签名算法
为了防止API调用过程中被黑客恶意篡改,调用任何一个API都需要携带签名,服务端会根据请求参数,对签名进行验证,签名不合法的请求将会被拒绝。
支持的签名算法有两种:MD5(sign_method=md5),HMAC_MD5(sign_method=hmac),签名大体过程如下:
① 对所有API请求参数(除去sign参数和byte[]类型的参数),根据参数名称的ASCII码表的顺序排序;
② 将排序好的参数名和参数值拼装在一起;
③ 把拼装好的字符串采用utf-8编码,使用签名算法对编码后的字节流进行摘要。如果使用MD5算法,则需要在拼装的字符串前后加上app_secret后,再进行摘要;如果使用HMAC_MD5算法,则需要用app_secret初始化摘要算法后,再进行摘要;
④ 将摘要得到的字节流结果使用十六进制表示
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
/**
* 将javabean对象转换为map
*/
public static <T> Map<String, Object> beanToMap(T bean) {
Map<String, Object> map = Maps.newHashMap();
if (bean != null) {
BeanMap beanMap = BeanMap.create(bean);
for (Object key : beanMap.keySet()) {
Object value = beanMap.get(key);
map.put(key + "", value);
}
}
return map;
}
/**
* 将map转换为javabean对象
*/
public static <T> T mapToBean(Map<String, Object> map, T bean) {
if (map != null) {
BeanMap beanMap = BeanMap.create(bean);
beanMap.putAll(map);
}
return bean;
}
public static String signTopRequest(Map <String, String> params, String secret, String signMethod) throws IOException {
if(StringUtils.isBlank(secret) || params == null || params.isEmpty()){
return null;
}
// 第一步:把字典按Key的字母顺序排序
String[] keys = params.keySet().toArray(new String[0]);
Arrays.sort(keys);
// 第二步:把所有参数名和参数值串在一起
StringBuilder query = new StringBuilder();
if (signMethod == null || "md5".equals(signMethod)) {
query.append(secret);
}
for (String key : keys) {
String value = params.get(key).toString();
if(StringUtils.isNotBlank(key) && StringUtils.isNotBlank(value)){
query.append(key).append(value);
}
}
// 第三步:使用MD5/HMAC加密
byte[] bytes = new byte[0];
if (signMethod == null || "md5".equals(signMethod)) {
query.append(secret);
logger.info("request md5 decryp is ====" + query.toString());
bytes = encryptMD5(query.toString());
} else if ("hmac".equals(signMethod)) {
bytes = encryptHMAC(query.toString(), secret);
}
// 第四步:把二进制转化为大写的十六进制
return byte2hex(bytes);
}
public static byte[] encryptMD5(String data) throws IOException {
byte[] bytes = null;
try {
MessageDigest md = MessageDigest.getInstance("MD5");
bytes = md.digest(data.getBytes("UTF-8"));
} catch (GeneralSecurityException gse) {
throw new IOException(gse);
}
return bytes;
}
public static byte[] encryptHMAC(String data, String secret) throws IOException {
byte[] bytes = null;
try {
SecretKey secretKey = new SecretKeySpec(secret.getBytes("UTF-8"), "HmacMD5");
Mac mac = Mac.getInstance(secretKey.getAlgorithm());
mac.init(secretKey);
bytes = mac.doFinal(data.getBytes("UTF-8"));
} catch (GeneralSecurityException gse) {
throw new IOException(gse);
}
return bytes;
}
public static String byte2hex(byte[] bytes) {
StringBuilder sign = new StringBuilder();
for (int i = 0; i < bytes.length; i++) {
String hex = Integer.toHexString(bytes[i] & 0xFF);
if (hex.length() == 1) {
sign.append("0");
}
sign.append(hex.toUpperCase());
}
return sign.toString();
}