使用php OpenSSL的Android应用内购买服务器签名验证
为了在此处遵循应用内购买的一些安全指南:http://developer.android.com/guide/market/billing/billing_best_practices.html
In an attempt to follow some of the security guidelines for in-app purchase here: http://developer.android.com/guide/market/billing/billing_best_practices.html
我正在尝试在服务器上而不是在应用程序本身中进行签名验证.理想情况下,我想使用 php openssl 库,看起来像下面这样的代码应该可以工作:
I am trying to do signature validation on a server instead of in the app iteself. I would ideally like to use the php openssl libraries and it looks like code such as the following should work:
<?php
// $data and $signature are assumed to contain the data and the signature
// fetch public key from certificate and ready it
$fp = fopen("/src/openssl-0.9.6/demos/sign/cert.pem", "r");
$cert = fread($fp, 8192);
fclose($fp);
$pubkeyid = openssl_get_publickey($cert);
// state whether signature is okay or not
$ok = openssl_verify($data, $signature, $pubkeyid);
if ($ok == 1) {
echo "good";
} elseif ($ok == 0) {
echo "bad";
} else {
echo "ugly, error checking signature";
}
// free the key from memory
openssl_free_key($pubkeyid);
?>
我用应用购买包中的 base64 解码签名字符串替换了签名,并使用了同一个包中的数据.公钥需要采用 PEM 格式,我添加了 BEGIN 和 END 标记以及一些换行符.
I replace signature with the base64 decoded signature string in the app purchase bundle and the use the data from the same bundle. The public key needs to be in PEM format and I added the BEGIN and END tokens and some line breaks.
我的问题是我无法获得此 PHP 代码来成功验证数据/签名,而且我不知道需要进行哪些更改才能使其正常工作.
My problem is that I can not get this PHP code to successfully verify the data/signature and I do not know what needs to change to get it to work correctly.
如果我使用 openssl,创建一个私钥和公钥,使用 sha1 为相同的数据创建一个签名并通过上面的 php 代码运行它,它工作正常并成功验证.
If I use openssl, create a private and public key, create a signature for the same data using sha1 and run it through the above php code, it works fine and validate successfully.
以下是我如何使用 OpenSSL:
Here is how I use OpenSSL:
openssl genrsa -out private.pem
openssl rsa -in private.pem -pubout -out public.pem
然后我使用private.pem和一些php代码来生成一个签名:
then I use the private.pem and some php code to generate a signature:
...
openssl_sign($data, $signature, $pkeyid);
...
有没有人有任何可用的示例 php 代码,其中包含应用程序内签名的服务器端验证?
Does anyone have any working sample php code with server side validation of in-app signatures?
我可以运行示例应用程序中的等效 java 代码,这似乎可以正常工作,但如果可能,我想直接使用 php.
I could just run the equivalent java code that is in the sample application, and that seems to work ok, but I would like to use php directly if possible.
推荐答案
我编写了一个用于验证 Android Market 许可响应的库,可在 Google 代码.
I've written a library for verifying Android Market licensing responses and it's available on Google Code.
它只需要一个 几行 PHP 代码来验证许可证,密钥的格式和 OpenSSL 的内容会为您处理.
It just takes a few lines of PHP to verify a license, and the formatting of keys and OpenSSL stuff is taken care of for you.
相关文章