On Wed, Feb 5, 2014 at 8:00 PM, Bruno Oliveira <bruno@abstractj.org> wrote:
There is no magic, the password must exist in some place. If not possible require the password, is possible to follow the same approach provided for password reset functionality.

If you want to stick to the KeyStore, you still need to provide the password in some place, but that’s more suitable when you have a key exchange or something like this.

So if you patiently read my the code proposed, you will realize that is possible to achieve it via property file, database or whatever:

@Test
    public void testPasswordValidationWithRandomSaltProvided() throws Exception {
        Pbkdf2 pbkdf2 = AeroGearCrypto.pbkdf2();
        byte[] salt = new Random().randomBytes();
        byte[] IV = new Random().randomBytes();
        int iterations = 100000;

        read.secretFile(“secret.properties”);
        String PASSWORD = read.load(“password_to_my_superpassphrase”);


yeah, but that is really per variant, not global. So we would need a lot of these secret file :-) 



So, the passphrase is upload to the server (for all iOS variants), w/ this HTTP request:

http://aerogear.org/docs/specs/aerogear-push-rest/Variants/iOS/


Somewhen later a totally different system submits a HTTP request to trigger the PUSH message delivery:
http://aerogear.org/docs/specs/aerogear-push-rest/Sender/

And internally, only for iOS variant, all it needs is the certificate (from the apple developer portal) + its passphrase

Perhaps I am wrong, but I feel that if (for iOS variants) we start to require "password_to_my_superpassphrase" on the request for creating the logical construct of the variant,
and use the same for the Sender, we would have that magical password, but I fear that this opens a new can of worms.

 

        //Encrypt step
        SecretKey secretKey = pbkdf2.generateSecretKey(PASSWORD, salt, iterations);
        CryptoBox box1 = new CryptoBox(secretKey.getEncoded());
        String passphrase = "My bonnie lies over the ocean";
        byte[] ciphertext = box1.encrypt(IV, passphrase.getBytes());

        //Decrypt step
        SecretKey recoveredKey = pbkdf2.generateSecretKey(PASSWORD, salt, iterations);
}

If it’s not clear, let me know where should I introduce this functionality rather than a pet project and I can do that.


The AGPUSH-358 ticket is still yours :-) I just felt looking at it, while reading up on our crypto bits.

 

--
abstractj

On February 5, 2014 at 4:47:04 PM, Matthias Wessendorf (matzew@apache.org) wrote:
> > as said in the comments, I don't have that PASSWORD here
>
>
> That is only submitted when the user creates a new iOS variant,
> it's never entered when the server tries to connect to the APNs




--
Matthias Wessendorf

blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf