
Sometimes, after a person makes a purchase on an Android device via IAB, the signature the client sends back to the server cannot be base64 decoded due to a "TypeError: Incorrect padding" exception.

The server code looks like this, where "signature" is passed to the server from our clients which got the value from the IAB API:

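```python
import base64

from Crypto.Hash import SHA
from Crypto.PublicKey import RSA
from Crypto.Signature import PKCS1_v1_5

signature_encoded = signature.encode()
key = RSA.importKey(GOOGLE_PLAY_STORE_KEY_PEM)
verifier = PKCS1_v1_5.new(key)
signed_data_hash = SHA.new(signed_data)
# fails here SOMETIMES
signature_decoded = base64.urlsafe_b64decode(signature_encoded)
```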

The length of the "signature" string is supposed to be divisible by 4, but sometimes they come in with length 342 and give this padding error.

I've tried adding "==" to the end and that gets us around the exception but the result is not valid when compared to "signed_data_hash" (i.e. verifier.verify(signed_data_hash, signature_decoded) returns False).

I don't think this is a hack attempt since the client logs we're seeing indicate they are going through our purchase flow.

Any help here would be greatly appreciated! Thanks!

user701632
  • [Try some of these](http://stackoverflow.com/questions/2941995/python-ignore-incorrect-padding-error-when-base64-decoding) – PurityLake Nov 29 '13 at 23:25
  • What are the actual bytes of the signature string? It may be giving you an error and likely the bytes may be describing what that error is. – Clarus Dec 02 '13 at 22:07
  • Without seeing the strings, it's hard to tell. For one thing, depending on the call, sometimes the IAB API returns a string for signature, in other cases it returns stringlist. There could be newline characters. Although I don't think it is related to the problem, you don't need urlsafe unless the data was passed as part of a query_string (which I doubt). Also, is signature unicode? Why are you using encode()? Do you need decode() to run the verifier? Too much missing code to guess the fix. – doog abides Dec 03 '13 at 20:27
  • @user701632, I met the same problem, have you fixed it? – Timothy Zhang Sep 10 '14 at 06:49
  • I've tentatively closed this in favour of Timothy Zhang's linked question. I would recommend updating the old question to be broader in scope in favour of having this as a second question, as people searching will not want to find only half an answer. On the other hand, if this is about a bug in your code and not the behaviour itself, feel free to message me and I'll consider reopening. – Veedrac Sep 13 '14 at 19:30

1 Answer

> I've tried adding "==" to the end

Sounds wrong. You should add only enough so that the length of the string is a multiple of 3. Check out the padding section here: http://en.wikipedia.org/wiki/Base64

Sorin
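Added example, not part of the original question or answers: a Python 3, standard-library-only normalizer for a base64 signature string that drops transit whitespace, accepts either alphabet, restores stripped "=" padding to a multiple of 4 characters, and checks the decoded length before the bytes reach the verifier. The function names and the 256-byte expected length (a 2048-bit RSA key) are assumptions; under that assumption a padded signature is 344 characters, so a 342-character string is the same signature with its "==" removed.

```python
import base64
import binascii
import re

# Assumption: a 2048-bit RSA key, so a valid signature is exactly 256 bytes.
EXPECTED_SIG_LEN = 256
_B64_CHARS = re.compile(r"^[A-Za-z0-9+/]*$")


def decode_signature(signature, expected_len=EXPECTED_SIG_LEN):
    """Return the raw signature bytes, or raise ValueError saying what is wrong."""
    if isinstance(signature, bytes):
        signature = signature.decode("ascii", "strict")
    # Drop whitespace/newlines added in transit and any existing padding.
    s = "".join(signature.split()).rstrip("=")
    # Map the URL-safe alphabet onto the standard one so both are accepted.
    s = s.replace("-", "+").replace("_", "/")
    if not _B64_CHARS.match(s):
        raise ValueError("signature contains non-base64 characters")
    if len(s) % 4 == 1:
        # No byte string encodes to 4n+1 characters: data was lost.
        raise ValueError("signature is truncated (length %d)" % len(s))
    s += "=" * (-len(s) % 4)  # pad the *text* to a multiple of 4 characters
    try:
        raw = base64.b64decode(s, validate=True)
    except binascii.Error as exc:
        raise ValueError("base64 decode failed: %s" % exc)
    if len(raw) != expected_len:
        raise ValueError("decoded %d bytes, expected %d" % (len(raw), expected_len))
    return raw


def _constructed_sample():
    # Constructed 256-byte stand-in for a signature (not a real one).
    raw = bytes(range(256))
    return raw, base64.b64encode(raw).decode("ascii")
```

A ValueError from this function is worth logging together with the received length, since it separates transport damage from a signature that decodes cleanly but still fails verification.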