在 iOS 7 上本地验证应用内收据和捆绑收据的完整解决方案

本文介绍了在 iOS 7 上本地验证应用内收据和捆绑收据的完整解决方案的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!


I have read a lot of docs and code that in theory will validate an in-app and/or bundle receipt.

鉴于我对 SSL、证书、加密等方面的知识几乎为零,我读过的所有解释,像这样有前途一个,我觉得很难理解.

Given that my knowledge of SSL, certificates, encryption, etc., is nearly zero, all of the explanations I have read, like this promising one, I have found difficult to understand.


They say the explanations are incomplete because every person has to figure out how to do it, or the hackers will have an easy job creating a cracker app that can recognize and identify patterns and patch the application. OK, I agree with this up to a certain point. I think they could explain completely how to do it and put a warning saying "modify this method", "modify this other method", "obfuscate this variable", "change the name of this and that", etc.

有没有好心人可以解释一下如何在 iOS 7 上本地验证、捆绑收据和应用内购买收据,因为我已经五岁了(好吧,让它 3),从上到下,清楚吗?

Can some good soul out there be kind enough to explain how to LOCALLY validate, bundle receipts and in-app purchase receipts on iOS 7 as I am five years old (ok, make it 3), from top to bottom, clearly?


如果您有一个版本可用于您的应用,并且您担心黑客会看到您是如何做到的,只需在此处发布之前更改您的敏感方法即可.混淆字符串,改变行的顺序,改变你做循环的方式(从使用 for 到阻塞枚举,反之亦然)等等.显然,每个使用可能被张贴在这里的代码的人都必须做同样的事情,不要冒险被轻易黑客入侵.

If you have a version working on your apps and your concerns are that hackers will see how you did it, simply change your sensitive methods before publishing here. Obfuscate strings, change the order of lines, change the way you do loops (from using for to block enumeration and vice-versa) and things like that. Obviously, every person that uses the code that may be posted here, has to do the same thing, not to risk being easily hacked.


这是我如何在我的应用内购买库中解决此问题的演练 RMStore.我将解释如何验证交易,包括验证整个收据.

Here's a walkthrough of how I solved this in my in-app purchase library RMStore. I will explain how to verify a transaction, which includes verifying the whole receipt.


Get the receipt and verify the transaction. If it fails, refresh the receipt and try again. This makes the verification process asynchronous as refreshing the receipt is asynchronous.

来自 RMStoreAppReceiptVerifier:

RMAppReceipt *receipt = [RMAppReceipt bundleReceipt]; const BOOL verified = [self verifyTransaction:transaction inReceipt:receipt success:successBlock failure:nil]; // failureBlock is nil intentionally. See below. if (verified) return; // Apple recommends to refresh the receipt if validation fails on iOS [[RMStore defaultStore] refreshReceiptOnSuccess:^{ RMAppReceipt *receipt = [RMAppReceipt bundleReceipt]; [self verifyTransaction:transaction inReceipt:receipt success:successBlock failure:failureBlock]; } failure:^(NSError *error) { [self failWithBlock:failureBlock error:error]; }];


收据在 [[NSBundle mainBundle] appStoreReceiptURL] 中,实际上是一个 PCKS7 容器.我很擅长密码学,所以我使用 OpenSSL 来打开这个容器.其他人显然纯粹是使用系统框架完成的.

Getting the receipt data

The receipt is in [[NSBundle mainBundle] appStoreReceiptURL] and is actually a PCKS7 container. I suck at cryptography so I used OpenSSL to open this container. Others apparently have done it purely with system frameworks.

将 OpenSSL 添加到您的项目并非易事.RMStore wiki 应该会有所帮助.

Adding OpenSSL to your project is not trivial. The RMStore wiki should help.

如果您选择使用 OpenSSL 打开 PKCS7 容器,您的代码可能如下所示.来自 RMAppReceipt:

If you opt to use OpenSSL to open the PKCS7 container, your code could look like this. From RMAppReceipt:

+ (NSData*)dataFromPKCS7Path:(NSString*)path { const char *cpath = [[path stringByStandardizingPath] fileSystemRepresentation]; FILE *fp = fopen(cpath, "rb"); if (!fp) return nil; PKCS7 *p7 = d2i_PKCS7_fp(fp, NULL); fclose(fp); if (!p7) return nil; NSData *data; NSURL *certificateURL = [[NSBundle mainBundle] URLForResource:@"AppleIncRootCertificate" withExtension:@"cer"]; NSData *certificateData = [NSData dataWithContentsOfURL:certificateURL]; if ([self verifyPKCS7:p7 withCertificateData:certificateData]) { struct pkcs7_st *contents = p7->d.sign->contents; if (PKCS7_type_is_data(contents)) { ASN1_OCTET_STRING *octets = contents->d.data; data = [NSData dataWithBytes:octets->data length:octets->length]; } } PKCS7_free(p7); return data; }


We'll get into the details of the verification later.


The receipt is expressed in ASN1 format. It contains general information, some fields for verification purposes (we'll come to that later) and specific information of each applicable in-app purchase.

在读取 ASN1 时,OpenSSL 再次派上用场.来自 RMAppReceipt,使用一些辅助方法:

Again, OpenSSL comes to the rescue when it comes to reading ASN1. From RMAppReceipt, using a few helper methods:

NSMutableArray *purchases = [NSMutableArray array]; [RMAppReceipt enumerateASN1Attributes:asn1Data.bytes length:asn1Data.length usingBlock:^(NSData *data, int type) { const uint8_t *s = data.bytes; const NSUInteger length = data.length; switch (type) { case RMAppReceiptASN1TypeBundleIdentifier: _bundleIdentifierData = data; _bundleIdentifier = RMASN1ReadUTF8String(&s, length); break; case RMAppReceiptASN1TypeAppVersion: _appVersion = RMASN1ReadUTF8String(&s, length); break; case RMAppReceiptASN1TypeOpaqueValue: _opaqueValue = data; break; case RMAppReceiptASN1TypeHash: _hash = data; break; case RMAppReceiptASN1TypeInAppPurchaseReceipt: { RMAppReceiptIAP *purchase = [[RMAppReceiptIAP alloc] initWithASN1Data:data]; [purchases addObject:purchase]; break; } case RMAppReceiptASN1TypeOriginalAppVersion: _originalAppVersion = RMASN1ReadUTF8String(&s, length); break; case RMAppReceiptASN1TypeExpirationDate: { NSString *string = RMASN1ReadIA5SString(&s, length); _expirationDate = [RMAppReceipt formatRFC3339String:string]; break; } } }]; _inAppPurchases = purchases;


每个应用内购买也在 ASN1 中.解析它与解析一般收据信息非常相似.

Getting the in-app purchases

Each in-app purchase is also in ASN1. Parsing it is very similar than parsing the general receipt information.

来自 RMAppReceipt,使用相同的辅助方法:

From RMAppReceipt, using the same helper methods:

[RMAppReceipt enumerateASN1Attributes:asn1Data.bytes length:asn1Data.length usingBlock:^(NSData *data, int type) { const uint8_t *p = data.bytes; const NSUInteger length = data.length; switch (type) { case RMAppReceiptASN1TypeQuantity: _quantity = RMASN1ReadInteger(&p, length); break; case RMAppReceiptASN1TypeProductIdentifier: _productIdentifier = RMASN1ReadUTF8String(&p, length); break; case RMAppReceiptASN1TypeTransactionIdentifier: _transactionIdentifier = RMASN1ReadUTF8String(&p, length); break; case RMAppReceiptASN1TypePurchaseDate: { NSString *string = RMASN1ReadIA5SString(&p, length); _purchaseDate = [RMAppReceipt formatRFC3339String:string]; break; } case RMAppReceiptASN1TypeOriginalTransactionIdentifier: _originalTransactionIdentifier = RMASN1ReadUTF8String(&p, length); break; case RMAppReceiptASN1TypeOriginalPurchaseDate: { NSString *string = RMASN1ReadIA5SString(&p, length); _originalPurchaseDate = [RMAppReceipt formatRFC3339String:string]; break; } case RMAppReceiptASN1TypeSubscriptionExpirationDate: { NSString *string = RMASN1ReadIA5SString(&p, length); _subscriptionExpirationDate = [RMAppReceipt formatRFC3339String:string]; break; } case RMAppReceiptASN1TypeWebOrderLineItemID: _webOrderLineItemID = RMASN1ReadInteger(&p, length); break; case RMAppReceiptASN1TypeCancellationDate: { NSString *string = RMASN1ReadIA5SString(&p, length); _cancellationDate = [RMAppReceipt formatRFC3339String:string]; break; } } }];

需要注意的是,某些应用内购买(例如消耗品和不可再生订阅)只会在收据中出现一次.您应该在购买后立即验证这些(同样,RMStore 可以帮助您).

It should be noted that certain in-app purchases, such as consumables and non-renewable subscriptions, will appear only once in the receipt. You should verify these right after the purchase (again, RMStore helps you with this).


Now we got all the fields from the receipt and all its in-app purchases. First we verify the receipt itself, and then we simply check if the receipt contains the product of the transaction.

下面是我们一开始回调的方法.来自 RMStoreAppReceiptVerificator:

Below is the method that we called back at the beginning. From RMStoreAppReceiptVerificator:

- (BOOL)verifyTransaction:(SKPaymentTransaction*)transaction inReceipt:(RMAppReceipt*)receipt success:(void (^)())successBlock failure:(void (^)(NSError *error))failureBlock { const BOOL receiptVerified = [self verifyAppReceipt:receipt]; if (!receiptVerified) { [self failWithBlock:failureBlock message:NSLocalizedString(@"The app receipt failed verification", @"")]; return NO; } SKPayment *payment = transaction.payment; const BOOL transactionVerified = [receipt containsInAppPurchaseOfProductIdentifier:payment.productIdentifier]; if (!transactionVerified) { [self failWithBlock:failureBlock message:NSLocalizedString(@"The app receipt doest not contain the given product", @"")]; return NO; } if (successBlock) { successBlock(); } return YES; }



Verifying the receipt

Verifying the receipt itself boils down to:

  • 检查收据是否有效 PKCS7 和 ASN1.我们已经隐含地做到了这一点.
  • 验证收据是否由 Apple 签名.这是在解析收据之前完成的,将在下面详细说明.
  • 检查收据中包含的捆绑标识符是否与您的捆绑标识符一致.您应该对您的捆绑包标识符进行硬编码,因为修改您的应用捆绑包并使用其他收据似乎并不难.
  • 检查收据中包含的应用版本是否与您的应用版本标识符一致.出于与上述相同的原因,您应该对应用版本进行硬编码.
  • 检查收据哈希以确保收据与当前设备对应.
  • 高级代码中的 5 个步骤,来自 RMStoreAppReceiptVerificator:

    The 5 steps in code at a high-level, from RMStoreAppReceiptVerificator:

    - (BOOL)verifyAppReceipt:(RMAppReceipt*)receipt { // Steps 1 & 2 were done while parsing the receipt if (!receipt) return NO; // Step 3 if (![receipt.bundleIdentifier isEqualToString:self.bundleIdentifier]) return NO; // Step 4 if (![receipt.appVersion isEqualToString:self.bundleVersion]) return NO; // Step 5 if (![receipt verifyReceiptHash]) return NO; return YES; }

    让我们深入了解第 2 步和第 5 步.

    Let's drill-down into steps 2 and 5.

    当我们提取数据时,我们浏览了收据签名验证.收据是用 Apple Inc. Root Certificate 签名的,该证书可以从 Apple Root Certificate Authority 下载.以下代码将 PKCS7 容器和根证书作为数据并检查它们是否匹配:

    Back when we extracted the data we glanced over the receipt signature verification. The receipt is signed with the Apple Inc. Root Certificate, which can be downloaded from Apple Root Certificate Authority. The following code takes the PKCS7 container and the root certificate as data and checks if they match:

    + (BOOL)verifyPKCS7:(PKCS7*)container withCertificateData:(NSData*)certificateData { // Based on: developer.apple/library/content/releasenotes/General/ValidateAppStoreReceipt/Chapters/ValidateLocally.html#//apple_ref/doc/uid/TP40010573-CH1-SW17 static int verified = 1; int result = 0; OpenSSL_add_all_digests(); // Required for PKCS7_verify to work X509_STORE *store = X509_STORE_new(); if (store) { const uint8_t *certificateBytes = (uint8_t *)(certificateData.bytes); X509 *certificate = d2i_X509(NULL, &certificateBytes, (long)certificateData.length); if (certificate) { X509_STORE_add_cert(store, certificate); BIO *payload = BIO_new(BIO_s_mem()); result = PKCS7_verify(container, NULL, store, NULL, payload, 0); BIO_free(payload); X509_free(certificate); } } X509_STORE_free(store); EVP_cleanup(); // Balances OpenSSL_add_all_digests (), per www.openssl/docs/crypto/OpenSSL_add_all_algorithms.html return result == verified; }


    This was done back at the beginning, before the receipt was parsed.

    收据中包含的哈希是设备 ID 的 SHA1、收据中包含的一些不透明值和捆绑包 ID.

    The hash included in the receipt is a SHA1 of the device id, some opaque value included in the receipt and the bundle id.

    这是您在 iOS 上验证收据哈希的方法.来自 RMAppReceipt:

    This is how you would verify the receipt hash on iOS. From RMAppReceipt:

    - (BOOL)verifyReceiptHash { // TODO: Getting the uuid in Mac is different. See: developer.apple/library/content/releasenotes/General/ValidateAppStoreReceipt/Chapters/ValidateLocally.html#//apple_ref/doc/uid/TP40010573-CH1-SW5 NSUUID *uuid = [[UIDevice currentDevice] identifierForVendor]; unsigned char uuidBytes[16]; [uuid getUUIDBytes:uuidBytes]; // Order taken from: developer.apple/library/content/releasenotes/General/ValidateAppStoreReceipt/Chapters/ValidateLocally.html#//apple_ref/doc/uid/TP40010573-CH1-SW5 NSMutableData *data = [NSMutableData data]; [data appendBytes:uuidBytes length:sizeof(uuidBytes)]; [data appendData:self.opaqueValue]; [data appendData:self.bundleIdentifierData]; NSMutableData *expectedHash = [NSMutableData dataWithLength:SHA_DIGEST_LENGTH]; SHA1(data.bytes, data.length, expectedHash.mutableBytes); return [expectedHash isEqualToData:self.hash]; }


    And that's the gist of it. I might be missing something here or there, so I might come back to this post later. In any case, I recommend browsing the complete code for more details.


