Android的应用程序内购买服务器签名验证使用PHP的OpenSSL [英] Android in-app purchase server signature verification using php OpenSSL

问题描述

在试图遵循一些安全准则应用程序内购买这里： <一href="http://developer.android.com/guide/market/billing/billing_best_practices.html">http://developer.android.com/guide/market/billing/billing_best_practices.html

In an attempt to follow some of the security guidelines for in-app purchase here: http://developer.android.com/guide/market/billing/billing_best_practices.html

我试图做签名验证的应用程序iteself的服务器上，而不是。我想理想情况下使用PHP OpenSSL库，它看起来像code，如以下应该工作：

I am trying to do signature validation on a server instead of in the app iteself. I would ideally like to use the php openssl libraries and it looks like code such as the following should work:

<?php
// $data and $signature are assumed to contain the data and the signature

// fetch public key from certificate and ready it
$fp = fopen("/src/openssl-0.9.6/demos/sign/cert.pem", "r");
$cert = fread($fp, 8192);
fclose($fp);
$pubkeyid = openssl_get_publickey($cert);

// state whether signature is okay or not
$ok = openssl_verify($data, $signature, $pubkeyid);
if ($ok == 1) {
    echo "good";
} elseif ($ok == 0) {
    echo "bad";
} else {
    echo "ugly, error checking signature";
}
// free the key from memory
openssl_free_key($pubkeyid);
?>

我跟在应用程序内购买包中的Base64德codeD签名字符串，并使用来自同一包中的数据代替签名。公共密钥需要在PEM格式，我增加了BEGIN和END标记和一些换行。

I replace signature with the base64 decoded signature string in the app purchase bundle and the use the data from the same bundle. The public key needs to be in PEM format and I added the BEGIN and END tokens and some line breaks.

我的问题是，我不能得到这个PHP code成功验证数据/签名，我不知道是什么需要改变，以使其正常工作。

My problem is that I can not get this PHP code to successfully verify the data/signature and I do not know what needs to change to get it to work correctly.

如果我使用OpenSSL，创建一个私钥和公钥，使用SHA1为同一个数据上的签名，并通过上面的PHP code运行它，它工作正常，并验证成功。

If I use openssl, create a private and public key, create a signature for the same data using sha1 and run it through the above php code, it works fine and validate successfully.

下面是我如何使用OpenSSL：

Here is how I use OpenSSL:

openssl genrsa -out private.pem
openssl rsa -in private.pem -pubout -out public.pem

然后我用的是private.pem和一些PHP code生成一个签名：

then I use the private.pem and some php code to generate a signature:

...
openssl_sign($data, $signature, $pkeyid);
...

没有人有任何的工作示例PHP code与在应用程序签名的服务器端验证？

Does anyone have any working sample php code with server side validation of in-app signatures?

我可以运行相应的Java code，它是在示例应用程序，这似乎工作确定，但我想如果可能的话，直接使用PHP。

I could just run the equivalent java code that is in the sample application, and that seems to work ok, but I would like to use php directly if possible.

推荐答案

我写了一个库，用于验证Android Market的授权响应，它的可用上的谷歌code 。

I've written a library for verifying Android Market licensing responses and it's available on Google Code.

这只是需要一个<一个href="http://$c$c.google.com/p/android-market-license-verification/source/browse/trunk/samples/verify.php"相对=nofollow>几行 PHP来验证许可证和密钥的格式和OpenSSL的东西是照顾你。

It just takes a few lines of PHP to verify a license, and the formatting of keys and OpenSSL stuff is taken care of for you.

这篇关于Android的应用程序内购买服务器签名验证使用PHP的OpenSSL的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！