o "iJ@s0ddlmZmZmZddlmZddlmZddlZddl Z ddl Z ddl Z ddl Z ddl mZddlmZmZddlmZddlmZmZdd lmZmZdd lmZdd lmZdd lmZd dl m!Z!d dl"m#Z#d dl$m%Z%d dl&m'Z'GdddZ(GdddZ)GdddeZ*Gddde+Z,dS))ListOptionalDict) b64decode)IntEnumN)x509)hashes serialization)ECDSA)SHA1SHA256)ocspoid)crypto)AppTransaction)_get_cattrs_converter) Environment)ResponseBodyV2DecodedPayload)JWSTransactionDecodedPayload)JWSRenewalInfoDecodedPayloadc @seZdZdZ ddeedededede e f dd Z d ed e fd d Z ded efddZded efddZde ede e de efddZded efddZded efddZdS)SignedDataVerifierz] A class providing utility methods for verifying and decoding App Store signed data. Nroot_certificatesenable_online_checks environment bundle_id app_apple_idcCsDt||_||_||_||_||_|tjkr|dur tddSdS)Nz9appAppleId is required when the environment is Production) _ChainVerifier_chain_verifier _environment _bundle_id _app_apple_id_enable_online_checksr PRODUCTION ValueError)selfrrrrrr&j/var/www/html/premium_crap/venv/lib/python3.10/site-packages/appstoreserverlibrary/signed_data_verifier.py__init__s zSignedDataVerifier.__init__signed_renewal_inforeturncCs0tt||t}|j|jkrttj|S)a Verifies and decodes a signedRenewalInfo obtained from the App Store Server API, an App Store Server Notification, or from a device See https://developer.apple.com/documentation/appstoreserverapi/jwsrenewalinfo :param signed_renewal_info: The signedRenewalInfo field :return: The decoded renewal info after verification :throws VerificationException: Thrown if the data could not be verified ) rr structure_decode_signed_objectrrVerificationExceptionVerificationStatusINVALID_ENVIRONMENT)r%r)decoded_renewal_infor&r&r'verify_and_decode_renewal_info/s  z1SignedDataVerifier.verify_and_decode_renewal_infosigned_transactioncCsFtt||t}|j|jkrttj|j |j kr!ttj |S)a Verifies and decodes a signedTransaction obtained from the App Store Server API, an App Store Server Notification, or from a device See https://developer.apple.com/documentation/appstoreserverapi/jwstransaction :param signed_transaction: The signedTransaction field :return: The decoded transaction info after verification :throws VerificationException: Thrown if the data could not be verified ) rrr+r,bundleIdr r-r.INVALID_APP_IDENTIFIERrrr/)r%r2decoded_transaction_infor&r&r'$verify_and_decode_signed_transaction>s     z7SignedDataVerifier.verify_and_decode_signed_transactionsigned_payloadcCs||}tt|t}d}d}d}|jr#|jj}|jj}|jj}n-|jr3|jj}|jj}|jj}n|j rP|j j}|j j}|j j rM|j j drMt j }nt j}|||||S)a Verifies and decodes an App Store Server Notification signedPayload See https://developer.apple.com/documentation/appstoreservernotifications/signedpayload :param signedPayload: The payload received by your server :return: The decoded payload after verification :throws VerificationException: Thrown if the data could not be verified NSANDBOX)r,rrr+datar3 appAppleIdrsummaryexternalPurchaseTokenexternalPurchaseId startswithrr8r#_verify_notification)r%r7 decoded_dictdecoded_signed_notificationrrrr&r&r'verify_and_decode_notificationNs*   z1SignedDataVerifier.verify_and_decode_notificationcCsB||jks|jtjkr||jkrttj||jkrttjdSN) r rrr#r!r-r.r4r/)r%rrrr&r&r'r?ns    z'SignedDataVerifier._verify_notificationsigned_app_transactioncCsf||}tt|t}|j}|j|jks"|jtj kr'|j |j kr't t j||jkr1t t j|S)a[ Verifies and decodes a signed AppTransaction See https://developer.apple.com/documentation/storekit/apptransaction :param signed_app_transaction: The signed AppTransaction :return: The decoded AppTransaction after validation :throws VerificationException: Thrown if the data could not be verified )r,rrr+ receiptTyper3r rrr#r:r!r-r.r4r/)r%rDr@decoded_app_transactionrr&r&r'!verify_and_decode_app_transactionts $   z4SignedDataVerifier.verify_and_decode_app_transaction signed_objc Cs,zvtj|ddid}|jtjks|jtjkr|WSt|}|d}|dus-t|dkr1t d|d}|dus>d|krBt d |d durN|d n|d }|j sZ|dur^t nt |d }|j ||j |}tj||dgd WSty} z| d} ~ wt y} zttj| d} ~ ww)Nverify_signatureF)optionsx5crzx5c claim was emptyalgES256zAlgorithm was not ES256 signedDatereceiptCreationDatei) algorithms)jwtdecoderrXCODE LOCAL_TESTINGget_unverified_headergetlen Exceptionr"timeintr verify_chainr-r.VERIFICATION_FAILURE) r%rH decoded_jwtunverified_headers x5c_headeralgorithm_header signed_dateeffective_date signing_keyer&r&r'r,s,   "" z(SignedDataVerifier._decode_signed_objectrC)__name__ __module__ __qualname____doc__rbytesboolrstrrrZr(rr1rr6rrBr?rrGdictr,r&r&r&r'rs(  " rc@seZdZdZdZddeefddZdeede d e d efd d Z deede d e d efd dZ de jdefddZdejdejdejfddZdeed eefddZdeedefddZdS)r iTrcCs||_||_i|_dSrC)enable_strict_checksrverified_certificates_cache)r%rrnr&r&r'r(s z_ChainVerifier.__init__ certificatesperform_online_checksrbr*cCsJ|rt|dkr||}|dur|S|j|||d}|r#||||S)Nr)rprqrb)rWget_cached_public_key_verify_chain_without_cachingput_verified_public_key)r%rprqrbcached_public_keyverified_public_keyr&r&r'r[s  z_ChainVerifier.verify_chainc Cst|jdkr ttjt|dkrttjt}z@|jD]}ttj |}| |q|j r8| tj jttj t|ddd}ttj t|ddd}t|||g} Wntym} zttj| d} ~ ww|tjj|tjjdz | | } Wnty} zttj| d} ~ ww|| dd|| dd|r|| d| d | d || d| d| d |jtj j!tj"j#d $S) NrT)validater)tzz1.2.840.113635.100.6.11.1z1.2.840.113635.100.6.2.1encodingformat)%rWrr-r.INVALID_CERTIFICATEINVALID_CHAIN_LENGTHr X509Storeload_certificate FILETYPE_ASN1add_certrn set_flagsX509StoreFlags X509_STRICTrX509StoreContextrXset_timedatetime fromtimestamptimezoneutcverify_certificateget_verified_chainr\ check_oidto_cryptographycheck_ocsp_status public_key public_bytesr EncodingPEM PublicFormatSubjectPublicKeyInforR) r%rprqrb trusted_storetrusted_cert_bytes trusted_cert leaf_certintermediate_certverification_contextrd trusted_chainr&r&r'rssJ        z,_ChainVerifier._verify_chain_without_cachingcertrc Cs>z |jt|WdSty}zttj|d}~wwrC) extensionsget_extension_for_oidrObjectIdentifierrXr-r.r\)r%rrrdr&r&r'rs  z_ChainVerifier.check_oidissuerrootcCst}|||t}|}|jtj j j j }dd|D}|D]'}t j|jj ddi|tjjd} | jdkrQt| j} | jtjjkrQ|g} | jD] } | tj| qWd} | D]Q}| jr| !jtjjtj"j#d}t$%}|&||'|(|(\}}t)*t+}|,||-| jkr|} nqg| j.r| j.|j/0kr|} nqg| durt1t2j3| jtjjd|jtjjdkrn.t4}|5||5|t6|| g}|7t j8j9| j:tj;j j| j?| j@tA| jB| jCD]8}t}||||jD}|}|jEtjFjGkrO|jH|jHkrO|jI|jIkrO|jJ|jJkrOdSqq)t1t2j3) NcSs g|] }|jtjjjkr|qSr&) access_methodrrAuthorityInformationAccessOIDOCSP).0valr&r&r' s z4_ChainVerifier.check_ocsp_status..z Content-Typezapplication/ocsp-request)headersr9r{)r|)Kr OCSPRequestBuilderadd_certificaterr buildrrrr ExtensionOIDAUTHORITY_INFORMATION_ACCESSvaluerequestspostaccess_locationrr rDER status_codeload_der_ocsp_responsecontentresponse_statusOCSPResponseStatus SUCCESSFULrpappendrX509from_cryptographyresponder_key_hash get_pubkeyto_cryptography_keyrrasn1DecoderstartenterreadrHashr updatefinalizeresponder_namesubjectrfc4514_stringr-r.r\rrrrExtendedKeyUsageOID OCSP_SIGNINGget_extension_for_classExtendedKeyUsage_usagesrverify signaturetbs_response_bytesr signature_hash_algorithm responseshash_algorithmcertificate_statusOCSPCertStatusGOOD serial_numberissuer_key_hashissuer_name_hash)r%rrrbuilderreqauthority_valuesocspsor ocsp_respcerts ocsp_cert signing_certpotential_signing_certsubject_public_key_infodecoder_rdigestrrsingle_responser&r&r'rs                 z _ChainVerifier.check_ocsp_statuscCs8|jt|}|durdS|dtkrdS|dS)Nrr)rorVtuplerY)r%rprvr&r&r'rr9s z$_ChainVerifier.get_cached_public_keyrvcCshttj}||f|jt|<t|jtjkr0t|jD]\}}|dtkr/|j|=qdSdS)Nr) rYrCACHE_TIME_LIMITrorrWMAXIMUM_CACHE_SIZElistitems)r%rprvcache_expirationkvr&r&r'rtAsz&_ChainVerifier.put_verified_public_keyN)T)rerfrgrrrrir(rkrjrZr[rsr Certificaterrrrrrrrtr&r&r&r'rs $_rc@s(eZdZdZdZdZdZdZdZdZ dS) r.rrrzrwN) rerfrgOKr\r4r~r INVALID_CHAINr/r&r&r&r'r.Isr.cs"eZdZdeffdd ZZS)r-statuscstd|j||_dS)Nz Verification failed with status )superr(namer)r%r __class__r&r'r(Ts zVerificationException.__init__)rerfrgr.r( __classcell__r&r&rr'r-Ssr-)-typingrrrbase64renumrrYrrrQr cryptographyrcryptography.hazmat.primitivesrr ,cryptography.hazmat.primitives.asymmetric.ecr %cryptography.hazmat.primitives.hashesr r cryptography.x509r rOpenSSLr+appstoreserverlibrary.models.AppTransactionr+appstoreserverlibrary.models.LibraryUtilityrmodels.Environmentr#models.ResponseBodyV2DecodedPayloadr#models.JWSTransactionDecodedPayloadr#models.JWSRenewalInfoDecodedPayloadrrrr.rXr-r&r&r&r's4           -