签名生成
更新时间:2025.01.06商户可以按照下述步骤生成请求的签名。在本节的最后,我们准备了多种常用编程语言的演示代码供开发者参考。
微信支付API V3 要求商户对请求进行签名。微信支付会在收到请求后进行签名的验证。如果签名验证不通过,微信支付API V3将会拒绝处理请求,并返回401 Unauthorized。
1. 准备
商户需要拥有一个微信支付商户号,并通过超级管理员账号登录商户平台,获取商户API证书。 商户API证书的压缩包中包含了签名必需的私钥和商户证书。
2. 构造签名串
我们希望商户的技术开发人员按照当前文档约定的规则构造签名串。微信支付会使用同样的方式构造签名串。如果商户构造签名串的方式错误,将导致签名验证不通过。下面先说明签名串的具体格式。
签名串一共有五行,每一行为一个参数。行尾以 \n(换行符,ASCII编码值为0x0A)结束,包括最后一行。如果参数本身以\n结束,也需要附加一个\n。
1HTTP请求方法\n 2URL\n 3请求时间戳\n 4请求随机串\n 5请求报文主体\n
我们通过在命令行中调用"获取微信支付平台证书"接口,一步一步向开发者介绍如何进行请求签名。按照接口文档,获取商户平台证书的URL为 https://apihk.mch.weixin.qq.com/v3/global/certificates请求方法为GET,没有查询参数。
第一步,获取HTTP请求的方法(GET,POST,PUT)等
1GET第二步,获取请求的绝对URL,并去除域名部分得到参与签名的URL。如果请求中有查询参数,URL末尾应附加有'?'和对应的查询字符串。
1/v3/global/certificates第三步,获取发起请求时的系统当前时间戳,即格林威治时间1970年01月01日00时00分00秒(北京时间1970年01月01日08时00分00秒)起至现在的总秒数,作为请求时间戳。微信支付会拒绝处理很久之前发起的请求,请商户保持自身系统的时间准确。
1 $ date +%s 2 1554208460
第四步,生成一个请求随机串,可参见生成随机数算法。这里,我们使用命令行直接生成一个。
1$ hexdump -n 16 -e '4/4 "%08X" 1 "\n"' /dev/random 2 593BEC0C930BF1AFEB40B4A08C8FB242
第五步,获取请求中的请求报文主体(request body)。
请求方法为GET时,报文主体为空。
当请求方法为POST或PUT时,请使用真实发送的JSON报文。
图片上传API,请使用meta对应的JSON报文。
对于下载证书的接口来说,请求报文主体是一个空串。
第六步,按照前述规则,构造的请求签名串为:
1GET\n 2 /v3/global/certificates\n 3 1554208460\n 4 593BEC0C930BF1AFEB40B4A08C8FB242\n 5 \n
3. 计算签名值
绝大多数编程语言提供的签名函数支持对签名数据进行签名。强烈建议商户调用该类函数,使用商户私钥对待签名串进行SHA256 with RSA签名,并对签名结果进行Base64编码得到签名值。
1$ echo -n -e \ 2 "GET\n/v3/global/certificates\n1554208460\n593BEC0C930BF1AFEB40B4A08C8FB242\n\n" \ 3 | openssl dgst -sha256 -sign apiclient_key.pem \ 4 | openssl base64 -A 5 uOVRnA4qG/MNnYzdQxJanN+zU+lTgIcnU9BxGw5dKjK+VdEUz2FeIoC+D5sB/LN+nGzX3hfZg6r5wT1pl2ZobmIc6p0ldN7J6yDgUzbX8Uk3sD4a4eZVPTBvqNDoUqcYMlZ9uuDdCvNv4TM3c1WzsXUrExwVkI1XO5jCNbgDJ25nkT/c1gIFvqoogl7MdSFGc4W4xZsqCItnqbypR3RuGIlR9h9vlRsy7zJR9PBI83X8alLDIfR1ukt1P7tMnmogZ0cuDY8cZsd8ZlCgLadmvej58SLsIkVxFJ8XyUgx9FmutKSYTmYtWBZ0+tNvfGmbXU7cob8H/4nLBiCwIUFluw==
4. 设置HTTP头
微信支付商户API V3要求请求通过HTTP Authorization头来传递签名。 Authorization由认证类型和签名信息两个部分组成。
下面我们使用命令行演示如何生成签名。
1Authorization: 认证类型 签名信息具体组成为:
1.认证类型,目前为WECHATPAY2-SHA256-RSA2048
2.签名信息
发起请求的商户(包括直连商户、服务商或渠道商)的商户号
mchid
商户API证书序列号
serial_no,用于声明所使用的证书
请求随机串
nonce_str
时间戳
timestamp
签名值
signature
|
Authorization 头的示例如下:(注意,示例因为排版可能存在换行,实际数据应在一行)
1Authorization: WECHATPAY2-SHA256-RSA2048 mchid="1900009191",nonce_str="593BEC0C930BF1AFEB40B4A08C8FB242",signature="uOVRnA4qG/MNnYzdQxJanN+zU+lTgIcnU9BxGw5dKjK+VdEUz2FeIoC+D5sB/LN+nGzX3hfZg6r5wT1pl2ZobmIc6p0ldN7J6yDgUzbX8Uk3sD4a4eZVPTBvqNDoUqcYMlZ9uuDdCvNv4TM3c1WzsXUrExwVkI1XO5jCNbgDJ25nkT/c1gIFvqoogl7MdSFGc4W4xZsqCItnqbypR3RuGIlR9h9vlRsy7zJR9PBI83X8alLDIfR1ukt1P7tMnmogZ0cuDY8cZsd8ZlCgLadmvej58SLsIkVxFJ8XyUgx9FmutKSYTmYtWBZ0+tNvfGmbXU7cob8H/4nLBiCwIUFluw==",timestamp="1554208460",serial_no="1DDE55AD98ED71D6EDD4A4A16996DE7B47773A8C"最终我们可以组一个包含了签名的HTTP请求了。
1$ curl https://apihk.mch.weixin.qq.com/v3/global/certificates -H 'Authorization: WECHATPAY2-SHA256-RSA2048 mchid="1900009191",nonce_str="593BEC0C930BF1AFEB40B4A08C8FB242",signature="uOVRnA4qG/MNnYzdQxJanN+zU+lTgIcnU9BxGw5dKjK+VdEUz2FeIoC+D5sB/LN+nGzX3hfZg6r5wT1pl2ZobmIc6p0ldN7J6yDgUzbX8Uk3sD4a4eZVPTBvqNDoUqcYMlZ9uuDdCvNv4TM3c1WzsXUrExwVkI1XO5jCNbgDJ25nkT/c1gIFvqoogl7MdSFGc4W4xZsqCItnqbypR3RuGIlR9h9vlRsy7zJR9PBI83X8alLDIfR1ukt1P7tMnmogZ0cuDY8cZsd8ZlCgLadmvej58SLsIkVxFJ8XyUgx9FmutKSYTmYtWBZ0+tNvfGmbXU7cob8H/4nLBiCwIUFluw==",timestamp="1554208460",serial_no="1DDE55AD98ED71D6EDD4A4A16996DE7B47773A8C"'5. 演示代码
开发者可以查看开发工具 相关章节,获取对应语言的库。如何在程序中加载私钥,请参考常见问题 。
计算签名的示例代码如下。
JAVA
1import okhttp3.HttpUrl; 2package com.wechat.v3; 3 4import org.apache.http.client.methods.HttpGet; 5import org.apache.http.client.methods.HttpRequestBase; 6import org.junit.Test; 7 8import java.io.IOException; 9import java.net.URI; 10import java.nio.charset.StandardCharsets; 11import java.security.*; 12import java.util.Base64; 13 14public class SignTest { 15protected static final String SYMBOLS = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"; 16protected static final SecureRandom RANDOM = new SecureRandom(); 17protected static final PrivateKey privateKey = null; //need to be initialized 18protected static final String certificateSerialNumber = null; //need to be initialized 19protected static final String merchantId = null; //need to be initialized 20 21@Test 22public void signTest() throws IOException { 23HttpGet httpGet = new HttpGet("https://apihk.mch.weixin.qq.com/v3/global/certificates"); 24httpGet.addHeader("Accept", "application/json"); 25httpGet.addHeader("Content-type", "application/json; charset=utf-8"); 26System.out.println(getToken(httpGet,"")); 27} 28 29public String getToken(HttpRequestBase request, String body) throws IOException { 30String nonceStr = generateNonceStr(); 31long timestamp = generateTimestamp(); 32 33String message = buildMessage(nonceStr, timestamp, request, body); 34// log.debug("authorization message=[{}]", message); 35String signature = sign(message.getBytes(StandardCharsets.UTF_8)); 36 37String token = "mchid=\"" + merchantId + "\"," 38+ "nonce_str=\"" + nonceStr + "\"," 39+ "timestamp=\"" + timestamp + "\"," 40+ "serial_no=\"" + certificateSerialNumber + "\"," 41+ "signature=\"" + signature + "\""; 42// log.debug("authorization token=[{}]", token); 43 44return token; 45} 46 47public String sign(byte[] message) { 48try { 49Signature sign = Signature.getInstance("SHA256withRSA"); 50sign.initSign(privateKey); 51sign.update(message); 52return Base64.getEncoder().encodeToString(sign.sign()); 53} catch (NoSuchAlgorithmException e) { 54throw new RuntimeException("当前Java环境不支持SHA256withRSA", e); 55} catch (SignatureException e) { 56throw new RuntimeException("签名计算失败", e); 57} catch (InvalidKeyException e) { 58throw new RuntimeException("无效的私钥", e); 59} 60} 61 62protected String buildMessage(String nonce, long timestamp, HttpRequestBase request, String body) throws IOException { 63URI uri = request.getURI(); 64String canonicalUrl = uri.getRawPath(); 65if (uri.getQuery() != null) { 66canonicalUrl += "?" + uri.getRawQuery(); 67} 68 69return request.getRequestLine().getMethod() + "\n" 70+ canonicalUrl + "\n" 71+ timestamp + "\n" 72+ nonce + "\n" 73+ body + "\n"; 74} 75 76protected long generateTimestamp() { 77return System.currentTimeMillis() / 1000; 78} 79 80protected String generateNonceStr() { 81char[] nonceChars = new char[32]; 82for (int index = 0; index < nonceChars.length; ++index) { 83nonceChars[index] = SYMBOLS.charAt(RANDOM.nextInt(SYMBOLS.length())); 84} 85return new String(nonceChars); 86} 87}
PHP
1<? php 2require_once('vendor/autoload.php'); 3 4use WeChatPay\ Crypto\ Rsa; 5 6class SignTest { 7 public static 8 function timestamp(): int { 9 return time(); 10 } 11 12 public static 13 function nonce(int $size = 32): string { 14 if ($size < 1) { 15 throw new InvalidArgumentException('Size must be a positive integer.'); 16 } 17 18 return implode('', array_map(static 19 function(string $c): string { 20 return '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz' [ord($c) % 62]; 21 }, str_split(random_bytes($size)))); 22 } 23 24 public static 25 function request(string $method, string $uri, string $timestamp, string $nonce, string $body = ''): string { 26 return static::joinedByLineFeed($method, $uri, $timestamp, $nonce, $body); 27 } 28 29 public static 30 function joinedByLineFeed(...$pieces): string { 31 return implode("\n", array_merge($pieces, [''])); 32 } 33 34 public static 35 function sign(string $message, $privateKey): string { 36 if (!openssl_sign($message, $signature, $privateKey, OPENSSL_ALGO_SHA256)) { 37 throw new UnexpectedValueException('Signing the input $message failed, please checking your $privateKey whether or nor correct.'); 38 } 39 40 return base64_encode($signature); 41 } 42 43 public static 44 function authorization(string $mchid, $privateKey, string $serial, string $method, string $uri, string $body = ''): string { 45 $nonce = static::nonce(); 46 $timestamp = static::timestamp(); 47 $signature = static::sign(static::request($method, $uri, $timestamp, $nonce, $body), $privateKey); 48 return sprintf( 49 'WECHATPAY2-SHA256-RSA2048 mchid="%s",serial_no="%s",timestamp="%s",nonce_str="%s",signature="%s"', 50 $mchid, $serial, $timestamp, $nonce, $signature 51 ); 52 } 53} 54 55$merchantPrivateKeyFilePath = '/path/to/your/private/key/file'; 56$merchantId = '10010000'; 57$method = 'GET'; 58$uri = 'v3/global/certificates'; 59$merchantCertificateSerial = '329E9A85CDAAFAD289AA69AE71369CBF8A1290A2'; 60$merchantPrivateKeyFileContent = file_get_contents($merchantPrivateKeyFilePath); 61$merchantPrivateKey = Rsa::from($merchantPrivateKeyFileContent, Rsa::KEY_TYPE_PRIVATE); 62 63echo SignTest::authorization('', $merchantPrivateKey, $merchantCertificateSerial, $method, $uri);
GO
1package sign 2 3import ( 4 "crypto" 5 "crypto/rand" 6 "crypto/rsa" 7 "crypto/x509" 8 "encoding/base64" 9 "encoding/pem" 10 "fmt" 11 "github.com/wechatpay-apiv3/wechatpay-go/utils" 12 "log" 13 "testing" 14 "time" 15) 16 17const ( 18 NonceSymbols = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ" 19 NonceLength = 32 20 SignatureMessageFormat = "%s\n%s\n%d\n%s\n%s\n" 21 HeaderAuthorizationFormat = "%s mchid=\"%s\",nonce_str=\"%s\",timestamp=\"%d\",serial_no=\"%s\",signature=\"%s\"" 22) 23 24var ( 25 signTestMchid = "" // merchant id 26 signTestCertSerialNumber = "" // merchant certificate serial number 27 signTestPrivateKey *rsa.PrivateKey 28) 29 30func GenerateNonce() (string, error) { 31 bytes := make([]byte, NonceLength) 32 _, err := rand.Read(bytes) 33 if err != nil { 34 return "", err 35 } 36 symbolsByteLength := byte(len(NonceSymbols)) 37 for i, b := range bytes { 38 bytes[i] = NonceSymbols[b%symbolsByteLength] 39 } 40 return string(bytes), nil 41} 42 43// LoadPrivateKey 通过私钥的文本内容加载私钥 44func LoadPrivateKey(privateKeyStr string) (privateKey *rsa.PrivateKey, err error) { 45 block, _ := pem.Decode([]byte(privateKeyStr)) 46 if block == nil { 47 return nil, fmt.Errorf("decode private key err") 48 } 49 if block.Type != "PRIVATE KEY" { 50 return nil, fmt.Errorf("the kind of PEM should be PRVATE KEY") 51 } 52 key, err := x509.ParsePKCS8PrivateKey(block.Bytes) 53 if err != nil { 54 return nil, fmt.Errorf("parse private key err:%s", err.Error()) 55 } 56 privateKey, ok := key.(*rsa.PrivateKey) 57 if !ok { 58 return nil, fmt.Errorf("%s is not rsa private key", privateKeyStr) 59 } 60 return privateKey, nil 61} 62 63func SignSHA256WithRSA(source string, privateKey *rsa.PrivateKey) (signature string, err error) { 64 if privateKey == nil { 65 return "", fmt.Errorf("private key should not be nil") 66 } 67 h := crypto.Hash.New(crypto.SHA256) 68 _, err = h.Write([]byte(source)) 69 if err != nil { 70 return "", nil 71 } 72 hashed := h.Sum(nil) 73 signatureByte, err := rsa.SignPKCS1v15(rand.Reader, privateKey, crypto.SHA256, hashed) 74 if err != nil { 75 return "", err 76 } 77 return base64.StdEncoding.EncodeToString(signatureByte), nil 78} 79 80func getAuthorizationType() string { 81 return "WECHATPAY2-SHA256-RSA2048" 82} 83 84func GenerateAuthorizationHeader(mchid, certificateSerialNo, method, canonicalURL, body string, privateKey *rsa.PrivateKey) (string, error) { 85 nonce, err := GenerateNonce() 86 if err != nil { 87 return "", err 88 } 89 timestamp := time.Now().Unix() 90 message := fmt.Sprintf(SignatureMessageFormat, method, canonicalURL, timestamp, nonce, body) 91 signatureResult, err := SignSHA256WithRSA(message, privateKey) 92 if err != nil { 93 return "", err 94 } 95 authorization := fmt.Sprintf( 96 HeaderAuthorizationFormat, getAuthorizationType(), 97 mchid, nonce, timestamp, certificateSerialNo, signatureResult, 98 ) 99 return authorization, nil 100} 101 102func TestGenerateAuthorizationHeader(t *testing.T) { 103 // 使用 utils 提供的函数从本地文件中加载商户私钥,商户私钥会用来生成请求的签名 104 signTestPrivateKey, err = utils.LoadPrivateKeyWithPath("/Path/to/your/private_key.pem") 105 if err != nil { 106 log.Fatal("load merchant private key error") 107 } 108 authHeader, err := GenerateAuthorizationHeader(signTestMchid, signTestCertSerialNumber, "GET", "/v3/global/certificates", "", signTestPrivateKey) 109 if err != nil { 110 log.Fatal(err) 111 } 112 log.Printf("The authorization header is: %s", authHeader) 113}
|
