Our customers want to use an MDM (mobile device management) solution (MobileIron) to install client certificates onto corporate iOS devices, in order to limit access to certain corporate web services to corporate devices only.
MobileIron installs the client certificate into Settings > General > Profiles, which is the default location for certificates in iOS, and Safari can respond with this certificate when a corporate web service challenges it for one.
But I need the same thing to happen from within a custom app. When our app gets challenged for a certificate, I need to be able to respond with the certificate from Settings > General > Profiles. I have examples of responding with a certificate which is bundled with our app, and with a certificate which our app stores within its own keychain, but I do not have an example of responding with a certificate installed on the device in Settings > General > Profiles.
Can anyone explain to me more about what the NSURLAuthenticationChallengeSender protocol method -performDefaultHandlingForAuthenticationChallenge: does? Does default handling mean that iOS effectively responds to the challenge on behalf of the app? Can this response include a client certificate stored in Settings > General > Profiles?
Update
If the MDM could install a client certificate into the app keychain, that would be perfect.
Apple tech support pointed me to the following tech note in response:
https://developer.apple.com/library/ios/qa/qa1745/_index.html
To summarise, what we want to do is not supported.
MobileIron's AppConnect 2.1 update solves this problem, no special code required. X.509 certificates can be pushed with the AppConnect Configuration, and the AppConnect framework intercepts any authentication challenges when it can respond with an eligible cert. Certs can be created on-the-fly at first launch, revoked later, customized per-user or per-device, and different URL's can use different certs.
If anyone is using the code snippet on this page, stop, it's not needed. After wrapping your unmodified app, or linking-in the AppConnect framework, add an MI_AC_CLIENT_CERT_1 key to your AppConnect Configuration, pointing to a Certificate Enrollment configuration (i.e. SCEP, Entrust, Symantec PKI, PIV-D, etc.). Add a MI_AC_CLIENT_1_RULE key with a URL (with optional wildcard). There is no step 3. Your app will now automatically use certs for authentication.
Full details are in MobileIron's AppConnect and AppTunnel Guide docs, under "Certificate authentication from AppConnect apps to enterprise services".
I just came back from an onsite at a customer who was using MobileIron and was looking to do just this. MobileIron development support provided us with this snippet of code, which imports a certificate provided by the AppConnect Wrapper through MobileIron's Core Config technology.
It's not pretty, but as it was provided by them I was not allowed to modify it. It works though! You insert this into your AppDelegate.h:
- (NSString *)appConnectConfigChangedTo:(NSDictionary *)newConfig;
And this into your AppDelegate.m, right after the aforemention pragma mark:
#pragma mark UIApplicationDelegate implementation
- (NSString *)appConnectConfigChangedTo:(NSDictionary *)newConfig{
//NSLog(#"New config: %#", newConfig); //unsecure
NSLog(#"New config retrieved"); //confirm we got a new config
NSString *certStr = [newConfig valueForKey:#"kUserCert"]; //Store certificate as String
NSString *certPassword = [newConfig valueForKey:#"kUserCert_MI_CERT_PW"]; //Store certificate password as string
NSData *cert = [[NSData alloc] initWithBase64EncodedString:certStr options:0]; //only for iOS7+, decodes base64 encoded certificate
CFDataRef pkcs12Data = (__bridge CFDataRef)cert; //Extract identity & certificate objects from
CFStringRef password = (__bridge CFStringRef)certPassword; //the cert data Identity
SecIdentityRef myIdentity = nil; //Initialize variable for identity
SecCertificateRef myCertificate = nil; //Initialize variable for certificate
OSStatus status = extractIdentityAndTrust(pkcs12Data, password, &myIdentity, nil); //Use Apple-provided method for extracting Identity and Trust
if (status != errSecSuccess || myIdentity == nil) { NSLog(#"Failed to extract identity and trust: %ld", status);} //Likely due to corruption
else { SecIdentityCopyCertificate(myIdentity, &myCertificate); } //This method is supposed to store the Certificate, but Fiori doesn't see it here
const void *certs[] = { myCertificate }; //Initialize an array for one certificate
CFArrayRef certsArray = CFArrayCreate(NULL, certs, 1, NULL); //Make the array the way Apple wants it to be
NSURLCredential *credential = [NSURLCredential credentialWithIdentity:myIdentity certificates:(__bridge NSArray*)certsArray persistence:NSURLCredentialPersistencePermanent]; //MobileIron's method of Credential storage
NSMutableDictionary *secIdentityParams = [[NSMutableDictionary alloc] init]; //Initialize Dictionary to store identity
[secIdentityParams setObject:(__bridge id)myIdentity forKey:(__bridge id)kSecValueRef]; //Build the secIdentityParams dictionary in the way the next method expects it to be
OSStatus certInstallStatus = SecItemAdd((__bridge CFDictionaryRef) secIdentityParams, NULL); //Add the identity to the keychain for Fiori consumption
if (myIdentity) CFRelease(myIdentity); //Free
if (certsArray) CFRelease(certsArray); //Up
if (myCertificate) CFRelease(myCertificate); //Memory
return nil; //Success
}
// Copied from Apple document on Certificates:
// http://developer.apple.com/library/mac/documentation/security/conceptual/CertKeyTrustProgGuide/CertKeyTrustProgGuide.pdf
OSStatus extractIdentityAndTrust(CFDataRef inP12data, CFStringRef password, SecIdentityRef *identity, SecTrustRef *trust){
OSStatus securityError = errSecSuccess;
const void *keys[] = { kSecImportExportPassphrase };
const void *values[] = { password };
CFDictionaryRef options = CFDictionaryCreate(NULL, keys, values, 1, NULL, NULL);
CFArrayRef items = nil;
securityError = SecPKCS12Import(inP12data, options, &items);
if (securityError == errSecSuccess) {
CFDictionaryRef myIdentityAndTrust = CFArrayGetValueAtIndex(items, 0);
if (identity && CFDictionaryGetValueIfPresent(myIdentityAndTrust, kSecImportItemIdentity, (const void **)identity)) {
CFRetain(*identity);
}
if (trust && CFDictionaryGetValueIfPresent(myIdentityAndTrust, kSecImportItemTrust, (const void **)trust)) {
CFRetain(*trust);
}
}
if (options) {CFRelease(options);}
if (items) {CFRelease(items);}
return securityError;
}
Once you've built your app, ask the MobileIron administrator to 'wrap' the app so that it can use AppConnect. Once that is done and the wrapped app is deployed to test users via MobileIron, set up a Core Config that take a User Certificate specific for the provisioned user and pushes it to the provisioned devices under the Core Config key "kUserCert".
Related
I’m trying to connect to a webpage link using a Waveshare Sim7020 module through a Raspberry Pico, using https AT commands, but the connect command returns an error.
My final objective is to send a telegram message from it using a bot link for it like explained in https://core.telegram.org/bots/api#making-requests using this method:
https://api.telegram.org/bot\<token>/METHOD_NAME
This is not working for me, so thinking that maybe this is complex I’m trying to connect to google, bur the problem continues. I have also syncronized the time on the module with a server. I’m wondering that it could be a certificate problem? These are the functions used:
from machine import Pin, ADC
import os
import utime
import binascii
#import ujson
#print sys info
print(os.uname())
#using pin defined
ADC0= ADC(Pin(26))
sensor_temp = ADC(4)
led_pin =25 #onboard led
pwr_en = 14 #pin to control the power of sim7020x
uart_port = 0
uart_baute = 115200
APN = "cmnbiot"
i=0
reading=0
temperature=0
#indicate program started visually
led_onboard = machine.Pin(led_pin, machine.Pin.OUT)
def led_blink():
led_onboard.value(1)
utime.sleep(0.5)
led_onboard.value(0)
utime.sleep(0.5)
led_onboard.value(1)
utime.sleep(0.5)
led_onboard.value(0)
def hexStr_to_str(hex_str):
hex = hex_str.encode('utf-8')
str_bin = binascii.unhexlify(hex)
return str_bin.decode('utf-8')
def str_to_hexStr(string):
str_bin = string.encode('utf-8')
return binascii.hexlify(str_bin).decode('utf-8')
#power on the sim800c
def powerOn(pwr_en):
pwr_key = machine.Pin(pwr_en, machine.Pin.OUT)
pwr_key.value(1)
#power down the sim800c
def powerDown(pwr_en):
pwr_key = machine.Pin(pwr_en, machine.Pin.OUT)
pwr_key.value(0)
#2 sec timeout is arbitrarily chosen
def sendCMD_waitResp(cmd, timeout=2000):
print("CMD: " + cmd)
uart.write((cmd+'\r\n').encode())
waitResp(timeout)
print()
def waitResp(timeout=2000):
prvMills = utime.ticks_ms()
resp = b""
while (utime.ticks_ms()-prvMills)<timeout:
if uart.any():
resp = b"".join([resp, uart.read(1)])
print((resp).decode())
def sendCMD_waitRespLine(cmd, timeout=2000):
print("CMD: " + cmd)
uart.write((cmd+'\r\n').encode())
waitRespLine(timeout)
print()
def waitRespLine(timeout=2000):
prvMills = utime.ticks_ms()
while (utime.ticks_ms()-prvMills)<timeout:
if uart.any():
print((uart.readline()).decode())
#APN Manual configuration
def apnConfig(APN):
sendCMD_waitResp("AT+CFUN=0") #Disable RF
sendCMD_waitResp("AT*MCGDEFCONT=\"IP\",\""+ APN +"\"") #Set the APN manually
sendCMD_waitResp("AT+CFUN=1") #Enable RF
utime.sleep(1)
sendCMD_waitResp("AT+CGATT?") #Inquiry PS service
sendCMD_waitResp("AT+CGREG?")
sendCMD_waitResp("AT+CGCONTRDP") #Attached PS domain and got IP address automatically
Then this are the AT command tests and APN configuration:
#print uart info
uart = machine.UART(uart_port, uart_baute, bits=8, parity=None, stop=1)
print(uart)
#power on the board
powerOn(pwr_en)
#clear bufer in UART
waitResp()
#AT commands test
atCommandTest()
#APN Manual configuration
apnConfig(APN)
Then this is the time syncronization:
sendCMD_waitResp("AT+CSNTPSTART=\"[ntp.i2t.ehu.es](http://ntp.i2t.ehu.es/)\"")
sendCMD_waitResp("AT+CCLK?")
sendCMD_waitResp("AT+CSNTPSTOP")
sendCMD_waitResp("AT+CSNTPSTART=\"[ntp.i2t.ehu.es](http://ntp.i2t.ehu.es/)\",\"+01\"")
sendCMD_waitResp("AT+CCLK?")
sendCMD_waitResp("AT+CSNTPSTOP")
sendCMD_waitResp("AT+CURTC=1")
sendCMD_waitResp("AT+CRESET")
sendCMD_waitResp("AT+CURTC?")
sendCMD_waitResp("AT+CSNTPSTART=\"[ntp.i2t.ehu.es](http://ntp.i2t.ehu.es/)\"")
sendCMD_waitResp("AT+CCLK?")
sendCMD_waitResp("AT+CSNTPSTOP")
sendCMD_waitResp("AT+CURTC=1")
sendCMD_waitResp("AT+CURTC?")
sendCMD_waitResp("AT+CSNTPSTART=\"[ntp.i2t.ehu.es](http://ntp.i2t.ehu.es/)\",\"+01\"")
sendCMD_waitResp("AT+CCLK?")
sendCMD_waitResp("AT+CSNTPSTOP")
And this is the connection try out, where on create says OK but on connect says “ERROR”:
sendCMD_waitResp("AT+CHTTPCREATE=\"https://www.google.com/\"")
sendCMD_waitResp("AT+CHTTPCON=0")
sendCMD_waitRespLine("CAT+HTTPSEND=0,0,\"nextlink\"")
waitResp()
sendCMD_waitResp("CAT+HTTPDISCON=0")
sendCMD_waitResp("CAT+HTTPDESTROY=0")
Any ideas on what could be happening?
I am using the pix2pix network provided on the TensorFlow website(https://www.tensorflow.org/tutorials/generative/pix2pix) and I want to have the result of the test set in every epoch to find out the model performance on my data. In this regard, I rewrote the fit function according to an example that exists in the guidance of tensorboard (https://www.tensorflow.org/tensorboard/get_started). It has 2 "for" loops in each epoch to train on the training dataset and then get the result on the test dataset but it takes too much time (1.5 hours) for ** every epoch** for mine. The data is included 540 images for the training dataset and 55 images for the test dataset, every image is of size 1600x1200. I put the related parts of the code below for more clarity. Other parts are the same as the original code except for the generator structure which is changed considering the size of images in the dataset.
I ran code on google Colab pro, with TPU and High Ram runtime.
Very thankful in advance for your response.
#tf.function
def train_step(input_image, target):
with tf.GradientTape() as gen_tape, tf.GradientTape() as disc_tape:
gen_output = generator(input_image, training=True)
disc_real_output = discriminator([input_image, target], training=True)
disc_generated_output = discriminator([input_image, gen_output], training=True)
gen_total_loss, gen_gan_loss, gen_l1_loss = generator_loss(disc_generated_output, gen_output, target)
disc_loss = discriminator_loss(disc_real_output, disc_generated_output)
generator_gradients = gen_tape.gradient(gen_total_loss,
generator.trainable_variables)
discriminator_gradients = disc_tape.gradient(disc_loss,
discriminator.trainable_variables)
generator_optimizer.apply_gradients(zip(generator_gradients,
generator.trainable_variables))
discriminator_optimizer.apply_gradients(zip(discriminator_gradients,
discriminator.trainable_variables))
return gen_total_loss, gen_gan_loss, gen_l1_loss, disc_loss
#tf.function
def test_step(input_image, target):
gen_output = generator(input_image)
disc_real_output = discriminator([input_image, target])
disc_generated_output = discriminator([input_image, gen_output])
gen_total_loss, gen_gan_loss, gen_l1_loss =
generator_loss(disc_generated_output, gen_output, target)
disc_loss = discriminator_loss(disc_real_output, disc_generated_output)
return gen_total_loss, gen_gan_loss, gen_l1_loss, disc_loss
EPOCHS = 5
for epoch in range(EPOCHS):
for (train_input_img, train_target_img) in train_dataset:
gen_total_train_loss, gen_gan_train_loss, gen_l1_train_loss, disc_train_loss = train_step(train_input_img, train_target_img)
with train_summary_writer.as_default():
tf.summary.scalar('gen_total_train_loss',gen_total_train_loss , step=epoch)
tf.summary.scalar('gen_gan_train_loss', gen_gan_train_loss, step=epoch)
tf.summary.scalar('gen_l1_train_loss', gen_l1_train_loss, step=epoch)
tf.summary.scalar('disc_train_loss', disc_train_loss, step=epoch)
for (test_input_img, test_target_img) in test_dataset:
gen_total_test_loss, gen_gan_test_loss, gen_l1_test_loss, disc_test_loss = test_step(test_input_img, test_target_img)
with test_summary_writer.as_default():
tf.summary.scalar('gen_total_test_loss',gen_total_test_loss , step=epoch)
tf.summary.scalar('gen_gan_test_loss', gen_gan_test_loss, step=epoch)
tf.summary.scalar('gen_l1_test_loss', gen_l1_test_loss, step=epoch)
tf.summary.scalar('disc_test_loss', disc_test_loss, step=epoch)
template = 'Epoch {}, gen_total_test_loss: {}, gen_gan_test_loss: {}, gen_l1_test_loss: {},disc_test_loss: {}'
print (template.format(epoch+1,gen_total_test_loss,gen_gan_test_loss,gen_l1_test_loss,disc_test_loss))
I’ve faced the following issue, and shortly the notification picture does not show up with iOS 15 under some conditions.
It seems that during INImage processing for INSendMessageIntent, it tries to generate an internal URL with intents-remote-image-proxy if the given source is not a remote URL. But proper URL doesn’t seem to be generated in some cases and the expected image doesn’t show up.
Here the weirdest part for me is that the problem only happens when I release my app (for example to the TestFlight), and with the XCode debug build my implementation works perfectly.
[This is the error trace when I release the app]
default 16:29:26.149259+0900 NotificationExt Persisting INImage for Intent Type 'INSendMessageIntent': sender image _uri: (null)
default 16:29:26.149777+0900 NotificationExt Persisting INImage for Intent Type 'INSendMessageIntent': url created from image's _identifier
default 16:29:26.149823+0900 NotificationExt Persisting INImage for Intent Type 'INSendMessageIntent': contentURL scheme does not match scheme 'intents-remote-image-proxy'. Attempting to get a corresponding url with 'intents-remote-image-proxy' scheme. contentURL: 'B4BBA163-2F98-AFCC-8A8D-1178AC8399B5'
default 16:29:26.149869+0900 NotificationExt Persisting INImage for Intent Type 'INSendMessageIntent': Getting proxied image synchronously for content url 'B4BBA163-2F98-AFCC-8A8D-1178AC8399B5'.
*** error 16:29:26.150077+0900 NotificationExt -[INImageServiceConnection synchronousServiceProxyWithErrorHandler:]_block_invoke Error (from connection <private>; pid: 0) when using image service: Error Domain=NSCocoaErrorDomain Code=4099 UserInfo={NSDebugDescription=<private>}
*** error 16:29:26.150238+0900 NotificationExt Persisting INImage for Intent Type 'INSendMessageIntent': Error getting proxied image synchronously for content url 'B4BBA163-2F98-AFCC-8A8D-1178AC8399B5' error: Couldn’t communicate with a helper application.
default 16:29:26.150280+0900 NotificationExt Persisting INImage for Intent Type 'INSendMessageIntent': Final contentURL 'B4BBA163-2F98-AFCC-8A8D-1178AC8399B5' to persist. Finished in: 0.000854 seconds
With XCode debug build, it works perfectly with generating the proper URL with 'intents-remote-image-proxy' scheme. How this kind of URL ('intents-remote-image-proxy:?proxyIdentifier=F9EFABF4-3A8F-174A-65E3-BD5B2EBEB2AF.png&storageServiceIdentifier=com.apple.Intents.INImageServiceConnection') can be generaged?
[This is the trace of the successful case with XCode debug build]
default 18:37:38.366065+0900 NotificationExt Persisting INImage for Intent Type 'INSendMessageIntent': sender image _uri: (null)
default 18:37:38.366822+0900 NotificationExt Persisting INImage for Intent Type 'INSendMessageIntent': url created from image's _identifier
default 18:37:38.366879+0900 NotificationExt Persisting INImage for Intent Type 'INSendMessageIntent': contentURL scheme does not match scheme 'intents-remote-image-proxy'. Attempting to get a corresponding url with 'intents-remote-image-proxy' scheme. contentURL: 'F9EFABF4-3A8F-174A-65E3-BD5B2EBEB2AF'
default 18:37:38.366920+0900 NotificationExt Persisting INImage for Intent Type 'INSendMessageIntent': Getting proxied image synchronously for content url 'F9EFABF4-3A8F-174A-65E3-BD5B2EBEB2AF'.
default 18:37:38.367166+0900 NotificationExt Persisting INImage for Intent Type 'INSendMessageIntent': Final contentURL 'intents-remote-image-proxy:?proxyIdentifier=F9EFABF4-3A8F-174A-65E3-BD5B2EBEB2AF.png&storageServiceIdentifier=com.apple.Intents.INImageServiceConnection' to persist. Finished in: 0.000929 seconds
Here is the part of my code snippet.
let friendImg = INImage(imageData: img.jpegData(compressionQuality: 0.1)!)
let senderPerson = INPerson(
personHandle: INPersonHandle(value: nil, type: .unknown),
nameComponents: nil,
displayName: “test”,
image: friendImg,
contactIdentifier: nil,
customIdentifier: nil,
isMe: false,
suggestionType: .none
)
let intent = INSendMessageIntent(
recipients: nil,
outgoingMessageType: .outgoingMessageText,
content: nil,
speakableGroupName: INSpeakableString(spokenPhrase: “test”),
conversationIdentifier: nil,
serviceName: nil,
sender: senderPerson,
attachments: nil
)
intent.setImage(friendImg, forParameterNamed: \.sender)
let interaction = INInteraction(intent: intent, response: nil)
interaction.direction = .incoming
interaction.donate(completion: nil)
do {
content = try content.updating(from: intent) as! UNMutableNotificationContent
} catch {
//…
}
}
Plus, I've done the following as well:
Added NSExtension → NSExtensionAttributes (dictionary) → IntentsSupported (array) → INSendMessageIntent (string) in Notification Service Extension's Info.plist
Enabled the Communication Notifications capability on my main app target
Any Idea on this issue? Is there anything suspected?
Recently we upgraded from WPS v7.0 to v8.5. We updated the portlets and few parts of the code to have them compatible and working on the new platform (v8.5). However, we found some peculiar behavior regarding which am looking for some information. Here it goes:
Premise: These portlets use cookies for regions in the form of codes e.g oh for Ohio, ny for New York, etc.
Earlier in WPS v7.0, the portlet action URLs that were generated were of the form:
http://<host>:<port>/wps/portal/!ut/p/b1/04_SjzQ0M.... and so on.
Now, on the new platform (v8.5), the URLs are a little bit different of the below form.
http://<host>:<port>/wps/portal/oh/!ut/p/z1/pZBNCsIwE... (in the case of Ohio)
http://<host>:<port>/wps/portal/ny/!ut/p/z1/pZBNCsIwE... (in the case of New York)
Now coming to peculiar part. The URL on the 8.5 contain the cookie value (in this case: oh for Ohio) as a part of the context.
I traced and checked the logs for the ActionURL tag and other URL implementation classes like BasicURLImpl, BaseURLImpl, PortletURLProviderImpl but have not found any clue on how the cookie value is getting to be part of the action url while it is getting generated.
EDIT:
I was able to decode the URL (following this post: WebSphere Portal decode url) and saw that the cookie values are coming up as shared parameters (global) (ref: IBM WebSphere Portal Remote State Service and Fragment Service) which I consider them as public render parameters. Sample excerpt from decode url output here below:
<shared-parameters id="global">
<shared-parameter nsuri="http://www.ibm.com/xmlns/prod/websphere/portal/publicparams" localpart="path-info">
<value>oh</value>
</shared-parameter>
</shared-parameters>
At this point, my opinion is somehow the cookie values are being set as public render parameters but not sure how.
Our goal is not to have the cookie value as a part of the URL. Any clues to settings, configuration or anything that would help in the direction of getting the preferred outcome is appreciated.
Thanks.
After debugging through the actionURL creation, it is observed that the cookie values are being passed as friendly path in the below observed path. As of now, do not have an idea on how these values are being passed as a friendly path.
PortletURLImpl
.provider
.request (PortletRequestWRapper).
.request(ExtendedLocaleRequest).
.request(ExtendedLocaleRequest).
.request(FriendlySelectionHttpServletRequestWrapper)
.friendlyPath= /oh
.contextPath = /wps
.originalPathInfo = /
.pathInfo = /
.servletPath= /portal
.request (MappingURLRequestWrapper)
.contextPath = /wps
.servletPath= /portal
.originalPathInfo = /oh
Finally the issue is now fixed by adding the following property in the WAS admin console:
Under Resource environment providers > WP ConfigService > Custom properties
Add the property
Name: friendly.pathinfo.enabled
Value: false
Description: Whether URL mappings and friendly URLs can contain path information to a content item as part of the URL.
I'm Integrating my rails application with payfort using payfort api merchant page 2.0 I've made a form that collects user data and in my back end I do calculate the signature so the result is like this
`
parametsrs ={
:access_code=>"4XiE5d2D9Yvbbb9YMYPE",
:card_number=>4005550000000001,
:card_security_code=>123,
:expiry_date=>1705,
:language=>"en",
:merchant_identifier=>"MpFMkQYk",
:merchant_reference=>139,
:service_command=>" TOKENIZATION"
:signature => "d0f49bf93d76939dd9f841302f4d6ca87151a54ceffca725b38cdaf9a1a2fdb0"}
`
but whenever I submit this form I got this response invalid extra parameters
can anyone help me with that?
you need to remove rails extra parameters like utf8 , authenticity_token , _method before submitting to payfort