转自:http://cloudfields.net/blog/ios-push-notifications-encryption/

The serious pains of setting up a Remote Push Notification in an iOS app come not from coding the app itself. They mostly relate in making the intermediate environment to connect with the Apple Push Notification Servers (APNS) and the security behind it…

I will not refer to anything specific to the xCode or Obj-C coding of Push Notifications here.  A very nice and simple implementation for Apple Push Notifications management is the  PHP-Mysql—Apple-Push-Notification-Server developed by Benjamin Ortuzar. What I’m covering in this post refers on how to create the encryption .pem files needed for the management system to communicate with the APNS.

If you decide not to use Benjamin Ortuzar’s system and go on making your own instead, you’ll probably need all the same the encryption files covered here. If on the other hand you choose to use a service providing Push Notifications like Urban Airship, you won’t need anything from below.

Things taken for granted in this post:

  1. You already have a Apple Developer ID,
  2. You have already setup the App ID and enabled it for Push Notifications,
  3. You have created the development and production certificate for Push Notifications for your app,
  4. You have the private key in your keychain (it must be there since its needed for the certificate creation above).

All we need is 2 files:

  1. the private key .p12 file (let’s call it pkey.p12). This can be found in the Keys section of the OSX keychain. Right click on it, select export, enter the filename in .p12 file format and enter its password.
  2. the SSL certificate (let’s call this sslcert.cer). For this post, I’m using the development certificate and this can be either downloaded from the Developer Connection website (same page where you created it) or you can simply drag and drop it to Finder/Desktop from the My Certificates section in the keychain.

Having done the above, open Ternimal in a Mac OSX. A Linux distribution with openssl installed will do the job as well (100% compatible and tested on Fedora Core 18). If your Linux doesn’t have openssl, type

sudo yum install openssl

for RedHat-type distributions or

sudo apt-get install openssl

for Debian.

Step 1: The Certificate

At first we need to convert the sslcert.cer to a .pem format the APNS will understand. Just type in Terminal:

$ openssl x509 -inform der -in sslcert.cer -out certificate.pem

and let’s call the output file certificate.pem.

Step 2: The Private Key

Same must be done for the private key. This is a bit more complex as it involves a security pass phrase. Again on Terminal:

$ openssl pkcs12 -nocerts -in pkey.p12 -out pkey.pem

You will be asked to enter the password protecting the pkey.p12 file and then enter a pass phrase that will protect the output pem file. We call the output pkey.pem and we’ll use it later on. Type the password, type the pass phrase, remember the pass phrase and let’s proceed…

Step 3: Merging the pem

Where we need to merge the two files into a single pem file. Extremely simple:

$ cat certificate.pem pkey.pem > apn_cert.pem

The created apns_cert.pem file will have the same pass phrase entered in step 2 and is the file needed for communication with the APNS servers.

At this point, the only thing left is to test if the file is correct.

Step 4: Testing

So far, the required pem file for the APNS communication is ready but we need to test it. The openssl command provides this as well. Since we used the development certificate on this post, we are going to test the sandbox APNS using this command:

$ openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert apns_cert.pem -key apns_cert.pem

And type the pass phrase again. After that, if all is done correctly, the connection will open with a wall of text letting you know what is going on. Typing a couple of characters, it will disconnect which is normal. If there is an error in the file, openssl will give an error message and you’ll have to read the whole wall of text to find what went wrong.

An indication of a successful connection will look something like this:

CONNECTED(00000003)

depth=2 O = Entrust.net, OU = www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), OU = (c) 1999 Entrust.net Limited, CN = Entrust.net Certification Authority (2048)

verify return:1

depth=1 C = US, O = "Entrust, Inc.", OU = www.entrust.net/rpa is incorporated by reference, OU = "(c) 2009 Entrust, Inc.", CN = Entrust Certification Authority - L1C

verify return:1

depth=0 C = US, ST = California, L = Cupertino, O = Apple Inc., OU = iTMS Engineering, CN = gateway.sandbox.push.apple.com

verify return:1

---

Certificate chain

0 s:/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=iTMS Engineering/CN=gateway.sandbox.push.apple.com

i:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C

1 s:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C

i:/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)

---

Server certificate

-----BEGIN CERTIFICATE-----

where the certificate data are printed and then:

-----END CERTIFICATE-----

subject=/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=iTMS Engineering/CN=gateway.sandbox.push.apple.com

issuer=/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C

---

No client certificate CA names sent

---

SSL handshake has read 4318 bytes and written 2172 bytes

---

New, TLSv1/SSLv3, Cipher is AES256-SHA

Server public key is 2048 bit

Secure Renegotiation IS supported

Compression: NONE

Expansion: NONE

SSL-Session:

Protocol : TLSv1

Cipher : AES256-SHA

Session-ID: D85E15E39624323B4EBA268214077587711A2EEC4FB083C7F79435EC1A0E58EC

Session-ID-ctx:

Master-Key: D433A396CE2FCF8C97C2E53B1C4F08BFAB738D343D5D4E69D2F6E42268A67EB490AFA554FA59FB4337F7FFA34AFC0A3A

Key-Arg : None

Krb5 Principal: None

PSK identity: None

PSK identity hint: None

TLS session ticket:

followed by the ticket data.

Finally, with the pem file created, you can use it in any application or system you have developed or used to manage Push Notifications. Copy it where it needs to be and start sending…

(转)pem, cer, p12 and the pains of iOS Push Notifications encryption的更多相关文章

  1. Send Push Notifications to iOS Devices using Xcode 8 and Swift 3, APNs Auth Key

    Send Push Notifications to iOS Devices using Xcode 8 and Swift 3 OCT 6, 2016 Push notifications are ...

  2. 实战p12文件转pem文件

    1.首先生成一个ssl的证书 选择app IDS 后实现下面这个(这里不详细说明怎么生成了) 点击Download按钮,我就下载Development的ssl证书,下载成功后,双击运行,会打开钥匙串程 ...

  3. (转)实战p12文件转pem文件

    需要实现这个功能的一般都是app开发证书不支持通配符(即com.xxx.xxx.xxx格式),在业务需求上类似消息推送这样的业务. 1.首先生成一个ssl的证书 选择app IDS 后实现下面这个(这 ...

  4. pem文件转p12

    p12->pem cer.p12: openssl pkcs12 -clcerts -nokeys -out cer.pem -in cer.p12 key.p12: openssl pkcs1 ...

  5. iOS推送证书转pem文件

    iOS推送证书转 .pem文件. 推送证书转pem文件openssl x509 -in apns_miaobozhibo.cer -inform der -out apns_miaobozhibo.p ...

  6. Atitti.数字证书体系cer pfx attilax总结

    Atitti.数字证书体系cer pfx attilax总结 一.数字证书常见标准 1 数字证书文件格式(cer和pfx)的区别: 1 二.数字证书存储内容 2 X.509是一种非常通用的证书格式. ...

  7. c#上iOS apns p12文件制作记录 iOS推送证书制件

    前期一些准备工作可参考:http://jingyan.baidu.com/article/7082dc1c6bb86de40a89bd1a.html 1.在桌面上建一个"apns_p12&q ...

  8. c#上iOS apns p12文件制作记录

    1.在桌面上建一个"apns_p12"文件夹,所有的保存和生成文件都放在这里 2.从钥匙串中生成CertificateSigningRequest.certSigningReque ...

  9. iOS 推送证书生成pem

    cert: openssl x509 -in aps_development\ \(8\).cer -inform der -out pushDeveCerTopem.pem key: openssl ...

随机推荐

  1. windows下配置两个或多个Tomcat启动的方法

    确保window的环境变量中找不到CATALINA_HOME和CATALINA_BASE 修改server.xml,用解压版的tomcat,不要用安装版的. 1.修改http访问端口 conf下的se ...

  2. checkbox遍历操作, 提交所有选中项的值

    <div class="content_list pad_10 hidden" > <h3>修改可配送地区</h3> <input typ ...

  3. wildfly部署solr.war

    1.添加solr/home配置,有两种途径: 一个是修改solr.war包的web.xml,路径如下:solr-4.7.2.rar\WEB-INF\web.xml,添加如下内容:

  4. MSSQL 字符串替换语句

    MSSQL替换语句:update 表名 set 字段名=replace(cast(字段名 as varchar(8000)),'abc.com','123.com')例如:update PE_Arti ...

  5. vsftp关于"550 create directory operation failed"问题解决

    前提: 昨天晚上配置好了vsftp, 但登陆后,除了浏览,什么也干不了.(如新建文件/文件夹, 删除文件, 重命名等都不可操作) 都是弹出 "550 create directory ope ...

  6. 2013中国大数据技术大会——BDTC2013

    阿里飞天平台总架构师唐洪分享了飞天开放平台. 飞天平台特点:同时支持在线和离线应用:安全控制:分布式部署,监控和诊断:无单点故障,可用性99.9%:数据3副本,数据可靠性“10个9”. 阿里飞天平台总 ...

  7. JQuery操作下拉框 select

    要实现这种效果: html代码 1<script src="js/jquery-1.7.2.min.js"></script> 2 <table> ...

  8. php经典面试题

    1. 用PHP打印出前一天的时间,打印格式是2007年5月10日 22:21:21 2. PHP代码如下:$a="hello"; $b=&$a;unset($b);$b=& ...

  9. await使用中的阻塞和并发

    本文讨论,通过将Lambda还原成最普通的代码段,来解释上篇提出的疑问.并更正上篇中一些不太正确的写法.最后会给出无需等待Async方法返回值时,对Async方法使用await的建议,供大家参考.第一 ...

  10. C程序设计语言练习题1-17

    练习1-17 编写一个程序,打印长度大于80个字符的所有输入行. 代码如下: #include <stdio.h> // 包含标准库的信息. #define MAXROW 10 // 最大 ...