Windows Store IAP signature validation against a remote certificate, using PHP

I'm trying to validate a Windows App Store IAP receipt in PHP. Basically, I'm trying to convert this sample code to PHP: http://msdn.microsoft.com/en-us/library/windows/apps/jj649137.aspx . The receipt looks like this:

```xml
<Receipt Version="1.0" ReceiptDate="2012-08-30T23:08:52Z" CertificateId="b809e47cd0110a4db043b3f73e83acd917fe1336" ReceiptDeviceId="4e362949-acc3-fe3a-e71b-89893eb4f528">
  <ProductReceipt Id="6bbf4366-6fb2-8be8-7947-92fd5f683530" ProductId="Product1" PurchaseDate="2012-08-30T23:08:52Z" ExpirationDate="2012-09-02T23:08:49Z" ProductType="Durable" AppId="55428GreenlakeApps.CurrentAppSimulatorEventTest_z7q3q7z11crfr" />
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
        <DigestValue>Uvi8jkTYd3HtpMmAMpOm94fLeqmcQ2KCrV1XmSuY1xI=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>TT5fDET1X9nBk9/yKEJAjVASKjall3gw8u9N5Uizx4/Le9RtJtv+E9XSMjrOXK/TDicidIPLBjTbcZylYZdGPkMvAIc3/1mdLMZYJc+EXG9IsE9L74LmJ0OqGH5WjGK/UexAXxVBWDtBbDI2JLOaBevYsyy+4hLOcTXDSUA4tXwPa2Bi+BRoUTdYE2mFW7ytOJNEs3jTiHrCK6JRvTyU9lGkNDMNx9loIr+mRks+BSf70KxPtE9XCpCvXyWa/Q1JaIyZI7llCH45Dn4SKFn6L/JBw8G8xSTrZ3sBYBKOnUDbSCfc8ucQX97EyivSPURvTyImmjpsXDm2LBaEgAMADg==</SignatureValue>
  </Signature>
</Receipt>
```

I have retrieved the server's certificate like this:

```php
function getCertificate($certID) {
    // The sample receipt's CertificateId is a 40-hex-character thumbprint; reject anything
    // else before the value is used to build a file system path and a URL
    if (!preg_match('/^[0-9a-f]{40}$/i', $certID)) {
        return false;
    }
    $url  = 'https://lic.apps.microsoft.com/licensing/certificateserver/?cid=' . $certID;
    $path = '/mypath/certs/' . $certID;
    if (!file_exists($path)) {
        $fp = fopen($path, 'w');
        $ch = curl_init($url);
        curl_setopt($ch, CURLOPT_FILE, $fp);
        curl_setopt($ch, CURLOPT_FAILONERROR, true); // never cache an HTTP error body as a certificate
        $data = curl_exec($ch);
        curl_close($ch);
        fclose($fp);
        if ($data === false) {
            unlink($path);
            return false;
        }
    }
    $cert = file_get_contents($path);
    //var_dump(openssl_x509_parse($cert));
    return openssl_x509_read($cert);
}
```

I assume SignatureValue is my signature. As far as I can tell, the function I need is openssl_verify, but I don't know what parameters I should use, as validation always fails.

```php
$data = $receiptXML->Signature->SignatureValue;
$pubkeyid = openssl_get_publickey($cert);
// state whether signature is okay or not
$ok = openssl_verify($receipt, $data, $pubkeyid, OPENSSL_ALGO_SHA256);
if ($ok == 1) {
    echo "good";
} elseif ($ok == 0) {
    echo "bad";
} else {
    echo "ugly, error checking signature";
}
// free the key from memory
openssl_free_key($pubkeyid);
```

Does anyone know where I'm going wrong here?

I spent several days verifying receipts and finally got it working.

```php
<?php
/**
 * Date: 01.11.2013
 * Time: 23:09
 * @author: Philipp Serrer
 */
namespace Ephisa\Service\WindowsStore;

require_once subpath . 'vendor/xmlseclibs/xmlseclibs.php';

use Ephisa\Cache;

class Receipt
{
    private $doc;
    private $objXMLSecDSig;
    private $objDSig;

    function __construct($xml, $isFile = false)
    {
        if ($isFile) {
            $xml = file_get_contents($xml);
        }
        // strip unwanted chars - IMPORTANT!!!
        $xml = str_replace(array("\n", "\t", "\r"), "", $xml);
        // some (probably mostly WP8) receipts have unnecessary spaces instead of tabs
        $xml = preg_replace('/\s+/', " ", $xml);
        $xml = str_replace("> <", "><", $xml);

        $doc = new \DOMDocument();
        $doc->loadXML($xml);

        $objXMLSecDSig = new \XMLSecurityDSig();
        $objDSig = $objXMLSecDSig->locateSignature($doc);
        if (!$objDSig) {
            throw new InvalidSignatureException();
        }
        // canonicalize
        $objXMLSecDSig->canonicalizeSignedInfo();

        $this->objDSig = $objDSig;
        $this->objXMLSecDSig = $objXMLSecDSig;
        $this->doc = $doc;
    }

    /**
     * Returns the key for verification.
     *
     * @return null|\XMLSecurityKey
     */
    function getKey()
    {
        $objKey = $this->objXMLSecDSig->locateKey();
        $keyInfo = \XMLSecEnc::staticLocateKeyInfo($objKey, $this->objDSig);
        if (!$keyInfo->key) {
            // no KeyInfo in the receipt: fetch the certificate named by CertificateId
            $xpath = new \DOMXPath($this->doc);
            $query = 'string(/Receipt/@CertificateId)';
            $id = $xpath->evaluate($query);
            Cache::instance()->setLifetime(60 * 60 * 24 * 7, 'win-store-cert');
            $cert = Cache::instance()->get($id, 'win-store-cert', function () use ($id) {
                return file_get_contents('https://lic.apps.microsoft.com/licensing/certificateserver/?cid=' . $id);
            });
            $objKey->loadKey($cert, false);
        }
        return $objKey;
    }

    /**
     * Verifies the given receipt
     *
     * @return bool Returns TRUE on success
     */
    function verify()
    {
        try {
            if (!$this->objXMLSecDSig->validateReference()) {
                return false;
            }
            return (bool)$this->objXMLSecDSig->verify($this->getKey());
        } catch (\Exception $e) {
            // failure...
        }
        return false;
    }
}
```

This code is part of my framework, so it contains some framework-dependent code (the cache), but I think you get the main idea and how it works. Of course, you have to include the PHP xmlseclibs available at https://github.com/robrichards/xmlseclibs
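What xmlseclibs does inside validateReference() and verify() is worth seeing spelled out, because it is the part a plain openssl_verify() call has to reproduce: the RSA signature covers the canonicalized SignedInfo element, not the receipt string, and SignatureValue has to be base64-decoded first; separately, DigestValue covers the Receipt with the Signature element removed (the enveloped-signature transform) and canonicalized. The block below is an added example for this page, not the answerer's code and not part of xmlseclibs, written in Python with only the standard library so it runs without the library. It checks the digest, then verifies the signature with RSASSA-PKCS1-v1_5/SHA-256, and refuses any other algorithms the document might name. Two assumptions: Python's ET.canonicalize implements C14N 2.0, which for a document this simple (no namespace prefixes, comments or xml: attributes) should yield the same bytes as the receipt's exclusive C14N, but I have not checked that against a Microsoft-signed receipt, so cross-check with xmlseclibs before relying on it; and the RSA key generation is a throwaway so the pipeline can be exercised offline by re-signing the receipt with it. To check a real receipt, pass the modulus and public exponent of the certificate returned for CertificateId (in PHP, openssl_pkey_get_details() exposes them as rsa.n and rsa.e).

```python
# Added example for this page (not the asker's or the answerer's code): the two checks an
# XML-DSig verifier performs on a Store receipt, in standard-library Python 3.8+.
import base64
import hashlib
import re
import secrets
import xml.etree.ElementTree as ET
DSIG = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("", DSIG)  # ds:* subtrees serialize with a default xmlns, as exc-c14n emits them
Q = "{%s}%%s" % DSIG  # Clark-notation tag template: Q % "Signature"
ALG = {  # pinned by the verifier: the document must not get to choose weaker algorithms
    Q % "CanonicalizationMethod": "http://www.w3.org/2001/10/xml-exc-c14n#",
    Q % "SignatureMethod": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    Q % "Reference/" + Q % "DigestMethod": "http://www.w3.org/2001/04/xmlenc#sha256",
}
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017, section 9.2

# The receipt from the question with inter-element whitespace removed, which is how receipts are issued.
RECEIPT_XML = (
    '<Receipt Version="1.0" ReceiptDate="2012-08-30T23:08:52Z" CertificateId="b809e47cd0110a4db043b3f73e83acd917fe1336" ReceiptDeviceId="4e362949-acc3-fe3a-e71b-89893eb4f528">'
    '<ProductReceipt Id="6bbf4366-6fb2-8be8-7947-92fd5f683530" ProductId="Product1" PurchaseDate="2012-08-30T23:08:52Z" ExpirationDate="2012-09-02T23:08:49Z" ProductType="Durable" AppId="55428GreenlakeApps.CurrentAppSimulatorEventTest_z7q3q7z11crfr"/>'
    '<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>'
    '<Reference URI=""><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>'
    '<DigestValue>Uvi8jkTYd3HtpMmAMpOm94fLeqmcQ2KCrV1XmSuY1xI=</DigestValue></Reference></SignedInfo>'
    '<SignatureValue>TT5fDET1X9nBk9/yKEJAjVASKjall3gw8u9N5Uizx4/Le9RtJtv+E9XSMjrOXK/TDicidIPLBjTbcZylYZdGPkMvAIc3/1mdLMZYJc+EXG9IsE9L74LmJ0OqGH5WjGK/UexAXxVBWDtBbDI2JLOaBevYsyy+4hLOcTXDSUA4tXwPa2Bi+BRoUTdYE2mFW7ytOJNEs3jTiHrCK6JRvTyU9lGkNDMNx9loIr+mRks+BSf70KxPtE9XCpCvXyWa/Q1JaIyZI7llCH45Dn4SKFn6L/JBw8G8xSTrZ3sBYBKOnUDbSCfc8ucQX97EyivSPURvTyImmjpsXDm2LBaEgAMADg==</SignatureValue></Signature></Receipt>'
)

def enveloped_c14n(xml_text):
    """Bytes the Reference DigestValue covers: the Receipt without ds:Signature, canonicalized."""
    root = ET.fromstring(xml_text)
    for sig in root.findall(Q % "Signature"):
        root.remove(sig)  # the enveloped-signature transform
    return ET.canonicalize(ET.tostring(root, encoding="unicode")).encode("utf-8")

def signed_info_c14n(xml_text):
    """Bytes the RSA SignatureValue covers: the canonicalized SignedInfo alone, never the whole receipt."""
    si = ET.fromstring(xml_text).find(Q % "Signature/" + Q % "SignedInfo")
    return ET.canonicalize(ET.tostring(si, encoding="unicode")).encode("utf-8")

def _emsa_pkcs1_v15(message, k):  # EMSA-PKCS1-v1_5 encoding of SHA-256(message) into k bytes
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sha256_verify(message, signature, n, e):  # RSASSA-PKCS1-v1_5, what xmldsig-more#rsa-sha256 denotes
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        return False
    return secrets.compare_digest(pow(s, e, n).to_bytes(k, "big"), _emsa_pkcs1_v15(message, k))

def verify_receipt(xml_text, n, e):
    """True only if the receipt body is intact and SignedInfo was signed by the RSA public key (n, e)."""
    sig = ET.fromstring(xml_text).find(Q % "Signature")
    si = sig.find(Q % "SignedInfo") if sig is not None else None
    ref = si.find(Q % "Reference") if si is not None else None
    if ref is None or ref.get("URI") != "":  # only the whole-document enveloped reference is handled
        return False
    for path, uri in ALG.items():
        el = si.find(path)
        if el is None or el.get("Algorithm") != uri:
            return False
    want = base64.b64decode(ref.findtext(Q % "DigestValue", ""))
    if not secrets.compare_digest(want, hashlib.sha256(enveloped_c14n(xml_text)).digest()):
        return False  # body changed after signing, or whitespace was altered in transit
    signature = base64.b64decode(sig.findtext(Q % "SignatureValue", ""))
    return rsa_sha256_verify(signed_info_c14n(xml_text), signature, n, e)

def _is_probable_prime(n, rounds=16):  # Miller-Rabin, adequate for a throwaway demo key
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_rsa_key(bits=1024):
    """Throwaway key so the pipeline runs offline; a real check uses (n, e) from Microsoft's certificate."""
    e, primes = 65537, []
    while len(primes) < 2:
        c = secrets.randbits(bits // 2) | (1 << (bits // 2 - 1)) | 1  # full length and odd
        if (c - 1) % e and c not in primes and _is_probable_prime(c):
            primes.append(c)
    p, q = primes
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))  # (n, e, d)

def sign_receipt(xml_text, n, d):
    """What the issuer does (demo key only): fill DigestValue, then sign the canonical SignedInfo."""
    digest = base64.b64encode(hashlib.sha256(enveloped_c14n(xml_text)).digest()).decode()
    xml_text = re.sub(r"<DigestValue>[^<]*</DigestValue>", "<DigestValue>%s</DigestValue>" % digest, xml_text, count=1)
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(_emsa_pkcs1_v15(signed_info_c14n(xml_text), k), "big")
    sig = base64.b64encode(pow(m, d, n).to_bytes(k, "big")).decode()
    return re.sub(r"<SignatureValue>[^<]*</SignatureValue>", "<SignatureValue>%s</SignatureValue>" % sig, xml_text, count=1)
```

With `n, e, d = generate_rsa_key()` and `signed = sign_receipt(RECEIPT_XML, n, d)`, `verify_receipt(signed, n, e)` returns True, while editing any ProductReceipt attribute, swapping SignatureMethod for another algorithm, or touching SignatureValue turns it False. The same two-stage structure is why the question's code fails: openssl_verify() needs `signed_info_c14n`-style bytes as the data argument and the decoded signature, and even then the Reference digest still has to be checked separately.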

First, I would suggest writing the certificate in binary mode. That makes it less error-prone. So what I would recommend is:

```php
if (!file_exists($path)) {
    $fp = fopen($path, 'wb');
```

I'm assuming here that $CERTID will hold the value of CertificateId from the XML receipt. Please rename it to whatever you declared in your code.

```php
$cert = getCertificate($CERTID);
if ($cert == 0) {
    echo "bad";
} else {
    $data = $receiptXML->Signature->SignatureValue;
    $pubkeyid = openssl_get_publickey($cert);
    // state whether signature is okay or not
    $ok = openssl_verify($receiptXML, $data, $pubkeyid, OPENSSL_ALGO_SHA256);
    if ($ok == 1) {
        echo "good";
    } elseif ($ok == 0) {
        echo "bad";
    } else {
        echo "ugly, error checking signature";
    }
}
```

Hope this helps :)