Interface design with signatures -- borrowing and improvement
I. Original reference logic
1. Signing (before modification)
(1) Take all fields actually submitted through the interface (except the sign parameter), sort them by field name in ascending ASCII order (lexicographic), and concatenate them in URL key-value format (i.e. key1=value1&key2=value2...) into the string string1.
busicd=PURC&charset=utf-8&inscd=10130001&mchntid=100000000000203&orderNum=1481006881300&scanCodeId=130704380939251367&signType=SHA256&terminalid=00000001&txamt=000000000001&txndir=Q&version=2.3.1
(2) Append the signature key K1 agreed by both parties (assigned by the backend system at onboarding) directly to the end of string1 (no "&" separator) to obtain the string stringSignTemp1.
busicd=PURC&charset=utf-8&inscd=10130001&mchntid=100000000000203&orderNum=1481006881300&scanCodeId=130704380939251367&signType=SHA256&terminalid=00000001&txamt=000000000001&txndir=Q&version=2.3.1zsdfyreuoyamdphhaweyrjbvzkgfdycs
(3) Compute SHA256 over the string stringSignTemp1 to obtain the signature sign.
sign=SHA256(stringSignTemp1)=2394af792892ffe5d1b83bb3c7842635167476f6b8f571e7d01443aa9d258725
2. Verification (before modification)
(1) Take all fields in the received message (except the sign parameter), sort them by field name in ascending ASCII order (lexicographic), and concatenate them in URL key-value format (i.e. key1=value1&key2=value2...) into the string string2.
{"bankType":"CFT","busicd":"PURC","channelOrderNum":"4001532001201707130466979768","chcd":"WXP","chcdDiscount":"0.00","consumerAccount":"orS1BuFv3529BkM7m_ou7wKgDuc4","errorDetail":"成功","inscd":"10130001","mchntid":"100000000000203","merDiscount":"0.00","orderNum":"25026839024001998","respcd":"00","sign":"0faaf0f5e1c99f22460b58446833a0a00411e86091f7db306c4ac2ce84597b3c","terminalid":"00000001","transTime":"2017-07-13 10:40:03","txamt":"000000000001","txndir":"A"}
The concatenated string string2 is:
bankType=CFT&busicd=PURC&channelOrderNum=4001532001201707130466979768&chcd=WXP&chcdDiscount=0.00&consumerAccount=orS1BuFv3529BkM7m_ou7wKgDuc4&errorDetail=成功&inscd=10130001&mchntid=100000000000203&merDiscount=0.00&orderNum=25026839024001998&respcd=00&terminalid=00000001&transTime=2017-07-13 10:40:03&txamt=000000000001&txndir=A
(2) Append the signature key K1 agreed by both parties (assigned by the backend system at onboarding) directly to the end of string2 (no "&" separator) to obtain the string stringSignTemp2.
bankType=CFT&busicd=PURC&channelOrderNum=4001532001201707130466979768&chcd=WXP&chcdDiscount=0.00&consumerAccount=orS1BuFv3529BkM7m_ou7wKgDuc4&errorDetail=成功&inscd=10130001&mchntid=100000000000203&merDiscount=0.00&orderNum=25026839024001998&respcd=00&terminalid=00000001&transTime=2017-07-13 10:40:03&txamt=000000000001&txndir=Azsdfyreuoyamdphhaweyrjbvzkgfdycs
(3) Compute SHA256 over the string stringSignTemp2 to obtain the signature sign.
sign=SHA256(stringSignTemp2)=0faaf0f5e1c99f22460b58446833a0a00411e86091f7db306c4ac2ce84597b3c
(4) Check the signature: if the computed signature matches the one taken from the message, verification passes.
II. Modified signing and verification logic
1. Signing (after modification)
(1) Take all fields actually submitted through the interface (except the sign parameter), sort them by field name in ascending ASCII order (lexicographic), and concatenate them in URL key-value format (i.e. key1=value1&key2=value2...) into the string string1.
busicd=PURC&charset=utf-8&inscd=10130001&mchntid=100000000000203&orderNum=1481006881300&scanCodeId=130704380939251367&signType=SHA256&terminalid=00000001&txamt=000000000001&txndir=Q&version=2.3.1
(2) Append the signature key K1 agreed by both parties (assigned by the backend system at onboarding) directly to the end of string1 (no "&" separator) to obtain the string stringSignTemp1.
busicd=PURC&charset=utf-8&inscd=10130001&mchntid=100000000000203&orderNum=1481006881300&scanCodeId=130704380939251367&signType=SHA256&terminalid=00000001&txamt=000000000001&txndir=Q&version=2.3.1zsdfyreuoyamdphhaweyrjbvzkgfdycs
(3) Compute SHA256 over the string stringSignTemp1 to obtain the signature sign.
sign=SHA256(stringSignTemp1)=2394af792892ffe5d1b83bb3c7842635167476f6b8f571e7d01443aa9d258725
(4) Concatenate into the string stringResult1 = string1 + "&sign=" + sign;
busicd=PURC&charset=utf-8&inscd=10130001&mchntid=100000000000203&orderNum=1481006881300&scanCodeId=130704380939251367&signType=SHA256&terminalid=00000001&txamt=000000000001&txndir=Q&version=2.3.1&sign=2394af792892ffe5d1b83bb3c7842635167476f6b8f571e7d01443aa9d258725
(5) URL-encode stringResult1 and place it in the QueryString of the GET request.
busicd%3dPURC%26charset%3dutf-8%26inscd%3d10130001%26mchntid%3d100000000000203%26orderNum%3d1481006881300%26scanCodeId%3d130704380939251367%26signType%3dSHA256%26terminalid%3d00000001%26txamt%3d000000000001%26txndir%3dQ%26version%3d2.3.1%26sign%3d2394af792892ffe5d1b83bb3c7842635167476f6b8f571e7d01443aa9d258725
2. Verification (after modification)
(1) Take the QueryString received with the GET request.
busicd%3dPURC%26charset%3dutf-8%26inscd%3d10130001%26mchntid%3d100000000000203%26orderNum%3d1481006881300%26scanCodeId%3d130704380939251367%26signType%3dSHA256%26terminalid%3d00000001%26txamt%3d000000000001%26txndir%3dQ%26version%3d2.3.1%26sign%3d2394af792892ffe5d1b83bb3c7842635167476f6b8f571e7d01443aa9d258725
After URL-decoding, the string string2 is:
busicd=PURC&charset=utf-8&inscd=10130001&mchntid=100000000000203&orderNum=1481006881300&scanCodeId=130704380939251367&signType=SHA256&terminalid=00000001&txamt=000000000001&txndir=Q&version=2.3.1&sign=2394af792892ffe5d1b83bb3c7842635167476f6b8f571e7d01443aa9d258725
截取"sign=2394af792892ffe5d1b83bb3c7842635167476f6b8f571e7d01443aa9d258725"获得报文中的签名
截取stringSRC,"busicd=PURC&charset=utf-8&inscd=10130001&mchntid=100000000000203&orderNum=1481006881300&scanCodeId=130704380939251367&signType=SHA256&terminalid=00000001&txamt=000000000001&txndir=Q&version=2.3.1"
(2)在 stringSRC 最后直接拼接(不需要用“&”连接)双方约定的签名密钥K1(接入时后台系统侧分配),得到 stringSignTemp2 字符串。
busicd=PURC&charset=utf-8&inscd=10130001&mchntid=100000000000203&orderNum=1481006881300&scanCodeId=130704380939251367&signType=SHA256&terminalid=00000001&txamt=000000000001&txndir=Q&version=2.3.1zsdfyreuoyamdphhaweyrjbvzkgfdycs
(3) Compute SHA256 over the string stringSignTemp2 to obtain the signature sign.
sign=SHA256(stringSignTemp2)=2394af792892ffe5d1b83bb3c7842635167476f6b8f571e7d01443aa9d258725
(4) Check the signature: if the computed signature matches the one taken from the message, verification passes.
Adopting the modified signature scheme avoids the "signature mismatch" problem that clients run into when verifying. During integration, a signature mismatch at verification time is also by far the most common issue.
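As an added worked example (not code from the original page), the following Python implements both schemes described above: the shared string1 construction with key-suffixed SHA256, the modified signing that URL-encodes string1 + "&sign=" + sign into the query string, and both verification paths. The key and field values are the page's own samples; the function names are assumptions of this example.

```python
import hashlib
import hmac
from urllib.parse import quote, unquote

# Key value shown on the page; in production K1 is the shared secret issued by the backend at onboarding.
K1 = "zsdfyreuoyamdphhaweyrjbvzkgfdycs"

# Constructed request fields, copied from the page's signing example (deliberately unsorted).
REQUEST_PARAMS = {
    "version": "2.3.1", "busicd": "PURC", "charset": "utf-8", "inscd": "10130001",
    "mchntid": "100000000000203", "orderNum": "1481006881300", "scanCodeId": "130704380939251367",
    "signType": "SHA256", "terminalid": "00000001", "txamt": "000000000001", "txndir": "Q",
}


def build_string1(fields: dict) -> str:
    """Step (1): drop 'sign', sort the remaining names by ASCII code point, join as key=value&..."""
    return "&".join(f"{k}={fields[k]}" for k in sorted(k for k in fields if k != "sign"))


def compute_sign(src: str, key: str) -> str:
    """Steps (2)-(3): append K1 directly (no '&'), then SHA256 as lowercase hex."""
    return hashlib.sha256((src + key).encode("utf-8")).hexdigest()


def sign_request_query(fields: dict, key: str) -> str:
    """Modified signing, steps (4)-(5): stringResult1 = string1 + '&sign=' + sign, then URL-encode it all."""
    string1 = build_string1(fields)
    return quote(string1 + "&sign=" + compute_sign(string1, key), safe="")


def verify_query(encoded: str, key: str) -> bool:
    """Modified verification: decode, split off the trailing '&sign=...', recompute over stringSRC.
    The server checks the exact string the client signed instead of rebuilding it from parsed fields."""
    string_src, sep, received = unquote(encoded).rpartition("&sign=")
    if not sep or len(received) != 64:
        return False
    # constant-time comparison so the check does not leak how many leading hex digits matched
    return hmac.compare_digest(compute_sign(string_src, key).encode(), received.encode())


def verify_legacy(fields: dict, key: str) -> bool:
    """Original verification: re-sort every received field except 'sign' and recompute."""
    expected = compute_sign(build_string1(fields), key)
    return hmac.compare_digest(expected.encode(), str(fields.get("sign", "")).encode())


if __name__ == "__main__":
    query = sign_request_query(REQUEST_PARAMS, K1)
    print(query)
    print("verify (modified):", verify_query(query, K1))
```

Note that SHA256(message + key) is the page's construction as described; HMAC-SHA256 with K1 is the standard keyed-hash alternative if the scheme is ever revised.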