    Petr Dvořák
    @petrdvorak
    We do not determine what URLs are pinned - this is your code that does that. We only provide you an updatable store of certificate fingerprints.
    Therefore, your code should look something like:
    if (pinnedUrlSet.contains(currentRequest.getUrl())) {
        // CertStore.validate(...)
    }
    // super.validateUsingDefaultSystemValidations()
    Oleg Semen
    @semenoh
    Thanks
    PaholykS
    @riko105
    Hi there!
    Does the library support self-signed fingerprints chain validation?
    @hvge Thanks for the specification. Already got it, works with auth challenge validation)
    I noticed that ASCII format works when we need to convert the String fallback fingerprint representation into raw Data
    Juraj Ďurech
    @hvge
    Well, it basically doesn't matter. What we do is simply find the certificate hash in a locally cached database. If it's a hash of a self-signed certificate, then yes, it does. I would not recommend doing this, unless it's a certificate of a non-production server (like dev servers, test servers, etc...)
    Juraj Ďurech
    @hvge

    About that conversion... In our example, that fallback data and ASCII works, because we expect a JSON formatted sequence of bytes (with no UTF-8 chars at all). If I remember that correctly, then what you asked before was about a conversion to the data required for certificate validation. I'm not sure whether ASCII will work there. That's a completely different situation.

    Put an example code snippet here (I prefer a link to gist.github.com) and then we can talk about details.

    The certificate is typically in DER format (I'm pretty sure of that on both platforms). It's a binary format, but what's important is that we don't care about that. We just calculate a hash from that data, and that is supposed to be in the database managed by our library. (DER format https://en.wikipedia.org/wiki/X.690#DER_encoding)
    PaholykS
    @riko105
    @hvge regarding the encoding, yes, I was talking in a different context, my fault )
    Returning to the question about the self-signed comparison. I was pretty sure that you just compare the data of the fingerprint, so the "authority" doesn't take part in the data comparison.
    So I'm sure something like an authority whitelist in the framework is absent, if the answer to my previous question is yes
    Juraj Ďurech
    @hvge
    @riko105 SSL certificate pinning is simply only about checking whether the certificate, received during the TLS handshake, is expected and known. We don't provide "authority", or any additional analysis of that certificate data. That's usually a function provided by the operating system. So, our library is doing just what's promised in the description - it simply manages a list of known hashes in a secure way (e.g. it's difficult to inject an attacker's hash) and allows your application to ask that database whether the certificate is known or not.
    Juraj Ďurech
    @hvge
    Typically, if our library says "it's expected", then you should continue with the TLS handshake as usual and the operating system will do the rest of the validation for you. If you're validating a self-signed certificate in this way, then you have to tell the OS "It's OK, I trust this certificate". As I said before, you should not use this technique on production servers.
    That's how it works on iOS. I'm not an Android expert, but I guess that it works in a very similar way there.
    Michał Grzelak
    @michalgrzelak
    Morning Guys, in the first diagram in the tutorial at the link https://developers.wultra.com/docs/develop/wultra-docs/tutorials/Authentication-in-Mobile-Apps/Server-Side-Tutorial you described a case with adding a mobile device based on a QR code generated by Internet Banking. What about a situation where the mobile app is the only banking app, without a web app? How will this look?
    Petr Dvořák
    @petrdvorak
    @michalgrzelak Then you can use “custom credentials” flow and use, i.e., username, password and SMS OTP.
    If you would like some further assistance or intro, feel free to book a slot here: https://calendly.com/wultra/e-meeting
    Michał Grzelak
    @michalgrzelak
    @petrdvorak thanks a lot, we started building a banking app with your PowerAuth libraries, and a couple or maybe tons of questions will appear in the next weeks.
    Petr Dvořák
    @petrdvorak
    👍 Excellent, sounds awesome and definitely let's talk more about this - we at least need to check if our OSS license is sufficient for you or if you might need a commercial software license for production.
    Petr Dvořák
    @petrdvorak
    (Of course, for development, pilot experiments or even an early production, OSS is good enough...)
    Michał Grzelak
    @michalgrzelak
    @petrdvorak Do you have experience with combining your libraries with Evernym? https://www.evernym.com/
    Petr Dvořák
    @petrdvorak
    @michalgrzelak Hello, unfortunately not - banks that we mostly work with use different (usually proprietary) identity management systems...
    Paweł Kunat
    @pkunat
    Hi, I have a question about mobile activation. As @michalgrzelak mentioned, we don't have a web version of our app, so we're using custom activation using a 6-digit activation code sent over sms. The question I wanted to ask is, do we have to implement logic related to limiting retries and code expiry on our side or can we somehow use your server for this? The pa_activation table seems to contain everything that's needed, but the values seem to be ignored during custom activation. Also, I'm not sure what the valid values for activation_otp_validation are (other than NONE = 0), I couldn't find any documentation for that.
    Juraj Ďurech
    @hvge
    Hi @pkunat, check additional OTP in our activation process - https://developers.wultra.com/docs/2020.11/powerauth-crypto/Additional-Activation-OTP
    Petr Dvořák
    @petrdvorak
    @pkunat Let’s organize a call. I think @hvge misunderstood your use-case since without the web part, our activation OTP is useless for you and you need to go with activation via custom attributes.
    Generally, in case you use custom attributes for activation, you need to handle custom attributes lifecycle.
    Michał Grzelak
    @michalgrzelak
    @petrdvorak we have a plan to implement the first iteration until the coming Friday, and then we'll definitely ask for a call with you, for a review of our approach.
    I have another question:
    [image attachment]
    are those methods available from the ReactNative SDK?
    Petr Dvořák
    @petrdvorak
    Hello @michalgrzelak, I don’t think so - the non-native wrappers generally contain just a subset of methods to cover the most frequent use-cases. What is your use-case for the encryptors?
    Michał Grzelak
    @michalgrzelak
    Let me draw a diagram quickly to present the flow that we want to achieve.
    Michał Grzelak
    @michalgrzelak
    [image attachment]
    the flow which we want to achieve, more or less
    this flow presents the situation after activation, key exchange etc (...)
    Michał Grzelak
    @michalgrzelak
    and the question is: can I achieve encryption/decryption of every request/response with the current react-native-powerauth-mobile-sdk release?
    Petr Dvořák
    @petrdvorak
    Hello @michalgrzelak, this is not something that we would recommend. Our end-to-end encryption is used for one-off data transfers, for example, only when sending the payment data or during activation. This is because of the infrastructure setup: Your proxy server would need to call PAS for every single request/response cycle and this is just not feasible from the performance perspective.
    To fortify network communication, we recommend either using certificate/public key pinning, or using some gateway that is designed to handle the traffic (F5, etc.).

    Regarding the pinning approach: You can either use static pins and handle app updates, or deploy a dynamic SSL pinning solution, i.e.:

    https://developers.wultra.com/docs/develop/mobile-utility-server/index
    https://developers.wultra.com/docs/develop/ssl-pinning-android/index
    https://developers.wultra.com/docs/develop/ssl-pinning-ios/index

    PatoOrtega
    @PatoOrtega
    I need to implement dynamic SSL pinning in Java, but I see that you only have it in Kotlin. Can you help me with documentation for Java? Thanks
    Petr Dvořák
    @petrdvorak
    Hello @PatoOrtega, we only have an implementation in Kotlin, but you can use it in your Java project. We cannot help much with this, since it is a generic Java/Kotlin question. Read for example: https://kotlinlang.org/docs/mixing-java-kotlin-intellij.html#adding-kotlin-source-code-to-an-existing-java-project
    Rahul Kumar Borah
    @rborah:matrix.org

    Hi Team Wultra,

    Do you have a react-native implementation of dynamic ssl pinning?
    Thanks

    Jan Kobersky
    @kober32
    Hello @rborah , we do not support react-native at the moment and there isn't any plan to do so right now.
    Patrik Bajer
    @dakgadan

    Hi, can you think of what could be causing a client not to receive some notifications on her phone (notifications about transfers between accounts reportedly do arrive), even though:

    select *
    from powerauth_webflow.ns_user_prefs
    where user_id = 'uživatel'

    returns auth_method_1 = 1
    activationId" : "d235fb82-8a7e-4dd2-95fd-XXXXXXXXXXXX"


    select * from POWERAUTH.V_PA_ACTIVATION where user_id = 'uživatel'

    returns user_id = 'uživatel'
    activation_status_id = 3
    activation_status = ACTIVE (REMOVED for all the others)


    select * from POWERAUTH_PUSH_SERVER.PUSH_DEVICE_REGISTRATION where user_ID = 'uživatel'

    returns
    activationId = "d235fb82-8a7e-4dd2-95fd-XXXXXXXXXXXX"
    is_active = 1


    But the notifications in question don't arrive? E.g.:
    ID = 389769267
    activationId" : "d235fb82-8a7e-4dd2-95fd-XXXXXXXXXXXX"
    is_silent = 0
    is_personal = 1
    "Zaplaceno 470 Kč"
    timestamp: 28.07.22 13:04:33,498000000
    Status = 1

    A colleague looked into his logs, where unfortunately he could no longer find this particular notification (deleted), but for other recent notifications for this activationId he gets both "Received sendPushMessage request" and "The sendPushMessage request succeeded"

    The client wrote that the problems started after she had her phone in for repair (about a month ago). She says the phone type shown to her has also changed (vivo), but that it is still the same device. She reportedly also tried removing it and adding it again, but the payment notifications still don't arrive.

    Roman Štrobl
    @romanstrobl
    Hello, what type of phone is it (Android / iOS, device brand)? On the server everything looks fine: Status = 1 means the push message was sent, the log message confirms it, and the activation status is ACTIVE.
    Jan Kobersky
    @kober32
    Hi, if that phone went through some restore from backup or a system update, I would first check whether notifications are enabled for that particular application on the phone. Unfortunately, given how every manufacturer modifies Android, it's hard to write any reasonable guide without knowing exactly which phone and OS version it is.
    Juraj Ďurech
    @hvge
    Hi, I'd just like to point out that this is a public channel, so all information posted here is publicly visible.
    Roman Štrobl
    @romanstrobl
    To add, the correct channel is powerauth-equa