如何加密和签名iphone手机配置文件使用Ruby [英] how to encrypt and sign iphone mobile configuration file using Ruby

问题描述

我有一个由iphone配置实用程序生成的xml格式（模板）的unsigned mobileconfig文件。我想加密和签名使用openssl，并能够安装在iphone上使用Ruby on rails。我不想创建一个SCEP服务器来执行此操作，因为我想要动态修改此模板xml文件并使用一些URL来提供它。

I have a unsigned mobileconfig file in xml format (template) generated by iphone configuration utility. I would like to encrypt and sign it using openssl and be able to install it on iphone using Ruby on rails. I do not want to create a SCEP server to do this as I want to keep modifying this template xml file dynamically and serve it using some URL.

感谢您的帮助

我已经检查了以下问题，但它不清楚它如何加密可以正确安装在iphone上的文件 - 因为我不断得到配置文件无法安装由于未知错误当我试图通过只加密的部分，并添加/预先配置文件的配置文件的其他部分，从iphone配置实用程序模仿加密的文件格式。

I have already checked following question but it is not clear from it how to encrypt the file that can be installed correctly on iphone - as I keep getting "config file could not be installed due to unknown error" when I tried to mimic encrypted file format from iphone configuration utility by only encrypting the part and appending/prepending other parts of the configuration file appropriately.

使用Ruby on Rails为iPhone配置XML配置文件签名

Signing iPhone Configuration XML Profile with Ruby on Rails

本手册由苹果公司提供，但更适合创建SCEP服务器，而不是用于操作模板mobileconfig文件 -

This manual by apple is useful but its more geared for creating a SCEP server and not for manipulating template mobileconfig file -

http ：//developer.apple.com/library/ios/#documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/profile-service/profile-service.html

推荐答案

如果仍然有人在使用Ruby签名和加密配置文件时遇到问题，下面的答案将是有用的。

Incase if still anybody is having issues with signing and encrypting the profile with Ruby, following answer would be useful.

OpenSSL 模块可在Ruby和 Plist gem。

I have used OpenSSL module available in Ruby and Plist gem.

考虑密码限制

passcode_payload ={
              'PayloadUUID' => 'RANDOM_STRING_UUID',
              'PayloadOrganization' => 'PayloadOrganization',
              'PayloadVersion' => 1,
              'PayloadIdentifier' => 'com.test.PayloadIdentifier',
              'PayloadType' => 'Configuration',
              'PayloadDisplayName' => 'PayloadDisplayName',
              'PayloadRemovalDisallowed' => false
            }
  passcode_payload_content = {
              'PayloadDescription' => 'PayloadDescription',
              'PayloadDisplayName' => 'PayloadDisplayName',
              'PayloadIdentifier' => 'PayloadIdentifier',
              'PayloadOrganization' => 'PayloadOrganization',
              'PayloadType' => 'com.apple.mobiledevice.passwordpolicy',
              'PayloadUUID' => "RANDOM_STRING_UUID",
              'PayloadVersion' => 1,
              'allowSimple' => true,
              'forcePIN' => true
              'maxPINAgeInDays' => 20,
              'minComplexChars' => 1,
              'minLength' => 4,
              'requireAlphanumeric' => true
            }

**

**

通常，对于普通个人资料， passcode_payload_content 进入 passcode_payload ['PayloadContent'] 作为字典数组。

Usually for a normal profile the passcode_payload_content goes into the passcode_payload['PayloadContent'] as array of dictionaries.

passcode_payload ['PayloadContent'] = [passcode_payload_content]

但对于加密的个人资料， PayloadContent 并且应根据 EncryptedPayloadContent 。 html＃// apple_ref / doc / uid / TP40010206-CH1-SW52rel =nofollow>配置个人资料键参考文档。

But for an encrypted profile, PayloadContent should be removed and EncryptedPayloadContent should be used as per the configuration profile key reference document.

，

要加密配置文件，请执行以下操作：

删除 PayloadContent


请注意，此plist中的顶级对象是数组，而不是
字典。

CMS将串行化plist加密为包络数据。
以DER格式序列化加密的数据。

将序列化数据设置为
，作为配置文件中Data Plist项的值，使用键
EncryptedPayloadContent

To encrypt a profile do the following:

Remove the PayloadContent array and serialize it as a proper plist.

Note that the top-level object in this plist is an array, not a dictionary.

CMS-encrypt the serialized plist as enveloped data. Serialize the encrypted data in DER format.

Set the serialized data as the value of as a Data plist item in the profile, using the key EncryptedPayloadContent

由于plist中的顶级对象应该是一个数组

Since top level object in the plist should be an array

passcode_payload_content_array = [passcode_payload_content]

序列化到正确的plist

Serializing to proper plist

to_be_encrypted_plist = passcode_payload_content_array.to_plist

加密凭证负载内容，

device_certificate = OpenSSL::X509::Certificate.new File.read('deviceIdentityCertificate.pem')
encrypted_payload = OpenSSL::PKCS7.encrypt([device_certificate],to_be_encrypted_plist, OpenSSL::Cipher::Cipher::new("des-ede3-cbc"),OpenSSL::PKCS7::BINARY)

添加加密的有效内容到原始有效负载的格式

Add encrypted payload content to the original payload in der format

passcode_payload['EncryptedPayloadContent'] = StringIO.new(encrypted_payload.to_der)

**

**

signed_passcode_profile = OpenSSL::PKCS7.sign(SSL_CERTIFICATE, SSL_KEY, passcode_payload.to_plist, [], OpenSSL::PKCS7::BINARY)

最后，可以使用

send_data signed_passcode_profile.to_der, :type => "application/x-apple-aspen-config" 

发送有效载荷。

这篇关于如何加密和签名iphone手机配置文件使用Ruby的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！