diff --git a/src/SKIT.FlurlHttpClient.Wechat.Api/Interceptors/WechatApiSecurityApiInterceptor.cs b/src/SKIT.FlurlHttpClient.Wechat.Api/Interceptors/WechatApiSecurityApiInterceptor.cs index cf67b4e3..e073bc96 100644 --- a/src/SKIT.FlurlHttpClient.Wechat.Api/Interceptors/WechatApiSecurityApiInterceptor.cs +++ b/src/SKIT.FlurlHttpClient.Wechat.Api/Interceptors/WechatApiSecurityApiInterceptor.cs @@ -23,6 +23,7 @@ namespace SKIT.FlurlHttpClient.Wechat.Api.Interceptors * https://developers.weixin.qq.com/miniprogram/dev/OpenApiDoc/getting_started/api_signature.html * https://developers.weixin.qq.com/community/develop/article/doc/00028ca675c708b23f100b8e161013 * https://developers.weixin.qq.com/community/develop/article/doc/000e68b8038ed8796f00f6c2f68c13 + * https://wxaintpcos.wxqcloud.qq.com.cn/public/tmp/apitool.py */ private static readonly ISet SIGN_REQUIRED_URLS = new HashSet(StringComparer.OrdinalIgnoreCase) { @@ -88,19 +89,19 @@ namespace SKIT.FlurlHttpClient.Wechat.Api.Interceptors private readonly string _appId; private readonly string _symmetricAlg; private readonly string _symmetricNum; - private readonly string _symmetricKey; + private readonly string _symmetricEncodingKey; private readonly string _asymmetricAlg; private readonly string _asymmetricNum; private readonly string _asymmetricPrivateKey; private readonly Func? _customRequestPathMatcher; - public WechatApiSecurityApiInterceptor(string baseUrl, string appId, string symmetricAlg, string symmetricNum, string symmetricKey, string asymmetricAlg, string asymmetricNum, string asymmetricPrivateKey, Func? customRequestPathMatcher) + public WechatApiSecurityApiInterceptor(string baseUrl, string appId, string symmetricAlg, string symmetricNum, string symmetricEncodingKey, string asymmetricAlg, string asymmetricNum, string asymmetricPrivateKey, Func? customRequestPathMatcher) { _baseUrl = baseUrl; _appId = appId; _symmetricAlg = symmetricAlg; _symmetricNum = symmetricNum; - _symmetricKey = symmetricKey; + _symmetricEncodingKey = symmetricEncodingKey; _asymmetricAlg = asymmetricAlg; _asymmetricNum = asymmetricNum; _asymmetricPrivateKey = asymmetricPrivateKey; @@ -116,10 +117,10 @@ namespace SKIT.FlurlHttpClient.Wechat.Api.Interceptors return; if (context.FlurlCall.HttpRequestMessage.RequestUri is null) return; - if (!IsRequestUrlRequireEncryption(context.FlurlCall.HttpRequestMessage.RequestUri)) + if (!IsRequestUrlPathMatched(context.FlurlCall.HttpRequestMessage.RequestUri)) return; - string urlpath = GetRequestUrl(context.FlurlCall.HttpRequestMessage.RequestUri); + string urlpath = GetRequestUrlPath(context.FlurlCall.HttpRequestMessage.RequestUri); string timestamp = DateTimeOffset.Now.ToLocalTime().ToUnixTimeSeconds().ToString(); string postData = "{}"; string postDataEncrypted; @@ -140,7 +141,7 @@ namespace SKIT.FlurlHttpClient.Wechat.Api.Interceptors } // 对称加密 - if (string.IsNullOrEmpty(_symmetricKey)) + if (string.IsNullOrEmpty(_symmetricEncodingKey)) { throw new WechatApiException("Failed to encrypt request, because the AES/SM4 key is not set."); } @@ -180,7 +181,7 @@ namespace SKIT.FlurlHttpClient.Wechat.Api.Interceptors { const int TAG_LENGTH_BYTE = 16; byte[] cipherBytes = Utilities.AESUtility.EncryptWithGCM( - keyBytes: Convert.FromBase64String(_symmetricKey), + keyBytes: Convert.FromBase64String(_symmetricEncodingKey), nonceBytes: Convert.FromBase64String(nonce), associatedDataBytes: Encoding.UTF8.GetBytes(associatedData), plainBytes: Encoding.UTF8.GetBytes(plainData) @@ -207,7 +208,7 @@ namespace SKIT.FlurlHttpClient.Wechat.Api.Interceptors { const int TAG_LENGTH_BYTE = 16; byte[] cipherBytes = Utilities.SM4Utility.EncryptWithGCM( - keyBytes: Convert.FromBase64String(_symmetricKey), + keyBytes: Convert.FromBase64String(_symmetricEncodingKey), nonceBytes: Convert.FromBase64String(nonce), associatedDataBytes: Encoding.UTF8.GetBytes(associatedData), plainBytes: Encoding.UTF8.GetBytes(plainData) @@ -250,7 +251,7 @@ namespace SKIT.FlurlHttpClient.Wechat.Api.Interceptors } else { - string signData = $"{urlpath}\n{_appId}\n{timestamp}\n{postDataEncrypted}"; + string signData = GenerateAymmetricSigningData(urlpath, _appId, timestamp, postDataEncrypted); string sign; switch (_asymmetricAlg) @@ -300,12 +301,12 @@ namespace SKIT.FlurlHttpClient.Wechat.Api.Interceptors return; if (context.FlurlCall.HttpRequestMessage.RequestUri is null) return; - if (!IsRequestUrlRequireEncryption(context.FlurlCall.HttpRequestMessage.RequestUri)) + if (!IsRequestUrlPathMatched(context.FlurlCall.HttpRequestMessage.RequestUri)) return; if (context.FlurlCall.HttpResponseMessage is null) return; - string urlpath = GetRequestUrl(context.FlurlCall.HttpRequestMessage.RequestUri); + string urlpath = GetRequestUrlPath(context.FlurlCall.HttpRequestMessage.RequestUri); byte[] respBytes = Array.Empty(); if (context.FlurlCall.HttpResponseMessage.Content is not null) { @@ -319,7 +320,7 @@ namespace SKIT.FlurlHttpClient.Wechat.Api.Interceptors } // 对称解密 - if (string.IsNullOrEmpty(_symmetricKey)) + if (string.IsNullOrEmpty(_symmetricEncodingKey)) { throw new WechatApiException("Failed to decrypt response, because the AES/SM4 key is not set."); } @@ -368,7 +369,7 @@ namespace SKIT.FlurlHttpClient.Wechat.Api.Interceptors Buffer.BlockCopy(authtagBytes, 0, cipherBytes, encdataBytes.Length, authtagBytes.Length); respBytesDecrypted = Utilities.AESUtility.DecryptWithGCM( - keyBytes: Convert.FromBase64String(_symmetricKey), + keyBytes: Convert.FromBase64String(_symmetricEncodingKey), nonceBytes: Convert.FromBase64String(sIV!), associatedDataBytes: Encoding.UTF8.GetBytes(associatedData), cipherBytes: cipherBytes @@ -392,7 +393,7 @@ namespace SKIT.FlurlHttpClient.Wechat.Api.Interceptors Buffer.BlockCopy(authtagBytes, 0, cipherBytes, encdataBytes.Length, authtagBytes.Length); respBytesDecrypted = Utilities.SM4Utility.DecryptWithGCM( - keyBytes: Convert.FromBase64String(_symmetricKey), + keyBytes: Convert.FromBase64String(_symmetricEncodingKey), nonceBytes: Convert.FromBase64String(sIV!), associatedDataBytes: Encoding.UTF8.GetBytes(associatedData), cipherBytes: cipherBytes @@ -427,14 +428,19 @@ namespace SKIT.FlurlHttpClient.Wechat.Api.Interceptors return $"{urlpath}|{appId}|{timestamp}|{_symmetricNum}"; } - private string GetRequestUrl(Uri uri) + private string GenerateAymmetricSigningData(string urlpath, string appId, string timestamp, string postdata) + { + return $"{urlpath}\n{appId}\n{timestamp}\n{postdata}"; + } + + private string GetRequestUrlPath(Uri uri) { return uri.AbsoluteUri.Substring(0, uri.AbsoluteUri.Length - uri.Query.Length); } - private bool IsRequestUrlRequireEncryption(Uri uri) + private bool IsRequestUrlPathMatched(Uri uri) { - string absoluteUrl = GetRequestUrl(uri); + string absoluteUrl = GetRequestUrlPath(uri); if (!absoluteUrl.StartsWith(_baseUrl)) return false; diff --git a/src/SKIT.FlurlHttpClient.Wechat.Api/WechatApiClient.cs b/src/SKIT.FlurlHttpClient.Wechat.Api/WechatApiClient.cs index 212d7451..7142066a 100644 --- a/src/SKIT.FlurlHttpClient.Wechat.Api/WechatApiClient.cs +++ b/src/SKIT.FlurlHttpClient.Wechat.Api/WechatApiClient.cs @@ -45,10 +45,10 @@ namespace SKIT.FlurlHttpClient.Wechat.Api { Interceptors.Add(new Interceptors.WechatApiSecurityApiInterceptor( baseUrl: FlurlClient.BaseUrl, - appId: string.IsNullOrEmpty(options.SecurityApiAppId) ? options.AppId : options.SecurityApiAppId, + appId: string.IsNullOrEmpty(options.SecurityApiAppId) ? options.AppId : options.SecurityApiAppId!, symmetricAlg: options.SecurityApiSymmetricAlgorithm!, symmetricNum: options.SecurityApiSymmetricNumber!, - symmetricKey: options.SecurityApiSymmetricKey!, + symmetricEncodingKey: options.SecurityApiSymmetricEncodingKey!, asymmetricAlg: options.SecurityApiAsymmetricAlgorithm!, asymmetricNum: options.SecurityApiAsymmetricNumber!, asymmetricPrivateKey: options.SecurityApiAsymmetricPrivateKey!, diff --git a/src/SKIT.FlurlHttpClient.Wechat.Api/WechatApiClientOptions.cs b/src/SKIT.FlurlHttpClient.Wechat.Api/WechatApiClientOptions.cs index e0d1de2f..ba3d4e8d 100644 --- a/src/SKIT.FlurlHttpClient.Wechat.Api/WechatApiClientOptions.cs +++ b/src/SKIT.FlurlHttpClient.Wechat.Api/WechatApiClientOptions.cs @@ -102,9 +102,9 @@ namespace SKIT.FlurlHttpClient.Wechat.Api public string? SecurityApiSymmetricNumber { get; set; } /// - /// 获取或设置 API 安全鉴权模式对称加密密钥。 + /// 获取或设置 API 安全鉴权模式对称加密密钥(经过 Base64 编码)。 /// - public string? SecurityApiSymmetricKey { get; set; } + public string? SecurityApiSymmetricEncodingKey { get; set; } /// /// 获取或设置 API 安全鉴权模式非对称加密算法。 diff --git a/test/SKIT.FlurlHttpClient.Wechat.Api.UnitTests/TestCase_SecurityApiTests.cs b/test/SKIT.FlurlHttpClient.Wechat.Api.UnitTests/TestCase_SecurityApiTests.cs index bb682bc8..f980c49a 100644 --- a/test/SKIT.FlurlHttpClient.Wechat.Api.UnitTests/TestCase_SecurityApiTests.cs +++ b/test/SKIT.FlurlHttpClient.Wechat.Api.UnitTests/TestCase_SecurityApiTests.cs @@ -20,7 +20,7 @@ namespace SKIT.FlurlHttpClient.Wechat.Api.UnitTests AppId = "wxba6223c06417af7b", SecurityApiEnabled = true, SecurityApiSymmetricNumber = "fa05fe1e5bcc79b81ad5ad4b58acf787", - SecurityApiSymmetricKey = "otUpngOjU+nVQaWJIC3D/yMLV17RKaP6t4Ot9tbnzLY=", + SecurityApiSymmetricEncodingKey = "otUpngOjU+nVQaWJIC3D/yMLV17RKaP6t4Ot9tbnzLY=", SecurityApiAsymmetricNumber = "97845f6ed842ea860df6fdf65941ff56", SecurityApiAsymmetricPrivateKey = "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA3FoQOmOl5/CF5hF7ta4EzCy2LaU3Eu2k9DBwQ73J82I53Sx9\nLAgM1DH3IsYohRRx/BESfbdDI2powvr6QYKVIC+4Yavwg7gzhZRxWWmT1HruEADC\nZAgkUCu+9Il/9FPuitPSoIpBd07NqdkkRe82NBOfrKTdhge/5zd457fl7J81Q5VT\nIxO8vvq7FSw7k6Jtv+eOjR6SZOWbbUO7f9r4UuUkXmvdGv21qiqtaO1EMw4tUCEL\nzY73M7NpCH3RorlommYX3P6q0VrkDHrCE0/QMhmHsF+46E+IRcJ3wtEj3p/mO1Vo\nCpEhawC1U728ZUTwWNEii8hPEhcNAZTKaQMaTQIDAQABAoIBAQCXv5p/a5KcyYKc\n75tfgekh5wTLKIVmDqzT0evuauyCJTouO+4z/ZNAKuzEUO0kwPDCo8s1MpkU8boV\n1Ru1M8WZNePnt65aN+ebbaAl8FRzNvltoeg9VXIUmBvYcjzhOVAE4V2jW7M8A9QU\nzUpyswuED6OeFKfOHtYk2In2IipAqhfbyc6gn7uZSWTQsoO6hGBRQ7Ejx+vgwrbx\nZKVZ7UXbPHD0lOEPraA3PH/QUeUKpNwK2NXQoBxWcR283/HxFSAjjSSsGSBKsCnw\nDN55P2FQ0HNi5YrwUNT9190NIXSeygaRy1b+D+yBfm+yE7/qXwHLZCHsjO+2tMSS\n3KGjllTBAoGBAP9FPeYNKZuu5jt9RpZwXCc9E7Iz7bmM7zws6dun6dQH0xVVWFVm\niGIu07eqyB8HNagXseFzoXLV5EQx+3DaB0bAH+ZEpHGJJpAWSLusigssFUFuTvTF\nw+rC5hxOfidMa6+93SU5pWeJb0zJF8PRDaJ3UmwlwpYubF17sT4PD6p9AoGBANz7\nRlhRSFvggJjhEMpek3OIYWrrlRNO2MVcP7i/fGNTHhrw7OHcNGRof54QZ2Y0baL7\n1vHNokbK2mnT+cQXY/gXMmcE/eV4xyRGYiIL9nBdrkLerc43EYPv+evDvgyji6+y\n4np5cKqHrS8F+YzATk82Jt9HgdI2MvfbJTkSbmgRAoGAHNPL9rPb1An/VA6Ery6H\nKaM7Gy/EE+U3ixsjWbvvqxMrIkieDh7jHftdy2sM6Hwe8hmi6+vr+pTvD0h5tbfZ\nhILj11Q/Idc0NKdflVoZyMM0r0vuvLOsuVFDPUUb+AIoUxNk6vREmpmpqQk4ltN/\n763779yfyef6MuBqFrEKut0CgYB9FfsuuOv1nfINF7EybDCZAETsiee7ozEPHnWv\ndSzK6FytMV1VSBmcEI7UgUKWVu0MifOUsiq+WcsihmvmNLtQzoioSeoSP7ix7ulT\njmP0HQMsNPI7PW67uVZFv2pPqy/Bx8dtPlqpHN3KNV6Z7q0lJ2j/kHGK9UUKidDb\nKnS2kQKBgHZ0cYzwh9YnmfXx9mimF57aQQ8aFc9yaeD5/3G2+a/FZcHtYzUdHQ7P\nPS35blD17/NnhunHhuqakbgarH/LIFMHITCVuGQT4xS34kFVjFVhiT3cHfWyBbJ6\nGbQuzzFxz/UKDDKf3/ON41k8UP20Gdvmv/+c6qQjKPayME81elus\n-----END RSA PRIVATE KEY-----" })