我正在尝试使用PHP验证来自Windows应用商店的收据。
我正在使用以下代码:
<?php
include('Crypt/RSA.php');
include('File/X509.php');
$xml_str ='<Receipt Version="1.0" ReceiptDate="2012-08-30T23:08:52Z" CertificateId="b809e47cd0110a4db043b3f73e83acd917fe1336" ReceiptDeviceId="4e362949-acc3-fe3a-e71b-89893eb4f528">
<ProductReceipt Id="6bbf4366-6fb2-8be8-7947-92fd5f683530" ProductId="Product1" PurchaseDate="2012-08-30T23:08:52Z" ExpirationDate="2012-09-02T23:08:49Z" ProductType="Durable" AppId="55428GreenlakeApps.CurrentAppSimulatorEventTest_z7q3q7z11crfr" />
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<DigestValue>Uvi8jkTYd3HtpMmAMpOm94fLeqmcQ2KCrV1XmSuY1xI=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>TT5fDET1X9nBk9/yKEJAjVASKjall3gw8u9N5Uizx4/Le9RtJtv+E9XSMjrOXK/TDicidIPLBjTbcZylYZdGPkMvAIc3/1mdLMZYJc+EXG9IsE9L74LmJ0OqGH5WjGK/UexAXxVBWDtBbDI2JLOaBevYsyy+4hLOcTXDSUA4tXwPa2Bi+BRoUTdYE2mFW7ytOJNEs3jTiHrCK6JRvTyU9lGkNDMNx9loIr+mRks+BSf70KxPtE9XCpCvXyWa/Q1JaIyZI7llCH45Dn4SKFn6L/JBw8G8xSTrZ3sBYBKOnUDbSCfc8ucQX97EyivSPURvTyImmjpsXDm2LBaEgAMADg==</SignatureValue>
</Signature>
</Receipt>';
if( !$xml = simplexml_load_string( $xml_str ) )
{
echo 'Unable to load XML string<br />';
}
else
{
print 'XML String loaded successfully<br />';
}
$ch = curl_init();
//set the url, number of POST vars, POST data
curl_setopt($ch,CURLOPT_URL, "https://lic.apps.microsoft.com/licensing/certificateserver/?cid=".$xml["CertificateId"]);
curl_setopt($ch, CURLOPT_FRESH_CONNECT, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$responseFromServer = curl_exec($ch);
//echo $responseFromServer;
echo '<br/>';
$x509 = new File_X509();
$cert=$x509->loadX509($responseFromServer);
print_r($cert);
echo $x509->getPublicKey();
echo '<br/>';
//close connection
curl_close($ch);
$signatureInfo2='<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<DigestValue>Uvi8jkTYd3HtpMmAMpOm94fLeqmcQ2KCrV1XmSuY1xI=</DigestValue>
</Reference>
</SignedInfo>';
$data = $xml->Signature->SignatureValue;
echo $data;
echo '<br/>';
$dom = new DOMDocument();
$dom->loadXML($signatureInfo2);
$canonicalized = $dom->C14N(TRUE, FALSE);
echo $canonicalized;
echo '<br/>';
$rsa = new Crypt_RSA();
$key = $x509->getPublicKey();
$key1 = 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnK+P74KmRbczKst4ztFx 4wVDceo+2U1xJzaS5dlUns1UAPSitkZb66FyoWDFFHSacPrcZtZqov1uw/UDmE6t XvNxi4VgvSEYfzkpkmLdHpIFSwfonMkR93baWHCebLKVNobj3+CPzXNOjrl5TLA/ TFOFIPSAQ9h0gwRKroRkaMVeuGLhB+OuOaAdeC5RGstPiWZZCmf5lYcf7Hc0gX63 WtV/wpHO0joJ00jN3fw5zuQysFdlmJ/u4v6wanuP6KeiKkDKz6R8npvUp8votMYl DAPtSMJF9IbNILxzOsw8MEzA4k2qWwsvS55jMeuaDKueoYbEMnSxJqrqvJVWFAxMywIDAQAB';
if($rsa->loadKey($key1))
{ // public key
$rsa->setPublicKey();
$rsa->setHash('sha256');
echo $rsa->verify($canonicalized, $data) ? 'verified' : 'unverified';
}
?>
我关注this link。但我总是把“坏”作为输出。
有人可以告诉我这里我做错了吗?
由于
答案 0 :(得分:2)
我设法使用xmlseclibs库来验证WP8 IAP收据。 Windows Store没有太大区别。
此外,您需要启用php curl。
do {
$doc = new DOMDocument();
$xml = $_POST['receipt_data']; // your receipt xml here!
// strip unwanted chars - IMPORTANT!!!
$xml = str_replace(array("\n","\t", "\r"), "", $xml);
//some (probably mostly WP8) receipts have unnecessary spaces instead of tabs
$xml = preg_replace('/\s+/', " ", $xml);
$xml = str_replace("> <", "><", $xml);
$doc->loadXML($xml);
$receipt = $doc->getElementsByTagName('Receipt')->item(0);
$certificateId = $receipt->getAttribute('CertificateId');
$ch = curl_init("https://lic.apps.microsoft.com/licensing/certificateserver/?cid=$certificateId");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
$publicKey = curl_exec($ch);
$errno = curl_errno($ch);
$errmsg = curl_error($ch);
curl_close($ch);
if ($errno != 0) {
$verifyFailed = true;
break;
}
// Verify xml signature
require('./xmlseclibs.php');
$objXMLSecDSig = new XMLSecurityDSig();
$objDSig = $objXMLSecDSig->locateSignature($doc);
if (!$objDSig) {
$verifyFailed = true;
break;
}
try {
$objXMLSecDSig->canonicalizeSignedInfo();
$retVal = $objXMLSecDSig->validateReference();
if (!$retVal) {
throw new Exception("Error Processing Request", 1);
}
$objKey = $objXMLSecDSig->locateKey();
if (!$objKey) {
throw new Exception("Error Processing Request", 1);
}
$key = NULL;
$objKeyInfo = XMLSecEnc::staticLocateKeyInfo($objKey, $objDSig);
if (! $objKeyInfo->key && empty($key)) {
$objKey->loadKey($publicKey);
}
if (!$objXMLSecDSig->verify($objKey)) {
throw new Exception("Error Processing Request", 1);
}
} catch (Exception $e) {
$verifyFailed = true;
break;
}
$productReceipt = $doc->getElementsByTagName('ProductReceipt')->item(0);
$prodictId = $productReceipt->getAttribute('ProductId');
$purchaseDate = $productReceipt->getAttribute('PurchaseDate');
} while(0);
if ($verifyFailed) {
// invalid receipt
} else {
// valid receipt
}
如果您正在处理WP8应用内购买,则xml中的CertificateId
可能如下所示A656B9B1B3AA509EEA30222E6D5E7DBDA9822DCD
。但是以下链接给出了404错误:
https://lic.apps.microsoft.com/licensing/certificateserver/?cid=A656B9B1B3AA509EEA30222E6D5E7DBDA9822DCD
所以你不能用curl获得证书。而是用这个替换卷曲部分:
$publicKey = <<<EOT
-----BEGIN CERTIFICATE-----
MIIDFDCCAgCgAwIBAgIQrih3cQuSeL1CgpLFusfJsTAJBgUrDgMCHQUAMB8xHTAb
BgNVBAMTFElhcFJlY2VpcHRQcm9kdWN0aW9uMB4XDTEyMDIxNzAxMTYyNFoXDTM5
MTIzMTIzNTk1OVowHzEdMBsGA1UEAxMUSWFwUmVjZWlwdFByb2R1Y3Rpb24wggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDb0CeltVqOOIJiwNGgAr7Z0K4r
AYsHCa1oSFPJXtokz134bi2neJ8bHIKAnT0kwa3xViUxwp3+OZd2t2PshDv0ucZ5
dus6WCnuAw/MHVAodgLQMqYiKeM7VTIi3S1s3iV/66Y8KP7jH3CmE2XCXOQae+bQ
UuyGsTit0ScU7+MofODoNhvONs54n/K1WVnct2wWBpn8GGAS+l2mzOF0jXbMSjtz
7wuK77GeydG+x9paLuHIyCso7tjOqv/lvol5IIX0VnC5G2vC6dWR6MkNL5FzLXns
SuQgoYEUZXPlXJhsmv6oyyenaP0PpYJZcCLLVi1L2hcVo8B2DIEg3I3t8ch/AgMB
AAGjVDBSMFAGA1UdAQRJMEeAEHGLK3BRpCWDa2vU50kI73ehITAfMR0wGwYDVQQD
ExRJYXBSZWNlaXB0UHJvZHVjdGlvboIQrih3cQuSeL1CgpLFusfJsTAJBgUrDgMC
HQUAA4IBAQC4jmOu0H3j7AwVBvpQzPMLBd0GTimBXmJw+nruE+0Hh/0ywGTFNE+K
cQ21L4v+IuP8iMh3lpOcPb23ucuaoNSdWi375/KxrW831dbh+goqCZP7mWbxpnSn
FnuV+R1VPsQjdS+0tg5gjDKNMSx/2fH8krLAkidJ7rvUNmtEWMeVNk0/ZM/ECino
bMSSwbqUuc9Qql9T1epe+xv34a6eek+m4W0VXnLSuKhQS5jdILsyeJWHROZF5mrh
3DQuS0Ll5FzKmJxHf0hyXAo03SSA+x3JphAU4oYbkE9nRTU1tR6iq1D9ZxfQmvzm
IbMfyJ/y89PLs/ewHopSK7vQmGFjfjIl
-----END CERTIFICATE-----
EOT;
(证书来自MSDN sample code。我将其转换为PEM格式。)
它现在可以用XD了!
答案 1 :(得分:0)
您的$ canonicalized应该只删除带有“Signature”元素(及其所有子节点)的收据。之后,您可以执行base64_encode(hash('sha256',$ canonicalized,TRUE))以查看是否匹配DigestValue,然后再进入验证阶段。
除上述问题外,收据&amp;您使用的证书已过时,即使是来自Microsoft的“官方样本”:http://code.msdn.microsoft.com/wpapps/In-app-purchase-receipt-c3e0bce4 也无法使用他们的c#示例代码验证签名。
我花了好几天在网上找到工作收据和证书,但最终没有运气=(