I've read verifying detached signature with BC, but still I don't know how I can verify Mdm-Signature of MDM message from iOS device.
Apple's Mobile Device Management Protocol Reference document said as follows:
If the value of the SignMessage field in the MDM payload is set to true, each message coming from the device will carry an additional HTTP header named Mdm-Signature. This header contains a BASE64-encoded CMS Detached Signature of the message.
So I set the value of the SignMessage field to true. Then the device carried a header named Mdm-Signature. And I used the method provided by the article at the link above, verifySign(byte[] signedData, byte[] bPlainText), like below (I modified the return type to boolean; it returns true if verification succeeded):
boolean verified = verifySign(Base64.decode(request.getHeader("Mdm-Signature")),
IOUtils.toString(request.getInputStream(), "utf-8").getBytes());
(The variable "request" above is the instance of HttpServletRequest class that is passed to doPut method of HttpServlet class.)
But the value of "verified" is false.
So what I wonder is what parameter exactly I have to pass to the method verifySign().
See also the following:
- The client includes an “Mdm-Signature:” header in the HTTP PUT messages it sends to the server
- This signature is a base-64 encoded, .DER format, SMIME signature
- The content which is signed is not included in the signature, but is instead the content of the PUT itself — the message being sent to the MDM server
- Finally, it’s signed using the private Identity key that was sent to the device at MDM enrollment
These are from this page. What I also wonder from these is whether the server needs the client's public key to verify the detached signature. Is it not needed?
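For reference, here is how the verification described in the quoted text looks when written against Bouncy Castle's CMS API. This is an added example, not code from the question, the linked article or Apple; it assumes Java 8+ with java.util.Base64, the javax.servlet API, Apache Commons IO (already used in the question) and bcpkix on the classpath, and a PEM file named enrollment-ca.pem on the classpath holding the CA that issued the device identity certificate at enrollment (both of those names are placeholders). Two points it is built around: the detached signature covers the raw bytes of the PUT body, so the body is read once as bytes rather than decoded to a String and re-encoded, and the device embeds its identity certificate in the CMS structure, so no separately stored public key is needed for the cryptographic check itself; what the server must still do is tie that certificate back to the enrollment CA, otherwise any holder of any key could produce a "valid" signature.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.Security;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Collection;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.io.IOUtils;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.CMSProcessableByteArray;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.util.Store;

public class MdmCheckinServlet extends HttpServlet {

    static {
        Security.addProvider(new BouncyCastleProvider());
    }

    // Assumption: the enrollment (e.g. SCEP) CA certificate ships with the server.
    private final X509Certificate enrollmentCa = loadEnrollmentCa();

    @Override
    protected void doPut(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // 1. Read the body ONCE, as raw bytes: the detached signature covers exactly these
        //    octets, and the request stream cannot be read again afterwards.
        byte[] body = IOUtils.toByteArray(request.getInputStream());

        String header = request.getHeader("Mdm-Signature");
        if (header == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "missing Mdm-Signature");
            return;
        }

        X509Certificate signer;
        try {
            // MIME decoder tolerates any folding whitespace a proxy may have inserted.
            signer = verifyDetachedSignature(body, Base64.getMimeDecoder().decode(header));
            // 2. A valid CMS signature only proves possession of *some* key. Bind it to the
            //    enrollment: the embedded certificate must be in date and issued by our CA
            //    (assumption: the CA signs device certificates directly, no intermediate).
            signer.checkValidity();
            signer.verify(enrollmentCa.getPublicKey());
        } catch (CMSException | OperatorCreationException | GeneralSecurityException e) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "bad Mdm-Signature");
            return;
        }

        // 3. Only now is `body` trusted enough to parse as the device's plist; `signer`
        //    identifies the device and should match the identity recorded at enrollment.
        response.setStatus(HttpServletResponse.SC_OK);
    }

    /**
     * Verifies a CMS detached signature (DER bytes from the header) over {@code content}
     * and returns the signer certificate carried inside the CMS structure. Throws if the
     * SignerInfo or certificate is missing, or the signature does not match the content.
     */
    static X509Certificate verifyDetachedSignature(byte[] content, byte[] signatureDer)
            throws CMSException, OperatorCreationException, GeneralSecurityException {
        // Detached: the signed content is supplied by the caller, not taken from the CMS.
        CMSSignedData signed = new CMSSignedData(new CMSProcessableByteArray(content), signatureDer);
        Collection<SignerInformation> signers = signed.getSignerInfos().getSigners();
        if (signers.isEmpty()) {
            throw new CMSException("no SignerInfo in Mdm-Signature");
        }
        SignerInformation si = signers.iterator().next();
        Store<X509CertificateHolder> certs = signed.getCertificates();
        Collection<X509CertificateHolder> matches = certs.getMatches(si.getSID());
        if (matches.isEmpty()) {
            throw new CMSException("signer certificate not embedded in CMS");
        }
        X509Certificate cert = new JcaX509CertificateConverter()
                .setProvider("BC").getCertificate(matches.iterator().next());
        // verify() recomputes the digest over `content` and checks the signature with the
        // certificate's public key; false means body and signature do not belong together.
        if (!si.verify(new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(cert))) {
            throw new CMSException("Mdm-Signature does not match request body");
        }
        return cert;
    }

    private static X509Certificate loadEnrollmentCa() {
        try (InputStream in = MdmCheckinServlet.class.getResourceAsStream("/enrollment-ca.pem")) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        } catch (IOException | CertificateException e) {
            throw new IllegalStateException("enrollment CA not available", e);
        }
    }
}
```

When debugging a failure, separate the two checks: if verifyDetachedSignature() throws on the signature comparison, the bytes handed to it differ from what the device signed (body read through a String, a filter that already consumed or rewrote the stream, a proxy that re-encoded the request), whereas a failure at signer.verify(enrollmentCa.getPublicKey()) means the signature is fine but the device's certificate does not come from the CA the server expects.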