Android in-app purchase server signature verification using php OpenSSL

Question

In an attempt to follow some of the security guidelines for in-app purchase here: http://developer.android.com/guide/market/billing/billing_best_practices.html

I am trying to do signature validation on a server instead of in the app iteself. I would ideally like to use the php openssl libraries and it looks like code such as the following should work:

<?php // $data and $signature are assumed to contain the data and the signature  // fetch public key from certificate and ready it $fp = fopen("/src/openssl-0.9.6/demos/sign/cert.pem", "r"); $cert = fread($fp, 8192); fclose($fp); $pubkeyid = openssl_get_publickey($cert);  // state whether signature is okay or not $ok = openssl_verify($data, $signature, $pubkeyid); if ($ok == 1) {     echo "good"; } elseif ($ok == 0) {     echo "bad"; } else {     echo "ugly, error checking signature"; } // free the key from memory openssl_free_key($pubkeyid); ?> 

I replace signature with the base64 decoded signature string in the app purchase bundle and the use the data from the same bundle. The public key needs to be in PEM format and I added the BEGIN and END tokens and some line breaks.

My problem is that I can not get this PHP code to successfully verify the data/signature and I do not know what needs to change to get it to work correctly.

If I use openssl, create a private and public key, create a signature for the same data using sha1 and run it through the above php code, it works fine and validate successfully.

Here is how I use OpenSSL:

openssl genrsa -out private.pem openssl rsa -in private.pem -pubout -out public.pem 

then I use the private.pem and some php code to generate a signature:

... openssl_sign($data, $signature, $pkeyid); ... 

Does anyone have any working sample php code with server side validation of in-app signatures?

I could just run the equivalent java code that is in the sample application, and that seems to work ok, but I would like to use php directly if possible.

Answer 1

I've written a library for verifying Android Market licensing responses and it's available on Google Code.

It just takes a few lines of PHP to verify a license, and the formatting of keys and OpenSSL stuff is taken care of for you.