
I'm curious to know how I can decode and verify a JWS from Apple in-app purchase notifications. I've found this lib: https://github.com/firebase/php-jwt, which supports ES256, but I don't know clearly how to use the shared secret generated by Apple (if it is possible; I'm not sure about that). I've attempted this:

require_once dirname(__FILE__) . '/vendor/autoload.php';

use Firebase\JWT\JWT;
use Firebase\JWT\Key;

$key = '*****'; // Apple shared secret
$body = file_get_contents('php://input');
$decodedBody = json_decode($body, true);
$data = $decodedBody["signedPayload"]; // string to be decoded
$decoded = JWT::decode($data, new Key($key, 'ES256'));

I've got these errors:

Warning: openssl_verify(): supplied key param cannot be coerced into a public key in /Applications/XAMPP/xamppfiles/htdocs/jwttest/vendor/firebase/php-jwt/src/JWT.php on line 293

Fatal error: Uncaught DomainException: OpenSSL error: error:0909006C:PEM routines:get_name:no start line in /Applications/XAMPP/xamppfiles/htdocs/jwttest/vendor/firebase/php-jwt/src/JWT.php on line 301

DomainException: OpenSSL error: error:0909006C:PEM routines:get_name:no start line in /Applications/XAMPP/xamppfiles/htdocs/jwttest/vendor/firebase/php-jwt/src/JWT.php on line 301

Thanks in advance for your help

  • First you can inspect your token on https://jwt.io and then tell us what "alg" value you find in the header. Is it really "ES256"? Then you would need a public key, not a shared secret. – jps Aug 18 '22 at 21:19
  • Yes, it is ES256, cf. https://pastebin.com/mgtca1yf. That's why I'm curious if someone has successfully verified an Apple JWS in PHP – Camille Gallet Aug 18 '22 at 21:24
  • See this for a working solution https://stackoverflow.com/questions/69438848/validate-apple-storekit2-in-app-purchase-receipt-jwsrepresentation-in-backend-n – Camille Gallet Aug 18 '22 at 22:18
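
As the first comment notes, an ES256 token is verified with a public key, not the shared secret. The following is an added example, not part of the original thread: one way to do that with firebase/php-jwt, using the certificate chain Apple places in the JWS `x5c` header and trusting the leaf key only after the chain is tied to a locally pinned Apple Root CA - G3. The file name `AppleRootCA-G3.pem`, the helper names and the three-certificate chain length are assumptions; `openssl_x509_verify` needs PHP 7.4 or later.

```php
<?php
require_once __DIR__ . '/vendor/autoload.php';
use Firebase\JWT\JWT;
use Firebase\JWT\Key;

// Assumption: Apple Root CA - G3 fetched from Apple's PKI page and stored locally as PEM.
const APPLE_ROOT_PEM = __DIR__ . '/AppleRootCA-G3.pem';

// Wrap one base64 DER certificate from the x5c header as PEM (hypothetical helper).
function x5cToPem(string $b64Der): string
{
    return "-----BEGIN CERTIFICATE-----\n" . chunk_split($b64Der, 64, "\n") . "-----END CERTIFICATE-----\n";
}

function verifyAppleJws(string $jws): stdClass
{
    $parts = explode('.', $jws);
    if (count($parts) !== 3) {
        throw new UnexpectedValueException('Not a compact JWS');
    }
    $header = JWT::jsonDecode(JWT::urlsafeB64Decode($parts[0]));
    $x5c = $header->x5c ?? null;
    if (($header->alg ?? '') !== 'ES256' || !is_array($x5c) || count($x5c) !== 3) {
        throw new UnexpectedValueException('Expected ES256 with a three-certificate x5c chain');
    }
    [$leaf, $intermediate, $root] = array_map('x5cToPem', $x5c);
    // The root inside the token proves nothing by itself: it must equal the pinned copy.
    $pinned = file_get_contents(APPLE_ROOT_PEM);
    $want = openssl_x509_fingerprint($pinned, 'sha256');
    $got = openssl_x509_fingerprint($root, 'sha256');
    if (!$want || !$got || !hash_equals($want, $got)) {
        throw new UnexpectedValueException('x5c root is not the pinned Apple root');
    }
    // Each certificate must be signed by the next one up the chain.
    if (openssl_x509_verify($leaf, $intermediate) !== 1 || openssl_x509_verify($intermediate, $pinned) !== 1) {
        throw new UnexpectedValueException('x5c chain signature check failed');
    }
    // Reject expired or not-yet-valid certificates.
    foreach ([$leaf, $intermediate] as $pem) {
        $info = openssl_x509_parse($pem);
        if (time() < $info['validFrom_time_t'] || time() > $info['validTo_time_t']) {
            throw new UnexpectedValueException('Certificate outside its validity period');
        }
    }
    // Only now is the leaf's public key used to verify the JWS signature itself.
    $pub = openssl_pkey_get_details(openssl_pkey_get_public($leaf))['key'];
    return JWT::decode($jws, new Key($pub, 'ES256'));
}
// Usage in the webhook: $payload = verifyAppleJws($decodedBody['signedPayload']);
```

This example does not check certificate revocation or Apple's certificate-purpose extensions. Nested signed fields in the decoded payload, such as `signedTransactionInfo`, are JWS strings that can go through the same function.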

0 Answers