app-store-server-api
Version:
A client for the App Store Server API
119 lines (118 loc) • 6.18 kB
JavaScript
;
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
var desc = Object.getOwnPropertyDescriptor(m, k);
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
desc = { enumerable: true, get: function() { return m[k]; } };
}
Object.defineProperty(o, k2, desc);
}) : (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
o[k2] = m[k];
}));
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
Object.defineProperty(o, "default", { enumerable: true, value: v });
}) : function(o, v) {
o["default"] = v;
});
var __importStar = (this && this.__importStar) || function (mod) {
if (mod && mod.__esModule) return mod;
var result = {};
if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
__setModuleDefault(result, mod);
return result;
};
var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
return new (P || (P = Promise))(function (resolve, reject) {
function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
step((generator = generator.apply(thisArg, _arguments || [])).next());
});
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.decodeNotificationPayload = exports.decodeRenewalInfo = exports.decodeTransaction = exports.decodeTransactions = void 0;
const crypto_1 = require("crypto");
const jose = __importStar(require("jose"));
const AppleRootCertificate_1 = require("./AppleRootCertificate");
const Errors_1 = require("./Errors");
function decodeTransactions(signedTransactions, rootCertFingerprint) {
return __awaiter(this, void 0, void 0, function* () {
return Promise.all(signedTransactions.map(transaction => decodeJWS(transaction, rootCertFingerprint)));
});
}
exports.decodeTransactions = decodeTransactions;
function decodeTransaction(transaction, rootCertFingerprint) {
return __awaiter(this, void 0, void 0, function* () {
return decodeJWS(transaction, rootCertFingerprint);
});
}
exports.decodeTransaction = decodeTransaction;
function decodeRenewalInfo(info, rootCertFingerprint) {
return __awaiter(this, void 0, void 0, function* () {
return decodeJWS(info, rootCertFingerprint);
});
}
exports.decodeRenewalInfo = decodeRenewalInfo;
function decodeNotificationPayload(payload, rootCertFingerprint) {
return __awaiter(this, void 0, void 0, function* () {
return decodeJWS(payload, rootCertFingerprint);
});
}
exports.decodeNotificationPayload = decodeNotificationPayload;
/**
* Decodes and verifies an object signed by the App Store according to JWS.
* See: https://developer.apple.com/documentation/appstoreserverapi/jwstransaction
* @param token JWS token
* @param rootCertFingerprint Root certificate to validate against. Defaults to Apple's G3 CA but can be overriden for testing purposes.
*/
function decodeJWS(token, rootCertFingerprint = AppleRootCertificate_1.APPLE_ROOT_CA_G3_FINGERPRINT) {
return __awaiter(this, void 0, void 0, function* () {
// Extracts the key used to sign the JWS from the header of the token
const getKey = (protectedHeader, _token) => __awaiter(this, void 0, void 0, function* () {
// RC 7515 stipulates that the key used to sign the JWS must be the first in the chain.
// https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.6
var _a, _b;
// jose will not import the certificate unless it is in a proper PKCS8 format.
const certs = (_b = (_a = protectedHeader.x5c) === null || _a === void 0 ? void 0 : _a.map(c => `-----BEGIN CERTIFICATE-----\n${c}\n-----END CERTIFICATE-----`)) !== null && _b !== void 0 ? _b : [];
validateCertificates(certs, rootCertFingerprint);
return jose.importX509(certs[0], "ES256");
});
const { payload } = yield jose.compactVerify(token, getKey);
const decoded = new TextDecoder().decode(payload);
const json = JSON.parse(decoded);
return json;
});
}
/**
* Validates a certificate chain provided in the x5c field of a decoded header of a JWS.
* The certificates must be valid and have been signed by the provided
* @param certificates A chain of certificates
* @param rootCertFingerprint Expected SHA256 signature of the root certificate
* @throws {CertificateValidationError} if any of the validation checks fail
*/
function validateCertificates(certificates, rootCertFingerprint) {
if (certificates.length === 0)
throw new Errors_1.CertificateValidationError([]);
const x509certs = certificates.map(c => new crypto_1.X509Certificate(c));
// Check dates
const now = new Date();
const datesValid = x509certs.every(c => new Date(c.validFrom) < now && now < new Date(c.validTo));
if (!datesValid)
throw new Errors_1.CertificateValidationError(certificates);
// Check that each certificate, except for the last, is issued by the subsequent one.
if (certificates.length >= 2) {
for (let i = 0; i < x509certs.length - 1; i++) {
const subject = x509certs[i];
const issuer = x509certs[i + 1];
if (subject.checkIssued(issuer) === false || subject.verify(issuer.publicKey) === false) {
throw new Errors_1.CertificateValidationError(certificates);
}
}
}
// Ensure that the last certificate in the chain is the expected root CA.
if (x509certs[x509certs.length - 1].fingerprint256 !== rootCertFingerprint) {
throw new Errors_1.CertificateValidationError(certificates);
}
}