转自:http://cloudfields.net/blog/ios-push-notifications-encryption/

The serious pains of setting up a Remote Push Notification in an iOS app come not from coding the app itself. They mostly relate in making the intermediate environment to connect with the Apple Push Notification Servers (APNS) and the security behind it…

I will not refer to anything specific to the xCode or Obj-C coding of Push Notifications here.  A very nice and simple implementation for Apple Push Notifications management is the  PHP-Mysql—Apple-Push-Notification-Server developed by Benjamin Ortuzar. What I’m covering in this post refers on how to create the encryption .pem files needed for the management system to communicate with the APNS.

If you decide not to use Benjamin Ortuzar’s system and go on making your own instead, you’ll probably need all the same the encryption files covered here. If on the other hand you choose to use a service providing Push Notifications like Urban Airship, you won’t need anything from below.

Things taken for granted in this post:

  1. You already have a Apple Developer ID,
  2. You have already setup the App ID and enabled it for Push Notifications,
  3. You have created the development and production certificate for Push Notifications for your app,
  4. You have the private key in your keychain (it must be there since its needed for the certificate creation above).

All we need is 2 files:

  1. the private key .p12 file (let’s call it pkey.p12). This can be found in the Keys section of the OSX keychain. Right click on it, select export, enter the filename in .p12 file format and enter its password.
  2. the SSL certificate (let’s call this sslcert.cer). For this post, I’m using the development certificate and this can be either downloaded from the Developer Connection website (same page where you created it) or you can simply drag and drop it to Finder/Desktop from the My Certificates section in the keychain.

Having done the above, open Ternimal in a Mac OSX. A Linux distribution with openssl installed will do the job as well (100% compatible and tested on Fedora Core 18). If your Linux doesn’t have openssl, type

sudo yum install openssl

for RedHat-type distributions or

sudo apt-get install openssl

for Debian.

Step 1: The Certificate

At first we need to convert the sslcert.cer to a .pem format the APNS will understand. Just type in Terminal:

$ openssl x509 -inform der -in sslcert.cer -out certificate.pem

and let’s call the output file certificate.pem.

Step 2: The Private Key

Same must be done for the private key. This is a bit more complex as it involves a security pass phrase. Again on Terminal:

$ openssl pkcs12 -nocerts -in pkey.p12 -out pkey.pem

You will be asked to enter the password protecting the pkey.p12 file and then enter a pass phrase that will protect the output pem file. We call the output pkey.pem and we’ll use it later on. Type the password, type the pass phrase, remember the pass phrase and let’s proceed…

Step 3: Merging the pem

Where we need to merge the two files into a single pem file. Extremely simple:

$ cat certificate.pem pkey.pem > apn_cert.pem

The created apns_cert.pem file will have the same pass phrase entered in step 2 and is the file needed for communication with the APNS servers.

At this point, the only thing left is to test if the file is correct.

Step 4: Testing

So far, the required pem file for the APNS communication is ready but we need to test it. The openssl command provides this as well. Since we used the development certificate on this post, we are going to test the sandbox APNS using this command:

$ openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert apns_cert.pem -key apns_cert.pem

And type the pass phrase again. After that, if all is done correctly, the connection will open with a wall of text letting you know what is going on. Typing a couple of characters, it will disconnect which is normal. If there is an error in the file, openssl will give an error message and you’ll have to read the whole wall of text to find what went wrong.

An indication of a successful connection will look something like this:

CONNECTED(00000003)

depth=2 O = Entrust.net, OU = www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), OU = (c) 1999 Entrust.net Limited, CN = Entrust.net Certification Authority (2048)

verify return:1

depth=1 C = US, O = "Entrust, Inc.", OU = www.entrust.net/rpa is incorporated by reference, OU = "(c) 2009 Entrust, Inc.", CN = Entrust Certification Authority - L1C

verify return:1

depth=0 C = US, ST = California, L = Cupertino, O = Apple Inc., OU = iTMS Engineering, CN = gateway.sandbox.push.apple.com

verify return:1

---

Certificate chain

0 s:/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=iTMS Engineering/CN=gateway.sandbox.push.apple.com

i:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C

1 s:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C

i:/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)

---

Server certificate

-----BEGIN CERTIFICATE-----

where the certificate data are printed and then:

-----END CERTIFICATE-----

subject=/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=iTMS Engineering/CN=gateway.sandbox.push.apple.com

issuer=/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C

---

No client certificate CA names sent

---

SSL handshake has read 4318 bytes and written 2172 bytes

---

New, TLSv1/SSLv3, Cipher is AES256-SHA

Server public key is 2048 bit

Secure Renegotiation IS supported

Compression: NONE

Expansion: NONE

SSL-Session:

Protocol : TLSv1

Cipher : AES256-SHA

Session-ID: D85E15E39624323B4EBA268214077587711A2EEC4FB083C7F79435EC1A0E58EC

Session-ID-ctx:

Master-Key: D433A396CE2FCF8C97C2E53B1C4F08BFAB738D343D5D4E69D2F6E42268A67EB490AFA554FA59FB4337F7FFA34AFC0A3A

Key-Arg : None

Krb5 Principal: None

PSK identity: None

PSK identity hint: None

TLS session ticket:

followed by the ticket data.

Finally, with the pem file created, you can use it in any application or system you have developed or used to manage Push Notifications. Copy it where it needs to be and start sending…

(转)pem, cer, p12 and the pains of iOS Push Notifications encryption的更多相关文章

  1. Send Push Notifications to iOS Devices using Xcode 8 and Swift 3, APNs Auth Key

    Send Push Notifications to iOS Devices using Xcode 8 and Swift 3 OCT 6, 2016 Push notifications are ...

  2. 实战p12文件转pem文件

    1.首先生成一个ssl的证书 选择app IDS 后实现下面这个(这里不详细说明怎么生成了) 点击Download按钮,我就下载Development的ssl证书,下载成功后,双击运行,会打开钥匙串程 ...

  3. (转)实战p12文件转pem文件

    需要实现这个功能的一般都是app开发证书不支持通配符(即com.xxx.xxx.xxx格式),在业务需求上类似消息推送这样的业务. 1.首先生成一个ssl的证书 选择app IDS 后实现下面这个(这 ...

  4. pem文件转p12

    p12->pem cer.p12: openssl pkcs12 -clcerts -nokeys -out cer.pem -in cer.p12 key.p12: openssl pkcs1 ...

  5. iOS推送证书转pem文件

    iOS推送证书转 .pem文件. 推送证书转pem文件openssl x509 -in apns_miaobozhibo.cer -inform der -out apns_miaobozhibo.p ...

  6. Atitti.数字证书体系cer pfx attilax总结

    Atitti.数字证书体系cer pfx attilax总结 一.数字证书常见标准 1 数字证书文件格式(cer和pfx)的区别: 1 二.数字证书存储内容 2 X.509是一种非常通用的证书格式. ...

  7. c#上iOS apns p12文件制作记录 iOS推送证书制件

    前期一些准备工作可参考:http://jingyan.baidu.com/article/7082dc1c6bb86de40a89bd1a.html 1.在桌面上建一个"apns_p12&q ...

  8. c#上iOS apns p12文件制作记录

    1.在桌面上建一个"apns_p12"文件夹,所有的保存和生成文件都放在这里 2.从钥匙串中生成CertificateSigningRequest.certSigningReque ...

  9. iOS 推送证书生成pem

    cert: openssl x509 -in aps_development\ \(8\).cer -inform der -out pushDeveCerTopem.pem key: openssl ...

随机推荐

  1. Gamit的安装

    --2017-1-6修正 我这里用的是Gamit10.5,系统是Ubunt 14. 1:获取root权限(仅针对装好Ubunt后没有修改过root密码的用户,如果修改过密码,但是忘掉了,则请进入单用户 ...

  2. h5 canvas

    概述 Canvas API(画布)用于在网页实时生成图像,并且可以操作图像内容,基本上它是一个可以用JavaScript操作的位图(bitmap). 使用前,首先需要新建一个canvas网页元素. & ...

  3. css ie hack整理

    网上有很多关于ie hack的文章,可能由于文章发布后ie的版本还在升级.所以导致有些hack写法已经不适用了.以下是本人整理的ie6-11的一些hack常用写法.(以下默认文档模式为标准模式) 1. ...

  4. Shell中IFS用法

    一 .IFS的介绍    Shell 脚本中有个变量叫IFS(Internal Field Seprator) ,内部域分隔符.完整定义是The shell uses the value stored ...

  5. egrep和grep有什么区别

    grep默认不支持正则表达式,egrep默认支持正则表达式,egrep 等于 grep -E 命令.

  6. msi软件包无法安装

    安装某些msi软件包,提示“This advertised application will not be installed because it might be unsafe. Contact ...

  7. 您为这个网络适配器输入的IP地址xxx.xxx.xxx.xx已经分配给另一个适配器xxx...

    您为这个网络适配器输入的IP地址xxx.xxx.xxx.xx已经分配给另一个适配器‘xxx NIC’.... 2008年11月03日 星期一 08:51 问题现象:   在网卡的TCP/IP属性中无法 ...

  8. iOS 改变UITextField中光标颜色

    第一种: [[UITextField appearance] setTintColor:[UIColor blackColor]]; 这个方法会影响整个app的所有UITextFiled... 第二种 ...

  9. oracle查询blob类型

    下午要查询一个数据,要求是从 表t_report 中查找出 mainbody字段中包含“hibernate”字符串的所有信息.而mainbody字段是blob类型.百度后终于找到答案: DBMS_LO ...

  10. libusb简介

    概述 libusb是一个C库,它提供了通用的访问USB设备. 它的目的是供开发人员使用方便的生产与USB通信硬件的应用程序. 可移植的: 使用一个跨平台API,它提供了访问USB设备在Linux上,O ...