
I want to implement In-App Billing in my application. I have a private key (provided by Google) to verify requests, but I need to put it inside a .pem file. The problem is that when I paste it in the form:

```
-----BEGIN RSA PRIVATE KEY-----
------------<MY KEY>----------
-----END RSA PRIVATE KEY-----
```

It says that is an invalid certificate.

How can I transform the key string into a valid .pem file? Thanks.

Kara
  • You can refer to this answer, please see: http://stackoverflow.com/questions/7216969/getting-rsa-private-key-from-pem-base64-encoded-private-key-file – Milos Cuculovic Sep 27 '12 at 15:45

1 Answer


What is provided by Google is not private but a public key. The private key resides on Google's servers. What language/libraries are you using? You probably need a PEM public key file, which goes something like this:

```
-----BEGIN PUBLIC KEY-----
<PASTE HERE>
-----END PUBLIC KEY-----
```
Nikolay Elenkov
  • Thanks for the quick answer. The problem is that it says that the key must have 256 characters instead of 363. Google gave me that key, so I don't know where the problem is. – Santiago Ignacio Poli Sep 28 '12 at 15:34
  • Again, how and with what library/language are you trying to parse the key? Paste the full error message or stack trace. – Nikolay Elenkov Sep 28 '12 at 16:11
  • java.security.SignatureException: Signature length not correct: got 344 but was expecting 256 at sun.security.rsa.RSASignature.engineVerify(RSASignature.java:189) at java.security.Signature$Delegate.engineVerify(Signature.java:1172) at java.security.Signature.verify(Signature.java:623) at com.estontorise.simplersa.RSAToolImpl.verifyWithKey(RSAToolImpl.java:101) – Santiago Ignacio Poli Sep 28 '12 at 17:32
  • The code that brings out that exception is: tool.verifyWithKey(data, signature, publicKey); – Santiago Ignacio Poli Sep 28 '12 at 17:33
  • This is a signature verification exception, not a key parsing exception. Show how you parse the key and/or the full code. – Nikolay Elenkov Sep 29 '12 at 01:56
  • I'm using RSATool to verify the signature. sslSecurityService.verify(purchaseData.getData().getBytes(), purchaseData.getSignature().getBytes()); and then in the verify method: tool.verifyWithKey(data, signature, publicKey); tool is an instance of RSATool – Santiago Ignacio Poli Oct 01 '12 at 12:33
  • You are aware that there is no way for us to divine what's inside `RSATool`, right? Either post your full code or a link to the library(s) you are using. If you just give us the names of your methods, no one can really help you. – Nikolay Elenkov Oct 01 '12 at 13:23
  • I thought that RSATool was a common library for doing that. Here's a link http://code.google.com/p/simplersalibrary/ . It uses the BouncyCastle provider – Santiago Ignacio Poli Oct 01 '12 at 13:43
  • Never heard of it and don't know how popular it is. It seems you are passing wrong signature data: the signature you get from Google Play is Base64 encoded, you need to decode it, before you can pass it to `RSATool.verify()` which expects the raw signature as a `byte[]`. For a 2048-bit key the signature key is 256 bytes long (2048/8). – Nikolay Elenkov Oct 01 '12 at 14:46
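
The fix the thread arrives at, as an added example that is not code from the original posts or from simplersalibrary: parse the PEM public key, Base64-decode the signature, then verify, and compare that with passing the Base64 text's bytes directly. It assumes plain JCA with `SHA1withRSA` (the scheme Google Play's in-app billing signatures use); the class and method names are hypothetical, and the key pair and purchase data are constructed locally to stand in for Google's.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

public class PlaySignatureCheck { // hypothetical class name
    // Accepts the PEM form shown in the answer, or the bare Base64 key string.
    static PublicKey parsePublicKey(String pem) throws GeneralSecurityException {
        String b64 = pem.replaceAll("-----[A-Z ]+-----", "").replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(b64); // X.509 SubjectPublicKeyInfo
        return KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
    }

    static Signature verifier(PublicKey key, String data) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA1withRSA"); // assumption: Google Play's scheme
        s.initVerify(key);
        s.update(data.getBytes(StandardCharsets.UTF_8));
        return s;
    }

    static boolean verify(PublicKey key, String data, String sigB64) throws GeneralSecurityException {
        byte[] raw = Base64.getDecoder().decode(sigB64); // 344 Base64 chars -> 256 raw bytes
        return verifier(key, data).verify(raw);
    }

    public static void main(String[] args) throws Exception {
        // Constructed key pair and purchase data (stand-ins for Google's key and a real receipt).
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        String pem = "-----BEGIN PUBLIC KEY-----\n"
            + Base64.getMimeEncoder(64, new byte[] {'\n'}).encodeToString(kp.getPublic().getEncoded())
            + "\n-----END PUBLIC KEY-----\n";
        String data = "{\"orderId\":\"constructed-sample\"}";
        Signature signer = Signature.getInstance("SHA1withRSA");
        signer.initSign(kp.getPrivate());
        signer.update(data.getBytes(StandardCharsets.UTF_8));
        String sigB64 = Base64.getEncoder().encodeToString(signer.sign());

        PublicKey key = parsePublicKey(pem);
        System.out.println("Base64 signature chars: " + sigB64.length());
        System.out.println("decoded signature valid: " + verify(key, data, sigB64));
        try { // the mistake from the thread: Base64 text passed as if it were the raw signature
            boolean ok = verifier(key, data).verify(sigB64.getBytes(StandardCharsets.US_ASCII));
            System.out.println("undecoded signature valid: " + ok);
        } catch (SignatureException e) {
            System.out.println("undecoded signature rejected: " + e.getMessage());
        }
    }
}
```

The exact wording of the rejection message differs between JDK versions, but the length mismatch it reports is the same 344 versus 256 seen in the stack trace above.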