Add PEM headers during pairing file serialization (#4)

Fixes regression from rustls migration. * Update Cargo.toml * Update pairing_file.rs * base64
2026-03-02 14:36:16 +01:00 · 2025-05-05 17:35:35 -04:00
parent 6ee26a5872
commit 512b556a45
2 changed files with 99 additions and 18 deletions
--- a/idevice/Cargo.toml
+++ b/idevice/Cargo.toml
@@ -22,11 +22,11 @@ ns-keyed-archive = { version = "0.1.3", optional = true }
 thiserror = { version = "2" }
 log = { version = "0.4" }
 env_logger = { version = "0.11" }
+base64 = { version = "0.22" }

 indexmap = { version = "2.7", features = ["serde"], optional = true }
 uuid = { version = "1.12", features = ["serde", "v4"], optional = true }
 async-recursion = { version = "1.1", optional = true }
-base64 = { version = "0.22", optional = true }
 chrono = { version = "0.4.40", optional = true, default-features = false }

 serde_json = { version = "1", optional = true }
@@ -76,7 +76,6 @@ xpc = [
  "dep:indexmap",
  "dep:uuid",
  "dep:async-recursion",
-  "dep:base64",
  "dep:json",
 ]
 full = [
--- a/idevice/src/pairing_file.rs
+++ b/idevice/src/pairing_file.rs
@@ -149,18 +149,28 @@ impl TryFrom<RawPairingFile> for PairingFile {
    ///
    /// Performs validation of cryptographic materials during conversion.
    fn try_from(value: RawPairingFile) -> Result<Self, Self::Error> {
+        // Convert raw data into certificates and keys with proper PEM format
+        let device_cert_data = Into::<Vec<u8>>::into(value.device_certificate);
+        let host_private_key_data = Into::<Vec<u8>>::into(value.host_private_key);
+        let host_cert_data = Into::<Vec<u8>>::into(value.host_certificate);
+        let root_private_key_data = Into::<Vec<u8>>::into(value.root_private_key);
+        let root_cert_data = Into::<Vec<u8>>::into(value.root_certificate);
+
+        // Ensure device certificate has proper PEM headers
+        let device_certificate_pem = ensure_pem_headers(&device_cert_data, "CERTIFICATE");
+        
+        // Ensure host certificate has proper PEM headers
+        let host_certificate_pem = ensure_pem_headers(&host_cert_data, "CERTIFICATE");
+        
+        // Ensure root certificate has proper PEM headers
+        let root_certificate_pem = ensure_pem_headers(&root_cert_data, "CERTIFICATE");
+        
        Ok(Self {
-            device_certificate: CertificateDer::from_pem_slice(&Into::<Vec<u8>>::into(
-                value.device_certificate,
-            ))?,
-            host_private_key: Into::<Vec<u8>>::into(value.host_private_key),
-            host_certificate: CertificateDer::from_pem_slice(&Into::<Vec<u8>>::into(
-                value.host_certificate,
-            ))?,
-            root_private_key: Into::<Vec<u8>>::into(value.root_private_key),
-            root_certificate: CertificateDer::from_pem_slice(&Into::<Vec<u8>>::into(
-                value.root_certificate,
-            ))?,
+            device_certificate: CertificateDer::from_pem_slice(&device_certificate_pem)?,
+            host_private_key: host_private_key_data,
+            host_certificate: CertificateDer::from_pem_slice(&host_certificate_pem)?,
+            root_private_key: root_private_key_data,
+            root_certificate: CertificateDer::from_pem_slice(&root_certificate_pem)?,
            system_buid: value.system_buid,
            host_id: value.host_id,
            escrow_bag: value.escrow_bag.into(),
@@ -173,12 +183,21 @@ impl TryFrom<RawPairingFile> for PairingFile {
 impl From<PairingFile> for RawPairingFile {
    /// Converts a structured pairing file into a raw pairing file for serialization
    fn from(value: PairingFile) -> Self {
+        // Ensure certificates include proper PEM format
+        let device_cert_data = ensure_pem_headers(&value.device_certificate.to_vec(), "CERTIFICATE");
+        let host_cert_data = ensure_pem_headers(&value.host_certificate.to_vec(), "CERTIFICATE");
+        let root_cert_data = ensure_pem_headers(&value.root_certificate.to_vec(), "CERTIFICATE");
+        
+        // Ensure private keys include proper PEM format
+        let host_private_key_data = ensure_pem_headers(&value.host_private_key, "PRIVATE KEY");
+        let root_private_key_data = ensure_pem_headers(&value.root_private_key, "PRIVATE KEY");
+
        Self {
-            device_certificate: Data::new(value.device_certificate.to_vec()),
-            host_private_key: Data::new(value.host_private_key),
-            host_certificate: Data::new(value.host_certificate.to_vec()),
-            root_private_key: Data::new(value.root_private_key),
-            root_certificate: Data::new(value.root_certificate.to_vec()),
+            device_certificate: Data::new(device_cert_data),
+            host_private_key: Data::new(host_private_key_data),
+            host_certificate: Data::new(host_cert_data),
+            root_private_key: Data::new(root_private_key_data),
+            root_certificate: Data::new(root_cert_data),
            system_buid: value.system_buid,
            host_id: value.host_id.clone(),
            escrow_bag: Data::new(value.escrow_bag),
@@ -188,6 +207,69 @@ impl From<PairingFile> for RawPairingFile {
    }
 }

+/// Helper function to ensure data has proper PEM headers
+/// If the data already has headers, it returns it as is
+/// If not, it adds the appropriate BEGIN and END headers
+fn ensure_pem_headers(data: &[u8], pem_type: &str) -> Vec<u8> {
+    if is_pem_formatted(data) {
+        return data.to_vec();
+    }
+    
+    // If it's just base64 data, add PEM headers
+    let mut result = Vec::new();
+    
+    // Add header
+    let header = format!("-----BEGIN {}-----\n", pem_type);
+    result.extend_from_slice(header.as_bytes());
+    
+    // Add base64 content with line breaks every 64 characters
+    let base64_content = if is_base64(data) {
+        // Clean up any existing whitespace/newlines
+        let data_str = String::from_utf8_lossy(data);
+        data_str.replace('\n', "").replace('\r', "").replace(' ', "").into_bytes()
+    } else {
+        base64::encode(data).into_bytes()
+    };
+    
+    // Format base64 content with proper line breaks (64 chars per line)
+    for (i, chunk) in base64_content.chunks(64).enumerate() {
+        if i > 0 {
+            result.push(b'\n');
+        }
+        result.extend_from_slice(chunk);
+    }
+    
+    // Add a final newline before the footer
+    result.push(b'\n');
+    
+    // Add footer
+    let footer = format!("-----END {}-----", pem_type);
+    result.extend_from_slice(footer.as_bytes());
+    
+    result
+}
+
+/// Check if data is already in PEM format
+fn is_pem_formatted(data: &[u8]) -> bool {
+    if let Ok(data_str) = std::str::from_utf8(data) {
+        data_str.contains("-----BEGIN") && data_str.contains("-----END")
+    } else {
+        false
+    }
+}
+
+/// Check if data is already base64 encoded
+fn is_base64(data: &[u8]) -> bool {
+    if let Ok(data_str) = std::str::from_utf8(data) {
+        // Simple check to see if string contains only valid base64 characters
+        data_str.chars().all(|c| {
+            c.is_ascii_alphanumeric() || c == '+' || c == '/' || c == '=' || c.is_whitespace()
+        })
+    } else {
+        false
+    }
+}
+
 #[test]
 fn test_pairing_file_roundtrip() {
    let f = std::fs::read("/var/lib/lockdown/test.plist").unwrap();