
The method of WeChat Mini Programs's api signature Verification

2025-01-17 Update From: SLTechnology News&Howtos shulou


Shulou(Shulou.com)06/01 Report--

This article explains the WeChat Mini Program API signature verification method. The material is short and straightforward; follow the steps below to understand how signatures over user data are checked and how encrypted data is decrypted.

Signature verification of user data, and decryption of encrypted data

To protect the user data returned by the open interface, WeChat signs the plaintext data. Developers can verify that signature on their own server, as their business requires, to confirm that the data has not been altered.

The signature algorithm involves the user's session_key. The developer obtains the session_key through the wx.login login flow and keeps it associated with the application's own login state.

When data is obtained by calling an API (such as wx.getUserInfo), the API returns both rawData and signature, where signature = sha1(rawData + session_key).

The developer sends signature and rawData to the developer server for verification. The server looks up the session_key for that user, computes signature2 with the same algorithm, and verifies the integrity of the data by comparing signature with signature2.

For example, the data verification of wx.getUserInfo:

The rawData returned by the API:

{"nickName": "Band", "gender": 1, "language": "zh_CN", "city": "Guangzhou", "province": "Guangdong", "country": "CN", "avatarUrl": "http://wx.qlogo.cn/mmopen/vi_32/1vZvI39NWFQ9XM4LtQpFrQJ1xlgZxx3w7bQxKARol6503Iuswjjn6nIGBiaycAjAtpujxyzYsrztuuICqIM5ibXQ/0"}

User's session_key:

HyVFkGl5F5OQWJZZaNzBBg==

Therefore, the string used for signing is:

{"nickName": "Band", "gender": 1, "language": "zh_CN", "city": "Guangzhou", "province": "Guangdong", "country": "CN", "avatarUrl": "http://wx.qlogo.cn/mmopen/vi_32/1vZvI39NWFQ9XM4LtQpFrQJ1xlgZxx3w7bQxKARol6503Iuswjjn6nIGBiaycAjAtpujxyzYsrztuuICqIM5ibXQ/0"}HyVFkGl5F5OQWJZZaNzBBg==

The result of applying sha1 is:

75e81ceda165f4ffa64f4068af58c64b8f54b88c

Encrypted data decryption algorithm

If an interface involves sensitive data (such as openId and unionId in wx.getUserInfo), the plaintext returned by the interface will not contain that sensitive data. Developers who need it must symmetrically decrypt the encrypted data (encryptedData) returned by the API. The decryption algorithm is as follows:

The symmetric algorithm is AES-128-CBC, with PKCS#7 padding.

The ciphertext to decrypt is Base64_Decode(encryptedData).

The symmetric decryption key is aeskey = Base64_Decode(session_key); aeskey is 16 bytes.

The initialization vector (iv) of the symmetric decryption algorithm is returned by the data interface.

WeChat officially provides sample code for several programming languages. The interface names are the same in every language; refer to the sample for the calling convention.

In addition, to let developers check that the data is valid, a data watermark (watermark) is added to the sensitive data.

Watermark parameter description:

Parameter   Type      Description
watermark   OBJECT    Data watermark.
appid       String    The appid the sensitive data belongs to; developers can check that it matches their own appid.
timestamp   DateInt   Timestamp at which the sensitive data was obtained; developers can use it to check the timeliness of the data.

For example, watermark in the sensitive data of the API wx.getUserInfo:

{"openId": "OPENID", "nickName": "NICKNAME", "gender": GENDER, "city": "CITY", "province": "PROVINCE", "country": "COUNTRY", "avatarUrl": "AVATARURL", "unionId": "UNIONID", "watermark": {"appid": "APPID", "timestamp": TIMESTAMP}}

Note: the previously provided encrypted data (encryptData) and its corresponding encryption algorithm will be discontinued; developers should no longer rely on the old logic.

That concludes the WeChat Mini Program API signature verification method. The specifics should be confirmed in practice against your own server implementation.
