Create a gist now

Instantly share code, notes, and snippets.

Hand-checking the digital signature of Android in-app purchase against the Google public key
//The modulus of the IAP public key, as Base64.
//The public exponent is 65537, we'll hard-code it.
private static final String GMOD = "APXj+9V6Mrp7DwDVLP2yIDhuMiB30R+NQ9JO14jg42S3TcJFhURQZ2RD21GIbp5S7RLy7YDcxOjH765HM7FWUJgJegvL01lYtzFkXv0XRcnL05m5sgTp58i9fYOJt1QKar2k4FI/a6iv7sjT4qGLOcX3drjDx6WKwZdnu6q5rA94rycHoe+BdELsy1eKBp/iI4KIe/Y3WePYfVgynL4mrJOHutf1tvy6WL04zG61yl3PBlwh6uy1K+RBqEXeiznS0ee4Xq3fe3puq6HgEZKw8PQIihxk8odbg1lneqAk51JZ8vuQi9WEZMdvqWK+p4jT+q7mTYQO18NH1MP5y2/fj8k=";
//d is the value of the IAP result intent's string extra "INAPP_PURCHASE_DATA"
//s is the value of the IAP result intent's string extra "INAPP_DATA_SIGNATURE"
private static boolean PowModThenCheck(String d, String c)
{
try
{
byte []h = MessageDigest.getInstance("SHA1").digest(d.getBytes());
byte [] p = new java.math.BigInteger(1, Util.FromBase64(c)) //Substitute your own FromBase64 function
.modPow(
java.math.BigInteger.valueOf(65537),
new java.math.BigInteger(Util.FromBase64(GMOD))
).toByteArray();
if(p.length != 255 || p[0] != 1)
return false;
int i;
for(i=1;i<219;i++)
if(p[i] != -1)
return false;
final byte []TheOID = new byte[]{0, 0x30, 0x21, 0x30, 9, 6, 5, 0x2B, 0xE, 3, 0x02, 0x1A, 5, 0, 4, 0x14};
for(i=219;i<235;i++)
if(p[i] != TheOID[i-219])
return false;
for(i=235;i<255;i++)
if(p[i] != h[i-235])
return false;
return true;
}
catch(Exception exc)
{
return false;
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment