Offline revocation mode - x509certificate2

My question is similar to this question.
I am trying to check revocation list only using the local CRL.
I am using X509Chain.Build() with the following parameters:
var chainMachine = new X509Chain(true);
chainMachine.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
chainMachine.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(30);
chainMachine.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
chainMachine.ChainPolicy.VerificationTime = DateTime.Now;
chainMachine.ChainPolicy.RevocationMode = X509RevocationMode.Offline;
But I get the following errors:
RevocationStatusUnknown => The revocation function is unable to check revocation for the certificate.
OfflineRevocation => The revocation function was unable to check revocation for the certificate because the revocation server is offline.
The weird thing is that once I try to check the revocation list online (as a result the CRL will be updated), the issue is resolved. So it looks like once there is anything in the cache the issue cannot be reproduced anymore.
I thought that maybe the error message is incorrect and what actually happens is that when the cache is empty there is some exception that causes this message to pop up.
Another option is that maybe there is some flag saying whether the cache has been updated at some time, and if it has never been updated it tries to get the info from an outside server.
Can anyone point out what the reason for this issue is?

X509RevocationMode.None: Do not check CRLs or OCSP.
X509RevocationMode.Offline: If a CRL is cached and still valid, use it for revocation. Otherwise, if the certificate should have had revocation checked (depending on EntireChain/ExcludeRoot/EndCertificateOnly), report OfflineRevocation|RevocationStatusUnknown. (OCSP responses may also be cached if their nextUpdate value suggests to; but I'm not sure if it does or not.)
X509RevocationMode.Online: If an OCSP endpoint is described in the certificate perform an OCSP check. If OCSP does not yield a conclusive answer and a CRL Distribution Point is defined, check the cache for the CRL. If it is valid, use it as the basis of revocation; otherwise download the CRL and cache it. If all attempts to find a revocation status fail, set RevocationStatusUnknown.
Offline mode is tricky, due to CRL expiration. Even if you just did an Online request an hour ago, it doesn't mean that Offline will work now. The best use I can think of for it is making the happy path fast; and if you get any errors other than RevocationStatusUnknown or OfflineRevocation then consider the chain failed... but either of those means ask again with Online mode.
(As can be determined via http://referencesource.microsoft.com, Offline corresponds to CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY, which is about as sparsely documented at https://msdn.microsoft.com/en-us/library/windows/desktop/aa376078(v=vs.85).aspx, but perhaps the "Check Cache Only" part is more enlightening)
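The Offline-first, Online-fallback strategy described in the answer above, written out as an added example in C#. This is not code from the original post or from .NET itself; it reuses the chain policy from the question and only the public X509Chain API. The one judgement call is which status flags count as "the cache could not answer" (retry online) versus "the chain is bad" (stop): RevocationStatusUnknown and OfflineRevocation are treated as cache misses, anything else as a failure.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

// Added example (not from the original post): build with the cache-only (Offline)
// revocation mode first, and go to the network only if the cache could not decide.
public static class RevocationCheck
{
    // Flags that mean "no cached answer", as opposed to "certificate or chain is bad".
    private const X509ChainStatusFlags CacheMissFlags =
        X509ChainStatusFlags.RevocationStatusUnknown | X509ChainStatusFlags.OfflineRevocation;

    // Returns true if the chain built and revocation was checked; status holds the
    // ChainStatus of the last attempt so callers can log why it failed.
    public static bool BuildWithRevocation(X509Certificate2 cert, out X509ChainStatus[] status)
    {
        // Happy path: a fresh CRL (or OCSP response) is already in the cache.
        if (TryBuild(cert, X509RevocationMode.Offline, out status))
            return true;

        bool onlyCacheMiss = true;
        foreach (X509ChainStatus s in status)
        {
            // Any flag outside the cache-miss set (expired, untrusted root, revoked, ...)
            // is a real verdict; retrying online would not change it.
            if ((s.Status & ~CacheMissFlags) != X509ChainStatusFlags.NoError)
                onlyCacheMiss = false;
        }
        if (!onlyCacheMiss)
            return false;

        // Cache was empty or the CRL is past its nextUpdate: fetch it and cache it.
        return TryBuild(cert, X509RevocationMode.Online, out status);
    }

    private static bool TryBuild(X509Certificate2 cert, X509RevocationMode mode,
                                 out X509ChainStatus[] status)
    {
        using (var chain = new X509Chain(true))   // machine context, as in the question
        {
            chain.ChainPolicy.RevocationMode = mode;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
            chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(30);
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
            chain.ChainPolicy.VerificationTime = DateTime.Now;

            bool ok = chain.Build(cert);
            status = chain.ChainStatus;
            return ok;
        }
    }
}
```

Because Offline maps to CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY, the first call never touches the network, so the 30-second UrlRetrievalTimeout only matters on the fallback. If the Online attempt still comes back with RevocationStatusUnknown, treat the chain as failed rather than retrying in a loop.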

Related

swift - Sign in With Apple "Sign Up not completed" error

Made all the setup for sign in with apple, but when pressing on continue and passing Face ID check I am getting "Sign Up not completed" error. However, no error is thrown to the delegate.
Then I tried to create a test project with my friend's Paid developer account and everything was fine, no errors. I haven't connected to the API, just trying to print Email and Fullname.
May be something is wrong with my company's Developer account?
I had the same issue. I did the following and it was working fine.
Go to developer apple and choose app's bundle id
Remove Sign In With Apple and save
Again go to your app's bundle id and add Sign In With Apple and save.
Hope this works!
I had created Auth Key with Apple Sign selected in which is never used. When I remove the unused Auth Key it worked.
I recently encountered this error and the root problem turned out to be some back-end data problem with my Apple account.
I ultimately had to raise an Apple Technical Support Request, generate some debug information for them, and then they ultimately fixed their back-end data for my account. The overall process took just under three weeks.
For me the reason was that I was using my bundle id in the place where the Apple services ID should be entered in the Cognito user pool.
As suggested on this SO thread, this is sometimes an issue on Apple's end. I have tested with Apple's own project from the documentation and ran into the same issue.
I reached out to Apple DTS support and they replied the following:
The underlying issue was unexpected. We have confirmed the issue was caused by an internal data feed sync operation and was resolved today.
So in my case, the issue went away after 2 days without any changes.
Sometimes, it just takes 2 days on Apple's side to process everything.
Spare yourself the hassle and just wait it out. If you have followed their documentation you did everything right:
https://help.apple.com/xcode/mac/11.0/#/dev50571b902
Just go to your project's signing capabilities, click + and add Sign in with Apple:
Add the SignInWithApple Button:
import AuthenticationServices
...
SignInWithAppleButton(.signUp) { request in
    request.requestedScopes = [.fullName, .email]
} onCompletion: { result in
    switch result {
    case .success(let authResults):
        handleSuccess(authorization: authResults)
    case .failure(let error):
        logger.error("SIWA login failure: \(error)")
    }
}
.signInWithAppleButtonStyle(.white)

Error when downloading Apple Pass in Chrome for iOS

Issue with downloading Apple Pass on an iPhone device using Chrome and Firefox. It works fine on Safari. On Chrome for iOS it says:
Sorry, your Pass cannot be installed to Passbook at this time.
For Firefox it says:
Failed to Add Pass An error occurred while adding the pass to Wallet. Please try again later.
I tried just downloading the Apple Pass from a desktop browser and it downloads and I can install it fine on an iPhone/simulator which I'm assuming is not a problem with the pass itself but maybe rather something I'm missing in the response.
Here is the code I'm using to return the Apple Pass.
private void ReturnResponse(byte[] applePass)
{
    Response.Clear();
    // Tell the browser to treat the body as a downloadable .pkpass file
    Response.AddHeader("content-disposition", string.Format("attachment; filename={0}", "sample.pkpass"));
    Response.ContentType = "application/vnd.apple.pkpass";
    Response.BinaryWrite(applePass);
    Response.End();
}
Expected result:
Apple Pass opens and allows the user to add it to their Apple Wallet.
I realise this question is over a year and a half old, but this is still an issue as of March 2021. After a lot of trial and error we managed to get it working on Chrome & Firefox. Our specific issue was that the request has to be a GET, and we had a form before the Pass was downloaded that submitted as a POST. Once we changed the form to submit a GET the issue was resolved.
We tried to keep the POST and return a 201, which feels correct, but the issue persisted.
Changing our request method from a POST to a GET when serving the pkpass made it possible to download the pass using Google Chrome for Mobile on an iOS device.
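A GET-only handler for serving the .pkpass, as an added example in C# for classic ASP.NET (System.Web), matching the Response.BinaryWrite style of the question. This is not the poster's code: the PassHandler class, the `id` query parameter and the App_Data/passes folder are assumptions for illustration. Besides refusing non-GET requests as the answer above recommends, it restricts the file name so the parameter cannot be used to read files outside the passes folder.

```csharp
using System;
using System.IO;
using System.Text.RegularExpressions;
using System.Web;

// Added example, not the original poster's code: serve a .pkpass only in response
// to GET, with a whitelisted id so the request cannot escape the passes directory.
public class PassHandler : IHttpHandler
{
    // Hypothetical id format: short, alphanumeric, no path separators or dots.
    private static readonly Regex SafeId = new Regex("^[A-Za-z0-9_-]{1,64}$", RegexOptions.Compiled);

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpRequest request = context.Request;
        HttpResponse response = context.Response;

        // Chrome/Firefox on iOS only hand the pass to Wallet when it is the
        // response to a GET, so refuse a POSTed form instead of returning a pass
        // the browser will not install.
        if (!string.Equals(request.HttpMethod, "GET", StringComparison.OrdinalIgnoreCase))
        {
            response.StatusCode = 405;
            response.AppendHeader("Allow", "GET");
            return;
        }

        string id = request.QueryString["id"];
        if (id == null || !SafeId.IsMatch(id))
        {
            response.StatusCode = 400;
            return;
        }

        // App_Data is never served directly by IIS, so the signed passes live there
        // (assumed location) and only reach the client through this handler.
        string path = Path.Combine(context.Server.MapPath("~/App_Data/passes"), id + ".pkpass");
        if (!File.Exists(path))
        {
            response.StatusCode = 404;
            return;
        }

        byte[] applePass = File.ReadAllBytes(path);

        response.Clear();
        response.ContentType = "application/vnd.apple.pkpass";
        response.AppendHeader("Content-Disposition", "attachment; filename=\"" + id + ".pkpass\"");
        response.AppendHeader("Content-Length", applePass.Length.ToString());
        response.Cache.SetCacheability(HttpCacheability.NoCache);
        response.BinaryWrite(applePass);
        response.Flush();
        // Finish the request without the ThreadAbortException that Response.End() raises.
        context.ApplicationInstance.CompleteRequest();
    }
}
```

Register the handler for a path such as `pass.ashx` in web.config (system.webServer/handlers) and link to it with a plain anchor, for example `<a href="/pass.ashx?id=...">Add to Apple Wallet</a>`, so that the navigation is a GET.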
This is untested, but I have found this link which I feel might be related:
https://github.com/eymengunay/php-passbook/issues/73
It says that the anchor you are using to link to the pass should contain this attribute:
target="_system"
I have not tested this resolution myself.
I just bought 20 access passes from a website. The site had the option to "add to apple wallet". It worked fine for 19 of them and then on the very last one I got this same error.
I did not do anything different when trying to add the 20th one.
Wondering if there is a limitation with the number of passes you can add?... but why would it be limited to a random number like 19?

Firebase Firestore missing or insufficient permissions using Expo (React Native)

I've been using Firestore for a project that works fine in the browser, but when I port the code to Expo, running on an iOS 11.2 iPhone X in the simulator, it keeps raising Error: Missing or insufficient permissions.
Auth is working fine, and when I check the client in the Firestore collection object, the appropriate UID is set, and testing the same code in the browser, everything works perfectly (no permissions problem). What I'm trying to say is that I'm 95% certain that the issue is with the Firebase lib/react native/expo combination, rather than with my code. Especially since it seems that making a call to Firestore in the browser, there are headers set, but when debugging the call in Reactotron (from Expo), it looks like the call the Firebase lib is making has no headers at all.
I doubt it makes a difference, but here are my auth rules:
service cloud.firestore {
  match /databases/{database}/documents {
    match /UserData/{userID} {
      allow read, write: if request.auth.uid == userID;
    }
    match /MemberData/{userID} {
      allow read: if request.auth.uid == userID;
    }
  }
}
The call I was trying to make (and there is definitely data in the doc) is the following:
profile = (await UserDataCollection.doc(`${idToken.uid}`).get()).data();
I'm curious if anyone else has run into this problem, and if so, are there any workarounds to make Firestore work?
As per previous comments, downgrading to 4.6.2 seems to fix the issue. I'm not sure the exact root cause but the behaviour of how the auth headers are sent seem to have changed (so potentially something there?). I'll update my answer if I get time to investigate further. Happy for one of the Firebase team to contact me for my account details if they want to verify on their side.

CFNetwork SSLHandshake failed (-9806) only on 3G/4G (Not on Wifi)

I understand this question has been asked in a similar vein a couple of times, but this error is only occurring on a 3G/4G connection, and not on a wifi connection.
I've also added the appropriate NSExceptionDomains and keys to my info.plist file, as many other answers on here have suggested, and this error does not seem to go away.
I have:
NSTemporaryExceptionAllowsInsecureHTTPLoads = YES
NSThirdPartyExceptionRequiresForwardSecrecy = NO
NSTemporaryExceptionMinimumTLSVersion = 1.0
NSIncludesSubdomains = YES
I am trying to make HTTPS requests to an Amazon EC2 instance (Linux).
Finally fixed the problem. Turns out I was missing a "www" in front of the URL I was trying to access. The SSL certificate was registered with the "www" in the domain name, and this inconsistency was throwing an error.
This might also explain why the error only occurs on mobile data, but I'm not too clear on the specifics so maybe someone else can explain that.

redirect_uri_mismatch Unity Google API on iOS

I created an app in Unity with Google Play Leaderboard support. I could easily make it work on Android, then I moved to OSX to build it for iPhone too.
First I got a problem, that Apple won't accept any bundle identifier with the '_' character in it, but my Android app bundle identifier had 2 of them...
However I found out, that in the Google Developer Console I can link another app to my app (to use the same Leaderboard) for iOS too, so I was quite happy. Unfortunately this doesn't seem to work. I get the *redirect_uri_mismatch* error message every time I try to log in.
On Android I used the UnityGPGPlugin but as it didn't work for me on iOS, I tried the PlayGameServices too. In UnityGPGPlugin I could set only the Application ID, so I thought that's why it is not working. In the PlayGameServices plugin there are two fields, one for the Application ID and one for the Client ID that made it look like that's really what I need. Unfortunately the error is still present and I really don't know what I could do with it. Here is the well known message:
Error: redirect_uri_mismatch
Request Details
cookie_policy_enforce=false
scope=https://www.googleapis.com/auth/appstate
https://www.googleapis.com/auth/games
https://www.googleapis.com/auth/plus.login
https://www.googleapis.com/auth/plus.moments.write
https://www.googleapis.com/auth/plus.me
https://www.googleapis.com/auth/plus.profile.agerange.read
https://www.googleapis.com/auth/plus.profile.language.read
https://www.googleapis.com/auth/plus.circles.members.read
response_type=code
access_type=offline
redirect_uri= < my bundle identifier without '_' characters >:/oauth2callback
state=16885367
gpsdk=1.5.0
verifier=12647966
display=page
client_id=123456789123-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com
hl=en
The debug log contains only this:
2014-03-16 14:21:19.507 <my app>[1699:60b] GPGSAuthenticateWithCallback.
2014-03-16 14:21:19.509 <my app>[1699:60b] GPGSManager initializing and authenticating.
2014-03-16 14:21:19.512 <my app>[1699:60b] GPPSignIn initialized.
2014-03-16 14:21:19.514 <my app>[1699:60b] GPPSignIn attempting sign in now.
-> applicationWillResignActive()
-> applicationDidEnterBackground()
Does anyone know how could I solve this problem?
Thanks in advance!
Edit:
Maybe it wasn't obvious, but I have 2 bundle identifiers, both of them are linked to the same game service in Google Play Developer Console. The com.x.a_b_c belongs to the Android app, the com.x.abc belongs to the iOS app.
I was having redirect_uri_mismatch error while using UnityGPGPlugin. I was using "123456789123" as my Application ID instead of "123456789123-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx".
However, I manage to get through the Google Sign In page after changing all my setup to "123456789123-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" as my Application ID. Including the GPGApplicationID in Info.plist.
Sad to say that I am having another problem now, but at least that's how I manage to get through that error. :)
