2

如何使用 xmlsec1 验证 Win8 inapp-purchase 收据?这是我想做的事情:

  1. 我的样品收据(保存在文件中receipt.xml):

    <?xml version="1.0"?>
    <Receipt Version="1.0" ReceiptDate="2012-08-30T23:10:05Z" CertificateId="b809e47cd0110a4db043b3f73e83acd917fe1336" ReceiptDeviceId="4e362949-acc3-fe3a-e71b-89893eb4f528">
    <AppReceipt Id="8ffa256d-eca8-712a-7cf8-cbf5522df24b" AppId="55428GreenlakeApps.CurrentAppSimulatorEventTest_z7q3q7z11crfr" PurchaseDate="2012-06-04T23:07:24Z" LicenseType="Full" />
    <ProductReceipt Id="6bbf4366-6fb2-8be8-7947-92fd5f683530" ProductId="Product1" PurchaseDate="2012-08-30T23:08:52Z" ExpirationDate="2012-09-02T23:08:49Z" ProductType="Durable" AppId="55428GreenlakeApps.CurrentAppSimulatorEventTest_z7q3q7z11crfr" />
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <Reference URI="">
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                <DigestValue>cdiU06eD8X/w1aGCHeaGCG9w/kWZ8I099rw4mmPpvdU=</DigestValue>
            </Reference>
        </SignedInfo>
        <SignatureValue>SjRIxS/2r2P6ZdgaR9bwUSa6ZItYYFpKLJZrnAa3zkMylbiWjh9oZGGng2p6/gtBHC2dSTZlLbqnysJjl7mQp/A3wKaIkzjyRXv3kxoVaSV0pkqiPt04cIfFTP0JZkE5QD/vYxiWjeyGp1dThEM2RV811sRWvmEs/hHhVxb32e8xCLtpALYx3a9lW51zRJJN0eNdPAvNoiCJlnogAoTToUQLHs72I1dECnSbeNPXiG7klpy5boKKMCZfnVXXkneWvVFtAA1h2sB7ll40LEHO4oYN6VzD+uKd76QOgGmsu9iGVyRvvmMtahvtL1/pxoxsTRedhKq6zrzCfT8qfh3C1w==</SignatureValue>
    </Signature>
    

  2. 使用,我使用此 urlCertificateId检索证书并将其保存到文件中。以下是它的内容:cert

    -----BEGIN CERTIFICATE-----
    MIIDyTCCArGgAwIBAgIQNP+YKvSo8IVArhlhpgc/xjANBgkqhkiG9w0BAQsFADCB
    jjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1Jl
    ZG1vbmQxHjAcBgNVBAoMFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEWMBQGA1UECwwN
    V2luZG93cyBTdG9yZTEgMB4GA1UEAwwXV2luZG93cyBTdG9yZSBMaWNlbnNpbmcw
    HhcNMTExMTE3MjMwNTAyWhcNMzYxMTEwMjMxMzQ0WjCBjjELMAkGA1UEBhMCVVMx
    EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1JlZG1vbmQxHjAcBgNVBAoM
    FU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEWMBQGA1UECwwNV2luZG93cyBTdG9yZTEg
    MB4GA1UEAwwXV2luZG93cyBTdG9yZSBMaWNlbnNpbmcwggEiMA0GCSqGSIb3DQEB
    AQUAA4IBDwAwggEKAoIBAQCcr4/vgqZFtzMqy3jO0XHjBUNx6j7ZTXEnNpLl2VSe
    zVQA9KK2RlvroXKhYMUUdJpw+txm1mqi/W7D9QOYTq1e83GLhWC9IRh/OSmSYt0e
    kgVLB+icyRH3dtpYcJ5sspU2huPf4I/Nc06OuXlMsD9MU4Ug9IBD2HSDBEquhGRo
    xV64YuEH4645oB14LlEay0+JZlkKZ/mVhx/sdzSBfrda1X/Ckc7SOgnTSM3d/DnO
    5DKwV2WYn+7i/rBqe4/op6IqQMrPpHyem9Sny+i0xiUMA+1IwkX0hs0gvHM6zDww
    TMDiTapbCy9LnmMx65oMq56hhsQydLEmquq8lVYUDEzLAgMBAAGjITAfMB0GA1Ud
    DgQWBBREzrOBz7zw+HWskxonOXAPMa6+NzANBgkqhkiG9w0BAQsFAAOCAQEAeVtN
    4c6muxO6yfht9SaxEfleUBIjGfe0ewLBp00Ix7b7ldJ/lUQcA6y+Drrl7vjmkHQK
    OU3uZiFbCxTvgTcoz9o+1rzR/WPXmqH5bqu6ua/UrobGKavAScqqI/G6o56Xmx/y
    oErWN0VapN370crKJvNWxh3yw8DCl+W0EcVRiWX5lFsMBNBbVpK4Whp+VhkSJilu
    iRpe1B35Q8EqOz/4RQkOpVI0dREnuSYkBy/h2ggCtiQ5yfvH5zCdcfhFednYDevS
    axmt3W5WuHz8zglkg+OQ3qpXaXySRlrmLdxEmWu2MOiZbQkU2ZjBSQmvFAOy0dd6
    P1YLS4+Eyh5drQJc0Q==
    -----END CERTIFICATE-----
    
  3. 然后我试试这个:xmlsec1 --verify --print-debug --pubkey-cert-pem cert receipt.xml。这是输出:

    func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=229:obj=sha256:subj=unknown:error=12:invalid data:data and digest do not match
    FAIL
    SignedInfo References (ok/all): 0/1
    Manifests References (ok/all): 0/0
    = VERIFICATION CONTEXT
    == Status: invalid
    == flags: 0x00000000
    == flags2: 0x00000000
    == Key Info Read Ctx:
    = KEY INFO READ CONTEXT
    == flags: 0x00000000
    == flags2: 0x00000000
    == enabled key data: all
    == RetrievalMethod level (cur/max): 0/1
    == TRANSFORMS CTX (status=0)
    == flags: 0x00000000
    == flags2: 0x00000000
    == enabled transforms: all
    === uri: NULL
    === uri xpointer expr: NULL
    == EncryptedKey level (cur/max): 0/1
    === KeyReq:
    ==== keyId: NULL
    ==== keyType: 0x00000000
    ==== keyUsage: 0xffffffff
    ==== keyBitsSize: 0
    === list size: 0
    == Key Info Write Ctx:
    = KEY INFO WRITE CONTEXT
    == flags: 0x00000000
    == flags2: 0x00000000
    == enabled key data: all
    == RetrievalMethod level (cur/max): 0/1
    == TRANSFORMS CTX (status=0)
    == flags: 0x00000000
    == flags2: 0x00000000
    == enabled transforms: all
    === uri: NULL
    === uri xpointer expr: NULL
    == EncryptedKey level (cur/max): 0/1
    === KeyReq:
    ==== keyId: NULL
    ==== keyType: 0x00000001
    ==== keyUsage: 0xffffffff
    ==== keyBitsSize: 0
    === list size: 0
    == Signature Transform Ctx:
    == TRANSFORMS CTX (status=0)
    == flags: 0x00000000
    == flags2: 0x00000000
    == enabled transforms: all
    === uri: NULL
    === uri xpointer expr: NULL
    === Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
    === Transform: rsa-sha256 (href=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256)
    == Signature Method:
    === Transform: rsa-sha256 (href=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256)
    == SignedInfo References List:
    === list size: 1
    = REFERENCE VERIFICATION CONTEXT
    == Status: invalid
    == URI: ""
    == Reference Transform Ctx:
    == TRANSFORMS CTX (status=2)
    == flags: 0x00000000
    == flags2: 0x00000000
    == enabled transforms: all
    === uri: NULL
    === uri xpointer expr: NULL
    === Transform: enveloped-signature (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
    === Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
    === Transform: sha256 (href=http://www.w3.org/2001/04/xmlenc#sha256)
    === Transform: membuf-transform (href=NULL)
    == Digest Method:
    === Transform: sha256 (href=http://www.w3.org/2001/04/xmlenc#sha256)
    == Manifest References List:
    === list size: 0
    Error: failed to verify file "receipt.xml"
    

难道我做错了什么?我应该提供哪些参数来正确验证收据?或者它确实无效(那么有人可以向我提供有效的收据吗?)?

4

1 回答 1

2

我发现如果从receipt.xml. 如果文件在下载和保存时确实包含此文件,您可能需要运行该文件sed或删除它(如果它确实存在并且您不是自己不小心添加了它)。

# xmlsec1 --verify --print-debug --pubkey-cert-pem cert receipt.xml
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
= VERIFICATION CONTEXT
== Status: succeeded
== flags: 0x00000000
== flags2: 0x00000000
== Key Info Read Ctx:
= KEY INFO READ CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: rsa
==== keyType: 0x00000001
==== keyUsage: 0x00000002
==== keyBitsSize: 0
=== list size: 0
== Key Info Write Ctx:
= KEY INFO WRITE CONTEXT
== flags: 0x00000000
== flags2: 0x00000000
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
==== keyId: NULL
==== keyType: 0x00000001
==== keyUsage: 0xffffffff
==== keyBitsSize: 0
=== list size: 0
== Signature Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
=== Transform: exc-c14n (href=http://www.w3.org/2001/10/xml-exc-c14n#)
=== Transform: rsa-sha256 (href=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256)
=== Transform: membuf-transform (href=NULL)
== Signature Method:
=== Transform: rsa-sha256 (href=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256)
== Signature Key:
== KEY
=== method: RSAKeyValue
=== key type: Private
=== key usage: -1
=== rsa key: size = 2048
=== list size: 1
=== X509 Data:
==== Certificate:
==== Subject Name: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Windows Store/CN=Windows Store Licensing
==== Issuer Name: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Windows Store/CN=Windows Store Licensing
==== Issuer Serial: 34FF982AF4A8F08540AE1961A6073FC6
== SignedInfo References List:
=== list size: 1
= REFERENCE VERIFICATION CONTEXT
== Status: succeeded
== URI: ""
== Reference Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x00000000
== flags2: 0x00000000
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
=== Transform: enveloped-signature (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
=== Transform: c14n (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
=== Transform: sha256 (href=http://www.w3.org/2001/04/xmlenc#sha256)
=== Transform: membuf-transform (href=NULL)
== Digest Method:
=== Transform: sha256 (href=http://www.w3.org/2001/04/xmlenc#sha256)
== Manifest References List:
=== list size: 0

请记住,签名对确切的文件有效,一个字符一个字符。对文件的任何更改,甚至是用于格式化的空格,都会使签名无效。我怀疑当您打开文件时进行了一些格式设置,也许您使用该格式保存了它。

编辑

我忘记了您在发布的内容中也缺少结束标记receipt.xml。不过,我怀疑它在您的文件副本中,因为xmlsec1如果不是,我会告诉您的(正如它告诉我的那样;我必须手动添加它)。

尝试xmllint --noblanks --output receipt.xml receipt.xml删除不需要的空格和 CR/LF。

于 2014-04-10T19:30:24.197 回答