Signature Verification
Info
If the request signature from the client is correct, VMP will include the response signature in the HTTP headers of the response. We recommend that the client verifies the response signature.
Similarly, in the callback request scenario, VMP will include the signature in the callback parameters. The client must verify the callback signature to ensure that the callback is sent by VMP.
Developers can follow the steps below to verify the signature of the response or callback.
Construct Signature String
Assume the parameters of the response or callback are:
originalParam = {
"p0": "c",
"p2": "b",
"p1": "a",
"sign": "ed473ec9e423747a40b87403aa9814030861932d514dab000ed1f8a741f1d6df"
}
Assume secret_code is:
testsignkey1234
Step 1: Exclude the sign parameter and sort the parameters in ascending order based on the parameter names.
Before sorting:
{
"p0": "c",
"p2": "b",
"p1": "a"
}
After sorting:
{
"p0": "c",
"p1": "a",
"p2": "b"
}
Step 2: Concatenate the parameters in the format of key=value using the & symbol.
p0=c&p1=a&p2=b
Step 3: Concatenate secret_code at the beginning of the string generated in the previous step, without using the & symbol.
testsignkey1234p0=c&p1=a&p2=b
Calculate Signature Value
Calculate the signature value by signing the signature string using sha-256, with encoding format UTF-8 .
signCode = sha256('testsignkey1234p0=c&p1=a&p2=b', 'UTF-8');
Signature result:
ed473ec9e423747a40b87403aa9814030861932d514dab000ed1f8a741f1d6df
Verify Signature Result
Compare the signature result with the signature value in the original parameters to determine if they are the same.
signCode === originalParam.sign;
Demo Code
import net.sf.json.JSONObject;
import org.junit.Assert;
import org.junit.Test;
import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.*;
public class SignTest {
@Test
public void verifySign() throws Exception {
JSONObject responseBody = new JSONObject();
responseBody.put("p0", "c");
responseBody.put("p2", "b");
responseBody.put("p1", "a");
responseBody.put("sign", "ed473ec9e423747a40b87403aa9814030861932d514dab000ed1f8a741f1d6df");
String secretCode = "testsignkey1234";
String paramSign = (String) responseBody.remove("sign");
String asciiLinkString = createAsciiLinkString(responseBody);
System.out.println(asciiLinkString);
String signTempString = secretCode + asciiLinkString;
System.out.println(signTempString);
String signCode = sha256(signTempString, "UTF-8");
System.out.println(signCode);
Assert.assertEquals(paramSign, signCode);
}
private String createAsciiLinkString(JSONObject params) {
List<String> keys = new ArrayList();
keys.addAll(params.keySet());
Collections.sort(keys);
StringBuffer stringBuffer = new StringBuffer();
for (int i = 0; i < keys.size(); i++) {
stringBuffer.append(keys.get(i)).append("=").append(params.get(keys.get(i)));
if (i != keys.size() - 1) {
stringBuffer.append("&");
}
}
return stringBuffer.toString();
}
private String sha256(String signTempString, String charset)
throws UnsupportedEncodingException, NoSuchAlgorithmException {
byte[] bt = signTempString.getBytes(charset);
MessageDigest md = MessageDigest.getInstance("SHA-256");
md.update(bt);
byte[] r = md.digest();
return bytes2Hex(r);
}
private String bytes2Hex(byte[] bts) {
String des = "";
for (int i = 0; i < bts.length; i++) {
String tmp = (Integer.toHexString(bts[i] & 0xFF));
if (tmp.length() == 1) {
des += "0";
}
des += tmp;
}
return des;
}
}