The sample application on the Android Developers site validates the purchase JSON using Java code. Has anybody had any luck working out how to validate the purchase in Python?
I finally figured out that your base64 encoded public key from Google Play is an X.509 subjectPublicKeyInfo DER SEQUENCE, and that the signature scheme is RSASSA-PKCS1-v1_5 and not RSASSA-PSS. If you have PyCrypto installed, it's actually quite easy:
import base64
from Crypto.Hash import SHA
from Crypto.PublicKey import RSA
from Crypto.Signature import PKCS1_v1_5

# Your base64 encoded public key from Google Play.
_PUBLIC_KEY_BASE64 = "YOUR_BASE64_PUBLIC_KEY_HERE"

# Key from Google Play is a X.509 subjectPublicKeyInfo DER SEQUENCE.
_PUBLIC_KEY = RSA.importKey(base64.standard_b64decode(_PUBLIC_KEY_BASE64))


def verify(signed_data, signature_base64):
    """Returns whether the given data was signed with the private key."""
    h = SHA.new()
    h.update(signed_data)
    # Scheme is RSASSA-PKCS1-v1_5.
    verifier = PKCS1_v1_5.new(_PUBLIC_KEY)
    # The signature is base64 encoded.
    signature = base64.standard_b64decode(signature_base64)
    return verifier.verify(h, signature)
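The same check written against the maintained `cryptography` package, as an added example that is not part of the answer above. The key pair, purchase JSON and signature are generated inline as constructed demo material (not a real Play key or receipt), and the names `load_play_public_key`, `verify_purchase` and `demo` are assumptions of this example.

```python
import base64
import json

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa


def load_play_public_key(public_key_base64):
    """Decode the base64 key from the Play Console; it is an X.509 SubjectPublicKeyInfo DER blob."""
    der = base64.standard_b64decode(public_key_base64)
    return serialization.load_der_public_key(der)


def verify_purchase(public_key_base64, signed_data, signature_base64):
    """Return True only if signature_base64 is a valid RSASSA-PKCS1-v1_5 / SHA-1 signature over signed_data."""
    public_key = load_play_public_key(public_key_base64)
    if isinstance(signed_data, str):
        signed_data = signed_data.encode("utf-8")  # the signature covers the raw JSON bytes
    try:
        public_key.verify(
            base64.standard_b64decode(signature_base64),
            signed_data,
            padding.PKCS1v15(),  # RSASSA-PKCS1-v1_5, not PSS
            hashes.SHA1(),       # Play signs with SHA-1
        )
    except InvalidSignature:
        return False
    return True


# Constructed demo material: a throwaway RSA key standing in for the Play Console key.
_DEMO_PRIVATE = rsa.generate_private_key(public_exponent=65537, key_size=2048)
DEMO_PUBLIC_KEY_BASE64 = base64.standard_b64encode(
    _DEMO_PRIVATE.public_key().public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo
    )
).decode("ascii")
DEMO_PURCHASE_JSON = json.dumps({"orderId": "demo-order-1", "productId": "demo_sku", "purchaseState": 0})
DEMO_SIGNATURE_BASE64 = base64.standard_b64encode(
    _DEMO_PRIVATE.sign(DEMO_PURCHASE_JSON.encode("utf-8"), padding.PKCS1v15(), hashes.SHA1())
).decode("ascii")


def demo():
    """The untouched purchase verifies; the same signature over edited JSON must be rejected."""
    ok = verify_purchase(DEMO_PUBLIC_KEY_BASE64, DEMO_PURCHASE_JSON, DEMO_SIGNATURE_BASE64)
    tampered = DEMO_PURCHASE_JSON.replace("demo_sku", "premium_sku")
    bad = verify_purchase(DEMO_PUBLIC_KEY_BASE64, tampered, DEMO_SIGNATURE_BASE64)
    return ok, bad
```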