    Juraj Ďurech
    @hvge
    That should not work. You're doing something wrong :) If you look at the library source code, the function directly compares the fingerprint you provide against the one stored in the cert store
    Basically, if you look closely at how all those validate() functions work, then you'll understand that encoding with .utf8 makes no sense. For example, validate(challenge:) gets raw certificate bytes, encoded in DER format. The format is not important. The important thing is that it's just a sequence of bytes. Then we'll calculate a hash from that sequence in validate(commonName: certificateData:) and then it falls at the bottom, to the function you're asking for.
    Juraj Ďurech
    @hvge
    There's no UTF-8 encoding at all
    You can look at the library's unit tests to understand what's behind the scenes. For example, run and debug the following test in Xcode and try to understand what's going on :) https://github.com/wultra/ssl-pinning-ios/blob/develop/Tests/CertStoreTests_Network.swift
    Oleg Semen
    @semenoh
    Hi
    Is it possible to exclude some names from pinning?
    Or specify only the names that should be pinned?
    In my case images are stored on AWS and they do not appear in the UI as they are under an Amazon certificate.
    I'm talking about ssl pinning on android https://github.com/wultra/ssl-pinning-android
    Petr Dvořák
    @petrdvorak
    We do not determine what URLs are pinned - this is your code that does that. We only provide you an updatable store of certificate fingerprints.
    Therefore, your code should look something like:
    if (pinnedUrlSet.contains(currentRequest.getUrl())) {
        // CertStore.validate(...)
    }
    // super.validateUsingDefaultSystemValidations()
    Oleg Semen
    @semenoh
    Thanks
    PaholykS
    @riko105
    Hi there!
    Does the library support self-signed fingerprints chain validation?
    @hvge Thanks for the specification. Already got it, works with auth challenge validation)
    I noticed that ASCII format works when we need to convert String fallback fingerprint representation into raw Data
    Juraj Ďurech
    @hvge
    Well, it basically doesn't matter. What we do is simply find the certificate hash in a locally cached database. If it's a hash of a self-signed certificate, then yes, it does. I would not recommend doing this, unless it's a certificate of a non-production server (like dev servers, test servers, etc...)
    Juraj Ďurech
    @hvge

    About that conversion... In our example, that fallback data and ASCII works, because we expect a JSON formatted sequence of bytes (with no UTF-8 chars at all). If I remember that correctly, then what you have asked before was a conversion to data required for a certificate validation. I'm not sure whether ASCII will work there either. That's a completely different situation.

    Put an example code snippet here (I prefer a link to gist.github.com) and then we can talk about details.

    The certificate is typically in DER format (I'm pretty sure that's the case on both platforms). It's a binary format but what's important, we don't care about that. We just calculate a hash from that data and that is supposed to be in the database, managed by our library. (DER format https://en.wikipedia.org/wiki/X.690#DER_encoding)
    PaholykS
    @riko105
    @hvge Regarding encoding, yes, I was talking in a different context, my fault )
    Returning to the question about the self-signed comparison. I was pretty sure that you just compare the data of the fingerprint, so the "authority" didn't take part in the data comparison.
    So I'm sure something like an authority whitelist in the framework is absent, if the answer to my previous question is yes
    Juraj Ďurech
    @hvge
    @riko105 SSL certificate pinning is simply only about checking whether the certificate, received during the TLS handshake, is expected and known. We don't provide "authority", or any additional analysis of that certificate data. That's usually a function provided by the operating system. So, our library is doing just what's promised in the description - it simply manages a list of known hashes in a secure way (e.g. it's difficult to inject an attacker's hash) and allows your application to ask that database whether the certificate is known or not.
    Juraj Ďurech
    @hvge
    Typically, if our library says "it's expected", then you should continue with the TLS handshake as usual and the operating system will do the rest of the validation for you. If you're validating a self-signed certificate in this way, then you have to tell the OS, "It's OK, I trust this certificate". As I said before, you should not use this technique on production servers.
    That's how it works on iOS. I'm not an Android expert, but I guess that it works like this in a very similar way.
    Michał Grzelak
    @michalgrzelak
    Morning guys, in the first diagram in the tutorial at this link: https://developers.wultra.com/docs/develop/wultra-docs/tutorials/Authentication-in-Mobile-Apps/Server-Side-Tutorial you described a case with adding a mobile device based on a QR code generated by Internet Banking. What about a situation where a mobile app is the only banking app, without a web app? How will this look?
    Petr Dvořák
    @petrdvorak
    @michalgrzelak Then you can use “custom credentials” flow and use, i.e., username, password and SMS OTP.
    If you would like some further assistance or intro, feel free to book a slot here: https://calendly.com/wultra/e-meeting
    Michał Grzelak
    @michalgrzelak
    @petrdvorak thanks a lot, we started building a banking app with your PowerAuth libraries, and a couple or maybe tons of questions will appear in the next weeks.
    Petr Dvořák
    @petrdvorak
    👍 Excellent, sounds awesome and definitely let's talk more about this - we at least need to check if our OSS license is sufficient for you or if you might need a commercial software license for production.
    Petr Dvořák
    @petrdvorak
    (Of course, for development, pilot experiments or even an early production, OSS is good enough...)
    Michał Grzelak
    @michalgrzelak
    @petrdvorak Do you have experience combining your libraries with Evernym? https://www.evernym.com/
    Petr Dvořák
    @petrdvorak
    @michalgrzelak Hello, unfortunately not - banks that we mostly work with use different (usually proprietary) identity management systems...
    Paweł Kunat
    @pkunat
    Hi, I have a question about mobile activation. As @michalgrzelak mentioned, we don't have a web version of our app, so we're using custom activation using a 6-digit activation code sent over SMS. The question I wanted to ask is, do we have to implement logic related to limiting retries and code expiry on our side or can we somehow use your server for this? The pa_activation table seems to contain everything that's needed, but the values seem to be ignored during custom activation. Also, I'm not sure what the valid values for activation_otp_validation are (other than NONE = 0), I couldn't find any documentation for that.
    Juraj Ďurech
    @hvge
    Hi @pkunat, check additional OTP in our activation process - https://developers.wultra.com/docs/2020.11/powerauth-crypto/Additional-Activation-OTP
    Petr Dvořák
    @petrdvorak
    @pkunat Let’s organize a call. I think @hvge misunderstood your use-case since without the web part, our activation OTP is useless for you and you need to go with activation via custom attributes.
    Generally, in case you use custom attributes for activation, you need to handle custom attributes lifecycle.
    Michał Grzelak
    @michalgrzelak
    @petrdvorak we have a plan to implement the first iteration until the coming Friday, and then we'll definitely ask for a call with you, for a review of our approach.
    I have another question:
    image.png
    are those methods available from the ReactNative SDK?
    Petr Dvořák
    @petrdvorak
    Hello @michalgrzelak, I don’t think so - the non-native wrappers generally contain just a subset of methods to cover the most frequent use-cases. What is your use-case for the encryptors?
    Michał Grzelak
    @michalgrzelak
    Let me draw a diagram quickly to present the flow that we want to achieve.
    Michał Grzelak
    @michalgrzelak
    image.png
    The flow which we want to achieve, more or less
    This flow presents the situation after activation, key exchange etc. (...)
    Michał Grzelak
    @michalgrzelak
    and the question is: can I achieve encryption/decryption of every request/response with the current react-native-powerauth-mobile-sdk release?
    Petr Dvořák
    @petrdvorak
    Hello @michalgrzelak, this is not something that we would recommend. Our end-to-end encryption is used for one-off data transfers, for example, only when sending the payment data or during activation. This is because of the infrastructure setup: Your proxy server would need to call PAS for every single request/response cycle and this is just not feasible from the performance perspective.
    To fortify network communication, we recommend either using certificate/public key pinning, or using some gateway that is designed to handle the traffic (F5, etc.).

    Regarding the pinning approach: You can either use static pins and handle app updates, or deploy a dynamic SSL pinning solution, i.e.:

    https://developers.wultra.com/docs/develop/mobile-utility-server/index
    https://developers.wultra.com/docs/develop/ssl-pinning-android/index
    https://developers.wultra.com/docs/develop/ssl-pinning-ios/index