AppReceiptValidator
The configured certificate seems to be ignored
First and foremost, thank you for creating this useful library!
I’ve started integrating it into my project for performing on-device app receipt validation. Since I’d like to utilize StoreKit Testing in Xcode, I have to differentiate the certificate used for validation (see this section). In the README, you show a snippet for this configuration step. However, I checked the source code and noticed that the configured certificate in `AppReceiptValidator.Parameters` isn’t used at all. While the certificate (represented as `Data`) is passed to `checkSignatureAuthenticity(…)`, the certificate that gets used is the one extracted from the receipt.
https://github.com/IdeasOnCanvas/AppReceiptValidator/blob/8cd736e038e56ed7d2d1f8f4021b0d7cc99cb8eb/Sources/AppReceiptValidator/AppReceiptValidator.swift#L152-L159
I was wondering whether there should be a check for the correct certificate. If I understand it correctly, it should now be possible to create a receipt using an arbitrary certificate, and as long as the fields are matching, the library would interpret it as valid. Is my understanding correct? What would be the recommended way to fix this?
> First and foremost, thank you for creating this useful library!
much appreciated!
Oh, good catch! That looks like a bug/regression that might have crept in when moving away from OpenSSL as a dependency.
Until it's fixed, I recommend as a workaround to disable the `AppReceiptValidator.Parameters.signatureValidation` in `DEBUG` builds.
I quickly tried changing it to `let rootCert: X509Certificate = try .init(data: appleRootCertificateData)`:
The initializer works, but the tests that verify signatures fail, so probably something with unpacking or verifying is not in line.
Looking at https://www.objc.io/issues/17-security/receipt-validation/ it seems we are doing the integrity check but might be omitting the authenticity check.
> Until it's fixed, I recommend as a workaround to disable the `AppReceiptValidator.Parameters.signatureValidation` in `DEBUG` builds.
Thanks for the suggestion. I haven’t yet started working on the part related to StoreKit and in-app purchases, so I don’t have an urgent need for a workaround. Also, if I understand it correctly, the validation should go through even for receipts created in the Xcode StoreKit testing environment, as the certificate from the container is used anyway.
> Looking at https://www.objc.io/issues/17-security/receipt-validation/ it seems we are doing the integrity check but might be omitting the authenticity check.
I’m a total newbie in this field, but yeah, it looks like it. Not sure how one could validate a certificate chain against a root certificate, though.
@hannesoid @lukaskubanek Any update on this or can we close this issue?
There's no update (the issue still exists)
As @hannesoid says, the issue is unsolved. However, while utilizing StoreKit Xcode Testing, I noticed that it actually doesn’t write receipt files, and thus there’s no need for receipt validation with a different certificate. I’m using StoreKit 2, which even comes with its own verification. So, I currently don’t have a use case for configuring the validation certificate.
Handling the authenticity part would still be desired to make the check secure. Or, if you don’t want to spend much effort on it, at least you could remove the option for configuring a custom certificate.
thanks for the update and the info on storekit testing!
> you could remove the option for configuring a custom certificate.
sounds like a good idea
It seemed less complicated than I thought, I think I found a way to do the missing authenticity check, should also work with custom supplied root certificates (although probably not really a use case) #80
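For readers following the thread: one way to perform the authenticity check discussed above (anchoring the certificates embedded in the receipt to the configured root, instead of trusting whatever the receipt carries) using Apple's Security framework. This is an added example, not the library's code and not the change in #80; `ChainError`, `verifyChain` and its parameters are hypothetical names, and it assumes the caller has already extracted the DER certificates from the receipt's PKCS#7 container.

```swift
import Foundation
import Security

enum ChainError: Error {
    case malformedCertificate
    case trustSetupFailed(OSStatus)
    case notAnchoredToPinnedRoot(Error?)
}

/// Hypothetical helper (not part of AppReceiptValidator).
/// `chainDER`: DER certificates taken from the receipt container, leaf first.
/// `pinnedRootDER`: the root certificate configured by the app (e.g. Apple's root,
/// or the StoreKit Testing certificate in debug builds).
func verifyChain(_ chainDER: [Data], anchoredTo pinnedRootDER: Data) throws {
    func certificate(_ der: Data) throws -> SecCertificate {
        guard let cert = SecCertificateCreateWithData(nil, der as CFData) else {
            throw ChainError.malformedCertificate
        }
        return cert
    }
    let chain = try chainDER.map(certificate)
    let root = try certificate(pinnedRootDER)

    var trustRef: SecTrust?
    var status = SecTrustCreateWithCertificates(chain as CFArray,
                                                SecPolicyCreateBasicX509(),
                                                &trustRef)
    guard status == errSecSuccess, let trust = trustRef else {
        throw ChainError.trustSetupFailed(status)
    }

    // Trust ONLY the pinned root: system anchors and any self-signed
    // certificate shipped inside the receipt are not accepted as anchors.
    status = SecTrustSetAnchorCertificates(trust, [root] as CFArray)
    guard status == errSecSuccess else { throw ChainError.trustSetupFailed(status) }
    status = SecTrustSetAnchorCertificatesOnly(trust, true)
    guard status == errSecSuccess else { throw ChainError.trustSetupFailed(status) }

    // Fails when the receipt's certificates do not chain up to the pinned root,
    // which is the case the issue describes (a receipt signed with an arbitrary certificate).
    var error: CFError?
    guard SecTrustEvaluateWithError(trust, &error) else {
        throw ChainError.notAnchoredToPinnedRoot(error)
    }
}
```

Only after this succeeds should the receipt's signature be checked with the leaf certificate's public key; the signature check alone proves integrity, not who signed.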