In an attempt to follow some of the security guidelines for in-app purchase here: http://developer.android.com/guide/market/billing/billing_best_practices.html I am trying to do signature validation on a server instead of in the app iteself. I would ideally like to use the php openssl libraries and it looks like code such as the following should work:

为了尝试遵循本文中的一些安全性指南:http://developer.android.com/guide/market/billing/billing_best_practices.html，我试图在服务器上而不是在应用iteself中执行签名验证。我希望使用php openssl库，它的代码应该如下所示:

$public_key_str = file_get_contents("./pubKey/out");
$public_key_str = trim($public_key_str);
$key = openssl_get_publickey($public_key_str);
if(!$key)
{
echo 'Can\'t get public key';
}
$signature = base64_decode( $signature );
$ok = openssl_verify($data, $signature, $key);
var_dump($ok);

I know both my signature and public key are correct, but $ok is 0! Signature I try to use is string from the app purchase bundle. Guess my key is correct and the problem is in signature. When I try to decode it from base64 with: openssl enc -base64 -d -in signature -A > signature.bin, I have the string same with base64_decode(). Any ideas ?

我知道我的签名和公钥都是正确的，但是$ok是0!我尝试使用的签名是来自应用程序购买包的字符串。我猜我的钥匙是对的，问题在签名中。当我尝试用:openssl enc -base64 -d -in签名- >签名从base64解码时。bin，我的字符串与base64_decode()相同。什么好主意吗?

UPD: also I don't really understanf what I should pass in openssl_verify() as $data ? My data looks like this:

UPD:我也不知道我应该把openssl_verify()作为$data传递给谁?我的数据是这样的:

$data = '{"nonce":5550262978898439313,"orders":[{"notificationId":"android.test.purchased","orderId":"transactionId.android.test.purchased","packageName":"com.ads.testbilling","productId":"android.test.purchased","purchaseTime":1308224646237,"purchaseState":0}]}';

1 个解决方案

#1

---