how to encrypt and sign iphone mobile configuration file using Ruby


Problem description


    I have an unsigned mobileconfig file in xml format (template) generated by iphone configuration utility. I would like to encrypt and sign it using openssl and be able to install it on iphone using Ruby on rails. I do not want to create a SCEP server to do this as I want to keep modifying this template xml file dynamically and serve it using some URL.

    Thanks for your help in advance.

    I have already checked the following question but it is not clear from it how to encrypt the file that can be installed correctly on iphone - as I keep getting "config file could not be installed due to unknown error" when I tried to mimic encrypted file format from iphone configuration utility by only encrypting the part and appending/prepending other parts of the configuration file appropriately.

    Signing iPhone Configuration XML Profile with Ruby on Rails

    This manual by Apple is useful but it's more geared for creating a SCEP server and not for manipulating template mobileconfig file -

    http://developer.apple.com/library/ios/#documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/profile-service/profile-service.html

    Solution

    In case anybody is still having issues with signing and encrypting the profile with Ruby, the following answer would be useful.

    I have used the OpenSSL module available in Ruby and the Plist gem.

    Consider a passcode restriction profile.

    require 'openssl'
    require 'plist'
    require 'stringio'

    # Outer profile dictionary (PayloadType 'Configuration').
    passcode_payload = {
      'PayloadUUID' => 'RANDOM_STRING_UUID',
      'PayloadOrganization' => 'PayloadOrganization',
      'PayloadVersion' => 1,
      'PayloadIdentifier' => 'com.test.PayloadIdentifier',
      'PayloadType' => 'Configuration',
      'PayloadDisplayName' => 'PayloadDisplayName',
      'PayloadRemovalDisallowed' => false
    }

    # Passcode policy payload; this is the part that gets encrypted.
    passcode_payload_content = {
      'PayloadDescription' => 'PayloadDescription',
      'PayloadDisplayName' => 'PayloadDisplayName',
      'PayloadIdentifier' => 'PayloadIdentifier',
      'PayloadOrganization' => 'PayloadOrganization',
      'PayloadType' => 'com.apple.mobiledevice.passwordpolicy',
      'PayloadUUID' => 'RANDOM_STRING_UUID',
      'PayloadVersion' => 1,
      'allowSimple' => true,
      'forcePIN' => true,
      'maxPINAgeInDays' => 20,
      'minComplexChars' => 1,
      'minLength' => 4,
      'requireAlphanumeric' => true
    }
    

    **Encryption**

    Usually for a normal profile the passcode_payload_content goes into the passcode_payload['PayloadContent'] as an array of dictionaries.

    passcode_payload['PayloadContent'] = [passcode_payload_content]

    But for an encrypted profile, PayloadContent should be removed and EncryptedPayloadContent should be used as per the configuration profile key reference document.

    From the doc:

    To encrypt a profile do the following:

  • Remove the PayloadContent array and serialize it as a proper plist.
  • Note that the top-level object in this plist is an array, not a dictionary.
  • CMS-encrypt the serialized plist as enveloped data. Serialize the encrypted data in DER format.
  • Set the serialized data as the value of a Data plist item in the profile, using the key EncryptedPayloadContent.

    Since the top-level object in the plist should be an array:

    passcode_payload_content_array = [passcode_payload_content]
    

    Serializing to proper plist

    to_be_encrypted_plist = passcode_payload_content_array.to_plist
    

    Encrypting the certificate payload content,

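    # Recipient certificate: the CMS envelope is encrypted to this certificate's public key.
    device_certificate = OpenSSL::X509::Certificate.new(File.read('deviceIdentityCertificate.pem'))
    # OpenSSL::Cipher.new replaces the deprecated OpenSSL::Cipher::Cipher constant.
    encrypted_payload = OpenSSL::PKCS7.encrypt([device_certificate], to_be_encrypted_plist, OpenSSL::Cipher.new("des-ede3-cbc"), OpenSSL::PKCS7::BINARY)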
    

    Add encrypted payload content to the original payload in der format

    passcode_payload['EncryptedPayloadContent'] = StringIO.new(encrypted_payload.to_der)
    

    **Signing**

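    # SSL_CERTIFICATE is the signing certificate (OpenSSL::X509::Certificate) and SSL_KEY its private key (OpenSSL::PKey).
    signed_passcode_profile = OpenSSL::PKCS7.sign(SSL_CERTIFICATE, SSL_KEY, passcode_payload.to_plist, [], OpenSSL::PKCS7::BINARY)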
    

    At last, you can use

    send_data signed_passcode_profile.to_der, :type => "application/x-apple-aspen-config" 
    

    to send the payload.
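
The procedure above as a round-trip self-check (an added example, not code from the original answer): it builds an encrypted, signed profile with only Ruby's `openssl` library, then verifies the signature and decrypts `EncryptedPayloadContent` the way the device would. The self-signed test identities, the hand-written plist strings and the helper names `make_identity`, `build_profile` and `check_profile` are assumptions made for the example.

```ruby
require 'openssl'

# Constructed throwaway identity (self-signed); stands in for the device
# identity certificate and for the signing certificate.
def make_identity(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Constructed inner plist: the top-level object is an array, as the doc requires.
INNER_PLIST = '<plist version="1.0"><array><dict><key>PayloadType</key>' \
              '<string>com.apple.mobiledevice.passwordpolicy</string>' \
              '<key>forcePIN</key><true/></dict></array></plist>'

# Steps from the doc: CMS-envelope the inner plist for the device, embed the DER
# as a <data> item under EncryptedPayloadContent, then sign the outer plist.
def build_profile(inner, device_cert, sign_cert, sign_key)
  cipher = OpenSSL::Cipher.new('des-ede3-cbc') # cipher used in the answer
  enveloped = OpenSSL::PKCS7.encrypt([device_cert], inner, cipher, OpenSSL::PKCS7::BINARY)
  outer = '<plist version="1.0"><dict><key>EncryptedPayloadContent</key>' \
          "<data>#{[enveloped.to_der].pack('m0')}</data>" \
          '<key>PayloadType</key><string>Configuration</string></dict></plist>'
  OpenSSL::PKCS7.sign(sign_cert, sign_key, outer, [], OpenSSL::PKCS7::BINARY).to_der
end

# Self-check before serving: verify the signature, then decrypt with the device key.
# Returns the recovered inner plist, or nil if any step fails.
def check_profile(der, trusted_cert, device_cert, device_key)
  signed = OpenSSL::PKCS7.new(der)
  store = OpenSSL::X509::Store.new
  store.add_cert(trusted_cert)
  return nil unless signed.verify([], store, nil, OpenSSL::PKCS7::BINARY)
  outer = signed.data
  return nil if outer.include?('<key>PayloadContent</key>') # cleartext must be gone
  b64 = outer[%r{<key>EncryptedPayloadContent</key>\s*<data>(.*?)</data>}m, 1]
  return nil unless b64
  inner = OpenSSL::PKCS7.new(b64.unpack1('m')).decrypt(device_key, device_cert)
  inner =~ /<plist[^>]*>\s*<array>/ ? inner : nil
end
```

A `nil` result narrows an install failure to one of the checked steps: signature trust, a leftover cleartext `PayloadContent` key, a missing data item, or an inner plist whose top-level object is not an array.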
