In an attempt to follow some of the security guidelines for in-app
purchase here:
http://developer.android.com/guide/market/billing/billing_best_practices.html
I am trying to do signature validation on a server instead of in the
app itself. I would ideally like to use the PHP openssl libraries and
it looks like code such as the following should work:
<?php
// $data and $signature are assumed to contain the data and the signature
// fetch public key from certificate and ready it
$fp = fopen("/src/openssl-0.9.6/demos/sign/cert.pem", "r");
$cert = fread($fp, 8192);
fclose($fp);
$pubkeyid = openssl_get_publickey($cert);
// state whether signature is okay or not (1 = valid, 0 = invalid, -1 = error)
$ok = openssl_verify($data, $signature, $pubkeyid);
if ($ok == 1) {
    echo "good";
} elseif ($ok == 0) {
    echo "bad";
} else {
    echo "ugly, error checking signature";
}
// free the key from memory
openssl_free_key($pubkeyid);
?>
I replace signature with the base64 decoded signature string in the
app purchase bundle and then use the data from the same bundle. The
public key needs to be in PEM format and I added the BEGIN and END
tokens and some line breaks.
My problem is that I can not get this PHP code to successfully verify
the data/signature and I do not know what needs to change to get it to
work correctly.
If I use openssl, create a private and public key, create a signature
for the same data using sha1 and run it through the above PHP code, it
works fine and validates successfully.
Here is how I use OpenSSL:
openssl genrsa -out private.pem
openssl rsa -in private.pem -pubout -out public.pem
then I use the private.pem and some PHP code to generate a signature:
...
openssl_sign($data, $signature, $pkeyid);
...
Does anyone have any working sample php code with server side
validation of in-app signatures?
I could just run the equivalent java code that is in the sample
application, and that seems to work ok, but I would like to use php
directly if possible.
Thanks,
Nate
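Added example for the server-side check described above; it is not code from Nate's post, the PHP manual, or Google's sample application. It assumes the public key is the bare base64 blob shown in the developer console (an X.509 SubjectPublicKeyInfo RSA key without PEM headers), that the signature is base64-encoded SHA1withRSA (PKCS#1 v1.5) over the exact signed-data string the app received, and that PHP 7 or later with the openssl extension is available. The key pair and purchase payload at the bottom are constructed in-script so it runs offline; the function names are hypothetical.

```php
<?php
// Added example (not from the original post). Server-side verification of an
// Android in-app purchase signature with the PHP openssl extension.
// Assumption: the key is the console's base64 blob and the signature is
// base64 SHA1withRSA over the raw signed-data string.

function android_public_key_to_pem(string $base64Key): string
{
    // Strip whitespace that may have been pasted along with the key, then
    // re-wrap at 64 characters: OpenSSL's PEM reader expects standard lines.
    $clean = preg_replace('/\s+/', '', $base64Key);
    return "-----BEGIN PUBLIC KEY-----\n"
         . chunk_split($clean, 64, "\n")
         . "-----END PUBLIC KEY-----\n";
}

function verify_android_purchase(string $signedData, string $base64Signature, string $base64Key): bool
{
    $pubKey = openssl_pkey_get_public(android_public_key_to_pem($base64Key));
    if ($pubKey === false) {
        throw new RuntimeException('Public key could not be parsed: ' . openssl_error_string());
    }
    // Strict decoding rejects a signature string altered or truncated in transit.
    $signature = base64_decode($base64Signature, true);
    if ($signature === false) {
        return false;
    }
    // openssl_verify returns 1 (valid), 0 (invalid) or -1 (error); only 1 passes.
    $result = openssl_verify($signedData, $signature, $pubKey, OPENSSL_ALGO_SHA1);
    return $result === 1;
}

// Constructed self-test: a throwaway key pair and sample payload stand in
// for the console key and the bundle the app would forward to the server.
$keyPair = openssl_pkey_new([
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
]);
$details = openssl_pkey_get_details($keyPair);
// Reduce the PEM public key to the bare base64 blob, the form the console shows.
$base64Key = preg_replace('/-----[A-Z ]+-----|\s+/', '', $details['key']);

$signedData = '{"nonce":1234567890,"orders":[{"orderId":"CONSTRUCTED-ORDER-1",'
            . '"productId":"sku_example","purchaseState":0}]}';
openssl_sign($signedData, $rawSignature, $keyPair, OPENSSL_ALGO_SHA1);
$base64Signature = base64_encode($rawSignature);

echo "untouched bundle: " . (verify_android_purchase($signedData, $base64Signature, $base64Key) ? "valid" : "INVALID") . "\n";
echo "modified data:    " . (verify_android_purchase($signedData . ' ', $base64Signature, $base64Key) ? "valid" : "INVALID") . "\n";
echo "modified sig:     " . (verify_android_purchase($signedData, base64_encode('x' . $rawSignature), $base64Key) ? "valid" : "INVALID") . "\n";
```

The second and third calls show the failure cases a server should expect to see: any change to the signed-data string (even trailing whitespace) or to the signature bytes must produce a rejection, so the data passed to openssl_verify has to be the string exactly as signed, not a re-serialized copy.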
--
You received this message because you are subscribed to the Google
Groups "Android Developers" group.