Make sure to re-use the DeviceCertificate instead of generating a new one every time

This prevented iTunes from using a pairing made by libimobiledevice giving an error
that the device sent invalid data.

3 files changed, 30 insertions, 10 deletions

diff --git a/common/userpref.c b/common/userpref.c
index 571b660..55ab9c4 100644
--- a/common/userpref.c
+++ b/common/userpref.c
@@ -1115,7 +1115,7 @@ userpref_error_t userpref_device_record_get_keys_and_certs(const char *udid, gnu
  *
  * @return 1 if the certificates were successfully retrieved, 0 otherwise
  */
-userpref_error_t userpref_device_record_get_certs_as_pem(const char *udid, key_data_t *pem_root_cert, key_data_t *pem_host_cert)
+userpref_error_t userpref_device_record_get_certs_as_pem(const char *udid, key_data_t *pem_root_cert, key_data_t *pem_host_cert, key_data_t *pem_device_cert)
 {
         if (!udid || !pem_root_cert || !pem_host_cert)
                 return USERPREF_E_INVALID_ARG;
@@ -1124,6 +1124,7 @@ userpref_error_t userpref_device_record_get_certs_as_pem(const char *udid, key_d
         uint64_t length = 0;
         plist_t root_cert = NULL;
         plist_t host_cert = NULL;
+        plist_t dev_cert = NULL;
         if (userpref_device_record_get_value(udid, USERPREF_HOST_CERTIFICATE_KEY, &host_cert) &&
                 userpref_device_record_get_value(udid, USERPREF_ROOT_CERTIFICATE_KEY, &root_cert)) {
                 if (host_cert && plist_get_node_type(host_cert) == PLIST_DATA) {
@@ -1143,6 +1144,18 @@ userpref_error_t userpref_device_record_get_certs_as_pem(const char *udid, key_d
                         buffer = NULL;
                 }
 
+                if (pem_device_cert) {
+                        userpref_device_record_get_value(udid, USERPREF_DEVICE_CERTIFICATE_KEY, &dev_cert);
+                        if (dev_cert && plist_get_node_type(dev_cert) == PLIST_DATA) {
+                                plist_get_data_val(dev_cert, &buffer, &length);
+                                pem_device_cert->data = (unsigned char*)malloc(length);
+                                memcpy(pem_device_cert->data, buffer, length);
+                                pem_device_cert->size = length;
+                                free(buffer);
+                                buffer = NULL;
+                        }
+                }
+
                 return USERPREF_E_SUCCESS;
         } else {
                 if (pem_root_cert->data) {
diff --git a/common/userpref.h b/common/userpref.h
index 8e38136..da9d454 100644
--- a/common/userpref.h
+++ b/common/userpref.h
@@ -75,7 +75,7 @@ LIBIMOBILEDEVICE_INTERNAL userpref_error_t userpref_device_record_get_keys_and_c
 LIBIMOBILEDEVICE_INTERNAL userpref_error_t userpref_device_record_get_keys_and_certs(const char *udid, gnutls_x509_privkey_t root_privkey, gnutls_x509_crt_t root_crt, gnutls_x509_privkey_t host_privkey, gnutls_x509_crt_t host_crt);
 #endif
 LIBIMOBILEDEVICE_INTERNAL userpref_error_t userpref_device_record_set_keys_and_certs(const char *udid, key_data_t * root_key, key_data_t * root_cert, key_data_t * host_key, key_data_t * host_cert);
-LIBIMOBILEDEVICE_INTERNAL userpref_error_t userpref_device_record_get_certs_as_pem(const char *udid, key_data_t *pem_root_cert, key_data_t *pem_host_cert);
+LIBIMOBILEDEVICE_INTERNAL userpref_error_t userpref_device_record_get_certs_as_pem(const char *udid, key_data_t *pem_root_cert, key_data_t *pem_host_cert, key_data_t *pem_device_cert);
 
 LIBIMOBILEDEVICE_INTERNAL userpref_error_t userpref_set_device_record(const char *udid, plist_t device_record);
 userpref_error_t userpref_remove_device_record(const char *udid);
diff --git a/src/lockdown.c b/src/lockdown.c
index c0ea645..2b0ab89 100644
--- a/src/lockdown.c
+++ b/src/lockdown.c
@@ -890,7 +890,13 @@ static lockdownd_error_t generate_pair_record_plist(const char *udid, char* syst
         key_data_t host_cert = { NULL, 0 };
         key_data_t root_cert = { NULL, 0 };
 
-        ret = lockdownd_gen_pair_cert_for_udid(udid, public_key, &device_cert, &host_cert, &root_cert);
+        userpref_error_t uret = userpref_device_record_get_certs_as_pem(udid, &root_cert, &host_cert, &device_cert);
+        if ((uret == USERPREF_E_SUCCESS) && (root_cert.size > 0) && (host_cert.size > 0) && (device_cert.size > 0)) {
+                ret = LOCKDOWN_E_SUCCESS;
+        }
+
+        if (ret != LOCKDOWN_E_SUCCESS)
+                ret = lockdownd_gen_pair_cert_for_udid(udid, public_key, &device_cert, &host_cert, &root_cert);
         if (ret != LOCKDOWN_E_SUCCESS) {
                 return ret;
         }
@@ -1059,6 +1065,12 @@ static lockdownd_error_t lockdownd_do_pair(lockdownd_client_t client, lockdownd_
                                                 plist_free(escrow_bag);
                                                 escrow_bag = NULL;
                                         }
+
+                                        /* store DeviceCertificate upon successful pairing */
+                                        plist_t devcrt = plist_dict_get_item(dict_record, USERPREF_DEVICE_CERTIFICATE_KEY);
+                                        if (devcrt && plist_get_node_type(devcrt) == PLIST_DATA) {
+                                                userpref_device_record_set_value(client->udid, USERPREF_DEVICE_CERTIFICATE_KEY, plist_copy(devcrt));
+                                        }
                                 }
                         }
                 } else {
@@ -1366,7 +1378,7 @@ lockdownd_error_t lockdownd_gen_pair_cert_for_udid(const char *udid, key_data_t
                         key_data_t pem_root_cert = { NULL, 0 };
                         key_data_t pem_host_cert = { NULL, 0 };
 
-                        uret = userpref_device_record_get_certs_as_pem(udid, &pem_root_cert, &pem_host_cert);
+                        uret = userpref_device_record_get_certs_as_pem(udid, &pem_root_cert, &pem_host_cert, NULL);
                         if (USERPREF_E_SUCCESS == uret) {
                                 /* copy buffer for output */
                                 membp = BIO_new(BIO_s_mem());
@@ -1505,7 +1517,7 @@ lockdownd_error_t lockdownd_gen_pair_cert_for_udid(const char *udid, key_data_t
                                         gnutls_datum_t pem_root_cert = { NULL, 0 };
                                         gnutls_datum_t pem_host_cert = { NULL, 0 };
 
-                                        uret = userpref_device_record_get_certs_as_pem(udid, &pem_root_cert, &pem_host_cert);
+                                        uret = userpref_device_record_get_certs_as_pem(udid, &pem_root_cert, &pem_host_cert, NULL);
 
                                         if (USERPREF_E_SUCCESS == uret) {
                                                 /* copy buffer for output */
@@ -1560,11 +1572,6 @@ lockdownd_error_t lockdownd_gen_pair_cert_for_udid(const char *udid, key_data_t
 
         gnutls_free(der_pub_key.data);
 #endif
-        /* save device cert in config */
-        if (odevice_cert->size) {
-                userpref_device_record_set_value(udid, USERPREF_DEVICE_CERTIFICATE_KEY, plist_new_data((char*)odevice_cert->data, (uint64_t)odevice_cert->size));
-        }
-
         return ret;
 }