# Signature Verification and Encryption/Decryption of User Data
# Data Signature Verification
In order to ensure the security of user data returned via open interface, Weixin will sign the plaintext data. Developers can perform signature verification on data packets based on business needs to ensure data integrity.
- The signature verification algorithm involves the session_key of the user that is obtained through the login process of wx.login, and maintains the corresponding relationship with the application's own login state by itself.
- When the data is obtained through a call interface (such as wx.getUserInfo), the interface will also return rawData and signature, where signature = sha1 ( rawData + session_key )
- The developer sends the signature and rawData to the developer server for verification. The server uses the session_key corresponding to the user to calculate the signature2 by the same algorithm, and compares the signature with signature2 to verify the integrity of the data.
Such as Data Validation for wx.getUserInfo:
rawData returned by the interface:
{
"nickName": "Band",
"gender": 1,
"language": "zh_CN",
"city": "Guangzhou",
"province": "Guangdong",
"country": "CN",
"avatarUrl": "http://wx.qlogo.cn/mmopen/vi_32/1vZvI39NWFQ9XM4LtQpFrQJ1xlgZxx3w7bQxKARol6503Iuswjjn6nIGBiaycAjAtpujxyzYsrztuuICqIM5ibXQ/0"
}
User's session-key:
HyVFkGl5F5OQWJZZaNzBBg==
So, the string used for signing is:
{"nickName":"Band","gender":1,"language":"zh_CN","city":"Guangzhou","province":"Guangdong","country":"CN","avatarUrl":"http://wx.qlogo.cn/mmopen/vi_32/1vZvI39NWFQ9XM4LtQpFrQJ1xlgZxx3w7bQxKARol6503Iuswjjn6nIGBiaycAjAtpujxyzYsrztuuICqIM5ibXQ/0"}HyVFkGl5F5OQWJZZaNzBBg==
The result of using sha1 is
75e81ceda165f4ffa64f4068af58c64b8f54b88c
# Encrypted Data Decryption Algorithm
If the interface involves sensitive data (such as openId and unionId in wx.getUserInfo), the plaintext content of the interface will not contain these sensitive data. Developers need to symmetrically decrypt the encrypted data returned by the interface if they need to obtain sensitive data. The decryption algorithm is as follows:
- The algorithm used for symmetric decryption is AES-128-CBC, and the data is populated with PKCS#7.
- The symmetric decrypted target ciphertext is Base64_Decode(encryptedData).
- Symmetric decryption key aeskey = Base64_Decode(session_key), aeskey is 16 bytes.
- The initialization vector for the symmetric decryption algorithm is Base64_Decode(iv), where iv is returned by the data interface.
In addition, in order to verify the validity of data, we will add data watermarks to sensitive data.
Watermark Parameter Description:
Parameters | Type | Description |
---|---|---|
watermark | OBJECT | Data watermark |
appid | String | Sensitive data belongs to appid, developers can check whether this parameter is consistent with its own appid |
timestamp | DateInt | Timestamp of sensitive data acquisition, developers can use it for data timeliness validation |
For example, watermark in sensitive data of interface wx.getUserInfo:
{
"openId": "OPENID",
"nickName": "NICKNAME",
"gender": GENDER,
"city": "CITY",
"province": "PROVINCE",
"country": "COUNTRY",
"avatarUrl": "AVATARURL",
"unionId": "UNIONID",
"watermark":
{
"appid":"APPID",
"timestamp":TIMESTAMP
}
}
Note: The encrypted data (encryptData) and the corresponding encryption algorithm provided earlier will be deprecated. Developers should not rely on the old logic.