Hi, Sergio,

sergio_c_2 · ‎07-21-2015

Hello,

I'm developing an application that communicates with a server through an SSL tunnel. For this, I use the API of intel xdk called API Secure. Specifically these functions:
https://software.intel.com/en-us/node/560364

The problem I have, is when i create the instance with the function: "intel.security.secureTransport.open (success, fail, options);"
https://software.intel.com/es-es/node/560365

This function can receive 4 options. My problem comes when I want to include the server key. I don´t know what is the format of the server key.
¿I have to put the path?, ¿I have to put the serverkey.pem like a string?

If you could help me I would be very grateful, sorry for my English

Thank You So Much

PaulF_IntelCorp · ‎07-21-2015

That API is part of the security SDK, which we are not experts on. Let me see if I can find out if they have a forum for questions regarding that API. Unfortunately, it's very hard for us to be experts on all the plugin APIs.

PaulF_IntelCorp · ‎07-23-2015

A member of the team that owns the Security API plugin should be contacting you via this forum.

Ohad_B_Intel · ‎07-23-2015

The public key parameter should be the public key of the server that your app communicates with, the format is PEM, you should provide the serverkey.pem as a string.

Let me know if you need farther details.

sergio_c_2 · ‎07-23-2015

Ok, I understand the idea. I have some questions:

1º)In my case, i want to connect with a server by SSL. With this function is posible connect by SSL with a server which has certificate self-signed?

if it is not posible, i don´t understand what makes this function, because if i want to connect with a server which has the certificates signed by CA authorized, I can use the next javascritp code, and i don´t have to add the serverkey.pem

peticionHttp.open("GET", url, true);
peticionHttp.send();

2º) What is the server key?

I have the certificate server in format.pem, attached below:

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 10645769954857470286 (0x93bd5f5ec7ce494e)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=ES, ST=Cantabria, O=UNICAN, OU=TLMAT, CN=MOBIWALLET CA/emailAddress=pcm27@alumnos.unican.es
Validity
Not Before: Mar 4 17:13:29 2015 GMT
Not After : Mar 3 17:13:29 2016 GMT
Subject: C=ES, ST=Cantabria, L=Santander, O=UNICAN, OU=TLMAT, CN=mobiwallet server/emailAddress=pcm27@alumnos.unican.es
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ce:a3:8f:e3:b4:3f:0d:0e:e6:22:83:4d:34:83:
d4:af:41:c4:6b:dd:0a:6f:87:42:2b:ef:23:3d:3d:
ff:e0:d7:04:b3:4b:2f:15:f9:22:4e:3d:22:8b:db:
87:7e:a5:92:f7:5e:1c:04:a9:24:92:bb:b0:91:98:
87:43:17:b6:70:97:08:8d:c8:c7:7d:8d:68:3f:d0:
ea:c6:e3:f5:43:f9:bd:f1:bb:51:6e:8f:06:8e:b3:
bf:97:d3:50:0a:37:7a:b1:c7:4c:c4:41:bc:65:e2:
0f:74:9b:1e:2e:3b:d2:5b:1a:39:c4:65:aa:4d:19:
49:a9:fe:96:2a:9b:a1:5b:4c:de:37:7f:14:c3:6a:
0c:d6:c3:c1:4c:6b:7d:93:80:fe:85:26:a9:49:6a:
ab:ad:2a:8b:9d:3e:7e:37:07:c4:10:2c:9d:9e:4f:
26:05:1c:0d:42:49:f9:71:92:ce:c7:36:8b:f6:67:
bf:62:9d:87:93:21:1a:a1:b4:61:66:8b:63:02:a1:
30:5a:93:9b:06:b5:5d:ef:6d:8f:fc:67:42:bf:eb:
9e:8b:8a:40:8d:66:fe:43:93:ad:d8:7f:af:80:7f:
35:59:ba:1a:ae:1c:ba:ff:43:68:55:c3:84:9a:1c:
2c:dc:0f:6f:d7:90:f5:f8:62:61:11:43:3a:f2:ff:
e8:41
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
A4:B1:00:18:02:39:B5:94:85:13:6F:33:3C:BB:5F:A5:0F:DF:E7:F0
X509v3 Authority Key Identifier:
keyid:64:5B:C9:0F:C7:BA:84:C7:A6:4C:DF:0E:D9:89:58:D8:DF:81:44:E4

Signature Algorithm: sha256WithRSAEncryption
bb:97:b3:e9:b5:7c:ba:46:17:b0:73:11:a9:78:c3:1d:ef:4c:
b9:4b:4f:f1:60:1e:78:c3:06:dd:11:1c:98:01:ab:91:4d:af:
c0:74:0b:71:cc:00:95:29:ea:06:56:0b:c2:09:76:cf:95:f2:
e9:2a:2b:94:70:92:92:7c:76:05:dd:ce:dd:bf:86:3c:8e:0f:
93:95:46:c8:ab:08:10:02:01:68:fc:1f:81:05:ce:f9:97:fb:
20:f2:3b:21:25:c5:bc:ea:6d:2f:7b:10:46:10:f9:f6:51:72:
b2:d2:7e:b5:78:28:40:9b:45:6c:62:65:7c:ff:f7:8c:19:65:
17:e6:e2:06:04:45:57:28:49:c1:8d:36:6d:01:8c:87:a6:75:
5d:42:02:87:e9:53:a4:3f:c5:1a:48:4b:5e:f2:fb:2e:e1:15:
ec:0a:46:7d:77:fc:cd:33:f9:f1:37:26:19:da:bd:07:e1:11:
d0:fc:97:97:1b:25:71:1d:51:ad:6d:ca:1e:40:fb:31:7b:05:
57:13:7e:3b:6f:db:18:50:34:5e:f5:35:f2:45:fe:b4:6b:5c:
76:e0:0b:c6:8f:b0:5b:b7:c1:db:7e:a8:48:8a:a9:32:73:5e:
45:14:9c:b0:16:18:70:bc:80:77:26:09:d8:99:99:37:c0:5b:
2a:75:88:0b

sorry for my English

Thank You So Much

Ohad_B_Intel · ‎07-24-2015

1. Self-signed public key is currently supported in iOS only. In Android and Windows this feature is not supported yet.

Public key pinning forces a specific server public key. In case you do not provide a public key -> communication is allowed with any server that has root CA signature. In case you provide a public key --> communication is allowed with this server (and if the server has root CA signature passing sensitive data is allowed).

As I wrote before, the public key is supported only in iOS in the current plugin version (1.2.0). Are you using a self-signed certificate?

2. The serverKey option is the certificate's public key of the server in PEM format and base64 encoding. You can extract it with the following openssl command (assuming the server’s cert called format.pem):

openssl x509 -pubkey -noout -in format.pem  > pubkey.pem

The output of this command is a public key file (pubkey.pem) with a base64 strings which looks like:

-----BEGIN PUBLIC KEY-----

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAryQICCl6NZ5gDKrnSztO

3Hy8PEUcuyvg/ikC+VcIo2SFFSf18a3IMYldIugqqqZCs4/4uVW3sbdLs/6PfgdX

7O9D22ZiFWHPYA2k2N744MNiCD1UE+tJyllUhSblK48bn+v1oZHCM0nYQ2NqUkvS

j+hwUU3RiWlsdx3D2s9wSdNt7XUtW05a/FXehsPSiJfKvHJJnGOX0BgTvkLnkAOTd

OrUZ/wK69DdfdfIvrN4vs9Nes8vbwPa/ddZEzGR0cQMt0JBkhk9kU/qwqUseP1QRJ

5I1jR4gsPL/3434e9K35PxZWuDp3U0UPAZ3PjFAh+5T+fc7gzCs9dPzSHloruU+gl

FQIDAQAB

-----END PUBLIC KEY——

Copy the entire string of this file (including the begin public key and end public key lines) and paste it into the serverKey option of the intel.security.secureTransport.open(success, fail, options) API.

sergio_c_2 · ‎07-27-2015

Thank you very much for your help, but it still does not work for me.

When I run the application i can see the next message error in the "debugger":

Maybe I have not explained well what i want, and i can not use this API for my problem.

I'm trying to establish an SSL connection between my application and a server. The problem is that the CA signing certificates server and client is not a licensed CA, because it is a CA created by myself. Therefore certificates that are created on the server and client, are not signed by a trusted authority.

The esay solution would be to add my own CA to the list of authorized CA used by the application.

Therefore:

1º) Is possible to add my own CA to the list of CA authorized to my application?

2º)If that is not possible, is there anyway to make the SSL connection?

sorry for my English

Thank You So Much

Ohad_B_Intel · ‎07-29-2015

App Security API plugin on the Intel XDK Emulator has some limited functionality compared to the plugin installed on device.

Making Secure Transport calls with a public key parameter of a server with a self-signed certificate will fail in the emulator (that is the error you see) to make it work you need to install the cert on your machine.

To do that on Windows you need to:

Open “mmc” from the start menu
FileàAdd/remove snap-inàchoose ”certificates” and click Add à choose “my user account” press finishà press OK.
Certificates snap in was added, double click on it. àopen “trusted root certification authorities”à left click on certificates -àclick “All Tasks” click “import”.
Add the certificate using the Wizard: Click nextàbrowse to the cert file for your server; click next à click next.
The cert should now be in the list of the trusted root certification authorities, make sure it is.
Close and reopen the XDK.

In the current plugin version (1.2.0) public key of self-signed certificate is support on Android only. Next version (1.3.0) that will be published shortly, will add public key support for iOS.

.

sergio_c_2 · ‎07-29-2015

Thank you.
I've got to answer the server using the steps you've shown me. For testing with the simulator it works perfectly.

But I found another problem ...
When I generate the apk and install it on my android device, the server does not respond.
I guess the problem is the same, I have to install the self-signed certificate on my device ...

When I try to install the certificate on my samsung galaxy s3, the device does not recognize me the certificate.

Could you tell me the steps to install a self-signed certificate on a android as you helped me with the installation in Windows device?

Your help is being really useful to me, because the application I'm trying to develop, is my "final career project"

Thank You So Much

PaulF_IntelCorp · ‎07-29-2015

BTW -- when building for a real device you need to be sure you have the whitelist set properly. The default on most of the templates and samples is "*" (meaning everything). See this post for more details: https://software.intel.com/en-us/forums/topic/559482

Dan_S_Intel · ‎07-30-2015

Hi, Sergio,

If you want to use a self-sign certificate on a real Android device you don't need to install a root ca certificate like you did in the XDK emulator case.

What you should do is to provide the public key in pem format and encoded to a base64 string (please use the explanation above of how to retrieve the public key from a certificate file) and use this string in the open API.

Please take a look into the following example where the url should be replace with your url and the serverKey should be set with your server public key:

var options = { url: "https://yoururl.com",
serverKey: "-----BEGIN PUBLIC KEY-----\nMIIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmxxTAMSoZgjeXUwO6gyZ\nR9riyFtIZQ2XtYIw8BmJXRewkVwDANxxxd7xoAa6KtGUwsljbJQ3zsYXHgKmXc0g\nqDoinlfO2DUG4eiYv0x0ToEEdHyj6OZS2wi0ZZBCwzQj7Ydk+hHzuciE1G0spAtx\nJnlB9BV2X7xDpmsBvqXIf0Gu4csA7EcAZeHrT15vL2N/jP7TEhfXj1HlVyGewSHW\nj69tupq3BnE9J6C4k+S1QJzJC1qf3QX6psFkaTQV8zusLwHs5tDD9WjLhJcaoles\nqpVoST1Ud4tzqWc3NzcKW9vPxJTGAkhjk5OB0PQP1BHqDPM/M8xofwIk1iwtG1Wh\nEwIDAQMM\n-----END PUBLIC KEY-----" };

intel.security.secureTransport.open(
   function (instanceID) {
       alert("success callback is called, instance id is: "+instanceID);
},
function (errorMsg) {
       alert("failed callback is called, error is: "+errorMsg);
},
options);

Please try this out and let us know if it does work for you on your Android device. If you still get an error please send us the error message that you see on the screen (should be popped up as an alert window).

Also note that we often see in case of network API errors which are related to network. ( the device should have an Internet connectivity without proxy server). So, please open you browser on you Android and make sure you can access http://www.google.com to eliminate the network issues.

Thanks,

Dan.

sergio_c_2 · ‎07-30-2015

Hello everybody,

First I respond to Paul Fischer:

I put in the whitelist "*" for both internal and external option
Putting these options my app does not work

Second I answer to Dan S.:

Ohad .B explain to me the following:

1. Self-signed public key is Currently only supported in iOS. In Android and Windows esta feature is not supported yet. Public key pinning forces to specific server public key. In case you do not Provide a public key -> communication is allowed With That server has any root CA signature. In case you Provide a public key -> communication is allowed With this server (and if the server has root CA signature passing sensitive data is allowed)

From what I understand this explanation, it is not possible to develop it on an Android device.

Anyway I tested with the option that you've set your me:

When I press a button that runs the code it is as follows:

function prueba3(){
    var options = { url: "https://193.144.201.45:8443/MobiWallet/rest/UserActions/mb/registerUser", 'method':'POST', serverKey: "-----BEGIN PUBLIC KEY-----\nMIIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmxxTAMSoZgjeXUwO6gyZ\nR9riyFtIZQ2XtYIw8BmJXRewkVwDANxxxd7xoAa6KtGUwsljbJQ3zsYXHgKmXc0g\nqDoinlfO2DUG4eiYv0x0ToEEdHyj6OZS2wi0ZZBCwzQj7Ydk+hHzuciE1G0spAtx\nJnlB9BV2X7xDpmsBvqXIf0Gu4csA7EcAZeHrT15vL2N/jP7TEhfXj1HlVyGewSHW\nj69tupq3BnE9J6C4k+S1QJzJC1qf3QX6psFkaTQV8zusLwHs5tDD9WjLhJcaoles\nqpVoST1Ud4tzqWc3NzcKW9vPxJTGAkhjk5OB0PQP1BHqDPM/M8xofwIk1iwtG1Wh\nEwIDAQMM\n-----END PUBLIC KEY-----" };

    intel.security.secureTransport.open(
        function (instanceID) {
            alert("success callback is called, instance id is: "+instanceID);
            instance=instanceID;
        },
        function (errorMsg) {
            alert("failed callback is called, error is: "+errorMsg);
        },
        options
    );
    
    // Define the head Content-type
    intel.security.secureTransport.setHeaderValue(    
        function(){console.log('success setting header value');}, 
        function(errorObj){console.log('fail: code = '+errorObj.code+', message = '+errorObj.message);},
        {'instanceID':instance, 'key':'Content-Type', 'value':'application/xml'}
    );
    
    // Send the request
    var request_body ='<MW_NEW_USER>\n'+
   '<MW_VERSION>1.0</MW_VERSION>\n'+
   '<MW_USR_ID>pabloCosio2</MW_USR_ID>\n'+
   '<MW_SURNAME>Cosio Molleda</MW_SURNAME>\n'+
   '<MW_NAME>Pablo</MW_NAME>\n'+
   '<MW_GENRE>male</MW_GENRE>\n'+
   '<MW_PASSPORTID>72074825L</MW_PASSPORTID>\n'+
   '<MW_BIRTHDATE>1959-01-23</MW_BIRTHDATE>\n'+
   '<MW_POSTCODE>39015</MW_POSTCODE>\n'+
   '<MW_CITY>Herrera de Camargo</MW_CITY>\n'+
   '<MW_ADDRESS>Avenida de Bilbao numer4 2 derecha</MW_ADDRESS>\n'+
   '<MW_EMAIL>pcosio.89@gmail.com</MW_EMAIL>\n'+
   '<MW_MOBILE>699858966</MW_MOBILE>\n'+
   '<MW_PHONE2>666666666</MW_PHONE2>\n'+
   '</MW_NEW_USER>'
    
    intel.security.secureTransport.sendRequest(
        function(response){alert(response.responseBody);}, 
        function(errorObj){console.log('fail: code = '+errorObj.code+', message = '+errorObj.message);},
        {'instanceID':instance, 'requestBody':request_body }
    );     
}

In the simulator it works perfectly, but when I generate the apk and run on the device, I get an alert windows with the following information:

success callback is called, instance id is:43

But I do not return the server response.
In the simulator it returns an alert window with the contents of the server response.

sorry for my English

Thank You So Much

Dan_S_Intel · ‎07-30-2015

Can you modify line 41(the fail callback) with the following and paste the content of the alert window?

	
				function(errorObj){alert('fail: code = '+errorObj.code+', message = '+errorObj.message);},

sergio_c_2 · ‎07-30-2015

Hi Dan S.

I modified the line of code you've shown me, but the result I get is the same, it is only displayed the alert window creating the instance.

I have attached a link where you can get the code of the application and the .apk if you want to try it.

https://www.dropbox.com/s/9shda82inespdwi/Application_test_SSL.rar?dl=0

Thank You So Much

Ohad_B_Intel · ‎08-02-2015

Hey Sergio,

You have used the public key that Dan provided you (which is just an example of public key format, it works in the XDK emulator since the emulator does not verify the public key but fails on device due to the public key enforcement).

I have performed the following changes in you code:

Changed the public key to be your server’s public key.
Wrote a synchronized code (App Security API calls are asynchronous so you should write your code in the success callback in case you have a dependency in the former API call).
Changed all console.log to alert.

var options = { url: "https://193.144.201.45:8443/MobiWallet/rest/UserActions/mb/registerUser", 'method':'POST', serverKey: "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4Na+wc+lWweKrvDCdWJe\nzIX0Z/wgmBltmerIdMUpxiOIPpAzmzixv6mkIGiqrCRHWPeQZ2tgZfzq9XyJc1Pb\nsOtEqJIT+5AsUNgBbtGhyo241PQjrDynekUQkVv1\nsMs1tE6GdMm1alkji5FhgheN\n0+QcaB5uaEjeQf61PZTAUgogHj+ou2YzoJbNptMYeN4n4gIrNiDmBNL9TgsXZkVX\niCjnUE/iMaq8Ps3r67OQycM4REXywq5jaw5uK5MXO2hSh0Ooliwyv2IKLqJ1EoMj\nq2ik9BVmrlRNj8V3Y4iCsxMtqSqI8LZtxpI4JuhLQws7h+1p37DgfyAHQdZwT4be\nYwIDAQAB\n-----END PUBLIC KEY-----" };

intel.security.secureTransport.open(

function (instanceID) {

alert("Succeeded in open, instance id is: "+instanceID);

var myInstanceID=instanceID;

// Define the head Content-type

intel.security.secureTransport.setHeaderValue(

function(){

alert('Succeeded in setHeaderValue');

// Send the request

var request_body ='<MW_NEW_USER>\n'+

'<MW_VERSION>1.0</MW_VERSION>\n'+

'<MW_USR_ID>pabloCosio2</MW_USR_ID>\n'+

'<MW_SURNAME>Cosio Molleda</MW_SURNAME>\n'+

'<MW_NAME>Pablo</MW_NAME>\n'+

'<MW_GENRE>male</MW_GENRE>\n'+

'<MW_PASSPORTID>72074825L</MW_PASSPORTID>\n'+

'<MW_BIRTHDATE>1959-01-23</MW_BIRTHDATE>\n'+

'<MW_POSTCODE>39015</MW_POSTCODE>\n'+

'<MW_CITY>Herrera de Camargo</MW_CITY>\n'+

'<MW_ADDRESS>Avenida de Bilbao numer4 2 derecha</MW_ADDRESS>\n'+

'<MW_EMAIL>pcosio.89@gmail.com</MW_EMAIL>\n'+

'<MW_MOBILE>699858966</MW_MOBILE>\n'+

'<MW_PHONE2>666666666</MW_PHONE2>\n'+

'</MW_NEW_USER>'

intel.security.secureTransport.sendRequest(

function(response){

alert('Succeeded in sendRequest, response.responseBody = ' + response.responseBody);

},

function(errorObj){

alert('Failed in sendRequest, code = '+errorObj.code+', message = '+errorObj.message);

},

{'instanceID':myInstanceID, 'requestBody':request_body }

);

},

function(errorObj){

alert('Failed in setHeaderValue, code = '+errorObj.code+', message = '+errorObj.message);

},

{'instanceID':myInstanceID, 'key':'Content-Type', 'value':'application/xml'}

);

},

function (errorObj) {

alert('Failed in open, code = '+errorObj.code+', message = '+errorObj.message);

},

options

);

I tested it on Android device and it worked, can you please give it a try?

Thanks,

Ohad

Ohad_B_Intel · ‎08-02-2015

To extract public key from a server (I already did it for you, but I am writing it for other users):

In case you do not have the certificate file (otherwise skip this bullet): Download the certificate from the server URL (using browser go to the server’ URL, right click on the certificate (left side of the navigation bar), go to connection tab, click on certificate information, go to Details tab, copy to File, Next, Base 64 encoded x.509 (.cer), Next, c:\cert.cer, Save, Next and Finish).
Extract the public key from the certificate file using OpenSSL command line tool: openssl x509 -pubkey -noout -in cert.cer > pubkey.pem
Copy the pubkey.pem content to your app JavaScript file (using text editor)
Add ‘\n’ (without apostrophe) and delete spaces to end up with a single line
In your case the public key is: "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4Na+wc+lWweKrvDCdWJe\nzIX0Z/wgmBltmerIdMUpxiOIPpAzmzixv6mkIGiqrCRHWPeQZ2tgZfzq9XyJc1Pb\nsOtEqJIT+5AsUNgBbtGhyo241PQjrDynekUQkVv1\nsMs1tE6GdMm1alkji5FhgheN\n0+QcaB5uaEjeQf61PZTAUgogHj+ou2YzoJbNptMYeN4n4gIrNiDmBNL9TgsXZkVX\niCjnUE/iMaq8Ps3r67OQycM4REXywq5jaw5uK5MXO2hSh0Ooliwyv2IKLqJ1EoMj\nq2ik9BVmrlRNj8V3Y4iCsxMtqSqI8LZtxpI4JuhLQws7h+1p37DgfyAHQdZwT4be\nYwIDAQAB\n-----END PUBLIC KEY-----"

sergio_c_2 · ‎08-03-2015

Hi OHAD B.

Thank you very much, your help has been very important for me and my project.
I finally managed to establish the SSL connection on my android device.

One last question, because if it possible, I would like the SSL connection was even safer.

In my project once the SSL connection is established. (as you've told me so far), through a consultative function, I downloaded from the server a user certificate in pkcs12 format.

It is possible to establish an SSL connection with mutual authentication with this certificate?

Thank You So Much

Ohad_B_Intel · ‎08-03-2015

The current APP Security API plugin version does not support a mutual authentication (client verification is not supported), we may add it in future version.

sergio_c_2 · ‎08-03-2015

hello Ohad B.

Thank you very much for your help again. If this version is not possible, I will make only the SSL server authentication.

If it is possible when you add this improvement it in future version, you can inform me about that?

Thank you so much

sergio_c_2 · ‎08-26-2015

hello again Ohad B.

I have another question about using this API

When I sent https request (GET, POST) with this API. It is possible to obtain the Status Code?

For example in this cases:

1º Status Code 200

2º Status Code 403

Thank you very much for your help

Ohad_B_Intel · ‎08-27-2015

Hi Sergio,

The SendRequest API has two callbacks (success and fail), if the send operation succeeded then the success callback is called, otherwise the fail callback is called.

There is no way to extract the HTTP code (200 OK/403 forbidden), but from the callback you can understand if succeeded or failed (fail callback returns error code with details for the failure root cause).

intel xdk SSL (API Secure