wechatpay-apiv3 / wechatpay-go

Official Go library for WeChat Pay APIv3
https://pay.weixin.qq.com/wiki/doc/apiv3/wxpay/pages/index.shtml
Apache License 2.0

WeChat Pay callback: signature verification fails #230

Closed zhangchaoming005 closed 1 month ago

zhangchaoming005 commented 3 months ago

No matter how I handle it, signature verification always fails: invalid notification, err: validate verify fail serial=[38A599535618DC3E17612AEC229EFD326FE363F6] request-id=[] err=verify signature with public key err:crypto/rsa: verification error, request: &{Method:POST URL:/fonts/wx/pay/callback Proto:HTTP/1.0 ProtoMajor:1 ProtoMinor:0 Header:map[Accept:[*/*] Cache-Control:[no-cache] Connection:[close] Content-Length:[919] Content-Type:[application/json] Pragma:[no-cache] User-Agent:[Mozilla/4.0] Wechatpay-Nonce:[MpigGQPjeITf4IIkwyvFuZKSb4UzHc11] Wechatpay-Serial:[38A599535618DC3E17612AEC229EFD326FE363F6] Wechatpay-Signature:[LCnNSR+5ouNNySDSYZsy0ZhFBfcL3nnxPzKNAmKKB3PynPuW3DM0/DsRDt7N+91uqQuEb0MdYFWe0tNFbiZOoXh+Kg7a4szAJG+vW7NmW2Ht5C4T8fZ94mzXYWRhuGoXaxSAC2XIRFn9J1WGvJGbv8H1XVxZ1D8B1Ttloes61GJrAMcBaWVIlZpKGO/13E+YuAQboPATC8/jzHBDDn8xDGE1KzXOH7NdF+sNWjgMd90wMhFHY6c22KRqq5UUuaVdBZpc+PdaKggmTWxrw/70heVODY9YGyEfQDIqCrAwMKeKx1fsjECNk7AnI0w/6e6ps+bJsnP0RHPEN7VPDscShg==] Wechatpay-Signature-Type:[WECHATPAY2-SHA256-RSA2048] Wechatpay-Timestamp:[1718466819] X-Forwarded-For:[121.51.30.176] X-Real-Ip:[121.51.30.176]] Body:{Reader:{"create_time":"2024-06-15T21:49:36+08:00","event_type":"TRANSACTION.SUCCESS","id":"8dc45bdd-2033-595b-9c93-a23635cc7ede","resource":{"algorithm":"AEAD_AES_256_GCM","associated_data":"transaction","ciphertext":"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","nonce":"IpKrHESiX3uV","original_type":"transaction"},"resource_type":"encrypt-resource","summary":"支付成功"}} GetBody:<nil> ContentLength:919 TransferEncoding:[] Close:true Host:www.lzsfbj.com Form:map[] PostForm:map[] MultipartForm:<nil> Trailer:map[] RemoteAddr:127.0.0.1:37128 RequestURI:/fonts/wx/pay/callback TLS:<nil> Cancel:<nil> Response:<nil> ctx:0xc0008e45a0}

I also printed the content to be signed: 1718466819 MpigGQPjeITf4IIkwyvFuZKSb4UzHc11 {"create_time":"2024-06-15T21:49:36+08:00","event_type":"TRANSACTION.SUCCESS","id":"8dc45bdd-2033-595b-9c93-a23635cc7ede","resource":{"algorithm":"AEAD_AES_256_GCM","associated_data":"transaction","ciphertext":"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","nonce":"IpKrHESiX3uV","original_type":"transaction"},"resource_type":"encrypt-resource","summary":"支付成功"}

Also, I tried both automatic certificate updating and a local certificate file; neither passes verification.

Local file approach:

```go
cert, err := utils.LoadCertificateWithPath(common.Conf.WxPlatformPem)
if err != nil {
    log.Println("微信Handler初始化失败,加载证书失败", err)
    return
}

// Build the notify handler from a fixed certificate map containing the loaded platform certificate
wxPayHandler, err = notify.NewRSANotifyHandler(
    mchAPIv3Key, verifiers.NewSHA256WithRSAVerifier(core.NewCertificateMapWithList([]*x509.Certificate{cert})),
)
if err != nil {
    log.Println("使用证书访问器初始化微信handler失败", err)
    return
}
```

Automatic update:

```go
ctx := context.Background()

// 1. Register the downloader with RegisterDownloaderWithPrivateKey
instance := downloader.MgrInstance()
err := instance.RegisterDownloaderWithPrivateKey(ctx, mchPrivateKey, mchCertificateSerialNumber, mchID, mchAPIv3Key)
if err != nil {
    log.Println("RegisterDownloaderWithPrivateKey failed", err)
    return
}

// Initialise the client with the merchant private key so it can fetch platform certificates automatically on a schedule
opts := []core.ClientOption{
    option.WithWechatPayAutoAuthCipher(mchID, mchCertificateSerialNumber, mchPrivateKey, mchAPIv3Key),
    option.WithoutValidator(),
}

client, err := core.NewClient(ctx, opts...)
if err != nil {
    log.Println("core.NewClient failed", err)
    return
}

err = instance.RegisterDownloaderWithClient(ctx, client, mchID, mchAPIv3Key)
if err != nil {
    log.Println("注册微信下载器失败", err)
    return
}

// 2. Get the platform certificate visitor for this merchant ID
certificateVisitor := instance.GetCertificateVisitor(mchID)

// 3. Initialise notify.Handler with the certificate visitor
wxPayHandler, err = notify.NewRSANotifyHandler(mchAPIv3Key, verifiers.NewSHA256WithRSAVerifier(certificateVisitor))
```

xy-peng commented 3 months ago

I also printed the content to be signed: 1718466819 MpigGQPjeITf4IIkwyvFuZKSb4UzHc11 {"create_time":"2024-06-15T21:49:36+08:00","event_type":"TRANSACTION.SUCCESS","id":"8dc45bdd-2033-595b-9c93-a23635cc7ede","resource":{"algorithm":"AEAD_AES_256_GCM","associated_data":"transaction","ciphertext":"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","nonce":"IpKrHESiX3uV","original_type":"transaction"},"resource_type":"encrypt-resource","summary":"支付成功"}

I checked the message we sent: the message you printed here is not the original callback body, so signature verification fails. I suspect some intermediate processing transformed it. You need to check the request data used for verification.

I suggest verifying the signature first, and only then doing checks and business logic.

zhangchaoming005 commented 3 months ago

I also printed the content to be signed: 1718466819 MpigGQPjeITf4IIkwyvFuZKSb4UzHc11 {"create_time":"2024-06-15T21:49:36+08:00","event_type":"TRANSACTION.SUCCESS","id":"8dc45bdd-2033-595b-9c93-a23635cc7ede","resource":{"algorithm":"AEAD_AES_256_GCM","associated_data":"transaction","ciphertext":"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","nonce":"IpKrHESiX3uV","original_type":"transaction"},"resource_type":"encrypt-resource","summary":"支付成功"}

I checked the message we sent: the message you printed here is not the original callback body, so signature verification fails. I suspect some intermediate processing transformed it. You need to check the request data used for verification.

I suggest verifying the signature first, and only then doing checks and business logic.

Thanks for the reminder. It was caused by an anti-XSS injection middleware.
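To show concretely why the maintainer's advice and the reporter's finding line up, here is an added example (not code from the wechatpay-go library or from either participant) that reproduces the APIv3 notification signature scheme in Go: the signed message is timestamp, nonce and the raw body, each terminated by a newline, signed with SHA256withRSA. It signs a constructed body with a throwaway key standing in for the platform key, then verifies once against the raw body and once against the same body after an escaping middleware (html.EscapeString here, as a stand-in for the reporter's anti-XSS filter) has rewritten it; only the raw body verifies.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"html"
)

// BuildSignMessage: APIv3 signing string = timestamp, nonce, raw body, each ending in "\n".
func BuildSignMessage(timestamp, nonce, body string) string {
	return timestamp + "\n" + nonce + "\n" + body + "\n"
}

// Sign stands in for WeChat Pay producing the base64 SHA256withRSA value sent in
// Wechatpay-Signature (demo key here, not the real platform key).
func Sign(priv *rsa.PrivateKey, timestamp, nonce, body string) (string, error) {
	digest := sha256.Sum256([]byte(BuildSignMessage(timestamp, nonce, body)))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// Verify checks the header signature against the body bytes actually received.
func Verify(pub *rsa.PublicKey, timestamp, nonce, sigB64, body string) error {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return err
	}
	digest := sha256.Sum256([]byte(BuildSignMessage(timestamp, nonce, body)))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

// Demo signs a constructed notification, then verifies it on the raw body and
// on the same body after an escaping middleware rewrote it.
func Demo() (rawOK bool, rewrittenOK bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	ts, nonce := "1718466819", "MpigGQPjeITf4IIkwyvFuZKSb4UzHc11" // values from the issue
	body := `{"event_type":"TRANSACTION.SUCCESS","summary":"支付成功"}` // constructed body
	sig, err := Sign(priv, ts, nonce, body)
	if err != nil {
		return false, false, err
	}
	return Verify(&priv.PublicKey, ts, nonce, sig, body) == nil,
		Verify(&priv.PublicKey, ts, nonce, sig, html.EscapeString(body)) == nil, nil
}
```

Any filter that rewrites the body (escaping quotes, trimming whitespace, re-serialising JSON) must run after verification, or the verifier must be handed the untouched bytes.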