
Get certificate expiry date from the embedded.mobileprovision provisioning profile

I need to get the expiry date of our iOS enterprise certificate used in an ipa's embedded.mobileprovision file using the command line.

I've got this so far:

security cms -D -i Payload/*.app/embedded.mobileprovision > tmp.plist && /usr/libexec/PlistBuddy -c 'Print :DeveloperCertificates' tmp.plist | base64 -d - | openssl x509 -inform DER -noout -text

The response:

Apr 22 12:28:47 c01892 base64[14721] <Info>: Read 510 bytes.
Apr 22 12:28:47 c01892 base64[14721] <Info>: Wrote 680 bytes.
Apr 22 12:28:47 c01892 base64[14721] <Info>: Read 510 bytes.
Apr 22 12:28:47 c01892 base64[14721] <Info>: Wrote 680 bytes.
Apr 22 12:28:47 c01892 base64[14721] <Info>: Read 440 bytes.
Apr 22 12:28:47 c01892 base64[14721] <Info>: Wrote 588 bytes.
unable to load certificate
14722:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:/SourceCache/OpenSSL098/    OpenSSL098-52.20.2/src/crypto/asn1/tasn_dec.c:1323:
14722:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:/SourceCache/    OpenSSL098/OpenSSL098-52.20.2/src/crypto/asn1/tasn_dec.c:379:Type=X509

The openssl command works on our certificate file just fine:

openssl x509 -inform DER -noout -text -in "iPhone Distribution: XXXX.cer"

So what I am missing is getting the certificate out of the embedded.mobileprovision, decode it and save it to a file or pass it by piping.


If I split the command up, we get the following:

a. Get the certificate out of the embedded.mobileprovision:

security cms -D -i Payload/*.app/embedded.mobileprovision > tmp.plist && /usr/libexec/PlistBuddy -c 'Print :DeveloperCertificates' tmp.plist > encodedcert.b64

b. Decode the retrieved base64 to a .cer file:

base64 -d encodedcert.b64 certificate.cer

c. Read it with openssl:

openssl x509 -inform DER -noout -text -in certificate.cer

Unfortunately, the certificate.cer file generated by my base64 command is zero bytes long...

Who can help me out further?

Tycho Pandelaar asked Apr 22 '15 09:04


1 Answer

I've successfully been able to get to the certificate information.

The problem was that my PlistBuddy command was wrong. I should have used 'DeveloperCertificates:0' instead of ':DeveloperCertificates'.

I also did not need the base64 stuff.

So the working command line to get the info from the enterprise certificate in an embedded.mobileprovision profile is:

security cms -D -i Payload/*.app/embedded.mobileprovision > tmp.plist && /usr/libexec/PlistBuddy -c 'Print DeveloperCertificates:0' tmp.plist | openssl x509 -inform DER -noout -enddate

Split up into three parts:

  1. Get a plist from the embedded.mobileprovision:

    security cms -D -i Payload/*.app/embedded.mobileprovision > tmp.plist
    
  2. Get the first certificate from the plist:

    /usr/libexec/PlistBuddy -c 'Print DeveloperCertificates:0' tmp.plist |
    
  3. Read the certificate passed through the pipe and extract the enddate (-text instead of -enddate gives you the entire certificate information):

    openssl x509 -inform DER -noout -enddate
    

Edit: Here is the command without a temporary plist file:

 /usr/libexec/PlistBuddy -c 'Print DeveloperCertificates:0' /dev/stdin <<< $(security cms -D -i Payload/*.app/embedded.mobileprovision) | openssl x509 -inform DER -noout -enddate

Tycho Pandelaar answered Oct 21 '22 15:10
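
An added example, not part of the original answer: the same extraction in Python, for build hosts without `security` and PlistBuddy, extended to report every entry in DeveloperCertificates rather than only index 0. It assumes the XML plist sits contiguously inside the CMS wrapper and it does not verify the CMS signature; the function names and the 30-day warning window are illustrative choices.

```python
import plistlib
import sys
from datetime import datetime, timezone

def extract_plist(profile: bytes) -> dict:
    """Cut the XML plist out of the CMS wrapper. The signature is NOT verified."""
    start = profile.find(b"<?xml")
    end = profile.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(profile[start:end + len(b"</plist>")])

def _tlv(buf: bytes, pos: int):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def not_after(der: bytes) -> datetime:
    """Return the notAfter field of a DER-encoded X.509 certificate, in UTC."""
    pos = _tlv(der, 0)[1]             # step into Certificate SEQUENCE
    pos = _tlv(der, pos)[1]           # step into tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                   # optional explicit [0] version
        pos = end
    for _field in range(3):           # skip serialNumber, signature, issuer
        pos = _tlv(der, pos)[2]
    pos = _tlv(der, pos)[1]           # step into validity SEQUENCE
    pos = _tlv(der, pos)[2]           # skip notBefore
    tag, start, end = _tlv(der, pos)  # notAfter
    text = der[start:end].decode("ascii")
    if tag == 0x17:                   # UTCTime: YY >= 50 means 19YY (RFC 5280)
        text = ("19" if text[:2] >= "50" else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def expiry_report(profile: bytes, now: datetime, warn_days: int = 30):
    """Return (index, notAfter, days_left, status) for every DeveloperCertificates entry."""
    rows = []
    for i, der in enumerate(extract_plist(profile).get("DeveloperCertificates", [])):
        end = not_after(der)
        days = (end - now).days
        status = "EXPIRED" if end <= now else "WARN" if days < warn_days else "OK"
        rows.append((i, end, days, status))
    return rows

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:   # path to an embedded.mobileprovision
        for row in expiry_report(fh.read(), datetime.now(timezone.utc)):
            print(*row)
```

Run it with the path to the profile as the only argument, for example the `embedded.mobileprovision` inside an unzipped ipa's `Payload/*.app` directory.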