PHP version Google Advertising admob server callback verification SSV

Old article, just moved here.

Because the business needs to access Google's incentive advertising, it involves the server-side verification (SSV) of Google callback.
Python version is based on the third-party package ecdsa out of the box. PHP version also has an ecdsa library, but it is too complex.
Think of the openssl rsa key signature check that google paid before making Alipay payment. I'd better write a simple and practical one myself.

Address of Google public key:

be careful:

  1. The public key provided by AdMob key server will rotate from time to time. To ensure that SSV callbacks can continue to be verified as expected, do not cache the public key for more than 24 hours.
  2. Google expects your server to return the HTTP 200 OK success status response code for the SSV callback. If your server is unreachable or does not provide the expected response, Google will try to send the SSV callback again, up to 5 times every 1 second.
  3. Use the key in the callback parameter_ ID takes the corresponding public key for signature verification.

To get the public key, you can use curl or file_get_contents function, curl is recommended. Here, we will not write the code to obtain the public key, but directly copy it for use.

The complete code is as follows:

// Google admob public key
$verifier_keys = '{"keys":[{"keyId":3335741209,"pem":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE+nzvoGqvDeB9+SzE6igTl7TyK4JB\nbglwir9oTcQta8NuG26ZpZFxt+F2NDk7asTE6/2Yc8i1ATcGIqtuS5hv0Q==\n-----END PUBLIC KEY-----","base64":"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE+nzvoGqvDeB9+SzE6igTl7TyK4JBbglwir9oTcQta8NuG26ZpZFxt+F2NDk7asTE6/2Yc8i1ATcGIqtuS5hv0Q=="}]}';

// Google callback parameter string, get parameter
$query_string = '';

// json format public key string, array conversion, query according to callback parameter_ Key in string_ ID takes the corresponding public key to verify the signature
$verifier_keys_arr = json_decode($verifier_keys, true);
if(empty($verifier_keys_arr) || !is_array($verifier_keys_arr)){
    throw new Exception("wrong google public keys!");
// Two formats of public key, pem and base64 
$publicKey_pem = $verifier_keys_arr['keys'][0]['pem'];
$publicKey_base64 = $verifier_keys_arr['keys'][0]['base64'];
// Format of base64
$publicKeyString = "-----BEGIN PUBLIC KEY-----\n" . wordwrap($publicKey_base64, 64, "\n", true) . "\n-----END PUBLIC KEY-----";
// pem to public key resource object
$publicKey = openssl_pkey_get_public($publicKeyString);
// Note: publickey_ PEM, publickeystring and publickey can be signed normally

// Parsing callback parameters
parse_str($query_string, $query_arr);
// Signature result string
$signature = trim($query_arr['signature']);
// It is important to replace and complement the signature result string here
$signature = str_replace(['-', '_'], ['+', '/'], $signature);
$signature .= '===';

// Data element string to sign
$message = substr($query_string, 0, strpos($query_string, 'signature')-1);

$return = [
    'code' => 0,
    'message' => 'error'

//Verify the signature. Use $publicKey and $publicKey here_ PEM and $publickeystring are all OK
$success = openssl_verify($message, base64_decode($signature), $publicKey, OPENSSL_ALGO_SHA256);
if ($success === -1) {
    $return['message'] = '111111'.openssl_error_string();
} elseif ($success === 1) {
    $return['code'] = 1;
    $return['message'] = 'success';
} else {
    $return['message'] = '222222'.openssl_error_string();


Execute php script:

$ php -f admob_ssv.php
array(2) {
  'code' =>
  'message' =>
  string(7) "success"

success is successful verification.

Composer package: composer require depakin/admobssv
github address:

Tags: Programming Google PHP JSON curl

Posted on Fri, 22 May 2020 08:28:09 -0700 by leena