使用 PHP openssl 进行应用内购买签名验证
尝试遵循应用内的一些安全准则 在这里购买: http://developer.android.com/guide/market/billing/billing_best_practices.html 我正在尝试在服务器上而不是在服务器上进行签名验证 应用程序本身。我理想地想使用 php openssl 库和 看起来像下面这样的代码应该可以工作:
$public_key_str = file_get_contents("./pubKey/out");
$public_key_str = trim($public_key_str);
$key = openssl_get_publickey($public_key_str);
if(!$key)
{
echo 'Can\'t get public key';
}
$signature = base64_decode( $signature );
$ok = openssl_verify($data, $signature, $key);
var_dump($ok);
我知道我的签名和公钥都是正确的,但是 $ok 是 0!我尝试使用的签名是应用程序购买包中的字符串。我猜我的密钥是正确的,问题出在签名上。当我尝试使用以下命令从 base64 解码它时: openssl enc -base64 -d -insignature -A > signature.bin,我有与base64_decode()相同的字符串。有什么想法吗?
UPD:我也不太明白应该将 openssl_verify() 作为 $data 传递给什么?我的数据如下所示:
$data = '{"nonce":5550262978898439313,"orders":[{"notificationId":"android.test.purchased","orderId":"transactionId.android.test.purchased","packageName":"com.ads.testbilling","productId":"android.test.purchased","purchaseTime":1308224646237,"purchaseState":0}]}';
In an attempt to follow some of the security guidelines for in-app
purchase here:
http://developer.android.com/guide/market/billing/billing_best_practices.html
I am trying to do signature validation on a server instead of in the
app iteself. I would ideally like to use the php openssl libraries and
it looks like code such as the following should work:
$public_key_str = file_get_contents("./pubKey/out");
$public_key_str = trim($public_key_str);
$key = openssl_get_publickey($public_key_str);
if(!$key)
{
echo 'Can\'t get public key';
}
$signature = base64_decode( $signature );
$ok = openssl_verify($data, $signature, $key);
var_dump($ok);
I know both my signature and public key are correct, but $ok is 0! Signature I try to use is string from the app purchase bundle. Guess my key is correct and the problem is in signature. When I try to decode it from base64 with: openssl enc -base64 -d -in signature -A > signature.bin, I have the string same with base64_decode(). Any ideas ?
UPD: also I don't really understanf what I should pass in openssl_verify() as $data ? My data looks like this:
$data = '{"nonce":5550262978898439313,"orders":[{"notificationId":"android.test.purchased","orderId":"transactionId.android.test.purchased","packageName":"com.ads.testbilling","productId":"android.test.purchased","purchaseTime":1308224646237,"purchaseState":0}]}';
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
看看 OAuth.php 我想你可以在 googlecode.com 上找到它
它使用 openssl_verify() 我认为他们使用的 $data 是一个 URL
http:// /oauth.googlecode.com/svn/code/php/OAuth.php
Have a look at OAuth.php I think you can get it at googlecode.com
It uses openssl_verify() I think the $data they are using is an URL
http://oauth.googlecode.com/svn/code/php/OAuth.php