After enabling encryption and signing on the Java server side, the call returns successfully, but signature verification is always false while decryption succeeds. Why is that?

```java
import com.google.gson.JsonObject;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.Security;
import java.security.Signature;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.PSSParameterSpec;
import java.util.Base64;

public class RSA_Verify {
    public static boolean checkSignature(JsonObject ctx, JsonObject resp) {
        String signature = null;
        boolean result = false;
        // Developer's local information
        String local_appid = ctx.get("local_appid").getAsString();
        String url_path = ctx.get("url_path").getAsString();
        String local_sym_sn = ctx.get("local_sym_sn").getAsString();
        String local_certificate = ctx.get("local_certificate").getAsString();

        long respTs = resp.get("resp_ts").getAsLong();
        String respAppid = resp.get("resp_appid").getAsString();
        String respSn = resp.get("resp_sn").getAsString();
        String respSig = resp.get("resp_sig").getAsString();
        String respDeprecatedSn = resp.get("resp_deprecated_sn").getAsString();
        String respDeprecatedSig = resp.get("resp_deprecated_sig").getAsString();
        String respData = resp.get("resp_data").getAsString();

        long localTs = System.currentTimeMillis() / 1000;
        // Security checks; adjust to actual business requirements.
        // String contents are compared with equals(); == and != would compare object references.
        if (!respAppid.equals(local_appid) || // appid in the response is wrong
                localTs - respTs > 300) {     // response is more than 5 minutes old
            System.out.println("安全字段校验失败");
            return result;
        }

        if (local_sym_sn.equals(respSn)) {
            signature = respSig;
        } else if (local_sym_sn.equals(respDeprecatedSn)) {
            // Local certificate serial number matches the one about to expire; replace it soon
            System.out.println("平台证书即将过期,请及时更换");
            signature = respDeprecatedSig;
        } else {
            System.out.println("sn不匹配");
            return result;
        }

        String payload = url_path + "\n" + local_appid + "\n" + respTs + "\n" + respData;
        byte[] dataBuffer = payload.getBytes(StandardCharsets.UTF_8);

        // Make sure the BouncyCastle provider is loaded
        Security.addProvider(new BouncyCastleProvider());
        try {
            CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
            ByteArrayInputStream inputStream = new ByteArrayInputStream(local_certificate.getBytes());
            X509Certificate certificate = (X509Certificate) certificateFactory.generateCertificate(inputStream);
            Signature verifier = Signature.getInstance("RSASSA-PSS");
            PSSParameterSpec pssParameterSpec = new PSSParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, 32, 1);
            verifier.setParameter(pssParameterSpec);
            verifier.initVerify(certificate);
            verifier.update(dataBuffer);
            byte[] sig_buffer = Base64.getDecoder().decode(signature);
            result = verifier.verify(sig_buffer);
        } catch (Exception e) {
            e.printStackTrace();
        }
        return result;
    }

    private static JsonObject getCtx() {
        JsonObject ctx = new JsonObject();
        // For demonstration only; do not hard-code sensitive information
        String localCertificate = "-----BEGIN CERTIFICATE-----\n" +
                "MIID9DCCAtygAwIBAgIUaB2siCgYGWdiA2mdSGpWPqwlKDYwDQYJKoZIhvcNAQEL\n" +
                "BQAwbTELMAkGA1UEBhMCQ04xEjAQBgNVBAgMCUd1YW5nRG9uZzERMA8GA1UEBwwI\n" +
                // omitted ....
                "JXBtYJRsH6xQXLW6sCL8mh/QsVKkjHeYgN0qz1e585JP69uCyWzYNVxhNr6U6HQK\n" +
                "vozFTehwlm8=\n" +
                "-----END CERTIFICATE-----";
        ctx.addProperty("local_certificate", localCertificate);
        ctx.addProperty("local_sym_sn", "d7914ee8f4XXXXXXXXXXX");
        ctx.addProperty("local_appid", "wx66f8f5a50d26e3eb");
        ctx.addProperty("url_path", "https://api.weixin.qq.com/wxa/business/getuserphonenumber");
        return ctx;
    }

    private static JsonObject getResp() {
        JsonObject resp = new JsonObject();
        resp.addProperty("resp_appid", "wx66f8f5XXXXXXXX");
        resp.addProperty("resp_ts", 1732794186);
        resp.addProperty("resp_sn", "d7914ee8f41XXXXXXXXXX");
        resp.addProperty("resp_sig", "nOQvsfQbXcJTuaS61jx0lDXXXXXXXX");
        resp.addProperty("resp_deprecated_sn", "");
        resp.addProperty("resp_deprecated_sig", "");
        resp.addProperty("resp_data", "{\"authtag\":\"MyejXXXXXFw==\",\"data\":\"8Wl3F4NVXXXXXiXvz XXXXXX 6rBykFSB8CmZrMN//OfTov0=\",\"iv\":\"3MaXXXXXX+mlE\"}");
        return resp;
    }

    public static void main(String[] args) {
        JsonObject resp = getResp();
        JsonObject ctx = getCtx();
        boolean res = checkSignature(ctx, resp);
        System.out.println(res);
    }
}
```

Output: false

But using the decryption demo example, I can parse the data successfully and get the phone number correctly:
11-29

How did you solve this on your side? I've run into the same problem: decryption works, but signature verification just won't pass.
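An added example, not taken from any post on this page or from the official demo: the payload layout and PSS parameters from the Java code above, reproduced in Node.js with locally generated test keys (an assumption standing in for the platform key and certificate). It shows that verification returns true only when the URL, appid, timestamp, raw response string and key all match what was signed byte for byte; every sample value and helper name is constructed for illustration.

```javascript
const crypto = require('crypto');

// PSS parameters from the Java post: SHA-256 digest, MGF1 with SHA-256, 32-byte salt.
const PSS = { padding: crypto.constants.RSA_PKCS1_PSS_PADDING, saltLength: 32 };

// Payload layout from the Java post: url_path \n appid \n timestamp \n response data.
function buildPayload(f) {
  return Buffer.from(`${f.urlPath}\n${f.appid}\n${f.ts}\n${f.respData}`, 'utf8');
}

// Test-only signer so the example runs offline (hypothetical helper).
function signResponse(privateKey, f) {
  return crypto.sign('sha256', buildPayload(f), { key: privateKey, ...PSS }).toString('base64');
}

function verifyResponse(publicKey, f, sigB64) {
  const sig = Buffer.from(sigB64, 'base64');
  return crypto.verify('sha256', buildPayload(f), { key: publicKey, ...PSS }, sig);
}

// Signs one constructed response, then verifies it against variants of the inputs.
function diagnose() {
  const signer = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 }); // constructed key
  const other = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });  // unrelated key
  const signed = {                                  // all values below are constructed
    urlPath: 'https://api.example.test/demo/path',
    appid: 'wx0000000000000000',
    ts: 1700000000,
    respData: '{"iv":"aXY=", "data":"ZGF0YQ==", "authtag":"dGFn"}', // raw string as received
  };
  const sig = signResponse(signer.privateKey, signed);
  const check = (changes, key = signer.publicKey) =>
    verifyResponse(key, { ...signed, ...changes }, sig);
  return {
    exact: check({}),
    // Parsing and re-serializing the body drops the spaces, so the bytes differ.
    reserializedBody: check({ respData: JSON.stringify(JSON.parse(signed.respData)) }),
    differentUrl: check({ urlPath: signed.urlPath + '/' }),
    differentAppid: check({ appid: 'wx1111111111111111' }),
    differentKey: check({}, other.publicKey),
  };
}

console.log(diagnose());
```

Successful decryption says nothing about these inputs, since the signature covers the URL, appid, timestamp and the response string exactly as received.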
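The intra-city delivery API request works and the response can be decrypted, but signature verification fails?

I'm using the Node.js version and followed the example in the official documentation. The request goes through normally and the response decrypts correctly; only verification of the returned signature fails. The verification method is the verifySign from that document. With the same verification code, if I encrypt with my own private key and verify with the public key, it works, so I suspect there is a problem with the platform certificate I was given. [image]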
11-29

Official API: https://work.weixin.qq.com/api/doc/90000/90135/90240#%E8%BF%9B%E5%85%A5%E5%BA%94%E7%94%A8
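Enterprise API: Enter application. This event is triggered when a member enters an application in WeCom? How can I tell that an application was entered?

Event example:

```xml
<xml>
  <ToUserName><![CDATA[toUser]]></ToUserName>
  <FromUserName><![CDATA[FromUser]]></FromUserName>
  <CreateTime>1408091189</CreateTime>
  <MsgType><![CDATA[event]]></MsgType>
  <Event><![CDATA[enter_agent]]></Event>
  <EventKey><![CDATA[]]></EventKey>
  <AgentID>1</AgentID>
</xml>
```

Parameter description:

| Parameter | Description |
| --- | --- |
| ToUserName | WeCom CorpID |
| FromUserName | Member UserID |
| CreateTime | Message creation time (integer) |
| MsgType | Message type; fixed to event here |
| Event | Event type: enter_agent |
| EventKey | Event KEY value; empty for this event |
| AgentID | ID of the enterprise application, an integer. It can be viewed on the application's settings page |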
2021-09-22