Signature check
Update Time:2024.09.19 | ●Is the signature method of the V2 and V3 interface the same? |
No. |
| ●Why is the WeChat Pay callback missing several HTTP headers? |
The WeChat Pay callback contains the following four HTTP headers in the HTTP header: |
| ●Accept or User-Agent is missing in Http | |
The error is caused by the wrongly set basic rules. 1、Please refer to the following to set up Accept setting:
2.、Refer to the following tips for the setting of User-Agent: HTTP agreement requires the requesting client to use User-Agent in the HTTP header to identify itself in each request. WeChat Pay recommends that the caller choose one of the following two methods:
|
| ●How to Load a Private Key in a Program? |
We recommend using the SDK provided by WeChat Pay. You can also view the sample codes in the following programming languages. JAVA  1/** 2 * 获取私钥。 3 * 4 * @param filename 私钥文件路径 (required) * @return 私钥对象 5 */ 6public static PrivateKey getPrivateKey(String filename) throws IOException { 7 8 String content = new String(Files.readAllBytes(Paths.get(filename)), "utf-8"); 9 try { 10 String privateKey = content.replace("-----BEGIN PRIVATE KEY-----", "") 11 .replace("-----END PRIVATE KEY-----", "") 12 .replaceAll("\\s+", ""); 13 14 KeyFactory kf = KeyFactory.getInstance("RSA"); 15 return kf.generatePrivate( 16 new PKCS8EncodedKeySpec(Base64.getDecoder().decode(privateKey))); 17 } catch (NoSuchAlgorithmException e) { 18 throw new RuntimeException("当前Java环境不支持RSA", e); 19 } catch (InvalidKeySpecException e) { 20 throw new RuntimeException("无效的密钥格式"); 21 } 22} 23 PHP 1/** 2* Read private key from file* 3* @param string $filepath PEM encoded private key file path 4* 5* @return resource|bool Private key resource identifier on success, or FALSE on error 6*/ 7public static function getPrivateKey($filepath) { 8 return openssl_get_privatekey(file_get_contents($filepath)); 9} 10 .NET 1protected string sign(string message) 2{ 3 // 需去除私钥文件中的-----BEGIN/END PRIVATE KEY----- 4 string privateKey = "MIIEvgIBADANBgkqhkiG...30HBe+GD1tntZgf6I1Y0ZpHZ"; 5 byte[] keyData = Convert.FromBase64String(privateKey); 6 using (CngKey cngKey = CngKey.Import(keyData, CngKeyBlobFormat.Pkcs8PrivateBlob)) 7 using (RSACng rsa = new RSACng(cngKey)) 8 { 9 byte[] data = System.Text.Encoding.UTF8.GetBytes(message); 10 return Convert.ToBase64String(rsa.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1)); 11 } 12} 13 GO 1package main 2import ( 3 "crypto/x509" 4 "encoding/pem" "fmt" 5 "log" 6) 7 8func main() { 9 var pemData = []byte(` 10-----BEGIN PRIVATE KEY----- 11MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC1yhh6LNB8nXmOSxdGKWmDh0OxAM/wnGyHKSD9tcEhMQTe+wabce0POXzejCmwFBzZa7ZmxH5LoAeyT7Fpwb7pptbbDx58CxCYhNEdQ2XrFILUCq3daMj++KQlyDp8U0NspFKsO57gSlihAJ49DzcXQb7Vs5daIvtLapIouPyixAE5uDL+afmJ+bXC11xP5sPWw1RfXynW3vbEyfRol9hQyQWfmO15GSZi6TTAhTKaW31yKaQNChy06K+LsE9JAU+ESxihthtGiMbY3fFRyhF9Ka2e0wIOz6UdcfwMjxXWRV4OLD1uFG9IYbUiugmYtDyIYZaFDPYdi/+Rjm10Ps5lAgMBAAECggEAb19kRZ2lEWOM8D9S//opGZrKPuvneVrsJpZtDuLGcqZMfKvALYXLnZMzzEiE1cpMrmuOMUHaukxNytGGOOupIg7D/SszGv3QahCc6Ne83hwP1wa/5DDpS0RblIYqRrbgTPQTbk+Mk48Y43K0f2YN82KlHtnLNT7PRDIDX42Nwc1X8f4JcfyKUE/pOSn+YUlu5Edu6QYbWJWS7mlojEZ/wuWbSymbs6mVVkKeSWGTIh1v4n2F3Gj6ckUDlt4aZWTVcBa2+ZvSE2h5frSH0snpdGV1bW44IqE3NkwfTQ7JI34CVJdhb3goIyoTmiz6NGEZuiyr8gP9IOjqPfeP7GO5YQKBgQDuB1CT8ksO4SqR3skRkdCQW7kOogZgDThei+3HUMOsHr8L42oYkJDmk2res1ow/mz6SoIV4w6mvvUSnACxdtYA1AzUEs3jvltv8cQ1HAuDhLRslWrhSoxrQQh20yrVxxGN0J4DdCAGURSUwypzUHR+mlfcjacPyxKUsT41+8zG+QKBgQDDg8ZGivuV794RuA3cfpitUFG+0nA0ZS3qAZqlA3ufnCudHQixFIsf83Q7sX7pBob5PNONqsbv0OKpC3/xJRSPIwjWTBUPlDLrsGajKMhUPtkWo4zkfrSa8XaUpUVDU0qTzS71f9Aab3SkPH1d1o4cQxO08axGLbmTV/46QCBzQKBgDd7ZQDXPT+epHmT4HJD9sVvW9dZVPsWmckP/MC0xqdcE1QGEjjfmablPcfjLma1J1m//Ep1vniHkkBgNJkpBgDzbHoSWAN5335ccEug2d4yFIwq19rjsY9efUaVOirSV/kiY3KSotRWGeIDC+YNHtpTx58VNZes0gvutH2Iz9ahAoGAUcoWb/xEMv0dURxF8C+lfxtSlxlBhymsg3AYWV+Tn7mdJSS4Nhv592vI/A/Mn37zh+BCP8lpX3lq2HzPEPoKF7b4Q22ggdvlSQT6SMT8mTtfbyPSyRAQdWZQZnyVkTD3TvPDg7CKD1As8KFiFuXPAD2KgI9nVz6XhNBpjZ8rbyECgYEAsOrm1hbNZbvlNhnuUjw5DTgTuJ3B0j1aK/7C2EQWR+mIG2q5TKDC6xNdszV0gK1/TbJk4RNgQo0JLkuZ2Xk2Q8KhaNe+X8SYP9CFKIsXuhGrYI5ICjipov5oJqjESV4wle575eWwdPgF1ICabpIqdnX2MxS9tkk830uXxPrXpRA= 12-----END PRIVATE KEY-----`) 13 14 block, rest := pem.Decode(pemData) 15 if block == nil || block.Type != "PRIVATE KEY" { 16 log.Fatal("failed to decode PEM block containing public key") 17 } 18 19 pri, err := x509.ParsePKCS8PrivateKey(block.Bytes) 20 if err != nil { 21 log.Fatal(err) 22 } 23 24 fmt.Printf("Got a %T, with remaining data: %q", pri, rest) 25} 26
|
| ●Why is 401 Unauthorized Returned in the Request? | |||||||||||||||||||||||||||||||||
Please find the cause of the error and the corresponding solution in the table below according to the message.
|
| ●How to Locate the Error of"Verification Failed Due to Wrong Signature"? | ||||||
In order to help developers locate the error, we will add the verification information to the error detail detail of the response when there is a verification failure. The verification information is a variety of information we request Constructing a signature string based on the merchant's HTTP.
1{ 2"code": "SIGN_ERROR", 3"message": "Verification failed due to wrong signature", 4"detail": { 5 "field": "signature", 6 "issue": "sign not match", 7 "location": "authorization", 8 "sign_information": { 9 "method": "GET", 10 "url": "/payscore/user-service-state?service_id=500001&appid=wxeaf7bf1de621b0c2&openid=oWm9Z5JQwgV7BKAQUeKsUMVSjTpQ", 11 "truncated_sign_message": "GET\n/payscore/user-service-state?service_id=500001&appid=wxeaf7bf1de621b0c2&openid=oWm9Z5JQwgV7BKAQUeKsUMVSjTpQ\n1559194069\n18a427e78d2344e1a71156a2690cc4d6\n\n", 12 "sign_message_length": 157 13 } 14} 15} 16 We recommend that developers export the signature string they have assembled and the byte length of the signature string in the debugging information in the program, and carefully compare the verification information returned by WeChat Pay to check for the following common errors: No line break character added to the last line of the signature string If the body of the request message is empty (such as a GET request), the last line should be a line break character. The parameters in the signature string are inconsistent with the actual requested parameters. The manually spliced URL is inconsistent with the actual request sent. We recommend using the HTTP library to construct the request object or URL object, then use the corresponding method to obtain the URL. Two timestamps generated at different time were used when you sign and set the Authorization header. Two different random strings generated at different time were used when you sign and set the Authorization header. The JSON strings serialized at different time were used as the request subject during signing and request.
Inconsistent text encoding The generated signature string uses non-UTF-8 encoding or no specific encoding is set. Wrong signature string construction sequence The signature string was not constructed in the order required by the document. Wrong merchant private key Developers can use the following openssl command to check whether the private key and the modulus (the product of the two large prime numbers p and q) in the merchant certificate are consistent. If yes, the private key and certificate are paired. 1$ openssl x509 -noout -modulus -in 1900009191_20180326_cert.pem 2Modulus=C6D43C87B991... 3$ openssl rsa -noout -modulus -in 1900009191_20180326_key.pem 4Modulus=C6D43C87B991... 5
|
| ●Why is the Callback of WeChat Pay Missing Several HTTP Headers? |
The callback of WeChat Pay contains the following four HTTP headers in the HTTP header:
Some proxy servers or CDN service providers will "filter" the HTTP headers of WeChat Pay extensions when forwarding, causing the application layer of signature verification to fail to obtain the signature information of WeChat Pay. In that case, merchants should adjust the proxy server configuration or accept WeChat Pay callbacks through direct connection. |
