Difference between revisions of "Tatsu Signing Server"

From The iPhone Wiki
Jump to: navigation, search
(Apple Employee Edit)
(It was fun while it lasted.)
 
(6 intermediate revisions by the same user not shown)
Line 1: Line 1:
The '''Tatsu Signing Server''' ('''TSS''') is a service provided by Apple. Apple provides a list of available services at [http://gs.apple.com/TSS/ gs.apple.com].
+
The '''Tatsu Signing Server''' ('''TSS''') is a collection of services provided by Apple. In late 2012, the list of available services was briefly made public at [https://web.archive.org/web/20121128012112/http://gs.apple.com/TSS/ gs.apple.com]. This index page has since been removed, although at least one archived capture exists.
  +
TSS is accessed chiefly for use of the [[SHSH Protocol]] to receive signed blobs for a given iOS build. This is achieved with the SHSH controller at http://gs.apple.com/TSS/controller.
There is an Apple internal equivalent, known as Spidercab, running at [http://tatsu-tss-internal.apple.com:80 tatsu-tss-internal.apple.com] and [http://tss-int.apple.com:80 tss-int.apple.com] which are only accessible within Apple's VPN. SpiderCab is used to sign internal/debug and test builds of iOS, including old versions that are no longer signed on production.
 
  +
  +
There is an Apple internal equivalent, known as SpiderCab, running at [http://tatsu-tss-internal.apple.com:80 tatsu-tss-internal.apple.com] and [http://tss-int.apple.com:80 tss-int.apple.com], which are only accessible within Apple's VPN. SpiderCab is used to sign internal/debug and test builds of iOS, including old versions that are no longer signed on production.
  +
  +
'''Note: As of 2/18/2020, access to TSS SOAP services is forbidden, likely to all outside of Apple's internal network.''' Reliable communication to the TSS server requires the appropriate HTTP header, as described in [[SHSH Protocol#Communication]]. If you are communicating with a TSS service and not the SHSH controller itself, you must additionally provide a <code>SOAPAction:</code> header containing the URL of the service you are accessing. Also note that '''not all TSS servers accept SOAP requests.'''
  +
  +
== Services ==
  +
  +
There are two services provided, both accessible via [https://en.wikipedia.org/wiki/SOAP SOAP] requests. They are located in http://gs.apple.com/TSS/services/ under their respective names. A sample request concerning "getReceiptPacketStatus" from the "tatsuReceiptsStatusPort" service is demonstrated below:
  +
  +
> POST /TSS/services/tatsuReceiptsStatusPort HTTP/1.1
  +
> Host: gs.apple.com
  +
> User-Agent: InetURL/1.0
  +
> Accept: */*
  +
> Content-Length: 588
  +
> Content-Type: text/xml;charset=utf-8
  +
> SOAPAction: http://gs.apple.com/TSS/services/tatsuReceiptsStatusPort
  +
  +
SOAP XML:
  +
<?xml version="1.0" encoding="UTF-8"?>
  +
<soapenv:Envelope
  +
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
  +
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  +
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  +
  +
<soapenv:Body>
  +
<ns1:getReceiptPacketStatus
  +
soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
  +
xmlns:ns1="http://gs.apple.com/TSS/services/tatsuReceiptsStatusPort">
  +
<ns1:param0
  +
xsi:type="ns2:ReceiptDataPacketStatusRequest"
  +
xmlns:ns2="http://receiptsstatus.web.tss.apple.com">
  +
<ns2:status><nowiki><code>1</code></nowiki></ns2:status>
  +
</ns1:param0>
  +
</ns1:getReceiptPacketStatus>
  +
</soapenv:Body>
  +
  +
</soapenv:Envelope>
  +
  +
Response:
  +
<?xml version="1.0" encoding="utf-8"?>
  +
<soapenv:Envelope
  +
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
  +
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  +
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  +
  +
<soapenv:Body>
  +
<ns1:getReceiptPacketStatusResponse
  +
soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
  +
xmlns:ns1="http://gs.apple.com/TSS/services/tatsuReceiptsStatusPort">
  +
  +
<param1 href="#id0"/>
  +
</ns1:getReceiptPacketStatusResponse>
  +
<multiRef
  +
id="id0"
  +
soapenc:root="0"
  +
soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
  +
xsi:type="ns2:ReceiptDataPacketStatusResponse"
  +
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
  +
xmlns:ns2="http://receiptsstatus.web.tss.apple.com">
  +
  +
<batchIdhref="#id1"/>
  +
<status href="#id2"/>
  +
<ip xsi:type="xsd:string">10.108.105.161</ip>
  +
</multiRef>
  +
<multiRef
  +
id="id1"
  +
soapenc:root="0"
  +
soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
  +
xsi:type="xsd:long"
  +
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">
  +
0
  +
</multiRef>
  +
<multiRef
  +
id="id2"
  +
soapenc:root="0"
  +
soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
  +
xsi:type="ns3:status"
  +
xmlns:ns3="http://receiptsstatus.web.tss.apple.com"
  +
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">
  +
  +
<nowiki><code href="#id3"/></nowiki>
  +
<desc xsi:type="xsd:string"></desc>
  +
</multiRef>
  +
<multiRef
  +
id="id3"
  +
soapenc:root="0"
  +
soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
  +
xsi:type="xsd:int"
  +
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">
  +
3
  +
</multiRef>
  +
</soapenv:Body>
  +
  +
</soapenv:Envelope>
  +
  +
This type of SOAP request/response can be performed with a cURL request, like so (where <code>soap.xml</code> is the location of the aforementioned SOAP XML):
  +
  +
curl -i -m 1.0 -H "Content-Type: text/xml;charset=utf-8" -A InetURL/1.0 -H "SOAPAction: http://gs.apple.com/TSS/services/tatsuReceiptsStatusPort" -H "Host: gs.apple.com" -d @soap.xml http://gs.apple.com/TSS/services/tatsuReceiptsStatusPort
  +
  +
'''Note: ''' The server may occasionally return <code>java.lang.NullPointerException</code> despite a valid response. Retrying the request will likely remedy this. ''Is this a race condition bug on the server side?''
  +
  +
===PacketPort===
  +
  +
====pushDataPacket====
  +
  +
* '''Input Message''' (<code>pushDataPacketRequest</code>)
  +
* '''Output Message''' (<code>pushDataPacketResponse</code>)
  +
  +
===tatsuReceiptsStatusPort===
  +
  +
====Custom Types====
  +
  +
These are custom types defined by the http://receiptsstatus.web.tss.apple.com/ namespace, documented below:
  +
  +
* <code>status</code> contains a status code and the description for the aforementioned code. The only known status code is 3.
  +
** <code>code</code> (Integer)
  +
** <code>desc</code> (String)
  +
* <code>ReceiptDataPacketStatusRequest</code>
  +
** <code>code</code> (Number)
  +
* <code>ReceiptDataPacketStatusResponse</code>
  +
** <code>[no name]</code> (Long)
  +
** <code>status</code> (type=<code>status</code>)
  +
** <code>ip</code> (String)
  +
* <code>ExpireTSAQueryRequest</code>
  +
** <code>tsa</code> (Number)
  +
* <code>ExpireTSAQueryResponse</code>
  +
  +
====getReceiptPacketStatus====
  +
  +
Returns an unknown number, a status type, and a [https://en.m.wikipedia.org/wiki/Reserved_IP_addresses private IP address] (likely meant to be accessed within Apple’s internal VPN).
  +
  +
* '''Input Message''' (<code>getReceiptPacketStatusRequest</code>)
  +
** <code>param0</code> (type=<code>ReceiptDataPacketStatusRequest</code>)
  +
* '''Output Message''' (<code>getReceiptPacketStatusResponse</code>)
  +
** <code>param1</code> (type=<code>ReceiptDataPacketStatusResponse</code>)
  +
  +
====queryTASExpireTSA====
  +
  +
* '''Input Message''' (<code>queryTASExpireTSARequest</code>)
  +
** <code>param2</code> (type=<code>ExpireTSAQueryRequest</code>)
  +
* '''Output Message''' (<code>queryTASExpireTSAResponse</code>)
  +
** <code>param3</code> (type=<code>ExpireTSAQueryResponse</code>)
  +
  +
====updateTSSStatus====
  +
  +
* '''Input Message''' (<code>updateTSSStatusRequest</code>)
  +
** <code>param4</code> (type=<code>status</code>)
  +
* '''Output Message''' (<code>updateTSSStatusResponse</code>)
  +
** <code>param5</code> (type=<code>status</code>)
  +
  +
== Notes ==
  +
  +
[https://www.soapui.org SoapUI], a test automation framework for the SOAP protocol, lists Apple among their largest users [https://www.soapui.org/downloads/download-soapui-pro-trial.html].
  +
  +
===Server Details===
  +
It is of moderate security concern to know that the TSS server runs [http://tomcat.apache.org/ Apache Tomcat], which is exposed, alongside version number, in the default 404 page. The SOAP implementation used is [http://axis.apache.org/axis/ Apache Axis] (Java).
   
 
== References ==
 
== References ==
 
* [[TinyUmbrella]]
 
* [[TinyUmbrella]]
  +
* [https://www.w3.org/TR/2000/NOTE-SOAP-20000508 SOAP specification]
   
 
== External Links ==
 
== External Links ==
* [http://gs.apple.com/TSS/ List of available services]
+
* [https://web.archive.org/web/20121128012112/http://gs.apple.com/TSS/ List of available services (archive.org)]
 
{{stub|Apple Inc.}}
 

Latest revision as of 19:40, 28 March 2020

The Tatsu Signing Server (TSS) is a collection of services provided by Apple. In late 2012, the list of available services was briefly made public at gs.apple.com. This index page has since been removed, although at least one archived capture exists. TSS is accessed chiefly for use of the SHSH Protocol to receive signed blobs for a given iOS build. This is achieved with the SHSH controller at http://gs.apple.com/TSS/controller.

There is an Apple internal equivalent, known as SpiderCab, running at tatsu-tss-internal.apple.com and tss-int.apple.com, which are only accessible within Apple's VPN. SpiderCab is used to sign internal/debug and test builds of iOS, including old versions that are no longer signed on production.

Note: As of 2/18/2020, access to TSS SOAP services is forbidden, likely to all outside of Apple's internal network. Reliable communication to the TSS server requires the appropriate HTTP header, as described in SHSH Protocol#Communication. If you are communicating with a TSS service and not the SHSH controller itself, you must additionally provide a SOAPAction: header containing the URL of the service you are accessing. Also note that not all TSS servers accept SOAP requests.

Services

There are two services provided, both accessible via SOAP requests. They are located in http://gs.apple.com/TSS/services/ under their respective names. A sample request concerning "getReceiptPacketStatus" from the "tatsuReceiptsStatusPort" service is demonstrated below:

> POST /TSS/services/tatsuReceiptsStatusPort HTTP/1.1
> Host: gs.apple.com
> User-Agent: InetURL/1.0
> Accept: */*
> Content-Length: 588
> Content-Type: text/xml;charset=utf-8
> SOAPAction: http://gs.apple.com/TSS/services/tatsuReceiptsStatusPort

SOAP XML:

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope
	xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
	xmlns:xsd="http://www.w3.org/2001/XMLSchema"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

<soapenv:Body>
	<ns1:getReceiptPacketStatus
		soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
		xmlns:ns1="http://gs.apple.com/TSS/services/tatsuReceiptsStatusPort">
		<ns1:param0
			xsi:type="ns2:ReceiptDataPacketStatusRequest"
			xmlns:ns2="http://receiptsstatus.web.tss.apple.com">
			<ns2:status><code>1</code></ns2:status>
		</ns1:param0>
	</ns1:getReceiptPacketStatus>
</soapenv:Body>

</soapenv:Envelope>

Response:

<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope
	xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
	xmlns:xsd="http://www.w3.org/2001/XMLSchema"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

<soapenv:Body>
	<ns1:getReceiptPacketStatusResponse
		soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
		xmlns:ns1="http://gs.apple.com/TSS/services/tatsuReceiptsStatusPort">

		<param1 href="#id0"/>
	</ns1:getReceiptPacketStatusResponse>
	<multiRef
		id="id0"
		soapenc:root="0"
		soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
		xsi:type="ns2:ReceiptDataPacketStatusResponse"
		xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
		xmlns:ns2="http://receiptsstatus.web.tss.apple.com">

		<batchIdhref="#id1"/>
		<status href="#id2"/>
		<ip xsi:type="xsd:string">10.108.105.161</ip>
	</multiRef>
	<multiRef
		id="id1"
		soapenc:root="0"
		soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
		xsi:type="xsd:long"
		xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">
		0
	</multiRef>
	<multiRef
		id="id2"
		soapenc:root="0"
		soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
		xsi:type="ns3:status"
		xmlns:ns3="http://receiptsstatus.web.tss.apple.com"
		xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">

		<code href="#id3"/>
		<desc xsi:type="xsd:string"></desc>
	</multiRef>
	<multiRef
		id="id3"
		soapenc:root="0"
		soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
		xsi:type="xsd:int"
		xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">
		3
	</multiRef>
</soapenv:Body>

</soapenv:Envelope>

This type of SOAP request/response can be performed with a cURL request, like so (where soap.xml is the location of the aforementioned SOAP XML):

curl -i -m 1.0 -H "Content-Type: text/xml;charset=utf-8" -A InetURL/1.0 -H "SOAPAction: http://gs.apple.com/TSS/services/tatsuReceiptsStatusPort" -H "Host: gs.apple.com" -d @soap.xml http://gs.apple.com/TSS/services/tatsuReceiptsStatusPort

Note: The server may occasionally return java.lang.NullPointerException despite a valid response. Retrying the request will likely remedy this. Is this a race condition bug on the server side?

PacketPort

pushDataPacket

  • Input Message (pushDataPacketRequest)
  • Output Message (pushDataPacketResponse)

tatsuReceiptsStatusPort

Custom Types

These are custom types defined by the http://receiptsstatus.web.tss.apple.com/ namespace, documented below:

  • status contains a status code and the description for the aforementioned code. The only known status code is 3.
    • code (Integer)
    • desc (String)
  • ReceiptDataPacketStatusRequest
    • code (Number)
  • ReceiptDataPacketStatusResponse
    • [no name] (Long)
    • status (type=status)
    • ip (String)
  • ExpireTSAQueryRequest
    • tsa (Number)
  • ExpireTSAQueryResponse

getReceiptPacketStatus

Returns an unknown number, a status type, and a private IP address (likely meant to be accessed within Apple’s internal VPN).

  • Input Message (getReceiptPacketStatusRequest)
    • param0 (type=ReceiptDataPacketStatusRequest)
  • Output Message (getReceiptPacketStatusResponse)
    • param1 (type=ReceiptDataPacketStatusResponse)

queryTASExpireTSA

  • Input Message (queryTASExpireTSARequest)
    • param2 (type=ExpireTSAQueryRequest)
  • Output Message (queryTASExpireTSAResponse)
    • param3 (type=ExpireTSAQueryResponse)

updateTSSStatus

  • Input Message (updateTSSStatusRequest)
    • param4 (type=status)
  • Output Message (updateTSSStatusResponse)
    • param5 (type=status)

Notes

SoapUI, a test automation framework for the SOAP protocol, lists Apple among their largest users [1].

Server Details

It is of moderate security concern to know that the TSS server runs Apache Tomcat, which is exposed, alongside version number, in the default 404 page. The SOAP implementation used is Apache Axis (Java).

References

External Links