How to encrypt and sign a mobile iPhone configuration file using Ruby

I have an unsigned mobileconfig file in XML format (template) created by the iPhone Configuration Utility. I would like to encrypt and sign it using OpenSSL and install it on the iPhone using Ruby on Rails. I do not want to create a SCEP server for this, since I want to dynamically modify this XML template file and serve it using some URL.

Thanks for your help in advance.

I already checked the following question, but it is not clear from it how to encrypt a file that can be installed correctly on the iPhone, as I continue to receive "the configuration file could not be installed due to an unknown error" when I tried to simulate the encrypted file format from the iPhone setup utilities by only encrypting a part and adding other parts of the configuration file accordingly.

Signing iPhone Configuration Profile Using Ruby on Rails

This Apple tutorial is useful, but it's more about creating a SCEP server than about manipulating the mobileconfig template file:

http://developer.apple.com/library/ios/#documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/profile-service/profile-service.html

+3

2 answers

If you still have problems signing and encrypting your profile using Ruby, the following answer will be helpful.

I used the OpenSSL module available in Ruby and the Plist gem.

Consider a passcode policy profile:

 # Top-level profile dictionary (the 'Configuration' payload)
 passcode_payload = {
   'PayloadUUID' => 'RANDOM_STRING_UUID',
   'PayloadOrganization' => 'PayloadOrganization',
   'PayloadVersion' => 1,
   'PayloadIdentifier' => 'com.test.PayloadIdentifier',
   'PayloadType' => 'Configuration',
   'PayloadDisplayName' => 'PayloadDisplayName',
   'PayloadRemovalDisallowed' => false
 }

 # The passcode policy payload that will be encrypted
 passcode_payload_content = {
   'PayloadDescription' => 'PayloadDescription',
   'PayloadDisplayName' => 'PayloadDisplayName',
   'PayloadIdentifier' => 'PayloadIdentifier',
   'PayloadOrganization' => 'PayloadOrganization',
   'PayloadType' => 'com.apple.mobiledevice.passwordpolicy',
   'PayloadUUID' => 'RANDOM_STRING_UUID',
   'PayloadVersion' => 1,
   'allowSimple' => true,
   'forcePIN' => true,
   'maxPINAgeInDays' => 20,
   'minComplexChars' => 1,
   'minLength' => 4,
   'requireAlphanumeric' => true
 }

**Encryption**

Usually, for a normal (unencrypted) profile, passcode_payload_content goes into passcode_payload['PayloadContent'] as an array of dictionaries:

 passcode_payload['PayloadContent'] = [passcode_payload_content]

But for an encrypted profile, PayloadContent must be removed and EncryptedPayloadContent used instead, as described in the Configuration Profile Key Reference document.

From the document:

To encrypt a profile, follow these steps:

1. Remove the PayloadContent array and serialize it as a proper plist. Note that the top-level object in this plist is an array, not a dictionary.
2. CMS-encrypt the serialized plist as enveloped data.
3. Serialize the encrypted data in DER format.
4. Set the serialized data as the value of a data item in the profile, using the EncryptedPayloadContent key.

Since the top-level object in the plist must be an array:

 passcode_payload_content_array = [passcode_payload_content]

Serialize it as a proper plist:

 to_be_encrypted_plist = passcode_payload_content_array.to_plist

Encrypt the payload content to the device's identity certificate (the device's private key is the only one that can open the envelope):

 device_certificate = OpenSSL::X509::Certificate.new(File.read('deviceIdentityCertificate.pem'))
 # CMS/PKCS#7 enveloped data; BINARY keeps the plist bytes untouched (no MIME canonicalisation)
 encrypted_payload = OpenSSL::PKCS7.encrypt([device_certificate], to_be_encrypted_plist,
                                            OpenSSL::Cipher.new('des-ede3-cbc'), OpenSSL::PKCS7::BINARY)

Add the encrypted payload content to the original profile as a data item (the Plist gem serializes a StringIO as a <data> element):

 passcode_payload['EncryptedPayloadContent'] = StringIO.new(encrypted_payload.to_der)

**Signing**

 # SSL_CERTIFICATE / SSL_KEY: the signing certificate and its private key (a cert the device trusts)
 signed_passcode_profile = OpenSSL::PKCS7.sign(SSL_CERTIFICATE, SSL_KEY, passcode_payload.to_plist, [], OpenSSL::PKCS7::BINARY)

Finally, you can use

 send_data signed_passcode_profile.to_der, :type => "application/x-apple-aspen-config"

to send the payload.

+1
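A runnable end-to-end version of the steps in this answer, added here as an example (not the answer's own code): it builds the profile, encrypts the PayloadContent array to a device certificate, signs the result, and then does what the device does, verifying the signature and decrypting the envelope. It replaces the Plist gem's #to_plist with a tiny inline serializer and uses throwaway self-signed certificates; a real deployment uses the device identity certificate obtained at enrollment and a signing certificate the device trusts.

```ruby
require 'openssl'
require 'stringio'

# Tiny plist serializer (Hash/Array/String/Integer/bool, StringIO -> <data>) so the
# example runs without the Plist gem; the answer uses the gem's #to_plist instead.
def plist_node(v)
  case v
  when Hash     then "<dict>#{v.map { |k, x| "<key>#{k}</key>#{plist_node(x)}" }.join}</dict>"
  when Array    then "<array>#{v.map { |x| plist_node(x) }.join}</array>"
  when Integer  then "<integer>#{v}</integer>"
  when true     then '<true/>'
  when false    then '<false/>'
  when StringIO then "<data>#{[v.string].pack('m0')}</data>" # base64, no newlines
  else "<string>#{v}</string>"
  end
end

def to_plist(v)
  %(<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0">#{plist_node(v)}</plist>)
end

# Throwaway self-signed key/cert pair, constructed for the demo only.
def self_signed(cn)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2; cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now; cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# The answer's steps: encrypt the PayloadContent array to the device cert, store the DER
# envelope under EncryptedPayloadContent, then CMS-sign the whole profile. Returns DER.
def build_profile(device_cert, sign_key, sign_cert)
  content = [{ 'PayloadType' => 'com.apple.mobiledevice.passwordpolicy', 'PayloadVersion' => 1,
               'PayloadIdentifier' => 'com.test.passcode', 'PayloadUUID' => 'UUID-2',
               'forcePIN' => true, 'minLength' => 4 }]
  profile = { 'PayloadType' => 'Configuration', 'PayloadVersion' => 1, 'PayloadUUID' => 'UUID-1',
              'PayloadIdentifier' => 'com.test.profile', 'PayloadDisplayName' => 'Passcode policy' }
  enveloped = OpenSSL::PKCS7.encrypt([device_cert], to_plist(content),
                                     OpenSSL::Cipher.new('des-ede3-cbc'), OpenSSL::PKCS7::BINARY)
  profile['EncryptedPayloadContent'] = StringIO.new(enveloped.to_der)
  OpenSSL::PKCS7.sign(sign_cert, sign_key, to_plist(profile), [], OpenSSL::PKCS7::BINARY).to_der
end

# Device side: verify the outer signature against a trusted cert (raises if it fails),
# pull the <data> element out, and decrypt the inner envelope with the device key.
def verify_and_decrypt(signed_der, trusted_cert, device_key, device_cert)
  p7 = OpenSSL::PKCS7.new(signed_der)
  store = OpenSSL::X509::Store.new
  store.add_cert(trusted_cert)
  raise 'profile signature does not verify' unless p7.verify([], store)
  b64 = p7.data[%r{<key>EncryptedPayloadContent</key><data>([^<]+)</data>}, 1]
  OpenSSL::PKCS7.new(b64.unpack1('m0')).decrypt(device_key, device_cert)
end
```

The signed outer profile is readable by anyone (only the signature is checked there); the passcode policy itself is visible only after decryption with the device's private key.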

The specified link only talks about signing the iPhone configuration profile. Does the signature work for you personally? You can verify the signature generated by your code using the openssl command-line utility. Write the generated signature to a file and use the following command to verify the signature and extract the source data from the PKCS#7 signature:

 openssl smime -verify -inform DER -in signed_config.p7s -signer your_signing_certificate -out data.txt

-1

Source: https://habr.com/ru/post/919564/
