
Adding http proxy doesn't work

Open dokisha opened this issue 1 year ago • 3 comments

Short story: Created the certificate.p12 file the way go-ios suggests, and it doesn't work for adding an http proxy.

Tried different ways of creating the .p12 file and got different errors:

  • for the .p12 that go-ios suggests it says "unknown digest algorithm"
  • for a .p12 with SHA1 it says "algorithm not supported"
  • for a .p12 with DES it says "certificate rejected"
  • for a .p12 with the root cert it says "expected exactly two safe bags in the PFX PDU"

Can anyone check what I'm doing wrong? What is the correct way of creating the certificate.p12 file? There is one more open bug, but I decided to give more info in this one.

Long story: Steps to reproduce the behavior:

  1. run the command
go-ios prepare create-cert
# output:
{"level":"info","msg":"supervision-cert.der"}
{"level":"info","msg":"supervision-cert.pem"}
{"level":"info","msg":"supervision-private-key.key"}
{"level":"info","msg":"supervision-private-key.pem"}
{"level":"info","msg":"supervision-csr.csr","time"}
{"level":"info","msg":"Golang does not have good PKCS12 format sadly. If you need a p12 file run this: 'openssl pkcs12 -export -inkey supervision-private-key.pem -in supervision-cert.pem -out certificate.p12 -password pass:a'"}

  2. run the command
openssl pkcs12 -export -inkey supervision-private-key.pem -in supervision-cert.pem -out certificate.p12 -password pass:a
# this creates certificate.p12
  3. run the command
go-ios erase --udid <UDID>
# press y when asked and wait for the device to be factory reset
# when the device is rebooted, don't touch it, don't unlock it
  4. run the command
go-ios activate --udid <UDID>
# output:
{"level":"info","msg":"device successfully activated"}
  5. run the command
go-ios prepare --skip-all --udid <UDID> --certfile=/certificate.p12 --orgname=Test
# output:
{"level":"info","msg":"device is activated:true"}
{"level":"info","msg":"send flush request"}
{"level":"info","msg":"get cloud config"}
{"level":"info","msg":"supervising device"}
"ok"
  6. Take the device into hand, connect to wifi when prompted, press "Agree" on terms => You are now on the home screen

  7. Open settings, you will see the message "This iPhone is supervised and managed by Test"

  8. run the command

go-ios httpproxy --udid <UDID> 123.123.123.123 1234 usr123 pass123 --p12file=/certificate.p12 --password=a
# output:
{"err":"pkcs12: unknown digest algorithm: 2.16.840.1.101.3.4.2.1","level":"fatal","msg":"failed"}

Expected behavior: httpproxy is added

Desktop:

  • OS: macOS, M1, Sonoma 14.3.1
  • OpenSSL 3.3.0 9 Apr 2024 (Library: OpenSSL 3.3.0 9 Apr 2024)

Smartphone:

  • Device: iPhone 8, iOS Version 16.7.8
  • Device: iPhone SE, iOS Version 17.3

Additional context: It seems like something is wrong with the certificate.p12 file, so I repeated steps 2-8 with a different openssl command in step 2:

Try 1: create .p12 with SHA1 algorithm, different error

step 2: create .p12
openssl pkcs12 -export -inkey supervision-private-key.pem -in supervision-cert.pem -out certificate.p12 -password pass:a -macalg sha1

step 8: add http proxy, gives error:
{"err":"pkcs12: algorithm 1.2.840.113549.1.5.13 is not supported","level":"fatal","msg":"failed"}

Try 2: create .p12 with DES algorithm, better error

step 2: create .p12
openssl pkcs12 -export -inkey supervision-private-key.pem -in supervision-cert.pem -out certificate.p12 -password pass:a -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1

step 8: add http proxy
{"err":"escalate response had error map[Status:CertificateRejected]","level":"fatal","msg":"failed"}

This seems like certificate.p12 is valid but is not trusted by the device? So I ran the command:

go-ios profile add /certificate.p12

# open Settings, there is "Profile Downloaded", press on it (says it's not signed), then "Install"
# after installing it, it shows under General => VPN & Device Management

This didn't help. Adding the http proxy still gets Status:CertificateRejected. This gave me the idea that the certificate.p12 file must also have a root cert trusted by the iPhone.

Try 3: Signing the certificate.p12

openssl genrsa -out rootCA.key 2048
# this creates: rootCA.key

openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 364 -out rootCA.pem -subj "/CN=Test/O=TestOrg/OU=TestUnit"
# this creates: rootCA.pem

openssl genrsa -out server.key 2048
# this creates: server.key

openssl req -new -key server.key -out server.csr -subj "/CN=Test/O=TestOrg/OU=TestUnit"
# creates: server.csr

openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 365 -sha256
# creates: server.crt

openssl pkcs12 -export -inkey server.key -in server.crt -certfile rootCA.pem -out certificate.p12 -password pass:a -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1
# this creates: certificate.p12

Now I installed the root cert on the iPhone with

go-ios profile add ./rootCA.pem
# after installing it, enable it via General => About => Certificate Trust settings

But it didn't even get to the trusting part; trying to add the http proxy with the newly created certificate.p12 gives this error:

go-ios httpproxy --udid <UDID> 123.123.123.123 1234 usr123 pass123 --p12file=/certificate.p12 --password=a
{"err":"pkcs12: expected exactly two safe bags in the PFX PDU","level":"fatal","msg":"failed"}

Some people commented out the bag checking in pkcs12.go on line 228, but I'm not even sure if that's the problem.

Looking at this pkcs12.go source code, it suggests using DecodeChain instead of Decode on line 398; not sure what go-ios is using, and again whether that's the problem.

dokisha, Jul 09 '24 23:07
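The three pkcs12 errors in the report are all decoder-side checks that can be read from the .p12 file without the password, so a small offline checker tells you in advance which one a given file will hit. The script below is an added example, not go-ios code and not the pkcs12.go the post refers to; it assumes, from those error strings, a legacy decoder that accepts only a SHA-1 MAC, only the PBE-SHA1-3DES and PBE-SHA1-RC2-40 bag ciphers, and exactly two safe bags (one key, one certificate). The OIDs in the errors are facts (2.16.840.1.101.3.4.2.1 is SHA-256, 1.2.840.113549.1.5.13 is PBES2), and they are exactly what OpenSSL 3 emits by default for the MAC and the bag encryption. The sample builder at the bottom is constructed for the test and carries dummy bytes instead of real keys or certificates; `build_sample_pfx` and `check_pfx` are this example's own names.

```python
"""Offline checker for a .p12 against the limits of a legacy Go PKCS#12 decoder
(assumed rules: SHA-1 MAC only, PBE-SHA1-3DES / PBE-SHA1-RC2-40 only, exactly two
safe bags). Added example; not go-ios code. Usage: python p12check.py certificate.p12"""
import sys

OID = {"1.2.840.113549.1.7.1": "data", "1.2.840.113549.1.7.6": "encryptedData",
       "1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256",
       "1.2.840.113549.1.5.13": "PBES2", "1.2.840.113549.1.12.1.3": "PBE-SHA1-3DES",
       "1.2.840.113549.1.12.1.6": "PBE-SHA1-RC2-40", "1.2.840.113549.1.12.10.1.2": "pkcs8ShroudedKeyBag"}
GO_OK_PBE = {"PBE-SHA1-3DES", "PBE-SHA1-RC2-40"}  # assumed: ciphers the legacy decoder accepts

# Minimal DER reader: one TLV, the TLVs inside a constructed value, an OID name.
def der_read(buf, pos=0):
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                                  # long-form length
        k, n = n & 0x7F, 0
        for _ in range(k):
            n, pos = (n << 8) | buf[pos], pos + 1
    return tag, buf[pos:pos + n], pos + n

def der_children(value):
    items, pos = [], 0
    while pos < len(value):
        tag, v, pos = der_read(value, pos)
        items.append((tag, v))
    return items

def first(value):                                 # value of the first child TLV
    return der_children(value)[0][1]

def name(oid_bytes):                              # dotted OID, mapped to a name when known
    parts, acc = [str(oid_bytes[0] // 40), str(oid_bytes[0] % 40)], 0
    for b in oid_bytes[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc)); acc = 0
    dotted = ".".join(parts)
    return OID.get(dotted, dotted)

def check_pfx(pfx):
    """Report MAC digest, bag ciphers, bag count, and the decoder errors they imply."""
    fields = der_children(der_read(pfx)[1])       # PFX: version, authSafe, macData
    rep = {"mac": name(first(first(first(fields[2][1])))), "pbe": [], "bags": 0,
           "encrypted_contents": 0, "problems": []}
    # authSafe = ContentInfo{data, [0] OCTET STRING{AuthenticatedSafe = SEQUENCE OF ContentInfo}}
    auth_safe = der_read(first(der_children(fields[1][1])[1][1]))[1]
    for _, ci in der_children(auth_safe):
        (_, ctype), (_, wrapped) = der_children(ci)[:2]
        if name(ctype) == "data":                 # plaintext SafeContents: count bags, read the key PBE
            for _, bag in der_children(der_read(first(wrapped))[1]):
                rep["bags"] += 1
                (_, bag_id), (_, bag_val) = der_children(bag)[:2]
                if name(bag_id) == "pkcs8ShroudedKeyBag":   # EncryptedPrivateKeyInfo{AlgId, data}
                    rep["pbe"].append(name(first(first(first(bag_val)))))
        elif name(ctype) == "encryptedData":      # EncryptedData{ver, EncryptedContentInfo{type, AlgId, [0]}}
            rep["encrypted_contents"] += 1        # bags inside cannot be counted without the password
            eci = der_children(first(wrapped))[1][1]
            rep["pbe"].append(name(first(der_children(eci)[1][1])))
    if rep["mac"] != "sha1":
        rep["problems"].append(f"MAC digest {rep['mac']}: 'unknown digest algorithm'")
    rep["problems"] += [f"bag cipher {a}: 'algorithm is not supported'" for a in rep["pbe"] if a not in GO_OK_PBE]
    if rep["encrypted_contents"] == 0 and rep["bags"] != 2:
        rep["problems"].append(f"{rep['bags']} safe bags: 'expected exactly two safe bags'")
    return rep

# DER writer, used only to build constructed sample files (dummy bytes, no real key or cert).
def der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def oid_encode(dotted):
    a = [int(x) for x in dotted.split(".")]
    out = bytearray([40 * a[0] + a[1]])
    for v in a[2:]:
        chunk = [v & 0x7F]
        while v >> 7:
            v >>= 7; chunk.append(0x80 | (v & 0x7F))
        out += bytes(reversed(chunk))
    return der(0x06, bytes(out))

def build_sample_pfx(mac_oid, key_pbe_oid, cert_pbe_oid, n_certs):
    """Constructed PFX skeleton: key bag in a Data content; certificate bags in plaintext
    (cert_pbe_oid=None, as with openssl -certpbe NONE) or inside one EncryptedData."""
    alg = lambda oid: der(0x30, oid_encode(oid) + der(0x05, b""))
    dummy = der(0x04, b"\x00" * 16)               # stands in for ciphertext and salts
    data_ci = lambda body: der(0x30, oid_encode("1.2.840.113549.1.7.1") + der(0xA0, der(0x04, body)))
    key_bag = der(0x30, oid_encode("1.2.840.113549.1.12.10.1.2") + der(0xA0, der(0x30, alg(key_pbe_oid) + dummy)))
    cert_bag = der(0x30, oid_encode("1.2.840.113549.1.12.10.1.3") + der(0xA0, der(0x30, dummy)))
    if cert_pbe_oid is None:
        contents = data_ci(der(0x30, key_bag + cert_bag * n_certs))
    else:
        eci = der(0x30, oid_encode("1.2.840.113549.1.7.1") + alg(cert_pbe_oid) + der(0x80, b"\x00" * 16))
        contents = data_ci(der(0x30, key_bag)) + der(0x30, oid_encode("1.2.840.113549.1.7.6")
                                                     + der(0xA0, der(0x30, der(0x02, b"\x00") + eci)))
    mac = der(0x30, der(0x30, alg(mac_oid) + der(0x04, b"\x00" * 20)) + dummy + der(0x02, b"\x01"))
    return der(0x30, der(0x02, b"\x03") + data_ci(der(0x30, contents)) + mac)

if __name__ == "__main__":                        # python p12check.py certificate.p12
    for key, value in check_pfx(open(sys.argv[1], "rb").read()).items():
        print(f"{key}: {value}")
```

Run against the file from step 2 of the report, the checker reports a sha256 MAC and PBES2 bag ciphers, which is the first error; the Try 2 flags (`-certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1`) clear both of those; and every extra certificate added with `-certfile` is one more safe bag, which is what the Try 3 file trips over. The bag count is only checked when the certificates are stored in plaintext, because counting bags inside EncryptedData would need the password.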