lxcid/receipt_decoding_test.rb

## receipt_decoding_test.rb
# Copyright (c) 2013 Stan Chang Khin Boon (http://lxcid.com/)
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.

# References
# - In-App Purchase Receipt Validation on iOS (http://developer.apple.com/library/ios/#releasenotes/StoreKit/IAP_ReceiptValidation/_index.html)
# - CargoBay (https://github.com/mattt/CargoBay)

require 'test/unit'
require 'base64'
require 'openssl'
require 'osx/plist'

class ReceiptDecodingTest < Test::Unit::TestCase
  def test_receipt_decoding
    the_root_certificate_pem = <<-CERTIFICATE
-----BEGIN CERTIFICATE-----
MIIEuzCCA6OgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBiMQswCQYDVQQGEwJVUzET
MBEGA1UEChMKQXBwbGUgSW5jLjEmMCQGA1UECxMdQXBwbGUgQ2VydGlmaWNhdGlv
biBBdXRob3JpdHkxFjAUBgNVBAMTDUFwcGxlIFJvb3QgQ0EwHhcNMDYwNDI1MjE0
MDM2WhcNMzUwMjA5MjE0MDM2WjBiMQswCQYDVQQGEwJVUzETMBEGA1UEChMKQXBw
bGUgSW5jLjEmMCQGA1UECxMdQXBwbGUgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkx
FjAUBgNVBAMTDUFwcGxlIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDkkakJH5HbHkdQ6wXtXnmELes2oldMVeyLGYne+Uts9QerIjAC6Bg+
+FAJ039BqJj50cpmnCRrEdCju+QbKsMflZ56DKRHi1vUFjczy8QPTc4UadHJGXL1
XQ7Vf1+b8iUDulWPTV0N8WQ1IxVLFVkds5T39pyez1C6wVhQZ48ItCD3y6wsIG9w
tj8BMIy3Q88PnT3zK0koGsj+zrW5DtleHNbLPbU6rfQPDgCSC7EhFi501TwN22IW
q6NxkkdTVcGvL0Gz+PvjcM3mo0xFfh9Ma1CWQYnEdGILEINBhzOKgbEwWOxaBDKM
aLOPHd5lc/9nXmW8Sdh2nzMUZaF3lMktAgMBAAGjggF6MIIBdjAOBgNVHQ8BAf8E
BAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUK9BpR5R2Cf70a40uQKb3
R01/CF4wHwYDVR0jBBgwFoAUK9BpR5R2Cf70a40uQKb3R01/CF4wggERBgNVHSAE
ggEIMIIBBDCCAQAGCSqGSIb3Y2QFATCB8jAqBggrBgEFBQcCARYeaHR0cHM6Ly93
d3cuYXBwbGUuY29tL2FwcGxlY2EvMIHDBggrBgEFBQcCAjCBthqBs1JlbGlhbmNl
IG9uIHRoaXMgY2VydGlmaWNhdGUgYnkgYW55IHBhcnR5IGFzc3VtZXMgYWNjZXB0
YW5jZSBvZiB0aGUgdGhlbiBhcHBsaWNhYmxlIHN0YW5kYXJkIHRlcm1zIGFuZCBj
b25kaXRpb25zIG9mIHVzZSwgY2VydGlmaWNhdGUgcG9saWN5IGFuZCBjZXJ0aWZp
Y2F0aW9uIHByYWN0aWNlIHN0YXRlbWVudHMuMA0GCSqGSIb3DQEBBQUAA4IBAQBc
NplMLXi37Yyb3PN3m/J20ncwT8EfhYOFG5k9RzfyqZtAjizUsZAS2L70c5vu0mQP
y3lPNNiiPvl4/2vIB+x9OYOLUyDTOMSxv5pPCmv/K/xZpwUJfBdAVhEedNO3iyM7
R6PVbyTi69G3cN8PReEnyvFteO3ntRcXqNx+IjXKJdXZD9Zr1KIkIxH3oayPc4Fg
xhtbCS+SsvhESPBgOJ4V9T0mZyCKM2r3DYLP3uujL/lTaltkwGMzd/c6ByxW69oP
IQ7aunMZT7XZNn/Bh1XZp5m5MkL72NVxnn6hUrcbvZNCJBIqxw8dtk2cXmPIS4AX
UKqK1drk/NAJBzewdXUh
-----END CERTIFICATE-----
CERTIFICATE
    the_root_certificate = OpenSSL::X509::Certificate.new(the_root_certificate_pem)
    assert_not_nil the_root_certificate, 'Root certificate could not be instantiated'

    the_intermediate_certificate_pem = <<-CERTIFICATE
-----BEGIN CERTIFICATE-----
MIIECzCCAvOgAwIBAgIBGjANBgkqhkiG9w0BAQUFADBiMQswCQYDVQQGEwJVUzET
MBEGA1UEChMKQXBwbGUgSW5jLjEmMCQGA1UECxMdQXBwbGUgQ2VydGlmaWNhdGlv
biBBdXRob3JpdHkxFjAUBgNVBAMTDUFwcGxlIFJvb3QgQ0EwHhcNMDkwNTE5MTgz
MTMwWhcNMTYwNTE4MTgzMTMwWjB/MQswCQYDVQQGEwJVUzETMBEGA1UECgwKQXBw
bGUgSW5jLjEmMCQGA1UECwwdQXBwbGUgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkx
MzAxBgNVBAMMKkFwcGxlIGlUdW5lcyBTdG9yZSBDZXJ0aWZpY2F0aW9uIEF1dGhv
cml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKS8rzKUQz4LvDeH
zWOJ8szZviBNWrT+h2fSmt4aVJ2i89+H5EzLkxF4oDCPNEHB075mbUdsmLjsetXJ
3aXk6sZw9DXQkfez2AoRmas6Yjq9e/RWT9ufJJNRUHwg1WZNZvMYpBOWIhb9Maf0
OWab+2JpXEuflKhL6OxbZFoYeYoWdWNCpEnZjDPerXvWOQT04p0KaYzrSxIoSzRI
B5sOWfkfYrADnza4TqPTdVnU8zoFysUzO/jABgkIk9vnTb8R81IspRY1FfNBAs0C
0fz1+MWEvWNqhta2mfaGrl/9A9Qoilpdr7xldNH3GsOSCPQcrWnoAkwOlRUHvL5q
b8GzraECAwEAAaOBrjCBqzAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB
/zAdBgNVHQ4EFgQUNh3o4p2C0gEYtTJrDtdDC5FYQzowHwYDVR0jBBgwFoAUK9Bp
R5R2Cf70a40uQKb3R01/CF4wNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDovL3d3dy5h
cHBsZS5jb20vYXBwbGVjYS9yb290LmNybDAQBgoqhkiG92NkBgICBAIFADANBgkq
hkiG9w0BAQUFAAOCAQEAdaaQ5pqn22VwpgmTbwjfLNvpKI1AG1deoOr07BNlG3FK
TdyASE/y5an7hWy3Hp3b9BhIEHkX6sM9h9i0eW0UUK3Svz1O/A3ixQOUdYBzTaWh
kf4c3hUXrIlxKm8PZwrTnDChaPvPcBfK2UD8+Bu/zrDErvRKLamZhwZCCYYiaoRA
OfS7rFYY95ocAYFcjG5B8l0ZLBccSUbZHH6TEhPIZ5nC6oPjoowOuDsq3xy/S4tv
Grjul2dK2Kuvi6TaXIceILjF87HEmKI3+J7GmmulrfZ4lg6CjwRGHLKl/ZowUSj9
UgQVA9U8rf72eODqNe9ltSF226Tvy3LvVGsBDcfdGg==
-----END CERTIFICATE-----
CERTIFICATE
    the_intermediate_certificate = OpenSSL::X509::Certificate.new(the_intermediate_certificate_pem)
    assert_not_nil the_intermediate_certificate, 'Intermediate certificate could not be instantiated'

    # Base 64 encoded transaction receipt
    the_transaction_receipt_encoded = "ewoJInNpZ25hdHVyZSIgPSAiQWtZdVBNRGc1bjl5NDBRL2pXT08vVU5KeUZBbzNjTytvUmpJWklLWXQ3L00wNUV5WHFKTkhKR1BRbm1kYTRaeTBCcUdzejFtMmZwU0pRYXRUMDNWL2IwVGZBcjQrcDhib2ZVUmpDTFk5TlgzNkxDZ1dEandTMVN4UmFvKzRlazcycTUzTWVHVlNrR295NUUyN2pTejVQMmZRZHM4UHZ3UGlkM0R4M081OTQvd0FBQURWekNDQTFNd2dnSTdvQU1DQVFJQ0NHVVVrVTNaV0FTMU1BMEdDU3FHU0liM0RRRUJCUVVBTUg4eEN6QUpCZ05WQkFZVEFsVlRNUk13RVFZRFZRUUtEQXBCY0hCc1pTQkpibU11TVNZd0pBWURWUVFMREIxQmNIQnNaU0JEWlhKMGFXWnBZMkYwYVc5dUlFRjFkR2h2Y21sMGVURXpNREVHQTFVRUF3d3FRWEJ3YkdVZ2FWUjFibVZ6SUZOMGIzSmxJRU5sY25ScFptbGpZWFJwYjI0Z1FYVjBhRzl5YVhSNU1CNFhEVEE1TURZeE5USXlNRFUxTmxvWERURTBNRFl4TkRJeU1EVTFObG93WkRFak1DRUdBMVVFQXd3YVVIVnlZMmhoYzJWU1pXTmxhWEIwUTJWeWRHbG1hV05oZEdVeEd6QVpCZ05WQkFzTUVrRndjR3hsSUdsVWRXNWxjeUJUZEc5eVpURVRNQkVHQTFVRUNnd0tRWEJ3YkdVZ1NXNWpMakVMTUFrR0ExVUVCaE1DVlZNd2daOHdEUVlKS29aSWh2Y05BUUVCQlFBRGdZMEFNSUdKQW9HQkFNclJqRjJjdDRJclNkaVRDaGFJMGc4cHd2L2NtSHM4cC9Sd1YvcnQvOTFYS1ZoTmw0WElCaW1LalFRTmZnSHNEczZ5anUrK0RyS0pFN3VLc3BoTWRkS1lmRkU1ckdYc0FkQkVqQndSSXhleFRldngzSExFRkdBdDFtb0t4NTA5ZGh4dGlJZERnSnYyWWFWczQ5QjB1SnZOZHk2U01xTk5MSHNETHpEUzlvWkhBZ01CQUFHamNqQndNQXdHQTFVZEV3RUIvd1FDTUFBd0h3WURWUjBqQkJnd0ZvQVVOaDNvNHAyQzBnRVl0VEpyRHRkREM1RllRem93RGdZRFZSMFBBUUgvQkFRREFnZUFNQjBHQTFVZERnUVdCQlNwZzRQeUdVakZQaEpYQ0JUTXphTittVjhrOVRBUUJnb3Foa2lHOTJOa0JnVUJCQUlGQURBTkJna3Foa2lHOXcwQkFRVUZBQU9DQVFFQUVhU2JQanRtTjRDL0lCM1FFcEszMlJ4YWNDRFhkVlhBZVZSZVM1RmFaeGMrdDg4cFFQOTNCaUF4dmRXLzNlVFNNR1k1RmJlQVlMM2V0cVA1Z204d3JGb2pYMGlreVZSU3RRKy9BUTBLRWp0cUIwN2tMczlRVWU4Y3pSOFVHZmRNMUV1bVYvVWd2RGQ0TndOWXhMUU1nNFdUUWZna1FRVnk4R1had1ZIZ2JFL1VDNlk3MDUzcEdYQms1MU5QTTN3b3hoZDNnU1JMdlhqK2xvSHNTdGNURXFlOXBCRHBtRzUrc2s0dHcrR0szR01lRU41LytlMVFUOW5wL0tsMW5qK2FCdzdDMHhzeTBiRm5hQWQxY1NTNnhkb3J5L0NVdk02Z3RLc21uT09kcVRlc2JwMGJzOHNuNldxczBDOWRnY3hSSHVPTVoydG04bnBMVW03YXJnT1N6UT09IjsKCSJwdXJjaGFzZS1pbmZvIiA9ICJld29KSW05eWFXZHBibUZzTFhCMWNtTm9ZWE5sTFdSaGRHVXRjSE4wSWlBOUlDSXlNREV5TFRFeUxUQXhJREl6T2pFMU9qVTBJRUZ0WlhKcFkyRXZURzl6WDBGdVoyVnNaWE1pT3dvSkluQjFjbU5vWVhObExXUmhkR1V0YlhNaUlEMGdJakV6TlRRME16STFOVFF3TURBaU93b0pJblZ1YVhGMVpTMXBaR1Z1ZEdsbWFXVnlJaUE5SUNJd01EQXdZakF3T1RJNE1UZ2lPd29KSW05eWFXZHBibUZzTFhSeVlXNXpZV04wYVc5dUxXbGtJaUE5SUNJeE1EQXdNREF3TURVNU5qTXlNemcxSWpzS0NTSmxlSEJwY21WekxXUmhkR1VpSUQwZ0lqRXpOVFEwTXpZeE5UUXdNREFpT3dvSkluUnlZVzV6WVdOMGFXOXVMV2xrSWlBOUlDSXhNREF3TURBd01EVTVOak15TXpnMUlqc0tDU0p2Y21sbmFXNWhiQzF3ZFhKamFHRnpaUzFrWVhSbExXMXpJaUE5SUNJeE16VTBORE15TlRVME1EQXdJanNLQ1NKM1pXSXRiM0prWlhJdGJHbHVaUzFwZEdWdExXbGtJaUE5SUNJeE1EQXdNREF3TURJMk5ETTJNamt3SWpzS0NTSmlkbkp6SWlBOUlDSTNJanNLQ1NKbGVIQnBjbVZ6TFdSaGRHVXRabTl5YldGMGRHVmtMWEJ6ZENJZ1BTQWlNakF4TWkweE1pMHdNaUF3TURveE5UbzFOQ0JCYldWeWFXTmhMMHh2YzE5QmJtZGxiR1Z6SWpzS0NTSnBkR1Z0TFdsa0lpQTlJQ0kxT0RBeE9UTTVNemNpT3dvSkltVjRjR2x5WlhNdFpHRjBaUzFtYjNKdFlYUjBaV1FpSUQwZ0lqSXdNVEl0TVRJdE1ESWdNRGc2TVRVNk5UUWdSWFJqTDBkTlZDSTdDZ2tpY0hKdlpIVmpkQzFwWkNJZ1BTQWlZMjl0TG1SZlgySjFlbm91WjJGblgzQnNkWE11YVc5ekxqQXdNUzVoY25NdWNISmxiV2wxYlM0eGVTSTdDZ2tpY0hWeVkyaGhjMlV0WkdGMFpTSWdQU0FpTWpBeE1pMHhNaTB3TWlBd056b3hOVG8xTkNCRmRHTXZSMDFVSWpzS0NTSnZjbWxuYVc1aGJDMXdkWEpqYUdGelpTMWtZWFJsSWlBOUlDSXlNREV5TFRFeUxUQXlJREEzT2pFMU9qVTBJRVYwWXk5SFRWUWlPd29KSW1KcFpDSWdQU0FpWTI5dExtUXRMV0oxZW5vdVoyRm5MWEJzZFhNdWFXOXpMakF3TVNJN0Nna2ljSFZ5WTJoaGMyVXRaR0YwWlMxd2MzUWlJRDBnSWpJd01USXRNVEl0TURFZ01qTTZNVFU2TlRRZ1FXMWxjbWxqWVM5TWIzTmZRVzVuWld4bGN5STdDZ2tpY1hWaGJuUnBkSGtpSUQwZ0lqRWlPd3A5IjsKCSJlbnZpcm9ubWVudCIgPSAiU2FuZGJveCI7CgkicG9kIiA9ICIxMDAiOwoJInNpZ25pbmctc3RhdHVzIiA9ICIwIjsKfQ=="

    the_transaction_receipt_decoded = Base64.decode64(the_transaction_receipt_encoded)
    the_transaction_receipt = OSX::PropertyList.load(the_transaction_receipt_decoded) # Property list in OpenStep format

    the_purchase_info_encoded = the_transaction_receipt['purchase-info']
    the_purchase_info_decoded = Base64.decode64(the_purchase_info_encoded)
    the_purchase_info = OSX::PropertyList.load(the_purchase_info_decoded) # Property list in OpenStep format

    # Binary format looks as follows:
    #
    # +-----------------+-----------+------------------+-------------+
    # | RECEIPT VERSION | SIGNATURE | CERTIFICATE SIZE | CERTIFICATE |
    # +-----------------+-----------+------------------+-------------+
    # |          1 byte | 128 bytes |          4 bytes |             |
    # +-----------------+-----------+------------------+-------------+
    # | big endian                                                   |
    # +--------------------------------------------------------------+
    #
    # 1. Extract receipt version, signature and certificate(s).
    # 2. Check receipt version == 2.
    # 3. Sanity check that signature is 128 bytes.
    # 4. Sanity check certification size <= remaining payload data.
    the_signature_encoded = the_transaction_receipt['signature']
    the_signature_decoded = Base64.decode64(the_signature_encoded)
    the_receipt_version, the_signature, the_certificate_size, the_certificate_der = the_signature_decoded.unpack('CA128L>A*')
    the_certificate = OpenSSL::X509::Certificate.new(the_certificate_der)

    assert_equal the_receipt_version, 2, 'The receipt version must be 2'
    assert_equal the_signature.length, 128, 'The signature must be 128 bytes in size'
    assert_equal the_certificate_size, the_certificate_der.length, 'The certificate expected and actual size must match'
    assert_not_nil the_certificate, 'Certificate could not be instantiated'

    # Make sure that the certificate is issued by Apple.
    the_store = OpenSSL::X509::Store.new
    the_store.add_cert(the_root_certificate)
    the_store.add_cert(the_intermediate_certificate)
    assert the_store.verify(the_certificate), the_store.error_string

    # Another way to verify that the certificate is signed/issued by the intermediate certificate
    assert the_certificate.verify(the_intermediate_certificate.public_key), 'Certificate is not signed/issued by intermediate certificate'

    # Verify the signature
    the_public_key = the_certificate.public_key
    assert the_public_key.verify(OpenSSL::Digest::SHA1.new, the_signature, [the_receipt_version, the_purchase_info_decoded].pack('CA*')), 'Signature verification failed'

    # The transaction receipt is not compromised and is from Apple.

    # Accompanied receipt (returned by Apple)
    the_receipt = {
      "original_purchase_date_ms"=> "1354432554000",
      "original_purchase_date_pst"=> "2012-12-01 23=>15=>54 America\/Los_Angeles",
      "transaction_id"=> "1000000059632385",
      "quantity"=> "1",
      "bid"=> "com.d--buzz.gag-plus.ios.001",
      "original_transaction_id"=> "1000000059632385",
      "bvrs"=> "7",
      "expires_date_formatted"=> "2012-12-02 08=>15=>54 Etc\/GMT",
      "purchase_date"=> "2012-12-02 07=>15=>54 Etc\/GMT",
      "expires_date"=> "1354436154000",
      "product_id"=> "com.d__buzz.gag_plus.ios.001.ars.premium.1y",
      "purchase_date_ms"=> "1354432554000",
      "expires_date_formatted_pst"=> "2012-12-02 00=>15=>54 America\/Los_Angeles",
      "purchase_date_pst"=> "2012-12-01 23=>15=>54 America\/Los_Angeles",
      "original_purchase_date"=> "2012-12-02 07=>15=>54 Etc\/GMT",
      "item_id"=> "580193937",
      "web_order_line_item_id"=> "1000000026436290",
      "unique_identifier"=> "0000b0092818"
    }

    assert_equal the_receipt['bid'], the_purchase_info['bid'], 'Mismatch bundle ID'
    assert_equal the_receipt['product_id'], the_purchase_info['product-id'], 'Mismatch product ID'
    assert_equal the_receipt['quantity'], the_purchase_info['quantity'], 'Mismatch quantity'
    assert_equal the_receipt['item-id'], the_purchase_info['item_id'], 'Mismatch item ID'
    # This is the device unique vendor identifier (iOS 6 and above)
    assert_equal the_receipt['unique-vendor-identifier'], the_purchase_info['unique_vendor_identifier'], 'Mismatch unique vendor identifier'
    # This is the device unique identifier (iOS 5 and below)
    assert_equal the_receipt['unique-identifier'], the_purchase_info['unique_identifier'], 'Mismatch unique identifier'
  end
end
	# Copyright (c) 2013 Stan Chang Khin Boon (http://lxcid.com/)
	#
	# Permission is hereby granted, free of charge, to any person obtaining a copy
	# of this software and associated documentation files (the "Software"), to deal
	# in the Software without restriction, including without limitation the rights
	# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
	# copies of the Software, and to permit persons to whom the Software is
	# furnished to do so, subject to the following conditions:
	#
	# The above copyright notice and this permission notice shall be included in
	# all copies or substantial portions of the Software.
	#
	# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
	# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
	# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
	# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
	# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
	# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
	# THE SOFTWARE.

	# References
	# - In-App Purchase Receipt Validation on iOS (http://developer.apple.com/library/ios/#releasenotes/StoreKit/IAP_ReceiptValidation/_index.html)
	# - CargoBay (https://github.com/mattt/CargoBay)

	require 'test/unit'
	require 'base64'
	require 'openssl'
	require 'osx/plist'

	class ReceiptDecodingTest < Test::Unit::TestCase
	def test_receipt_decoding
	the_root_certificate_pem = <<-CERTIFICATE
	-----BEGIN CERTIFICATE-----
	MIIEuzCCA6OgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBiMQswCQYDVQQGEwJVUzET
	MBEGA1UEChMKQXBwbGUgSW5jLjEmMCQGA1UECxMdQXBwbGUgQ2VydGlmaWNhdGlv
	biBBdXRob3JpdHkxFjAUBgNVBAMTDUFwcGxlIFJvb3QgQ0EwHhcNMDYwNDI1MjE0
	MDM2WhcNMzUwMjA5MjE0MDM2WjBiMQswCQYDVQQGEwJVUzETMBEGA1UEChMKQXBw
	bGUgSW5jLjEmMCQGA1UECxMdQXBwbGUgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkx
	FjAUBgNVBAMTDUFwcGxlIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
	ggEKAoIBAQDkkakJH5HbHkdQ6wXtXnmELes2oldMVeyLGYne+Uts9QerIjAC6Bg+
	+FAJ039BqJj50cpmnCRrEdCju+QbKsMflZ56DKRHi1vUFjczy8QPTc4UadHJGXL1
	XQ7Vf1+b8iUDulWPTV0N8WQ1IxVLFVkds5T39pyez1C6wVhQZ48ItCD3y6wsIG9w
	tj8BMIy3Q88PnT3zK0koGsj+zrW5DtleHNbLPbU6rfQPDgCSC7EhFi501TwN22IW
	q6NxkkdTVcGvL0Gz+PvjcM3mo0xFfh9Ma1CWQYnEdGILEINBhzOKgbEwWOxaBDKM
	aLOPHd5lc/9nXmW8Sdh2nzMUZaF3lMktAgMBAAGjggF6MIIBdjAOBgNVHQ8BAf8E
	BAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUK9BpR5R2Cf70a40uQKb3
	R01/CF4wHwYDVR0jBBgwFoAUK9BpR5R2Cf70a40uQKb3R01/CF4wggERBgNVHSAE
	ggEIMIIBBDCCAQAGCSqGSIb3Y2QFATCB8jAqBggrBgEFBQcCARYeaHR0cHM6Ly93
	d3cuYXBwbGUuY29tL2FwcGxlY2EvMIHDBggrBgEFBQcCAjCBthqBs1JlbGlhbmNl
	IG9uIHRoaXMgY2VydGlmaWNhdGUgYnkgYW55IHBhcnR5IGFzc3VtZXMgYWNjZXB0
	YW5jZSBvZiB0aGUgdGhlbiBhcHBsaWNhYmxlIHN0YW5kYXJkIHRlcm1zIGFuZCBj
	b25kaXRpb25zIG9mIHVzZSwgY2VydGlmaWNhdGUgcG9saWN5IGFuZCBjZXJ0aWZp
	Y2F0aW9uIHByYWN0aWNlIHN0YXRlbWVudHMuMA0GCSqGSIb3DQEBBQUAA4IBAQBc
	NplMLXi37Yyb3PN3m/J20ncwT8EfhYOFG5k9RzfyqZtAjizUsZAS2L70c5vu0mQP
	y3lPNNiiPvl4/2vIB+x9OYOLUyDTOMSxv5pPCmv/K/xZpwUJfBdAVhEedNO3iyM7
	R6PVbyTi69G3cN8PReEnyvFteO3ntRcXqNx+IjXKJdXZD9Zr1KIkIxH3oayPc4Fg
	xhtbCS+SsvhESPBgOJ4V9T0mZyCKM2r3DYLP3uujL/lTaltkwGMzd/c6ByxW69oP
	IQ7aunMZT7XZNn/Bh1XZp5m5MkL72NVxnn6hUrcbvZNCJBIqxw8dtk2cXmPIS4AX
	UKqK1drk/NAJBzewdXUh
	-----END CERTIFICATE-----
	CERTIFICATE
	the_root_certificate = OpenSSL::X509::Certificate.new(the_root_certificate_pem)
	assert_not_nil the_root_certificate, 'Root certificate could not be instantiated'

	the_intermediate_certificate_pem = <<-CERTIFICATE
	-----BEGIN CERTIFICATE-----
	MIIECzCCAvOgAwIBAgIBGjANBgkqhkiG9w0BAQUFADBiMQswCQYDVQQGEwJVUzET
	MBEGA1UEChMKQXBwbGUgSW5jLjEmMCQGA1UECxMdQXBwbGUgQ2VydGlmaWNhdGlv
	biBBdXRob3JpdHkxFjAUBgNVBAMTDUFwcGxlIFJvb3QgQ0EwHhcNMDkwNTE5MTgz
	MTMwWhcNMTYwNTE4MTgzMTMwWjB/MQswCQYDVQQGEwJVUzETMBEGA1UECgwKQXBw
	bGUgSW5jLjEmMCQGA1UECwwdQXBwbGUgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkx
	MzAxBgNVBAMMKkFwcGxlIGlUdW5lcyBTdG9yZSBDZXJ0aWZpY2F0aW9uIEF1dGhv
	cml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKS8rzKUQz4LvDeH
	zWOJ8szZviBNWrT+h2fSmt4aVJ2i89+H5EzLkxF4oDCPNEHB075mbUdsmLjsetXJ
	3aXk6sZw9DXQkfez2AoRmas6Yjq9e/RWT9ufJJNRUHwg1WZNZvMYpBOWIhb9Maf0
	OWab+2JpXEuflKhL6OxbZFoYeYoWdWNCpEnZjDPerXvWOQT04p0KaYzrSxIoSzRI
	B5sOWfkfYrADnza4TqPTdVnU8zoFysUzO/jABgkIk9vnTb8R81IspRY1FfNBAs0C
	0fz1+MWEvWNqhta2mfaGrl/9A9Qoilpdr7xldNH3GsOSCPQcrWnoAkwOlRUHvL5q
	b8GzraECAwEAAaOBrjCBqzAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB
	/zAdBgNVHQ4EFgQUNh3o4p2C0gEYtTJrDtdDC5FYQzowHwYDVR0jBBgwFoAUK9Bp
	R5R2Cf70a40uQKb3R01/CF4wNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDovL3d3dy5h
	cHBsZS5jb20vYXBwbGVjYS9yb290LmNybDAQBgoqhkiG92NkBgICBAIFADANBgkq
	hkiG9w0BAQUFAAOCAQEAdaaQ5pqn22VwpgmTbwjfLNvpKI1AG1deoOr07BNlG3FK
	TdyASE/y5an7hWy3Hp3b9BhIEHkX6sM9h9i0eW0UUK3Svz1O/A3ixQOUdYBzTaWh
	kf4c3hUXrIlxKm8PZwrTnDChaPvPcBfK2UD8+Bu/zrDErvRKLamZhwZCCYYiaoRA
	OfS7rFYY95ocAYFcjG5B8l0ZLBccSUbZHH6TEhPIZ5nC6oPjoowOuDsq3xy/S4tv
	Grjul2dK2Kuvi6TaXIceILjF87HEmKI3+J7GmmulrfZ4lg6CjwRGHLKl/ZowUSj9
	UgQVA9U8rf72eODqNe9ltSF226Tvy3LvVGsBDcfdGg==
	-----END CERTIFICATE-----
	CERTIFICATE
	the_intermediate_certificate = OpenSSL::X509::Certificate.new(the_intermediate_certificate_pem)
	assert_not_nil the_intermediate_certificate, 'Intermediate certificate could not be instantiated'

	# Base 64 encoded transaction receipt
	the_transaction_receipt_encoded = "ewoJInNpZ25hdHVyZSIgPSAiQWtZdVBNRGc1bjl5NDBRL2pXT08vVU5KeUZBbzNjTytvUmpJWklLWXQ3L00wNUV5WHFKTkhKR1BRbm1kYTRaeTBCcUdzejFtMmZwU0pRYXRUMDNWL2IwVGZBcjQrcDhib2ZVUmpDTFk5TlgzNkxDZ1dEandTMVN4UmFvKzRlazcycTUzTWVHVlNrR295NUUyN2pTejVQMmZRZHM4UHZ3UGlkM0R4M081OTQvd0FBQURWekNDQTFNd2dnSTdvQU1DQVFJQ0NHVVVrVTNaV0FTMU1BMEdDU3FHU0liM0RRRUJCUVVBTUg4eEN6QUpCZ05WQkFZVEFsVlRNUk13RVFZRFZRUUtEQXBCY0hCc1pTQkpibU11TVNZd0pBWURWUVFMREIxQmNIQnNaU0JEWlhKMGFXWnBZMkYwYVc5dUlFRjFkR2h2Y21sMGVURXpNREVHQTFVRUF3d3FRWEJ3YkdVZ2FWUjFibVZ6SUZOMGIzSmxJRU5sY25ScFptbGpZWFJwYjI0Z1FYVjBhRzl5YVhSNU1CNFhEVEE1TURZeE5USXlNRFUxTmxvWERURTBNRFl4TkRJeU1EVTFObG93WkRFak1DRUdBMVVFQXd3YVVIVnlZMmhoYzJWU1pXTmxhWEIwUTJWeWRHbG1hV05oZEdVeEd6QVpCZ05WQkFzTUVrRndjR3hsSUdsVWRXNWxjeUJUZEc5eVpURVRNQkVHQTFVRUNnd0tRWEJ3YkdVZ1NXNWpMakVMTUFrR0ExVUVCaE1DVlZNd2daOHdEUVlKS29aSWh2Y05BUUVCQlFBRGdZMEFNSUdKQW9HQkFNclJqRjJjdDRJclNkaVRDaGFJMGc4cHd2L2NtSHM4cC9Sd1YvcnQvOTFYS1ZoTmw0WElCaW1LalFRTmZnSHNEczZ5anUrK0RyS0pFN3VLc3BoTWRkS1lmRkU1ckdYc0FkQkVqQndSSXhleFRldngzSExFRkdBdDFtb0t4NTA5ZGh4dGlJZERnSnYyWWFWczQ5QjB1SnZOZHk2U01xTk5MSHNETHpEUzlvWkhBZ01CQUFHamNqQndNQXdHQTFVZEV3RUIvd1FDTUFBd0h3WURWUjBqQkJnd0ZvQVVOaDNvNHAyQzBnRVl0VEpyRHRkREM1RllRem93RGdZRFZSMFBBUUgvQkFRREFnZUFNQjBHQTFVZERnUVdCQlNwZzRQeUdVakZQaEpYQ0JUTXphTittVjhrOVRBUUJnb3Foa2lHOTJOa0JnVUJCQUlGQURBTkJna3Foa2lHOXcwQkFRVUZBQU9DQVFFQUVhU2JQanRtTjRDL0lCM1FFcEszMlJ4YWNDRFhkVlhBZVZSZVM1RmFaeGMrdDg4cFFQOTNCaUF4dmRXLzNlVFNNR1k1RmJlQVlMM2V0cVA1Z204d3JGb2pYMGlreVZSU3RRKy9BUTBLRWp0cUIwN2tMczlRVWU4Y3pSOFVHZmRNMUV1bVYvVWd2RGQ0TndOWXhMUU1nNFdUUWZna1FRVnk4R1had1ZIZ2JFL1VDNlk3MDUzcEdYQms1MU5QTTN3b3hoZDNnU1JMdlhqK2xvSHNTdGNURXFlOXBCRHBtRzUrc2s0dHcrR0szR01lRU41LytlMVFUOW5wL0tsMW5qK2FCdzdDMHhzeTBiRm5hQWQxY1NTNnhkb3J5L0NVdk02Z3RLc21uT09kcVRlc2JwMGJzOHNuNldxczBDOWRnY3hSSHVPTVoydG04bnBMVW03YXJnT1N6UT09IjsKCSJwdXJjaGFzZS1pbmZvIiA9ICJld29KSW05eWFXZHBibUZzTFhCMWNtTm9ZWE5sTFdSaGRHVXRjSE4wSWlBOUlDSXlNREV5TFRFeUxUQXhJREl6T2pFMU9qVTBJRUZ0WlhKcFkyRXZURzl6WDBGdVoyVnNaWE1pT3dvSkluQjFjbU5vWVhObExXUmhkR1V0YlhNaUlEMGdJakV6TlRRME16STFOVFF3TURBaU93b0pJblZ1YVhGMVpTMXBaR1Z1ZEdsbWFXVnlJaUE5SUNJd01EQXdZakF3T1RJNE1UZ2lPd29KSW05eWFXZHBibUZzTFhSeVlXNXpZV04wYVc5dUxXbGtJaUE5SUNJeE1EQXdNREF3TURVNU5qTXlNemcxSWpzS0NTSmxlSEJwY21WekxXUmhkR1VpSUQwZ0lqRXpOVFEwTXpZeE5UUXdNREFpT3dvSkluUnlZVzV6WVdOMGFXOXVMV2xrSWlBOUlDSXhNREF3TURBd01EVTVOak15TXpnMUlqc0tDU0p2Y21sbmFXNWhiQzF3ZFhKamFHRnpaUzFrWVhSbExXMXpJaUE5SUNJeE16VTBORE15TlRVME1EQXdJanNLQ1NKM1pXSXRiM0prWlhJdGJHbHVaUzFwZEdWdExXbGtJaUE5SUNJeE1EQXdNREF3TURJMk5ETTJNamt3SWpzS0NTSmlkbkp6SWlBOUlDSTNJanNLQ1NKbGVIQnBjbVZ6TFdSaGRHVXRabTl5YldGMGRHVmtMWEJ6ZENJZ1BTQWlNakF4TWkweE1pMHdNaUF3TURveE5UbzFOQ0JCYldWeWFXTmhMMHh2YzE5QmJtZGxiR1Z6SWpzS0NTSnBkR1Z0TFdsa0lpQTlJQ0kxT0RBeE9UTTVNemNpT3dvSkltVjRjR2x5WlhNdFpHRjBaUzFtYjNKdFlYUjBaV1FpSUQwZ0lqSXdNVEl0TVRJdE1ESWdNRGc2TVRVNk5UUWdSWFJqTDBkTlZDSTdDZ2tpY0hKdlpIVmpkQzFwWkNJZ1BTQWlZMjl0TG1SZlgySjFlbm91WjJGblgzQnNkWE11YVc5ekxqQXdNUzVoY25NdWNISmxiV2wxYlM0eGVTSTdDZ2tpY0hWeVkyaGhjMlV0WkdGMFpTSWdQU0FpTWpBeE1pMHhNaTB3TWlBd056b3hOVG8xTkNCRmRHTXZSMDFVSWpzS0NTSnZjbWxuYVc1aGJDMXdkWEpqYUdGelpTMWtZWFJsSWlBOUlDSXlNREV5TFRFeUxUQXlJREEzT2pFMU9qVTBJRVYwWXk5SFRWUWlPd29KSW1KcFpDSWdQU0FpWTI5dExtUXRMV0oxZW5vdVoyRm5MWEJzZFhNdWFXOXpMakF3TVNJN0Nna2ljSFZ5WTJoaGMyVXRaR0YwWlMxd2MzUWlJRDBnSWpJd01USXRNVEl0TURFZ01qTTZNVFU2TlRRZ1FXMWxjbWxqWVM5TWIzTmZRVzVuWld4bGN5STdDZ2tpY1hWaGJuUnBkSGtpSUQwZ0lqRWlPd3A5IjsKCSJlbnZpcm9ubWVudCIgPSAiU2FuZGJveCI7CgkicG9kIiA9ICIxMDAiOwoJInNpZ25pbmctc3RhdHVzIiA9ICIwIjsKfQ=="

	the_transaction_receipt_decoded = Base64.decode64(the_transaction_receipt_encoded)
	the_transaction_receipt = OSX::PropertyList.load(the_transaction_receipt_decoded) # Property list in OpenStep format

	the_purchase_info_encoded = the_transaction_receipt['purchase-info']
	the_purchase_info_decoded = Base64.decode64(the_purchase_info_encoded)
	the_purchase_info = OSX::PropertyList.load(the_purchase_info_decoded) # Property list in OpenStep format

	# Binary format looks as follows:
	#
	# +-----------------+-----------+------------------+-------------+
	# \| RECEIPT VERSION \| SIGNATURE \| CERTIFICATE SIZE \| CERTIFICATE \|
	# +-----------------+-----------+------------------+-------------+
	# \| 1 byte \| 128 bytes \| 4 bytes \| \|
	# +-----------------+-----------+------------------+-------------+
	# \| big endian \|
	# +--------------------------------------------------------------+
	#
	# 1. Extract receipt version, signature and certificate(s).
	# 2. Check receipt version == 2.
	# 3. Sanity check that signature is 128 bytes.
	# 4. Sanity check certification size <= remaining payload data.
	the_signature_encoded = the_transaction_receipt['signature']
	the_signature_decoded = Base64.decode64(the_signature_encoded)
	the_receipt_version, the_signature, the_certificate_size, the_certificate_der = the_signature_decoded.unpack('CA128L>A*')
	the_certificate = OpenSSL::X509::Certificate.new(the_certificate_der)

	assert_equal the_receipt_version, 2, 'The receipt version must be 2'
	assert_equal the_signature.length, 128, 'The signature must be 128 bytes in size'
	assert_equal the_certificate_size, the_certificate_der.length, 'The certificate expected and actual size must match'
	assert_not_nil the_certificate, 'Certificate could not be instantiated'

	# Make sure that the certificate is issued by Apple.
	the_store = OpenSSL::X509::Store.new
	the_store.add_cert(the_root_certificate)
	the_store.add_cert(the_intermediate_certificate)
	assert the_store.verify(the_certificate), the_store.error_string

	# Another way to verify that the certificate is signed/issued by the intermediate certificate
	assert the_certificate.verify(the_intermediate_certificate.public_key), 'Certificate is not signed/issued by intermediate certificate'

	# Verify the signature
	the_public_key = the_certificate.public_key
	assert the_public_key.verify(OpenSSL::Digest::SHA1.new, the_signature, [the_receipt_version, the_purchase_info_decoded].pack('CA*')), 'Signature verification failed'

	# The transaction receipt is not compromised and is from Apple.

	# Accompanied receipt (returned by Apple)
	the_receipt = {
	"original_purchase_date_ms"=> "1354432554000",
	"original_purchase_date_pst"=> "2012-12-01 23=>15=>54 America\/Los_Angeles",
	"transaction_id"=> "1000000059632385",
	"quantity"=> "1",
	"bid"=> "com.d--buzz.gag-plus.ios.001",
	"original_transaction_id"=> "1000000059632385",
	"bvrs"=> "7",
	"expires_date_formatted"=> "2012-12-02 08=>15=>54 Etc\/GMT",
	"purchase_date"=> "2012-12-02 07=>15=>54 Etc\/GMT",
	"expires_date"=> "1354436154000",
	"product_id"=> "com.d__buzz.gag_plus.ios.001.ars.premium.1y",
	"purchase_date_ms"=> "1354432554000",
	"expires_date_formatted_pst"=> "2012-12-02 00=>15=>54 America\/Los_Angeles",
	"purchase_date_pst"=> "2012-12-01 23=>15=>54 America\/Los_Angeles",
	"original_purchase_date"=> "2012-12-02 07=>15=>54 Etc\/GMT",
	"item_id"=> "580193937",
	"web_order_line_item_id"=> "1000000026436290",
	"unique_identifier"=> "0000b0092818"
	}

	assert_equal the_receipt['bid'], the_purchase_info['bid'], 'Mismatch bundle ID'
	assert_equal the_receipt['product_id'], the_purchase_info['product-id'], 'Mismatch product ID'
	assert_equal the_receipt['quantity'], the_purchase_info['quantity'], 'Mismatch quantity'
	assert_equal the_receipt['item-id'], the_purchase_info['item_id'], 'Mismatch item ID'
	# This is the device unique vendor identifier (iOS 6 and above)
	assert_equal the_receipt['unique-vendor-identifier'], the_purchase_info['unique_vendor_identifier'], 'Mismatch unique vendor identifier'
	# This is the device unique identifier (iOS 5 and below)
	assert_equal the_receipt['unique-identifier'], the_purchase_info['unique_identifier'], 'Mismatch unique identifier'
	end
	end