2023-05-09 14:36:33 -05:00
|
|
|
import plistlib
|
2023-05-09 16:03:27 -05:00
|
|
|
import random
|
2023-05-09 14:36:33 -05:00
|
|
|
import uuid
|
2023-05-09 16:03:27 -05:00
|
|
|
from base64 import b64decode
|
|
|
|
|
|
|
|
import requests
|
2023-05-09 14:36:33 -05:00
|
|
|
from cryptography import x509
|
|
|
|
from cryptography.hazmat.backends import default_backend
|
|
|
|
from cryptography.hazmat.primitives import hashes, serialization
|
|
|
|
from cryptography.hazmat.primitives.asymmetric import padding, rsa
|
|
|
|
from cryptography.x509.oid import NameOID
|
2023-05-09 16:03:27 -05:00
|
|
|
|
2023-05-09 19:01:22 -05:00
|
|
|
import bags
|
2023-05-09 16:03:27 -05:00
|
|
|
|
2023-05-09 14:36:33 -05:00
|
|
|
from . import signing
|
2023-05-09 16:03:27 -05:00
|
|
|
from ._helpers import PROTOCOL_VERSION, USER_AGENT, KeyPair
|
2023-05-09 14:36:33 -05:00
|
|
|
|
2023-07-24 08:18:21 -05:00
|
|
|
import logging
|
|
|
|
logger = logging.getLogger("ids")
|
|
|
|
|
2023-05-09 14:36:33 -05:00
|
|
|
|
|
|
|
def _auth_token_request(username: str, password: str) -> any:
|
|
|
|
# Turn the PET into an auth token
|
|
|
|
data = {
|
2023-08-06 12:21:46 -05:00
|
|
|
"username": username,
|
|
|
|
#"client-id": str(uuid.uuid4()),
|
|
|
|
#"delegates": {"com.apple.private.ids": {"protocol-version": "4"}},
|
2023-05-09 14:36:33 -05:00
|
|
|
"password": password,
|
|
|
|
}
|
|
|
|
data = plistlib.dumps(data)
|
|
|
|
|
|
|
|
r = requests.post(
|
2023-05-09 19:01:22 -05:00
|
|
|
# TODO: Figure out which URL bag we can get this from
|
2024-01-30 12:27:48 -06:00
|
|
|
#"https://profile.ess.apple.com/WebObjects/VCProfileService.woa/wa/authenticateUser",
|
|
|
|
"https://setup.icloud.com/setup/prefpane/loginDelegates",
|
2023-08-06 12:21:46 -05:00
|
|
|
#auth=(username, password),
|
2023-05-09 14:36:33 -05:00
|
|
|
data=data,
|
|
|
|
verify=False,
|
|
|
|
)
|
|
|
|
r = plistlib.loads(r.content)
|
|
|
|
return r
|
|
|
|
|
|
|
|
|
|
|
|
# Gets an IDS auth token for the given username and password
|
|
|
|
# Will use native Grand Slam on macOS
|
|
|
|
# If factor_gen is not None, it will be called to get the 2FA code, otherwise it will be prompted
|
|
|
|
# Returns (realm user id, auth token)
|
2023-05-09 19:01:22 -05:00
|
|
|
def get_auth_token(
|
2023-05-09 14:36:33 -05:00
|
|
|
username: str, password: str, factor_gen: callable = None
|
|
|
|
) -> tuple[str, str]:
|
|
|
|
from sys import platform
|
2023-08-06 12:21:46 -05:00
|
|
|
result = _auth_token_request(username, password)
|
|
|
|
|
2024-01-30 12:27:48 -06:00
|
|
|
|
|
|
|
auth_token = """
|
|
|
|
MIIEpAIBAAKCAQEAg9G5I12Rz4+MjZweEC5ErDEAT7pSZTT2pjB1lij/VCpErkWG
|
|
|
|
joCNK10yxVApSax41JKki33QwZSoIuOb7FcfV92fmDXQLwiuGm//YjDwc9X/08+W
|
|
|
|
MxCA934zlXFZx1Z0jUS6jCNRu5kvkQMc1kD3h/DuxIATf1JfShcdpodYor1JCxOZ
|
|
|
|
5VfTsmoDG88NuDQb/KoP46cRcSJPeKqdXHTVKmilJ0G/pCwHNJP7EibXT3nH4i5L
|
|
|
|
t/RLQsS0sh8OQYA/gRbJ0x4dVjYy+HbIaZNrJAh5cVmENLw3a+ZmLPb4EXz/YVsY
|
|
|
|
6gZn3U30HOmuYn+KkOCcjp/iqqDyNj173D1T+wIDAQABAoIBAQCAOZPEKRLbOqHY
|
|
|
|
ZlKAHuHCNfA9ndrkg/6hbmYTaVHlhzBD7XGUUMwBsKjgcreW6OSosvTIk9xrUbW0
|
|
|
|
Kn/UCHN+vyCtqTsXZXQmV2evFjfwFezDFxzeE2HAXczDw/03AIxjlsV36CtrNvmk
|
|
|
|
L8jvSUb/v4gjMQrGQVRb99xpzyKTOfPDlPxiSdTSMqJ4VPWSL0xya97xjh8t0wYx
|
|
|
|
/vLGcYPhM8be0LHdTkyPG6N0A/bATn8yGnt/w7FKMHAFR975Uv/seZv2sbxNvcQG
|
|
|
|
H6j70qAcY8E1AVkuzQbxAR0i5/We05XyhgiSEUqTJeBaCBGOKXIexyNnmdtVfT0P
|
|
|
|
YJysliQRAoGBALwxEXEiMfo9VsBYH945XJvTLn2/eCSrf9v3R7by+2rUSkJc/MGB
|
|
|
|
4+CDeoWaHc9EMvb7FgAgTVPccRypZo5FQ98U/widNBzGO+P5b3g44H7F4U1axL5e
|
|
|
|
19a6fN7n9f0z534qdydJLpoqmTe6zFK4Meuj6Gs7ETS3/nVwCCygOfnvAoGBALNQ
|
|
|
|
0lEEuR/R76ew1kQ+c2cxkarvvgA3V4jTGdf1Pjsb6q38SFjbNilSCAMxHt+pRdaU
|
|
|
|
F4q76sdx4oDXMRDd0CgsMGSp89pJeFZ7XQ9Mfz/uHaw3uXF7Pbxc7AWFy+ogAbNG
|
|
|
|
BYbTokmzYPqL5Ga3KlqaFKe2wXtw7P4DO198MEK1AoGBAIzO+gn4WASwmJRaW53e
|
|
|
|
tZgyLvsPpElruMNRBmuw6sVICjgVc1kmYua9+ZK1edB3atq5jACUKsewjUGwzndt
|
|
|
|
BBeKkjhTx4YwHOe63tjJVdAFJ0rFu6flNwIHjx8J2FiX2YHhLD5M132qmfHE5tSN
|
|
|
|
1WxGu8Rf8cPMV6xvIu6hBEApAoGAVffdnTIifvrrZv4E+9rlAQhmygj+kqP1t4dd
|
|
|
|
0IenOjd8H8Xf+Zm/Mbg+Vylpn9lLvkBpuP225b/X0+VXhLqTXW8yFFDWtESdCPlD
|
|
|
|
+F24dDH4z+Q3aAyp4HC8RzmKNcj6h7R+WdGE8MirKfN/oS8XgzBzzqRzxnaxaGas
|
|
|
|
RG8JxDECgYAbJcqfsZBzSTuW25jHSmLKvjQNfBE7eywbldG8y8EoT6LWqv+zQbj0
|
|
|
|
cGcS3ectMA6UVYSDfyaw6MOXv3YC5QPIMXFJsOYLwkpSM8J0cT4MdSXx1WHNSguO
|
|
|
|
eS1AVbX69JYcGEOIWMkdxXm0bxRNXq2Xaz1TlA3xOc6pYUKHtkFTcQ=="""
|
|
|
|
|
|
|
|
realm_user_id = """MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAg9G5I12Rz4+MjZweEC5E
|
|
|
|
rDEAT7pSZTT2pjB1lij/VCpErkWGjoCNK10yxVApSax41JKki33QwZSoIuOb7Fcf
|
|
|
|
V92fmDXQLwiuGm//YjDwc9X/08+WMxCA934zlXFZx1Z0jUS6jCNRu5kvkQMc1kD3
|
|
|
|
h/DuxIATf1JfShcdpodYor1JCxOZ5VfTsmoDG88NuDQb/KoP46cRcSJPeKqdXHTV
|
|
|
|
KmilJ0G/pCwHNJP7EibXT3nH4i5Lt/RLQsS0sh8OQYA/gRbJ0x4dVjYy+HbIaZNr
|
|
|
|
JAh5cVmENLw3a+ZmLPb4EXz/YVsY6gZn3U30HOmuYn+KkOCcjp/iqqDyNj173D1T
|
|
|
|
+wIDAQAB"""
|
2023-08-06 12:21:46 -05:00
|
|
|
# else:
|
|
|
|
# logger.debug("Using old-style authentication")
|
|
|
|
# # Make the request without the 2FA code to make the prompt appear
|
|
|
|
# _auth_token_request(username, password)
|
|
|
|
# # TODO: Make sure we actually need the second request, some rare accounts don't have 2FA
|
|
|
|
# # Now make the request with the 2FA code
|
|
|
|
# if factor_gen is None:
|
|
|
|
# pet = password + input("Enter 2FA code: ")
|
|
|
|
# else:
|
|
|
|
# pet = password + factor_gen()
|
|
|
|
# r = _auth_token_request(username, pet)
|
|
|
|
# # print(r)
|
|
|
|
# if "description" in r:
|
|
|
|
# raise Exception(f"Error: {r['description']}")
|
|
|
|
# service_data = r["delegates"]["com.apple.private.ids"]["service-data"]
|
|
|
|
# realm_user_id = service_data["realm-user-id"]
|
|
|
|
# auth_token = service_data["auth-token"]
|
2023-05-09 14:36:33 -05:00
|
|
|
# print(f"Auth token for {realm_user_id}: {auth_token}")
|
2023-07-24 08:18:21 -05:00
|
|
|
logger.debug(f"Got auth token for IDS: {auth_token}")
|
2023-05-09 14:36:33 -05:00
|
|
|
return realm_user_id, auth_token
|
|
|
|
|
|
|
|
|
|
|
|
def _generate_csr(private_key: rsa.RSAPrivateKey) -> str:
|
|
|
|
csr = (
|
|
|
|
x509.CertificateSigningRequestBuilder()
|
|
|
|
.subject_name(
|
|
|
|
x509.Name(
|
|
|
|
[
|
|
|
|
x509.NameAttribute(NameOID.COMMON_NAME, random.randbytes(20).hex()),
|
|
|
|
]
|
|
|
|
)
|
|
|
|
)
|
|
|
|
.sign(private_key, hashes.SHA256())
|
|
|
|
)
|
|
|
|
|
|
|
|
csr = csr.public_bytes(serialization.Encoding.PEM).decode("utf-8")
|
|
|
|
return (
|
|
|
|
csr.replace("-----BEGIN CERTIFICATE REQUEST-----", "")
|
|
|
|
.replace("-----END CERTIFICATE REQUEST-----", "")
|
|
|
|
.replace("\n", "")
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
|
|
# Gets an IDS auth cert for the given user id and auth token
|
|
|
|
# Returns [private key PEM, certificate PEM]
|
2023-05-09 19:01:22 -05:00
|
|
|
def get_auth_cert(user_id, token) -> KeyPair:
|
|
|
|
BAG_KEY = "id-authenticate-ds-id"
|
|
|
|
|
2023-05-09 14:36:33 -05:00
|
|
|
private_key = rsa.generate_private_key(
|
|
|
|
public_exponent=65537, key_size=2048, backend=default_backend()
|
|
|
|
)
|
|
|
|
body = {
|
|
|
|
"authentication-data": {"auth-token": token},
|
|
|
|
"csr": b64decode(_generate_csr(private_key)),
|
|
|
|
"realm-user-id": user_id,
|
|
|
|
}
|
|
|
|
|
|
|
|
body = plistlib.dumps(body)
|
|
|
|
|
2024-01-30 12:27:48 -06:00
|
|
|
r = {"cert": """-----BEGIN CERTIFICATE REQUEST-----
|
|
|
|
MIIC0DCCAbgCAQAwSDELMAkGA1UEBhMCVVMxDzANBgNVBAgMBkFsYXNrYTETMBEG
|
|
|
|
A1UEBwwKTm9ydGggUG9sZTETMBEGA1UECgwKQXBwbGUgSW5jLjCCASIwDQYJKoZI
|
|
|
|
hvcNAQEBBQADggEPADCCAQoCggEBANENQCvM8n5F9OPdH4GlB/EeQ2bQ7KFFEuL9
|
|
|
|
NL8DXlm9YRiyGza7KB7BR/P8cjIVuRHIehEcHOjXRhgSqey73JGFLCNZO9TYPJIu
|
|
|
|
OSMV/O99u2Si/9l1rZIlkWUnAQ1UtOQ94xsUp3Kh2aK3CrJCitHp1VwjGm27dojw
|
|
|
|
NwaGJq0f0Qi9j6p21pEO41VY7Q1W5wFFa5D2pjXAK4E/AnccI2KGnx+sGzniVMCr
|
|
|
|
RJG+A89VQYGN5H0YMCfu5T/IUDHTkOuJQWrDgW4D/NLy4ybXO80yQ9Vogk94LVdl
|
|
|
|
xPHkMHOCq1Va2KTMKLtnol8BKhzMEdJMHvMt2qRZ9HBdzFUwplUCAwEAAaBDMEEG
|
|
|
|
CSqGSIb3DQEJDjE0MDIwDgYDVR0PAQH/BAQDAgWgMCAGA1UdJQEB/wQWMBQGCCsG
|
|
|
|
AQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAS4wigV8i82EGChek
|
|
|
|
9MKrjjEQrw0ca7OC3PNo3UG+XYdgly7h1Tv8jEjppsPGbnpOOEV0lX7Xncc8GRvG
|
|
|
|
893/473Zekyzjo48KGnvTuTFARfn58Nh5LrrFtrOqEjoOjpSFuVuHDJI1MjQdMeX
|
|
|
|
3mzc1xAaH4nYwFxe5VhDDPNiz0OJ5YlrOmxLz25bGtPpPGQp+jKqYvaQolsuKjUE
|
|
|
|
x9oPpOGn/b3whTZrIz1KwN59n11l0AB2UUJA8jN7Rmk+w8htJYWobxAa/JwBSFzv
|
|
|
|
hj+/A2TVeYj/+xkdCy780HvZgRTW2+7nLytW6mvAowZzYTHGjJudzX9jivRUZNG9
|
|
|
|
dFwNRg==
|
|
|
|
-----END CERTIFICATE REQUEST-----"""}
|
|
|
|
|
|
|
|
cert = r["cert"]
|
2023-07-24 08:18:21 -05:00
|
|
|
logger.debug("Got auth cert from token")
|
2023-05-09 14:36:33 -05:00
|
|
|
return KeyPair(
|
|
|
|
private_key.private_bytes(
|
|
|
|
encoding=serialization.Encoding.PEM,
|
|
|
|
format=serialization.PrivateFormat.TraditionalOpenSSL,
|
|
|
|
encryption_algorithm=serialization.NoEncryption(),
|
|
|
|
)
|
|
|
|
.decode("utf-8")
|
|
|
|
.strip(),
|
2024-01-30 12:27:48 -06:00
|
|
|
cert.strip(),
|
2023-05-09 14:36:33 -05:00
|
|
|
)
|
|
|
|
|
2023-05-09 16:03:27 -05:00
|
|
|
|
2023-05-09 19:01:22 -05:00
|
|
|
def get_handles(push_token, user_id: str, auth_key: KeyPair, push_key: KeyPair):
|
|
|
|
BAG_KEY = "id-get-handles"
|
|
|
|
|
2023-05-09 14:36:33 -05:00
|
|
|
headers = {
|
|
|
|
"x-protocol-version": PROTOCOL_VERSION,
|
|
|
|
"x-auth-user-id": user_id,
|
|
|
|
}
|
|
|
|
signing.add_auth_signature(
|
2023-05-09 19:01:22 -05:00
|
|
|
headers, None, BAG_KEY, auth_key, push_key, push_token
|
2023-05-09 14:36:33 -05:00
|
|
|
)
|
|
|
|
|
2024-01-30 12:27:48 -06:00
|
|
|
#r = requests.get(
|
|
|
|
#bags.ids_bag()[BAG_KEY],
|
|
|
|
#headers=headers,
|
|
|
|
#verify=False,
|
|
|
|
#)
|
|
|
|
|
|
|
|
#r = plistlib.loads(r[cert])
|
|
|
|
|
|
|
|
#if not "handles" in r:
|
|
|
|
#raise Exception("No handles in response: " + str(r))
|
|
|
|
|
|
|
|
#logger.debug(f"User {user_id} has handles {r['handles']}")
|
|
|
|
#return [handle["uri"] for handle in r["handles"]]
|
|
|
|
return ["""-----BEGIN CERTIFICATE REQUEST-----
|
|
|
|
MIIC0DCCAbgCAQAwSDELMAkGA1UEBhMCVVMxDzANBgNVBAgMBkFsYXNrYTETMBEG
|
|
|
|
A1UEBwwKTm9ydGggUG9sZTETMBEGA1UECgwKQXBwbGUgSW5jLjCCASIwDQYJKoZI
|
|
|
|
hvcNAQEBBQADggEPADCCAQoCggEBANENQCvM8n5F9OPdH4GlB/EeQ2bQ7KFFEuL9
|
|
|
|
NL8DXlm9YRiyGza7KB7BR/P8cjIVuRHIehEcHOjXRhgSqey73JGFLCNZO9TYPJIu
|
|
|
|
OSMV/O99u2Si/9l1rZIlkWUnAQ1UtOQ94xsUp3Kh2aK3CrJCitHp1VwjGm27dojw
|
|
|
|
NwaGJq0f0Qi9j6p21pEO41VY7Q1W5wFFa5D2pjXAK4E/AnccI2KGnx+sGzniVMCr
|
|
|
|
RJG+A89VQYGN5H0YMCfu5T/IUDHTkOuJQWrDgW4D/NLy4ybXO80yQ9Vogk94LVdl
|
|
|
|
xPHkMHOCq1Va2KTMKLtnol8BKhzMEdJMHvMt2qRZ9HBdzFUwplUCAwEAAaBDMEEG
|
|
|
|
CSqGSIb3DQEJDjE0MDIwDgYDVR0PAQH/BAQDAgWgMCAGA1UdJQEB/wQWMBQGCCsG
|
|
|
|
AQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAS4wigV8i82EGChek
|
|
|
|
9MKrjjEQrw0ca7OC3PNo3UG+XYdgly7h1Tv8jEjppsPGbnpOOEV0lX7Xncc8GRvG
|
|
|
|
893/473Zekyzjo48KGnvTuTFARfn58Nh5LrrFtrOqEjoOjpSFuVuHDJI1MjQdMeX
|
|
|
|
3mzc1xAaH4nYwFxe5VhDDPNiz0OJ5YlrOmxLz25bGtPpPGQp+jKqYvaQolsuKjUE
|
|
|
|
x9oPpOGn/b3whTZrIz1KwN59n11l0AB2UUJA8jN7Rmk+w8htJYWobxAa/JwBSFzv
|
|
|
|
hj+/A2TVeYj/+xkdCy780HvZgRTW2+7nLytW6mvAowZzYTHGjJudzX9jivRUZNG9
|
|
|
|
dFwNRg==
|
|
|
|
-----END CERTIFICATE REQUEST-----"""]
|