Hello, we are trying to create an iOS MDM server using Java. I am stuck at the very first point, where we have to sign the certificate and send an SCEP. I first sent the enroll plist file to the iOS device. In response, I receive an HttpServletRequest from the iOS device when we click on "Install" on the device.
It then uses the URL which contains the profile request URL, and a request is obtained for the same in Java. After reading the request.getInputStream I got to know that the request has two parts within. One is a plist, the other is the certificate of the device.
Printing the file I got the plist below:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CHALLENGE</key>
<string>challengesessionvalue1234</string>
<key>UDID</key>
<string>b3d8980d72a6c2abf4f936862e8c50a734ccc030</string>
</dict>
</plist>
It contains the "Challenge" string which was sent during enrollment. Also it gives the device UDID. This part was retrieved by reading the inputStream of the request in Java using bytes.
The other part the request.getInputStream contains is the PKCS signed certificate details of the Apple certificate, as shown below:
PKCS7 :: signer infos:
0. Signer Info for (issuer): CN=Apple iPhone Device CA, OU=Apple iPhone, O=Apple Inc., C=US
version: 01
certificateSerialNumber: 0252f631 cadff5f3 99986
digestAlgorithmId: SHA
authenticatedAttributes: PKCS9 Attributes: [
[ContentType: 1.2.840.113549.1.7.1];
[MessageDigest: 0000: E1 BF 36 1B 11 5C CB 0E E6 1C 57 4F 09 FC 55 B4 ..6..\....WO..U.
0010: D9 C1 E0 1E ....
];
[SigningTime: Wed Jul 30 11:46:02 UTC 2014]
] (end PKCS9 Attributes)
digestEncryptionAlgorithmId: RSA
encryptedDigest:
0000: C5 11 AC 76 89 E7 43 BD A3 03 5F 14 4B 08 BD E4 ...v..C..._.K...
0010: 5E F9 55 BA A7 F5 4E 43 E0 74 FD 06 D2 E2 88 03 ^.U...NC.t......
0020: C4 9C 88 A2 01 E0 9C 63 62 C2 D9 1A BD FC 00 B3 .......cb.......
0030: 64 30 8F 00 BD F4 4A B9 4E EA D5 C6 7B 26 1C 01 d0....J.N....&..
0040: A5 E2 B7 27 B9 7A A8 2D 22 97 E3 D9 24 7B 8B 24 ...'.z.-"...$..$
0050: 84 49 7C 38 1B A7 56 80 B8 CD 1A 44 9C AF 79 D9 .I.8..V....D..y.
0060: 86 12 B5 31 D1 BD 5C 27 F6 64 BC EC DC 02 19 A5 ...1..\'.d......
0070: 25 A5 09 F2 BB 11 67 78 3E DC D4 03 F2 E4 8D C0 %.....gx>.......
I have not copied the whole file as it was huge. To read this part I used PKCS7 available for Java from the sun.security.pkcs package.
I would first like to read the "Challenge" value and authenticate the certificate using the challenge itself, as it will be a uniquely identified session value for us. I just want to pass back a signed certificate to the iOS device so that I can proceed further.
Please provide Java code which will help in parsing this request.getInputStream. The content type of the request is "application/pkcs7-signature". And how should I pass back the response? Do I need to create the certificate again?
Please help. Hope I made myself clear with the doubt. Thanks in advance!
Let me try to break down your question into multiple subquestions and answer them.
I am stuck at the very first point where we have to sign the certificate and send an SCEP.
Frankly, I wasn't able to understand what you are talking about.
Based on the response which you got, you are doing this: https://developer.apple.com/library/ios/documentation/networkinginternet/conceptual/iphoneotaconfiguration/OTASecurity/OTASecurity.html
And you are on phase 2, step 1.
I would first like to read the "Challenge" value and authenticate the certificate using challenge itself as it will be a uniquely identified session value for us
Again, I am not 100% sure what you mean, specifically "authenticate the certificate using challenge itself".
You should do two things at this step:
- Authenticate this request using the challenge extracted from the request
- Validate the signature (make sure that it's a correct signature and that it's signed by the appropriate Apple certificate).
- If everything is correct (the challenge and the certificate) then you should send either a profile with an SCEP payload or a PKCS12 payload
Please provide a java code which will help in parse this request.getInputStream. To read this part i used PKCS7 available for java from sun.security.pkcs package.
I would recommend looking at Bouncy Castle. It's an excellent library which handles crypto.
And search for "Bouncy castle validate signature":
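To make the two checks in the answer concrete, here is an added example (not code from the question, the answer, or Bouncy Castle's own documentation) that takes the application/pkcs7-signature body from request.getInputStream, verifies the CMS signature with Bouncy Castle (bcprov and bcpkix on the classpath are assumed), checks that the signer chains to a pinned Apple root loaded from the placeholder path APPLE_ROOT_PATH, and only then parses the embedded plist to compare CHALLENGE against the value your server issued at enrollment. The names ProfileServiceRequest, parseAndVerify, validateChain, readDict and handle are my own; the expected challenge is something your session store supplies.

```java
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.w3c.dom.Node;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.Security;
import java.security.cert.*;
import java.util.*;

public class ProfileServiceRequest {
    static { Security.addProvider(new BouncyCastleProvider()); }

    // Placeholder (assumption): the Apple root certificate you have pinned for device-certificate chains.
    static final String APPLE_ROOT_PATH = "/path/to/apple-root.cer";

    /** Verifies signature and chain first; only then returns the signed plist's key/string pairs. */
    public static Map<String, String> parseAndVerify(byte[] pkcs7Body) throws Exception {
        CMSSignedData signed = new CMSSignedData(pkcs7Body);
        JcaX509CertificateConverter conv = new JcaX509CertificateConverter().setProvider("BC");

        // Certificates carried inside the PKCS#7 structure (device cert plus any intermediates).
        List<X509Certificate> carried = new ArrayList<>();
        for (X509CertificateHolder h : signed.getCertificates().getMatches(null)) {
            carried.add(conv.getCertificate(h));
        }

        for (SignerInformation signer : signed.getSignerInfos().getSigners()) {
            Collection<X509CertificateHolder> matches = signed.getCertificates().getMatches(signer.getSID());
            if (matches.isEmpty()) throw new SecurityException("no certificate for signer");
            X509Certificate signerCert = conv.getCertificate(matches.iterator().next());
            // Checks the encryptedDigest over the authenticated attributes, including MessageDigest.
            if (!signer.verify(new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(signerCert))) {
                throw new SecurityException("bad PKCS#7 signature");
            }
            validateChain(signerCert, carried);
        }

        // The signed content is the plist shown in the question (CHALLENGE and UDID).
        byte[] plist = (byte[]) signed.getSignedContent().getContent();
        return readDict(plist);
    }

    /** Orders the chain end-entity first and validates it against the pinned root with the JDK PKIX validator. */
    static void validateChain(X509Certificate leaf, List<X509Certificate> pool) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate root;
        try (InputStream in = new FileInputStream(APPLE_ROOT_PATH)) {
            root = (X509Certificate) cf.generateCertificate(in);
        }
        List<X509Certificate> chain = new ArrayList<>();
        X509Certificate cur = leaf;
        while (cur != null && chain.size() < 8
                && !cur.getIssuerX500Principal().equals(root.getSubjectX500Principal())) {
            chain.add(cur);
            X509Certificate next = null;
            for (X509Certificate c : pool) {
                if (!c.equals(cur) && c.getSubjectX500Principal().equals(cur.getIssuerX500Principal())) next = c;
            }
            cur = next;
        }
        if (cur == null || chain.size() >= 8) throw new SecurityException("chain does not reach the pinned root");
        chain.add(cur);
        PKIXParameters params = new PKIXParameters(Collections.singleton(new TrustAnchor(root, null)));
        params.setRevocationEnabled(false); // assumption: no CRL/OCSP reachable from this server
        CertPathValidator.getInstance("PKIX").validate(cf.generateCertPath(chain), params);
    }

    /** Parses the plist dict with DTD fetching and external entities disabled (the plist references Apple's DTD). */
    static Map<String, String> readDict(byte[] plist) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setExpandEntityReferences(false);
        Node dict = f.newDocumentBuilder().parse(new ByteArrayInputStream(plist))
                .getElementsByTagName("dict").item(0);
        Map<String, String> out = new LinkedHashMap<>();
        String key = null;
        for (Node n = dict.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n.getNodeType() != Node.ELEMENT_NODE) continue;
            if ("key".equals(n.getNodeName())) key = n.getTextContent().trim();
            else if (key != null) { out.put(key, n.getTextContent().trim()); key = null; }
        }
        return out;
    }

    /** Servlet side: verify the body, then bind the UDID to the session only if the challenge matches. */
    public static String handle(InputStream body, String expectedChallenge) throws Exception {
        Map<String, String> attrs = parseAndVerify(body.readAllBytes());
        // Constant-time comparison, so response timing does not reveal how much of the challenge matched.
        if (!MessageDigest.isEqual(attrs.getOrDefault("CHALLENGE", "").getBytes(), expectedChallenge.getBytes())) {
            throw new SecurityException("challenge mismatch");
        }
        return attrs.get("UDID");
    }
}
```

Call handle(request.getInputStream(), challengeIssuedForThisSession) from the servlet; a returned UDID means both the signature and the challenge checked out, and the next response is the signed profile with an SCEP or PKCS12 payload that the answer describes. The challenge should be single-use and tied to the enrollment session, otherwise a replayed request would pass this check. The plist is read only after the signature is verified, which is why the XML parser is locked down: it is still parsing attacker-supplied bytes if a forged signature were ever accepted.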
Source: https://stackoverflow.com/questions/25037650/ios-mdm-enrollment-profile-request-of-profile-to-sign-the-certificate-using-jav