交易HTTP联动通知(RSA_SHA256)验签
说明
此文档描述了当收到以RSA_SHA256验签方式的交易HTTP联动通知数据后,如何对通知数据进行验签,以此判断通知数据是否可信.
您也可以在启动支付服务后,访问http://<支付服务地址端口>/tradesignpage.csp来手工验签并查看验签步骤
您还可以通过使用ForcePaySDK的本地API接口进行验签
验签步骤
| 步骤1 | 首先需要接收交易HTTP联动通知数据.有两种格式一种是标准HTTP表单,一种是JSON,这里以JSON格式为例子,他们看起来像这样: { "MerchantID": "M05CBEFE15", "TradeAmount": "0.01", "TradeBeginTime": "2019-05-22 11:39:35", "TradeCustomParam": "HELLOWORLD", "TradeEndinTime": "2019-05-22 11:40:03", "TradeGuestMobile": "15026628939", "TradeName": "%E4%BA%A7%E5%93%81%E5%90%8D%E7%A7%B01%28x1%29", "TradeNo": "T20190522113934630", "TradeProduct": "P05CBF2B99", "TradePromotion": "%E4%BA%A7%E5%93%811%E6%8A%98%E4%BC%98%E6%83%A0", "TradeQuantity": "1", "TradeSignMode": "RSA_SHA256", "TradeSignature": "u0SkhUCscN6wn88Vn4%2FZ66N73sAFReZQgEuDSM4SKt2ah2XrM1yAFSU9tXF9iPNvfc7OwImRmYXmhbnpgklnQN1S%2Bxm%2B6VPDllzuPBiua5hufF%2BppHBC1%2BA8ZLpkmmAGRzCUnTMWD785lPJ0ImmEQw%2FEUNAzbn%2FZe9cA%2Fj6Yq1HCXE6hdam%2FsUX0EnnVrBgHjt7edZPrL9IIYTSannDeeU%2BR19nwrMLsYIRlKn1pUxm5bowIO90C3uNnTAk0zmrHUU8NOlwE2DYtBASdXGt%2BCxk%2Fw%2BPrm5tsHpbLloWzNHMe0NrCmhpZGdDbl1FKiaAqQTPdo65mCaOHx8t%2BwJDdNw%3D%3D", "TradeStatus": "TRADE_SUCCESS", "TradeTimestamp": "20190522114003646", "TradeToken": "2019052222001454271036271374" } 每个参数都有Name和Value值,比如第一个参数Name是MerchantID,它的Value是M05CBEFE15 |
| 步骤2 | 首先排除TradeSignMode,TradeSignature这2个参数. 对其余其他参数以Name进行字母顺序的排序,用Name=Value的格式组合并用&符号连接起来. 得到待签名内容[SignatureContent]如下: MerchantID=M05CBEFE15&TradeAmount=0.01&TradeBeginTime=2019-05-22 11:39:35&TradeCustomParam=HELLOWORLD&TradeEndinTime=2019-05-22 11:40:03&TradeGuestMobile=15026628939&TradeName=%E4%BA%A7%E5%93%81%E5%90%8D%E7%A7%B01%28x1%29&TradeNo=T20190522113934630&TradeProduct=P05CBF2B99&TradePromotion=%E4%BA%A7%E5%93%811%E6%8A%98%E4%BC%98%E6%83%A0&TradeQuantity=1&TradeStatus=TRADE_SUCCESS&TradeTimestamp=20190522114003646&TradeToken=2019052222001454271036271374 |
| 步骤3 | 计算[SignatureContent]的MD5特征码得到[SignatureContentMD5]: 7F747A23FABED86447094E5DC50ABCAF |
| 步骤4 | 对TradeSignature参数进行URL Decode解码,得到[TradeSignatureBase64]: u0SkhUCscN6wn88Vn4/Z66N73sAFReZQgEuDSM4SKt2ah2XrM1yAFSU9tXF9iPNvfc7OwImRmYXmhbnpgklnQN1S+xm+6VPDllzuPBiua5hufF+ppHBC1+A8ZLpkmmAGRzCUnTMWD785lPJ0ImmEQw/EUNAzbn/Ze9cA/j6Yq1HCXE6hdam/sUX0EnnVrBgHjt7edZPrL9IIYTSannDeeU+R19nwrMLsYIRlKn1pUxm5bowIO90C3uNnTAk0zmrHUU8NOlwE2DYtBASdXGt+Cxk/w+Prm5tsHpbLloWzNHMe0NrCmhpZGdDbl1FKiaAqQTPdo65mCaOHx8t+wJDdNw== |
| 步骤5 | 对[TradeSignatureBase64]进行Base64解码,得到[TradeSignatureBrinary]: 这是长度为:256的二进制RSA_SH256签名数据 BB 44 A4 85 40 AC 70 DE B0 9F CF 15 9F 8F D9 EB A3 7B DE C0 05 45 E6 50 80 4B 83 48 CE 12 2A DD 9A 87 65 EB 33 5C 80 15 25 3D B5 71 7D 88 F3 6F 7D CE CE C0 89 91 99 85 E6 85 B9 E9 82 49 67 40 DD 52 FB 19 BE E9 53 C3 96 5C EE 3C 18 AE 6B 98 6E 7C 5F A9 A4 70 42 D7 E0 3C 64 BA 64 9A 60 06 47 30 94 9D 33 16 0F BF 39 94 F2 74 22 69 84 43 0F C4 50 D0 33 6E 7F D9 7B D7 00 FE 3E 98 AB 51 C2 5C 4E A1 75 A9 BF B1 45 F4 12 79 D5 AC 18 07 8E DE DE 75 93 EB 2F D2 08 61 34 9A 9E 70 DE 79 4F 91 D7 D9 F0 AC C2 EC 60 84 65 2A 7D 69 53 19 B9 6E 8C 08 3B DD 02 DE E3 67 4C 09 34 CE 6A C7 51 4F 0D 3A 5C 04 D8 36 2D 04 04 9D 5C 6B 7E 0B 19 3F C3 E3 EB 9B 9B 6C 1E 96 CB 96 85 B3 34 73 1E D0 DA C2 9A 1A 59 19 D0 DB 97 51 4A 89 A0 2A 41 33 DD A3 AE 66 09 A3 87 C7 CB 7E C0 90 DD 37 |
| 步骤6 | 通过RSA_SH256验签算法进行验签 签名的内容数据为[SignatureContentMD5]: 7F747A23FABED86447094E5DC50ABCAF 待验证的签名数据为[TradeSignatureBrinary]: (见之前解码获得) 用于验证签名使用的商户公钥MD5为: 773D5FA18C0CEB6637600CBBCFB28E66 商户公钥是在您创建商户的时候生成的,您可以在<商户管理>页面中导出获得 |
备注
交易HTTP联动RSA_SHA256验签方式较为复杂,但是采用了2048位的高强度非对称加密,
它是可靠且安全.您不必担心商户公钥泄露,这不会影响验签安全性.
适用各种商业环境.