there is about 5% of in-app purchases that doesn't verify with apple (https://buy.itunes.apple.com/verifyReceipt) and error code is 21002. i suspect that "signature" that received with the receipt is not valid (maybe fraud attempt). i have base64_decoded "purchase-info" and all important fields (bid, item-id, product-id etc) looks correct. so, i have downloaded apple root certificates (http://www.apple.com/certificateauthority/) and tried by myself to validate "signature" for "purchase-info" to see how it can be done in command line, but failed all the time.
can someone help me with the set of actions that i need to perform to verify signature of "purchase-info" in command line using openssl for example?
here is receipt generated by SANDBOX purchase that could be verified with apple SANDBOX service using POST request. prior it should be base64_encoded:
{"signature" = "AlMaoeJKrxXOkgKlL6ArGQh4nrJ1z0Dmd6riqhaNQaVS6Oaem8QzP5/RiAXlXri/oSzWHCyI1jCI5VMyGUoOKlqTeaVlW2xZBPDA9keqqQjCCp/R8NsTlkgUr5W4FIkF+Ey/tk8DwQIMZYMyp1BJhjXh3FqMAEbcYuJjGfreqBOlAAADVzCCA1MwggI7oAMCAQICCGUUkU3ZWAS1MA0GCSqGSIb3DQEBBQUAMH8xCzAJBgNVBAYTAlVTMRMwEQYDVQQKDApBcHBsZSBJbmMuMSYwJAYDVQQLDB1BcHBsZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEzMDEGA1UEAwwqQXBwbGUgaVR1bmVzIFN0b3JlIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA5MDYxNTIyMDU1NloXDTE0MDYxNDIyMDU1NlowZDEjMCEGA1UEAwwaUHVyY2hhc2VSZWNlaXB0Q2VydGlmaWNhdGUxGzAZBgNVBAsMEkFwcGxlIGlUdW5lcyBTdG9yZTETMBEGA1UECgwKQXBwbGUgSW5jLjELMAkGA1UEBhMCVVMwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMrRjF2ct4IrSdiTChaI0g8pwv/cmHs8p/RwV/rt/91XKVhNl4XIBimKjQQNfgHsDs6yju++DrKJE7uKsphMddKYfFE5rGXsAdBEjBwRIxexTevx3HLEFGAt1moKx509dhxtiIdDgJv2YaVs49B0uJvNdy6SMqNNLHsDLzDS9oZHAgMBAAGjcjBwMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUNh3o4p2C0gEYtTJrDtdDC5FYQzowDgYDVR0PAQH/BAQDAgeAMB0GA1UdDgQWBBSpg4PyGUjFPhJXCBTMzaN+mV8k9TAQBgoqhkiG92NkBgUBBAIFADANBgkqhkiG9w0BAQUFAAOCAQEAEaSbPjtmN4C/IB3QEpK32RxacCDXdVXAeVReS5FaZxc+t88pQP93BiAxvdW/3eTSMGY5FbeAYL3etqP5gm8wrFojX0ikyVRStQ+/AQ0KEjtqB07kLs9QUe8czR8UGfdM1EumV/UgvDd4NwNYxLQMg4WTQfgkQQVy8GXZwVHgbE/UC6Y7053pGXBk51NPM3woxhd3gSRLvXj+loHsStcTEqe9pBDpmG5+sk4tw+GK3GMeEN5/+e1QT9np/Kl1nj+aBw7C0xsy0bFnaAd1cSS6xdory/CUvM6gtKsmnOOdqTesbp0bs8sn6Wqs0C9dgcxRHuOMZ2tm8npLUm7argOSzQ==";
"purchase-info" = "ewoJIm9yaWdpbmFsLXB1cmNoYXNlLWRhdGUtcHN0IiA9ICIyMDEzLTEyLTIzIDAyOjIzOjUwIEFtZXJpY2EvTG9zX0FuZ2VsZXMiOwoJInVuaXF1ZS1pZGVudGlmaWVyIiA9ICIwMDAwYjAwOTI3YzgiOwoJIm9yaWdpbmFsLXRyYW5zYWN0aW9uLWlkIiA9ICIxMDAwMDAwMDk3MjAzMjM0IjsKCSJidnJzIiA9ICIxLjEwLjAyMSI7CgkidHJhbnNhY3Rpb24taWQiID0gIjEwMDAwMDAwOTcyMDMyMzQiOwoJInF1YW50aXR5IiA9ICIxIjsKCSJvcmlnaW5hbC1wdXJjaGFzZS1kYXRlLW1zIiA9ICIxMzg3Nzk0MjMwODIyIjsKCSJ1bmlxdWUtdmVuZG9yLWlkZW50aWZpZXIiID0gIjdCNzAxNzYxLUZDMTktNDYxNi05REVFLTUwRjVCNDRDNTUxMCI7CgkicHJvZHVjdC1pZCIgPSAiY2FzaGllcl9pb3NfZGVmYXVsdF81X3QiOwoJIml0ZW0taWQiID0gIjY0MTcwNDMzNCI7CgkiYmlkIiA9ICJIb0ZUZXN0IjsKCSJwdXJjaGFzZS1kYXRlLW1zIiA9ICIxMzg3Nzk0MjMwODIyIjsKCSJwdXJjaGFzZS1kYXRlIiA9ICIyMDEzLTEyLTIzIDEwOjIzOjUwIEV0Yy9HTVQiOwoJInB1cmNoYXNlLWRhdGUtcHN0IiA9ICIyMDEzLTEyLTIzIDAyOjIzOjUwIEFtZXJpY2EvTG9zX0FuZ2VsZXMiOwoJIm9yaWdpbmFsLXB1cmNoYXNlLWRhdGUiID0gIjIwMTMtMTItMjMgMTA6MjM6NTAgRXRjL0dNVCI7Cn0=";
"environment" = "Sandbox";
"pod" = "100";
"signing-status" = "0";}
UPDATE #1: Thanks to Rhythmic Fistman for the lead:
I checked signature from sandbox and it successfully parsed with:
openssl asn1parse -inform der
When I tried to do the same with signature from REAL receipt I got this error:
base64 -D real.signature.txt | openssl asn1parse -inform der
Error in encoding 28178:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:/SourceCache/OpenSSL098/OpenSSL098-50/src/crypto/asn1/asn1_lib.c:150:
Here is the signature from REAL receipt that successfully verifies with Apple but it's signature cannot be parsed with: openssl asn1parse -inform der
Aqzwtl7Vcj9JrOuptPKWkuR1mPgjsA92Da/Wu0Dl4/Lnsb3yhiXry7NcXpMOkY3AxkoMCAK30QvVwYXd51Q4A8idQR2O/dsCTQRx8iOK7ewDctXm6REI2x85KIybGTZGw7eun7jTzfsdVm4kyzgLfD7lZH0AaVojP7k0wDGrleA1AAADVzCCA1MwggI7oAMCAQICCGUUkU3ZWAS1MA0GCSqGSIb3DQEBBQUAMH8xCzAJBgNVBAYTAlVTMRMwEQYDVQQKDApBcHBsZSBJbmMuMSYwJAYDVQQLDB1BcHBsZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEzMDEGA1UEAwwqQXBwbGUgaVR1bmVzIFN0b3JlIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA5MDYxNTIyMDU1NloXDTE0MDYxNDIyMDU1NlowZDEjMCEGA1UEAwwaUHVyY2hhc2VSZWNlaXB0Q2VydGlmaWNhdGUxGzAZBgNVBAsMEkFwcGxlIGlUdW5lcyBTdG9yZTETMBEGA1UECgwKQXBwbGUgSW5jLjELMAkGA1UEBhMCVVMwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMrRjF2ct4IrSdiTChaI0g8pwv/cmHs8p/RwV/rt/91XKVhNl4XIBimKjQQNfgHsDs6yju++DrKJE7uKsphMddKYfFE5rGXsAdBEjBwRIxexTevx3HLEFGAt1moKx509dhxtiIdDgJv2YaVs49B0uJvNdy6SMqNNLHsDLzDS9oZHAgMBAAGjcjBwMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUNh3o4p2C0gEYtTJrDtdDC5FYQzowDgYDVR0PAQH/BAQDAgeAMB0GA1UdDgQWBBSpg4PyGUjFPhJXCBTMzaN+mV8k9TAQBgoqhkiG92NkBgUBBAIFADANBgkqhkiG9w0BAQUFAAOCAQEAEaSbPjtmN4C/IB3QEpK32RxacCDXdVXAeVReS5FaZxc+t88pQP93BiAxvdW/3eTSMGY5FbeAYL3etqP5gm8wrFojX0ikyVRStQ+/AQ0KEjtqB07kLs9QUe8czR8UGfdM1EumV/UgvDd4NwNYxLQMg4WTQfgkQQVy8GXZwVHgbE/UC6Y7053pGXBk51NPM3woxhd3gSRLvXj+loHsStcTEqe9pBDpmG5+sk4tw+GK3GMeEN5/+e1QT9np/Kl1nj+aBw7C0xsy0bFnaAd1cSS6xdory/CUvM6gtKsmnOOdqTesbp0bs8sn6Wqs0C9dgcxRHuOMZ2tm8npLUm7argOSzQ==
UPDATE #2:
Here is the real receipt that fails verification with 21002:
eyJwb2QiPSIyIjsicHVyY2hhc2UtaW5mbyI9ImV5SmhjSEF0YVhSbGJTMXBaQ0k5SWpVNE5qWXpORE16TVNJN0ltSjJjbk1pUFNJeExqRXdJanNpY0hWeVkyaGhjMlV0WkdGMFpTSTlJakl3TVRNdE1USXRNalVnTURnNk5EZzZOVEFnUlhSakwwZE5WQ0k3SW5GMVlXNTBhWFI1SWowaU1TSTdJbUpwWkNJOUlraHZSaTFUYkc5MGN5STdJblpsY25OcGIyNHRaWGgwWlhKdVlXd3RhV1JsYm5ScFptbGxjaUk5SWpJd01EUTRNalkxTkNJN0luQjFjbU5vWVhObExXUmhkR1V0Y0hOMElqMGlNakF4TXkweE1pMHlOU0F3TURvME9EbzFNQ0JCYldWeWFXTmhMMHh2YzE5QmJtZGxiR1Z6SWpzaWNIVnlZMmhoYzJVdFpHRjBaUzF0Y3lJOUlqRXpPRGM1TmpFek16QTNNekVpT3lKMWJtbHhkV1V0ZG1WdVpHOXlMV2xrWlc1MGFXWnBaWElpUFNKRE1UUXhNa0l4TnkweU9EVXdMVFEwUVRVdFFURTRNeTB5UVRFeVJEWTNPRGhDUmtFaU95SnZjbWxuYVc1aGJDMXdkWEpqYUdGelpTMWtZWFJsTFcxeklqMGlNVE00TnprMk1UTXpNRGN6TVNJN0ltOXlhV2RwYm1Gc0xYUnlZVzV6WVdOMGFXOXVMV2xrSWowaU5EYzBNell3T0RNek9UYzFOVEE1TkRNd01DSTdJbWwwWlcwdGFXUWlQU0kzTnpnMk5qRTFOekFpT3lKdmNtbG5hVzVoYkMxd2RYSmphR0Z6WlMxa1lYUmxMWEJ6ZENJOUlqSXdNVE10TVRJdE1qVWdNREE2TkRnNk5UQWdRVzFsY21sallTOU1iM05mUVc1blpXeGxjeUk3SW5CeWIyUjFZM1F0YVdRaVBTSndjbTl0YjE5cGIzTmZNREE0WHpFMU1GOHlNREF3TUNJN0luUnlZVzV6WVdOMGFXOXVMV2xrSWowaU5EYzBNell3T0RNek9UYzFOVEE1TkRNd01DSTdJbTl5YVdkcGJtRnNMWEIxY21Ob1lYTmxMV1JoZEdVaVBTSXlNREV6TFRFeUxUSTFJREE0T2pRNE9qVXdJRVYwWXk5SFRWUWlPeUoxYm1seGRXVXRhV1JsYm5ScFptbGxjaUk5SWpFME9EbGhPR05rTmpCbVpXVmpPVFUyTjJObU1qSmpNalU1Tm1Wak56RTNaREZoTURrME5qa2lPMzA9Ijsic2lnbmF0dXJlIj0iQXBkeEpkdE53UFUyckE1L2NuM2tJTzFPVGsyNWZlREthMGFhZ3l5UnZlV2xjRmxnbHY2UkY2em5raUJTM3VtOVVjN3BWb2IrUHFaUjJUOHd5VnJITnBsb2YzRFgzSXFET2xXcSs5MGE3WWwrcXJSN0E3ald3dml3NzA4UFMrNjdQeUhSbmhPL0c3YlZxZ1JwRXI2RXVGeWJpVTFGWEFpWEpjNmxzMVlBc3NReEFBQURWekNDQTFNd2dnSTdvQU1DQVFJQ0NHVVVrVTNaV0FTMU1BMEdDU3FHU0liM0RRRUJCUVVBTUg4eEN6QUpCZ05WQkFZVEFsVlRNUk13RVFZRFZRUUtEQXBCY0hCc1pTQkpibU11TVNZd0pBWURWUVFMREIxQmNIQnNaU0JEWlhKMGFXWnBZMkYwYVc5dUlFRjFkR2h2Y21sMGVURXpNREVHQTFVRUF3d3FRWEJ3YkdVZ2FWUjFibVZ6SUZOMGIzSmxJRU5sY25ScFptbGpZWFJwYjI0Z1FYVjBhRzl5YVhSNU1CNFhEVEE1TURZeE5USXlNRFUxTmxvWERURTBNRFl4TkRJeU1EVTFObG93WkRFak1DRUdBMVVFQXd3YVVIVnlZMmhoYzJWU1pXTmxhWEIwUTJWeWRHbG1hV05oZEdVeEd6QVpCZ05WQkFzTUVrRndjR3hsSUdsVWRXNWxjeUJUZEc5eVpURVRNQkVHQTFVRUNnd0tRWEJ3YkdVZ1NXNWpMakVMTUFrR0ExVUVCaE1DVlZNd2daOHdEUVlKS29aSWh2Y05BUUVCQlFBRGdZMEFNSUdKQW9HQkFNclJqRjJjdDRJclNkaVRDaGFJMGc4cHd2L2NtSHM4cC9Sd1YvcnQvOTFYS1ZoTmw0WElCaW1LalFRTmZnSHNEczZ5anUrK0RyS0pFN3VLc3BoTWRkS1lmRkU1ckdYc0FkQkVqQndSSXhleFRldngzSExFRkdBdDFtb0t4NTA5ZGh4dGlJZERnSnYyWWFWczQ5QjB1SnZOZHk2U01xTk5MSHNETHpEUzlvWkhBZ01CQUFHamNqQndNQXdHQTFVZEV3RUIvd1FDTUFBd0h3WURWUjBqQkJnd0ZvQVVOaDNvNHAyQzBnRVl0VEpyRHRkREM1RllRem93RGdZRFZSMFBBUUgvQkFRREFnZUFNQjBHQTFVZERnUVdCQlNwZzRQeUdVakZQaEpYQ0JUTXphTittVjhrOVRBUUJnb3Foa2lHOTJOa0JnVUJCQUlGQURBTkJna3Foa2lHOXcwQkFRVUZBQU9DQVFFQUVhU2JQanRtTjRDL0lCM1FFcEszMlJ4YWNDRFhkVlhBZVZSZVM1RmFaeGMrdDg4cFFQOTNCaUF4dmRXLzNlVFNNR1k1RmJlQVlMM2V0cVA1Z204d3JGb2pYMGlreVZSU3RRKy9BUTBLRWp0cUIwN2tMczlRVWU4Y3pSOFVHZmRNMUV1bVYvVWd2RGQ0TndOWXhMUU1nNFdUUWZna1FRVnk4R1had1ZIZ2JFL1VDNlk3MDUzcEdYQms1MU5QTTN3b3hoZDNnU1JMdlhqK2xvSHNTdGNURXFlOXBCRHBtRzUrc2s0dHcrR0szR01lRU41LytlMVFUOW5wL0tsMW5qK2FCdzdDMHhzeTBiRm5hQWQxY1NTNnhkb3J5L0NVdk02Z3RLc21uT09kcVRlc2JwMGJzOHNuNldxczBDOWRnY3hSSHVPTVoydG04bnBMVW03YXJnT1N6UT09Ijsic2lnbmluZy1zdGF0dXMiPSIwIjt9