1

I want to implement in-app purchase verification server-side in PHP language. I tested this link but returned false for correct data set.

The java function:

public class Security {
    private static final String TAG = "IABUtil/Security";

    private static final String KEY_FACTORY_ALGORITHM = "RSA";
    private static final String SIGNATURE_ALGORITHM = "SHA1withRSA";


    public static boolean verifyPurchase(String base64PublicKey, String signedData, String signature) {
        if (TextUtils.isEmpty(signedData) || TextUtils.isEmpty(base64PublicKey) ||
                TextUtils.isEmpty(signature)) {
            Log.e(TAG, "Purchase verification failed: missing data.");
            return false;
        }

        PublicKey key = Security.generatePublicKey(base64PublicKey);
        return Security.verify(key, signedData, signature);
    }

    public static PublicKey generatePublicKey(String encodedPublicKey) {
        try {
            byte[] decodedKey = Base64.decode(encodedPublicKey);
            KeyFactory keyFactory = KeyFactory.getInstance(KEY_FACTORY_ALGORITHM);
            return keyFactory.generatePublic(new X509EncodedKeySpec(decodedKey));
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException(e);
        } catch (InvalidKeySpecException e) {
            Log.e(TAG, "Invalid key specification.");
            throw new IllegalArgumentException(e);
        } catch (Base64DecoderException e) {
            Log.e(TAG, "Base64 decoding failed.");
            throw new IllegalArgumentException(e);
        }
    }

    public static boolean verify(PublicKey publicKey, String signedData, String signature) {
        ...
    }
}

I tried this code:

function verify_market_in_app($signed_data, $signature, $public_key_base64) 
{
    $key =  "-----BEGIN PUBLIC KEY-----\n".
        chunk_split($public_key_base64, 64,"\n").
        '-----END PUBLIC KEY-----';   
    //using PHP to create an RSA key
    $key = openssl_get_publickey($key);
    //$signature should be in binary format, but it comes as BASE64. 
    //So, I'll convert it.
    $signature = base64_decode($signature);   
    //using PHP's native support to verify the signature
    $result = openssl_verify(
            $signed_data,
            $signature,
            $key,
            OPENSSL_ALGO_SHA1);
    if (0 === $result) 
    {
        return false;
    }
    else if (1 !== $result)
    {
        return false;
    }
    else 
    {
        return true;
    }
}

but this isn't work correctly.

I use openssl_error_string() function and get this error:

error:0906D064:PEM routines:PEM_read_bio:bad base64 decode

Can any body help?

Ali Motameni
  • 2,567
  • 3
  • 24
  • 34
  • Possible duplicate question http://stackoverflow.com/questions/35377526/inapp-billing-verifying-order-on-web-server-php/35406194#35406194 – Marc Greenstock Oct 27 '16 at 12:17
  • Also see http://stackoverflow.com/questions/34749489/server-side-verification-of-google-play-in-app-billing-purchase-signature-failed/34756767#34756767 – Marc Greenstock Oct 27 '16 at 12:19
  • *"... but this isn't work correctly"* is not very helpful. Please state the exact error message, and the exact line and/or function it is encountered. – jww Oct 27 '16 at 17:30

0 Answers0