微信支付: API V3支付回调签名验证


微信支付官方文档对于签名验证的介绍:微信支付-开发者文档 (qq.com)

微信支付会在回调的HTTP头部中包括回调报文的签名。商户必须 验证回调的签名,以确保回调是由微信支付发送。

参数说明

一个支付回调的示例:

Headers:

[{"Key":"Connection","Value":["Keep-Alive"]},{"Key":"Pragma","Value":["no-cache"]},{"Key":"Accept","Value":["*/*"]},{"Key":"Host","Value":["www.datatook.com"]},{"Key":"User-Agent","Value":["Mozilla/4.0"]},{"Key":"Wechatpay-Nonce","Value":["lL0M9v8R3WtTa5iusxEWgjXgjbyQeP3D"]},{"Key":"Wechatpay-Serial","Value":["4B771705B6FFCA007AAE05A3512E4EA923BF757E"]},{"Key":"Wechatpay-Signature","Value":["ImfeCH3vkB/iQ+nl+JSBuzFdx5aZf3V9+CAyqSww/xeavzcTGtqCO+bixh9Lylk0ZZ2/UJOfJd/KWL4BCqw+GMumAHVWMzb34a0kAdHimVuUt36dNz2ZI58mM/1RN75AMYuNcCptXPTgHzdGBl3+bE2VO+dnoK5q/X+lskFDcxb0LGvKVA7V/bVA0edhSBCaUeiEogajXVXDmHcaHk/4/fUmDD2NCJwjVh0CdynC5p6IQN+mkyITwlJQgASgN6+truAGFGnN50FunTVPXGLze/VbFbZg87flawWce+/KpmFqfSvhxyUOQ/axPMvZkSvMxIWCp7Y0kw6MfMXMCCP5Ow=="]},{"Key":"Wechatpay-Timestamp","Value":["1622016489"]}]

Body:

{"id":"ebd1442a-156f-5e1f-8ca4-d43bf679a603","create_time":"2021-05-26T16:08:09+08:00","resource_type":"encrypt-resource","event_type":"TRANSACTION.SUCCESS","summary":"支付成功","resource":{"original_type":"transaction","algorithm":"AEAD_AES_256_GCM","ciphertext":"vocEJn2O7MWb9d21Zk48EiHuZfQMapbAjgHPPsvYisfHkZKs4jF15joWbrKb37HYbDuYVYgPoUta4u3i2c1YrcA9VxGWrO043dUO3Nj2QHURCEnIE9j+3G7iY+3PPYiJTI3M1w5vRw6+BDNn0atcLr5GuOy0ajvxpr7bu3GJa6fjuO23pbWw/rEfALaH3igl1gQeeSm+zkVmNeA5uXFrlmX8gMQkADDs+YVIKC84rBslyJZfhvX9rqpI+zPGtXJPs9lRM4qsbtVsqWMK+nEnB7wfj9qTa3fHh/lBtNXzCB29tlodzBPKQS+Pxa9GCMtf3HeIf8YognqF496eqq3kPlGEcF3BdqVu1VqzdW1e+9qzPu68GfexTkml8GliCdFdaO7eq9BUOoebulOLq/p58ZxORxoeaCKR3NfItmSVyHIPbS3wlulJgUDWFo0Umt4hkSmxRp4s+4P40Pc+w/tfAkQsQUYln7V1c1XR8IpWrQn22YGIOKGqB86Fs8Bw4F8S7QzKVhCbD075AoiRhGciXpFD6XNYiMF0gk7gB6eUooZj3aU1bkJzzmf29xUJktcK6G/IeLipE/KzKVeOJJ9t/bqjJRtbAqfEUnTsf7xgwZ2MjQ9gnFn4XG1TELypAyJnajnXfjBcwmEU/3oMxKDw35w9Oc+5V501JFmN/58iKSWYzFK9e48C6iRgZ5cOuU0ImAyF2rjF0KhofJwy7gDV19SteyJkzH+m+116ZiEa8iki","associated_data":"transaction","nonce":"C8EMTkPpAvH5"}}

在回调签名验证中需要用到几个参数:

serialNo:平台证书(公钥)序列号,验证签名需要用到平台公钥 PublicKey,通过 获取平台证书列表(https://api.mch.weixin.qq.com/v3/certificates) 接口获取,PublicKey 下载下来后保存在自己的服务器中和 serialNo 是一对,通过 serialNo 找到公钥,如果和保存的公钥 serialNo 不匹配,代表微信平台证书已经更新,需要重新下载平台公钥。在 Header 中获得,参数为:Wechatpay-Serial 示例中值为 4B771705B6FFCA007AAE05A3512E4EA923BF757E

timestamp:签名时间戳,在 Header 中获得参数为 Wechatpay-Timestamp  示例中值为 1622016489

nonce:签名随机字符串,在 Header 中获得,参数为 Wechatpay-Nonce 示例中值为 lL0M9v8R3WtTa5iusxEWgjXgjbyQeP3D

signature:签名,在 Header 中获得,参数为 Wechatpay-Signature 示例中值为 ImfeCH3vkB/iQ+nl+JSBuzFdx5aZf3V9+CAyqSww/xeavzcTGtqCO+bixh9Lylk0ZZ2/UJOfJd/KWL4BCqw+GMumAHVWMzb34a0kAdHimVuUt36dNz2ZI58mM/1RN75AMYuNcCptXPTgHzdGBl3+bE2VO+dnoK5q/X+lskFDcxb0LGvKVA7V/bVA0edhSBCaUeiEogajXVXDmHcaHk/4/fUmDD2NCJwjVh0CdynC5p6IQN+mkyITwlJQgASgN6+truAGFGnN50FunTVPXGLze/VbFbZg87flawWce+/KpmFqfSvhxyUOQ/axPMvZkSvMxIWCp7Y0kw6MfMXMCCP5Ow==

body:post请求的主体 content

参数值获取代码

 // 平台证书序列号
string serialNo = Request.Headers.GetValues("Wechatpay-Serial").FirstOrDefault();

// 签名时间戳
string timestamp = Request.Headers.GetValues("Wechatpay-Timestamp").FirstOrDefault();

// 签名随机字符串
string nonce = Request.Headers.GetValues("Wechatpay-Nonce").FirstOrDefault();

// 验签值
string signature = Request.Headers.GetValues("Wechatpay-Signature").FirstOrDefault();

Request.Content.ReadAsStreamAsync().Result.Seek(0, System.IO.SeekOrigin.Begin);
// POST请求主体
string body = Request.Content.ReadAsStringAsync().Result;
GarsonZhang www.yesdotnet.com

签名验证

1. 需要构建待签名字符串 

签名时间戳\n

签名随机串\n

Post报文主体\n

代码:
string message = $"{timestamp}\n{nonce}\n{body}\n";
GarsonZhang www.yesdotnet.com
 

示例中结果是:

1622016489

lL0M9v8R3WtTa5iusxEWgjXgjbyQeP3D

{"id":"ebd1442a-156f-5e1f-8ca4-d43bf679a603","create_time":"2021-05-26T16:08:09+08:00","resource_type":"encrypt-resource","event_type":"TRANSACTION.SUCCESS","summary":"支付成功","resource":{"original_type":"transaction","algorithm":"AEAD_AES_256_GCM","ciphertext":"vocEJn2O7MWb9d21Zk48EiHuZfQMapbAjgHPPsvYisfHkZKs4jF15joWbrKb37HYbDuYVYgPoUta4u3i2c1YrcA9VxGWrO043dUO3Nj2QHURCEnIE9j+3G7iY+3PPYiJTI3M1w5vRw6+BDNn0atcLr5GuOy0ajvxpr7bu3GJa6fjuO23pbWw/rEfALaH3igl1gQeeSm+zkVmNeA5uXFrlmX8gMQkADDs+YVIKC84rBslyJZfhvX9rqpI+zPGtXJPs9lRM4qsbtVsqWMK+nEnB7wfj9qTa3fHh/lBtNXzCB29tlodzBPKQS+Pxa9GCMtf3HeIf8YognqF496eqq3kPlGEcF3BdqVu1VqzdW1e+9qzPu68GfexTkml8GliCdFdaO7eq9BUOoebulOLq/p58ZxORxoeaCKR3NfItmSVyHIPbS3wlulJgUDWFo0Umt4hkSmxRp4s+4P40Pc+w/tfAkQsQUYln7V1c1XR8IpWrQn22YGIOKGqB86Fs8Bw4F8S7QzKVhCbD075AoiRhGciXpFD6XNYiMF0gk7gB6eUooZj3aU1bkJzzmf29xUJktcK6G/IeLipE/KzKVeOJJ9t/bqjJRtbAqfEUnTsf7xgwZ2MjQ9gnFn4XG1TELypAyJnajnXfjBcwmEU/3oMxKDw35w9Oc+5V501JFmN/58iKSWYzFK9e48C6iRgZ5cOuU0ImAyF2rjF0KhofJwy7gDV19SteyJkzH+m+116ZiEa8iki","associated_data":"transaction","nonce":"C8EMTkPpAvH5"}}

2. 校验平台序列号 serialNo 是否一致

对比 Header 中的 平台序列号 ( serialNo ) 和 本地平台公钥serialNo 是否一致

一致直接返回 本地的平台公钥

不一致:调用 获取平台证书列表(https://api.mch.weixin.qq.com/v3/certificates) 接口 获取 新的 平台公钥serialNo , 并 确保 和 Header 中的 serialNo 一致,保存到本地,返回公钥

public class WXCertHelper
{
    List<WXPlatformPublicKey> CacheData { get; set; }

    private WXCertHelper()
    {
        CacheData = new List<WXPlatformPublicKey>();
    }

    static WXCertHelper _intance;

    // 单例模式
    public static WXCertHelper Intance
    {
        get
        {
            if (_intance == null)
            {
                _intance = new WXCertHelper();
                _intance.LoadCacheData();
            }
            return _intance;
        }
    }

    /// <summary>
    /// 从本地加载平台序列号
    /// </summary>
    void LoadCacheData()
    {
        CacheData.Clear();
        // 从数据库加载数据
    }
    /// <summary>
    /// 保存平台公钥到本地
    /// </summary>
    /// <param name="data"></param>
    void SaveCacheData()
    {
        //List<WXPlatformPublicKey> data = this.CacheData;
        // 刷新本地存储
    }

    public string GetPublicKey(string serialNo)
    {
        // 匹配缓存中的公钥
        var obj = CacheData.Find(w => w.serialNo == serialNo);
        if (obj != null)
        {
            return obj.PublicKey;
        }
        // 缓存中没有,重新下载
        else
        {
            this.RefreshDownCert();
            return GetPublicKey(serialNo);
        }
    }

    /// <summary>
    /// 重新从API下载平台公钥
    /// </summary>
    void RefreshDownCert()
    {
        APIHelper apiHelper = new APIHelper();

        CacheData.Clear();
        var result = apiHelper.DownCert();
        foreach (var o in result.data)
        {
            string publicKey = AesGcm.AesGcmDecrypt(o.encrypt_certificate.associated_data, o.encrypt_certificate.nonce, o.encrypt_certificate.ciphertext, ConfigData.Intance.WXPaySetting.wx_aes_key);
            CacheData.Add(new WXPlatformPublicKey()
            {
                serialNo = o.serial_no,
                PublicKey = publicKey
            });
        }
        SaveCacheData();

    }
}

public class WXPlatformPublicKey
{

    /// <summary>
    /// 平台证书序列号
    /// </summary>
    public string serialNo { get; set; }
    /// <summary>
    /// 平台证书公钥
    /// </summary>
    public string PublicKey { get; set; }
}
GarsonZhang www.yesdotnet.com

 

3. 校验签名

/// <summary>
/// 验证签名
/// </summary>
/// <param name="message">签名字符串</param>
/// <param name="publickey">公钥</param>
/// <param name="signStr">签名</param>
/// <returns></returns>
public bool VerifySign(string message, string publickey, string signStr)
{
    try
    {
        var _publicKeyBytes = Encoding.UTF8.GetBytes(publickey);
        var x509 = new X509Certificate2(_publicKeyBytes);
        using (var rsa = (RSACryptoServiceProvider)x509.PublicKey.Key)
        {
            using (var sha256 = new SHA256CryptoServiceProvider())
            {
                var b = rsa.VerifyData(Encoding.UTF8.GetBytes(message), sha256, Convert.FromBase64String(signStr));
                return b;
            }
        }
    }
    catch { return false; }
}
GarsonZhang www.yesdotnet.com

.NET Core 中使用如下方法

var _publicKeyBytes = Encoding.UTF8.GetBytes(publickey);
var x509 = new X509Certificate2(_publicKeyBytes);
using (var rsa = (System.Security.Cryptography.RSACng)x509.PublicKey.Key)
{
    
    rsa.VerifyData(Encoding.UTF8.GetBytes(message), Convert.FromBase64String(signStr), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
}
GarsonZhang www.yesdotnet.com

 

 

 

版权声明:本文为YES开发框架网发布内容,转载请附上原文出处连接
管理员
评论列表

发表评论

评论内容
昵称:
关联文章

支付: API V3支付签名验证
支付: API V3支付签名验证
支付API v3 Postman脚本使用指南
【已解决】.NET 支付API V3中JSAPI支付发起wx.chooseWXPay时,提示 支付验证签名失败
支付支付成功没有通知Notify_URL
Asp.net H5唤起支付支付
支付接口签名校验工具
支付签名计算.net4.5
支付:C#计算签名
支付:JSAPI支付 开发手册
支付宝:当面付支付完成异步
支付API v3 Postman脚本使用指南
支付,当面付,开发手册
支付:商户API私钥
支付官方相关工具下载
支付:header中的mchid与post payload中的mchid不匹配
支付:Http头缺少Accept或User-Agent
/支付宝 在线支付测试工具
支付参数登记
支付:受理机构必须传入sub_mch_id