
Apple Over-the-Air Profile Delivery and Configuration, Phase 2: The Device Response

Apple's "Over-the-Air Profile Delivery and Configuration" document states:

In response, the device sends back the list of requested attributes along with their values. If the server sent a Challenge value in its request, the device also includes this value along with the requested device attributes. Finally, to prove it is an iOS-based device, the device signs this identification with its device certificate. This response is sent to the handler for the /profile URL.

Validate that the device certificate is issued from “Apple iPhone Device CA”, which has the following Base64 encoded PEM data:


and:

the profile server receives a PKCS#7 signed data payload from the device, which it then unpacks and verifies.

So the data the device sends back is in PKCS#7 format, and the certificates it carries can be inspected with the OpenSSL command line:

[Figure: viewing the certificate information in the PKCS#7 data with the OpenSSL command]

This reveals the following certificate chain:

[Figure: issuer of each certificate in the chain]

Comparing the certificate information that OpenSSL parses out, we can see that the statement in Apple's official "Over-the-Air Profile Delivery and Configuration" document,

Validate that the device certificate is issued from “Apple iPhone Device CA”

is inaccurate. Every Apple device has its own unique device certificate (Apple iPhone Device CA), and that certificate is issued by Apple iPhone Certification Authority. The PEM certificate shown on Apple's site is likewise Apple iPhone Certification Authority's, not the device certificate's (Apple iPhone Device CA).
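As an added example (not from the original post, and not Apple's code or certificates), the script below builds a constructed three-level chain with placeholder names, signs a constructed attribute plist as PKCS#7 signedData the way a phase-2 response is signed, and then runs the OpenSSL commands a profile server would use to list the certificates carried in the blob, verify the signature against the trust anchor, and read the issuer of the certificate that actually signed the response. The UDID and challenge values are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: constructed chain
# (root CA -> intermediate CA -> device cert), a constructed phase-2
# payload signed as PKCS#7 signedData, and the server-side OpenSSL checks.
# All names, UDID and challenge values are placeholders, not Apple's.
set -e
WORK=$(mktemp -d)
# CA certificates need basicConstraints CA:TRUE or chain verification rejects them as issuers.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\n' > "$WORK/leaf.ext"
# issue_cert NAME SUBJECT EXTFILE [ISSUER]; without ISSUER the certificate is self-signed.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  if [ -z "$4" ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
      -days 30 -extfile "$3" -out "$WORK/$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$4.pem" -CAkey "$WORK/$4.key" \
      -CAcreateserial -days 30 -extfile "$3" -out "$WORK/$1.pem" 2>/dev/null
  fi
}
issue_cert root   "/CN=Example Root CA"         "$WORK/ca.ext"
issue_cert ica    "/CN=Example Intermediate CA" "$WORK/ca.ext"   root
issue_cert device "/CN=Example Device 0000"     "$WORK/leaf.ext" ica
# Constructed phase-2 payload: the requested attributes plus the server's challenge.
printf '<plist version="1.0"><dict>\n<key>UDID</key><string>constructed-udid-0000</string>\n<key>CHALLENGE</key><string>constructed-challenge-1234</string>\n</dict></plist>\n' > "$WORK/payload.plist"
# Device side: DER PKCS#7 signedData carrying the payload, the device cert and the intermediate.
openssl smime -sign -binary -nodetach -outform DER -in "$WORK/payload.plist" \
  -signer "$WORK/device.pem" -inkey "$WORK/device.key" -certfile "$WORK/ica.pem" \
  -out "$WORK/response.p7" 2>/dev/null
# Server side, step 1: subject/issuer of every certificate carried in the blob.
chain_summary() {
  openssl pkcs7 -inform DER -in "$WORK/response.p7" -print_certs -noout
}
# Step 2: verify the signature against the trust anchor, keep the signer cert, emit the payload.
verified_payload() {
  openssl smime -verify -inform DER -in "$WORK/response.p7" -CAfile "$WORK/root.pem" \
    -signer "$WORK/signer.pem" 2>/dev/null
}
# Step 3: the check Apple's text describes: who issued the certificate that signed the response?
signer_issuer() {
  verified_payload >/dev/null
  openssl x509 -in "$WORK/signer.pem" -noout -issuer
}
chain_summary; signer_issuer
```

Checking the issuer of the signer certificate (step 3) rather than the subject of any certificate in the blob is what makes the "issued from" validation meaningful, since the blob can carry whatever certificates the sender chose to include.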

