•   almost 12 years ago

Can https://remote.mintchipchallenge/ act as a broker?

I'm trying to send money to one of my hosted mintchips without having the certificate installed locally and am wondering if its possible to do so?

For example, I'm sending money from my physical to hosted mintchip, could I not just create the value message and post it to https://remote.mintchipchallenge.com/mintchip/receipts as described in the API: http://developer.mintchipchallenge.com/api/hosted/LoadValueMessage.html?

  • 11 comments

  •   •   almost 12 years ago

    The certs for the physical mint chips are located on the device so you should be able to sign your value request message with the private cert on the local chip and include the public key for verication by the value message receiver on the hosted site.

    if you manage to successfully load the value on the hosted site could you post you methods here. I have not been as to get the hosted site so accept a valid value message. Thx.

  •   •   almost 12 years ago

    In theory, for a hosted (remote) MintChip, there should not be anything to prevent receiving a value message without intervention by the owner of the remote MintChip. Like a direct deposit to your bank account -- you don't have to accept the deposit, it is processed without your intervention.
    The sample hosted MintChip uses the client certificate to associate the user with a specific MintChip, which is necessary for all functions except accepting a value message, since the value message can *only* be accepted by the specific MintChip it is created for. Opening https://remote.mintchipchallenge.com/mintchip/receipts prompts for the client certificate.
    A different broker implementation could forego the browser authentication and process the value message based solely on it's contents.

  •   •   almost 12 years ago

    Gary,

    Have you and any luck loading a value message to a hosted mintchip through https://remote.mintchipchallenge.com/mintchip/receipts ? If so could you post a code snippet. I'm posting a valid value message using "Content-Type: application/vnd.scg.ecn-message" and getting "HTTP Error 400. The request has an invalid header name"

  •   •   almost 12 years ago

    Stephen,

    I think I made it a little further with a status code 455: incorrect payee. I'm not sure if you're using the .NET code but I basically just copied their ExecutePost method in RemoteMintChip.cs. Give that a try.

    Gary, any help you can provide will be much appreciated!

  •   •   almost 12 years ago

    Gary,

    I just re-read your message. So you are saying that the https://remote.mintchipchallenge.com/mintchip/receipts expects to see the client certificate for the PAYEE which means we can't do a direct deposit like you suggested.

    I wonder if they could open this up, it would make things so much simpler and be more realistic. Feedback from the MintChip team would be appreciated!

    Thanks

  •   •   almost 12 years ago

    Dickson

    It sounds like "incorrect payee" would indicate there is an issue with the assembly of your value message request and not your posting method.

  •   •   almost 12 years ago

    I just did a very basic test of the the remote API. First, I generated a $5 value message from a local chip using the Windows sample program.
    I attempted to post this value message for hosted MintChip 'a' (using curl on the command line) using MintChip 'b' certificate. This returned a "HTTP/1.1 455 Incorrect payee" response. I tried using the 'correct' certificate and the value message got processed. Out of curiosity, I reposted the value message and got "HTTP/1.1 455 Duplicate VTM".

    Interesting thing to note: the content type was set automatically by curl to 'application/x-www-form-urlencoded' and accepted anyway.

    Conclusion: a value message can only be processed by the authenticated (by certificate) owner of the receiving hosted MintChip.

  •   •   almost 12 years ago

    Gary, Very interesting. Tried curl on the command line and still can't get the remote server to accept the value message. Could you post your command, please. Are you specifying cert locations?

  •   •   almost 12 years ago

    curl -v -S -k -E 1310000000004617.p12:PASSWORD --cert-type P12 --data @20120429152807.ecn https://remote.mintchipchallenge.com/mintchip/receipts

    "-v -S" are for verbose and show errors.
    -k allows connecting to site with 'insecure' SSL
    -E specifies client cert location, change PASSWORD obviously
    --cert-type tells what format client-cert is in
    --data with the '@' specifies filename to read for POST data

  •   •   almost 12 years ago

    Thanks for testing it out Gary and confirming what I suspected.

    I wonder if someone from the MintChip team can respond on whether this restriction can be lifted so that we can do things like direct deposit.

  •   •   almost 12 years ago

    Gary,

    Worked like a charm! Didn't realize --cert-type P12 was an option. I'd converted the .p12 to .pem . Also, just FYI, on my successful post I was able to pass -d $DATA which was the raw base64 code inline instead of including it as a file.

    Thank you.

Comments are closed.