Designing a signed API interface -- borrowed ideas and improvements
I. Original reference logic
1 Signing (before the rework)
(1) Take all fields actually sent in the request (except the sign parameter), sort them by field name in ascending ASCII order (dictionary order), and join them in URL key-value format (key1=value1&key2=value2…) to form the string string1.
busicd=PURC&charset=utf-8&inscd=10130001&mchntid=100000000000203&orderNum=1481006881300&scanCodeId=130704380939251367&signType=SHA256&terminalid=00000001&txamt=000000000001&txndir=Q&version=2.3.1
(2) Append the signing key K1 agreed by both parties (allocated by the back-end system at onboarding) directly to the end of string1 (with no "&" separator) to obtain the string stringSignTemp1.
busicd=PURC&charset=utf-8&inscd=10130001&mchntid=100000000000203&orderNum=1481006881300&scanCodeId=130704380939251367&signType=SHA256&terminalid=00000001&txamt=000000000001&txndir=Q&version=2.3.1zsdfyreuoyamdphhaweyrjbvzkgfdycs
(3) Compute SHA256 over stringSignTemp1 to obtain the signature sign.
sign=SHA256(stringSignTemp1)=2394af792892ffe5d1b83bb3c7842635167476f6b8f571e7d01443aa9d258725
2 Signature verification (before the rework)
(1) Take all fields in the received message (except the sign parameter), sort them by field name in ascending ASCII order (dictionary order), and join them in URL key-value format (key1=value1&key2=value2…) to form the string string2.
{"bankType":"CFT","busicd":"PURC","channelOrderNum":"4001532001201707130466979768","chcd":"WXP","chcdDiscount":"0.00","consumerAccount":"orS1BuFv3529BkM7m_ou7wKgDuc4","errorDetail":"成功","inscd":"10130001","mchntid":"100000000000203","merDiscount":"0.00","orderNum":"25026839024001998","respcd":"00","sign":"0faaf0f5e1c99f22460b58446833a0a00411e86091f7db306c4ac2ce84597b3c","terminalid":"00000001","transTime":"2017-07-13 10:40:03","txamt":"000000000001","txndir":"A"}
The joined string string2 is:
bankType=CFT&busicd=PURC&channelOrderNum=4001532001201707130466979768&chcd=WXP&chcdDiscount=0.00&consumerAccount=orS1BuFv3529BkM7m_ou7wKgDuc4&errorDetail=成功&inscd=10130001&mchntid=100000000000203&merDiscount=0.00&orderNum=25026839024001998&respcd=00&terminalid=00000001&transTime=2017-07-13 10:40:03&txamt=000000000001&txndir=A
(2) Append the signing key K1 agreed by both parties (allocated by the back-end system at onboarding) directly to the end of string2 (with no "&" separator) to obtain the string stringSignTemp2.
bankType=CFT&busicd=PURC&channelOrderNum=4001532001201707130466979768&chcd=WXP&chcdDiscount=0.00&consumerAccount=orS1BuFv3529BkM7m_ou7wKgDuc4&errorDetail=成功&inscd=10130001&mchntid=100000000000203&merDiscount=0.00&orderNum=25026839024001998&respcd=00&terminalid=00000001&transTime=2017-07-13 10:40:03&txamt=000000000001&txndir=Azsdfyreuoyamdphhaweyrjbvzkgfdycs
(3) Compute SHA256 over stringSignTemp2 to obtain the signature sign.
sign=SHA256(stringSignTemp2)=0faaf0f5e1c99f22460b58446833a0a00411e86091f7db306c4ac2ce84597b3c
(4) Check the signature: if the computed signature matches the one taken from the message, verification passes.
II. Reworked signing and verification logic
1 Signing (after the rework)
(1) Take all fields actually sent in the request (except the sign parameter), sort them by field name in ascending ASCII order (dictionary order), and join them in URL key-value format (key1=value1&key2=value2…) to form the string string1.
busicd=PURC&charset=utf-8&inscd=10130001&mchntid=100000000000203&orderNum=1481006881300&scanCodeId=130704380939251367&signType=SHA256&terminalid=00000001&txamt=000000000001&txndir=Q&version=2.3.1
(2) Append the signing key K1 agreed by both parties (allocated by the back-end system at onboarding) directly to the end of string1 (with no "&" separator) to obtain the string stringSignTemp1.
busicd=PURC&charset=utf-8&inscd=10130001&mchntid=100000000000203&orderNum=1481006881300&scanCodeId=130704380939251367&signType=SHA256&terminalid=00000001&txamt=000000000001&txndir=Q&version=2.3.1zsdfyreuoyamdphhaweyrjbvzkgfdycs
(3) Compute SHA256 over stringSignTemp1 to obtain the signature sign.
sign=SHA256(stringSignTemp1)=2394af792892ffe5d1b83bb3c7842635167476f6b8f571e7d01443aa9d258725
(4) Concatenate into the string stringResult1 = string1 + "&sign=" + sign
busicd=PURC&charset=utf-8&inscd=10130001&mchntid=100000000000203&orderNum=1481006881300&scanCodeId=130704380939251367&signType=SHA256&terminalid=00000001&txamt=000000000001&txndir=Q&version=2.3.1&sign=2394af792892ffe5d1b83bb3c7842635167476f6b8f571e7d01443aa9d258725
(5) URL-encode stringResult1 and place it in the QueryString of the GET request.
busicd%3dPURC%26charset%3dutf-8%26inscd%3d10130001%26mchntid%3d100000000000203%26orderNum%3d1481006881300%26scanCodeId%3d130704380939251367%26signType%3dSHA256%26terminalid%3d00000001%26txamt%3d000000000001%26txndir%3dQ%26version%3d2.3.1%26sign%3d2394af792892ffe5d1b83bb3c7842635167476f6b8f571e7d01443aa9d258725
2 Signature verification (after the rework)
(1) Take the QueryString of the received GET request.
busicd%3dPURC%26charset%3dutf-8%26inscd%3d10130001%26mchntid%3d100000000000203%26orderNum%3d1481006881300%26scanCodeId%3d130704380939251367%26signType%3dSHA256%26terminalid%3d00000001%26txamt%3d000000000001%26txndir%3dQ%26version%3d2.3.1%26sign%3d2394af792892ffe5d1b83bb3c7842635167476f6b8f571e7d01443aa9d258725
After URLDecode, the string string2 is:
busicd=PURC&charset=utf-8&inscd=10130001&mchntid=100000000000203&orderNum=1481006881300&scanCodeId=130704380939251367&signType=SHA256&terminalid=00000001&txamt=000000000001&txndir=Q&version=2.3.1&sign=2394af792892ffe5d1b83bb3c7842635167476f6b8f571e7d01443aa9d258725
Cut out "sign=2394af792892ffe5d1b83bb3c7842635167476f6b8f571e7d01443aa9d258725" to obtain the signature carried in the message.
Cut out the remaining part as stringSRC: "busicd=PURC&charset=utf-8&inscd=10130001&mchntid=100000000000203&orderNum=1481006881300&scanCodeId=130704380939251367&signType=SHA256&terminalid=00000001&txamt=000000000001&txndir=Q&version=2.3.1"
(2) Append the signing key K1 agreed by both parties (allocated by the back-end system at onboarding) directly to the end of stringSRC (with no "&" separator) to obtain the string stringSignTemp2.
busicd=PURC&charset=utf-8&inscd=10130001&mchntid=100000000000203&orderNum=1481006881300&scanCodeId=130704380939251367&signType=SHA256&terminalid=00000001&txamt=000000000001&txndir=Q&version=2.3.1zsdfyreuoyamdphhaweyrjbvzkgfdycs
(3) Compute SHA256 over stringSignTemp2 to obtain the signature sign.
sign=SHA256(stringSignTemp2)=2394af792892ffe5d1b83bb3c7842635167476f6b8f571e7d01443aa9d258725
(4) Check the signature: if the computed signature matches the one taken from the message, verification passes.
Using the reworked signing scheme avoids the "signature mismatch" problem that customers hit when verifying signatures. During integration, a signature mismatch at verification time is by far the most common issue.
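As an added example (not the page's code), here is the whole scheme in Python, covering both the pre-rework verification (the receiver re-canonicalizes the parsed fields itself) and the reworked flow (sign string1, append &sign=, URL-encode the whole thing; decode, split off the trailing sign, verify over the raw stringSRC). The field values and K1 are the page's samples; the function names are my own. It reproduces the page's construction exactly, a plain SHA-256 over string1 followed by the key rather than an HMAC, and compares digests in constant time.

```python
import hashlib
import hmac
from urllib.parse import quote, unquote

# Constructed from the page's sample request; K1 is the page's sample key.
FIELDS = {
    "busicd": "PURC", "charset": "utf-8", "inscd": "10130001",
    "mchntid": "100000000000203", "orderNum": "1481006881300",
    "scanCodeId": "130704380939251367", "signType": "SHA256",
    "terminalid": "00000001", "txamt": "000000000001",
    "txndir": "Q", "version": "2.3.1",
}
K1 = "zsdfyreuoyamdphhaweyrjbvzkgfdycs"


def canonical_string(fields):
    """string1/string2: drop 'sign', sort field names in ASCII order, join as k=v&k=v."""
    return "&".join(f"{k}={fields[k]}" for k in sorted(fields) if k != "sign")


def sign_string(canonical, key):
    """sign = SHA256(canonical + K1): the key is appended directly, with no '&'."""
    return hashlib.sha256((canonical + key).encode("utf-8")).hexdigest()


def build_query(fields, key):
    """Reworked signing: stringResult1 = string1 + '&sign=' + sign, URL-encoded whole."""
    canonical = canonical_string(fields)
    return quote(canonical + "&sign=" + sign_string(canonical, key), safe="")


def verify_query(encoded_query, key):
    """Reworked verification: decode, split off the trailing sign, recompute over stringSRC."""
    string2 = unquote(encoded_query)
    string_src, sep, received_sign = string2.rpartition("&sign=")
    if not sep:
        return False  # no signature present in the query
    expected = sign_string(string_src, key)
    # Constant-time comparison: the check should not leak how many hex digits matched.
    return hmac.compare_digest(expected.encode(), received_sign.encode())


def verify_fields(fields, key):
    """Pre-rework verification: re-canonicalize the parsed fields (minus sign) and recompute."""
    received_sign = fields.get("sign", "")
    expected = sign_string(canonical_string(fields), key)
    return hmac.compare_digest(expected.encode(), received_sign.encode())
```

The reworked verifier never re-sorts or re-encodes anything: whatever bytes the sender hashed are exactly the bytes it hashes, which is what removes the mismatch caused by the two sides canonicalizing differently.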