Verifying windows 8 purchases (receipts) using PHP

北战南征 提交于 2019-12-18 17:00:54

问题


I need to verify in-app purchases made in Windows 8 applications server-side using PHP. MSDN's documentation page has an example only in C#. Right now I've spent a whole day by searching for a way to do it in PHP. No success. All over the internet there are only .NET examples on this topic.

I've found some partial information about signed XML and x509, some libraries (xmlseclibs - useless, uses openssl_* functions which do not support sha256; phpseclib - looks promising but their documentation and examples are poor with no help).

Is it possible to do it somehow without learning everything about signed XML, RSA and x509? Right now I've read almost everything but everywhere is info only about encoding. Nothing about verifying.


回答1:


I managed to verify WP8 IAP receipt using xmlseclibs library.

Also, you need php curl enabled.

do {
    $doc = new DOMDocument();

    $xml = $_POST['receipt_data']; // your receipt xml here!

    // strip unwanted chars - IMPORTANT!!!
    $xml = str_replace(array("\n","\t", "\r"), "", $xml);
    //some (probably mostly WP8) receipts have unnecessary spaces instead of tabs
    $xml = preg_replace('/\s+/', " ", $xml);
    $xml = str_replace("> <", "><", $xml);

    $doc->loadXML($xml);
    $receipt = $doc->getElementsByTagName('Receipt')->item(0);
    $certificateId = $receipt->getAttribute('CertificateId');

    $ch = curl_init("https://lic.apps.microsoft.com/licensing/certificateserver/?cid=$certificateId");
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);

    $publicKey = curl_exec($ch);
    $errno = curl_errno($ch);
    $errmsg = curl_error($ch);
    curl_close($ch);

    if ($errno != 0) {
        $verifyFailed = true;
        break;
    }

    // Verify xml signature
    require('./xmlseclibs.php');
    $objXMLSecDSig = new XMLSecurityDSig();
    $objDSig = $objXMLSecDSig->locateSignature($doc);
    if (!$objDSig) {
        $verifyFailed = true;
        break;
    }
    try {
        $objXMLSecDSig->canonicalizeSignedInfo();
        $retVal = $objXMLSecDSig->validateReference();
        if (!$retVal) {
            throw new Exception("Error Processing Request", 1);
        }
        $objKey = $objXMLSecDSig->locateKey();
        if (!$objKey) {
            throw new Exception("Error Processing Request", 1);
        }
        $key = NULL;
        $objKeyInfo = XMLSecEnc::staticLocateKeyInfo($objKey, $objDSig);
        if (! $objKeyInfo->key && empty($key)) {
            $objKey->loadKey($publicKey);
        }
        if (!$objXMLSecDSig->verify($objKey)) {
            throw new Exception("Error Processing Request", 1);
        }
    } catch (Exception $e) {
        $verifyFailed = true;
        break;
    }

    $productReceipt = $doc->getElementsByTagName('ProductReceipt')->item(0);
    $prodictId = $productReceipt->getAttribute('ProductId');
    $purchaseDate = $productReceipt->getAttribute('PurchaseDate');
} while(0);

if ($verifyFailed) {
    // invalid receipt
} else {
    // valid receipt
}



回答2:


Speak for yourself. I love phpseclib's "build your own example" approach to documentation.

That said, I don't think phpseclib can really be used in this case. So you have the SignatureValue tag. What does that signature cover though? With XML Signatures, my understanding is that the signature covers a normalized form of the XML. xmlseclibsnormalizes an XML doc but phpseclib doesn't as it's a crypto lib - not an XML lib.



来源:https://stackoverflow.com/questions/13672076/verifying-windows-8-purchases-receipts-using-php

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!