app-store-server-library 0.0.1 → 0.0.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 68c6886cd483c131d26e25b15df4a451e99a37e516411f707ccb93a99b29ab1e
-  data.tar.gz: 8395d65f9f774a231796b1dd244436e929085cdb77ddc0fa3e46abffdaf382a0
+  metadata.gz: 59036d7d3426ae6c07d940f6a46157f1e456f7070e3347a3db9d9ceb9495d063
+  data.tar.gz: 222c38a16941624f9592c44cdb43f9ba804e01370b7d77b2bd3c860ed10ad8c7
 SHA512:
-  metadata.gz: 4f96b3130f5c882be04265e4314725c8d2074594c8bfd3d46ad42ff37b96f9c10211019f94eed55ae1ff556353440ae17000cfd216ce6ccaec4fc4942e2d9ad5
-  data.tar.gz: e27151ab5ca970b3e4ab4d0125d6bc1c403fd65a960aae1176b10c4e189fe6f3cdf790025313c7c0954b6f46183c0045aeb348149df3c0ae7214d8779b74fee3
+  metadata.gz: 8a69b06b6d7f1250b7f8a22451b3a4455675cc3cd3a2e0692488c75f860217701edaf5a748e3278ae19d5955c0e3b37b146e1fd17136a0795d48d1fb9c8a994b
+  data.tar.gz: 05c6ff8cfae8baa8cd670d604459ea1dce7c209e86183272064e84e8f20eccac4c770df0c30e886f7d6f18483b59181242bb0a4fd53ec2a0e1c95bbe2a14f64e

data/README.md

@@ -0,0 +1,6 @@
+# Apple App Store Server Ruby Library
+The Ruby server library for the [App Store Server API](https://developer.apple.com/documentation/appstoreserverapi) and [App Store Server Notifications](https://developer.apple.com/documentation/appstoreservernotifications). 
+
+Inspired by [Apple App Store Server Node.js Library](https://github.com/apple/app-store-server-library-node)
+
+## TODO: readme

data/lib/app_store/signed_data_verifier.rb

@@ -0,0 +1,135 @@
+# frozen_string_literal: true
+
+require 'openssl'
+require 'json'
+require 'base64'
+require 'jwt'
+
+module AppStore
+  class SignedDataVerifier
+    ENVIRONMENTS = {
+      sandbox: 'Sandbox',
+      production: 'Production',
+      xcode: 'Xcode',
+      local_testing: 'LocalTesting'
+    }.freeze
+    MAX_SKEW = 60_000
+
+    attr_reader :root_certificates, :bundle_id, :environment, :app_apple_id
+
+    def initialize(root_certificates, environment, bundle_id, app_apple_id = nil)
+      @root_certificates = root_certificates.map { |cert| OpenSSL::X509::Certificate.new(cert) }
+      @bundle_id = bundle_id
+      @environment = environment
+      @app_apple_id = app_apple_id
+      return unless environment == ENVIRONMENTS[:production] && app_apple_id.nil?
+
+      raise 'app_apple_id is required when the environment is Production'
+    end
+
+    def verify_and_decode_transaction(signed_transaction_info)
+      decoded_jwt = verify_jwt(signed_transaction_info)
+      raise VerificationException, :invalid_app_identifier if decoded_jwt['bundleId'] != bundle_id
+      raise VerificationException, :invalid_environment if decoded_jwt['environment'] != environment
+
+      decoded_jwt
+    end
+
+    def verify_and_decode_renewal_info(signed_renewal_info)
+      decoded_renewal_info = verify_jwt(signed_renewal_info)
+      raise VerificationException, :invalid_environment if decoded_renewal_info['environment'] != @environment
+
+      decoded_renewal_info
+    end
+
+    def verify_and_decode_notification(signed_payload)
+      decoded_jwt = verify_jwt(signed_payload)
+      app_apple_id, bundle_id, environment = extract_info(decoded_jwt)
+      verify_notification(bundle_id, app_apple_id, environment)
+      decoded_jwt
+    end
+
+    def verify_and_decode_app_transaction(signed_app_transaction)
+      decoded_app_transaction = verify_jwt(signed_app_transaction) do |t|
+        t['receiptCreationDate'].nil? ? Time.now : Time.parse(t['receiptCreationDate'])
+      end
+      environment = decoded_app_transaction['receiptType']
+      if @bundle_id != decoded_app_transaction['bundleId'] || (@environment == :production && @app_apple_id != decoded_app_transaction['appAppleId'])
+        raise VerificationException, :invalid_app_identifier
+      end
+      raise VerificationException, :invalid_environment if @environment != environment
+
+      decoded_app_transaction
+    end
+
+    private
+
+    def verify_jwt(jws)
+      decoded_jwt = JWT.decode(jws, nil, false)
+      payload = decoded_jwt[0]
+      chain = decoded_jwt[1]['x5c'] || []
+      raise VerificationException, :invalid_chain_length if chain.size != 3
+
+      certificate_chain = chain[0..1].map { |cert| OpenSSL::X509::Certificate.new(Base64.decode64(cert)) }
+      effective_date = payload['signedDate'] ? Time.at(payload['signedDate'] / 1000) : Time.current
+      public_key = verify_certificate_chain(root_certificates, certificate_chain[0], certificate_chain[1], effective_date)
+      JWT.decode(jws, public_key, true, algorithm: 'ES256')
+
+      payload
+    rescue JWT::DecodeError, JWT::VerificationError => e
+      raise VerificationException.new(:verification_failure, e)
+    end
+
+    def verify_certificate_chain(trusted_roots, leaf, intermediate, effective_date)
+      root_cert = trusted_roots.find do |root|
+        intermediate.verify(root.public_key) && intermediate.issuer == root.subject
+      rescue OpenSSL::X509::CertificateError => _e
+        next
+      end
+
+      validity = !root_cert.nil?
+      validity &&= leaf.verify(intermediate.public_key) && leaf.issuer == intermediate.subject
+      validity &&= intermediate.extensions.any? { |ext| ext.oid == 'basicConstraints' && ext.value.start_with?('CA:TRUE') }
+      validity &&= leaf.extensions.any? { |ext| ext.oid == '1.2.840.113635.100.6.11.1' }
+      validity &&= intermediate.extensions.any? { |ext| ext.oid == '1.2.840.113635.100.6.2.1' }
+
+      raise VerificationException, :verification_failure unless validity
+
+      check_dates(leaf, effective_date)
+      check_dates(intermediate, effective_date)
+      check_dates(root_cert, effective_date)
+
+      leaf.public_key
+    end
+
+    def check_dates(cert, effective_date)
+      valid_from = cert.not_before
+      valid_to = cert.not_after
+      return unless valid_from > effective_date + MAX_SKEW || valid_to < effective_date - MAX_SKEW
+
+      raise VerificationException, :invalid_certificate
+    end
+
+    def extract_info(decoded_jwt)
+      app_apple_id = decoded_jwt.dig('data', 'appAppleId') ||
+                     decoded_jwt.dig('summary', 'appAppleId') ||
+                     decoded_jwt.dig('externalPurchaseToken', 'appAppleId')
+      bundle_id = decoded_jwt.dig('data', 'bundleId') ||
+                  decoded_jwt.dig('summary', 'bundleId') ||
+                  decoded_jwt.dig('externalPurchaseToken', 'bundleId')
+      environment = if decoded_jwt.dig('externalPurchaseToken', 'externalPurchaseId')&.start_with?('SANDBOX')
+                      ENVIRONMENTS[:sandbox]
+                    else
+                      ENVIRONMENTS[:production]
+                    end
+      [app_apple_id, bundle_id, environment]
+    end
+
+    def verify_notification(bundle_id, app_apple_id, environment)
+      if @bundle_id != bundle_id || (environment == ENVIRONMENTS[:production] && @app_apple_id != app_apple_id)
+        raise VerificationException, :invalid_app_identifier
+      end
+      raise VerificationException, :invalid_environment if @environment != environment
+    end
+  end
+end

data/lib/app_store/verification_exception.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module AppStore
+  class VerificationException < StandardError; end
+end

data/lib/app_store/verification_status.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module AppStore
+  module VerificationStatus
+    OK = :ok
+    VERIFICATION_FAILURE = :verification_failure
+    INVALID_APP_IDENTIFIER = :invalid_app_identifier
+    INVALID_ENVIRONMENT = :invalid_environment
+    INVALID_CHAIN_LENGTH = :invalid_chain_length
+    INVALID_CERTIFICATE = :invalid_certificate
+    FAILURE = :failure
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: app-store-server-library
 version: !ruby/object:Gem::Version
-  version: 0.0.1
+  version: 0.0.2
 platform: ruby
 authors:
 - Illia Kasianenko
@@ -30,7 +30,11 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- lib/app_store_server_library.rb
+- README.md
+- lib/app-store-server-library.rb
+- lib/app_store/signed_data_verifier.rb
+- lib/app_store/verification_exception.rb
+- lib/app_store/verification_status.rb
 homepage: https://github.com/got2be/app-store-server-library
 licenses: []
 metadata: