
Checking provisioning profile's developer certificate validity

I want to allow customers to upload their own provisioning profile, including icons, so that I can make them a custom version of my app on the fly, which they can then publish.

However, I'm having a little trouble validating the provisioning profile. In particular, I want to check whether the DeveloperCertificate is actually a valid certificate. The profile looks something like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>ApplicationIdentifierPrefix</key>
    <array>
        <string>ABCDEFGH</string>
    </array>
    <key>CreationDate</key>
    <date>2012-03-28T11:17:23Z</date>
    <key>DeveloperCertificates</key>
    <array>
        <data>
        MIIFajCCBFKgAwIBAgIIddUra9YprMQwDQYJKoZIhvcNAQEFBQAwgZYxCzAJ
        BgNVBAYTAlVTMRMwEQYDVQQKDApBcHBsZSBJbmMuMSwwKgYDVQQLDCNBcHBs
        ZSBXb3JsZHdpZGUgRGV2ZWxvcGVyIFJlbGF0aW9uczFEMEIGA1UEAww7QXBw
        ...     
        </data>
    </array>
    ...
</dict>

So, I extract the certificate(s) and then want to check them, preferably using an openssl command. What is the encryption used for these certificates, and how do I verify them using openssl? I would think that this uses pkcs12, but trying that gives me an error:

$ openssl pkcs12 -noout -in testcertificate
140653159306912:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1319:
140653159306912:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:381:Type=PKCS12

Can anyone point me in the right direction? It is essential that I can somehow verify developer certificates' validity.

Thanks

Doa asked Jul 17 '12 11:07



1 Answer

I've been looking into this, and it turns out that it doesn't have to be as hard as how David describes it. The solution is actually quite simple:

The certificate is a base64-encoded DER certificate. What you need to do is the following:

  • Extract the certificate from the XML
  • Base64-decode the certificate:

    base64 -d certificate > certificate.crt

  • Test the certificate with OpenSSL:

    openssl x509 -inform DER -in certificate.crt -noout -text

Or, if we pipe it:

cat certificate | base64 -d - | openssl x509 -inform DER -noout -text

The -text option makes openssl give all the details, but you can specify according to your wishes. If, for example, you are only interested in whether the certificate is an actual Distribution certificate, you can use the -subject option instead and look at the CN= field.

Doa answered Sep 30 '22 07:09
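
The steps from the answer above combined into one script, as an added example that is not part of the original answer. It assumes the profile is already plain XML laid out as in the question, and that GNU base64 and the openssl command-line tool are installed; the function names and the self-signed sample certificate are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes the profile is plain XML laid out as in the question.

# extract_dev_certs PLIST OUTDIR: write each <data> entry under
# DeveloperCertificates to OUTDIR/cert-N.crt as DER.
extract_dev_certs() {
    awk -v out="$2" '
        /<key>DeveloperCertificates<\/key>/ { in_arr = 1; next }
        in_arr && /<\/array>/ { in_arr = 0 }
        in_arr && /<data>/    { n++; in_data = 1 }
        in_data {
            line = $0
            closing = (line ~ /<\/data>/)
            gsub(/<\/?data>|[ \t\r]/, "", line)   # keep only the base64 text
            if (line != "") print line > (out "/cert-" n ".b64")
            if (closing) in_data = 0
        }' "$1" || return 1
    for b64 in "$2"/cert-*.b64; do
        [ -e "$b64" ] || return 1                 # no certificate found
        base64 -d "$b64" > "${b64%.b64}.crt" || return 1
    done
}

# check_cert DER_FILE: print subject and expiry date.
# Returns 2 if the file is not a DER X.509 certificate, 1 if it has expired.
check_cert() {
    openssl x509 -inform DER -in "$1" -noout -subject -enddate || return 2
    openssl x509 -inform DER -in "$1" -noout -checkend 0 >/dev/null || return 1
}

# make_sample_profile DIR: constructed test input, a throwaway self-signed
# certificate wrapped in a minimal plist with the same layout as the profile.
make_sample_profile() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Sample" \
        -keyout "$1/key.pem" -out "$1/sample.pem" 2>/dev/null || return 1
    openssl x509 -in "$1/sample.pem" -outform DER -out "$1/sample.der" || return 1
    {
        printf '<plist version="1.0">\n<dict>\n    <key>DeveloperCertificates</key>\n'
        printf '    <array>\n        <data>\n'
        base64 "$1/sample.der" | sed 's/^/        /'
        printf '        </data>\n    </array>\n</dict>\n</plist>\n'
    } > "$1/sample.plist"
}

# Demo run on the constructed sample.
demo=$(mktemp -d) && make_sample_profile "$demo" &&
    extract_dev_certs "$demo/sample.plist" "$demo" && check_cert "$demo/cert-1.crt"
```

These checks confirm only that each entry parses as an X.509 certificate and has not expired. They do not establish who issued it; that needs a chain check with openssl verify against the issuing CA certificates.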