Parse.com Cloud Code RSA Verification - Android In App Purchase Verification

Question

I'm trying to verify an RSA signature on Parse.com Cloud Code. Basically I am trying to do the receipt verification for an Android In App Purchase on the server.

Parse.com crypto module does not suppor the verify method. So I found a library online that I imported.

var KJUR = require("cloud/jsrsasign-4.7.0/npm/lib/jsrsasign.js"); 
var verifier = new   KJUR.crypto.Signature({alg: "SHA1withRSA", prov: "cryptojs/jsrsa"}); 
verifier.initVerifyByCertificatePEM(publicKey);
verifier.updateString(purchaseData); 
//verifier.updateHex(hexValue); 
var result = verifier.verify(signature);

I am doing something wrong, but can't really tell what. I might be putting the signature, publicKey and purchaseData in the wrong places.

The purchaseData looks like this: (per Android specs, I altered the data)

var purchaseData = {
    orderID: "12999763169854705758.1300523466622834",
    packageName: "com.blabla.bla",
    productID: e.purchase.SKU,
    purchaseTime: new moment(time).valueOf(),
    purchaseState: 0,
    developerPayload: "74571d75-98b8-4327-942d-5379309c9033",
    purchaseToken: "klsDmifojfknmbojimkkkdkm.AO-J1OyXvZ3RH1aPiPD2MIdOUu00FrCnuTCjl1-K3ZD4Puu0zXDPTOAKH3Dc1hq1DZwiNI-AgXwW18gDV3eU9kXCR1IwhADLvVeOSkyu5kzdUBoVNdA42Zc"
};

I get the following error:

Result: TypeError: Cannot call method 'bitLength' of undefined
at RSAKey._rsasign_verifyWithMessageHash [as verifyWithMessageHash] (jsrsasign-4.7.0/npm/lib/jsrsasign.js:251:3675)
at verify (jsrsasign-4.7.0/npm/lib/jsrsasign.js:230:10483)
at main.js:43:24

If you have any prior experience doing this, I would appreciate your help. Thanks

Answer 1

I'm guessing things have changed a little with updates to jsrasign - my solution looks like this:

cloud/lib/crypto.js:

// jsrasign expects to be running in a browser and expects these to be in the global namespace
var navigator = {},
    window = {};

// Include contents of jsrsasign-latest-all-min.js from https://kjur.github.io/jsrsasign/

// ------------- Snip -------------

// Expose a Validate method
exports.Validate = function(sText, sPublicKey, sSignature) {
    var cVerifier = new KJUR.crypto.Signature({ alg: 'SHA1withRSA' });

    cVerifier.init("-----BEGIN PUBLIC KEY-----\n" + sPublicKey + "-----END PUBLIC KEY-----\n");
    cVerifier.updateString(sText);
    return cVerifier.verify(b64utohex(sSignature));
};

cloud/MakePurchase.js:

var Crypto = require('cloud/lib/crypto'),
    // You should have got this from https://play.google.com/apps/publish
    sPublicKey = 'SomethingSlightlySecretUsing64CharactersWithNoSpacesOrNewLines';

// Assume you have done something to get back a Google receipt object containing:
// json: A stringified JSON object with the purchase details
// signature: A base64 string
// payload: Data you might have set when you made the purchase

if (Crypto.Validate(cReceipt.json, sPublicKey, cReceipt.signature)) {
    // Purchase confirmed
}

Answer 2

Here's how to do it:

var KJUR = require("cloud/jsrsasign.js"); 
var publicKey =
    "-----BEGIN PUBLIC KEY-----\n" +
    // your public key from google play
    "-----END PUBLIC KEY-----\n";

var verifier = new KJUR.crypto.Signature({alg: "SHA1withRSA"}); 
verifier.init(publicKey);
verifier.updateString(signedData); // signedData from IAB response
var result = verifier.verify(KJUR.b64utohex(signature));

Be sure to convert the signature from base64 to hex.