pymobiledevice3 4.26.0__py3-none-any.whl → 4.26.1__py3-none-any.whl

pymobiledevice3/_version.py

@@ -28,7 +28,7 @@ version_tuple: VERSION_TUPLE
 commit_id: COMMIT_ID
 __commit_id__: COMMIT_ID
 
-__version__ = version = '4.26.0'
-__version_tuple__ = version_tuple = (4, 26, 0)
+__version__ = version = '4.26.1'
+__version_tuple__ = version_tuple = (4, 26, 1)
 
 __commit_id__ = commit_id = None

pymobiledevice3/ca.py

@@ -1,6 +1,6 @@
-from datetime import datetime, timedelta
+from datetime import datetime, timedelta, timezone
 from pathlib import Path
-from typing import Optional
+from typing import Optional, Union
 
 from cryptography import x509
 from cryptography.hazmat.primitives import hashes, serialization
@@ -10,8 +10,235 @@ from cryptography.hazmat.primitives.serialization import Encoding, NoEncryption,
 from cryptography.x509 import Certificate
 from cryptography.x509.oid import NameOID
 
+_SERIAL = 1
+
+
+def select_hash_algorithm(device_version: Union[tuple[int, int, int], str, None]) -> hashes.HashAlgorithm:
+    """
+    Choose hash algorithm to match libimobiledevice (idevicepair) logic.
+
+    :param device_version: Device version tuple (major, minor, patch) or "a.b.c" string.
+                           If None, defaults to SHA-256 (modern).
+    :returns: SHA-1 if version < 4.0.0, else SHA-256.
+    """
+    if device_version is None:
+        return hashes.SHA256()
+    if isinstance(device_version, str):
+        parts = tuple(int(x) for x in device_version.split("."))
+    else:
+        parts = device_version
+    return hashes.SHA1() if parts < (4, 0, 0) else hashes.SHA256()
+
+
+def get_validity_bounds(years: int = 10) -> tuple[datetime, datetime]:
+    """
+    Compute notBefore / notAfter validity window.
+
+    :param years: Number of years for certificate validity.
+    :returns: (not_before, not_after) in UTC.
+    """
+    now = datetime.now(timezone.utc)
+    return now - timedelta(minutes=1), now + timedelta(days=365 * years)
+
+
+def serialize_cert_pem(cert: Certificate) -> bytes:
+    """
+    Serialize an X.509 certificate in PEM format.
+
+    :param cert: Certificate object.
+    :returns: PEM-encoded certificate bytes.
+    """
+    return cert.public_bytes(Encoding.PEM)
+
+
+def serialize_private_key_pkcs8_pem(key: RSAPrivateKey) -> bytes:
+    """
+    Serialize a private key in PKCS#8 PEM format (like OpenSSL's PEM_write_bio_PrivateKey).
+
+    :param key: RSA private key.
+    :returns: PEM-encoded PKCS#8 key bytes (unencrypted).
+    """
+    return key.private_bytes(Encoding.PEM, PrivateFormat.PKCS8, NoEncryption())
+
+
+# =======================================
+# Certificate builders (empty DN, v3, KU)
+# =======================================
+
+def build_root_certificate(root_key: RSAPrivateKey, alg: hashes.HashAlgorithm) -> Certificate:
+    """
+    Build a self-signed root (CA) certificate:
+    - Empty subject/issuer (x509.Name([]))
+    - Serial = 1
+    - X.509 v3 with BasicConstraints CA:TRUE (critical)
+    - Signed with root_key using the chosen hash
+
+    :param root_key: RSA private key for the root CA.
+    :param alg: Hash algorithm (SHA-1 or SHA-256).
+    :returns: Root CA certificate.
+    """
+    not_before, not_after = get_validity_bounds()
+    empty = x509.Name([])
+    builder = (
+        x509.CertificateBuilder()
+        .subject_name(empty)
+        .issuer_name(empty)
+        .public_key(root_key.public_key())
+        .serial_number(_SERIAL)
+        .not_valid_before(not_before)
+        .not_valid_after(not_after)
+        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
+    )
+    return builder.sign(root_key, alg)
+
+
+def build_host_certificate(
+        host_key: RSAPrivateKey,
+        root_cert: Certificate,
+        root_key: RSAPrivateKey,
+        alg: hashes.HashAlgorithm,
+) -> Certificate:
+    """
+    Build the host (leaf) certificate signed by the root:
+    - Empty subject
+    - Issuer = root's (empty) subject
+    - Serial = 1
+    - BasicConstraints CA:FALSE (critical)
+    - KeyUsage: digitalSignature, keyEncipherment (critical)
+    - Signed with root_key
+
+    :param host_key: Host RSA private key (leaf).
+    :param root_cert: Root CA certificate.
+    :param root_key: Root RSA private key.
+    :param alg: Hash algorithm (SHA-1 or SHA-256).
+    :returns: Host certificate (leaf).
+    """
+    not_before, not_after = get_validity_bounds()
+    builder = (
+        x509.CertificateBuilder()
+        .subject_name(x509.Name([]))
+        .issuer_name(root_cert.subject)  # empty
+        .public_key(host_key.public_key())
+        .serial_number(_SERIAL)
+        .not_valid_before(not_before)
+        .not_valid_after(not_after)
+        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
+        .add_extension(
+            x509.KeyUsage(
+                digital_signature=True,
+                key_encipherment=True,
+                key_cert_sign=False, crl_sign=False,
+                content_commitment=False, data_encipherment=False,
+                key_agreement=False, encipher_only=False, decipher_only=False,
+            ),
+            critical=True,
+        )
+    )
+    return builder.sign(root_key, alg)
+
+
+def build_device_certificate(
+        device_public_key: RSAPublicKey,
+        root_cert: Certificate,
+        root_key: RSAPrivateKey,
+        alg: hashes.HashAlgorithm,
+) -> Certificate:
+    """
+    Build the device certificate (leaf) signed by the root:
+    - Empty subject
+    - Issuer = root's (empty) subject
+    - Serial = 1
+    - BasicConstraints CA:FALSE (critical)
+    - KeyUsage: digitalSignature, keyEncipherment (critical)
+    - SubjectKeyIdentifier = hash
+    - Signed with root_key
+
+    :param device_public_key: Device's RSA public key (as advertised by lockdown).
+    :param root_cert: Root CA certificate.
+    :param root_key: Root RSA private key.
+    :param alg: Hash algorithm (SHA-1 or SHA-256).
+    :returns: Device certificate (leaf).
+    """
+    not_before, not_after = get_validity_bounds()
+    builder = (
+        x509.CertificateBuilder()
+        .subject_name(x509.Name([]))
+        .issuer_name(root_cert.subject)  # empty
+        .public_key(device_public_key)
+        .serial_number(_SERIAL)
+        .not_valid_before(not_before)
+        .not_valid_after(not_after)
+        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
+        .add_extension(
+            x509.KeyUsage(
+                digital_signature=True,
+                key_encipherment=True,
+                key_cert_sign=False, crl_sign=False,
+                content_commitment=False, data_encipherment=False,
+                key_agreement=False, encipher_only=False, decipher_only=False,
+            ),
+            critical=True,
+        )
+        .add_extension(x509.SubjectKeyIdentifier.from_public_key(device_public_key), critical=False)
+    )
+    return builder.sign(root_key, alg)
+
+
+# ==========================================
+# Public API for your pairing flow (renamed)
+# ==========================================
+
+def generate_pairing_cert_chain(
+        device_public_key_pem: bytes,
+        private_key: Optional[RSAPrivateKey] = None,
+        device_version: Union[tuple[int, int, int], str, None] = (4, 0, 0),
+) -> tuple[bytes, bytes, bytes, bytes, bytes]:
+    """
+    Generate a root→host certificate chain and a device certificate that mirror the
+    libimobiledevice C behavior (empty DN, serial=1, BC/KU/SKI, SHA1 flip for < 4.0).
+
+    :param device_public_key_pem: Device RSA public key in PEM ("RSA PUBLIC KEY") format.
+    :param private_key: Optional host RSA private key to reuse; if None, a new one is generated.
+    :param device_version: Version to select hash (tuple or "a.b.c"). < 4.0.0 => SHA-1; else SHA-256.
+    :returns: (host_cert_pem, host_key_pem, device_cert_pem, root_cert_pem, root_key_pem)
+    """
+    alg = select_hash_algorithm(device_version)
+
+    # Root CA (self-signed)
+    root_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
+    root_cert = build_root_certificate(root_key, alg)
+
+    # Host leaf (reuse provided key if given)
+    host_key = private_key or rsa.generate_private_key(public_exponent=65537, key_size=2048)
+    host_cert = build_host_certificate(host_key, root_cert, root_key, alg)
+
+    # Device leaf (public key provided by the device)
+    dev_pub = load_pem_public_key(device_public_key_pem)
+    if not isinstance(dev_pub, RSAPublicKey):
+        raise ValueError("device_public_key_pem must be an RSA PUBLIC KEY in PEM format")
+    device_cert = build_device_certificate(dev_pub, root_cert, root_key, alg)
+
+    return (
+        serialize_cert_pem(host_cert),
+        serialize_private_key_pkcs8_pem(host_key),
+        serialize_cert_pem(device_cert),
+        serialize_cert_pem(root_cert),
+        serialize_private_key_pkcs8_pem(root_key),
+    )
+
 
 def make_cert(key: RSAPrivateKey, public_key: RSAPublicKey, common_name: Optional[str] = None) -> Certificate:
+    """
+    Create a simple self-signed certificate for the provided key.
+
+    NOTE: This is not suitable for pairing (it sets subject/issuer and lacks C-style fields).
+    It is preserved as-is for your keybag usage.
+
+    :param key: RSA private key for signing.
+    :param public_key: RSA public key to embed in the certificate.
+    :param common_name: Optional CN to include in subject/issuer.
+    :returns: Self-signed certificate.
+    """
     attributes = [x509.NameAttribute(NameOID.COMMON_NAME, common_name)] if common_name else []
     subject = issuer = x509.Name(attributes)
     cert = x509.CertificateBuilder()
@@ -27,22 +254,23 @@ def make_cert(key: RSAPrivateKey, public_key: RSAPublicKey, common_name: Optiona
     return cert
 
 
-def dump_cert(cert):
-    return cert.public_bytes(Encoding.PEM)
+def dump_cert(cert: Certificate) -> bytes:
+    """
+    Serialize a certificate in PEM format.
 
-
-def ca_do_everything(device_public_key, private_key: Optional[rsa.RSAPrivateKey] = None):
-    if private_key is None:
-        private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
-
-    cert = make_cert(private_key, private_key.public_key())
-    dev_key = load_pem_public_key(device_public_key)
-    dev_cert = make_cert(private_key, dev_key, 'Device')
-    return dump_cert(cert), private_key.private_bytes(Encoding.PEM, PrivateFormat.PKCS8, NoEncryption()), dump_cert(
-        dev_cert)
+    :param cert: Certificate object.
+    :returns: PEM-encoded certificate bytes.
+    """
+    return cert.public_bytes(Encoding.PEM)
 
 
 def create_keybag_file(file: Path, common_name: str) -> None:
+    """
+    Write a private key and a simple self-signed certificate to a file (PEM concatenated).
+
+    :param file: Destination file path.
+    :param common_name: Common Name to embed in the self-signed certificate.
+    """
     private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
     cer = make_cert(private_key, private_key.public_key(), common_name)
     file.write_bytes(
@@ -50,4 +278,5 @@ def create_keybag_file(file: Path, common_name: str) -> None:
             encoding=serialization.Encoding.PEM,
             format=PrivateFormat.TraditionalOpenSSL,
             encryption_algorithm=serialization.NoEncryption()
-        ) + cer.public_bytes(encoding=serialization.Encoding.PEM))
+        ) + cer.public_bytes(encoding=serialization.Encoding.PEM)
+    )

pymobiledevice3/lockdown.py

@@ -24,13 +24,13 @@ from packaging.version import Version
 
 from pymobiledevice3 import usbmux
 from pymobiledevice3.bonjour import DEFAULT_BONJOUR_TIMEOUT, browse_mobdev2
-from pymobiledevice3.ca import ca_do_everything
+from pymobiledevice3.ca import generate_pairing_cert_chain
 from pymobiledevice3.common import get_home_folder
 from pymobiledevice3.exceptions import BadDevError, CannotStopSessionError, ConnectionFailedError, \
     ConnectionTerminatedError, DeviceNotFoundError, FatalPairingError, GetProhibitedError, IncorrectModeError, \
     InvalidConnectionError, InvalidHostIDError, InvalidServiceError, LockdownError, MissingValueError, \
     NoDeviceConnectedError, NotPairedError, PairingDialogResponsePendingError, PairingError, PasswordRequiredError, \
-    SetProhibitedError, StartServiceError, UserDeniedPairingError
+    PyMobileDevice3Exception, SetProhibitedError, StartServiceError, UserDeniedPairingError
 from pymobiledevice3.irecv_devices import IRECV_DEVICES
 from pymobiledevice3.lockdown_service_provider import LockdownServiceProvider
 from pymobiledevice3.pair_records import create_pairing_records_cache_folder, generate_host_id, \
@@ -308,6 +308,7 @@ class LockdownClient(ABC, LockdownServiceProvider):
             if not response or response.get('Result') != 'Success':
                 raise CannotStopSessionError()
             return response
+        raise PyMobileDevice3Exception('No active session')
 
     def validate_pairing(self) -> bool:
         if self.pair_record is None:
@@ -363,15 +364,17 @@ class LockdownClient(ABC, LockdownServiceProvider):
             raise PairingError()
 
         self.logger.info('Creating host key & certificate')
-        cert_pem, private_key_pem, device_certificate = ca_do_everything(self.device_public_key,
-                                                                         private_key=private_key)
-
-        pair_record = {'DevicePublicKey': self.device_public_key,
-                       'DeviceCertificate': device_certificate,
-                       'HostCertificate': cert_pem,
+        host_cert_pem, host_key_pem, device_cert_pem, root_cert_pem, root_key_pem = generate_pairing_cert_chain(
+            self.device_public_key,
+            private_key=private_key
+            # TODO: consider parsing product_version to support iOS < 4
+        )
+
+        pair_record = {'DeviceCertificate': device_cert_pem,
+                       'HostCertificate': host_cert_pem,
                        'HostID': self.host_id,
-                       'RootCertificate': cert_pem,
-                       'RootPrivateKey': private_key_pem,
+                       'RootCertificate': root_cert_pem,
+                       'RootPrivateKey': root_key_pem,
                        'WiFiMACAddress': self.wifi_mac_address,
                        'SystemBUID': self.system_buid}
 
@@ -380,7 +383,7 @@ class LockdownClient(ABC, LockdownServiceProvider):
 
         pair = self._request_pair(pair_options, timeout=timeout)
 
-        pair_record['HostPrivateKey'] = private_key_pem
+        pair_record['HostPrivateKey'] = host_key_pem
         escrow_bag = pair.get('EscrowBag')
 
         if escrow_bag is not None:
@@ -405,14 +408,16 @@ class LockdownClient(ABC, LockdownServiceProvider):
             raise PairingError()
 
         self.logger.info('Creating host key & certificate')
-        cert_pem, private_key_pem, device_certificate = ca_do_everything(self.device_public_key)
+        host_cert_pem, host_key_pem, device_cert_pem, root_cert_pem, root_key_pem = generate_pairing_cert_chain(
+            self.device_public_key
+            # TODO: consider parsing product_version to support iOS < 4
+        )
 
-        pair_record = {'DevicePublicKey': self.device_public_key,
-                       'DeviceCertificate': device_certificate,
-                       'HostCertificate': cert_pem,
+        pair_record = {'DeviceCertificate': device_cert_pem,
+                       'HostCertificate': host_cert_pem,
                        'HostID': self.host_id,
-                       'RootCertificate': cert_pem,
-                       'RootPrivateKey': private_key_pem,
+                       'RootCertificate': root_cert_pem,
+                       'RootPrivateKey': root_key_pem,
                        'WiFiMACAddress': self.wifi_mac_address,
                        'SystemBUID': self.system_buid}
 
@@ -434,7 +439,7 @@ class LockdownClient(ABC, LockdownServiceProvider):
                 # second pair with Response to Challenge
                 pair = self._request_pair(pair_options, timeout=timeout)
 
-        pair_record['HostPrivateKey'] = private_key_pem
+        pair_record['HostPrivateKey'] = host_key_pem
         escrow_bag = pair.get('EscrowBag')
 
         if escrow_bag is not None:

{pymobiledevice3-4.26.0.dist-info → pymobiledevice3-4.26.1.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: pymobiledevice3
-Version: 4.26.0
+Version: 4.26.1
 Summary: Pure python3 implementation for working with iDevices (iPhone, etc...)
 Author-email: doronz88 <doron88@gmail.com>, matan <matan1008@gmail.com>
 Maintainer-email: doronz88 <doron88@gmail.com>, matan <matan1008@gmail.com>

{pymobiledevice3-4.26.0.dist-info → pymobiledevice3-4.26.1.dist-info}/RECORD

@@ -8,14 +8,14 @@ misc/understanding_idevice_protocol_layers.md,sha256=8tEqRXWOUPoxOJLZVh7C7H9JGCh
 misc/usbmux_sniff.sh,sha256=iWtbucOEQ9_UEFXk9x-2VNt48Jg5zrPsnUbZ_LfZxwA,212
 pymobiledevice3/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 pymobiledevice3/__main__.py,sha256=tBERBLftc5ENGB4NQfNJRIecok0LQfNvkqXlsi1feFw,11572
-pymobiledevice3/_version.py,sha256=hNrVJOR4hLThWMRcdRZRNkj64SfPTisebBA-EZ7azAM,706
+pymobiledevice3/_version.py,sha256=qneizFYIunJ9wWwPPVKHWiU6zVellqgeXXUE9ezfGGg,706
 pymobiledevice3/bonjour.py,sha256=-Q_TLBGJ6qW3CX_DgBcz-CXfWSwxWVQ2L64hk6PxnDY,5631
-pymobiledevice3/ca.py,sha256=Ho0NaOtATe5hdruUSlVDRpfR9ltEYXjL3MoKwEvEJjw,2296
+pymobiledevice3/ca.py,sha256=mTvWdSjTZw6Eb-22-IZ323GyA1G6CXYmdPedImTjm3A,10542
 pymobiledevice3/common.py,sha256=-PG6oaUkNFlB3jb7E0finMrX8wqhkS-cuTAfmLvZUmc,329
 pymobiledevice3/exceptions.py,sha256=VqWB6WWoMrXt8GDdKqRHeJ1otP-eZIThoHERswXWqpw,10347
 pymobiledevice3/irecv.py,sha256=FoEln1_zHkAiNcEctB5bStfhKNgniOSg7lg9xcX1U2Q,10596
 pymobiledevice3/irecv_devices.py,sha256=BG30ecXSChxdyYCCGIrIO0sVWT31hbKymB78nZWVfWc,38506
-pymobiledevice3/lockdown.py,sha256=AAcJ3QjnAITaatn01SQYQSbv4_uBBaPpYlGIeu8KSJY,38642
+pymobiledevice3/lockdown.py,sha256=xejqmSLhJsvM-F4rs4InxtVVtSYYSN3VJXnxd-ijspI,38814
 pymobiledevice3/lockdown_service_provider.py,sha256=l5N72tiuI-2uowk8wu6B7qkjY2UmqQsnhdJqvJy3I8A,1744
 pymobiledevice3/pair_records.py,sha256=Tr28mlBWPXvOF7vdKBDOuw1rCRwm6RViDTGbikfP77I,6034
 pymobiledevice3/service_connection.py,sha256=_-PTLFr3krtwEBNHEKXCd_2eOGwMpbsfPbB8AX2uN-g,14861
@@ -164,9 +164,9 @@ pymobiledevice3/services/web_protocol/switch_to.py,sha256=hDddJUEePbRN-8xlllOeGh
 pymobiledevice3/tunneld/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 pymobiledevice3/tunneld/api.py,sha256=EfGKXEWhsMSB__menPmRmL9R6dpazVJDUy7B3pn05MM,2357
 pymobiledevice3/tunneld/server.py,sha256=SvC57AV_R8YQhA0fCwGNUdhfy8TKMFWwL_fp_FmXrBI,22715
-pymobiledevice3-4.26.0.dist-info/licenses/LICENSE,sha256=jOtLnuWt7d5Hsx6XXB2QxzrSe2sWWh3NgMfFRetluQM,35147
-pymobiledevice3-4.26.0.dist-info/METADATA,sha256=4lY2IeOmA1nALJ_Ixi48DJBBmmjfrTzqLZWVbmmg_lM,17463
-pymobiledevice3-4.26.0.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
-pymobiledevice3-4.26.0.dist-info/entry_points.txt,sha256=jJMlOanHlVwUxcY__JwvKeWPrvBJr_wJyEq4oHIZNKE,66
-pymobiledevice3-4.26.0.dist-info/top_level.txt,sha256=MjZoRqcWPOh5banG-BbDOnKEfsS3kCxqV9cv-nzyg2Q,21
-pymobiledevice3-4.26.0.dist-info/RECORD,,
+pymobiledevice3-4.26.1.dist-info/licenses/LICENSE,sha256=jOtLnuWt7d5Hsx6XXB2QxzrSe2sWWh3NgMfFRetluQM,35147
+pymobiledevice3-4.26.1.dist-info/METADATA,sha256=xkmBpgcU9uIklTKsi-zlXIUmy03ERVPu_YcRmHhnlaU,17463
+pymobiledevice3-4.26.1.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
+pymobiledevice3-4.26.1.dist-info/entry_points.txt,sha256=jJMlOanHlVwUxcY__JwvKeWPrvBJr_wJyEq4oHIZNKE,66
+pymobiledevice3-4.26.1.dist-info/top_level.txt,sha256=MjZoRqcWPOh5banG-BbDOnKEfsS3kCxqV9cv-nzyg2Q,21
+pymobiledevice3-4.26.1.dist-info/RECORD,,