enudler / Apple-Pay-Signature-Verification

Implementation of apple pay signature verification.

Need help - ApplePaySignatureVerifier-165 Failed to validate chain #5

Closed yramakanth closed 8 years ago

yramakanth commented 8 years ago

Hi There,

I am using the code to verify the Apple Pay signature and found that line 165, `PKIXCertPathBuilderResult pkixCertPathBuilderResult = (PKIXCertPathBuilderResult) builder.build(pkixParams);`, is throwing an exception: `Exception in thread "main" java.lang.Exception: Failed to validate chain of trust for apple certificates.` I am using applePaySignatureExpirationInMs as 1000. Can you please let me know the root cause? Please let me know if you need any other details.

Thanks, Ramakanth

enudler commented 8 years ago

Can you please share the full stack trace?

My best guess is that this signature is older than 1 second and that's why it fails. Apple recommends adding this check to prevent replay attacks.
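The freshness check enudler refers to reads the `signingTime` signed attribute out of the token's CMS (PKCS#7) signature and compares it with the server clock. The class below is an added illustration, not code from this repository: it assumes Bouncy Castle's `bcpkix` jar on the classpath, a hypothetical five-minute window (the 1000 ms used in this issue rejects every real token, since the token is always more than a second old by the time the merchant's server receives it), and a base64 signature string passed as the first program argument.

```java
import java.util.Base64;
import java.util.Date;
import java.util.concurrent.TimeUnit;
import org.bouncycastle.asn1.cms.Attribute;
import org.bouncycastle.asn1.cms.AttributeTable;
import org.bouncycastle.asn1.cms.CMSAttributes;
import org.bouncycastle.asn1.cms.Time;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.SignerInformation;

/** Added example: signing-time freshness check for an Apple Pay token signature. */
public final class SignatureFreshnessCheck {

    // Hypothetical window; tune to your latency budget. 1000 ms (as in the issue) is too short.
    static final long APPLE_PAY_SIGNATURE_EXPIRATION_IN_MS = TimeUnit.MINUTES.toMillis(5);

    // Tolerate a little clock skew between Apple's signer and this server.
    static final long CLOCK_SKEW_MS = TimeUnit.MINUTES.toMillis(1);

    /** Returns the CMS signingTime attribute of the first signer, or null if it is absent. */
    static Date signingTime(String base64Signature) throws CMSException {
        // The "signature" field of the token is a detached CMS signature; parsing it does not
        // require the signed content, only verification does.
        CMSSignedData signedData = new CMSSignedData(Base64.getDecoder().decode(base64Signature));
        SignerInformation signer = signedData.getSignerInfos().getSigners().iterator().next();
        AttributeTable signedAttrs = signer.getSignedAttributes();
        if (signedAttrs == null) {
            return null;
        }
        Attribute attr = signedAttrs.get(CMSAttributes.signingTime);
        if (attr == null) {
            return null;
        }
        return Time.getInstance(attr.getAttrValues().getObjectAt(0)).getDate();
    }

    /** True when the signature was produced within the window (stale or far-future times fail). */
    static boolean isFresh(Date signingTime, Date now, long windowMs) {
        if (signingTime == null) {
            return false; // no signing time means the replay check cannot be applied: reject
        }
        long ageMs = now.getTime() - signingTime.getTime();
        return ageMs >= -CLOCK_SKEW_MS && ageMs <= windowMs;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: SignatureFreshnessCheck <base64-cms-signature>");
            System.exit(2);
        }
        Date signed = signingTime(args[0]);
        Date now = new Date();
        System.out.println("signingTime = " + signed);
        System.out.println("fresh within " + APPLE_PAY_SIGNATURE_EXPIRATION_IN_MS + " ms: "
                + isFresh(signed, now, APPLE_PAY_SIGNATURE_EXPIRATION_IN_MS));
    }
}
```

The age check is deliberately two-sided: a signing time well in the future indicates a forged or mis-clocked signer just as a stale one indicates a possible replay, and a missing attribute is treated as a failure rather than skipped.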

yramakanth commented 8 years ago

Hi Enudler,

Thank you very much for the reply. Below is the stack trace. I think I am seeing this error every time.

Exception in thread "main" java.lang.Exception: Failed to validate chain of trust for apple certificates.
    at com.myapple.ApplePaySignatureVerifier.verifyCertificate(ApplePaySignatureVerifier.java:165)
    at com.myapple.ApplePaySignatureVerifier.validate(ApplePaySignatureVerifier.java:76)
    at com.myapple.Main.main(Main.java:117)

enudler commented 8 years ago

Hi, no problem.

Did you change the paymentJsonData to something valid? Did you change the AppleRootCA-G3.cer?

yramakanth commented 8 years ago

Hi, please tell me: are you talking about `{Version : "some_data", data:"some_data",signature:"some_date",header:"some_data"}` needing to have valid data? I haven't changed the certificate.

yramakanth commented 8 years ago

Hi Enudler, I have some sample data. Can you please tell me where I can get the correct sample data?

enudler commented 8 years ago

Change to this: private static final long APPLE_PAY_SIGNATURE_EXPIRATION_IN_MS = 99999999999L;

And try with this data:

private static final String paymentJsonData =
        "{\n" +
        " \"data\": \"2DzU9u6byIY4qCs3lW4KgK3JWC6Ac+x28Ck5PLCjQPJ+y6vCrEXqmBfdEm8uWT02lpGtYeo51WVOevuyX6cFguHIUzsCrhdvfSCV456G768lzbH6SwEk5ST/qiKI/rTQbeDAle7l5Njlil50hmVUTLqhmhS3ouC43+rf2NDR7y7Fr+JVkkHBqdEcONJnqFms+SfEPdNXNVccITdO/dkw3FAkXIy1lro1upZkjZSFdm5HCApRkDiTv6FLiUz/osKZsYKWQV+IEZdXjZZ3WF7Zmn8tOvwZdZy4NMq39oQFVt7VA7VRWs/RgPl0BK2xiGqTz1YFW+J6XE62MfW7yc8tFsJlIwTW7uCHY2ENwTFn11flN+7R64PSfPobUWlMjI3jiY+hMtynSkuSUImxXV0J76N4ItX60ce4E8o3ipZe0v6hLjNapr4Y6OcmTKnG0hy0X3f/cczN1K/YXLWkFco=\",\n" +
        " \"header\": {\n" +
        " \"ephemeralPublicKey\": \"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEtxcxQw0rS30y28P45MB/owA1H9OSeTIkiiuACxEpY7usak/He4suC446HPrPimw4+vZKO2nx+Ntyu13uALT3bA==\",\n" +
        " \"publicKeyHash\": \"spzGX6upCJhx5UD8vCo1+LcIi7+fkxEUaVmhbX18cJM=\",\n" +
        " \"transactionId\": \"79ccd07eb432f80067d8e5bbc4c38ee1def7fcc1827f6ba5b63bf47b283ebf89\"\n" +
        " },\n" +
        " \"signature\": \"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\",\n" +
        " \"version\": \"EC_v1\"\n" +
        "}";

yramakanth commented 8 years ago

Thanks for the quick response. I used the above data and I am seeing the error at step 3:

// step 3:
// Ensure that there is a valid X.509 chain of trust from the signature to the root CA. Specifically,
// ensure that the signature was created using the private key corresponding to the leaf certificate,
// that the leaf certificate is signed by the intermediate CA, and that the intermediate CA is signed by the Apple Root CA - G3.

Exception in thread "main" java.lang.Exception: Failed to validate chain of trust for apple certificates.
    at com.myapple.ApplePaySignatureVerifier.verifyCertificate(ApplePaySignatureVerifier.java:165)
    at com.myapple.ApplePaySignatureVerifier.validate(ApplePaySignatureVerifier.java:76)

enudler commented 8 years ago

Please archive the project and send it to enudler@gmail.com I'll have a look

yramakanth commented 8 years ago

Thanks, Enudler, for the reply. Can you please clarify: do I have to validate the signature in my code? I feel the app does signature validation (I assume the signature is generated from the user's fingerprint) and based on the result it allows the transaction.

yramakanth commented 8 years ago

Also, I used AppleRootCA-G3 for validating the signature, and I am seeing the exception below at stage 3.

Exception in thread "main" java.lang.Exception: Failed to validate chain of trust for apple certificates.

enudler commented 8 years ago

Apple recommends validating the signature in your code to make sure that the PaymentToken was created and signed by Apple.

Please take a look at: https://developer.apple.com/library/ios/documentation/PassKit/Reference/PaymentTokenJSON/PaymentTokenJSON.html

If it fails in step 3 it probably means that your PaymentToken (paymentJsonData in the code) is invalid (corrupted or not created by Apple).

To create your own PaymentToken you will have to go through Apple Dev Portal.
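Step 3 of Apple's guidance, the one failing at line 165 of this issue, is a PKIX path build from the leaf certificate embedded in the token's CMS signature up to the pinned Apple Root CA - G3. The class below is an added example and not this repository's code: it assumes Bouncy Castle's `bcpkix` jar for parsing the CMS structure, the JDK's built-in `PKIX` `CertPathBuilder` for the chain, the custom certificate-extension OIDs that Apple's Payment Token documentation specifies for the leaf (`1.2.840.113635.100.6.29`) and intermediate (`1.2.840.113635.100.6.2.14`) certificates, and a token file plus `AppleRootCA-G3.cer` path supplied as program arguments. The lookup of the `"signature"` field is done with a minimal regex to keep the example dependency-free; a real verifier would use its JSON library.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.cert.*;
import java.util.*;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.util.Store;

/** Added example: leaf -> intermediate -> Apple Root CA - G3 chain-of-trust check (step 3). */
public final class AppleChainOfTrust {

    // Custom extension OIDs Apple documents for Payment Token certificates (assumed from Apple docs).
    static final String LEAF_OID = "1.2.840.113635.100.6.29";
    static final String INTERMEDIATE_OID = "1.2.840.113635.100.6.2.14";

    static X509Certificate loadRootCa(String derPath) throws Exception {
        try (InputStream in = new FileInputStream(derPath)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /** All certificates Apple embedded in the detached CMS signature (leaf + intermediate). */
    static List<X509Certificate> certificatesFromSignature(byte[] cmsDer) throws Exception {
        Store<X509CertificateHolder> store = new CMSSignedData(cmsDer).getCertificates();
        JcaX509CertificateConverter converter = new JcaX509CertificateConverter();
        List<X509Certificate> certs = new ArrayList<>();
        for (X509CertificateHolder holder : store.getMatches(null)) {
            certs.add(converter.getCertificate(holder));
        }
        return certs;
    }

    /** Builds the path from the leaf up to the pinned root; throws when no valid path exists. */
    static PKIXCertPathBuilderResult buildPath(List<X509Certificate> embedded, X509Certificate root)
            throws Exception {
        X509Certificate leaf = embedded.stream()
                .filter(c -> c.getExtensionValue(LEAF_OID) != null)
                .findFirst()
                .orElseThrow(() -> new CertificateException("no certificate carries Apple's leaf OID"));
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(leaf);
        // Only the downloaded Apple Root CA - G3 is trusted; nothing from the JVM's default truststore.
        PKIXBuilderParameters params = new PKIXBuilderParameters(
                Collections.singleton(new TrustAnchor(root, null)), target);
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(embedded)));
        params.setRevocationEnabled(false); // no CRL/OCSP fetch; the root is pinned offline
        // Validity is checked against "now"; to re-validate an archived token, call params.setDate(...).
        return (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
    }

    /** Rejects chains that validate cryptographically but are not the Apple Pay leaf/intermediate pair. */
    static void requireAppleOids(PKIXCertPathBuilderResult result) throws CertificateException {
        List<? extends Certificate> path = result.getCertPath().getCertificates(); // leaf first, root omitted
        if (path.size() != 2) {
            throw new CertificateException("expected leaf + intermediate, got " + path.size() + " certs");
        }
        X509Certificate leaf = (X509Certificate) path.get(0);
        X509Certificate intermediate = (X509Certificate) path.get(1);
        if (leaf.getExtensionValue(LEAF_OID) == null || intermediate.getExtensionValue(INTERMEDIATE_OID) == null) {
            throw new CertificateException("chain lacks Apple's custom leaf/intermediate OIDs");
        }
    }

    /** Minimal extraction of the "signature" field from the token JSON (example shortcut). */
    static String signatureField(String tokenJson) {
        Matcher m = Pattern.compile("\"signature\"\\s*:\\s*\"([^\"]+)\"").matcher(tokenJson);
        if (!m.find()) {
            throw new IllegalArgumentException("token has no signature field");
        }
        return m.group(1);
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: AppleChainOfTrust <token.json> <AppleRootCA-G3.cer>");
            System.exit(2);
        }
        String json = new String(Files.readAllBytes(Paths.get(args[0])), StandardCharsets.UTF_8);
        byte[] cms = Base64.getDecoder().decode(signatureField(json));
        List<X509Certificate> embedded = certificatesFromSignature(cms);
        X509Certificate root = loadRootCa(args[1]);
        try {
            PKIXCertPathBuilderResult result = buildPath(embedded, root);
            requireAppleOids(result);
            System.out.println("chain of trust OK, leaf subject: "
                    + ((X509Certificate) result.getCertPath().getCertificates().get(0)).getSubjectX500Principal());
        } catch (Exception e) {
            // This is the branch the issue reporter is hitting: a token whose embedded certificates
            // do not chain to the supplied root (placeholder or corrupted data) lands here.
            throw new Exception("Failed to validate chain of trust for apple certificates.", e);
        }
    }
}
```

Two points worth keeping in mind when reading a failure here: the builder only sees certificates you hand it (the embedded ones plus the single trust anchor), so a token with made-up or truncated `signature` data can never produce a path, and a successful path build alone does not prove the token is an Apple Pay token, which is why the OID check follows the path build rather than replacing it.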

enudler commented 8 years ago

Hi @yramakanth Have you managed to overcome the issue? Can I close it?

yramakanth commented 8 years ago

Hi Enudler, yes, I am. Also, I am using a merchant certificate in .p12 form. Kindly let me know if I have to load that using a keystore.

Thanks.

enudler commented 8 years ago

Hi @yramakanth The p12 isn't needed to validate the signature. Anyway, it can be created by the keystore.

Look here for the decryption process: https://github.com/beatty/applepay_crypto_demo

yramakanth commented 8 years ago

Hi Enudler, I am getting a SecurityException, "constructing MAC: java.lang.SecurityException: JCE cannot authenticate the provider BC", on the line `keystore.load(new FileInputStream(pkcs12Filename), "test".toCharArray());` (I deployed the code on a Linux JBoss server). I am not seeing this error while running it as an independent program on Windows. Can you please let me know whether I have to add any security-related jars?

import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.interfaces.ECPrivateKey;

private static ECPrivateKey loadPrivateKey(String pkcs12Filename)
        throws KeyStoreException, NoSuchProviderException, IOException,
               NoSuchAlgorithmException, CertificateException, UnrecoverableKeyException {
    // Explicitly requests Bouncy Castle's PKCS12 implementation; this is the call that fails
    // when the JCE cannot authenticate the "BC" provider.
    KeyStore keystore = KeyStore.getInstance("PKCS12", "BC");
    char[] password = "test".toCharArray();
    try (FileInputStream in = new FileInputStream(pkcs12Filename)) {
        keystore.load(in, password);
    }
    // Checked with an exception rather than assert, which is disabled by default in the JVM.
    if (keystore.size() != 1) {
        throw new KeyStoreException("wrong number of entries in keychain: " + keystore.size());
    }
    // The store holds exactly one entry, so its alias is the first (and only) one.
    String alias = keystore.aliases().nextElement();
    // PKCS12 key entries are protected with the store password, so pass it instead of null.
    return (ECPrivateKey) keystore.getKey(alias, password);
}

enudler commented 8 years ago

Did you add BC (Bouncy Castle) to java.security?

yramakanth commented 8 years ago

Thanks for the quick reply. Can you confirm whether I can follow these steps?

http://tomee.apache.org/bouncy-castle.html

yramakanth commented 8 years ago

Hi Enudler, I see there are already entries in java.security inside /usr/java/jdk1.7.0_45/jre/lib/security:

security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider
security.provider.11=org.bouncycastle.jce.provider.BouncyCastleProvider

enudler commented 8 years ago

Hi @yramakanth As much as I would like to help, the questions you are asking are not related to this GitHub project.

yramakanth commented 8 years ago

Thanks. It was really helpful. I will close the ticket.