在Google App Engine上使用Python验证Android应用内购买消息中的签名

Question

在Google App Engine上使用Python验证Android应用内购买消息中的签名

Tob*_*lor 14 python google-app-engine android in-app-purchase

android开发者网站上的示例应用程序使用java代码验证购买json.有没有人运气如何验证如何在python中购买.特别是在GAE？

以下是android应用内结算示例程序的相关摘录.这是需要使用PyCrypto转换为python的东西,PyCrypto被Google重写为完全python,是app引擎上唯一可用的安全库.希望谷歌对我很酷,使用下面的摘录.

private static final String KEY_FACTORY_ALGORITHM = "RSA";
private static final String SIGNATURE_ALGORITHM = "SHA1withRSA";
String base64EncodedPublicKey = "your public key here";

PublicKey key = Security.generatePublicKey(base64EncodedPublicKey);
verified = Security.verify(key, signedData, signature);

public static PublicKey generatePublicKey(String encodedPublicKey) {
    try {
        byte[] decodedKey = Base64.decode(encodedPublicKey);
        KeyFactory keyFactory = KeyFactory.getInstance(KEY_FACTORY_ALGORITHM);
        return keyFactory.generatePublic(new X509EncodedKeySpec(decodedKey));
    } catch ...
    }
}
public static boolean verify(PublicKey publicKey, String signedData, String signature) {
    if (Consts.DEBUG) {
        Log.i(TAG, "signature: " + signature);
    }
    Signature sig;
    try {
        sig = Signature.getInstance(SIGNATURE_ALGORITHM);
        sig.initVerify(publicKey);
        sig.update(signedData.getBytes());
        if (!sig.verify(Base64.decode(signature))) {
            Log.e(TAG, "Signature verification failed.");
            return false;
        }
        return true;
    } catch ...
    }
    return false;
}

Run Code Online (Sandbox Code Playgroud)

Answer 1

Ste*_*ard 15

这是我如何做到的:

from Crypto.Hash import SHA
from Crypto.PublicKey import RSA
from Crypto.Signature import PKCS1_v1_5
from base64 import b64decode

def chunks(s, n):
    for start in range(0, len(s), n):
        yield s[start:start+n]

def pem_format(key):
    return '\n'.join([
        '-----BEGIN PUBLIC KEY-----',
        '\n'.join(chunks(key, 64)),
        '-----END PUBLIC KEY-----'
    ])

def validate_purchase(publicKey, signedData, signature):
    key = RSA.importKey(pem_format(publicKey))
    verifier = PKCS1_v1_5.new(key)
    data = SHA.new(signedData)
    sig = b64decode(signature)
    return verifier.verify(data, sig)

Run Code Online (Sandbox Code Playgroud)

publicKey当您从开发者控制台获取时,这假设您的base64编码的Google Play商店密钥在一行上.

对于那些宁愿使用m2crypto的人,validate_purchase()会改为:

from M2Crypto import RSA, BIO, EVP
from base64 import b64decode

# pem_format() as above

def validate_purchase(publicKey, signedData, signature):
    bio = BIO.MemoryBuffer(pem_format(publicKey))
    rsa = RSA.load_pub_key_bio(bio)
    key = EVP.PKey()
    key.assign_rsa(rsa)
    key.verify_init()
    key.verify_update(signedData)
    return key.verify_final(b64decode(signature)) == 1

Run Code Online (Sandbox Code Playgroud)

Answer 2

sha*_*ter 7

我终于发现Google Play的base64编码公钥是X.509 subjectPublicKeyInfo DER SEQUENCE,签名方案是RSASSA-PKCS1-v1_5而不是RSASSA-PSS.如果你安装了PyCrypto,它实际上非常简单:

import base64
from Crypto.Hash import SHA
from Crypto.PublicKey import RSA
from Crypto.Signature import PKCS1_v1_5

# Your base64 encoded public key from Google Play.
_PUBLIC_KEY_BASE64 = "YOUR_BASE64_PUBLIC_KEY_HERE"
# Key from Google Play is a X.509 subjectPublicKeyInfo DER SEQUENCE.
_PUBLIC_KEY = RSA.importKey(base64.standard_b64decode(_PUBLIC_KEY_BASE64))

def verify(signed_data, signature_base64):
    """Returns whether the given data was signed with the private key."""

    h = SHA.new()
    h.update(signed_data)
    # Scheme is RSASSA-PKCS1-v1_5.
    verifier = PKCS1_v1_5.new(_PUBLIC_KEY)
    # The signature is base64 encoded.
    signature = base64.standard_b64decode(signature_base64)
    return verifier.verify(h, signature)

Run Code Online (Sandbox Code Playgroud)

归档时间：	14 年，8 月前
查看次数：	7180 次
最近记录：	9 年前