我想验证 Google 收据验证,但由于我没有客户端密钥,我无法使用 Google API: https://developers.google.com/android-publisher/archive/v1_1/inapppurchases/get https://developers.google.com/android-publisher/archive/v1_1/inapppurchases/get
所以我通过使用进行本地验证public key
, signedData
and signature
.
自从我有了新的以来一切都很好orderId
格式:
GPA.XXXX-XXXX-XXXX-XXXXX
但是此代码不适用于旧模式orderId
看起来像:
4582257046313445026.7467948335710411
我得到异常:
签名异常 java.security.SignatureException:签名长度不正确:得到 294 但期望 256
所以我成功生成了PublicKey
bu 失败verify
:
sig.verify(Base64.decode(signature, Base64.DEFAULT) // <- java.security.SignatureException
我知道RSA
签名应该是 256,在我的例子中我得到了 294
Ref: Google Play 订单 ID 已更新为新格式 https://stackoverflow.com/questions/31602234/google-play-order-id-updated-to-new-format
代码示例
String base64PublicKey = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3dkBTr2pD2YSqSK2ewlEWwH9Llu0iA4PkwgVOyNRxOsHfrOlqi0Cm51qdNS0aqh/SMZkuQTAroqH3pAr9gVFOiejKRw+ymTaL5wB9+5n1mAbdeO2tv2FDsbawDvp7u6fIBejYt7Dtmih+kcu707fEO58HZWqgzx9qSHmrkMZr6yvHCtAhdBLwSBBjyhPHy7RAwKA+PE+HYVV2UNb5urqIZ9eI1dAv3RHX/xxHVHRJcjnTyMAqBmfFM+o31tp8/1CxGIazVN6HpVk8Qi2uqSS5HdKUu6VnIK8VuAHQbXQn4bG6GXx5Tp0SX1fKrejo7hupNUCgOlqsYHFYxsRkEOi0QIDAQAB";
String signedData = "{\"orderId\":\"GPA.3353-8027-5082-45637\",\"packageName\":\"com.mycompany.testapp\",\"productId\":\"weekly\",\"purchaseTime\":1503578932746,\"purchaseState\":0,\"developerPayload\":\"1502364785372-5918650324956818356\",\"purchaseToken\":\"bfljoelddlibhbibhnbnflej.AO-J1Oz8pvdqCmzz04OBmegRVKEG1stj4su5HH4uc-gzsz_vlhcz7iB_NUZVBNXp3RlTGyIGnsIgOe6bqvqfUIbPC9_CrCngL0EkZp-SBwaRzfn-EgJ32yQ\",\"autoRenewing\":true}";
String signature = "TyVJfHg8OAoW7W4wuJtS4dM//zmyECiNzWa8wuVrXyDOCPirHqxjpNthq23lmAZlxbTXyMNwedMQPr9R8NJtp3VTzGuNlLYBSOERVehmgstXiiwWDBvTNzgWbwimZmFaIiCExMQiPvbXHoWQh2rClFeAd4FfdC15pNf3NqfOGhUAEmieeb572umOo4YoF0l0421pY/JWYXa+2dtO6pcnSHF6gidRDXR66s/enRZUvkB4x9CEHdA862LDKbwOG4Aihh03IRLjD+m/5WNW+w05Q8bNNA6sCzFGVD+qa3IDiSqkiISCpd3UnufePxf3+O2doWjg2mXC5agEDMnNXvhfrw==";
boolean result = DefaultSignatureValidator.validate(base64PublicKey, signedData, signature);
默认签名Validator.class:
public class DefaultSignatureValidator {
protected static final String KEY_FACTORY_ALGORITHM = "RSA";
protected static final String SIGNATURE_ALGORITHM = "SHA1withRSA";
/**
* Generates a PublicKey instance from a string containing the
* Base64-encoded public key.
*
* @param encodedPublicKey
* Base64-encoded public key
* @throws IllegalArgumentException
* if encodedPublicKey is invalid
*/
protected static PublicKey generatePublicKey(String encodedPublicKey) {
try {
byte[] decodedKey = Base64.decode(encodedPublicKey, Base64.DEFAULT);
KeyFactory keyFactory = KeyFactory.getInstance(KEY_FACTORY_ALGORITHM);
return keyFactory.generatePublic(new X509EncodedKeySpec(decodedKey));
} catch (NoSuchAlgorithmException e) {
throw new RuntimeException(e);
} catch (InvalidKeySpecException e) {
System.out.println("Invalid key specification.");
throw new IllegalArgumentException(e);
} catch (Exception e) {
System.out.println("Base64 decoding failed.");
throw new IllegalArgumentException(e);
}
}
protected static boolean validate(PublicKey publicKey, String signedData, String signature) {
Signature sig;
try {
sig = Signature.getInstance(SIGNATURE_ALGORITHM);
sig.initVerify(publicKey);
sig.update(signedData.getBytes());
if (!sig.verify(Base64.decode(signature, Base64.DEFAULT))) {
System.out.println("Signature verification failed.");
return false;
}
return true;
} catch (NoSuchAlgorithmException e) {
System.out.println("NoSuchAlgorithmException" + e);
} catch (InvalidKeyException e) {
System.out.println("Invalid key specification" + e);
} catch (SignatureException e) {
System.out.println("Signature exception" + e);
} catch (Exception e) {
System.out.println("Base64 decoding failed" + e);
}
return false;
}
public static boolean validate(String base64PublicKey, String signedData, String signature) {
PublicKey key = DefaultSignatureValidator.generatePublicKey(base64PublicKey);
return DefaultSignatureValidator.validate(key, signedData, signature);
}
}
有什么想法如何验证它吗?
如果你有解决方案,无论用什么语言 Clojure、Skala、Ruby、Java .....