我正在C++中使用Apple OTA配置文件傳遞示例(位於Ruby中)實施Apple MDM配置文件服務。除了最後一步(配置應用),似乎所有的東西都運行良好。Apple MDM - 配置文件無法解密(未安裝此配置文件的解密密鑰)解決方案
IPhone配置實用程序顯示以下內容:
Jul 8 16:38:48 iPhone profiled[1454] : (Note) profiled: Service starting...
Jul 8 16:38:48 iPhone profiled[1454] : (Note) MC: Checking for MDM installation...
Jul 8 16:38:48 iPhone profiled[1454] : (Note) MC: ...finished checking for MDM installation.
Jul 8 16:38:50 iPhone profiled[1454] : (Note) MC: Enrolling in OTA Profile service...
Jul 8 16:38:51 iPhone profiled[1454] : (Note) MC: Attempting to retrieve issued certificate...
Jul 8 16:38:51 iPhone profiled[1454] : (Note) MC: Issued certificate received.
Jul 8 16:38:52 iPhone profiled[1454] : (Note) MC: Retrieving profile from OTA Profile service...
Jul 8 16:38:52 iPhone profiled[1454] : (Error) MC: Decryption failed: NSError:
Desc : Profile could not be decrypted
Sugg : Decryption key for this profile is not installed.
US Desc: Profile could not be decrypted
US Sugg: Decryption key for this profile is not installed.
Domain : MCProfileErrorDomain
Code : 1006
Type : MCFatalError
現在看來似乎是一個常見的錯誤,因爲我發現一對夫婦discussions.apple.com的討論,但他們沒有解決方案。我在這裏也找到了a comment,但它也沒有解決方案。
在Over-the-Air Profile Delivery Concepts中的Apple Ruby示例運行良好。我比較了C++實現和Ruby示例的輸出(證書轉儲)。他們是相同的除了域名(我使用「測試」而不是「ACME」。我試圖使用原始證書,但他們也沒有在我的實施工作。)。
我在代碼中使用相同的加密向設備端發送新的證書。有用。
在配置文件加密的情況下,我使用從設備端收到的來自PKCS7的證書。所以我不認爲這個問題是由於OpenSSL的錯誤使用造成的。
你能告訴我什麼嗎?
UPDATE1:
1)其實,當我說證書(礦山和例子)是相同的我的意思是,他們具有相同的依賴關係,我的意思是,它似乎像我和示例算法類似地工作。當然這些證書有不同的指紋等等。
2)我使用的是精確的算法,就像來自Over-the-Air Profile Delivery Concepts鏈接的Ruby例子。所以據我瞭解我使用SCEP。
這是我的C++代碼(我主要刪除了用於日誌記錄的代碼)。是的,我明白我的代碼很粗糙,但在這個階段我只需要一個有效的算法。
C-X509-請求從 - device.pem
PKCS #10 Certificate Request (Version 1.0)
Subject: CN=Profile Service (4feea0ef-b586-4c54-a767-5d8160a04952), O=TEST Inc.
Public Key: X.509 format RSA key
Extension Request:
#1: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
E-PKCS7-degenerated.pem
Owner: CN=Profile Service (4feea0ef-b586-4c54-a767-5d8160a04952), O=TEST Inc.
Issuer: CN=TEST Root CA (314aa3fe-ea1f-4afb-b2f5-ad998f1eddf3), O=None
Serial number: 145
Valid from: Wed Jul 09 22:38:04 NOVT 2014 until: Thu Jul 10 22:38:04 NOVT 2014
Certificate fingerprints:
MD5: B4:F4:78:E3:A1:69:FB:23:49:E8:0D:4C:E5:8F:C5:A6
SHA1: 47:19:8A:9C:9F:91:B2:FC:6B:ED:EE:A8:41:FF:3B:CF:6A:1D:52:F2
SHA256: 59:95:31:66:B8:D8:54:83:B5:23:17:86:1A:7F:94:98:B2:17:58:61:F8:
0A:4C:E8:B0:1C:4D:79:23:B0:32:93
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
/輪廓(第二POST;我的響應導致「配置文件無法解密」錯誤)
PKCS7Wrap pkcs7;
pkcs7.InitFromDER(httpData.block_, httpData.blockSize_);
std::string content;
// ...........
SavePKCS7ToFile(pkcs7.pkcs7_, "K-pkcs7-from-device-2.pem");
std::string tmp = appleMDMPList_.GetClientCertConfPayloadPList("foo");
SaveData(tmp, "3-client-cert-conf.xml");
PKCS7Wrap encryptedContent;
PKCS7Wrap::EncryptData(pkcs7.GetCertificates(), tmp, encryptedContent);
if (encryptedContent.IsInited())
{
SavePKCS7ToFile(encryptedContent.pkcs7_, "Q-encrypted_profile.pem");
content =
appleMDMPList_.GetConfigurationPayloadPList(encryptedContent.ToDER());
SaveData(content, "4-configuration.xml");
}
std::string signedProfile;
PKCS7Wrap::SignData(keyStore.GetAppleMDMSSLCrt(),
keyStore.GetAppleMDMSSLKey(), content, signedProfile);
// send to the device with mime = application/x-apple-aspen-config
K-pkcs7-from-device-2。PEM
Certificate[1]:
Owner: CN=Profile Service (4feea0ef-b586-4c54-a767-5d8160a04952), O=TEST Inc.
Issuer: CN=TEST Root CA (314aa3fe-ea1f-4afb-b2f5-ad998f1eddf3), O=None
Serial number: 145
Valid from: Wed Jul 09 22:38:04 NOVT 2014 until: Thu Jul 10 22:38:04 NOVT 2014
Certificate fingerprints:
MD5: B4:F4:78:E3:A1:69:FB:23:49:E8:0D:4C:E5:8F:C5:A6
SHA1: 47:19:8A:9C:9F:91:B2:FC:6B:ED:EE:A8:41:FF:3B:CF:6A:1D:52:F2
SHA256: 59:95:31:66:B8:D8:54:83:B5:23:17:86:1A:7F:94:98:B2:17:58:61:F8:
0A:4C:E8:B0:1C:4D:79:23:B0:32:93
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
Certificate[2]:
Owner: CN=TEST Root CA (314aa3fe-ea1f-4afb-b2f5-ad998f1eddf3), O=None
Issuer: CN=TEST Root CA (314aa3fe-ea1f-4afb-b2f5-ad998f1eddf3), O=None
Serial number: 1
Valid from: Mon Jul 07 19:28:55 NOVT 2014 until: Tue Jul 07 19:28:55 NOVT 2015
Certificate fingerprints:
MD5: 78:20:18:80:9C:09:D9:DA:36:3E:06:CC:F7:61:A9:13
SHA1: 40:61:EA:90:D8:58:20:3C:43:CB:2B:E1:3F:49:DF:A8:5A:7A:01:39
SHA256: AB:F6:5C:A7:23:F1:92:38:12:71:29:2A:C0:F1:04:69:CF:F4:7C:26:FC:
E7:0C:89:B4:10:A4:E5:58:9F:50:39
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
#2: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
UPDATE2:
我剛纔再生證書(CA,RA,SSL)和它的作品。我不知道爲什麼:)
如果不提供任何代碼,您應該提供一些代碼或風險關閉「爲什麼此代碼無法工作」。 – jww