如何使用旧订单ID格式在本地验证Google收据验证?

时间:2017-08-27 06:37:32

标签: java android google-play in-app-billing android-pay

我想验证Google收据验证,但由于我没有客户端密钥,我无法使用Google API https://developers.google.com/android-publisher/archive/v1_1/inapppurchases/get

所以我使用public keysignedDatasignature进行本地验证。

一切正常,因为我有新的orderId格式:

GPA.XXXX-XXXX-XXXX-XXXXX

但是,此代码不适用于旧模式orderId,如下所示:

4582257046313445026.7467948335710411

我得到例外:

  

签名异常java.security.SignatureException:签名长度不正确:得到294但是期待256

所以我成功地在PublicKey上生成verify次广告失败:

sig.verify(Base64.decode(signature, Base64.DEFAULT) // <- java.security.SignatureException

我知道RSA签名应该是256,在我的情况下我得到294

参考:Google Play Order ID updated to new format

代码示例

String base64PublicKey = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3dkBTr2pD2YSqSK2ewlEWwH9Llu0iA4PkwgVOyNRxOsHfrOlqi0Cm51qdNS0aqh/SMZkuQTAroqH3pAr9gVFOiejKRw+ymTaL5wB9+5n1mAbdeO2tv2FDsbawDvp7u6fIBejYt7Dtmih+kcu707fEO58HZWqgzx9qSHmrkMZr6yvHCtAhdBLwSBBjyhPHy7RAwKA+PE+HYVV2UNb5urqIZ9eI1dAv3RHX/xxHVHRJcjnTyMAqBmfFM+o31tp8/1CxGIazVN6HpVk8Qi2uqSS5HdKUu6VnIK8VuAHQbXQn4bG6GXx5Tp0SX1fKrejo7hupNUCgOlqsYHFYxsRkEOi0QIDAQAB";
String signedData = "{\"orderId\":\"GPA.3353-8027-5082-45637\",\"packageName\":\"com.mycompany.testapp\",\"productId\":\"weekly\",\"purchaseTime\":1503578932746,\"purchaseState\":0,\"developerPayload\":\"1502364785372-5918650324956818356\",\"purchaseToken\":\"bfljoelddlibhbibhnbnflej.AO-J1Oz8pvdqCmzz04OBmegRVKEG1stj4su5HH4uc-gzsz_vlhcz7iB_NUZVBNXp3RlTGyIGnsIgOe6bqvqfUIbPC9_CrCngL0EkZp-SBwaRzfn-EgJ32yQ\",\"autoRenewing\":true}";
String signature = "TyVJfHg8OAoW7W4wuJtS4dM//zmyECiNzWa8wuVrXyDOCPirHqxjpNthq23lmAZlxbTXyMNwedMQPr9R8NJtp3VTzGuNlLYBSOERVehmgstXiiwWDBvTNzgWbwimZmFaIiCExMQiPvbXHoWQh2rClFeAd4FfdC15pNf3NqfOGhUAEmieeb572umOo4YoF0l0421pY/JWYXa+2dtO6pcnSHF6gidRDXR66s/enRZUvkB4x9CEHdA862LDKbwOG4Aihh03IRLjD+m/5WNW+w05Q8bNNA6sCzFGVD+qa3IDiSqkiISCpd3UnufePxf3+O2doWjg2mXC5agEDMnNXvhfrw==";


boolean result = DefaultSignatureValidator.validate(base64PublicKey, signedData, signature);

DefaultSignatureValidator.class 

public class DefaultSignatureValidator {

        protected static final String KEY_FACTORY_ALGORITHM = "RSA";
        protected static final String SIGNATURE_ALGORITHM = "SHA1withRSA";

        /**
         * Generates a PublicKey instance from a string containing the
         * Base64-encoded public key.
         * 
         * @param encodedPublicKey
         *            Base64-encoded public key
         * @throws IllegalArgumentException
         *             if encodedPublicKey is invalid
         */
        protected static PublicKey generatePublicKey(String encodedPublicKey) {
            try {
                byte[] decodedKey = Base64.decode(encodedPublicKey, Base64.DEFAULT);
                KeyFactory keyFactory = KeyFactory.getInstance(KEY_FACTORY_ALGORITHM);
                return keyFactory.generatePublic(new X509EncodedKeySpec(decodedKey));
            } catch (NoSuchAlgorithmException e) {
                throw new RuntimeException(e);
            } catch (InvalidKeySpecException e) {
                System.out.println("Invalid key specification.");
                throw new IllegalArgumentException(e);
            } catch (Exception e) {
                System.out.println("Base64 decoding failed.");
                throw new IllegalArgumentException(e);
            }
        }

        protected static boolean validate(PublicKey publicKey, String signedData, String signature) {
            Signature sig;
            try {
                sig = Signature.getInstance(SIGNATURE_ALGORITHM);
                sig.initVerify(publicKey);
                sig.update(signedData.getBytes());
                if (!sig.verify(Base64.decode(signature, Base64.DEFAULT))) {
                    System.out.println("Signature verification failed.");
                    return false;
                }
                return true;
            } catch (NoSuchAlgorithmException e) {
                System.out.println("NoSuchAlgorithmException" + e);
            } catch (InvalidKeyException e) {
                System.out.println("Invalid key specification" + e);
            } catch (SignatureException e) {
                System.out.println("Signature exception" + e);
            } catch (Exception e) {
                System.out.println("Base64 decoding failed" + e);
            }
            return false;
        }

        public static boolean validate(String base64PublicKey, String signedData, String signature) {

            PublicKey key = DefaultSignatureValidator.generatePublicKey(base64PublicKey);
            return DefaultSignatureValidator.validate(key, signedData, signature);
        }
}

如何验证它?

如果你有解决方案,无论用什么语言Clojure,Skala,Ruby,Java .....

1 个答案:

答案 0 :(得分:4)

假设您正在尝试验证某些真实收据:如果您收到SignatureException - 这意味着除了给定的签名无效之外别无其他 。并且您的代码必须相应地处理此类签名,即

...
} catch (SignatureException e) {
    return false;
} 
...

您已经请求了一些与处理旧式orderId相关的代码:here you go。如您所见,Ruby中的验证部分与您的验证部分大致相同。同样,您的验证代码没有问题。问题在于收据签名本身。

现在,为什么的答案是否有无效签名。您并不是唯一一个看到无效签名的人,尤其是旧版格式的订单ID,例如asked here(以及thereeverywhere),这些订单ID在Google切换到新GPA后即将到来-prefixed ids。顺便说一句,您可以仔细检查您是否具有以下相同的条件:

  

在GooglePlay控制台的订单管理标签中搜索orderIds不会返回这些orderIds的结果。

最具逻辑意义的根本原因是欺诈活动。查看this answer,了解欺诈流程的外观如何

返回关于如何使用旧订单ID本地验证收据的问题 - 以与具有新订单ID的方式完全相同的方式验证(正如您已经做的那样),并考虑具有不正确长度的签名作为一个有效的。

相关问题
最新问题