apns-http2

Certificate should contain "push" keyword

Open rohitsahay2000 opened this issue 7 years ago • 9 comments

Hi, the APNs cert that we are using to send notifications doesn't contain the "push" keyword in the CN. You have a check present for the "push" keyword while validating the certificate, and there are many others where you check for specific strings to be present in the APNs cert.

Due to this issue we are not able to send notifications because cert validation fails. Please help us with what we can do here.

rohitsahay2000 avatar Jun 20 '18 14:06 rohitsahay2000

Out of curiosity, what does your certificate’s CN say? Please mask out the bundle ID, team ID and anything else that’s sensitive.


judepereira avatar Jun 21 '18 04:06 judepereira

That's not the point. All sensitive information is masked out. Why are the strings hardcoded?

```java
    if (!cn.toLowerCase().contains("push")) {
        throw new CertificateException("Not a push certificate - " + cn);
    }

    if (production && cn.toLowerCase().contains("apple development ios push services")) {
        throw new CertificateEnvironmentMismatchException("Invalid environment for this certificate");
    } else if (!production && cn.toLowerCase().contains("apple production ios push services")) {
        throw new CertificateEnvironmentMismatchException("Invalid environment for this certificate");
    }
```

The certs need not contain the strings that are hardcoded in the cert validation which is being done.

rohitsahay2000 avatar Jun 21 '18 05:06 rohitsahay2000

CN is like this: CN=APSP:0226d278-d925-4044-af07-a346da05e2c5/C=IN

As you can see, this doesn't contain any of the strings against which validation is being done. For example: "push", "apple development ios push services", "apple production ios push services". Please let us know what we can do to get this working. Would be a great help!!

rohitsahay2000 avatar Jun 21 '18 06:06 rohitsahay2000

@rohitsahay2000 Until now, all the certificates issued by Apple have contained those strings. It validates the certificate and ensures that you don't accidentally try to use your developer certificate (which has happened many times in the past).

I'll issue a new certificate for APNs tomorrow and check the CN on it.

judepereira avatar Jun 21 '18 16:06 judepereira

@judepereira : Did you check? Have we removed the hardcoding?

rohitsahay2000 avatar Nov 15 '18 13:11 rohitsahay2000

Any update on this?

I just downloaded a production certificate and it has CN=Apple Development IOS Push Services: myBunldleId

I double checked. It is the production certificate and it has development in it.

drunkendaddy avatar May 09 '19 10:05 drunkendaddy

```
java.security.cert.CertificateException: Not a push certificate - VoIP Services: com.test.app
	at com.clevertap.apns.CertificateUtils.validateCertificate(CertificateUtils.java:135)
	at com.clevertap.apns.clients.SyncOkHttpApnsClient.<init>(SyncOkHttpApnsClient.java:131)
	at com.clevertap.apns.clients.AsyncOkHttpApnsClient.<init>(AsyncOkHttpApnsClient.java:72)
	at com.clevertap.apns.clients.ApnsClientBuilder.build(ApnsClientBuilder.java:170)
```

VoIP Push certification not working...

chanoo avatar May 22 '19 03:05 chanoo

Hi, I am facing this bug. How to solve it?

nthung82 avatar Sep 14 '20 04:09 nthung82

It would be great to be able to change behavior with some boolean flag. (include verifying or not)

DziubaR avatar Mar 15 '21 10:03 DziubaR
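
The substring checks quoted in this thread, run over the three CN values reported above, as an added example that is not the library's own code. The class name `CnCheckDemo`, the `Result` enum and the `enforce` switch (modelled on the boolean flag suggested in the last comment) are hypothetical; the CN strings are copied from the comments.

```java
import java.util.Locale;

public class CnCheckDemo {
    enum Result { ACCEPTED, NOT_PUSH, ENVIRONMENT_MISMATCH }

    // Same substring tests as the snippet quoted in this thread.
    // `enforce` is a hypothetical opt-out switch, not an existing library option.
    static Result check(String cn, boolean production, boolean enforce) {
        if (!enforce) {
            return Result.ACCEPTED; // caller takes responsibility for the environment
        }
        // Locale.ROOT keeps the comparison independent of the JVM default locale
        // (in a Turkish locale, "IOS".toLowerCase() does not yield "ios").
        String lower = cn.toLowerCase(Locale.ROOT);
        if (!lower.contains("push")) {
            return Result.NOT_PUSH;
        }
        if (production && lower.contains("apple development ios push services")) {
            return Result.ENVIRONMENT_MISMATCH;
        }
        if (!production && lower.contains("apple production ios push services")) {
            return Result.ENVIRONMENT_MISMATCH;
        }
        return Result.ACCEPTED;
    }

    public static void main(String[] args) {
        // CN values as reported by the commenters in this thread.
        String[] cns = {
            "APSP:0226d278-d925-4044-af07-a346da05e2c5",
            "VoIP Services: com.test.app",
            "Apple Development IOS Push Services: myBunldleId",
        };
        for (String cn : cns) {
            for (boolean enforce : new boolean[] {true, false}) {
                // production=true matches how each commenter says the cert is used
                System.out.printf("enforce=%-5b %-22s %s%n",
                        enforce, check(cn, true, enforce), cn);
            }
        }
    }
}
```

With `enforce=true` the first two CNs are rejected for lacking "push" and the third is rejected as an environment mismatch; with `enforce=false` nothing guards against loading a development certificate into a production client, which is the mistake the maintainer says the check exists to catch.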