1. In the "get platform certificates" API, the response returned by WeChat Pay looks like this:
    {
        "data": [
            {
                "serial_no": "5157F09EFDC096DE15EBE81A47057A7232F1B8E1",
                "effective_time ": "2018-06-08T10:34:56+08:00",
                "expire_time ": "2018-12-08T10:34:56+08:00",
                "encrypt_certificate": {
                    "algorithm": "AEAD_AES_256_GCM",
                    "nonce": "61f9c719728a",
                    "associated_data": "certificate",
                    "ciphertext": "sRvt… "
                }
            },
            {
                "serial_no": "50062CE505775F070CAB06E697F1BBD1AD4F4D87",
                "effective_time ": "2018-12-07T10:34:56+08:00",
                "expire_time ": "2020-12-07T10:34:56+08:00",
                "encrypt_certificate": {
                    "algorithm": "AEAD_AES_256_GCM",
                    "nonce": "35f9c719727b",
                    "associated_data": "certificate",
                    "ciphertext": "aBvt… "
                }
            }
        ]
    }
What I want to ask is:
(1) Does this response need signature verification? (Do the responses and callbacks of all WeChat Pay APIs need signature verification?)
(2) Is the ciphertext, once decrypted with AES, the certificate content? The docs don't say; they only call it encrypted ciphertext. If there are two certificates, do I need to run the AES decryption twice?
(3) Should the platform certificates downloaded through the API go in the same directory as the original platform certificate? Do they overwrite the original certificate directly, or should both be kept for now and the original deleted after it expires?

1. Signature verification is up to you; verify if you want to. From a security standpoint, any message packet that comes back with a sign is recommended to be verified;
2. What you get after decryption is the key; however many certificates there are, that is how many decryptions you need;
3. Save them by serial_no: the same serial_no overwrites, a different one is added as new;
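The decrypt-and-store steps from the answer above, worked through as an added Go example (not code from this thread or from WeChat Pay's own SDK). It assumes the APIv3 key is the 32-byte AES key for AEAD_AES_256_GCM, that nonce and associated_data are used verbatim from the response, and that the base64 ciphertext carries the GCM tag at its end. The key, the "CERT-A"/"CERT-B" plaintexts and the sealForDemo helper are constructed stand-ins so it runs offline; the sample body uses "effective_time"/"expire_time" without the trailing spaces shown in the post. Signature verification of the HTTP response is not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Shape of the platform-certificate download response shown in the post.
type encryptedCert struct {
	Algorithm      string `json:"algorithm"`
	Nonce          string `json:"nonce"`
	AssociatedData string `json:"associated_data"`
	Ciphertext     string `json:"ciphertext"`
}

type certEntry struct {
	SerialNo      string        `json:"serial_no"`
	EffectiveTime string        `json:"effective_time"`
	ExpireTime    string        `json:"expire_time"`
	EncryptCert   encryptedCert `json:"encrypt_certificate"`
}

type certListResponse struct {
	Data []certEntry `json:"data"`
}

// decryptCertificate reverses AEAD_AES_256_GCM: the APIv3 key is the AES key,
// nonce and associated_data come straight from the response, and the base64
// ciphertext is (ciphertext || 16-byte GCM tag). Open fails if any of the
// key, nonce, associated data or ciphertext were altered.
func decryptCertificate(apiV3Key []byte, ec encryptedCert) ([]byte, error) {
	if ec.Algorithm != "AEAD_AES_256_GCM" {
		return nil, fmt.Errorf("unsupported algorithm %q", ec.Algorithm)
	}
	if len(apiV3Key) != 32 {
		return nil, errors.New("APIv3 key must be 32 bytes")
	}
	block, err := aes.NewCipher(apiV3Key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(ec.Nonce) != gcm.NonceSize() {
		return nil, fmt.Errorf("nonce must be %d bytes, got %d", gcm.NonceSize(), len(ec.Nonce))
	}
	ct, err := base64.StdEncoding.DecodeString(ec.Ciphertext)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, []byte(ec.Nonce), ct, []byte(ec.AssociatedData))
}

// certStore keeps decrypted certificates keyed by serial_no: the same serial
// overwrites, a new serial is added. Put reports whether an entry was replaced.
type certStore map[string][]byte

func (s certStore) Put(serialNo string, certPEM []byte) bool {
	_, existed := s[serialNo]
	s[serialNo] = certPEM
	return existed
}

// loadCertificates parses the body and runs one AES-GCM decryption per entry.
func loadCertificates(apiV3Key []byte, body []byte, store certStore) error {
	var resp certListResponse
	if err := json.Unmarshal(body, &resp); err != nil {
		return err
	}
	for _, e := range resp.Data {
		plain, err := decryptCertificate(apiV3Key, e.EncryptCert)
		if err != nil {
			return fmt.Errorf("serial %s: %w", e.SerialNo, err)
		}
		store.Put(e.SerialNo, plain)
	}
	return nil
}

// sealForDemo plays the WeChat Pay side so the example runs offline (constructed
// stand-in; a real response carries PEM certificates, not these short strings).
func sealForDemo(apiV3Key []byte, nonce, aad string, plaintext []byte) encryptedCert {
	block, _ := aes.NewCipher(apiV3Key)
	gcm, _ := cipher.NewGCM(block)
	ct := gcm.Seal(nil, []byte(nonce), plaintext, []byte(aad))
	return encryptedCert{Algorithm: "AEAD_AES_256_GCM", Nonce: nonce,
		AssociatedData: aad, Ciphertext: base64.StdEncoding.EncodeToString(ct)}
}

// Constructed 32-byte APIv3 key; never hard-code a real one.
var demoKey = []byte("0123456789abcdef0123456789abcdef")

func buildSampleResponse(apiV3Key []byte) []byte {
	resp := certListResponse{Data: []certEntry{
		{SerialNo: "5157F09EFDC096DE15EBE81A47057A7232F1B8E1",
			EncryptCert: sealForDemo(apiV3Key, "61f9c719728a", "certificate", []byte("CERT-A"))},
		{SerialNo: "50062CE505775F070CAB06E697F1BBD1AD4F4D87",
			EncryptCert: sealForDemo(apiV3Key, "35f9c719727b", "certificate", []byte("CERT-B"))},
	}}
	body, _ := json.Marshal(resp)
	return body
}

func main() {
	store := certStore{}
	if err := loadCertificates(demoKey, buildSampleResponse(demoKey), store); err != nil {
		panic(err)
	}
	for serial, pem := range store {
		fmt.Printf("%s -> %q\n", serial, pem)
	}
}
```

Because GCM authenticates the associated data as well as the ciphertext, a wrong APIv3 key, a changed nonce or an associated_data other than "certificate" makes Open return an error rather than garbage, which is the check to rely on when a decryption "succeeds" with unreadable output.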