
Padding Error when base64decoding google signature after in-app purchase [duplicate]

Sometimes, after a person makes a purchase on an Android device via IAB, the signature the client sends back to the server cannot be base64 decoded due to a "TypeError: Incorrect padding" exception.

The server code looks like this, where "signature" is passed to the server from our clients which got the value from the IAB API:

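```python
import base64
from Crypto.Hash import SHA
from Crypto.PublicKey import RSA
from Crypto.Signature import PKCS1_v1_5

signature_encoded = signature.encode()
key = RSA.importKey(GOOGLE_PLAY_STORE_KEY_PEM)
verifier = PKCS1_v1_5.new(key)
signed_data_hash = SHA.new(signed_data)
# fails here SOMETIMES
signature_decoded = base64.urlsafe_b64decode(signature_encoded)
```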

The length of the "signature" string is supposed to be divisible by 4, but sometimes they come in with length 342 and give this padding error.

I've tried adding "==" to the end and that gets us around the exception but the result is not valid when compared to "signed_data_hash" (i.e. verifier.verify(signed_data_hash, signature_decoded) returns False).

I don't think this is a hack attempt since the client logs we're seeing indicate they are going through our purchase flow.

Any help here would be greatly appreciated! Thanks!

user701632 asked Nov 21 '13 19:11



1 Answer

I've tried adding "==" to the end

Sounds wrong. You should add only enough so that the length of the string is a multiple of 3. Check out the padding section here: http://en.wikipedia.org/wiki/Base64

Sorin answered Nov 14 '22 08:11
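
A strict decoder for the case in the question, as an added example (not code from the post or the answer): it pads to a multiple of 4 characters, which for a 342-character string restores the 344-character form of a 256-byte value, and rejects anything that is not clean base64 of the expected length. The function name, the 256-byte length (RSA-2048 assumed) and the sample bytes are assumptions constructed here.

```python
import base64
import binascii
import re

# Assumption: the signing key is RSA-2048, so a valid signature is 256 bytes.
EXPECTED_SIG_LEN = 256

# Constructed sample "signature" (not a real one); its base64 form contains
# '+' and '/' and ends in "==".
SAMPLE_SIG = b"\xfb" * EXPECTED_SIG_LEN


def decode_signature(sig, expected_len=EXPECTED_SIG_LEN):
    """Strictly decode a base64 signature whose '=' padding may be missing.

    Returns the raw bytes, or raises ValueError so the caller can reject
    the purchase instead of verifying mangled data.
    """
    # Accept the URL-safe alphabet too, then work on the unpadded body.
    body = sig.strip().replace("-", "+").replace("_", "/").rstrip("=")
    if not re.fullmatch(r"[A-Za-z0-9+/]*", body):
        # e.g. a '+' that became a space in a form-encoded request body
        raise ValueError("signature contains non-base64 characters")
    if len(body) % 4 == 1:
        # No byte string encodes to this length; data was lost in transit.
        raise ValueError("impossible base64 length %d" % len(body))
    # 0, 1 or 2 '=' characters bring the length to a multiple of 4.
    padded = body + "=" * (-len(body) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except binascii.Error as exc:
        raise ValueError("invalid base64: %s" % exc)
    if len(raw) != expected_len:
        raise ValueError("decoded %d bytes, expected %d" % (len(raw), expected_len))
    return raw


if __name__ == "__main__":
    stripped = base64.b64encode(SAMPLE_SIG).decode().rstrip("=")
    print(len(stripped), len(decode_signature(stripped)))
```

On ValueError, log the raw string as received and reject the purchase; only bytes returned by this function should reach `verifier.verify(...)`.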