Unable to Verify MAC using IBM WAS 8.0 JRE


Elías Ake

Mar 23, 2015, 11:36:11 AM
to pushy...@googlegroups.com
This is the error I get when running pushy-0.4.1.jar with the WAS 8.0 JRE:

java.io.IOException: Unable to verify MAC.
    at com.ibm.crypto.provider.PKCS12KeyStore.engineLoad(Unknown Source)
    at java.security.KeyStore.load(KeyStore.java:409)
    at mx.com.relayrides.pushy.apns.util.SSLContextUtil.createDefaultSSLContext(SSLContextUtil.java:68)
    at mx.com.relayrides.pushy.apns.util.SSLContextUtil.createDefaultSSLContext(SSLContextUtil.java:46)
    at sendAPN.SendAPNs.sendAPN(SendAPNs.java:110)
    at sendAPN.SendAPNs.main(SendAPNs.java:55)

However, the same code in my method works perfectly with Sun JRE 7. This is the code of my method:


public void sendAPN(Map<String, String> data, String registrationId,
        String pathFile, String pw, String message)
        throws UnrecoverableKeyException, KeyManagementException, KeyStoreException, NoSuchAlgorithmException,
        CertificateException, IOException, MalformedTokenStringException, InterruptedException {
    LOG.info("rutaCertificado:" + pathFile + "\nregistrationId:" + registrationId);

    // createDefaultSSLContext loads the .p12 at pathFile with password pw;
    // this is the call that appears in the stack trace above.
    final PushManager<SimpleApnsPushNotification> pushManager = new PushManager<SimpleApnsPushNotification>(
            ApnsEnvironment.getSandboxEnvironment(),
            SSLContextUtil.createDefaultSSLContext(pathFile, pw),
            null,
            null,
            null,
            new PushManagerConfiguration(),
            "ExamplePushManager"
    );
    pushManager.start();

    // Build the payload: alert text, sound, and any custom properties.
    final byte[] token = TokenUtil.tokenStringToByteArray(registrationId);
    final ApnsPayloadBuilder payloadBuilder = new ApnsPayloadBuilder();
    payloadBuilder.setAlertBody(message);
    payloadBuilder.setSoundFileName("ring-ring.aiff");
    if (data != null) {
        for (Map.Entry<String, String> entry : data.entrySet()) {
            payloadBuilder.addCustomProperty(entry.getKey(), entry.getValue());
        }
    }
    final String payload = payloadBuilder.buildWithDefaultMaximumLength();

    // Queue the notification for delivery.
    pushManager.getQueue().put(new SimpleApnsPushNotification(token, payload));
    LOG.info("Mensaje enviado");
}


What I was seeing is that when I use the WAS JRE 8.0, WAS uses this class, which is where it fails:

com.ibm.crypto.provider.PKCS12KeyStore

But when I use the Sun JRE 7, the JRE uses this other class and it works properly:

sun.security.pkcs12.PKCS12KeyStore

Please help me, and thank you very much for your help.

Chris Eager

Mar 26, 2015, 8:29:37 PM
to Elías Ake, pushy...@googlegroups.com
Hi Elías,

My first thought is that your WAS JRE doesn’t have the root authority certificate for Apple’s push service in its truststore. According to Apple [1], their root issuer is Entrust. On my local Oracle JDK 7, there are 4 Entrust certificates:

keytool -list -keystore /Library/Java/JavaVirtualMachines/jdk1.7.0_65.jdk/Contents/Home/jre/lib/security/cacerts | grep -i entrust
entrustevca, Apr 23, 2010, trustedCertEntry, 
entrustrootcag2, Jun 22, 2010, trustedCertEntry, 
entrust2048ca, Jun 22, 2010, trustedCertEntry, 
entrustsslca, Jan 9, 2003, trustedCertEntry, 

Can you check if this is the case? It looks like Entrust should be in the default truststore, but perhaps yours has a customized set of certificates.


Elías Ake

Apr 6, 2015, 12:05:17 PM
to pushy...@googlegroups.com, jose.eli...@gmail.com
Thank you, Chris:

The error I posted was because the .p12 file had no password. Then I put a password on it and was able to create the SSLContext.
However, now I get the error:

Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine  problem
.....
Caused by: com.ibm.jsse2.util.g: End user tried to act as a CA.

Now I think that this error is what you mentioned, the Entrust certificates. I will investigate how to configure it and I will run the command that you mentioned.

Thanks
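
An added diagnostic, not part of the thread or of Pushy: it loads a .p12 through the same `KeyStore.load` call that appears in the stack trace and prints the selected provider plus each chain certificate's subject, issuer and CA flag, so the output can be compared between the IBM and Sun JREs. The class name `P12Inspect` is hypothetical.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;

// Hypothetical diagnostic class (added example, not part of Pushy).
public class P12Inspect {
    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java P12Inspect <file.p12>");
            System.exit(2);
        }
        // Prompt instead of taking the password as an argument, so it does not
        // end up in shell history or the process list. Press Enter for none.
        Console console = System.console();
        char[] password = console == null ? null : console.readPassword("Keystore password: ");
        if (password == null) password = new char[0];
        KeyStore ks = KeyStore.getInstance("PKCS12");
        // The provider name shows which PKCS12 implementation this JRE selected.
        System.out.println("provider: " + ks.getProvider().getName());
        InputStream in = new FileInputStream(args[0]);
        try {
            ks.load(in, password); // the integrity (MAC) check happens here
        } finally {
            in.close();
            Arrays.fill(password, '\0'); // do not keep the password in memory
        }
        for (String alias : Collections.list(ks.aliases())) {
            System.out.println("alias: " + alias + " (key entry: " + ks.isKeyEntry(alias) + ")");
            Certificate[] chain = ks.getCertificateChain(alias);
            if (chain == null) continue; // entry has no certificate chain
            for (Certificate cert : chain) {
                X509Certificate x509 = (X509Certificate) cert;
                // getBasicConstraints() returns -1 when the certificate is not a CA.
                boolean isCa = x509.getBasicConstraints() != -1;
                System.out.println("  subject: " + x509.getSubjectX500Principal().getName());
                System.out.println("  issuer:  " + x509.getIssuerX500Principal().getName());
                System.out.println("  CA: " + isCa + ", expires: " + x509.getNotAfter());
            }
        }
    }
}
```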

Elías Ake

Apr 6, 2015, 4:50:35 PM
to pushy...@googlegroups.com, jose.eli...@gmail.com
These are my Entrust certificates on the server:

Is this configuration OK?
What configuration is missing?

Thanks a lot.