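Security specification
- Concatenate the message parameters
Sort all parameters except sign by parameter name in ASCII order, then concatenate them in the form "name1=value1&name2=value2".
- bizContent business parameters
Base64-encode the JSON of all business parameters, then include the result in the concatenation as the bizContent value.
- Append the signing secret appSecret (assigned by 易百)
Finally, append the secret agreed between the two parties to the end of the string as "appSecret=xxxxx".
- Signature calculation
The SHA-256 hash of the resulting string is the signature value; assign it to the sign parameter.
- Note
A parameter whose value is null or empty is not included in the signature string.
- Java signing reference code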
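```java
import com.alibaba.fastjson.JSONObject;          // assumed from the calls used: fastjson
import org.apache.commons.codec.binary.Base64;  // assumed: Apache Commons Codec
import java.util.Map;
import java.util.TreeMap;

public class SignDemo {
    public static void main(String[] args) throws Exception {
        // Business parameters; JSONObject(true) keeps insertion order
        JSONObject notifyJson = new JSONObject(true);
        notifyJson.put("orderNo", "4200001172202109274275163730");
        notifyJson.put("transDateTime", "20210928102350");
        notifyJson.put("ebuyCode", "1002108300000059091");
        notifyJson.put("faceValue", "30");
        notifyJson.put("outTradeNo", "89392109280163981");
        // bizContent = Base64 of the business-parameter JSON
        byte[] encodeBase64 = Base64.encodeBase64(notifyJson.toJSONString().getBytes("UTF-8"));
        String bizContent = new String(encodeBase64, "UTF-8");
        // TreeMap sorts the parameter names in ASCII order
        Map<String, String> map = new TreeMap<>();
        map.put("action", "verify");   // action, charset and format appear in the signature string shown below
        map.put("appKey", "274b9cf9f01543619baa726ed24ddd19");
        map.put("charset", "utf-8");
        map.put("format", "json");
        map.put("signType", "sha256");
        map.put("timestamp", "1483372334");
        map.put("bizContent", bizContent);
        StringBuilder buffer = new StringBuilder();
        for (Map.Entry<String, String> item : map.entrySet()) {
            if (item.getValue() == null || item.getValue().isEmpty()) continue; // null/empty values are not signed
            buffer.append(item.getKey()).append("=").append(item.getValue()).append("&");
        }
        String signStr = buffer.toString() + "appSecret=XXXXXXXXXXXX"; // appSecret (must be provided by 易百)
        // SHAUtil is the sample's own helper (not shown on this page); it returns the SHA-256 digest as hex
        String checkSign = SHAUtil.sha256(signStr);
        System.out.println(signStr);
        System.out.println(checkSign);
    }
}
```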
Concatenated signature string: action=verify&appKey=274b9cf9f01543619baa726ed24ddd19&bizContent=eyJvcmRlck5vIjoiNDIwMDAwMTE3MjIwMjEwOTI3NDI3NTE2MzczMCIsInRyYW5zRGF0ZVRpbWUiOiIyMDIxMDkyODEwMjM1MCIsImVidXlDb2RlIjoiMTAwMjEwODMwMDAwMDA1OTA5MSIsImZhY2VWYWx1ZSI6IjMwIiwib3V0VHJhZGVObyI6Ijg5MzkyMTA5MjgwMTYzOTgxIn0=&charset=utf-8&format=json&signType=sha256&timestamp=1483372334&appSecret=XXXXXXXXXXXX
Final signature value: bc151776f32a0eed26fd97696ece7e8102e5c1f8f594fbf8ddc392bd579693f1
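The receiving side of the same scheme, as an added example that is not part of the original page or 易百's code: it rebuilds the signature string from a received request (dropping sign and null/empty values), recomputes the hash, and compares it with the received sign in constant time. The class and method names, the secret and the sample request are constructed; hashing UTF-8 bytes and emitting lowercase hex are assumptions consistent with the sample values above.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.TreeMap;

// Added example (hypothetical class and method names); uses only the JDK.
public class SignVerifier {

    // Drop "sign" and null/empty values, sort by parameter name,
    // join as name=value&..., then append appSecret=<secret>.
    static String buildSignString(Map<String, String> params, String appSecret) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : new TreeMap<>(params).entrySet()) {
            String v = e.getValue();
            if ("sign".equals(e.getKey()) || v == null || v.isEmpty()) continue;
            sb.append(e.getKey()).append('=').append(v).append('&');
        }
        return sb.append("appSecret=").append(appSecret).toString();
    }

    // Lowercase hex SHA-256 over the UTF-8 bytes (encoding is an assumption).
    static String sha256Hex(String s) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder(d.length * 2);
        for (byte b : d) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    // Recompute the signature and compare without leaking timing information.
    static boolean verify(Map<String, String> params, String appSecret) throws Exception {
        String received = params.get("sign");
        if (received == null) return false;
        String expected = sha256Hex(buildSignString(params, appSecret));
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.US_ASCII),
                                     received.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws Exception {
        String secret = "demo-secret"; // constructed, not a real appSecret
        Map<String, String> req = new TreeMap<>();
        req.put("appKey", "274b9cf9f01543619baa726ed24ddd19");
        req.put("signType", "sha256");
        req.put("timestamp", "1483372334");
        req.put("format", ""); // empty value: excluded from the signature string
        req.put("bizContent", "eyJmYWNlVmFsdWUiOiIzMCJ9"); // constructed: Base64 of {"faceValue":"30"}
        req.put("sign", sha256Hex(buildSignString(req, secret)));
        System.out.println("untampered request verifies: " + verify(req, secret));
        req.put("timestamp", "1483372335"); // modified after signing
        System.out.println("tampered request verifies: " + verify(req, secret));
    }
}
```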