cthulhu/ios-receipt-parser

Utility to parse Apple-issued PKCS#7 container with receipts

v1.0.0 2020-09-01 19:18 UTC

This package is auto-updated.

Last update: 2021-03-01 00:31:25 UTC


README

This library can be used to parse Apple billing receipts in accordance with https://developer.apple.com/library/archive/releasenotes/General/ValidateAppStoreReceipt/Chapters/ValidateLocally.html and https://developer.apple.com/library/archive/releasenotes/General/ValidateAppStoreReceipt/Chapters/ReceiptFields.html without calling Apple servers.

This is required, in particular, when you use latest XCode features to test your billing flow: https://developer.apple.com/documentation/xcode/setting_up_storekit_testing_in_xcode, because receipts generated this way are signed by you local special-purpose certificate and cannot be validated via Apple's own servers.

In all other cases, you should strongly prefer to validate all receipts against Apple servers.

Installation

composer install cthulhu/ios-receipt-parser

Usage

Primary use case is to parse receipt generated by StoreKit for you locally, so you don't have to validate the signatures:

<?php

use Cthulhu\IosReceiptParser\InApp;
use Cthulhu\IosReceiptParser\Parser;
use Cthulhu\IosReceiptParser\Receipt;

include __DIR__ . '/vendor/autoload.php';

const RECEIPT = 'MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwGggCSABIIDIjGCAx4wDwIBAAIBAQQHDAVYY29kZTALAgEBAgEBBAMCAQAwIQIBAgIBAQQZDBdjb20uZmxpbnRjYXN0LmV2ZXJtYXRjaDAMAgEDAgEBBAQMAjU3MBACAQQCAQEECJP3/b8GAAAAMBwCAQUCAQEEFCSQtOs5g6T0ehkSsSndhJtK1VADMAoCAQgCAQEEAhYAMCICAQwCAQEEGhYYMjAyMC0wOS0wMVQxNjo1ODo0OSswMzAwMIHSAgERAgEBBIHJMYHGMAwCAgalAgEBBAMCAQEwGwICBqYCAQEEEgwQcnUuc3ViLnZpcC53ZWVrMjANAgIGpwIBAQQEDAI1NzAjAgIGqAIBAQQaFhgyMDIwLTA5LTAxVDE2OjU4OjQyKzAzMDAwDQICBqkCAQEEBAwCNTYwIwICBqoCAQEEGhYYMjAyMC0wOS0wMVQxNjo1ODozNSswMzAwMCMCAgasAgEBBBoWGDIwMjAtMDktMDFUMTY6NTg6NDkrMDMwMDAMAgIGtwIBAQQDAgEAMIHSAgERAgEBBIHJMYHGMAwCAgalAgEBBAMCAQEwGwICBqYCAQEEEgwQcnUuc3ViLnZpcC5tb250aDANAgIGpwIBAQQEDAI1ODAjAgIGqAIBAQQaFhgyMDIwLTA5LTAxVDE2OjU4OjQ5KzAzMDAwDQICBqkCAQEEBAwCNTYwIwICBqoCAQEEGhYYMjAyMC0wOS0wMVQxNjo1ODozNSswMzAwMCMCAgasAgEBBBoWGDIwMjAtMDktMDFUMTY6NTk6MTkrMDMwMDAMAgIGtwIBAQQDAgEAMIGeAgERAgEBBIGVMYGSMAwCAgalAgEBBAMCAQEwGwICBqYCAQEEEgwQcnUuc3ViLnZpcC53ZWVrMjANAgIGpwIBAQQEDAI1NjAjAgIGqAIBAQQaFhgyMDIwLTA5LTAxVDE2OjU4OjM1KzAzMDAwIwICBqwCAQEEGhYYMjAyMC0wOS0wMVQxNjo1ODo0MiswMzAwMAwCAga3AgEBBAMCAQAwIgIBFQIBAQQaFhg0MDAxLTAxLTAxVDAzOjAwOjAwKzAzMDAAAAAAAACgggN4MIIDdDCCAlygAwIBAgIBATANBgkqhkiG9w0BAQsFADBfMREwDwYDVQQDDAhTdG9yZUtpdDERMA8GA1UECgwIU3RvcmVLaXQxETAPBgNVBAsMCFN0b3JlS2l0MQswCQYDVQQGEwJVUzEXMBUGCSqGSIb3DQEJARYIU3RvcmVLaXQwHhcNMjAwNDAxMTc1MjM1WhcNNDAwMzI3MTc1MjM1WjBfMREwDwYDVQQDDAhTdG9yZUtpdDERMA8GA1UECgwIU3RvcmVLaXQxETAPBgNVBAsMCFN0b3JlS2l0MQswCQYDVQQGEwJVUzEXMBUGCSqGSIb3DQEJARYIU3RvcmVLaXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDbf5A8LHMP25cmS5O7CvihIT7IYdkkyF4fdT7ak9sxGpGAub/lDMs8uw5EYib6BCm2Sedv4BvmDWjNJW7Ddgj1SguuenQ8xKkLs89iD/u0vPfbhF4o60cN8e2LrPWfsAk4o257yyZQChrhidFydgs5TMtPbsCzX7eVurmoXUp0q+9vQaV+CY26PT3NcFfY7e/V2nfIkwQc7wmIeGXOgfKNcucHGm4mEvcysQ27OJBrBsT8DeWVUM2RyLol9FjJjOFx20pF8y0ZlgNWgaZE7nV3W1PPeKxduj5fUCtcKYzdwtcqF98itNfkeKivqG2nwdpoLWbMzykLUCzjwvvmXxLBAgMBAAGjOzA5MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgKEMBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMDMA0GCSqGSIb3DQEBCwUAA4IBAQCyAOA88ejpYr3A1h1Anle5OJB3dlLSqEtwbrhnmfuzilWf7x0ouF8q0XOfNUc3u0bTdhDy8GnszWKZcflgioRIOMS9i2cluatsM2Wt2MKaeEgP6czBJw3Gz2Q8bYBZM4zKNgYqERuNSc4I/2bARyhL61rBKwlWLKWqCQN7MjHc6IV4SM7AxRIRag8Mri8Fym96ZH8gLHXmTLES0/3jH14NfbhY16B85H9jq5eaK8Mq2NCy4dVaDTkbb2coqRKD1od4bZm9XrMK4JjO9urDjm1p67dAgT2HPXBR0cRdjaXcf2pYGt5gdjdS7P+sGV0MFS+KD/WJyNcrHR7sK5EFpz1PMYIBjzCCAYsCAQEwZDBfMREwDwYDVQQDDAhTdG9yZUtpdDERMA8GA1UECgwIU3RvcmVLaXQxETAPBgNVBAsMCFN0b3JlS2l0MQswCQYDVQQGEwJVUzEXMBUGCSqGSIb3DQEJARYIU3RvcmVLaXQCAQEwDQYJYIZIAWUDBAIBBQAwDQYJKoZIhvcNAQELBQAEggEArXrh7l/+6+UC0mX/0MF1vvPDk/DAZrWrauQ81Ed01cFzNqqG8DqK5lK9IA02V+G7D9XcxYaDb3gYusFsoghfDe6IEI10g4W+PusqaN3tKJTsZ429X02vQFA0ummgeGl2zD48NqlVHpZPElCu0v7DfIM14PqciEAEU1ebH/+b3kPY1YoDwC6hhCcW8bsUqbuMiZdCXPysRTHVR0ohTpRFtbxZ4nc28ozOP57M0RMnFrk+fe0Al1TtM/OSdFv4IYNEyMX9i+9ROA17Mz6SjmqYfy1KiKaGkpR093HeynMUUefIJzgjHA5Q9m/xI7BUqQKuPsyRv28fQLSPZCcmiLm5RwAAAAAAAA==';

$receipt = (new Parser())->parseUnverified(RECEIPT);

// Just for documentation purpose
assert($receipt instanceof Receipt);

var_dump($receipt->getBundleId());

foreach ($receipt->getInApp() as $inApp) {
    // Just for documentation purpose
    assert($inApp instanceof InApp);

    var_dump("{$inApp->getQuantity()} x {$inApp->getProductIdentifier()}");
}

Verifying signatures

You can pass Parser another instance of PKCS#7 reader which will actually verify signature. Currently, only one such reader in implemented, which requires you to also install symfony/process, have openssl installed in your system, and also you php must be configured to allow to exec shell script.

<?php

use Cthulhu\IosReceiptParser\ASN1\OpenSslProcessPkcs7Reader;
use Cthulhu\IosReceiptParser\Parser;

include __DIR__ . '/vendor/autoload.php';

$parser = new Parser(new OpenSslProcessPkcs7Reader());

// certificates must be PEM-encoded x.509 certificates
$receipt = $parser->parseUsingOnlyTrustedCerts(RECEIPT, CERT_OR_PATH_TO_CERT, OTHER_CERT);

var_dump($receipt->getBundleId());

parseUsingOnlyTrustedCerts being used guarantees the signature in PKCS#7 has been validated against one of the certificates you have provided. The certificates are considered trusted (their own signatures are not verified), so take care to only pass this function known-valid certificates.