4
votes

We are following the article below for the over-the-air enrollment and profile delivery feature:

http://developer.apple.com/library/ios/#documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/OTASecurity/OTASecurity.html#//apple_ref/doc/uid/TP40009505-CH3-SW1

We were able to complete the steps in Phase 1 and Phase 2. Once the device acquires the certificate from the SCEP server (as part of Phase 2), it sends the response back to the MDM server. This response is signed by the new certificate. The response consists of the signature, the plist content and the certificate in binary format. Ideally, we need to extract the public key from this certificate and use that to sign the configuration profile (.mobileconfig). However, we have difficulty extracting the certificate from the response. It looks like the certificate is corrupted somehow. We tried different encodings, but it didn't help :(

Has anyone successfully extracted the certificate in Phase 3?

Really appreciate any help in this regard.

Thanks

3

3 Answers

0
votes

The response from the device is a DER-encoded S/MIME string. You can use openssl smime to extract the public key.

0
votes

If you are using C#, this can be accessed as part of the Pkcs library.

using System.IO;
using System.Security.Cryptography.Pkcs;
...
// get the data as a byte[] (the raw DER body the device POSTed)
byte[] input = File.ReadAllBytes("requestFromDevice.p7s");
var signer = new SignedCms();
signer.Decode(input);
// signer.Certificates[0] contains the cert
// signer.CheckSignature(true) verifies the signature with the certificate(s) carried in the message
0
votes

To extract the certificates you can use the openssl CLI:

openssl pkcs7 -print_certs -in requestFromDevice.p7s -inform DER

You can then easily parse the output using stdout.split('-----END CERTIFICATE-----') and stdout.split("\n") (in JavaScript).
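An end-to-end check of what the two openssl answers above describe, added here as an example and not part of the original thread. It stands in for the device by signing a constructed attribute plist with a self-signed certificate (in the real Phase 2 that identity is issued by the SCEP server), then takes the MDM server's side: it pulls every certificate out of the DER PKCS#7 response with `openssl pkcs7 -print_certs`, splits the PEM blocks with awk rather than the JavaScript split, verifies the signature using only the extracted certificate (`-nointern`), and prints the SHA-256 fingerprint so it can be matched against what the SCEP CA actually issued. The file names, subject names and plist values are constructed; it assumes `openssl` 1.1 or 3.x on PATH.

```shell
#!/bin/sh
# Added example, not from the original thread. Round trip of OTA Phase 3 with the openssl CLI:
# the "device" signs a constructed plist as opaque DER PKCS#7 SignedData (as in the real exchange),
# the "MDM server" extracts the embedded certificate, verifies the signature with it and
# fingerprints it for comparison with the SCEP CA's issuance record.
# Assumes `openssl` (1.1 or 3.x) on PATH. All names and values below are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# ---- device side (simulated) ------------------------------------------------
# A self-signed key/cert stands in for the SCEP-issued identity. Prints the cert path.
make_identity() {
    name=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.crt" >/dev/null 2>&1
    echo "$WORK/$name.crt"
}

# Sign the Phase 3 attribute plist as binary, non-detached DER SignedData
# with the signer certificate embedded. Prints the response path.
make_device_response() {
    name=$1
    cat > "$WORK/payload.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>UDID</key><string>00000000-CONSTRUCTED-UDID</string>
  <key>VERSION</key><string>7E18</string>
</dict></plist>
EOF
    openssl smime -sign -binary -nodetach -outform DER \
        -signer "$WORK/$name.crt" -inkey "$WORK/$name.key" \
        -in "$WORK/payload.plist" -out "$WORK/response.p7s"
    echo "$WORK/response.p7s"
}

# ---- MDM server side --------------------------------------------------------
# Write each certificate in the DER PKCS#7 blob to <outdir>/cert-N.pem; print the count.
extract_certs() {
    p7s=$1; outdir=$2
    openssl pkcs7 -inform DER -in "$p7s" -print_certs |
        awk -v dir="$outdir" '
            /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
            f != ""                       { print > f }
            /-----END CERTIFICATE-----/   { close(f); f = "" }
            END                           { print n + 0 }'
}

# Verify the signature using ONLY the given certificate (-nointern ignores the
# certs carried inside the message; -noverify skips chain building, which a
# self-signed identity would fail anyway). Prints the recovered plist on success.
verify_and_recover() {
    p7s=$1; signer=$2
    openssl smime -verify -inform DER -in "$p7s" -noverify \
        -nointern -certfile "$signer" 2>/dev/null
}

# SHA-256 fingerprint of a PEM certificate, to match against the SCEP CA's records.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# ---- demo -------------------------------------------------------------------
make_identity device >/dev/null
OTHER=$(make_identity other)             # an unrelated identity, for the negative check
RESP=$(make_device_response device)
COUNT=$(extract_certs "$RESP" "$WORK")
echo "certificates in response: $COUNT"
echo "signer fingerprint:       $(fingerprint "$WORK/cert-1.pem")"
verify_and_recover "$RESP" "$WORK/cert-1.pem" > "$WORK/recovered.plist"
echo "signature OK with extracted cert; recovered $(wc -c < "$WORK/recovered.plist") bytes"
if verify_and_recover "$RESP" "$OTHER" > /dev/null; then
    echo "ERROR: signature accepted with the wrong certificate"; exit 1
fi
echo "signature rejected with an unrelated certificate, as expected"
```

The certificate embedded in the response is supplied by whoever sent the POST, so verifying the signature with it only proves that the sender holds the matching private key. Before issuing the profile, the server still has to match that certificate (issuer and serial, or the fingerprint printed above) against the identity the SCEP CA issued in Phase 2; `-nointern` is what makes the verification use the certificate you chose rather than whatever the message carries.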