diff --git a/README.md b/README.md new file mode 100644 index 0000000..53a5498 --- /dev/null +++ b/README.md @@ -0,0 +1,7 @@ +A very early version of a SCEP server and library written in go. Take this as notes on reading the [SCEP IETF draft](https://tools.ietf.org/html/draft-gutmann-scep-02) +The repo includes a sample CA and configuration profile you can use to try SCEP enrollment. + +# plans +`github.com/micromdm/scep` will become both a Go library and a standalone SCEP server/SCEP proxy. + + diff --git a/main.go b/main.go new file mode 100644 index 0000000..8879e14 --- /dev/null +++ b/main.go @@ -0,0 +1,217 @@ +package main + +import ( + "crypto/rsa" + "crypto/x509" + "encoding/pem" + "errors" + "fmt" + "io" + "io/ioutil" + "log" + "net/http" + "os" + + "github.com/groob/pkcs7" +) + +func main() { + http.HandleFunc("/scep", scepHandler) + log.Fatal(http.ListenAndServe(":9001", nil)) +} + +const ( + certificatePEMBlockType = "CERTIFICATE" +) + +func scepHandler(w http.ResponseWriter, r *http.Request) { + q := r.URL.Query() + if _, ok := q["operation"]; !ok { + fmt.Println("no operation in query parameters, returning") + } + op := q.Get("operation") + switch op { + case "GetCACaps": + caps := []byte(`GetNextCACert +POSTPKIOperation`) + w.Write(caps) + case "GetCACert": + c, err := loadPEMCertFromFile("testca/ca.crt") + if err != nil { + fmt.Println(err) + return + } + w.Header().Set("Content-Type", "application/x-x509-ca-ra-cert") + chain, err := pkcs7.DegenerateCertificates([]*x509.Certificate{c}) + if err != nil { + fmt.Println(err) + return + } + w.Write(chain) + // c, err := loadPEMCertFromFile("/Users/vvrantch/code/go/src/github.com/micromdm/scep/ca/ca.crt") + // if err != nil { + // fmt.Println(err) + // return + // } + // w.Header().Set("Content-Type", "application/x-x509-ca-cert") + // w.Write(c.Raw) + return + case "PKIOperation": + handlePKIOperation(w, r) + default: + fmt.Println(r) + fmt.Printf("unknown op type: %s\n", op) + io.Copy(os.Stdout, r.Body) + } +} + +func handlePKIOperation(w http.ResponseWriter, r *http.Request) { + k := key() + c := cert() + data, err := ioutil.ReadAll(r.Body) + if err != nil { + fmt.Println(err) + return + } + ioutil.WriteFile("request", data, 0755) + msg, err := parsePKIMessage(data) + if err != nil { + fmt.Println(err) + return + } + err = msg.decrypt(c, k) + if err != nil { + fmt.Println(err) + return + } + err = msg.signCert(c, k) + if err != nil { + fmt.Println(err) + return + } + reply, err := msg.CertRep() + if err != nil { + fmt.Println(err) + return + } + ioutil.WriteFile("device.crt", msg.crtBytes, 0755) + ioutil.WriteFile("degenerate", reply.repDegenerate, 0755) + e7, err := pkcs7.Encrypt(reply.repDegenerate, reply.recipients) + if err != nil { + fmt.Println(err) + return + } + sd, err := pkcs7.NewSignedData(e7) + if err != nil { + fmt.Println(err) + return + } + config := pkcs7.SignerInfoConfig{ + ExtraSignedAttributes: []pkcs7.Attribute{ + pkcs7.Attribute{ + Type: oidSCEPpkiStatus, + Value: reply.pkiStatus, + }, + pkcs7.Attribute{ + Type: oidSCEPmessageType, + Value: reply.messageType, + }, + pkcs7.Attribute{ + Type: oidSCEPtransactionID, + Value: reply.transactionID, + }, + // pkcs7.Attribute{ + // Type: oidSCEPsenderNonce, + // Value: reply.senderNonce, + // }, + pkcs7.Attribute{ + Type: oidSCEPrecipientNonce, + Value: reply.recipientNonce, + }, + }, + } + cert, err := x509.ParseCertificate(msg.crtBytes) + if err != nil { + fmt.Println(err) + return + } + sd.AddCertificate(cert) + err = sd.AddSigner(c, k, config) + if err != nil { + fmt.Println(err) + return + } + response, err := sd.Finish() + if err != nil { + fmt.Println(err) + return + } + ioutil.WriteFile("response", response, 0755) + w.Header().Set("Content-Type", "application/x-pki-message") + w.Write(response) + pd, err := pkcs7.Parse(response) + if err != nil { + log.Fatal(err) + } + _ = pd + return +} + +func loadPEMCertFromFile(path string) (*x509.Certificate, error) { + data, err := ioutil.ReadFile(path) + if err != nil { + return nil, err + } + pemBlock, _ := pem.Decode(data) + if pemBlock == nil { + return nil, errors.New("cannot find the next PEM formatted block") + } + if pemBlock.Type != certificatePEMBlockType || len(pemBlock.Headers) != 0 { + return nil, errors.New("unmatched type or headers") + } + crt, err := x509.ParseCertificate(pemBlock.Bytes) + if err != nil { + return nil, err + } + return crt, nil +} + +// helpers +func key() *rsa.PrivateKey { + data, err := ioutil.ReadFile("testca/ca.key") + if err != nil { + log.Fatal(err) + } + pemBlock, _ := pem.Decode(data) + if pemBlock == nil { + log.Fatal("PEM decode failed") + } + password := []byte("") + b, err := x509.DecryptPEMBlock(pemBlock, password) + if err != nil { + log.Fatal(err) + } + k, err := x509.ParsePKCS1PrivateKey(b) + if err != nil { + fmt.Println("keyfail") + log.Fatal(err) + } + return k +} + +func cert() *x509.Certificate { + data, err := ioutil.ReadFile("testca/ca.crt") + if err != nil { + log.Fatal(err) + } + pemBlock, _ := pem.Decode(data) + if pemBlock == nil { + log.Fatal("PEM decode failed") + } + cert, err := x509.ParseCertificate(pemBlock.Bytes) + if err != nil { + log.Fatal(err) + } + + return cert +} diff --git a/scep.go b/scep.go new file mode 100644 index 0000000..6be4155 --- /dev/null +++ b/scep.go @@ -0,0 +1,244 @@ +package main + +import ( + "crypto" + "crypto/rand" + "crypto/rsa" + "crypto/sha1" + "crypto/x509" + "crypto/x509/pkix" + "encoding/asn1" + "errors" + "math/big" + "time" + + "github.com/groob/pkcs7" +) + +// SCEP OIDs +var ( + oidSCEPmessageType = asn1.ObjectIdentifier{2, 16, 840, 1, 113733, 1, 9, 2} + oidSCEPpkiStatus = asn1.ObjectIdentifier{2, 16, 840, 1, 113733, 1, 9, 3} + oidSCEPfailInfo = asn1.ObjectIdentifier{2, 16, 840, 1, 113733, 1, 9, 4} + oidSCEPsenderNonce = asn1.ObjectIdentifier{2, 16, 840, 1, 113733, 1, 9, 5} + oidSCEPrecipientNonce = asn1.ObjectIdentifier{2, 16, 840, 1, 113733, 1, 9, 6} + oidSCEPtransactionID = asn1.ObjectIdentifier{2, 16, 840, 1, 113733, 1, 9, 7} +) + +// MessageType is a SCEP message type +type MessageType string + +// Message Types +const ( + CertRep MessageType = "3" + RenewalReq = "17" + UpdateReq = "18" + PKCSReq = "19" + CertPoll = "20" + GetCert = "21" + GetCRL = "22" +) + +// PKIStatus is a SCEP pkiStatus +type PKIStatus string + +// PKI Statuses +const ( + SUCCESS PKIStatus = "0" + FAILURE = "2" + PENDING = "3" +) + +// FailInfo is a SCEP failInfo type +type FailInfo string + +// failinfos +const ( + BadAlg FailInfo = "0" + BadMessageCheck = "1" + BadRequest = "2" + BadTime = "3" + BadCertID = "4" +) + +type pkiMessage struct { + raw []byte // the original content + envelopedContent []byte // the encrypted part of the msg + decryptedContent []byte + + messageType MessageType + pkiStatus PKIStatus + transactionID string + senderNonce []byte + recipientNonce []byte + csr *x509.CertificateRequest + crtBytes []byte + repDegenerate []byte + recipients []*x509.Certificate + signedCert *x509.Certificate +} + +func parsePKIMessage(data []byte) (*pkiMessage, error) { + // parse pkcs#7 signed data + p7, err := pkcs7.Parse(data) + if err != nil { + return nil, err + } + var msgType MessageType + err = p7.UnmarshalSignedAttribute(oidSCEPmessageType, &msgType) + if err != nil { + return nil, err + } + var tID string + err = p7.UnmarshalSignedAttribute(oidSCEPtransactionID, &tID) + if err != nil { + return nil, err + } + var sn []byte + err = p7.UnmarshalSignedAttribute(oidSCEPsenderNonce, &sn) + if err != nil { + return nil, err + } + // the csr is encrypted in the content of the pkcs#7 content + msg := &pkiMessage{ + raw: data, + envelopedContent: p7.Content, + messageType: msgType, + transactionID: tID, + senderNonce: sn, + recipients: p7.Certificates, + } + return msg, nil +} + +func (msg *pkiMessage) decrypt(cert *x509.Certificate, key *rsa.PrivateKey) error { + p7, err := pkcs7.Parse(msg.envelopedContent) + if err != nil { + return err + } + data, err := p7.Decrypt(cert, key) + if err != nil { + return err + } + msg.decryptedContent = data + + //parse csr + csr, err := x509.ParseCertificateRequest(data) + if err != nil { + return err + } + msg.csr = csr + return nil +} + +var ( + // Build CA based on RFC5280 + hostTemplate = x509.Certificate{ + // **SHOULD** be filled in a unique number + SerialNumber: big.NewInt(4), + // **SHOULD** be filled in host info + Subject: pkix.Name{}, + // NotBefore is set to be 10min earlier to fix gap on time difference in cluster + NotBefore: time.Now().Add(-600).UTC(), + // 10-year lease + NotAfter: time.Time{}, + // Used for certificate signing only + KeyUsage: 0, + + ExtKeyUsage: []x509.ExtKeyUsage{ + x509.ExtKeyUsageServerAuth, + x509.ExtKeyUsageClientAuth, + }, + UnknownExtKeyUsage: nil, + + // activate CA + BasicConstraintsValid: false, + + // 160-bit SHA-1 hash of the value of the BIT STRING subjectPublicKey + // (excluding the tag, length, and number of unused bits) + // **SHOULD** be filled in later + SubjectKeyId: nil, + + // Subject Alternative Name + DNSNames: nil, + + PermittedDNSDomainsCritical: false, + PermittedDNSDomains: nil, + } +) + +func (msg *pkiMessage) signCert(crtAuth *x509.Certificate, keyAuth *rsa.PrivateKey) error { + id, err := GenerateSubjectKeyID(msg.csr.PublicKey) + if err != nil { + return err + } + tmpl := &x509.Certificate{ + SerialNumber: big.NewInt(4), + Subject: msg.csr.Subject, + NotBefore: time.Now().Add(-600).UTC(), + NotAfter: time.Now().AddDate(1, 0, 0).UTC(), + SubjectKeyId: id, + ExtKeyUsage: []x509.ExtKeyUsage{ + x509.ExtKeyUsageAny, + x509.ExtKeyUsageClientAuth, + }, + } + crt, err := x509.CreateCertificate(rand.Reader, tmpl, crtAuth, msg.csr.PublicKey, keyAuth) + if err != nil { + return err + } + msg.signedCert, err = x509.ParseCertificate(crt) + if err != nil { + return err + } + msg.crtBytes = crt + return nil +} + +func (msg *pkiMessage) CertRep() (*pkiMessage, error) { + certs := []*x509.Certificate{msg.signedCert} + deg, err := pkcs7.DegenerateCertificates(certs) + if err != nil { + return nil, err + } + + reply := &pkiMessage{ + messageType: CertRep, + senderNonce: msg.senderNonce, + recipientNonce: msg.senderNonce, + transactionID: msg.transactionID, + pkiStatus: SUCCESS, + repDegenerate: deg, + recipients: msg.recipients, + } + return reply, nil +} + +// rsaPublicKey reflects the ASN.1 structure of a PKCS#1 public key. +type rsaPublicKey struct { + N *big.Int + E int +} + +// GenerateSubjectKeyID generates SubjectKeyId used in Certificate +// ID is 160-bit SHA-1 hash of the value of the BIT STRING subjectPublicKey +func GenerateSubjectKeyID(pub crypto.PublicKey) ([]byte, error) { + var pubBytes []byte + var err error + switch pub := pub.(type) { + case *rsa.PublicKey: + pubBytes, err = asn1.Marshal(rsaPublicKey{ + N: pub.N, + E: pub.E, + }) + if err != nil { + return nil, err + } + default: + return nil, errors.New("only RSA public key is supported") + } + + hash := sha1.Sum(pubBytes) + + return hash[:], nil +} diff --git a/testca/ca.crt b/testca/ca.crt new file mode 100644 index 0000000..037b296 --- /dev/null +++ b/testca/ca.crt @@ -0,0 +1,30 @@ +-----BEGIN CERTIFICATE----- +MIIFODCCAyCgAwIBAgIBATANBgkqhkiG9w0BAQsFADAtMQwwCgYDVQQGEwNVU0Ex +EDAOBgNVBAoTB2V0Y2QtY2ExCzAJBgNVBAsTAkNBMB4XDTE2MDUyOTEzNDcwNVoX +DTI2MDUyOTEzNDcwOFowLTEMMAoGA1UEBhMDVVNBMRAwDgYDVQQKEwdldGNkLWNh +MQswCQYDVQQLEwJDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALEG +S866Uf79znmx8+BakJ17tox8VYem0NZzPc2jF4RVWXfT481Yz9jdsjZubMCFuJiI +JzpMBT7RzXvZvuzMzZEe77Tb0mM+83t5kVwWWuxkEz7HQn0tWxuLR7NGaAi5MH53 +pcSGRNH8RgC7WdhyQ/3HwNGWObe0wQT69tfz1pHDSvNR9v7DS9KIiGsMc+dcqayz +n3YQuwEV8nD1KGenxEFjFh0NsP5FKrzDrsvzdFOWLJ3jedfDCSQSe0y33syZIYAQ +wS2/b+io6GMWDQemcirN9QiI1NGkcN9zioPRuYPxkaxGNa0O+3cTgA8egTFMigvI +4ZFsmERfZkJM4sBMK1uUmxXKb87nA1zooPvPk1KGQChXBEnrkHPbkP1VO+yYOS4m +t9LDweGVS6GoC5vjqQgymOHecaNfKpBnU6t7fP/aEZUF+6mxRKofolR/hTknkVNc +q2nrXEJpz8J73Iq8rkL0rNAEu1h83npPAoUgdFhwHzlq9ShRbz+ZQTxdAv5MOVs+ +6F9qcmbv/6C4xc1N1xH2NAJ8aFZTxsw4ny43hi7DgyRh1LJxcb2Bp7JMaD56CMSA +0zJqxIiV5kGUwbmrBjXMyvjYzx/0qI3j3bZl3p8BjZgyjkvOP0nArP3bby5mEUYx +i7+YgPm8dfGIzPh19I4oFReszOJl+JrdLnbf45efAgMBAAGjYzBhMA4GA1UdDwEB +/wQEAwICBDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBT6XD/PBaV7GbFEnxOm +3OJ3deamkzAfBgNVHSMEGDAWgBT6XD/PBaV7GbFEnxOm3OJ3deamkzANBgkqhkiG +9w0BAQsFAAOCAgEAC6yBHrRElZ7ovDrqjVBf8fLG+nINETPJ/kPTlTNtvqClLaeE +NKPH6JVp0/uusoKmqvE0LxyBEdP7waHQVq2XnfYggDCNjAUFxdv7OKAwlBjJ0JGs +5RsJ9DEehyLecnDDDhte92M2xUcfMet1BmuizLDDKaUU17sI1g/UNE+c7hViZA2J +e+wezVOUZqCY0pICsm4ar8JBY/pfUZ+1J00AZJtXuVWqK5GYGkrLZ7ZjNzzDF0cY +UmJxki5rj11XpCCQOZjVB+Pp3t7YpUOey1EC+1fKKrdS40zaRS3VVgh+Guavs5HV +egBzKDQUuRrZDbodJSv28RYlVbFTmkl3hGGNE0l2v0L2XHasZHoBkDZzz9nLuiI8 +ZdhWS+fn7dbswN9WzzB+dPzKS1WkTj5RXL/luI/7+fYNQyvIJYdnNCegyi2C2yTD +a/vmFJkBU+uLHWsW9a8R5Ca7A91ltJobTJE3uwxdXuZMTrmlWKsEbhqHCqO7d0j8 +IgYGxDo9ysfA4AOiNDxlp7lXxV/JFOsuGXNdFKcDFykLZ5u21X9ho9fptWJDP9JN +NNOXjC0Jv2UGZrHze6IqyL5JqxOGpK22PQIwpZwExwijUom+LH5VEXK1zpXzwC93 +WXWVtGOW4yEqv0VTn7vafIeM5GBTJ44ggpkp4RpFWoBMZcAFj8gE/9AUaHo= +-----END CERTIFICATE----- diff --git a/testca/ca.crt.info b/testca/ca.crt.info new file mode 100644 index 0000000..d8263ee --- /dev/null +++ b/testca/ca.crt.info @@ -0,0 +1 @@ +2 \ No newline at end of file diff --git a/testca/ca.key b/testca/ca.key new file mode 100644 index 0000000..1614d55 --- /dev/null +++ b/testca/ca.key @@ -0,0 +1,54 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: DES-EDE3-CBC,85186376af1462c4 + +jY1gAV22U2GeDZW0cVFw41uABS7fe7zKQen4aQQvkFJ5DPRlZFMI2qZ2MI1Oo265 +ek1Of/pcV52ct139NuVg9JZwkPPog40xUDn72IanZ2ZvJl/dcoHFn99T816Hu0p7 +YGKpvyyy3VYuxaarZV2aUNFye/o4bnAh4P0db6qa7/sGAKAhJ9PusNcSAXWWMz1l +QSCkdD30KrZOtf39StVnNSf2vPWAjAR/w3fEOVKqEehANP7yptDVOthiqrN+p58Q +kOGf3RnA5BJ21EY09W8rbgKE18EPI0UH9LVZEvRabZd4e/VSRNL6leNO7AiMLqA0 +3P7DAvjQDeTpYu3tZNWKFlmXv28KjwNo/4mclQTM8k5nkpQcLhGEVJanMlz0NAvZ ++BOgHGt1Vd8fXp5vBEMIz0tj7jJJnyEyd6tLRc7Pm7GaFjRy70rr/ZCO27HnKeWi +BVwFmZqG6Bcc1WvOGH/w549q/Xq1B3EgjSCShd7WQqINXMFOLJRg+MVZ9/EgWTrT +AEMkWwozb7hDJ56IdjE6PUop/5nbH87YjXHreV4kaGxgz3xD+sj6MGl8uw2JeT7b +6mFrK2d+704NU0Z56w8i0ydYeNn1uFmZqL9alYTDmAjOORXAR/ApvY6ctPXSpPTW +bXgv7LNWbcD8cNWuf/24dpI+kxbrIsKdGmucjQQ066Ce9qa2Kr7HEpH/CxxKCuBx +9KTHpb2ZZI1j6Zd9DQarEQm2D9fPaqEIq9XH46tNq8twXXEaYSTwwodSkwlovB5n +e4HlbiSuHB78ej2lQyFKquqWVYMRQ3dk5CUem/4XPF0L8dPvnifoQgBMpvJvzCG5 +BsIDQXKf0qLhQPrXwemhgY8fnZqDpuRTD6mdEXoPqvJC5L+3hzpPXHtCU94oqIbq +z4lkG1ARi9yS+WfUbXXZO95+7EBBg4lXzEZvXjqY6epUVjWCnoa873H9zfMZBuLL +XkxMQyDOnXaqYeqNsCahbdH4zuobR1SCNL4nt3iSaADaN6Lezwz8LPHxoM1kG1i6 +fvPa/uRo9aVsfWsovO+od2VmqLh1sfPZoOenZSKQsAVPYmEuV8XXVJ/B8NVvNTrt +DrfAR+vFe41liMHdTUndo8uG9/IO7JNC8u98zWjyvcr6cCukqE9H60Y9QvDgaSK5 +yD/D7B4ZAp6UjHOtD+jY1mjV+aL/2XeHJyQaDczHUKm1Vd5Um2c5f6NkZycrbtGE +7z5lR2SccnbbG6XVngYiZxdMLZCrQUnSfhke+zhzYM2Ng/7fxyz3mTyG5EYvxreU +6i0Psceh+vD9IEGHYbpRfV4Uozmk7AhEOfQN3ZDXZTA4LB5Svp7j3DcOmAGtCWGx +PWA3su4KzwrW40b5ommDhndPZNoSJfsrw2GJHV62AdfIxmAi5zvALJ31YdYvZsz2 +e8cf1Cl5oxeF/jgewEy6RTSkOUjvb0iTfVgreu4Tk/sBW37jdKhfW32INasCgEYb +0fq9DLXVcDk2neH/Sb78cE26JNXS3EtW1V4dvdkhvOjqRFP8O8vFggLi1mFQltAH +pmV143MSNkC/ikyOBahpQjGu89HZ0sLnJr2kzKf5LJTcN7kYAfxRejS7ofUByME1 +O9mrHOZGGNVNIgNesBXv42UEd0/SzwF4UKxHY72sEoTNLXliroaJORYbbvWw4GDI +91/vHKJMqMimoC37soS16wrsP/SabzusUXBayHD/PLkkmHBPV9++cO79b+HbVB0Q +6OpxBY7u6QhZnfTJv/W/InG404pumq8oz6bt7bXurbfC2QzviNHuyZ/IenbQ/y41 +K5URD3fdFYLC3OS38SSBBq32yncjJam0FOj2joUZ4iAAXSju1NSDskT8WbVy3BOq +tdTxekrxM9w98p17Og+Uf8966H2mQUIrz53Umc9V1974TVWdu0Y862ghJGSeLEbH +617VGwNN9hINdQE+iYaAVvbogEKSdCfljyVdIx1MuS1jeae5wUgReqqE+bopYgJm +oIXlVNI7tWX2y3JdG1vqCqKpq/UDzciLxAUdyGgwZESt9T3mvqQcdvWxsfREBGwX +XzbiDiGoom735dOOaGxvmyZUtJi7r5AonzJpR+qaRWoHNr8cqeU9be1wxBZ57Kln +2eKpwPIwdBTwxCjnc/kstuTsR45M8G37zOgh9XK38jS6FB/FzFytHtt9oPQBZBeb +3A6p7kqbbb4ynAgDiGEz9ExNNIQf3hQo9RAiaL2WeS9FTFB02hq5QgsgrGVXrR2V +45CKzP874sMPYP8xFQvmrMAXDy//zBXaOrNJHyNOVrtDLPerBNIC6GSKtFp30ynz +Te6GHFhcwqWfrN8N1l2oM79xvc2aKlsvI+YN0xTQklxqSdyCJSdhRUxmCIMN1JM0 +13Ean0HtO+z9u/nH3T2GtAhNySJAPAOXIAAER/74WNXNJNi7SmptNtWJOKKeKK3m +Jon7XC3Bx5NTnTM6UjrrXvwXvsJyf8G+SlkoZXZx9izgQYAANAsSblieSvPVppwM +/EfU6HIby2cBLQ1wTJiEDjYu7E1JKpAPBhqL0cN7aJea9tV7bmjoqzKhbwxACHkI +ymOZ1BDIF67M5fCLFCnCZEJcl2sgx4bRBaP6+p0uRWhplrus+8x1LAtNyB+V17in +nXacPqGELgqv+F6embq03retfaCbIwLwQYmaMU+QHg9jHc9j1AIf6fHSxhIRUPUz +PWMhy7dJdUcmm2GX2EGBrr7jH+H2y33W7y+0I2a4s5WdpIWsYUMFiBU+M+qJdAwY +O/n1Q8ZPdKdY9+c2RMzeO6Zvyc7f1hwoOy0FuYi748qaELV6rx1Tr2MDWl5/uhUa +vYMF4RshsKJY9OCUKvL9waqELZf4zEPyu875ZLm9eoJV2MFcokUuPcpAN+ljj6mx +S+1O9/kRioHo7FMs9rU3bHbCMbphLc0NdI363L/sM2kSFjRWxYv87z5fEQAoZGQR +d7HePVRbp09GC9Jk9p28F6ysgqS7PwlreRRp3Dj5vFJ422QviUWTP/jLj1QfukQR +0KXZhKhs0iSmfW9vlFnADS32l67fmycHMlN9yktvzcytm6dZ/XiQMHVDhZPlIGVC +frJ2R1MhmAdFEgIPZZGuoHeXFdlYq9HMpM9lbykJ1L7M36XqaW6GgRTnhf2g4iKJ +-----END RSA PRIVATE KEY----- diff --git a/testca/sceptest.mobileconfig b/testca/sceptest.mobileconfig new file mode 100644 index 0000000..8ee4942 --- /dev/null +++ b/testca/sceptest.mobileconfig @@ -0,0 +1,115 @@ + + + + + PayloadContent + + + PayloadContent + + Key Type + RSA + Keysize + 1024 + Retries + 3 + RetryDelay + 10 + URL + http://localhost:9001/scep + + PayloadDescription + Configures SCEP settings + PayloadDisplayName + SCEP + PayloadIdentifier + com.apple.security.scep.063D7953-1338-4BF0-8F99-913382996224 + PayloadType + com.apple.security.scep + PayloadUUID + 063D7953-1338-4BF0-8F99-913382996224 + PayloadVersion + 1 + + + PayloadCertificateFileName + ca.crt + PayloadContent + + LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZPRENDQXlD + Z0F3SUJBZ0lCQVRBTkJna3Foa2lHOXcwQkFRc0ZBREF0TVF3d0Nn + WURWUVFHRXdOVlUwRXgKRURBT0JnTlZCQW9UQjJWMFkyUXRZMkV4 + Q3pBSkJnTlZCQXNUQWtOQk1CNFhEVEUyTURVeU9URXpORGN3TlZv + WApEVEkyTURVeU9URXpORGN3T0Zvd0xURU1NQW9HQTFVRUJoTURW + Vk5CTVJBd0RnWURWUVFLRXdkbGRHTmtMV05oCk1Rc3dDUVlEVlFR + TEV3SkRRVENDQWlJd0RRWUpLb1pJaHZjTkFRRUJCUUFEZ2dJUEFE + Q0NBZ29DZ2dJQkFMRUcKUzg2NlVmNzl6bm14OCtCYWtKMTd0b3g4 + VlllbTBOWnpQYzJqRjRSVldYZlQ0ODFZejlqZHNqWnViTUNGdUpp + SQpKenBNQlQ3UnpYdlp2dXpNelpFZTc3VGIwbU0rODN0NWtWd1dX + dXhrRXo3SFFuMHRXeHVMUjdOR2FBaTVNSDUzCnBjU0dSTkg4UmdD + N1dkaHlRLzNId05HV09iZTB3UVQ2OXRmejFwSERTdk5SOXY3RFM5 + S0lpR3NNYytkY3FheXoKbjNZUXV3RVY4bkQxS0dlbnhFRmpGaDBO + c1A1RktyekRyc3Z6ZEZPV0xKM2plZGZEQ1NRU2UweTMzc3laSVlB + UQp3UzIvYitpbzZHTVdEUWVtY2lyTjlRaUkxTkdrY045emlvUFJ1 + WVB4a2F4R05hME8rM2NUZ0E4ZWdURk1pZ3ZJCjRaRnNtRVJmWmtK + TTRzQk1LMXVVbXhYS2I4N25BMXpvb1B2UGsxS0dRQ2hYQkVucmtI + UGJrUDFWTyt5WU9TNG0KdDlMRHdlR1ZTNkdvQzV2anFRZ3ltT0hl + Y2FOZktwQm5VNnQ3ZlAvYUVaVUYrNm14UktvZm9sUi9oVGtua1ZO + YwpxMm5yWEVKcHo4SjczSXE4cmtMMHJOQUV1MWg4M25wUEFvVWdk + Rmh3SHpscTlTaFJieitaUVR4ZEF2NU1PVnMrCjZGOXFjbWJ2LzZD + NHhjMU4xeEgyTkFKOGFGWlR4c3c0bnk0M2hpN0RneVJoMUxKeGNi + MkJwN0pNYUQ1NkNNU0EKMHpKcXhJaVY1a0dVd2JtckJqWE15dmpZ + engvMHFJM2ozYlpsM3A4QmpaZ3lqa3ZPUDBuQXJQM2JieTVtRVVZ + eAppNytZZ1BtOGRmR0l6UGgxOUk0b0ZSZXN6T0psK0pyZExuYmY0 + NWVmQWdNQkFBR2pZekJoTUE0R0ExVWREd0VCCi93UUVBd0lDQkRB + UEJnTlZIUk1CQWY4RUJUQURBUUgvTUIwR0ExVWREZ1FXQkJUNlhE + L1BCYVY3R2JGRW54T20KM09KM2RlYW1rekFmQmdOVkhTTUVHREFX + Z0JUNlhEL1BCYVY3R2JGRW54T20zT0ozZGVhbWt6QU5CZ2txaGtp + Rwo5dzBCQVFzRkFBT0NBZ0VBQzZ5QkhyUkVsWjdvdkRycWpWQmY4 + ZkxHK25JTkVUUEova1BUbFROdHZxQ2xMYWVFCk5LUEg2SlZwMC91 + dXNvS21xdkUwTHh5QkVkUDd3YUhRVnEyWG5mWWdnRENOakFVRnhk + djdPS0F3bEJqSjBKR3MKNVJzSjlERWVoeUxlY25ERERodGU5Mk0y + eFVjZk1ldDFCbXVpekxEREthVVUxN3NJMWcvVU5FK2M3aFZpWkEy + SgplK3dlelZPVVpxQ1kwcElDc200YXI4SkJZL3BmVVorMUowMEFa + SnRYdVZXcUs1R1lHa3JMWjdaak56ekRGMGNZClVtSnhraTVyajEx + WHBDQ1FPWmpWQitQcDN0N1lwVU9leTFFQysxZktLcmRTNDB6YVJT + M1ZWZ2grR3VhdnM1SFYKZWdCektEUVV1UnJaRGJvZEpTdjI4Ulls + VmJGVG1rbDNoR0dORTBsMnYwTDJYSGFzWkhvQmtEWnp6OW5MdWlJ + OApaZGhXUytmbjdkYnN3TjlXenpCK2RQektTMVdrVGo1UlhML2x1 + SS83K2ZZTlF5dklKWWRuTkNlZ3lpMkMyeVRECmEvdm1GSmtCVSt1 + TEhXc1c5YThSNUNhN0E5MWx0Sm9iVEpFM3V3eGRYdVpNVHJtbFdL + c0ViaHFIQ3FPN2QwajgKSWdZR3hEbzl5c2ZBNEFPaU5EeGxwN2xY + eFYvSkZPc3VHWE5kRktjREZ5a0xaNXUyMVg5aG85ZnB0V0pEUDlK + TgpOTk9YakMwSnYyVUdackh6ZTZJcXlMNUpxeE9HcEsyMlBRSXdw + WndFeHdpalVvbStMSDVWRVhLMXpwWHp3QzkzCldYV1Z0R09XNHlF + cXYwVlRuN3ZhZkllTTVHQlRKNDRnZ3BrcDRScEZXb0JNWmNBRmo4 + Z0UvOUFVYUhvPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== + + PayloadDescription + Configures certificate settings. + PayloadDisplayName + ca.crt + PayloadIdentifier + com.apple.security.root.2E5B325F-84CA-4914-844F-703F9C4B11CE + PayloadType + com.apple.security.root + PayloadUUID + 2E5B325F-84CA-4914-844F-703F9C4B11CE + PayloadVersion + 1 + + + PayloadDisplayName + scept + PayloadIdentifier + vvrantchmbp.local.A795EFE8-60CA-47DA-92F3-FE2E435D800F + PayloadRemovalDisallowed + + PayloadType + Configuration + PayloadUUID + 7F0CF6ED-09FF-490E-AD53-89ACB920CD37 + PayloadVersion + 1 + +