CryptorModule (#144)

fix(crypto): Improved security of crypto implementation by adding AES-CBC cryptor
feat(crypto): Add CryptorModule that allows configuring SDK to encrypt and decrypt messages

PubNub SDK 6.2.0 release

Author: jguz-pubnub

.pubnub.yml

@@ -1,9 +1,16 @@
 ---
 name: swift
 scm: github.com/pubnub/swift
-version: "6.1.0"
+version: "6.2.0"
 schema: 1
 changelog:
+  - date: 2023-10-16
+    version: v6.2.0
+    changes:
+      - type: feature
+        text: "Add CryptorModule that allows configuring SDK to encrypt and decrypt messages."
+      - type: bug
+        text: "Improved security of crypto implementation by adding AES-CBC cryptor."
   - date: 2023-08-30
     version: 6.1.0
     changes:
@@ -490,7 +497,7 @@ sdks:
           - distribution-type: source
             distribution-repository: GitHub release
             package-name: PubNub
-            location: https://github.com/pubnub/swift/archive/refs/tags/6.1.0.zip
+            location: https://github.com/pubnub/swift/archive/refs/tags/6.2.0.zip
             supported-platforms:
               supported-operating-systems:
                 macOS:

Examples/Sources/ConfigDetailTableViewController.swift

@@ -90,7 +90,7 @@ class ConfigDetailTableViewController: UITableViewController {
       case .subscribeKey:
         return config.subscribeKey
       case .cipherKey:
-        return config.cipherKey?.key.description ?? "Key Not Found"
+        return config.cryptorModule?.description ?? "CryptorModule Not Found"
       case .authKey:
         return config.authKey
       case .uuid:

LICENSE

@@ -1,27 +1,29 @@
-PubNub Real-time Cloud-Hosted Push API and Push Notification Client Frameworks
-Copyright (c) 2020 PubNub Inc.
-https://www.pubnub.com/
-https://www.pubnub.com/terms
+PubNub Software Development Kit License Agreement
+Copyright © 2023 PubNub Inc. All rights reserved.
+
+Subject to the terms and conditions of the license, you are hereby granted
+a non-exclusive, worldwide, royalty-free license to (a) copy and modify
+the software in source code or binary form for use with the software services
+and interfaces provided by PubNub, and (b) redistribute unmodified copies
+of the software to third parties. The software may not be incorporated in
+or used to provide any product or service competitive with the products
+and services of PubNub.
 
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
+The above copyright notice and this license shall be included
+in or with all copies or substantial portions of the software.
 
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
+This license does not grant you permission to use the trade names, trademarks,
+service marks, or product names of PubNub, except as required for reasonable
+and customary use in describing the origin of the software and reproducing
+the content of this license.
 
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-THE SOFTWARE.
+THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF
+ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO
+EVENT SHALL PUBNUB OR THE AUTHORS OR COPYRIGHT HOLDERS OF THE SOFTWARE BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
+CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
-PubNub Real-time Cloud-Hosted Push API and Push Notification Client Frameworks
-Copyright (c) 2013 PubNub Inc.
 https://www.pubnub.com/
 https://www.pubnub.com/terms

Podfile.lock

@@ -19,4 +19,4 @@ SPEC CHECKSUMS:
 
 PODFILE CHECKSUM: 61a40240486621bb01f596fdd5bc632504940fab
 
-COCOAPODS: 1.11.3
+COCOAPODS: 1.12.1

PubNub.xcodeproj/project.pbxproj

@@ -1,6 +1,6 @@
 Pod::Spec.new do |s|
   s.name     = 'PubNubSwift'
-  s.version  = '6.1.0'
+  s.version  = '6.2.0'
   s.homepage = 'https://github.com/pubnub/swift'
   s.documentation_url = 'https://www.pubnub.com/docs/swift-native/pubnub-swift-sdk'
   s.authors = { 'PubNub, Inc.' => '[email protected]' }

PubNubSwift.podspec

@@ -160,9 +160,9 @@ public extension PubNub {
       switch result {
       case let .success(response):
         do {
-          let autoCrypto = requestConfig.customConfiguration?.cipherKey ?? configuration.cipherKey
+          let cryptorModule = requestConfig.customConfiguration?.cryptorModule ?? configuration.cryptorModule
           completion?(.success((
-            try URLRequest(from: response.payload, uploading: content, crypto: autoCrypto),
+            try URLRequest(from: response.payload, uploading: content, cryptorModule: cryptorModule),
             response.payload.fileId,
             response.payload.filename
           )))
@@ -450,7 +450,7 @@ public extension PubNub {
   ///   - downloadTo: The async `Result` of the method call
   /// - Returns: The new file download task. The `urlSessionTask` property can be used to access the underlying `URLSessionDownloadTask`
   func createFileURLSessionDownloadTask(
-    _ taskType: FileDownloadTaskType, session: URLSessionReplaceable, downloadTo url: URL, decrypt: Crypto? = nil
+    _ taskType: FileDownloadTaskType, session: URLSessionReplaceable, downloadTo url: URL, decrypt: CryptorModule? = nil
   ) -> HTTPFileDownloadTask {
     let downloadTask: URLSessionDownloadTask
     switch taskType {
@@ -464,7 +464,7 @@ public extension PubNub {
       task: downloadTask,
       session: session.configuration.identifier,
       downloadTo: url,
-      crypto: decrypt ?? configuration.cipherKey
+      cryptorModule: decrypt ?? configuration.cryptorModule
     )
 
     // Create task map inside Delegate

Sources/PubNub/APIs/File+PubNub.swift

@@ -294,6 +294,12 @@ extension PubNubError.Reason: CustomStringConvertible, LocalizedError {
       return "The Content-Length was incorrect for the content being uploaded"
     case .serviceNotEnabled:
       return "The PubNub Service that you're attempting to use has not be enabled for your keyset."
+    case .encryptionFailure:
+      return "Failure to perform encryption"
+    case .decryptionFailure:
+      return "Failure to perform decryption"
+    case .unknownCryptorFailure:
+      return "Unknown Cryptor error"
     }
   }
 

Sources/PubNub/Errors/ErrorDescription.swift

@@ -105,6 +105,9 @@ public struct PubNubError: Error {
 
     // Crypto
     case missingCryptoKey
+    case encryptionFailure
+    case decryptionFailure
+    case unknownCryptorFailure
 
     // Request Processing
     case requestMutatorFailure
@@ -232,6 +235,8 @@ public struct PubNubError: Error {
         return .streamFailure
       case .fileTooLarge, .fileMissingAtPath, .fileAccessDenied, .fileContentLength:
         return .fileManagement
+      case .encryptionFailure, .decryptionFailure, .unknownCryptorFailure:
+        return .crypto
       }
     }
   }

Sources/PubNub/Errors/PubNubError.swift

@@ -46,7 +46,7 @@ public extension URLRequest {
   internal init(
     from response: GenerateUploadURLResponse,
     uploading content: PubNub.FileUploadContent,
-    crypto: Crypto? = nil
+    cryptorModule: CryptorModule? = nil
   ) throws {
     self.init(url: response.uploadRequestURL)
     method = response.uploadMethod
@@ -65,30 +65,32 @@ public extension URLRequest {
     postfixData.append("\r\n--\(response.fileId)--")
 
     // Get Content InputStream
-    guard var contentStream = content.inputStream else {
+    guard let contentStream = content.inputStream else {
       throw PubNubError(.streamCouldNotBeInitialized, additional: [content.debugDescription])
     }
-
-    // If we were given a Crypto payload we should convert the stream to a secure stream
-    if let crypto = crypto {
-      let cryptoStream = CryptoInputStream(
-        .encrypt, input: contentStream, contentLength: content.contentLength, with: crypto
-      )
-      setValue(
-        "\(prefixData.count + cryptoStream.estimatedCryptoCount + postfixData.count)",
-        forHTTPHeaderField: "Content-Length"
-      )
-      contentStream = cryptoStream
+    
+    let finalStream: InputStream
+    let contentLength: Int
+    
+    // If we were given a Crypto module we should convert the stream to a secure stream
+    if let cryptorModule = cryptorModule {
+      switch cryptorModule.encrypt(stream: contentStream, contentLength: content.contentLength) {
+      case .success(let encryptingResult):
+        finalStream = encryptingResult
+        contentLength = prefixData.count + ((encryptingResult as? MultipartInputStream)?.length ?? 0) + postfixData.count
+      case .failure(let encryptionError):
+        throw encryptionError
+      }      
     } else {
-      setValue("\(prefixData.count + content.contentLength + postfixData.count)", forHTTPHeaderField: "Content-Length")
+      finalStream = contentStream
+      contentLength = prefixData.count + content.contentLength + postfixData.count
     }
 
-    let inputStream = MultipartInputStream(
-      inputStreams: [InputStream(data: prefixData), contentStream, InputStream(data: postfixData)]
-    )
-
-    httpBodyStream = inputStream
-
+    setValue("\(contentLength)", forHTTPHeaderField: "Content-Length")
     setValue("multipart/form-data; boundary=\(response.fileId)", forHTTPHeaderField: "Content-Type")
+    
+    httpBodyStream = MultipartInputStream(
+      inputStreams: [InputStream(data: prefixData), finalStream, InputStream(data: postfixData)]
+    )
   }
 }