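Apple Website Push: Signature verification of push package failed

Time: 2015-03-23 11:10:36

Tags: php openssl apple-push-notifications

Following the Apple Website Push Notification guide, I am getting this error message reported back to /endpoint/v1/log: Signature verification of push package failed.

However, when I download and verify it manually using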
curl -O $endpoint/push/v1/pushPackages/x/y
unzip y
openssl smime -verify -in signature -inform der -content manifest.json -noverify

I get Verification successful

The certificate is correctly added under the Apple Developer console, and the generation of the ZIP is quite straightforward:

$z = new ZipArchive();
$z->open($tmp, ZIPARCHIVE::CREATE);
$manifest = [];
$data = json_encode([
    'websiteName' => $name,
    'websitePushId' => $pushId,
    'allowedDomains' => $domains,
    'webServiceURL' => "$endpoint/push"
]);
$manifest['website.json'] = sha1($data);
$z->addFromString('website.json', $data);
$data = file_get_contents('static/favicon.png');
foreach (['16x16','16x16@2x','32x32','32x32@2x','128x128','128x128@2x'] as $f) {
    $f = 'icon.iconset/icon_'.$f.'.png';
    $manifest[$f] = sha1($data);
    $z->addFromString($f, $data);
}
file_put_contents('/tmp/manifest.json', json_encode($manifest));
$z->addFile('/tmp/manifest.json','manifest.json');
$pem = file_get_contents('etc/aweb.pem');
$cert = openssl_x509_read($pem);
$pk = openssl_pkey_get_private($pem, 'developer');
openssl_pkcs7_sign(
    '/tmp/manifest.json', '/tmp/signature',
    $cert, $pk, array(), PKCS7_BINARY | PKCS7_DETACHED
);
// PEM to DER
$pem = file_get_contents('/tmp/signature');
preg_match('~Content-Disposition:[^\n]+\s*?([A-Za-z0-9+=/\r\n]+)\s*?-----~', $pem, $matches);
$data = base64_decode($matches[1]);
$z->addFromString('signature', $data);
$z->close();

Note the use of -noverify: despite my attempts, I was not able to set up the certificate chain correctly:

curl -L https://www.apple.com/appleca/AppleIncRootCertificate.cer | openssl x509 -inform der > certs.pem
curl -L http://developer.apple.com/certificationauthority/AppleWWDRCA.cer | openssl x509 -inform der >> certs.pem
openssl smime -verify -in signature -inform der -content manifest.json -CAfile certs.pem

yields

Verification failure
140184513181352:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:pk7_smime.c:342:Verify error:unsupported certificate purpose

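One more thing: I find the documentation incredibly unclear about whether the ZIP file should contain a root directory (and if so, how it should be named). After hours of Missing files errors, I finally figured that the ZIP contains the root directory.

1 answer:

Answer 0: (score: 1)

I managed to find the problem: the second pushId parameter of window.safari.pushNotification.requestPermission contained a typo and did not match the websitePushId in manifest.json.

Conclusion: the error reporting on Safari's part is extremely misleading ;).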
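A pre-flight consistency check for a generated push package, as an added example that is not part of the original question or answer: it checks the three things this thread tripped over (files at the top level of the ZIP, SHA-1 values in manifest.json, and the websitePushId written into website.json versus the ID passed to requestPermission). It assumes the top-level layout that the PHP code in the question produces; `check_push_package`, `build_sample` and the `web.com.example.site` ID are hypothetical names, and the sample package with its placeholder signature is constructed. It does not verify the PKCS#7 signature itself.

```python
import hashlib
import io
import json
import zipfile

REQUIRED = {"website.json", "manifest.json", "signature"}


def check_push_package(zip_bytes, expected_push_id):
    """Return a list of problems in a push package ZIP (empty list = consistent)."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        names = {n for n in z.namelist() if not n.endswith("/")}
        missing = REQUIRED - names
        if missing:
            # Typical when every file sits under a wrapping root directory.
            return ["missing at top level: " + ", ".join(sorted(missing))]
        manifest = json.loads(z.read("manifest.json"))
        for path, digest in sorted(manifest.items()):
            if path not in names:
                problems.append(f"manifest lists {path}, which is not in the ZIP")
            elif hashlib.sha1(z.read(path)).hexdigest() != digest:
                problems.append(f"SHA-1 mismatch for {path}")
        for path in sorted(names - set(manifest) - {"manifest.json", "signature"}):
            problems.append(f"{path} is not covered by manifest.json")
        # The ID the page passes to requestPermission must equal this value.
        got = json.loads(z.read("website.json")).get("websitePushId")
        if got != expected_push_id:
            problems.append(f"websitePushId {got!r} != requested {expected_push_id!r}")
    return problems


def build_sample(push_id, root=""):
    """Constructed sample package; the signature is a placeholder, not real PKCS#7."""
    files = {
        "website.json": json.dumps({"websiteName": "Example", "websitePushId": push_id}).encode(),
        "icon.iconset/icon_16x16.png": b"constructed-icon-bytes",
    }
    manifest = {name: hashlib.sha1(data).hexdigest() for name, data in files.items()}
    files["manifest.json"] = json.dumps(manifest).encode()
    files["signature"] = b"placeholder"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(root + name, data)
    return buf.getvalue()


if __name__ == "__main__":
    print(check_push_package(build_sample("web.com.example.site"), "web.com.exmaple.site"))
```

Run against the bytes returned by the pushPackages endpoint, a non-empty result points at the package rather than at the signing certificate.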