I am verifying WeChat Pay callback signatures with wechatpay-java 0.2.12, but occasionally this error occurs: Caused by: com.wechat.pay.java.core.exception.ValidationException: Processing WechatPay notification,signature verification failed,signType[WECHATPAY2-SHA256-RSA2048] serial[659A3E7D0B61A6B2D97E9FEE05C68E4FC13A0B04] message[1729512147
6K9cI3QxLNdZ
Controller code:
    @PostMapping("payCallback")
    public ResponseEntity<Void> payCallback(
            @RequestBody String body,
            @RequestHeader("Wechatpay-Serial") String wechatpaySerial,
            @RequestHeader("Wechatpay-Signature") String wechatpaySignature,
            @RequestHeader("Wechatpay-Timestamp") String wechatpayTimestamp,
            @RequestHeader("Wechatpay-Nonce") String wechatpayNonce
    ) {
        WechatVerificationIBO ibo = new WechatVerificationIBO();
        ibo.setWechatSignature(wechatpaySignature);
        ibo.setWechatTimestamp(wechatpayTimestamp);
        ibo.setWechatpayNonce(wechatpayNonce);
        ibo.setWechatPaySerial(wechatpaySerial);
        ibo.setRequestBody(body);
        return wechatPayService.handlePayCallback(ibo);
    }
Code that calls the API:
    // Initialize the NotificationParser
    NotificationParser parser = new NotificationParser((NotificationConfig) config);
    // Build the RequestParam
    RequestParam requestParam = new RequestParam.Builder()
            .serialNumber(wechatVerificationIBO.getWechatPaySerial())
            .nonce(wechatVerificationIBO.getWechatpayNonce())
            .signature(wechatVerificationIBO.getWechatSignature())
            .timestamp(wechatVerificationIBO.getWechatTimestamp())
            .body(wechatVerificationIBO.getRequestBody())
            .build();
    // Taking the payment notification callback as an example: verify the signature, decrypt, and convert to a Transaction
    Transaction transaction = parser.parse(requestParam, Transaction.class);
    wechatVerificationOBO.setTransaction(transaction);
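To keep merchant systems secure, WeChat Pay generates an incorrect signature in a very small number of responses or notification callbacks, to probe whether the merchant system verifies signatures correctly.
Merchant systems should not give probe traffic any special handling; they should treat it as a normal response or notification callback and verify its signature. When troubleshooting, you can quickly tell whether a request is probe traffic by checking for the WECHATPAY/SIGNTEST/ prefix in the signature value. Every signature value used for probing contains this prefix. When signature verification fails, we recommend that the merchant system take the following measures:
4xx or 5xx status code), and wait for WeChat Pay to resend the notification callback with a correct signature.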
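An added example, not part of the original thread or of wechatpay-java: one way to apply the advice above in the callback handler, verifying every notification through the same path and answering a failed verification with a 4xx status. The class name PayCallbackHandler, the onVerified callback and the choice of 401 are assumptions; the parser calls are the ones used in the question.

```java
import com.wechat.pay.java.core.exception.ValidationException;
import com.wechat.pay.java.core.notification.NotificationParser;
import com.wechat.pay.java.core.notification.RequestParam;
import com.wechat.pay.java.service.payments.model.Transaction;
import java.util.function.Consumer;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;

// Hypothetical helper (name and structure are assumptions, not project code).
public class PayCallbackHandler {
    private static final Logger log = LoggerFactory.getLogger(PayCallbackHandler.class);
    // Prefix that marks probe signatures, as quoted in the reply above.
    private static final String PROBE_PREFIX = "WECHATPAY/SIGNTEST/";

    private final NotificationParser parser;
    private final Consumer<Transaction> onVerified; // business logic, runs only after verification

    public PayCallbackHandler(NotificationParser parser, Consumer<Transaction> onVerified) {
        this.parser = parser;
        this.onVerified = onVerified;
    }

    // body must be the raw request body exactly as received; the header values are passed through unchanged.
    public ResponseEntity<Void> handle(String serial, String signature,
                                       String timestamp, String nonce, String body) {
        RequestParam requestParam = new RequestParam.Builder()
                .serialNumber(serial).nonce(nonce).signature(signature)
                .timestamp(timestamp).body(body).build();
        try {
            // Probe or not, every callback takes the same verify-and-decrypt path.
            Transaction transaction = parser.parse(requestParam, Transaction.class);
            onVerified.accept(transaction);
            return ResponseEntity.ok().build();
        } catch (ValidationException e) {
            // The prefix only labels the log entry for troubleshooting;
            // it never changes whether the callback is accepted.
            boolean probe = signature != null && signature.startsWith(PROBE_PREFIX);
            log.warn("WeChat Pay callback signature verification failed, serial={}, probe={}",
                    serial, probe);
            // Failure status (401 is an assumed choice of 4xx); WeChat Pay resends the notification.
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
        }
    }
}
```

With this shape, an occasional ValidationException whose log entry shows probe=true is the expected outcome of a probe, while failures with probe=false are the ones worth investigating.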