def get(self, request, *args, **kwargs): ota_enrollment = get_object_or_404(OTAEnrollment, pk=kwargs["pk"]) if not ota_enrollment.enrollment_secret.is_valid(): # should not happen raise SuspiciousOperation return build_payload_response(sign_payload_openssl(build_profile_service_payload(ota_enrollment)), "zentral_profile_service")
def post(self, request, *args, **kwargs): # Verify payload signature, extract signed payload try: certificates, payload = verify_signed_payload(request.read()) except ValueError as error: self.abort("posted data is not signed", signature_error=str(error)) for certificate_i_cn, certificate_bytes, signing_certificate in certificates: if verify_apple_iphone_device_ca_issuer_openssl(certificate_bytes): break payload = plistlib.loads(payload) self.serial_number = payload["SERIAL"] self.udid = payload["UDID"] try: es_request = verify_enrollment_secret( "dep_profile", self.kwargs["dep_profile_secret"], self.user_agent, self.ip, self.serial_number, self.udid) except EnrollmentSecretVerificationFailed as e: self.abort("secret verification failed: '{}'".format(e.err_msg)) # Start a DEP enrollment session dep_enrollment_session = DEPEnrollmentSession.objects.create_from_dep_profile( es_request.enrollment_secret.dep_profile, self.serial_number, self.udid, payload) # Get the MDM push certificate push_certificate = ( dep_enrollment_session.enrollment_secret.meta_business_unit. metabusinessunitpushcertificate.push_certificate) payload = build_mdm_payload(dep_enrollment_session, push_certificate) filename = "zentral_mdm" self.post_event("success", **dep_enrollment_session.serialize_for_event()) return build_payload_response(sign_payload_openssl(payload), filename)
def get(self, request, *args, **kwargs): return build_payload_response( sign_payload_openssl(build_root_ca_configuration_profile()), "zentral_root_ca")
def post(self, request, *args, **kwargs): # Verify payload signature, extract signed payload try: certificates, payload = verify_signed_payload(request.read()) except ValueError: self.abort("posted data is not signed") # find out which CA signed the certificate used to sign the payload # if iPhone CA: phase 2 # if SCEP CA: phase 3 # if unknown: phase 2 # TODO: verify. seen with self signed cert in 10.13 beta in VMWare. for certificate_i_cn, certificate_bytes, signing_certificate in certificates: if verify_apple_iphone_device_ca_issuer_openssl(certificate_bytes): phase = 2 break elif verify_zentral_scep_ca_issuer_openssl(certificate_bytes): phase = 3 break else: self.post_event( "warning", reason="unknown signing certificate issuer '{}'".format( certificate_i_cn)) phase = 2 payload = plistlib.loads(payload) self.serial_number = payload["SERIAL"] self.udid = payload["UDID"] if phase == 2: # Verify the challenge challenge = payload.get("CHALLENGE") if not challenge: self.abort("missing challenge", phase=phase) try: es_request = verify_enrollment_secret("ota_enrollment", challenge, self.user_agent, self.ip, self.serial_number, self.udid) except EnrollmentSecretVerificationFailed as e: self.abort("secret verification failed: '{}'".format( e.err_msg), phase=phase) # Start an OTA enrollment session ota_enrollment_session = OTAEnrollmentSession.objects.create_from_ota_enrollment( es_request.enrollment_secret.ota_enrollment, self.serial_number, self.udid, payload) payload = build_ota_scep_payload(ota_enrollment_session) filename = "zentral_ota_scep" elif phase == 3: # get the serial number from the DN of the payload signing certificate serial_number = signing_certificate.subject.get_attributes_for_oid( NameOID.SERIAL_NUMBER)[0].value if self.serial_number != serial_number: self.abort( "signing certificate DN serial number != payload serial number", phase=phase) # get the ota enrollment session from the DN of the payload signing certificate cn = signing_certificate.subject.get_attributes_for_oid( NameOID.COMMON_NAME)[0].value _, ota_enrollment_session_secret = cn.split("$") try: ota_enrollment_session = ( OTAEnrollmentSession.objects.select_for_update( ).select_related("ota_enrollment", "enrollment_secret__meta_business_unit"). get(enrollment_secret__secret=ota_enrollment_session_secret )) except OTAEnrollmentSession.DoesNotExist: self.abort( "could not find ota enrollment session from payload signing certificate", phase=phase) # verify and update ota enrollment session status try: ota_enrollment_session.set_phase3_status() except EnrollmentSessionStatusError: self.abort("ota enrollment session has wrong status", phase=phase) # verify DN mbu ota_enrollment_session_mbu = ota_enrollment_session.enrollment_secret.meta_business_unit o = signing_certificate.subject.get_attributes_for_oid( NameOID.ORGANIZATION_NAME)[0] if int(o.value.split("$")[-1]) != ota_enrollment_session_mbu.pk: self.abort("DN mbu doesn't match ota enrollment session mbu", phase=phase) # Get the MDM push certificate push_certificate = ota_enrollment_session_mbu.metabusinessunitpushcertificate.push_certificate payload = build_mdm_payload(ota_enrollment_session, push_certificate) filename = "zentral_mdm" self.post_event("success", phase=phase) return build_payload_response(sign_payload_openssl(payload), filename) return HttpResponse()