Android内购使用php OpenSSL验证服务器签名
尝试遵循此处的一些应用内购买安全准则: http://developer.android.com/guide/market/billing/billing_best_practices.html
我正在尝试在服务器上而不是在应用程序本身中进行签名验证。理想情况下,我希望使用 php openssl 库,看起来像下面这样的代码应该可以工作:
<?php
// $data and $signature are assumed to contain the data and the signature
// fetch public key from certificate and ready it
$fp = fopen("/src/openssl-0.9.6/demos/sign/cert.pem", "r");
$cert = fread($fp, 8192);
fclose($fp);
$pubkeyid = openssl_get_publickey($cert);
// state whether signature is okay or not
$ok = openssl_verify($data, $signature, $pubkeyid);
if ($ok == 1) {
echo "good";
} elseif ($ok == 0) {
echo "bad";
} else {
echo "ugly, error checking signature";
}
// free the key from memory
openssl_free_key($pubkeyid);
?>
我用应用程序购买包中的 base64 解码签名字符串替换签名,并使用同一包中的数据。公钥需要采用 PEM 格式,我添加了 BEGIN 和 END 标记以及一些换行符。
我的问题是我无法获取此 PHP 代码来成功验证数据/签名,并且我不知道需要更改哪些内容才能使其正常工作。
如果我使用 openssl,创建私钥和公钥,使用 sha1 为相同数据创建签名并通过上面的 php 代码运行它,它工作正常并成功验证。
以下是我使用 OpenSSL 的方法:
openssl genrsa -out private.pem
openssl rsa -in private.pem -pubout -out public.pem
然后我使用 private.pem 和一些 php 代码来生成签名:
...
openssl_sign($data, $signature, $pkeyid);
...
有人有任何可用于应用程序内签名的服务器端验证的工作示例 php 代码吗?
我可以运行示例应用程序中的等效 java 代码,这似乎工作正常,但如果可能的话,我想直接使用 php。
In an attempt to follow some of the security guidelines for in-app purchase here:
http://developer.android.com/guide/market/billing/billing_best_practices.html
I am trying to do signature validation on a server instead of in the app iteself. I would ideally like to use the php openssl libraries and it looks like code such as the following should work:
<?php
// $data and $signature are assumed to contain the data and the signature
// fetch public key from certificate and ready it
$fp = fopen("/src/openssl-0.9.6/demos/sign/cert.pem", "r");
$cert = fread($fp, 8192);
fclose($fp);
$pubkeyid = openssl_get_publickey($cert);
// state whether signature is okay or not
$ok = openssl_verify($data, $signature, $pubkeyid);
if ($ok == 1) {
echo "good";
} elseif ($ok == 0) {
echo "bad";
} else {
echo "ugly, error checking signature";
}
// free the key from memory
openssl_free_key($pubkeyid);
?>
I replace signature with the base64 decoded signature string in the app purchase bundle and the use the data from the same bundle. The public key needs to be in PEM format and I added the BEGIN and END tokens and some line breaks.
My problem is that I can not get this PHP code to successfully verify the data/signature and I do not know what needs to change to get it to work correctly.
If I use openssl, create a private and public key, create a signature for the same data using sha1 and run it through the above php code, it works fine and validate successfully.
Here is how I use OpenSSL:
openssl genrsa -out private.pem
openssl rsa -in private.pem -pubout -out public.pem
then I use the private.pem and some php code to generate a signature:
...
openssl_sign($data, $signature, $pkeyid);
...
Does anyone have any working sample php code with server side validation of in-app signatures?
I could just run the equivalent java code that is in the sample application, and that seems to work ok, but I would like to use php directly if possible.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
我编写了一个用于验证 Android Market 许可响应的库,可以在 Google 代码上找到它。
只需几行< PHP 的 /a> 来验证许可证,并且密钥和 OpenSSL 内容的格式会为您处理。
I've written a library for verifying Android Market licensing responses and it's available on Google Code.
It just takes a few lines of PHP to verify a license, and the formatting of keys and OpenSSL stuff is taken care of for you.
是否可以在 PHP 脚本中使用 cURL,而不是 PHP 流中内置的内容。我以前使用过它们,发现问题更罕见,而且错误消息更冗长。
Is it possible to use cURL in your PHP script, rather than the stuff built into PHP streams. I've used them before, and have found the problems more rare, and the error messages more verbose.