App Store Server Notifications v2 JWS verify in Java

I have been trying to use several open source libraries to verify the JWS in the signedPayload.

I have tried auth0, jose4j, jsonwebtoken, and have even tried raw Java signature validation. None work on the tokens being sent from the sandbox.

If I create the JWT locally using the private/public key configured for my account, I can verify it with ALL of the different methods.

I am not getting any wrong algorithm or invalid key issues... it's just saying the signature fails validation.

Does anyone have this running in Java who can share some tips?

-john

Replies

Hello John!

Use the information in the JWSDecodedHeader to validate the JWS signature. Check the x5c header parameter; it contains the certificate chain that corresponds to the key used to digitally sign the JWS. Keys used for local testing and for Sandbox are different. https://developer.apple.com/documentation/appstoreserverapi/jwsdecodedheader

I am using the standard verification methods from the open source libraries. Is there a reason this should not work? I am using the private key associated with the account along with the public key that I extracted from the p8 file. When I create a JWT with this private key, ALL the standard libraries work to verify it with the public key. Is there a different key for the Sandbox?

  • This is an overview of a working solution.

    --- 1. Extract the public key from the X509 cert created from the first entry in the x5c array in the header.

    --- 2. Use JWTVerifier to verify the signature on the token using the public key from step 1.

    --- 3. Validate the certificate chain using the G3 root cert from Apple. Only use the 2nd and 3rd values in the x5c array for the chain.

    See this:  https://www.javadoc.io/doc/com.auth0/java-jwt/3.2.0/com/auth0/jwt/JWTVerifier.html
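The three steps above put together in Java, as an added example written for this page and not code from the thread, from Apple, or from java-jwt. It assumes java-jwt 4.x on the classpath (for `JWT.decode`, `Claim.asList` and `Algorithm.ECDSA256(ECPublicKey, ECPrivateKey)`) and a local copy of Apple Root CA - G3 (the `.cer` from Apple's certificate authority page) whose file path is supplied on the command line. The class name, the command-line layout, and the choice to validate the leaf and intermediate from `x5c` only against the locally pinned root (discarding any root that arrives inside the token) are this example's own decisions, not something the thread specifies.

```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.interfaces.DecodedJWT;

import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.PublicKey;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collections;
import java.util.List;

/**
 * Example verifier for an App Store Server Notifications v2 signedPayload (hypothetical
 * class name). Order matters: the x5c chain is validated against a pinned Apple root
 * BEFORE the leaf's key is used, so an attacker cannot just ship their own cert in x5c.
 */
public final class AppStoreJwsVerifier {

    private final X509Certificate pinnedAppleRoot;

    public AppStoreJwsVerifier(X509Certificate pinnedAppleRoot) {
        this.pinnedAppleRoot = pinnedAppleRoot;
    }

    /** Loads the pinned Apple Root CA - G3 from a DER or PEM file (path is an assumption). */
    public static AppStoreJwsVerifier fromRootFile(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            return new AppStoreJwsVerifier((X509Certificate) cf.generateCertificate(in));
        }
    }

    public DecodedJWT verify(String signedPayload) throws Exception {
        // Decode WITHOUT verifying, purely to read the protected header (alg, x5c).
        DecodedJWT unverified = JWT.decode(signedPayload);
        if (!"ES256".equals(unverified.getAlgorithm())) {
            throw new SecurityException("unexpected alg: " + unverified.getAlgorithm());
        }
        List<String> x5c = unverified.getHeaderClaim("x5c").asList(String.class);
        if (x5c == null || x5c.size() < 2) {
            throw new SecurityException("x5c header missing or too short");
        }

        // x5c entries are plain base64 (not base64url) DER certificates, leaf first.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        for (String b64 : x5c) {
            byte[] der = Base64.getDecoder().decode(b64);
            chain.add((X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der)));
        }

        // Step 3: PKIX-validate leaf + intermediate up to OUR pinned root. Any root that came
        // inside the token is dropped from the path; only the local copy is a trust anchor.
        List<X509Certificate> path = new ArrayList<>();
        for (X509Certificate c : chain) {
            if (!c.equals(pinnedAppleRoot)) {
                path.add(c);
            }
        }
        CertPath certPath = cf.generateCertPath(path);
        PKIXParameters params = new PKIXParameters(
                Collections.singleton(new TrustAnchor(pinnedAppleRoot, null)));
        // Simplification for the example: no OCSP/CRL lookup. In production attach a
        // PKIXRevocationChecker via params.addCertPathChecker(...) instead.
        params.setRevocationEnabled(false);
        CertPathValidator.getInstance("PKIX").validate(certPath, params); // throws on failure

        // Steps 1 and 2: take the public key from the now-trusted leaf and verify the JWS.
        PublicKey leafKey = chain.get(0).getPublicKey();
        if (!(leafKey instanceof ECPublicKey)) {
            throw new SecurityException("leaf certificate does not carry an EC key");
        }
        Algorithm es256 = Algorithm.ECDSA256((ECPublicKey) leafKey, null);
        return JWT.require(es256).build().verify(signedPayload);
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: AppStoreJwsVerifier <AppleRootCA-G3.cer> <signedPayload>");
            System.exit(2);
        }
        DecodedJWT jwt = AppStoreJwsVerifier.fromRootFile(args[0]).verify(args[1]);
        System.out.println("notificationType=" + jwt.getClaim("notificationType").asString());
    }
}
```

Two points worth noting when adapting this: the signature check alone proves nothing, because the key it uses comes from the token itself, so the chain validation to a root you hold locally is what actually binds the notification to Apple; and the `data.signedTransactionInfo` and `data.signedRenewalInfo` fields inside a verified payload are themselves JWS strings that need the same treatment.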
