/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../src/lib/apple-tv/srp/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,OAAO,EACL,IAAI,EACJ,UAAU,EACV,UAAU,EACV,UAAU,EACV,WAAW,GACZ,MAAM,mBAAmB,CAAC"}

package/build/src/lib/apple-tv/srp/index.js

@@ -0,0 +1,2 @@
+export { SRPClient } from './srp-client.js';
+export { hash, calculateK, calculateX, calculateU, calculateM1, } from './crypto-utils.js';

package/build/src/lib/apple-tv/srp/srp-client.d.ts

@@ -0,0 +1,130 @@
+/**
+ * SRP (Secure Remote Password) client implementation following RFC 5054.
+ *
+ * This class handles the client-side operations of the SRP protocol,
+ * including key generation, authentication proof computation, and
+ * session key derivation.
+ */
+export declare class SRPClient {
+    private static readonly ZERO;
+    private static readonly ONE;
+    private static readonly MAX_KEY_GENERATION_ATTEMPTS;
+    private readonly N;
+    private readonly g;
+    private readonly k;
+    private readonly N_MINUS_ONE;
+    private username;
+    private password;
+    private _salt;
+    private _a;
+    private _A;
+    private _B;
+    private _S;
+    private _K;
+    private keysGenerated;
+    private disposed;
+    constructor();
+    /**
+     * Sets the user identity credentials.
+     * Note: Username is set to SRP_USERNAME constant, but can be overridden.
+     *
+     * @param username - The username for authentication
+     * @param password - The password for authentication
+     * @throws {SRPError} If username or password is empty
+     */
+    setIdentity(username: string, password: string): void;
+    /**
+     * Gets the salt value received from the server.
+     *
+     * @returns The salt buffer or null if not set
+     */
+    get salt(): Buffer | null;
+    /**
+     * Sets the salt value received from the server.
+     *
+     * @param value - The salt buffer from the server
+     * @throws {SRPError} If salt is empty or client is disposed
+     */
+    set salt(value: Buffer);
+    /**
+     * Gets the server's public key B.
+     *
+     * @returns The server's public key as a Buffer or null if not set
+     */
+    get serverPublicKey(): Buffer | null;
+    /**
+     * Sets the server's public key B.
+     *
+     * @param value - The server's public key as a Buffer
+     * @throws {SRPError} If the server public key is invalid or client is disposed
+     */
+    set serverPublicKey(value: Buffer);
+    /**
+     * Gets the client's public key A.
+     *
+     * @returns The client's public key as a Buffer
+     * @throws {SRPError} If keys are not generated yet or client is disposed
+     */
+    get publicKey(): Buffer;
+    /**
+     * Computes the authentication proof M1.
+     *
+     * @returns The authentication proof as a Buffer
+     * @throws {SRPError} If required parameters are not set or client is disposed
+     */
+    computeProof(): Buffer;
+    /**
+     * Gets the computed session key K.
+     *
+     * @returns The session key as a Buffer
+     * @throws {SRPError} If session key is not computed or client is disposed
+     */
+    get sessionKey(): Buffer;
+    /**
+     * Checks if the client is ready to perform operations.
+     *
+     * @returns True if salt and server public key are set
+     */
+    isReady(): boolean;
+    /**
+     * Checks if session key has been computed.
+     *
+     * @returns True if a session key is available
+     */
+    hasSessionKey(): boolean;
+    /**
+     * Clears sensitive data and disposes the client.
+     * After calling this method, the client instance should not be used.
+     */
+    dispose(): void;
+    /**
+     * Generates client keys if both salt and server public key are available.
+     * This method ensures keys are generated only once.
+     */
+    private generateClientKeysIfReady;
+    /**
+     * Generates the client's private and public keys using cryptographically secure methods.
+     *
+     * @throws {SRPError} If generated public key is invalid or key generation fails
+     */
+    private generateClientKeys;
+    /**
+     * Computes the shared secret S and derives the session key K.
+     *
+     * @throws {SRPError} If required parameters are not set
+     */
+    private computeSharedSecret;
+    /**
+     * Validates that identity has been set.
+     *
+     * @throws {SRPError} If password is not set (username is set by default)
+     */
+    private validateIdentitySet;
+    /**
+     * Throws an error if the client has been disposed.
+     *
+     * @throws {SRPError} If client is disposed
+     */
+    private throwIfDisposed;
+}
+//# sourceMappingURL=srp-client.d.ts.map

package/build/src/lib/apple-tv/srp/srp-client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"srp-client.d.ts","sourceRoot":"","sources":["../../../../../src/lib/apple-tv/srp/srp-client.ts"],"names":[],"mappings":"AA0BA;;;;;;GAMG;AACH,qBAAa,SAAS;IAEpB,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAa;IACzC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAa;IACxC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,2BAA2B,CAAO;IAE1D,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAkB;IACpC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAiB;IACnC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAS;IAC3B,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAS;IAErC,OAAO,CAAC,QAAQ,CAAS;IACzB,OAAO,CAAC,QAAQ,CAAS;IACzB,OAAO,CAAC,KAAK,CAAuB;IACpC,OAAO,CAAC,EAAE,CAA0B;IACpC,OAAO,CAAC,EAAE,CAA0B;IACpC,OAAO,CAAC,EAAE,CAAuB;IACjC,OAAO,CAAC,EAAE,CAAuB;IACjC,OAAO,CAAC,EAAE,CAAuB;IAGjC,OAAO,CAAC,aAAa,CAAS;IAC9B,OAAO,CAAC,QAAQ,CAAS;;IAWzB;;;;;;;OAOG;IACI,WAAW,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,IAAI;IAgB5D;;;;OAIG;IACH,IAAI,IAAI,IAAI,MAAM,GAAG,IAAI,CAExB;IAED;;;;;OAKG;IACH,IAAI,IAAI,CAAC,KAAK,EAAE,MAAM,EAWrB;IAED;;;;OAIG;IACH,IAAI,eAAe,IAAI,MAAM,GAAG,IAAI,CAEnC;IAED;;;;;OAKG;IACH,IAAI,eAAe,CAAC,KAAK,EAAE,MAAM,EAwBhC;IAED;;;;;OAKG;IACH,IAAI,SAAS,IAAI,MAAM,CAUtB;IAED;;;;;OAKG;IACI,YAAY,IAAI,MAAM;IAyB7B;;;;;OAKG;IACH,IAAI,UAAU,IAAI,MAAM,CAavB;IAED;;;;OAIG;IACI,OAAO,IAAI,OAAO;IAIzB;;;;OAIG;IACI,aAAa,IAAI,OAAO;IAI/B;;;OAGG;IACI,OAAO,IAAI,IAAI;IAqBtB;;;OAGG;IACH,OAAO,CAAC,yBAAyB;IAOjC;;;;OAIG;IACH,OAAO,CAAC,kBAAkB;IAqC1B;;;;OAIG;IACH,OAAO,CAAC,mBAAmB;IAiC3B;;;;OAIG;IACH,OAAO,CAAC,mBAAmB;IAQ3B;;;;OAIG;IACH,OAAO,CAAC,eAAe;CAKxB"}

package/build/src/lib/apple-tv/srp/srp-client.js

@@ -0,0 +1,288 @@
+import { logger } from '@appium/support';
+import { randomBytes } from 'node:crypto';
+import { SRP_GENERATOR, SRP_KEY_LENGTH_BYTES, SRP_PRIME_3072, SRP_PRIVATE_KEY_BITS, SRP_USERNAME, } from '../constants.js';
+import { SRPError } from '../errors.js';
+import { bigIntToBuffer, bufferToBigInt, modPow, } from '../utils/buffer-utils.js';
+import { calculateK, calculateM1, calculateU, calculateX, hash, } from './crypto-utils.js';
+const log = logger.getLogger('SRPClient');
+/**
+ * SRP (Secure Remote Password) client implementation following RFC 5054.
+ *
+ * This class handles the client-side operations of the SRP protocol,
+ * including key generation, authentication proof computation, and
+ * session key derivation.
+ */
+export class SRPClient {
+    // Constants
+    static ZERO = BigInt(0);
+    static ONE = BigInt(1);
+    static MAX_KEY_GENERATION_ATTEMPTS = 100;
+    N = SRP_PRIME_3072;
+    g = SRP_GENERATOR;
+    k;
+    N_MINUS_ONE;
+    username;
+    password;
+    _salt = null;
+    _a = SRPClient.ZERO;
+    _A = SRPClient.ZERO;
+    _B = null;
+    _S = null;
+    _K = null;
+    // State tracking
+    keysGenerated = false;
+    disposed = false;
+    constructor() {
+        this.k = calculateK(this.N, this.g, SRP_KEY_LENGTH_BYTES);
+        this.N_MINUS_ONE = this.N - SRPClient.ONE;
+        this.username = SRP_USERNAME;
+        this.password = '';
+        log.debug('Initialized SRP client with k value');
+    }
+    /**
+     * Sets the user identity credentials.
+     * Note: Username is set to SRP_USERNAME constant, but can be overridden.
+     *
+     * @param username - The username for authentication
+     * @param password - The password for authentication
+     * @throws {SRPError} If username or password is empty
+     */
+    setIdentity(username, password) {
+        this.throwIfDisposed();
+        if (!username?.trim()) {
+            throw new SRPError('Username cannot be empty');
+        }
+        if (!password) {
+            throw new SRPError('Password cannot be empty');
+        }
+        this.username = username.trim();
+        this.password = password;
+        log.debug('Identity set successfully');
+    }
+    /**
+     * Gets the salt value received from the server.
+     *
+     * @returns The salt buffer or null if not set
+     */
+    get salt() {
+        return this._salt;
+    }
+    /**
+     * Sets the salt value received from the server.
+     *
+     * @param value - The salt buffer from the server
+     * @throws {SRPError} If salt is empty or client is disposed
+     */
+    set salt(value) {
+        this.throwIfDisposed();
+        if (!value || value.length === 0) {
+            throw new SRPError('Salt cannot be empty');
+        }
+        this._salt = value;
+        this.generateClientKeysIfReady();
+        log.debug('Salt set successfully');
+    }
+    /**
+     * Gets the server's public key B.
+     *
+     * @returns The server's public key as a Buffer or null if not set
+     */
+    get serverPublicKey() {
+        return this._B ? bigIntToBuffer(this._B, SRP_KEY_LENGTH_BYTES) : null;
+    }
+    /**
+     * Sets the server's public key B.
+     *
+     * @param value - The server's public key as a Buffer
+     * @throws {SRPError} If the server public key is invalid or client is disposed
+     */
+    set serverPublicKey(value) {
+        this.throwIfDisposed();
+        if (!value || value.length !== SRP_KEY_LENGTH_BYTES) {
+            throw new SRPError(`Server public key must be ${SRP_KEY_LENGTH_BYTES} bytes, got ${value?.length || 0}`);
+        }
+        this._B = bufferToBigInt(value);
+        if (this._B <= SRPClient.ONE || this._B >= this.N_MINUS_ONE) {
+            throw new SRPError('Invalid server public key B: must be in range (1, N-1)');
+        }
+        // Additional security check
+        if (this._B % this.N === SRPClient.ZERO) {
+            throw new SRPError('Invalid server public key B: divisible by N');
+        }
+        this.generateClientKeysIfReady();
+        log.debug('Server public key set successfully');
+    }
+    /**
+     * Gets the client's public key A.
+     *
+     * @returns The client's public key as a Buffer
+     * @throws {SRPError} If keys are not generated yet or client is disposed
+     */
+    get publicKey() {
+        this.throwIfDisposed();
+        if (this._A === SRPClient.ZERO) {
+            throw new SRPError('Client keys not generated yet. Set salt and serverPublicKey properties first.');
+        }
+        return bigIntToBuffer(this._A, SRP_KEY_LENGTH_BYTES);
+    }
+    /**
+     * Computes the authentication proof M1.
+     *
+     * @returns The authentication proof as a Buffer
+     * @throws {SRPError} If required parameters are not set or client is disposed
+     */
+    computeProof() {
+        this.throwIfDisposed();
+        this.validateIdentitySet();
+        if (!this._K) {
+            this.computeSharedSecret();
+        }
+        if (!this._salt || !this._K || !this._B) {
+            throw new SRPError('Cannot compute proof: salt, session key, and server public key must be set');
+        }
+        return calculateM1(this.N, this.g, this.username, this._salt, this._A, this._B, this._K);
+    }
+    /**
+     * Gets the computed session key K.
+     *
+     * @returns The session key as a Buffer
+     * @throws {SRPError} If session key is not computed or client is disposed
+     */
+    get sessionKey() {
+        this.throwIfDisposed();
+        this.validateIdentitySet();
+        if (!this._K) {
+            this.computeSharedSecret();
+        }
+        if (!this._K) {
+            throw new SRPError('Session key not computed');
+        }
+        return this._K;
+    }
+    /**
+     * Checks if the client is ready to perform operations.
+     *
+     * @returns True if salt and server public key are set
+     */
+    isReady() {
+        return !this.disposed && !!(this._salt && this._B && this.keysGenerated);
+    }
+    /**
+     * Checks if session key has been computed.
+     *
+     * @returns True if a session key is available
+     */
+    hasSessionKey() {
+        return !this.disposed && !!this._K;
+    }
+    /**
+     * Clears sensitive data and disposes the client.
+     * After calling this method, the client instance should not be used.
+     */
+    dispose() {
+        if (this.disposed) {
+            return;
+        }
+        // Clear sensitive data
+        this.password = '';
+        this._a = SRPClient.ZERO;
+        if (this._K) {
+            this._K.fill(0);
+        }
+        this._salt = null;
+        this._S = null;
+        this._B = null;
+        this.disposed = true;
+        log.debug('SRP client disposed and sensitive data cleared');
+    }
+    /**
+     * Generates client keys if both salt and server public key are available.
+     * This method ensures keys are generated only once.
+     */
+    generateClientKeysIfReady() {
+        if (this._salt && this._B && !this.keysGenerated) {
+            this.generateClientKeys();
+            this.keysGenerated = true;
+        }
+    }
+    /**
+     * Generates the client's private and public keys using cryptographically secure methods.
+     *
+     * @throws {SRPError} If generated public key is invalid or key generation fails
+     */
+    generateClientKeys() {
+        this.validateIdentitySet();
+        let attempts = 0;
+        while (attempts < SRPClient.MAX_KEY_GENERATION_ATTEMPTS) {
+            const randomBits = randomBytes(SRP_PRIVATE_KEY_BITS / 8);
+            this._a = bufferToBigInt(randomBits);
+            // Ensure key is in valid range without introducing bias
+            if (this._a >= this.N) {
+                attempts++;
+                continue;
+            }
+            if (this._a === SRPClient.ZERO) {
+                attempts++;
+                continue;
+            }
+            this._A = modPow(this.g, this._a, this.N);
+            if (this._A <= SRPClient.ONE || this._A >= this.N_MINUS_ONE) {
+                attempts++;
+                continue;
+            }
+            // Successfully generated valid keys
+            log.debug('Generated client keys successfully');
+            return;
+        }
+        throw new SRPError(`Failed to generate secure client keys after ${SRPClient.MAX_KEY_GENERATION_ATTEMPTS} attempts`);
+    }
+    /**
+     * Computes the shared secret S and derives the session key K.
+     *
+     * @throws {SRPError} If required parameters are not set
+     */
+    computeSharedSecret() {
+        this.validateIdentitySet();
+        if (!this._salt || !this._B) {
+            throw new SRPError('Salt and server public key must be set first');
+        }
+        if (this._A === SRPClient.ZERO) {
+            throw new SRPError('Client keys not generated');
+        }
+        const u = calculateU(this._A, this._B, SRP_KEY_LENGTH_BYTES);
+        log.debug('Calculated u value');
+        const x = calculateX(this._salt, this.username, this.password);
+        log.debug('Calculated x value');
+        const gx = modPow(this.g, x, this.N);
+        const kgx = (this.k * gx) % this.N;
+        // Fix negative modulo operation
+        let base = this._B - kgx;
+        base = ((base % this.N) + this.N) % this.N;
+        const exponent = this._a + u * x;
+        this._S = modPow(base, exponent, this.N);
+        log.debug('Calculated shared secret S');
+        const SBuffer = bigIntToBuffer(this._S, SRP_KEY_LENGTH_BYTES);
+        this._K = hash(SBuffer);
+        log.debug('Calculated session key K');
+    }
+    /**
+     * Validates that identity has been set.
+     *
+     * @throws {SRPError} If password is not set (username is set by default)
+     */
+    validateIdentitySet() {
+        if (!this.password) {
+            throw new SRPError('Password must be set before performing operations. Call setIdentity() first.');
+        }
+    }
+    /**
+     * Throws an error if the client has been disposed.
+     *
+     * @throws {SRPError} If client is disposed
+     */
+    throwIfDisposed() {
+        if (this.disposed) {
+            throw new SRPError('SRP client has been disposed');
+        }
+    }
+}

package/build/src/lib/tunnel/index.d.ts

@@ -1,5 +1,5 @@
+import { type TunnelConnection } from 'appium-ios-tuntap';
 import type { TLSSocket } from 'tls';
-import { type TunnelConnection } from 'tuntap-bridge';
 import { RemoteXpcConnection } from '../remote-xpc/remote-xpc-connection.js';
 /**
  * A wrapper around the tunnel connection that

package/build/src/lib/tunnel/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/lib/tunnel/index.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,KAAK,CAAC;AACrC,OAAO,EAAE,KAAK,gBAAgB,EAA2B,MAAM,eAAe,CAAC;AAE/E,OAAO,EAAE,mBAAmB,EAAE,MAAM,wCAAwC,CAAC;AAsB7E;;;GAGG;AACH,cAAM,oBAAoB;IAExB,OAAO,CAAC,cAAc,CAA+C;IAErE;;;;;OAKG;IACH,YAAY,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO;IAKtC;;;;OAIG;IACH,gBAAgB,IAAI,MAAM,EAAE;IAM5B;;;;;;OAMG;IACG,yBAAyB,CAC7B,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,mBAAmB,CAAC;IA2C/B;;;;;;OAMG;IACG,SAAS,CAAC,mBAAmB,EAAE,SAAS,GAAG,OAAO,CAAC,gBAAgB,CAAC;IAmD1E;;;;;OAKG;IACH,kBAAkB,CAAC,OAAO,EAAE,MAAM,GAAG,gBAAgB,GAAG,IAAI;IAU5D;;;;;OAKG;IACG,oBAAoB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAgC1D;;;;OAIG;IACG,eAAe,IAAI,OAAO,CAAC,IAAI,CAAC;IAatC;;;;;OAKG;IACG,WAAW,IAAI,OAAO,CAAC,IAAI,CAAC;CAGnC;AAGD,eAAO,MAAM,aAAa,sBAA6B,CAAC;AAExD,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAC/D,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/lib/tunnel/index.ts"],"names":[],"mappings":"AACA,OAAO,EACL,KAAK,gBAAgB,EAEtB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,KAAK,CAAC;AAErC,OAAO,EAAE,mBAAmB,EAAE,MAAM,wCAAwC,CAAC;AAsB7E;;;GAGG;AACH,cAAM,oBAAoB;IAExB,OAAO,CAAC,cAAc,CAA+C;IAErE;;;;;OAKG;IACH,YAAY,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO;IAKtC;;;;OAIG;IACH,gBAAgB,IAAI,MAAM,EAAE;IAM5B;;;;;;OAMG;IACG,yBAAyB,CAC7B,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,mBAAmB,CAAC;IA2C/B;;;;;;OAMG;IACG,SAAS,CAAC,mBAAmB,EAAE,SAAS,GAAG,OAAO,CAAC,gBAAgB,CAAC;IAmD1E;;;;;OAKG;IACH,kBAAkB,CAAC,OAAO,EAAE,MAAM,GAAG,gBAAgB,GAAG,IAAI;IAU5D;;;;;OAKG;IACG,oBAAoB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAgC1D;;;;OAIG;IACG,eAAe,IAAI,OAAO,CAAC,IAAI,CAAC;IAatC;;;;;OAKG;IACG,WAAW,IAAI,OAAO,CAAC,IAAI,CAAC;CAGnC;AAGD,eAAO,MAAM,aAAa,sBAA6B,CAAC;AAExD,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAC/D,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC"}

package/build/src/lib/tunnel/index.js

@@ -1,5 +1,5 @@
 import { logger } from '@appium/support';
-import { connectToTunnelLockdown } from 'tuntap-bridge';
+import { connectToTunnelLockdown, } from 'appium-ios-tuntap';
 import { RemoteXpcConnection } from '../remote-xpc/remote-xpc-connection.js';
 const log = logger.getLogger('TunnelManager');
 /**

package/build/src/lib/tunnel/packet-stream-client.d.ts

@@ -1,5 +1,5 @@
+import type { PacketConsumer } from 'appium-ios-tuntap';
 import { EventEmitter } from 'events';
-import type { PacketConsumer } from 'tuntap-bridge';
 /**
  * Client that connects to a PacketStreamServer to receive packet data
  * Implements the PacketSource interface required by SyslogService

package/build/src/lib/tunnel/packet-stream-client.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"packet-stream-client.d.ts","sourceRoot":"","sources":["../../../../src/lib/tunnel/packet-stream-client.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,MAAM,QAAQ,CAAC;AAEtC,OAAO,KAAK,EAAE,cAAc,EAAc,MAAM,eAAe,CAAC;AAShE;;;GAGG;AACH,qBAAa,kBAAmB,SAAQ,YAAY;IAOhD,OAAO,CAAC,QAAQ,CAAC,IAAI;IACrB,OAAO,CAAC,QAAQ,CAAC,IAAI;IAPvB,OAAO,CAAC,MAAM,CAAuB;IACrC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAkC;IAClE,OAAO,CAAC,MAAM,CAA2B;IACzC,OAAO,CAAC,SAAS,CAAS;gBAGP,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM;IAKzB,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;IAwC9B,WAAW,IAAI,OAAO;IAIhB,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IASjC,iBAAiB,CAAC,QAAQ,EAAE,cAAc,GAAG,IAAI;IAIjD,oBAAoB,CAAC,QAAQ,EAAE,cAAc,GAAG,IAAI;IAIpD;;OAEG;IACH,OAAO,CAAC,UAAU;IAKlB;;OAEG;IACH,OAAO,CAAC,aAAa;IA2BrB;;;OAGG;IACH,OAAO,CAAC,oBAAoB;IAc5B;;OAEG;IACH,OAAO,CAAC,cAAc;IAStB;;OAEG;IACH,OAAO,CAAC,WAAW;IAWnB;;OAEG;IACH,OAAO,CAAC,eAAe;CASxB"}
+{"version":3,"file":"packet-stream-client.d.ts","sourceRoot":"","sources":["../../../../src/lib/tunnel/packet-stream-client.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,cAAc,EAAc,MAAM,mBAAmB,CAAC;AACpE,OAAO,EAAE,YAAY,EAAE,MAAM,QAAQ,CAAC;AAUtC;;;GAGG;AACH,qBAAa,kBAAmB,SAAQ,YAAY;IAOhD,OAAO,CAAC,QAAQ,CAAC,IAAI;IACrB,OAAO,CAAC,QAAQ,CAAC,IAAI;IAPvB,OAAO,CAAC,MAAM,CAAuB;IACrC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAkC;IAClE,OAAO,CAAC,MAAM,CAA2B;IACzC,OAAO,CAAC,SAAS,CAAS;gBAGP,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM;IAKzB,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;IAwC9B,WAAW,IAAI,OAAO;IAIhB,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IASjC,iBAAiB,CAAC,QAAQ,EAAE,cAAc,GAAG,IAAI;IAIjD,oBAAoB,CAAC,QAAQ,EAAE,cAAc,GAAG,IAAI;IAIpD;;OAEG;IACH,OAAO,CAAC,UAAU;IAKlB;;OAEG;IACH,OAAO,CAAC,aAAa;IA2BrB;;;OAGG;IACH,OAAO,CAAC,oBAAoB;IAc5B;;OAEG;IACH,OAAO,CAAC,cAAc;IAStB;;OAEG;IACH,OAAO,CAAC,WAAW;IAWnB;;OAEG;IACH,OAAO,CAAC,eAAe;CASxB"}