stackoom
  简体   繁体   中英

Android in-app purchase server signature verification using php OpenSSL

 原文  2011-04-13 06:47:37       php/ android/ openssl/ in-app-purchase/ signature

Question

In an attempt to follow some of the security guidelines for in-app purchase here: http://developer.android.com/guide/market/billing/billing_best_practices.html

I am trying to do signature validation on a server instead of in the app iteself. I would ideally like to use the php openssl libraries and it looks like code such as the following should work: 

<?php
// $data and $signature are assumed to contain the data and the signature

// fetch public key from certificate and ready it
$fp = fopen("/src/openssl-0.9.6/demos/sign/cert.pem", "r");
$cert = fread($fp, 8192);
fclose($fp);
$pubkeyid = openssl_get_publickey($cert);

// state whether signature is okay or not
$ok = openssl_verify($data, $signature, $pubkeyid);
if ($ok == 1) {
    echo "good";
} elseif ($ok == 0) {
    echo "bad";
} else {
    echo "ugly, error checking signature";
}
// free the key from memory
openssl_free_key($pubkeyid);
?>

I replace signature with the base64 decoded signature string in the app purchase bundle and the use the data from the same bundle. The public key needs to be in PEM format and I added the BEGIN and END tokens and some line breaks.

My problem is that I can not get this PHP code to successfully verify the data/signature and I do not know what needs to change to get it to work correctly.

If I use openssl, create a private and public key, create a signature for the same data using sha1 and run it through the above php code, it works fine and validate successfully.

Here is how I use OpenSSL: 

openssl genrsa -out private.pem
openssl rsa -in private.pem -pubout -out public.pem

then I use the private.pem and some php code to generate a signature: 

...
openssl_sign($data, $signature, $pkeyid);
...

Does anyone have any working sample php code with server side validation of in-app signatures?

I could just run the equivalent java code that is in the sample application, and that seems to work ok, but I would like to use php directly if possible.

2 answers

solution1
 4  2011-06-27 22:47:46

I've written a library for verifying Android Market licensing responses and it's available on Google Code .

It just takes a few lines of PHP to verify a license, and the formatting of keys and OpenSSL stuff is taken care of for you.

solution2
 0  2011-06-01 18:39:25

Is it possible to use cURL in your PHP script, rather than the stuff built into PHP streams. I've used them before, and have found the problems more rare, and the error messages more verbose.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question In-app purchase signature verification with PHP openssl Android in-app billing signature verification in php server Signature verification of in-app billing v3 in PHP server with openssl_verify In App Purchase Validation and Verification Server for PHP In App Purchase Server verification php script for in-app purchase Electron - In-App Purchase - how to validate apple receipt using PHP? rsa signature verification using phpseclib vs openssl in-app purchase Server Product Model Implementation Implementing receipt validations on playstore in-app purchase using purchase token
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM