apple_receipt 0.1.1 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a381d5ac7037e9d434c0e0af717672f32d84f157b1086753aaf93e01951a2b42
-  data.tar.gz: f2722e6a2b589703f451035b4a34c2aa97aedbaa469e362443448c50d7bfcb3c
+  metadata.gz: f3234acf1d422b851c6e997c905ee974df3be03d446431d894498bf1f0e7e61e
+  data.tar.gz: db024ff11f3ae9a78a98275c9feb9f7fef8d536949a895866ad760a16d3eb185
 SHA512:
-  metadata.gz: e4f99e107fd8623e73bcc07ce0e095f6c1c44c345207355f915d0e49d31957325fb838869b5d4176907e23307901431be6d28e9ead4b7c81fde6003ee6bad39d
-  data.tar.gz: 5be1092bdcc3577e4d581284d6c998c8293e02aab9632fea8dee360c9c6b442e4bf6bcb7be1852c0a83534c86a97399ffac97797f0e312e4ec6cab0db6f87f57
+  metadata.gz: b7fdcd0d79dee2feedc4c95e8aebd124b58790fc0e12c916fe0a2f948db329eb4a859f299f09507019ee49e8f76809f0e630987d17cfac1267989f0765223cee
+  data.tar.gz: 551a6353876874102e79864b16dca85487054ed6d975a927b2b9ed69bbe22b5228e8aae820c5da249d8627a470e90694dd5ab7e0020bebc7a80f44525ad520f6

data/.rubocop.yml

@@ -1,2 +1,6 @@
 AllCops:
   TargetRubyVersion: 2.5
+
+Metrics/BlockLength:
+  Exclude:
+    - spec/**/*

data/.travis.yml

@@ -3,3 +3,5 @@ language: ruby
 rvm:
   - 2.5.0
 before_install: gem install bundler -v 1.16.1
+notifications:
+  email: false

data/CHANGELOG.md

@@ -0,0 +1,7 @@
+# Apple Receipt changelog
+
+## v0.2.0
+
+- Added ISC license [\#5](https://github.com/koenrh/apple_receipt/pull/5)
+- Added missing dependencies ([\#3](https://github.com/koenrh/apple_receipt/pull/3) and [\#4](https://github.com/koenrh/apple_receipt/pull/4))
+- Added support for 'version 2' receipts ([\#1](https://github.com/koenrh/apple_receipt/pull/1))

data/CODE_OF_CONDUCT.md

@@ -23,7 +23,7 @@ include:
 Examples of unacceptable behavior by participants include:
 
 * The use of sexualized language or imagery and unwelcome sexual attention or
-advances
+  advances
 * Trolling, insulting/derogatory comments, and personal or political attacks
 * Public or private harassment
 * Publishing others' private information, such as a physical or electronic
@@ -67,8 +67,5 @@ members of the project's leadership.
 
 ## Attribution
 
-This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
-available at [http://contributor-covenant.org/version/1/4][version]
-
-[homepage]: http://contributor-covenant.org
-[version]: http://contributor-covenant.org/version/1/4/
+This Code of Conduct is adapted from the [Contributor Covenant](https://www.contributor-covenant.org/),
+[version 1.4](https://www.contributor-covenant.org/version/1/4/code-of-conduct.html).

data/LICENSE.txt

@@ -1,21 +1,15 @@
-The MIT License (MIT)
+ISC License
 
-Copyright (c) 2018 Koen Rouwhorst
+Copyright (c) 2018, Koen Rouwhorst
 
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
+Permission to use, copy, modify, and/or distribute this software for any purpose
+with or without fee is hereby granted, provided that the above copyright notice
+and this permission notice appear in all copies.
 
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-THE SOFTWARE.
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
+REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
+FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
+INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
+OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
+TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF
+THIS SOFTWARE.

data/README.md

@@ -1,8 +1,15 @@
-# AppleReceipt
+# Apple Receipt
 
+[![Gem Version](https://badge.fury.io/rb/apple_receipt.svg)](https://badge.fury.io/rb/apple_receipt)
 [![Build Status](https://travis-ci.org/koenrh/apple_receipt.svg?branch=master)](https://travis-ci.org/koenrh/apple_receipt)
+[![Dependency Status](https://beta.gemnasium.com/badges/github.com/koenrh/apple_receipt.svg)](https://beta.gemnasium.com/projects/github.com/koenrh/apple_receipt)
 
-This gem allows you to to locally/cryptographically verify Apple receipts.
+This gem allows you to read and verify Apple receipts. It was originally built
+to locally (server-side) verify the validity of receipts that are embedded in
+[Status Update Notifications](https://developer.apple.com/library/content/documentation/NetworkingInternet/Conceptual/StoreKitGuide/Chapters/Subscriptions.html#//apple_ref/doc/uid/TP40008267-CH7-SW13).
+These receipts have a different format than [documented](https://developer.apple.com/library/content/releasenotes/General/ValidateAppStoreReceipt/Chapters/ValidateLocally.html#//apple_ref/doc/uid/TP40010573-CH1-SW2)
+App Store receipts you might be familiar with, which are [PKCS #7](https://tools.ietf.org/html/rfc2315)
+containers with a payload (receipt data) encoded using [ASN.1](https://www.itu.int/itu-t/recommendations/rec.aspx?rec=X.690).
 
 ## Installation
 
@@ -25,39 +32,74 @@ Or install it yourself as:
 ```ruby
 require 'apple_receipt'
 
-# check validity (certificate chain, and signature)
+# Check receipt's validity (certificate chain, and signature)
 receipt_raw = File.read('./receipt.txt')
 receipt = AppleReceipt::Receipt.new(receipt_raw)
 receipt.valid?
 # => true
 
-# read purchase info
+# Read receipt's data (data in example shortened for brevity)
 receipt.purchase_info
-# => {"original-purchase-date-pst"=>"2017-12-23 09:03:53 America/Los_Angeles",
-#  "quantity"=>"1",
-#  "unique-vendor-identifier"=>"D895D8DB-AEDF-4530-B7E5-E0C9A9A394B6",
-#  "original-purchase-date-ms"=>"1514048633000",
-#  "expires-date-formatted"=>"2018-01-23 17:03:44 Etc/GMT",
-#  "is-in-intro-offer-period"=>"false",
-#  "purchase-date-ms"=>"1514048624000",
-#  "expires-date-formatted-pst"=>"2018-01-23 09:03:44 America/Los_Angeles",
-#  "is-trial-period"=>"false",
-#  "item-id"=>"1190360447",
-#  "unique-identifier"=>"fed543dc24065fa2ab23ef08b0b44c0a0c9ed375",
-#  "original-transaction-id"=>"160000408504141",
-#  "expires-date"=>"1516727024000",
-#  "app-item-id"=>"947936149",
-#  "transaction-id"=>"160000408504141",
-#  "bvrs"=>"7000",
-#  "web-order-line-item-id"=>"160000091314729",
-#  "version-external-identifier"=>"825366855",
-#  "bid"=>"com.foo.bar",
-#  "product-id"=>"com.foo.bar.monthly",
-#  "purchase-date"=>"2017-12-23 17:03:44 Etc/GMT",
-#  "purchase-date-pst"=>"2017-12-23 09:03:44 America/Los_Angeles",
-#  "original-purchase-date"=>"2017-12-23 17:03:53 Etc/GMT"}
+# => {
+#   "quantity"=>"1",
+#   "expires-date-formatted"=>"2018-01-23 17:03:44 Etc/GMT",
+#   "is-in-intro-offer-period"=>"false",
+#   "is-trial-period"=>"false",
+#   "item-id"=>"1190360447",
+#   "app-item-id"=>"947936149",
+#   "transaction-id"=>"160000408504141",
+#   "web-order-line-item-id"=>"160000011000001",
+#   "bid"=>"com.foo.bar",
+#   "product-id"=>"com.foo.bar.monthly",
+#   "purchase-date"=>"2017-12-23 17:03:44 Etc/GMT",
+#   "original-purchase-date"=>"2017-12-23 17:03:53 Etc/GMT"
+# }
 ```
 
+## Apple receipts
+
+A receipt is encoded as base64, and is formatted as a [NeXTSTEP](https://en.wikipedia.org/wiki/Property_list#NeXTSTEP)
+dictionary:
+
+```
+{
+  "signature" = "[base64-encoded signature]";
+  "purchase-info" = "[base64-encoded purchase data]";
+  "pod" = "[integer]";
+  "signing-status" = "0";
+}
+```
+
+### Signature
+
+The `signature` entry contains base64-encoded binary data, which has the following
+layout:
+
+- **1 byte** - Receipt version (e.g. version 3).
+- **128 bytes** (version 2) or **256 bytes** (version 3) - Signature.
+- **4 bytes** - Length (in number of bytes) of the certificate.
+- **N bytes** - DER-encoded certificate.
+
+The version 2 and 3 receipt certificates are signed, respectively, by:
+
+- **Apple iTunes Store Certification Authority** (version 2)
+  - Serial: 26 (`0x1a`)
+  - Subject: `C=US, O=Apple Inc., OU=Apple Certification Authority, CN=Apple iTunes Store Certification Authority`
+- **Apple Worldwide Developer Relations Certification Authority** (version 3)
+  - Serial: 134752589830791184 (`0x1debcc4396da010`)
+  - Subject: `C=US, O=Apple Inc., OU=Apple Worldwide Developer Relations, CN=Apple Worldwide Developer Relations Certification Authority`
+
+Both certificates chain up to:
+
+- **Apple Root CA**
+  - Serial: 2 (`0x2`)
+  - Subject: `C=US, O=Apple Inc., OU=Apple Certification Authority, CN=Apple Root CA`
+
+### Purchase info
+
+The `purchase-info` entry contains a base64-encoded NeXTSTEP dictionary that contains
+the actual receipt data (purchase info).
+
 ## Contributing
 
 Bug reports and pull requests are welcome on [GitHub](https://github.com/koenrh/apple_receipt).
@@ -67,4 +109,4 @@ code of conduct.
 
 ## License
 
-The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
+The gem is available as open source under the terms of the [ISC License](https://opensource.org/licenses/ISC).

data/apple_receipt.gemspec

@@ -5,6 +5,7 @@ lib = File.expand_path('../lib', __FILE__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 require 'apple_receipt/version'
 
+# rubocop:disable Metrics/BlockLength
 Gem::Specification.new do |spec|
   spec.name          = 'apple_receipt'
   spec.version       = AppleReceipt::VERSION
@@ -30,8 +31,13 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ['lib']
 
+  spec.add_dependency 'json', '~> 2.0'
+  spec.add_dependency 'openssl', '~> 2.0'
+
   spec.add_development_dependency 'bundler', '~> 1.16'
   spec.add_development_dependency 'minitest', '~> 5.0'
-  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'mocha', '~> 1.3'
+  spec.add_development_dependency 'rake', '~> 12.0'
   spec.add_development_dependency 'rubocop', '~> 0.50'
 end
+# rubocop:enable Metrics/BlockLength

data/lib/apple_receipt/receipt.rb

@@ -11,17 +11,20 @@ module AppleReceipt
   class Receipt
     def initialize(raw_receipt)
       receipt_decoded = Base64.decode64(raw_receipt)
-      @version, @signature, @cert, @data = ReceiptParser.parse(receipt_decoded)
+      @version,
+        @signature,
+        @certificate,
+        @data = ReceiptParser.parse(receipt_decoded)
     end
 
     def purchase_info
-      NextStepParser.parse(data)
+      @purchase_info ||= NextStepParser.parse(data)
     end
 
     def valid?
       Validator.new(self).valid?
     end
 
-    attr_reader :version, :signature, :cert, :data
+    attr_reader :version, :signature, :certificate, :data
   end
 end

data/lib/apple_receipt/receipt_parser.rb

@@ -3,6 +3,7 @@
 require 'base64'
 require 'openssl'
 require 'json'
+require 'set'
 
 require 'apple_receipt/next_step_parser'
 
@@ -11,24 +12,38 @@ module AppleReceipt
   module ReceiptParser
     module_function
 
-    def bla(input)
+    SIGNATURE_LENGTH_MAPPING = {
+      2 => 128,
+      3 => 256
+    }.freeze
+
+    def parse(input)
       receipt_hash = NextStepParser.parse(input)
+
+      unless Set['signature', 'purchase-info'].subset?(receipt_hash.keys.to_set)
+        raise ArgumentError, 'Missing required fields'
+      end
+
       signature_decoded = Base64.decode64(receipt_hash['signature'])
-      data = Base64.decode64(receipt_hash['purchase-info'])
+      data_decoded = Base64.decode64(receipt_hash['purchase-info'])
 
-      sig = StringIO.new(signature_decoded)
-      [sig, data]
+      version, signature, receipt_cert = read_signature(signature_decoded)
+      [version, signature, receipt_cert, data_decoded]
     end
 
-    def parse(input)
-      sig, data = bla(input)
-
+    def read_signature(signature_decoded)
+      sig = StringIO.new(signature_decoded)
       version = sig.read(1).unpack('C').first # 8-bit unsigned (unsigned char)
-      signature = sig.read(256)
+
+      unless SIGNATURE_LENGTH_MAPPING.keys.include?(version)
+        raise ArgumentError, "Unsupported receipt version: #{version}"
+      end
+
+      signature = sig.read(SIGNATURE_LENGTH_MAPPING[version])
       cert_size = sig.read(4).unpack('L>')[0] # 32-bit unsigned, big-endian
       receipt_cert = OpenSSL::X509::Certificate.new(sig.read(cert_size))
 
-      [version, signature, receipt_cert, data]
+      [version, signature, receipt_cert]
     end
   end
 end

data/lib/apple_receipt/validator.rb

@@ -5,27 +5,44 @@ require 'openssl'
 module AppleReceipt
   # Validator allows one to check the validity of a receipt.
   class Validator
-    def initialize(receipt)
-      root_cert_pem = File.read('./certificates/AppleIncRootCertificate.cer')
-      root_cert = OpenSSL::X509::Certificate.new(root_cert_pem)
+    INTERMEDIATE_CERT_MAPPING = {
+      3 => 'AppleWorldwideDeveloperRelationsCertificationAuthority',
+      2 => 'AppleITunesStoreCertificationAuthority'
+    }.freeze
 
-      intermediate_cert_pem = File.read('./certificates/AppleWWDRCA.cer')
-      intermediate_cert = OpenSSL::X509::Certificate.new(intermediate_cert_pem)
+    def initialize(receipt, certificates: [])
+      populate_certificate_store(receipt.version, certificates)
+      @receipt = receipt
+    end
+
+    def populate_certificate_store(version, provided_certificates)
+      if provided_certificates.any?
+        add_certificates(provided_certificates)
+      else
+        add_named_certificate('AppleRootCA')
+        add_named_certificate(INTERMEDIATE_CERT_MAPPING[version])
+      end
+    end
 
-      store.add_cert(root_cert)
-      store.add_cert(intermediate_cert)
+    def add_named_certificate(name)
+      cert_file = File.read("./certificates/#{name}.cer")
+      store.add_cert(OpenSSL::X509::Certificate.new(cert_file))
+    end
 
-      @receipt = receipt
+    def add_certificates(certificates)
+      certificates.each do |cert|
+        store.add_cert(cert)
+      end
     end
 
     def valid?
-      store.verify(receipt.cert) &&
+      store.verify(receipt.certificate) &&
         public_key.verify(OpenSSL::Digest::SHA1.new,
                           receipt.signature, signed_data)
     end
 
     def public_key
-      receipt.cert.public_key
+      receipt.certificate.public_key
     end
 
     def signed_data

data/lib/apple_receipt/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module AppleReceipt
-  VERSION = '0.1.1'
+  VERSION = '0.2.0'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: apple_receipt
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.2.0
 platform: ruby
 authors:
 - Koen Rouwhorst
@@ -10,6 +10,34 @@ bindir: exe
 cert_chain: []
 date: 2018-01-27 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: json
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: openssl
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -38,20 +66,34 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '5.0'
+- !ruby/object:Gem::Dependency
+  name: mocha
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '12.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '12.0'
 - !ruby/object:Gem::Dependency
   name: rubocop
   requirement: !ruby/object:Gem::Requirement
@@ -76,16 +118,16 @@ files:
 - ".gitignore"
 - ".rubocop.yml"
 - ".travis.yml"
+- CHANGELOG.md
 - CODE_OF_CONDUCT.md
 - Gemfile
 - LICENSE.txt
 - README.md
 - Rakefile
 - apple_receipt.gemspec
-- bin/console
-- bin/setup
-- certificates/AppleIncRootCertificate.cer
-- certificates/AppleWWDRCA.cer
+- certificates/AppleITunesStoreCertificationAuthority.cer
+- certificates/AppleRootCA.cer
+- certificates/AppleWorldwideDeveloperRelationsCertificationAuthority.cer
 - lib/apple_receipt.rb
 - lib/apple_receipt/next_step_parser.rb
 - lib/apple_receipt/receipt.rb

data/bin/console

@@ -1,15 +0,0 @@
-#!/usr/bin/env ruby
-# frozen_string_literal: true
-
-require 'bundler/setup'
-require 'apple_receipt'
-
-# You can add fixtures and/or initialization code here to make experimenting
-# with your gem easier. You can also use a different console, if you like.
-
-# (If you use this, don't forget to add pry to your Gemfile!)
-# require "pry"
-# Pry.start
-
-require 'irb'
-IRB.start(__FILE__)

data/bin/setup

@@ -1,8 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-IFS=$'\n\t'
-set -vx
-
-bundle install
-
-# Do any other automated setup that you need to do here