我正在C++中使用Apple OTA配置文件传递示例(位于Ruby中)实施Apple MDM配置文件服务。除了最后一步(配置应用),似乎所有的东西都运行良好。Apple MDM - 配置文件无法解密(未安装此配置文件的解密密钥)解决方案
IPhone配置实用程序显示以下内容:
Jul 8 16:38:48 iPhone profiled[1454] : (Note) profiled: Service starting...
Jul 8 16:38:48 iPhone profiled[1454] : (Note) MC: Checking for MDM installation...
Jul 8 16:38:48 iPhone profiled[1454] : (Note) MC: ...finished checking for MDM installation.
Jul 8 16:38:50 iPhone profiled[1454] : (Note) MC: Enrolling in OTA Profile service...
Jul 8 16:38:51 iPhone profiled[1454] : (Note) MC: Attempting to retrieve issued certificate...
Jul 8 16:38:51 iPhone profiled[1454] : (Note) MC: Issued certificate received.
Jul 8 16:38:52 iPhone profiled[1454] : (Note) MC: Retrieving profile from OTA Profile service...
Jul 8 16:38:52 iPhone profiled[1454] : (Error) MC: Decryption failed: NSError:
Desc : Profile could not be decrypted
Sugg : Decryption key for this profile is not installed.
US Desc: Profile could not be decrypted
US Sugg: Decryption key for this profile is not installed.
Domain : MCProfileErrorDomain
Code : 1006
Type : MCFatalError
现在看来似乎是一个常见的错误,因为我发现一对夫妇discussions.apple.com的讨论,但他们没有解决方案。我在这里也找到了a comment,但它也没有解决方案。
在Over-the-Air Profile Delivery Concepts中的Apple Ruby示例运行良好。我比较了C++实现和Ruby示例的输出(证书转储)。他们是相同的除了域名(我使用“测试”而不是“ACME”。我试图使用原始证书,但他们也没有在我的实施工作。)。
我在代码中使用相同的加密向设备端发送新的证书。有用。
在配置文件加密的情况下,我使用从设备端收到的来自PKCS7的证书。所以我不认为这个问题是由于OpenSSL的错误使用造成的。
你能告诉我什么吗?
UPDATE1:
1)其实,当我说证书(矿山和例子)是相同的我的意思是,他们具有相同的依赖关系,我的意思是,它似乎像我和示例算法类似地工作。当然这些证书有不同的指纹等等。
2)我使用的是精确的算法,就像来自Over-the-Air Profile Delivery Concepts链接的Ruby例子。所以据我了解我使用SCEP。
这是我的C++代码(我主要删除了用于日志记录的代码)。是的,我明白我的代码很粗糙,但在这个阶段我只需要一个有效的算法。
C-X509-请求从 - device.pem
PKCS #10 Certificate Request (Version 1.0)
Subject: CN=Profile Service (4feea0ef-b586-4c54-a767-5d8160a04952), O=TEST Inc.
Public Key: X.509 format RSA key
Extension Request:
#1: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
E-PKCS7-degenerated.pem
Owner: CN=Profile Service (4feea0ef-b586-4c54-a767-5d8160a04952), O=TEST Inc.
Issuer: CN=TEST Root CA (314aa3fe-ea1f-4afb-b2f5-ad998f1eddf3), O=None
Serial number: 145
Valid from: Wed Jul 09 22:38:04 NOVT 2014 until: Thu Jul 10 22:38:04 NOVT 2014
Certificate fingerprints:
MD5: B4:F4:78:E3:A1:69:FB:23:49:E8:0D:4C:E5:8F:C5:A6
SHA1: 47:19:8A:9C:9F:91:B2:FC:6B:ED:EE:A8:41:FF:3B:CF:6A:1D:52:F2
SHA256: 59:95:31:66:B8:D8:54:83:B5:23:17:86:1A:7F:94:98:B2:17:58:61:F8:
0A:4C:E8:B0:1C:4D:79:23:B0:32:93
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
/轮廓(第二POST;我的响应导致“配置文件无法解密”错误)
PKCS7Wrap pkcs7;
pkcs7.InitFromDER(httpData.block_, httpData.blockSize_);
std::string content;
// ...........
SavePKCS7ToFile(pkcs7.pkcs7_, "K-pkcs7-from-device-2.pem");
std::string tmp = appleMDMPList_.GetClientCertConfPayloadPList("foo");
SaveData(tmp, "3-client-cert-conf.xml");
PKCS7Wrap encryptedContent;
PKCS7Wrap::EncryptData(pkcs7.GetCertificates(), tmp, encryptedContent);
if (encryptedContent.IsInited())
{
SavePKCS7ToFile(encryptedContent.pkcs7_, "Q-encrypted_profile.pem");
content =
appleMDMPList_.GetConfigurationPayloadPList(encryptedContent.ToDER());
SaveData(content, "4-configuration.xml");
}
std::string signedProfile;
PKCS7Wrap::SignData(keyStore.GetAppleMDMSSLCrt(),
keyStore.GetAppleMDMSSLKey(), content, signedProfile);
// send to the device with mime = application/x-apple-aspen-config
K-pkcs7-from-device-2。PEM
Certificate[1]:
Owner: CN=Profile Service (4feea0ef-b586-4c54-a767-5d8160a04952), O=TEST Inc.
Issuer: CN=TEST Root CA (314aa3fe-ea1f-4afb-b2f5-ad998f1eddf3), O=None
Serial number: 145
Valid from: Wed Jul 09 22:38:04 NOVT 2014 until: Thu Jul 10 22:38:04 NOVT 2014
Certificate fingerprints:
MD5: B4:F4:78:E3:A1:69:FB:23:49:E8:0D:4C:E5:8F:C5:A6
SHA1: 47:19:8A:9C:9F:91:B2:FC:6B:ED:EE:A8:41:FF:3B:CF:6A:1D:52:F2
SHA256: 59:95:31:66:B8:D8:54:83:B5:23:17:86:1A:7F:94:98:B2:17:58:61:F8:
0A:4C:E8:B0:1C:4D:79:23:B0:32:93
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
Certificate[2]:
Owner: CN=TEST Root CA (314aa3fe-ea1f-4afb-b2f5-ad998f1eddf3), O=None
Issuer: CN=TEST Root CA (314aa3fe-ea1f-4afb-b2f5-ad998f1eddf3), O=None
Serial number: 1
Valid from: Mon Jul 07 19:28:55 NOVT 2014 until: Tue Jul 07 19:28:55 NOVT 2015
Certificate fingerprints:
MD5: 78:20:18:80:9C:09:D9:DA:36:3E:06:CC:F7:61:A9:13
SHA1: 40:61:EA:90:D8:58:20:3C:43:CB:2B:E1:3F:49:DF:A8:5A:7A:01:39
SHA256: AB:F6:5C:A7:23:F1:92:38:12:71:29:2A:C0:F1:04:69:CF:F4:7C:26:FC:
E7:0C:89:B4:10:A4:E5:58:9F:50:39
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
#2: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
UPDATE2:
我刚才再生证书(CA,RA,SSL)和它的作品。我不知道为什么:)
如果不提供任何代码,您应该提供一些代码或风险关闭“为什么此代码无法工作”。 – jww