iOS MDM Enrollment Profile Request of /profile to sign the certificate using Java


Question

Hello, we are trying to create an iOS MDM server using Java. I am stuck at the very first point, where we have to sign the certificate and send an SCEP. I first sent the enrollment plist file to the iOS device. In response, I receive an HttpServletRequest from the iOS device when we tap "Install" on the device.

It then uses the URL which contains the profile request URL, and a request is obtained for the same in Java. After reading request.getInputStream, I found that the request has two parts. One is a plist; the other is the certificate of the device.

Printing the file, I got the plist below:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CHALLENGE</key>
    <string>challengesessionvalue1234</string>
    <key>UDID</key>
    <string>b3d8980d72a6c2abf4f936862e8c50a734ccc030</string>
</dict>
</plist>

It contains the "Challenge" string which was sent during enrollment. It also gives the device UDID. This part was retrieved by reading the inputStream of the request in Java using bytes.

The other part that request.getInputStream contains is the PKCS#7 signed certificate details of the Apple certificate, as shown below:

PKCS7 :: signer infos: 
    0.  Signer Info for (issuer): CN=Apple iPhone Device CA, OU=Apple iPhone, O=Apple Inc., C=US
    version:     01
    certificateSerialNumber:     0252f631 cadff5f3 99986
    digestAlgorithmId: SHA
    authenticatedAttributes: PKCS9 Attributes: [
    [ContentType: 1.2.840.113549.1.7.1];
    [MessageDigest: 0000: E1 BF 36 1B 11 5C CB 0E   E6 1C 57 4F 09 FC 55 B4  ..6..\....WO..U.
0010: D9 C1 E0 1E                                        ....
];
    [SigningTime: Wed Jul 30 11:46:02 UTC 2014]
    ] (end PKCS9 Attributes)
    digestEncryptionAlgorithmId: RSA
    encryptedDigest: 
0000: C5 11 AC 76 89 E7 43 BD   A3 03 5F 14 4B 08 BD E4  ...v..C..._.K...
0010: 5E F9 55 BA A7 F5 4E 43   E0 74 FD 06 D2 E2 88 03  ^.U...NC.t......
0020: C4 9C 88 A2 01 E0 9C 63   62 C2 D9 1A BD FC 00 B3  .......cb.......
0030: 64 30 8F 00 BD F4 4A B9   4E EA D5 C6 7B 26 1C 01  d0....J.N....&..
0040: A5 E2 B7 27 B9 7A A8 2D   22 97 E3 D9 24 7B 8B 24  ...'.z.-"...$..$
0050: 84 49 7C 38 1B A7 56 80   B8 CD 1A 44 9C AF 79 D9  .I.8..V....D..y.
0060: 86 12 B5 31 D1 BD 5C 27   F6 64 BC EC DC 02 19 A5  ...1..\'.d......
0070: 25 A5 09 F2 BB 11 67 78   3E DC D4 03 F2 E4 8D C0  %.....gx>.......

I have not copied the whole file, as it was huge. To read this part I used the PKCS7 class available in Java from the sun.security.pkcs package.

I would first like to read the "Challenge" value and authenticate the certificate using the challenge itself, as it will be a uniquely identified session value for us. I just want to pass back a signed certificate to the iOS device so that I can proceed further.

Please provide Java code which will help parse this request.getInputStream. The content type of the request is "application/pkcs7-signature". And how should I pass back the response? Do I need to create the certificate again?

Please help. Hope I made myself clear with the doubt. Thanks in advance!

Answer

Let me try to break your question down into multiple sub-questions and answer them.


"I am stuck at the very first point where we have to sign the certificate and send an SCEP."

Frankly, I wasn't able to understand what you are talking about.

Based on the response which you got, you are doing this: https://developer.apple.com/library/ios/documentation/networkinginternet/conceptual/iphoneotaconfiguration/OTASecurity/OTASecurity.html

And you are on phase 2, step 1.


"I would first like to read the "Challenge" value and authenticate the certificate using the challenge itself, as it will be a uniquely identified session value for us."

Again, I am not 100% sure what you mean. Specifically, "authenticate the certificate using the challenge itself".

You should do two things at this step:


  • Authenticate this request using the challenge extracted from the request.

  • Validate the signature (make sure that the signature is correct and that it was made with the appropriate Apple certificate).

  • If everything is correct (challenge and certificate), then you should send a profile with an SCEP payload or a PKCS12 payload.


"Please provide Java code which will help parse this request.getInputStream. To read this part I used the PKCS7 class available in Java from the sun.security.pkcs package."

I would recommend looking at Bouncy Castle. It's an excellent library which handles crypto.

And search for "Bouncy castle validate signature":

X.509 certificate validation in Java with Bouncy Castle:

http://www.nakov.com/blog/2009/12/01/x509-certificate-validation-in-java-build-and-verify-chain-and-verify-clr-with-bouncy-castle/
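The three steps the answer lists (check the challenge, verify the PKCS#7 signature against the Apple device CA, then reply with a profile carrying an SCEP payload), written out as an added example that is not part of the original question or answer. It is a Java servlet (Java 11+) using Bouncy Castle (bcprov + bcpkix) for the CMS/PKCS#7 work and the dd-plist library for the plist; the server state it relies on (APPLE_DEVICE_CA, CHALLENGES, serverKey, serverCert, SCEP_URL) and the payload identifiers are hypothetical names, assumed to be loaded at startup and not shown here.

```java
// Added example, not from the original post: Phase 2 /profile handler for an
// MDM server in Java. Hypothetical, loaded elsewhere: APPLE_DEVICE_CA, CHALLENGES,
// serverKey, serverCert, SCEP_URL.
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.*;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.*;
import org.bouncycastle.cms.*;
import org.bouncycastle.cms.jcajce.*;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.*;
import org.bouncycastle.util.Store;
import com.dd.plist.*;

public class ProfileServlet extends HttpServlet {
    static { Security.addProvider(new BouncyCastleProvider()); }

    // Hypothetical server state, populated at startup (not shown).
    static X509Certificate APPLE_DEVICE_CA;   // pinned "Apple iPhone Device CA" certificate
    static final Map<String, String> CHALLENGES = new ConcurrentHashMap<>(); // challenge -> enrollment id
    static PrivateKey serverKey;              // MDM server's profile-signing key
    static X509Certificate serverCert;        // ...and its certificate
    static final String SCEP_URL = "https://mdm.example.com/scep";

    /** Parses the application/pkcs7-signature body and returns the signed plist, or throws. */
    static NSDictionary verifyDeviceRequest(byte[] body) throws Exception {
        CMSSignedData signed = new CMSSignedData(body);
        Store<X509CertificateHolder> certs = signed.getCertificates();
        Collection<SignerInformation> signers = signed.getSignerInfos().getSigners();
        if (signers.isEmpty()) throw new SecurityException("no signer");
        JcaX509CertificateConverter conv = new JcaX509CertificateConverter().setProvider("BC");
        for (SignerInformation signer : signers) {
            Collection<X509CertificateHolder> matches = certs.getMatches(signer.getSID());
            if (matches.isEmpty()) throw new SecurityException("signer certificate not in message");
            X509Certificate device = conv.getCertificate(matches.iterator().next());
            // (1) the signature over the plist must verify with the embedded device certificate
            if (!signer.verify(new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(device)))
                throw new SecurityException("bad PKCS#7 signature");
            // (2) that certificate must be issued by the pinned Apple device CA; the issuer
            //     name alone proves nothing, anyone can put it in a self-signed certificate
            device.checkValidity();
            device.verify(APPLE_DEVICE_CA.getPublicKey());
        }
        byte[] plist = (byte[]) signed.getSignedContent().getContent();
        return (NSDictionary) PropertyListParser.parse(plist);
    }

    /** Builds the reply: a Configuration profile with an SCEP payload, PKCS#7-signed by the server. */
    static byte[] buildScepProfile(String udid) throws Exception {
        byte[] rnd = new byte[16];
        new SecureRandom().nextBytes(rnd);
        NSDictionary scep = new NSDictionary();
        scep.put("URL", SCEP_URL);
        scep.put("Challenge", Base64.getEncoder().encodeToString(rnd)); // one-time SCEP password; register it with the CA too
        scep.put("Key Type", "RSA");
        scep.put("Keysize", 2048);
        scep.put("Subject", new NSArray(new NSArray(new NSArray(new NSString("CN"), new NSString(udid)))));
        NSDictionary payload = new NSDictionary();
        payload.put("PayloadType", "com.apple.security.scep");
        payload.put("PayloadVersion", 1);
        payload.put("PayloadIdentifier", "com.example.mdm.scep");   // assumed identifier
        payload.put("PayloadUUID", UUID.randomUUID().toString());
        payload.put("PayloadContent", scep);
        NSDictionary profile = new NSDictionary();
        profile.put("PayloadType", "Configuration");
        profile.put("PayloadVersion", 1);
        profile.put("PayloadIdentifier", "com.example.mdm.enroll"); // assumed identifier
        profile.put("PayloadUUID", UUID.randomUUID().toString());
        profile.put("PayloadContent", new NSArray(payload));
        byte[] xml = profile.toXMLPropertyList().getBytes(StandardCharsets.UTF_8);
        // Sign the profile with content encapsulated, so the device gets profile and signature in one blob
        CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
        ContentSigner cs = new JcaContentSignerBuilder("SHA256withRSA").setProvider("BC").build(serverKey);
        gen.addSignerInfoGenerator(new JcaSignerInfoGeneratorBuilder(
                new JcaDigestCalculatorProviderBuilder().setProvider("BC").build()).build(cs, serverCert));
        gen.addCertificates(new JcaCertStore(Collections.singletonList(serverCert)));
        return gen.generate(new CMSProcessableByteArray(xml), true).getEncoded();
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        try (InputStream in = req.getInputStream()) {
            NSDictionary msg = verifyDeviceRequest(in.readAllBytes());
            NSObject challenge = msg.objectForKey("CHALLENGE");
            NSObject udid = msg.objectForKey("UDID");
            // (3) only now trust the plist: the challenge must be one we issued, and it is
            //     consumed on use so a captured request cannot be replayed
            if (challenge == null || udid == null || CHALLENGES.remove(challenge.toString()) == null) {
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            byte[] reply = buildScepProfile(udid.toString());
            resp.setContentType("application/x-apple-aspen-config");
            resp.setContentLength(reply.length);
            resp.getOutputStream().write(reply);
        } catch (SecurityException e) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, e.getMessage());
        } catch (Exception e) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
        }
    }
}
```

Two things to keep in mind when wiring this up. The plist (CHALLENGE and UDID) is read only after the signature and the issuing CA have been checked; a forged request with a legitimate-looking issuer name fails at `device.verify`, and a replayed request fails at `CHALLENGES.remove`. The SCEP challenge password placed in the payload has to be known to the SCEP server the device contacts next, and the device will only show the returned profile as verified if serverCert chains to a CA the device already trusts.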
