Generating Apple Wallet Pass - ios

I'm trying to generate an Apple Wallet pass for one of my clients, but for some reason related to certificate signing I cannot generate a valid pass file. I've tried to use the public key and private key for generating the Wallet pass, but with no success.
I might be missing the correct files here, can someone please guide me through the file generation process here?
There is no issue with my web service generating the .pkpass file when using an old certificate file (issued by WWDR back in 2020).
I'm using this pass file validator to validate the file.
attached screenshot for

Related

tcpdf certification by.. is invalid

I followed the steps indicated in Example 052 (https://tcpdf.org/examples/example_052/) for generating a pdf with digital signature using tcpdf with a self signed crt. I read also that part about adding the pdf to Adobe List of Trusted Identities. For testing purpose I've added the tcpdf.crt file to trusted identities and it works fine.
But I can't ask the clients to do the same. The PDF file received should already be validated when it is opened, or at least not display the message: "Certification by My company is invalid". So, what crt should I use to get a validated PDF file? I tried to use the crt available for my secured website but I'm getting the same error.
Thank you

Unable to locate the pvt key for a csr generated using Windows MMC snap-in

To access a public server, I was asked to generate a CSR. I generated the CSR using the Windows MMC snap-in, which was then validated by the authorities, and a CER file was issued to me. I have successfully imported that CER file as well.
However, I am unable to locate the private key corresponding to this CSR. Need serious help here. No option was specified to save the pvt key, even though the checkbox to make it exportable was selected.
The MMC console mentions that a private key exists for this certificate - but does not specify where.
Have managed to export the certificate to a PFX file (asked for a passcode - provided one) - but for all my attempts, extracting the private key from PFX without using any commercial tool is proving to be challenging (using any commercial or online tool is not permitted, unfortunately). (Have trawled through quite a few SO posts - too numerous to be listed).
Will be happy to write a program (in C or Assembly) if that helps extract the private key.
Thanks for your attention.

iOS AWS SNS Create platform application fail with error "There was an error reading the selected certificate."

After downloading my certificate from the apple developer portal, I successfully create a p12 file but whenever I try to create a platform application on aws, enter the certificate password, I just keep getting the error below.
"There was an error reading the selected certificate. Verify the password and try again."
I have tried with short and no passwords but nothing seems to accept the password.
Any ideas?
I was able to make this work, by doing the following:
Delete all old keys related to previous attempts in your Keychain > login (macos)
Request a new certificate from Request Certificate from Authority. Make sure no keys are selected when you execute this function.
I chose a single word in lowercase for Common name.
Add certificate to Apple Developer Portal
Download the CSR
Double click on the CSR to import the keys into your Keychain.
Your private key should have a dropdown with the certificate listed. My previous attempts did not have this. Export the p12.
The p12 worked in AWS SNS when entering the password, the public and private keys were extracted from the p12.

Identity certificate - IOS MDM

I have few questions regarding Identity certificate in Profile Payload.
Forgive the ignorance, if some questions are basic.
1.) I found that, we can either use SCEP standard or PKCS12 certificate directly for device identification. SCEP is recommended, since private key will be known only to the device. So in case If I am going to implement SCEP server, do I need to maintain the list of Public key of Identity certificates mapped to the device, so that I can use it later for encrypting?
2.) What is the best possible way to implement SCEP server.? Is there any reliable robust methods available to adopt it instead of writing everything on our own?
3.) What if the identity certificate is expired?
As a basic version while playing around, I tried to add my own p12 certificate to the Payload without using SCEP.
I tried to add the base64-encoded p12 certificate in the identity payloadcontent key, as mentioned in some link reference. I got an error
The identity certificate for “Test MDM Profile” could not be found
while installing profile.
identity_payload['PayloadType'] = 'com.apple.security.pkcs12'
identity_payload['PayloadUUID'] = "RANDOM-UUID-STRING"
identity_payload['PayloadVersion'] = 1
identity_payload['PayloadContent'] = Base64.encode64(File.read "identity.p12")
identity_payload['Password'] = 'p12Secret'
When I checked 'Configuration Profile key reference', it was mentioned that I should send Binary representation of Payload in Data.
So I tried,
identity_payload['PayloadContent'] = ConvertToBinary(File.read "identity.p12")
I got,
The password for the certificate “IdentityCertificate” is incorrect
I am supplying valid password for exporting the p12 certificate.
What am I doing wrong?
Answering your question:
1) Do I need to maintain the list of Public key of Identity certificates mapped to the device, so that I can use it later for encrypting?
Yes. You need some kind of mapping. You can do it in a couple of ways:
Just store in the DB a mapping between the certificate common name and the device UDID.
Make CN contain UDID (I like this method, because it simplifies initial checks)
And as you pointed out you will need public key to encrypt payloads for this device.
2) What is the best possible way to implement SCEP server.? Is there any reliable robust methods available to adopt it instead of writing everything on our own?
There are open source implementations of SCEP. For example, jSCEP has one (I used it) and EJBCA has one (I used it too). I saw other implementations (in Ruby and so on). So, you can find and choose something which works with your stack.
3) You need to renew the identity certificate before it expires (the same way as for any other certificate).
4) If your profile doesn't work, I would recommend you to create the same profile in iPhone Configuration Utility and compare with yours. Most of the time, you missed just one tag or something like that (it will take a lot to figure it out without comparing it with working one).
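One way to implement the "CN contains the UDID" initial check and the renew-before-expiry rule from the answer above, as an added example that is not part of the original answer. The UDID, the CA name, the 30-day renewal window and the helper names are assumptions, and a locally generated key stands in for the SCEP CA.

```ruby
require 'openssl'

SAMPLE_UDID  = '00000000-000A1B2C3D4E5F00'  # constructed value, not a real device
RENEW_WINDOW = 30 * 24 * 3600               # assumed policy: renew 30 days early

# Stand-in for the SCEP CA: issues an identity certificate whose CN is the UDID.
def issue_identity_cert(ca_key, udid, not_before, not_after)
  device_key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.new([['CN', udid]])
  cert.issuer = OpenSSL::X509::Name.new([['CN', 'Example MDM CA']])
  cert.public_key = device_key.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Returns the CN of the certificate subject, or nil if there is none.
def common_name(cert)
  entry = cert.subject.to_a.find { |field, _value, _type| field == 'CN' }
  entry && entry[1]
end

# Initial check on a device request: the certificate must be signed by our CA,
# its CN must equal the UDID the device claims, and it must be in date.
def check_identity(cert, ca_public_key, claimed_udid, now = Time.now)
  return :untrusted     unless cert.verify(ca_public_key)
  return :udid_mismatch unless common_name(cert) == claimed_udid
  return :not_yet_valid if now < cert.not_before
  return :expired       if now > cert.not_after
  return :renew_soon    if cert.not_after - now < RENEW_WINDOW
  :ok
end

if __FILE__ == $PROGRAM_NAME
  now = Time.now
  ca_key = OpenSSL::PKey::RSA.new(2048)
  cert = issue_identity_cert(ca_key, SAMPLE_UDID, now - 60, now + 20 * 24 * 3600)
  puts check_identity(cert, ca_key.public_key, SAMPLE_UDID, now)
end
```

The signature check comes first because a CN match means nothing on a certificate the server's own CA did not issue.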

Blackberry code signing 'unable to request signatures...'

I have taken a project created by someone else on another machine.
I have filled in the signed keys form and had my keys emailed to me.
I have double-clicked on each to install them. I then go to the signature tool in the vmTools folder and select my .cod file (built today).
I then get the list of cod files with 'not registered' next to them in the status column.
I hit the request button and get the error: 'unable to request signatures until this application has been registered with all signing authorities'. What am I missing?
It sounds like the signing server may be down, you can check the current status of the signing server here:
isthesigningserverdown.com
It is always a quick and easy start to troubleshooting signatures.
Please see this blackberry.com reference.
To prevent this being lost to link rot, I pasted the important content below.
Note: if you're using the Eclipse plugin, not the old JDE, then you would go to the BlackBerry menu, select Sign, and either Install New Keys or Import Existing Keys. You must use all three files that BlackBerry (RIM) gave you. For example, to install brand new keys:
client-RBB-12341231.csi
client-RCR-12341231.csi
client-RRT-12341231.csi
or for an Import of existing keys:
sigtool.csk
sigtool.db
Problem
In certain situations, when you attempt to sign your application using the SignatureTool application, you receive the following error:
Unable to request signatures until this application has been registered with all signing authorities required.
Cause
You are attempting to request code-signing signatures for your application but the SignatureTool is not registered with all the required signing authorities.
There are two types of RIM Code Signing framework signatures:
Required Signatures - This is specified by the .csl file associated with the .cod file. A required signature is necessary to load your application on the device.
Optional Signatures - This is specified by the .cso file associated with the .cod file. An optional signature indicates that the system may perform a runtime signature check on the application. If the application is not signed, it is not allowed to execute the intended method.
The SignatureTool prevents you from signing the application since it waits until all required signatures are in place. Required signatures are necessary for the application to load successfully on the device.
Resolution
There are several different scenarios where the SignatureTool is not registered with the required code-signing servers.
Scenario 1 - Not Registered with Public Signing Authorities
There are three public-signing authorities (RBB, RRT, and RCR) that represent different sections of the controlled application programming interface (API). When you receive code-signing keys, you receive three .csi files representing the three code-signing servers. It is important to register with all three servers. To determine which signature keys have been successfully installed and/or missing, please review this article.
Scenario 2 - Attempting to use a Controlled Signing Authority
There is an additional public-signing authority, the Certicom™ Crypto (RCC) signing authority, that controls access to Certicom cryptography functions on the device. Go to Certicom for more information on accessing the Certicom API’s on the device.
Scenario 3 - Attempting to use an Inaccessible Signing Authority
Research In Motion® maintains its own internal signing authorities for the protection of API’s that are not exposed or data that is not public. It is not possible to gain access to these signing authorities and any reference to Research In Motion internal methods or data should be removed from your application to allow the SignatureTool to sign your application.
Note: JDE 4.1 allows you to turn on code-signing warnings under Preferences. This determines the areas of your application that are attempting to use signatures from each signing authority.
Here's one more useful guide on the BlackBerry website
Occasionally RIM's signing server fails. I've seen it down for hours at a time.
