"Over-the-Air Profile Delivery and Configuration" says:
In response, the device sends back the list of requested attributes along with their values. If the server sent a Challenge value in its request, the device also includes this value along with the requested device attributes. Finally, to prove it is an iOS-based device, the device signs this identification with its device certificate. This response is sent to the handler for the /profile URL.

Validate that the device certificate is issued from “Apple iPhone Device CA”, which has the following Base64 encoded PEM data:
And:
the profile server receives a PKCS#7 signed data payload from the device, which it then unpacks and verifies.
So the data the device replies with is in PKCS#7 format, and the certificates it carries can be inspected with the OpenSSL command line:

[Screenshot: using the OpenSSL command to view the certificate information in the PKCS#7 data]
The following certificate chain is found:
```
Issuer: C=US, O=Apple Inc., OU=Apple Certification Authority, CN=Apple Root CA
Validity
    Not Before: Apr 12 17:43:28 2007 GMT
    Not After : Apr 12 17:43:28 2022 GMT
Subject: C=US, O=Apple Inc., OU=Apple Certification Authority, CN=Apple iPhone Certification Authority
```
which issues:
```
Issuer: C=US, O=Apple Inc., OU=Apple Certification Authority, CN=Apple iPhone Certification Authority
Validity
    Not Before: Apr 16 22:54:46 2007 GMT
    Not After : Apr 16 22:54:46 2014 GMT
Subject: C=US, O=Apple Inc., OU=Apple iPhone, CN=Apple iPhone Device CA
```
which issues:
```
Issuer: C=US, O=Apple Inc., OU=Apple iPhone, CN=Apple iPhone Device CA
Validity
    Not Before: Apr 27 06:56:32 2018 GMT
    Not After : Apr 27 06:56:32 2021 GMT
Subject: CN=5CDC0370-9820-4836-BB24-9425F0FA0987, C=US, ST=CA, L=Cupertino, O=Apple Inc., OU=iPhone
```
Comparing the certificate information parsed out by OpenSSL, we can see that the statement in Apple's official document "Over-the-Air Profile Delivery and Configuration":
Validate that the device certificate is issued from “Apple iPhone Device CA”
is incorrect. Every Apple device has its own unique device certificate (Apple iPhone Device CA); that certificate is issued by Apple iPhone Certification Authority, and the PEM certificate on Apple's site is also the Apple iPhone Certification Authority certificate, not the device certificate (Apple iPhone Device CA).
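As an added example (not code from the original post or from Apple's documentation), the script below rebuilds this phase-2 exchange end to end: it constructs a stand-in chain (Example Root CA, Example Device CA, a device certificate with a placeholder UUID), signs a constructed plist as PKCS#7 the way the device does, and then does what the /profile handler should do: list the embedded chain with the same OpenSSL command used above, verify the signature against a trust anchor, and check that the signing certificate's issuer CN is the expected CA. It assumes only that the openssl CLI (1.1.1 or later) is installed.

```shell
#!/bin/sh
# Added example, not from the original post or from Apple. All CA names, the
# device UUID placeholder and the plist content below are constructed.
set -e
WORK=$(mktemp -d); cd "$WORK"

# Constructed stand-ins for Apple Root CA -> Apple iPhone Device CA -> device cert
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/O=Example/CN=Example Root CA" >/dev/null 2>&1
openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext \
  -out root.crt >/dev/null 2>&1
openssl req -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.csr \
  -subj "/O=Example/CN=Example Device CA" >/dev/null 2>&1
openssl x509 -req -in ca.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 2 -extfile ca.ext -out ca.crt >/dev/null 2>&1
openssl req -new -newkey rsa:2048 -nodes -keyout dev.key -out dev.csr \
  -subj "/CN=DEVICE-UUID-PLACEHOLDER/O=Example" >/dev/null 2>&1
openssl x509 -req -in dev.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 2 -out dev.crt >/dev/null 2>&1

# Device side (constructed): requested attributes plus the server's Challenge,
# signed with the device certificate; the issuing CA is bundled, content attached.
printf '<plist><dict><key>CHALLENGE</key><string>abc</string></dict></plist>' > attrs.plist
openssl smime -sign -in attrs.plist -signer dev.crt -inkey dev.key -certfile ca.crt \
  -nodetach -outform DER -out resp.p7 >/dev/null 2>&1

# Server side, step 1: unpack the PKCS#7 and list the certificates the device
# sent (the OpenSSL inspection described in the post).
list_chain() { openssl pkcs7 -inform DER -in "$1" -print_certs -noout; }

# Server side, step 2: verify the signature against the trusted anchor, then
# check the issuer CN of the certificate that actually signed. Both must hold.
#   $1 = DER PKCS#7 response, $2 = trusted CA file, $3 = expected issuer CN
verify_device_response() {
  if ! openssl smime -verify -inform DER -in "$1" -CAfile "$2" \
       -signer "$1.signer.pem" -out "$1.payload" >/dev/null 2>&1; then
    return 1                      # bad signature or chain does not reach the anchor
  fi
  # Issuer line ends with the CN RDN; accept both "CN = x" and "CN=x" spellings.
  case "$(openssl x509 -in "$1.signer.pem" -noout -issuer)" in
    *"CN = $3"|*"CN=$3") return 0 ;;
  esac
  return 1                        # signed by a certificate from some other issuer
}

list_chain resp.p7
verify_device_response resp.p7 root.crt "Example Device CA" && echo "device certificate accepted"
```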
References:
1. https://stackoverflow.com/questions/12978019/unpacking-a-pkcs7-payload-from-an-ios-device-mdm-enrollment/13095640#13095640
2. https://stackoverflow.com/questions/25037650/ios-mdm-enrollment-profile-request-of-profile-to-sign-the-certificate-using-jav
3. https://stackoverflow.com/questions/36595294/replicate-openssl-command-to-sign-a-file-in-java
Please keep the source attribution when reposting; unlawful reposting will be pursued: 进城务工人员小梅 » Apple Over-the-Air Profile Delivery and Configuration, phase 2: the device response