ios - 使用命令行(openssl)验证iTunes iOS应用内收据(购买信息和签名)

Question

大约有5％的应用程序内购买未使用苹果(https://buy.itunes.apple.com/verifyReceipt)进行验证，错误代码为21002。我怀疑与收据一起收到的“签名”无效(可能是欺诈尝试)。我有base64_decoded“购买信息”，所有重要字段(出价，商品ID，产品ID等)看起来都是正确的。因此，我已经下载了苹果根证书(http://www.apple.com/certificateauthority/)，并亲自尝试验证“purchase-info”的“签名”，以查看如何在命令行中完成此操作，但始终失败。

有人可以帮助我完成一些操作，例如，我需要使用openssl在命令行中验证“purchase-info”的签名吗？

这是SANDBOX购买产生的收据，可以使用POST请求通过Apple SANDBOX服务进行验证。之前应该使用base64_encoded:

{"signature" = "AlMaoeJKrxXOkgKlL6ArGQh4nrJ1z0Dmd6riqhaNQaVS6Oaem8QzP5/RiAXlXri/oSzWHCyI1jCI5VMyGUoOKlqTeaVlW2xZBPDA9keqqQjCCp/R8NsTlkgUr5W4FIkF+Ey/tk8DwQIMZYMyp1BJhjXh3FqMAEbcYuJjGfreqBOlAAADVzCCA1MwggI7oAMCAQICCGUUkU3ZWAS1MA0GCSqGSIb3DQEBBQUAMH8xCzAJBgNVBAYTAlVTMRMwEQYDVQQKDApBcHBsZSBJbmMuMSYwJAYDVQQLDB1BcHBsZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEzMDEGA1UEAwwqQXBwbGUgaVR1bmVzIFN0b3JlIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA5MDYxNTIyMDU1NloXDTE0MDYxNDIyMDU1NlowZDEjMCEGA1UEAwwaUHVyY2hhc2VSZWNlaXB0Q2VydGlmaWNhdGUxGzAZBgNVBAsMEkFwcGxlIGlUdW5lcyBTdG9yZTETMBEGA1UECgwKQXBwbGUgSW5jLjELMAkGA1UEBhMCVVMwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMrRjF2ct4IrSdiTChaI0g8pwv/cmHs8p/RwV/rt/91XKVhNl4XIBimKjQQNfgHsDs6yju++DrKJE7uKsphMddKYfFE5rGXsAdBEjBwRIxexTevx3HLEFGAt1moKx509dhxtiIdDgJv2YaVs49B0uJvNdy6SMqNNLHsDLzDS9oZHAgMBAAGjcjBwMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUNh3o4p2C0gEYtTJrDtdDC5FYQzowDgYDVR0PAQH/BAQDAgeAMB0GA1UdDgQWBBSpg4PyGUjFPhJXCBTMzaN+mV8k9TAQBgoqhkiG92NkBgUBBAIFADANBgkqhkiG9w0BAQUFAAOCAQEAEaSbPjtmN4C/IB3QEpK32RxacCDXdVXAeVReS5FaZxc+t88pQP93BiAxvdW/3eTSMGY5FbeAYL3etqP5gm8wrFojX0ikyVRStQ+/AQ0KEjtqB07kLs9QUe8czR8UGfdM1EumV/UgvDd4NwNYxLQMg4WTQfgkQQVy8GXZwVHgbE/UC6Y7053pGXBk51NPM3woxhd3gSRLvXj+loHsStcTEqe9pBDpmG5+sk4tw+GK3GMeEN5/+e1QT9np/Kl1nj+aBw7C0xsy0bFnaAd1cSS6xdory/CUvM6gtKsmnOOdqTesbp0bs8sn6Wqs0C9dgcxRHuOMZ2tm8npLUm7argOSzQ==";
"purchase-info" = "ewoJIm9yaWdpbmFsLXB1cmNoYXNlLWRhdGUtcHN0IiA9ICIyMDEzLTEyLTIzIDAyOjIzOjUwIEFtZXJpY2EvTG9zX0FuZ2VsZXMiOwoJInVuaXF1ZS1pZGVudGlmaWVyIiA9ICIwMDAwYjAwOTI3YzgiOwoJIm9yaWdpbmFsLXRyYW5zYWN0aW9uLWlkIiA9ICIxMDAwMDAwMDk3MjAzMjM0IjsKCSJidnJzIiA9ICIxLjEwLjAyMSI7CgkidHJhbnNhY3Rpb24taWQiID0gIjEwMDAwMDAwOTcyMDMyMzQiOwoJInF1YW50aXR5IiA9ICIxIjsKCSJvcmlnaW5hbC1wdXJjaGFzZS1kYXRlLW1zIiA9ICIxMzg3Nzk0MjMwODIyIjsKCSJ1bmlxdWUtdmVuZG9yLWlkZW50aWZpZXIiID0gIjdCNzAxNzYxLUZDMTktNDYxNi05REVFLTUwRjVCNDRDNTUxMCI7CgkicHJvZHVjdC1pZCIgPSAiY2FzaGllcl9pb3NfZGVmYXVsdF81X3QiOwoJIml0ZW0taWQiID0gIjY0MTcwNDMzNCI7CgkiYmlkIiA9ICJIb0ZUZXN0IjsKCSJwdXJjaGFzZS1kYXRlLW1zIiA9ICIxMzg3Nzk0MjMwODIyIjsKCSJwdXJjaGFzZS1kYXRlIiA9ICIyMDEzLTEyLTIzIDEwOjIzOjUwIEV0Yy9HTVQiOwoJInB1cmNoYXNlLWRhdGUtcHN0IiA9ICIyMDEzLTEyLTIzIDAyOjIzOjUwIEFtZXJpY2EvTG9zX0FuZ2VsZXMiOwoJIm9yaWdpbmFsLXB1cmNoYXNlLWRhdGUiID0gIjIwMTMtMTItMjMgMTA6MjM6NTAgRXRjL0dNVCI7Cn0=";
"environment" = "Sandbox";
"pod" = "100";
"signing-status" = "0";}

更新1:感谢节奏拳手的带领:

我检查了来自沙箱的签名，并成功解析为:

openssl asn1parse-通知der

当我尝试对REAL收据的签名进行相同操作时，出现以下错误:

base64 -D real.signature.txt | openssl asn1parse -inform der
Error in encoding 28178:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:/SourceCache/OpenSSL098/OpenSSL098-50/src/crypto/asn1/asn1_lib.c:150:

以下是REAL收据中的签名，该签名已成功通过Apple验证，但无法使用以下命令进行解析:openssl asn1parse -inform der

Aqzwtl7Vcj9JrOuptPKWkuR1mPgjsA92Da/Wu0Dl4/Lnsb3yhiXry7NcXpMOkY3AxkoMCAK30QvVwYXd51Q4A8idQR2O/dsCTQRx8iOK7ewDctXm6REI2x85KIybGTZGw7eun7jTzfsdVm4kyzgLfD7lZH0AaVojP7k0wDGrleA1AAADVzCCA1MwggI7oAMCAQICCGUUkU3ZWAS1MA0GCSqGSIb3DQEBBQUAMH8xCzAJBgNVBAYTAlVTMRMwEQYDVQQKDApBcHBsZSBJbmMuMSYwJAYDVQQLDB1BcHBsZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEzMDEGA1UEAwwqQXBwbGUgaVR1bmVzIFN0b3JlIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA5MDYxNTIyMDU1NloXDTE0MDYxNDIyMDU1NlowZDEjMCEGA1UEAwwaUHVyY2hhc2VSZWNlaXB0Q2VydGlmaWNhdGUxGzAZBgNVBAsMEkFwcGxlIGlUdW5lcyBTdG9yZTETMBEGA1UECgwKQXBwbGUgSW5jLjELMAkGA1UEBhMCVVMwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMrRjF2ct4IrSdiTChaI0g8pwv/cmHs8p/RwV/rt/91XKVhNl4XIBimKjQQNfgHsDs6yju++DrKJE7uKsphMddKYfFE5rGXsAdBEjBwRIxexTevx3HLEFGAt1moKx509dhxtiIdDgJv2YaVs49B0uJvNdy6SMqNNLHsDLzDS9oZHAgMBAAGjcjBwMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUNh3o4p2C0gEYtTJrDtdDC5FYQzowDgYDVR0PAQH/BAQDAgeAMB0GA1UdDgQWBBSpg4PyGUjFPhJXCBTMzaN+mV8k9TAQBgoqhkiG92NkBgUBBAIFADANBgkqhkiG9w0BAQUFAAOCAQEAEaSbPjtmN4C/IB3QEpK32RxacCDXdVXAeVReS5FaZxc+t88pQP93BiAxvdW/3eTSMGY5FbeAYL3etqP5gm8wrFojX0ikyVRStQ+/AQ0KEjtqB07kLs9QUe8czR8UGfdM1EumV/UgvDd4NwNYxLQMg4WTQfgkQQVy8GXZwVHgbE/UC6Y7053pGXBk51NPM3woxhd3gSRLvXj+loHsStcTEqe9pBDpmG5+sk4tw+GK3GMeEN5/+e1QT9np/Kl1nj+aBw7C0xsy0bFnaAd1cSS6xdory/CUvM6gtKsmnOOdqTesbp0bs8sn6Wqs0C9dgcxRHuOMZ2tm8npLUm7argOSzQ==

更新＃2:

这是未通过21002验证的真实收据:

eyJwb2QiPSIyIjsicHVyY2hhc2UtaW5mbyI9ImV5SmhjSEF0YVhSbGJTMXBaQ0k5SWpVNE5qWXpORE16TVNJN0ltSjJjbk1pUFNJeExqRXdJanNpY0hWeVkyaGhjMlV0WkdGMFpTSTlJakl3TVRNdE1USXRNalVnTURnNk5EZzZOVEFnUlhSakwwZE5WQ0k3SW5GMVlXNTBhWFI1SWowaU1TSTdJbUpwWkNJOUlraHZSaTFUYkc5MGN5STdJblpsY25OcGIyNHRaWGgwWlhKdVlXd3RhV1JsYm5ScFptbGxjaUk5SWpJd01EUTRNalkxTkNJN0luQjFjbU5vWVhObExXUmhkR1V0Y0hOMElqMGlNakF4TXkweE1pMHlOU0F3TURvME9EbzFNQ0JCYldWeWFXTmhMMHh2YzE5QmJtZGxiR1Z6SWpzaWNIVnlZMmhoYzJVdFpHRjBaUzF0Y3lJOUlqRXpPRGM1TmpFek16QTNNekVpT3lKMWJtbHhkV1V0ZG1WdVpHOXlMV2xrWlc1MGFXWnBaWElpUFNKRE1UUXhNa0l4TnkweU9EVXdMVFEwUVRVdFFURTRNeTB5UVRFeVJEWTNPRGhDUmtFaU95SnZjbWxuYVc1aGJDMXdkWEpqYUdGelpTMWtZWFJsTFcxeklqMGlNVE00TnprMk1UTXpNRGN6TVNJN0ltOXlhV2RwYm1Gc0xYUnlZVzV6WVdOMGFXOXVMV2xrSWowaU5EYzBNell3T0RNek9UYzFOVEE1TkRNd01DSTdJbWwwWlcwdGFXUWlQU0kzTnpnMk5qRTFOekFpT3lKdmNtbG5hVzVoYkMxd2RYSmphR0Z6WlMxa1lYUmxMWEJ6ZENJOUlqSXdNVE10TVRJdE1qVWdNREE2TkRnNk5UQWdRVzFsY21sallTOU1iM05mUVc1blpXeGxjeUk3SW5CeWIyUjFZM1F0YVdRaVBTSndjbTl0YjE5cGIzTmZNREE0WHpFMU1GOHlNREF3TUNJN0luUnlZVzV6WVdOMGFXOXVMV2xrSWowaU5EYzBNell3T0RNek9UYzFOVEE1TkRNd01DSTdJbTl5YVdkcGJtRnNMWEIxY21Ob1lYTmxMV1JoZEdVaVBTSXlNREV6TFRFeUxUSTFJREE0T2pRNE9qVXdJRVYwWXk5SFRWUWlPeUoxYm1seGRXVXRhV1JsYm5ScFptbGxjaUk5SWpFME9EbGhPR05rTmpCbVpXVmpPVFUyTjJObU1qSmpNalU1Tm1Wak56RTNaREZoTURrME5qa2lPMzA9Ijsic2lnbmF0dXJlIj0iQXBkeEpkdE53UFUyckE1L2NuM2tJTzFPVGsyNWZlREthMGFhZ3l5UnZlV2xjRmxnbHY2UkY2em5raUJTM3VtOVVjN3BWb2IrUHFaUjJUOHd5VnJITnBsb2YzRFgzSXFET2xXcSs5MGE3WWwrcXJSN0E3ald3dml3NzA4UFMrNjdQeUhSbmhPL0c3YlZxZ1JwRXI2RXVGeWJpVTFGWEFpWEpjNmxzMVlBc3NReEFBQURWekNDQTFNd2dnSTdvQU1DQVFJQ0NHVVVrVTNaV0FTMU1BMEdDU3FHU0liM0RRRUJCUVVBTUg4eEN6QUpCZ05WQkFZVEFsVlRNUk13RVFZRFZRUUtEQXBCY0hCc1pTQkpibU11TVNZd0pBWURWUVFMREIxQmNIQnNaU0JEWlhKMGFXWnBZMkYwYVc5dUlFRjFkR2h2Y21sMGVURXpNREVHQTFVRUF3d3FRWEJ3YkdVZ2FWUjFibVZ6SUZOMGIzSmxJRU5sY25ScFptbGpZWFJwYjI0Z1FYVjBhRzl5YVhSNU1CNFhEVEE1TURZeE5USXlNRFUxTmxvWERURTBNRFl4TkRJeU1EVTFObG93WkRFak1DRUdBMVVFQXd3YVVIVnlZMmhoYzJWU1pXTmxhWEIwUTJWeWRHbG1hV05oZEdVeEd6QVpCZ05WQkFzTUVrRndjR3hsSUdsVWRXNWxjeUJUZEc5eVpURVRNQkVHQTFVRUNnd0tRWEJ3YkdVZ1NXNWpMakVMTUFrR0ExVUVCaE1DVlZNd2daOHdEUVlKS29aSWh2Y05BUUVCQlFBRGdZMEFNSUdKQW9HQkFNclJqRjJjdDRJclNkaVRDaGFJMGc4cHd2L2NtSHM4cC9Sd1YvcnQvOTFYS1ZoTmw0WElCaW1LalFRTmZnSHNEczZ5anUrK0RyS0pFN3VLc3BoTWRkS1lmRkU1ckdYc0FkQkVqQndSSXhleFRldngzSExFRkdBdDFtb0t4NTA5ZGh4dGlJZERnSnYyWWFWczQ5QjB1SnZOZHk2U01xTk5MSHNETHpEUzlvWkhBZ01CQUFHamNqQndNQXdHQTFVZEV3RUIvd1FDTUFBd0h3WURWUjBqQkJnd0ZvQVVOaDNvNHAyQzBnRVl0VEpyRHRkREM1RllRem93RGdZRFZSMFBBUUgvQkFRREFnZUFNQjBHQTFVZERnUVdCQlNwZzRQeUdVakZQaEpYQ0JUTXphTittVjhrOVRBUUJnb3Foa2lHOTJOa0JnVUJCQUlGQURBTkJna3Foa2lHOXcwQkFRVUZBQU9DQVFFQUVhU2JQanRtTjRDL0lCM1FFcEszMlJ4YWNDRFhkVlhBZVZSZVM1RmFaeGMrdDg4cFFQOTNCaUF4dmRXLzNlVFNNR1k1RmJlQVlMM2V0cVA1Z204d3JGb2pYMGlreVZSU3RRKy9BUTBLRWp0cUIwN2tMczlRVWU4Y3pSOFVHZmRNMUV1bVYvVWd2RGQ0TndOWXhMUU1nNFdUUWZna1FRVnk4R1had1ZIZ2JFL1VDNlk3MDUzcEdYQms1MU5QTTN3b3hoZDNnU1JMdlhqK2xvSHNTdGNURXFlOXBCRHBtRzUrc2s0dHcrR0szR01lRU41LytlMVFUOW5wL0tsMW5qK2FCdzdDMHhzeTBiRm5hQWQxY1NTNnhkb3J5L0NVdk02Z3RLc21uT09kcVRlc2JwMGJzOHNuNldxczBDOWRnY3hSSHVPTVoydG04bnBMVW03YXJnT1N6UT09Ijsic2lnbmluZy1zdGF0dXMiPSIwIjt9

Answer 1

看着签名，
base64 -D signature.b64 | openssl asn1parse -inform der
它看起来像证书，前面还有一些额外的内容:

  0:d=0    hl=2 l=    83 prim: INTEGER                     :1AA1E24AAF15CE9202A52FA02B1908789EB275CF40E677AAE2AA168D41A552E8E69E9BC4333F9FD18805E55EB8BFA12CD61C2C88D63088E55332194A0E2A5A9379A5655B6C5904F0C0F647AAA908C20A9FD1F0
 85:d=0    hl=2 l=    19 prim: priv [ 27 ]             
106:d=0    hl=2 l=    50 prim: cont [ 3 ]                
158:d=0    hl=2 l=     9 prim: OBJECT                        :sha1WithRSAEncryption
169:d=0    hl=2 l=     0 prim: NULL                            
171:d=0    hl=2 l= 127 cons: SEQUENCE                    
173:d=1    hl=2 l=    11 cons: SET                             
175:d=2    hl=2 l=     9 cons: SEQUENCE                    
177:d=3    hl=2 l=     3 prim: OBJECT                        :countryName
182:d=3    hl=2 l=     2 prim: PRINTABLESTRING     :US
186:d=1    hl=2 l=    19 cons: SET                             
188:d=2    hl=2 l=    17 cons: SEQUENCE                    
190:d=3    hl=2 l=     3 prim: OBJECT                        :organizationName
195:d=3    hl=2 l=    10 prim: UTF8STRING                :Apple Inc.

该长整数可能是签名，但我无法在线找到证书(Apple iTunes Store证书颁发机构)。我猜您可以从证书中提取公钥，并使用 openssl dgst -verify...进行验证，但这不能证明任何事情。

尽管这很有趣，但是iTunes验证程序告诉您的是收据无效且与真实交易不符-为什么重要？

更新

前面的那个长整数实际上不是asn1。对于这两个签名，跳过133个字节将为您提供上述证书:
dd bs=1 if=hiss-sig.der skip=133 > PurchaseReceiptCertificate.cer
更新2

查看真正的失败收据，直接解码会给出看似合理的购买信息，但捆绑包ID看起来与您的沙盒( "bid" = "HoFTest";)不同，并且 unique-identifier看起来有点小。签名部分具有证书，仍然不知道如何解释这133个字节。