🎨 #3587【微信支付】支持完全公钥模式，新增fullPublicKeyModel字段来控制，默认关闭，关闭时走老逻辑，开启时，只加载公钥所需相关配置，避免下载平台证书使灰度切换无法达到100%覆盖

2025-06-28 13:16:19 +08:00 · 2025-05-14 16:27:29 +08:00 · 2025-05-14 16:27:29 +08:00 · d0b7a526f6
commit d0b7a526f6
parent 47051bdf31
2 changed files with 73 additions and 30 deletions
--- a/weixin-java-pay/src/main/java/com/github/binarywang/wxpay/config/VerifierBuilder.java
+++ b/weixin-java-pay/src/main/java/com/github/binarywang/wxpay/config/VerifierBuilder.java
@ -92,6 +92,16 @@ class VerifierBuilder {
    return null;
  }

+  /**
+   * 针对完全使用公钥的场景
+   * @param publicKeyId 公钥id
+   * @param publicKey 公钥
+   * @return
+   */
+  static Verifier buildPublicCertVerifier(String publicKeyId, PublicKey publicKey) {
+    return getPublicCertVerifier(publicKeyId, publicKey, null);
+  }
+
  /**
   * 获取证书验证器.
   *
--- a/weixin-java-pay/src/main/java/com/github/binarywang/wxpay/config/WxPayConfig.java
+++ b/weixin-java-pay/src/main/java/com/github/binarywang/wxpay/config/WxPayConfig.java
@ -232,6 +232,11 @@ public class WxPayConfig {
   */
  private boolean strictlyNeedWechatPaySerial = false;

+  /**
+   * 是否完全使用公钥模式(用以微信从平台证书到公钥的灰度切换)，默认不使用
+   */
+  private boolean fullPublicKeyModel = false;
+
  /**
   * 返回所设置的微信支付接口请求地址域名.
   *
@ -289,23 +294,37 @@ public class WxPayConfig {
    if (StringUtils.isBlank(this.getApiV3Key())) {
      throw new WxPayException("请确保apiV3Key值已设置");
    }
-
-    // 尝试从p12证书中加载私钥和证书
+    try {
      PrivateKey merchantPrivateKey = null;
+      PublicKey publicKey = null;
+
+      // 使用完全公钥模式时，只加载公钥相关配置，避免下载平台证书使灰度切换无法达到100%覆盖
+      if (this.fullPublicKeyModel) {
+        if (StringUtils.isBlank(this.getCertSerialNo())) {
+          throw new WxPayException("使用公钥模式时，请确保certSerialNo(apiV3证书序列号)值已设置");
+        }
+        if (StringUtils.isBlank(this.getPublicKeyId())) {
+          throw new WxPayException("使用公钥模式时，请确保publicKeyId值已设置");
+        }
+        if (StringUtils.isBlank(this.getPublicKeyString()) && StringUtils.isBlank(this.getPublicKeyPath()) && this.getPublicKeyContent() == null) {
+          throw new WxPayException("使用公钥模式时，请确保publicKeyString/publicKeyPath/publicKeyContent其中一项值已设置");
+        }
+
+        try (InputStream pubInputStream =
+               this.loadConfigInputStream(this.getPublicKeyString(), this.getPublicKeyPath(),
+                 this.getPublicKeyContent(), "publicKeyPath")) {
+          publicKey = PemUtils.loadPublicKey(pubInputStream);
+        }
+      } else {
+        // 不使用完全公钥模式时，同时兼容平台证书和公钥
        X509Certificate certificate = null;
+        // 尝试从p12证书中加载私钥和证书
        Object[] objects = this.p12ToPem();
        if (objects != null) {
          merchantPrivateKey = (PrivateKey) objects[0];
          certificate = (X509Certificate) objects[1];
          this.certSerialNo = certificate.getSerialNumber().toString(16).toUpperCase();
        }
-    try {
-      if (merchantPrivateKey == null && StringUtils.isNotBlank(this.getPrivateKeyPath())) {
-        try (InputStream keyInputStream = this.loadConfigInputStream(this.getPrivateKeyString(), this.getPrivateKeyPath(),
-          this.privateKeyContent, "privateKeyPath")) {
-          merchantPrivateKey = PemUtils.loadPrivateKey(keyInputStream);
-        }
-      }
        if (certificate == null && StringUtils.isBlank(this.getCertSerialNo()) && StringUtils.isNotBlank(this.getPrivateCertPath())) {
          try (InputStream certInputStream = this.loadConfigInputStream(this.getPrivateCertString(), this.getPrivateCertPath(),
            this.privateCertContent, "privateCertPath")) {
@ -313,24 +332,38 @@ public class WxPayConfig {
          }
          this.certSerialNo = certificate.getSerialNumber().toString(16).toUpperCase();
        }
-      PublicKey publicKey = null;
        if (this.getPublicKeyString() != null || this.getPublicKeyPath() != null || this.publicKeyContent != null) {
+          if (StringUtils.isBlank(this.getPublicKeyId())) {
+            throw new WxPayException("请确保和publicKeyId配套使用");
+          }
          try (InputStream pubInputStream =
                 this.loadConfigInputStream(this.getPublicKeyString(), this.getPublicKeyPath(),
                   this.publicKeyContent, "publicKeyPath")) {
            publicKey = PemUtils.loadPublicKey(pubInputStream);
          }
        }
+      }
+
+      // 加载api私钥
+      if (merchantPrivateKey == null && StringUtils.isNotBlank(this.getPrivateKeyPath())) {
+        try (InputStream keyInputStream = this.loadConfigInputStream(this.getPrivateKeyString(), this.getPrivateKeyPath(),
+          this.privateKeyContent, "privateKeyPath")) {
+          merchantPrivateKey = PemUtils.loadPrivateKey(keyInputStream);
+        }
+      }

      //构造Http Proxy正向代理
      WxPayHttpProxy wxPayHttpProxy = getWxPayHttpProxy();

      // 构造证书验签器
-      Verifier certificatesVerifier = VerifierBuilder.build(
+      Verifier certificatesVerifier;
+      if (this.fullPublicKeyModel) {
+        certificatesVerifier = VerifierBuilder.buildPublicCertVerifier(this.publicKeyId, publicKey);
+      } else {
+        certificatesVerifier = VerifierBuilder.build(
          this.getCertSerialNo(), this.getMchId(), this.getApiV3Key(), merchantPrivateKey, wxPayHttpProxy,
-        this.getCertAutoUpdateTime(), this.getPayBaseUrl(),
-        this.getPublicKeyId(), publicKey
-      );
+          this.getCertAutoUpdateTime(), this.getPayBaseUrl(), this.getPublicKeyId(), publicKey);
+      }

      WxPayV3HttpClientBuilder wxPayV3HttpClientBuilder = WxPayV3HttpClientBuilder.create()
        .withMerchant(mchId, certSerialNo, merchantPrivateKey)