Trying to create apple developers push certificate for ECC algorithm as communication with APNS required ES256 alg as documented here.
NOTE: APNs supports only provider authentication tokens that are
signed with the ES256 algorithm. Unsecured JWTs, or JWTs signed with
other algorithms, are rejected, and your provider receives the
InvalidProviderToken (403) response.
Getting error below,
CSR algorithm/size incorrect. Expected: RSA(2048)
Any idea why?
Note: I have created proper ECC based signingcert from Keychain app.
I have changed stripe csr file extension from stripe.certSigningRequest to stripe.csr and Its working fine for me.
Related
I'm reading this article on iOS push certificates, and I'm confused about this paragraph:
Your backend sends notifications through Apple's servers to your application. To ensure that unwanted parties are not sending notifications to your application, Apple needs to know that only your servers can connect with theirs. Apple therefore requires you to create an SSL certificate to be able to send push notifications.
My understanding of SSL certificates is that if a server has one, that server is able to encrypt data that it sends to a device. But it says here Apple needs to know that only your servers can connect with theirs. I don't understand how having an SSL certificate ensures that. Does anyone have any insight?
The article shouldn't have used the term SSL Certificate. SSL is the Secure Sockets Layer (which was superseded by TLS many years ago). SSL and TLS define the handshake that is used to negotiate encryption on a connection.
Enabling SSL on a web server required you to have a certificate to verify your server's identity and so this became known colloquially as an "SSL certificate".
While it isn't often used on the web, in SSL/TLS both parties can present a certificate so that there is mutual authentication.
What you typically have is actually an x.509 certificate. This is the case with the push notification service.
An x.509 certificate contains some information including the identity of the certificate holder, their private key and a signature from a trusted party that can be used to verify the information.
For push notifications, the developer generates a certificate request and submits this to Apple who sign it with their private key. Apple is the trusted party in this case.
When this certificate is subsequently presented to Apple's server they can verify that signature using their public key to confirm the identity of the connecting party.
You have has encrypted the message with their private key (Apple can decrypt it with the public key included in the certificate).
What this means is, that as long as the developer has kept their private key secure (which is why you wouldn't connect directly to the push service from your app, for example) then Apple can be sure of the identity of the server making the connection.
If someone was trying to impersonate your server then, as long as you have kept your private key secure, they can't encrypt the data properly. If they use a forged certificate that uses a public/private key pair known to them then the signature on the certificate won't be valid and Apple will reject it.
I have build a PKCS#10 Certificate request with proof of possession element that will be sent towards Certification Authority via ACS to obtain the User certificate. In Android app it is used the SpongyCastle package (SpongyCastle)
Has anyone any idea how to do that in swift?
Thanks
I found my solution!
Just used that library (https://github.com/cbaker6/CertificateSigningRequestSwift) and changed the function "buldCertificationRequestInfo" in order to have the certificate as was wanted.
I'm trying to configure my iOS app to receiver notifications with Firebase.
If I export the certificate and the private key without a password and try to upload it (production or development) on Firebase console I get the error "Incorrect password".
If I export the certificate and the private key with a password I get the error "An unknown server error ocurred" or "There was an error reading your certificate".
I don't understand why that is happening. I did follow the tutorial correctly. Can someone help me?
You should be using an APNS Authentication Key rather than the certificates. This is the new preferred method in iOS for a provider to register and send messages with APNS
From Firebase:
Configuration with auth keys is recommended as they are the more
current method for sending notifications to iOS
From Apple:
For a provider to communicate with APNs, it must employ a valid
authentication key certificate (for token-based connection trust) or
SSL certificate (for certificate-based connection trust). You obtain
either of these certificates from your online developer account, as
explained in “Configure push notifications” in Xcode Help. To choose
between the two certificate types, read Provider-to-APNs Connection
Trust. Whichever certificate type you choose, provider connection
trust is prerequisite to a provider sending push notification requests
to APNs.
while exporting just select the Apple Push Service part and don't select the private key from Keychain Access and export than in firebase Production APNs certificate browse the p12 file you just created, it will work.
I don't know when this implementation will be deprecated but it works as of now (19 Feb 2018).
You should export only the certificate and don't select the private key . Please see this screenshot
I recently noticed a new option when creating a certificate for a given iOS client.
The option is titled
Apple Push Notification Authentication Key (Sandbox & Production)
Get an authentication key to generate server-side tokens. You can use
these tokens as an alternative to certificates for your notification
requests.
One authentication key can be used for multiple apps and does not
expire.
How does one go about setting this up?
Apple Push Notification token-based authentication is an alternative to using provider certificates to connect to APNs. The provider API supports JSON Web Token (or JWT), an open standard, to pass authentication claims to APNs along with the push message.
To generate a provider token, obtain a private key for signing the
token as described in Creating a Universal Provider Tokenin App
Distribution Guide. You should construct a token with header
containing a 10 character Key ID (kid). The token claims portion
contains Issuer (iss) which is a 10 character Team ID. Your Team ID
and Key ID values can be obtained from your developer account. The
claims shall also contain Issued At (iat) which is the number of
seconds from Epoch in UTC when the token was generated. The token must
be signed with the Elliptic Curve Digital Signature Algorithm (ECDSA)
using the P-256 curve and the SHA-256 hash algorithm (ES256),
specified as a value in the algorithm key (alg).
{
"alg": "ES256",
"kid": "ABC123DEFG"
}
{
"iss": "DEF123GHIJ",
"iat": 1437179036
}
For additional information along with list of available libraries for generating signed JSON web tokens, refer to https://jwt.io
This is a swift library to sign your JSON Web Token (or JWT) : kylef/JSONWebToken.swift
Note: Only providers tokens signed with ES256 algorithm are supported
by APNs. Unsecured JWT or JWT signed with other algorithms will be
rejected with a response indicating an Invalid Provider Token.
SOURCE : APPLE : Provider Authentication Tokens
WWDC 2016 - Session 724 : Token Based Authentication
PS:
The biggest difference is that The Key Way will not be expired than Certificate will be expired after one year.
I am developing mdm server and I have a problem with one of enrollment steps. The problem is scep step. I implement a scep server which handles Device CACert request and sends our server certificate in der format. After that, device sends encrypted and signed csr. But I can not verify signature of message. I think device creates a self-signed-certificate and sign message with it. We think that because signature certificate's common name is changing each "PKIOperation" request. But we must verify this signature because of security.
For example in each 3 enrollment request, certificate of csr signature changes. Their common names are:
CN=6E4F65AD-1E64-4E4D-A96E-2039EB140041
CN=2E33C2CC-14B8-47AC-938B-DCC7F8DA8715
CN=6817ED48-AB79-4FF0-A1A9-42C2AC303672
Note: The other steps of enrollment device sign messages with proper certificate and I can verify them. Only scep PKIOperation request is my problem. Is there any profile flag to set or something to solve this problem?
I may be wrong in some details, because I touched this about two years ago.
However, as I remember it's part of a protocol
If you take a look at SCEP draft: https://datatracker.ietf.org/doc/html/draft-nourse-scep-23#page-30 you will see this:
When building a pkiMessage, clients MUST have a certificate to sign
the PKCS#7 [RFC2315] signed-data (because PKCS#7 [RFC2315] requires
it). Clients MUST either use an existing certificate, or create a
self-signed certificate (see Section 2.3).
If the requester does not have an appropriate existing
certificate, then a locally generated self-signed certificate
MUST be used instead. The self-signed certificate MUST use the
same subject name as in the PKCS#10 request.
However, I was under impression that iOS device uses certificate/private keys which are built into the device. And this certificate is signed using Apple certs. And actually, as I remember they had exactly the format of CN, which you shown.
So, generally speaking it's ok if device uses self-signed certificate for first communication to the SCEP server (PKIOperation) and uses a certificate issued by your CA later on.