inverse-inc / packetfence

PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) solution. Boasting an impressive feature set including a captive portal for registration and remediation, centralized wired and wireless management, powerful BYOD management options, 802.1X support, and layer-2 isolation of problematic devices, PacketFence can be used to effectively secure small to very large heterogeneous networks.
https://packetfence.org
GNU General Public License v2.0

Debian: sign a mobileconfig profile for Apple devices doesn't work #5973

Closed nqb closed 3 years ago

nqb commented 3 years ago

Describe the bug

On Debian, when you configure an Apple provisioner with the signing option, it doesn't work.

I will continue to investigate, but it seems that the sign_profile function uses a custom signonly_attached function only available in our RPM repos.

Current state:

Previous attempt to remove this custom code: https://github.com/inverse-inc/packetfence/issues/2660

To Reproduce

Steps to reproduce the behavior:

  1. Configure an Apple provisioner with signing feature
  2. Try to provision an Apple device

=> Error in http.portal.catalyst

Expected behavior

The signing feature should work on all OSes.

Additional context

Code of the functions in perl-Crypt-SMIME-0.15-2.1.x86_64:

sub signonly {
        my $this = shift;
        my $mime = shift;

        if(!defined($mime)) {
                die __PACKAGE__."#signonly: ARG[1] is not defined.\n";
        } elsif(ref($mime)) {
                die __PACKAGE__."#signonly: ARG[1] is a Ref. [$mime]\n";
        }

        # suppose that $mime is prepared.
        my $result = $this->_signonly($mime);
        $result =~ s/\r?\n|\r/\r\n/g;
        $result;
}

sub signonly_attached {
        my $this = shift;
        my $mime = shift;

        if(!defined($mime)) {
                die __PACKAGE__."#signonly: ARG[1] is not defined.\n";
        } elsif(ref($mime)) {
                die __PACKAGE__."#signonly: ARG[1] is a Ref. [$mime]\n";
        }

        # suppose that $mime is prepared.
        my $result = $this->_signonly_attached($mime);
        $result =~ s/\r?\n|\r/\r\n/g;
        $result;
}

I will need the source code of the RPM in order to understand where the _signonly_attached function is defined.

nqb commented 3 years ago

The _signonly_attached function is defined in SMIME.xs in the source of the Crypt-SMIME used in our packaging system.

I uploaded SMIME.xs

nqb commented 3 years ago

The issue is caused by the fact that:

Consequently, we use upstream repositories.

I will do some tests with libcrypt-smime-perl_0.15-1_amd64.deb (with the _signonly_attached function) and report.

nqb commented 3 years ago

libcrypt-smime-perl_0.15-1_amd64.deb has been added to debian-devel repo.

nqb commented 3 years ago

I tried to install PF under Debian after I installed libcrypt-smime-perl_0.15-1_amd64.deb (our old Debian package). I got the following behavior if I hold the Debian package:

The following packages have unmet dependencies:
 packetfence : PreDepends: fingerbank (>= 4.2.0) but it is not going to be installed
               PreDepends: fingerbank (< 5.0.0) but it is not going to be installed
               Depends: libapache2-mod-perl2 but it is not going to be installed
               Depends: libapache2-request-perl but it is not going to be installed
               Depends: libapache-ssllookup-perl but it is not going to be installed
               Depends: libwww-perl but it is not going to be installed
               Depends: libapache-dbi-perl but it is not going to be installed
               Depends: liblwp-useragent-determined-perl but it is not going to be installed
               Depends: liblwp-protocol-connect-perl but it is not going to be installed
               Depends: libhtml-formhandler-perl (= 1:0.40019-1) but it is not going to be installed
               Depends: libcrypt-le-perl but it is not going to be installed
               Depends: libmime-lite-tt-perl but it is not going to be installed
               Depends: libmime-lite-perl but it is not going to be installed
               Depends: libcrypt-openssl-pkcs12-perl but it is not going to be installed
               Depends: libcrypt-openssl-x509-perl but it is not going to be installed
               Depends: libcrypt-openssl-pkcs10-perl but it is not going to be installed
               Depends: libcrypt-openssl-rsa-perl but it is not going to be installed
               Depends: libwww-twilio-api-perl but it is not going to be installed
               Depends: libsoap-lite-perl (>= 1.0) but it is not going to be installed
               Depends: libnet-nessus-xmlrpc-perl (>= 0.4) but it is not going to be installed
               Depends: libnet-nessus-rest-perl (>= 0.7) but it is not going to be installed
               Depends: libcatalyst-perl (>= 5.90011) but it is not going to be installed
               Depends: libcatalyst-modules-perl but it is not going to be installed
               Depends: libcatalyst-authentication-credential-http-perl but it is not going to be installed
               Depends: libcatalyst-authentication-store-htpasswd-perl but it is not going to be installed
               Depends: libcatalyst-plugin-unicode-encoding-perl
               Depends: libcatalyst-view-tt-perl (>= 0.37) but it is not going to be installed
               Depends: libcatalyst-view-csv-perl but it is not going to be installed
               Depends: libhtml-formfu-perl but it is not going to be installed
               Depends: libcatalyst-plugin-smarturi-perl but it is not going to be installed
               Depends: libnet-oauth2-perl (>= 0.65) but it is not going to be installed

meaning that all these packages depend directly or indirectly on the upstream libcrypt-smime-perl package.

It seems that our old package depends on libssl1.0.0 (>= 1.0.0). On the other hand, upstream package depends on libssl1.1 (>= 1.1.0) and perl-openssl-abi-1.1 (provided by perl-openssl-defaults).

We certainly need to adjust the dependencies of our old package.

jrouzierinverse commented 3 years ago

It would just be easier to port the changes to Crypt::SMIME version 0.19, to avoid dependency hell.

nqb commented 3 years ago

That's my guess too @jrouzierinverse

jrouzierinverse commented 3 years ago

I updated the revision in OBS, please retest

jrouzierinverse commented 3 years ago

Nico are you able to check the OBS for the changes?

nqb commented 3 years ago

@jrouzierinverse,

With our new way to package Perl dependencies, Crypt::SMIME is installed on Debian and RHEL systems without our patch (at version 0.27 from what I see in /usr/local/pf/lib_perl/lib/perl5/x86_64-linux-gnu-thread-multi/Crypt/SMIME.pm). It means that signing a mobileconfig profile is certainly broken on Debian 11 and RHEL8.

Not sure if it's easy to patch a Perl dependency when pulled from CPAN, @fdurand certainly knows.

nqb commented 3 years ago

Crypt::SMIME has been removed from the packetfence-perl pkg in version 1.1.0.

Our own Crypt::SMIME packages with signonly_attached will be updated soon in 11.0 repositories. Once done, I will test again.

nqb commented 3 years ago

Packages added into 11.0 repositories, I will test tomorrow.

nqb commented 3 years ago

Debian 11 test

It failed with the following error in httpd.portal.catalyst:

Aug 17 08:08:33 pfdeb11dev portal_catalyst[30970]: httpd.portal(30970) ERROR: [mac:00:03:00:11:11:02] Caught exception in captiveportal::View::MobileConfig->process "Usage: Crypt::SMIME::AUTOLOAD() at /usr/local/pf/lib/pf/provisioner/mobileconfig.pm line 307." (Catalyst::finalize)

nqb commented 3 years ago

wireless-profile.mobileconfig is correctly generated when I try to download it on the captive portal with the latest libcrypt-smime-perl (Debian 11).

I'm not sure about the command I should use to validate that file is correctly signed.

julsemaan commented 3 years ago

You would need to try it with an iOS device, or I'm pretty sure there is an openssl command to validate it. @jrouzierinverse, I recall you did validate those locally with openssl; do you recall the command, or have pointers in the right direction?
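Added example, not PacketFence code and not the command @jrouzierinverse used: a POSIX shell script showing the openssl side of the question raised above (how to check that a generated profile is correctly signed) and the attached-content mode that the signonly_attached function earlier in the thread is named for. It builds a constructed self-signed signer certificate and a constructed minimal plist, signs the plist with the payload attached (DER-encoded PKCS#7, which is what signed mobileconfig profiles carry), verifies it with `openssl smime -verify` against the trusted certificate, and then checks that a profile signed by an unrelated certificate is rejected. The only assumption is an `openssl` binary in PATH; all file names and CN values are constructed for the example.

```shell
#!/bin/sh
# Added example (not PacketFence code): sign a mobileconfig-style plist with an
# attached CMS/PKCS#7 signature and verify it with openssl. The signer, the
# "other" certificate and the plist body are all constructed here; the only
# assumption is an `openssl` binary in PATH.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed throwaway signer: a self-signed certificate standing in for the
# portal's real certificate. Called twice below so we also get an unrelated signer.
make_signer() {   # $1 = file prefix; writes $1.key and $1.crt
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$(basename "$1")" \
        -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# Constructed minimal plist standing in for wireless-profile.mobileconfig.
make_profile() {  # $1 = output path
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadIdentifier</key><string>example.wireless.profile</string>
    <key>PayloadType</key><string>Configuration</string>
    <key>PayloadVersion</key><integer>1</integer>
</dict>
</plist>
EOF
}

# Sign with the payload attached (-nodetach) and DER output: a detached
# signature would leave the device nothing to install.
sign_profile() {  # $1 = signer prefix, $2 = plist in, $3 = signed profile out
    openssl smime -sign -binary -nodetach -outform DER \
        -signer "$1.crt" -inkey "$1.key" -in "$2" -out "$3"
}

# Verify the signature AND the trust chain: the embedded signer certificate must
# chain to the bundle in $2. Prints the recovered plist on stdout; exit status is
# non-zero on a broken signature or an untrusted signer.
verify_profile() {  # $1 = signed profile, $2 = trusted certificate bundle
    openssl smime -verify -inform DER -CAfile "$2" -in "$1" 2>/dev/null
}

run_demo() {
    make_signer "$WORK/portal"
    make_signer "$WORK/other"
    make_profile "$WORK/wireless-profile.mobileconfig"
    sign_profile "$WORK/portal" "$WORK/wireless-profile.mobileconfig" "$WORK/good.mobileconfig"
    sign_profile "$WORK/other"  "$WORK/wireless-profile.mobileconfig" "$WORK/rogue.mobileconfig"

    verify_profile "$WORK/good.mobileconfig" "$WORK/portal.crt" >/dev/null || {
        echo "trusted signer: verification FAILED"; return 1; }
    echo "trusted signer: verification OK"

    # A valid signature from a certificate we do not trust must still be rejected.
    if verify_profile "$WORK/rogue.mobileconfig" "$WORK/portal.crt" >/dev/null; then
        echo "unrelated signer: accepted (BUG)"; return 1
    fi
    echo "unrelated signer: rejected as expected"
}

run_demo
```

The second check is the one that matters operationally: `openssl smime -verify` without `-CAfile` (or with `-noverify`) only proves that some key signed the bytes, not that it was the portal's; always verify against the certificate chain the devices are expected to trust.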

extrafu commented 3 years ago

@lzammit Test that with the iPad.

extrafu commented 3 years ago

Bump

julsemaan commented 3 years ago

@lzammit did test this with me yesterday and it worked with the latest packetfence-perl. Closing this.