Menu
Sometimes, after a person makes a purchase on and android device via IAB, the signature the client sends back to the server cannot be base64 decoded due to a "TypeError: Incorrect padding" exception.
the server code looks like this, where "signature" is passed to the server from our clients which got the value from the IAB API:
signature_encoded = signature.encode()
key = RSA.importKey(GOOGLE_PLAY_STORE_KEY_PEM)
verifier = PKCS1_v1_5.new(key)
signed_data_hash = SHA.new(signed_data)
# fails here SOMETIMES
signature_decoded = base64.urlsafe_b64decode(signature_encoded)
The length of the "signature" string is supposed to be divisible by 4, but sometimes they come in with length 342 and give this padding error.
I've tried adding "==" to the end and that gets us around the exception but the result is not valid when compared to "signed_data_hash" (i.e. verifier.verify(signed_data_hash, signature_decoded) returns False).
I don't think this is a hack attempt since the client logs we're seeing indicate they are going through our purchase flow.
Any help here would be greatly appreciated! Thanks!
727
To ignore ‘Incorrect padding’ error when base64 decoding with Python, we add the padding to the base64 string. to call b64decode with the base64 string s concatenated with the padding string to decode the string without errors. To ignore ‘Incorrect padding’ error when base64 decoding with Python, we add the padding to the base64 string.
Also, previously the sample code (used by many big apps) from Google Play Billing Library allowed an empty signature. That's why it's static purchases worked there. But it was a security hole, so when it was published, Google submitted an update.
Ran into the same issue (signature verification, and getting rid of the test purchase) today (Oct 30, 2018). The signature issue is probably being caused by the fact that these test sku's are not really part of your app, and are thus do not have your app's signature.
From a theoretical point of view, the padding character is not needed, since the number of missing bytes can be calculated from the number of Base64 digits. So if this is really the only thing "wrong" with your base64 data, the padding can just be added back.
I've tried adding "==" to the end
Sounds wrong. You should add only enough so that the length of the string is a multiple of 3. Check out the padding section here: http://en.wikipedia.org/wiki/Base64
170
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
