使用PHP对Windows Store IAP签名验证远程证书

Question

我正在尝试在PHP中为Windows应用商店应用验证IAP收据。基本上，尝试将此示例代码转换为PHP http://msdn.microsoft.com/en-us/library/windows/apps/jj649137.aspx。 收据看起来像这样

<Receipt Version="1.0" ReceiptDate="2012-08-30T23:08:52Z" CertificateId="b809e47cd0110a4db043b3f73e83acd917fe1336" ReceiptDeviceId="4e362949-acc3-fe3a-e71b-89893eb4f528">
    <ProductReceipt Id="6bbf4366-6fb2-8be8-7947-92fd5f683530" ProductId="Product1" PurchaseDate="2012-08-30T23:08:52Z" ExpirationDate="2012-09-02T23:08:49Z" ProductType="Durable" AppId="55428GreenlakeApps.CurrentAppSimulatorEventTest_z7q3q7z11crfr" />
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <Reference URI="">
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                <DigestValue>Uvi8jkTYd3HtpMmAMpOm94fLeqmcQ2KCrV1XmSuY1xI=</DigestValue>
            </Reference>
        </SignedInfo>
        <SignatureValue>TT5fDET1X9nBk9/yKEJAjVASKjall3gw8u9N5Uizx4/Le9RtJtv+E9XSMjrOXK/TDicidIPLBjTbcZylYZdGPkMvAIc3/1mdLMZYJc+EXG9IsE9L74LmJ0OqGH5WjGK/UexAXxVBWDtBbDI2JLOaBevYsyy+4hLOcTXDSUA4tXwPa2Bi+BRoUTdYE2mFW7ytOJNEs3jTiHrCK6JRvTyU9lGkNDMNx9loIr+mRks+BSf70KxPtE9XCpCvXyWa/Q1JaIyZI7llCH45Dn4SKFn6L/JBw8G8xSTrZ3sBYBKOnUDbSCfc8ucQX97EyivSPURvTyImmjpsXDm2LBaEgAMADg==</SignatureValue>
    </Signature>
</Receipt>

我已经为此服务器检索了证书

function getCertificate($certID)
{
    $url  = 'https://lic.apps.microsoft.com/licensing/certificateserver/?cid=' . $certID;
    $path = '/mypath/certs/' . $certID;

    if(!file_exists($path)) {
        $fp = fopen($path, 'w');

        $ch = curl_init($url);
        curl_setopt($ch, CURLOPT_FILE, $fp);

        $data = curl_exec($ch);

        curl_close($ch);
        fclose($fp);
    }
    $cert = file_get_contents($path);
    //var_dump(openssl_x509_parse($cert));

    return openssl_x509_read($cert);
}

我认为SignatureValue是我的签名。据我所知，我需要的函数是openssl_verify，但我不确定我应该使用哪些参数，因为验证总是失败。

$data     = $receiptXML->Signature->SignatureValue;
$pubkeyid = openssl_get_publickey($cert);
// state whether signature is okay or not
$ok       = openssl_verify($receipt, $data, $pubkeyid, OPENSSL_ALGO_SHA256);
if($ok == 1) {
    echo "good";
} elseif($ok == 0) {
    echo "bad";
} else {
    echo "ugly, error checking signature";
}
// free the key from memory
openssl_free_key($pubkeyid);

有谁知道我在哪里出错？

Answer 1

我花了好几天验证收据，最后让它开始工作......

<?php
/**
 * Date: 01.11.2013
 * Time: 23:09
 * @author: Philipp Serrer
 */

namespace Ephisa\Service\WindowsStore;

require_once subpath . 'vendor/xmlseclibs/xmlseclibs.php';

use Ephisa\Cache;

class Receipt {

    private $doc;
    private $objXMLSecDSig;
    private $objDSig;

    function __construct($xml, $isFile = false)
    {
        if ($isFile) {
            $xml = file_get_contents($xml);
        }

        // strip unwanted chars - IMPORTANT!!!
        $xml = str_replace(array("\n","\t", "\r"), "", $xml);
        //some (probably mostly WP8) receipts have unnecessary spaces instead of tabs
        $xml = preg_replace('/\s+/', " ", $xml);
        $xml = str_replace("> <", "><", $xml);

        $doc = new \DOMDocument();
        $doc->loadXML($xml);

        $objXMLSecDSig = new \XMLSecurityDSig();
        $objDSig = $objXMLSecDSig->locateSignature($doc);

        if (!$objDSig) {
            throw new InvalidSignatureException();
        }

        //canonicalize
        $objXMLSecDSig->canonicalizeSignedInfo();

        $this->objDSig = $objDSig;
        $this->objXMLSecDSig = $objXMLSecDSig;
        $this->doc = $doc;
    }

    /**
     * Returns the key for verification.
     *
     * @return null|\XMLSecurityKey
     */
    function getKey()
    {
        $objKey = $this->objXMLSecDSig->locateKey();
        $keyInfo = \XMLSecEnc::staticLocateKeyInfo($objKey, $this->objDSig);

        if (!$keyInfo->key) {
            $xpath = new \DOMXPath($this->doc);
            $query = 'string(/Receipt/@CertificateId)';
            $id = $xpath->evaluate($query);

            Cache::instance()->setLifetime(60*60*24*7, 'win-store-cert');
            $cert = Cache::instance()->get($id, 'win-store-cert', function() use ($id) {
                return file_get_contents('https://lic.apps.microsoft.com/licensing/certificateserver/?cid=' . $id);
            });

            $objKey->loadKey($cert, false);
        }

        return $objKey;
    }

    /**
     * Verifies the given receipt
     *
     * @return bool Returns TRUE on success
     */
    function verify()
    {
        try {
            if (!$this->objXMLSecDSig->validateReference()) {
                return false;
            }

            return (bool)$this->objXMLSecDSig->verify($this->getKey());
        }
        catch (\Exception $e)
        {
            // failure...
        }

        return false;
    }
}

这段代码是我的框架的一部分，因此包含一些框架依赖代码（Cache），但我认为，你得到了主要的想法以及它是如何工作的。当然，您必须在https://github.com/robrichards/xmlseclibs

中包含php xmlseclibs

Answer 2

首先，我建议将证书写入二进制模式。它使它不容易出错。所以我建议的是

if(!file_exists($path)) {
        $fp = fopen($path, 'wb');

我在此假设$ CERTID将具有XML Receipt中 CertificateId 的值。请按照您在代码中声明的名称重命名。

$cert = getCertificate($CERTID)
if($cert == 0) {
    echo "bad";
} else {
    $data = $receiptXML->Signature->SignatureValue;
    $pubkeyid = openssl_get_publickey($cert);
    // state whether signature is okay or not
    $ok = openssl_verify($receiptXML, $data, $pubkeyid, OPENSSL_ALGO_SHA256);
    if($ok == 1) {
        echo "good";
    } elseif($ok == 0) {
        echo "bad";
    } else {
        echo "ugly, error checking signature";
    }

} 

希望这会有所帮助：）