Clever Geek Handbook

Checking the billing signature in the application in the application on the php server

I am working on IAB v3 in my android app. After every successful purchase, I want my app to send back the sign data and signature to my php server for validation with the public key generated by google developer console. I found the following code.

<?php
// $data and $signature are assumed to contain the data and the signature

// fetch public key from certificate and ready it
$fp = fopen("/src/openssl-0.9.6/demos/sign/cert.pem", "r");
$cert = fread($fp, 8192);
fclose($fp);
$pubkeyid = openssl_get_publickey($cert);

// state whether signature is okay or not
$ok = openssl_verify($data, $signature, $pubkeyid);
if ($ok == 1) {
    echo "good";
} elseif ($ok == 0) {
    echo "bad";
} else {
    echo "ugly, error checking signature";
}
// free the key from memory
openssl_free_key($pubkeyid);
?>

Now I have a problem. The public key provided by google is String Base64 encoded. I don't know how to convert this string key to ".pem" format.

If I put my Base64 encoded key in "$ pubkeyid" by the above code. A warning will be given.

Warning: openssl_verify() [function.openssl-verify]: supplied key param cannot be coerced into a public key in myxxx.php.

How can I convert String Base64 public key to php accept format?

Does anyone have the above experience or solution? Please help. Many thanks.

+3


source to share


3 answers


To convert the open source base64 public key you get from Google to one you can use in PHP, try this:

$base64EncodedPublicKeyFromGoogle = "..."; // This is the public key for your app you get from Google.

$openSslFriendlyKey = "-----BEGIN PUBLIC KEY-----\n" . chunk_split($base64EncodedPublicKeyFromGoogle, 64, "\n") .  "-----END PUBLIC KEY-----";

Then you can pipe this to openssl_get_publickey()

.

$publicKeyId = openssl_get_publickey($openSslFriendlyKey);


As you can see, Google's format is almost correct. It just needs to be split into 64 character lines and added / added to the right header / footer.

You can also use the OpenSSL command to transform the public key like this:

openssl enc -base64 -d -in publickey.base64 -A | openssl rsa -inform DER -pubin > publickey.pem

Then you can read in the generated file publickey.pem

from PHP and pass its contents to the function openssl_get_publickey()

.

+9


source


My problem was fixed by this API.



https://github.com/mgoldsborough/google-play-in-app-billing-verification

+1


source


Complete solution to the poster question:

<?php
// $data and $signature are assumed to contain the data and the signature

// Paste your google public key below:
$base64EncodedPublicKeyFromGoogle  = "###############################"

//Convert the key to the right format for open SSL
$openSslFriendlyKey = "-----BEGIN PUBLIC KEY-----\n" . chunk_split($base64EncodedPublicKeyFromGoogle, 64, "\n") .  "-----END PUBLIC KEY-----";
$publicKeyId = openssl_get_publickey($openSslFriendlyKey);

// free the key from memory
openssl_free_key($publicKeyId);

//Perform signature verification. Don't forget to decode the signature!
$ok = openssl_verify($data, base64_decode($signature), $publicKeyId, OPENSSL_ALGO_SHA1);
if ($ok == 1) {
    echo "good";
} elseif ($ok == 0) {
    echo "bad";
} else {
    echo openssl_error_string();
}

?>
+1


source






More articles:


All Articles