安全要求
签名方式
币趣支付采用 HMAC-SHA512 算法签名验签,商户登录商户平台在“开发者”→“API 秘钥”→ 点击”生成 API 密钥“,币趣支付为商户生成 ApiKey、SecretKey 密钥对。
报文签名
报文的签名处理机制如下:
1)签名算法:HMAC-SHA512;
2)设所有发送的数据为集合 P,将集合 P 内非空参数值的参数按照参数名 ASCII 码从小到大排序(字典序),使用 URL 键值对的格式(即 K1=V1&K2=V2)拼接成字符串 A,
- 注意:参数名区分大小写;传送的 sign 参数不参与签名;
- 注意: 请求参数中: bizConent字段中 JSON 字符串中
key按照固定字段顺序进行排序,具体参考各Method中的请求参数顺序- 注意,请求参数中: bizContent字段为字符串格式,即对应Method中的请求参数序列化为 JSON 字符串形式置入
3)在字符串 A 最后拼接上 key 参数,key 值则为 apiKey 密钥,得到待签名字符串 signTemp,再对 signTemp 使用 secretKey 密钥进行 HMAC-SHA512 运算,再将得到的字符串转换为大写,得到最终签名值 signValue;
说明:
apiKey、secretKey密钥长度均为 64 位;
4)把最终生成的签名值 signValue 赋值于公共参数 sign。
签名示例
例如,商户发起一笔收银台支付(basicexpay.trade.cashier),按照收银台支付接口请求参数如下:
{
"merOrderNo": "ysibWeNmphs55rse",
"clientIp": "127.0.0.1",
"totalAmount": 49.33,
"currency": "USDT",
"description": "测试商品",
"orderSource": "APP",
"tradeStartTime": "2023-04-01 14:50:58",
"expireTime": 900,
"notifyUrl": "https://api.xx.com/receive_notify.htm",
"returnUrl": "https://xx.com/return.htm",
"attach": ""
}合并整体请求参数为:
{
"bizConent": "{\"merOrderNo\":\"ysibWeNmphs55rse\",\"clientIp\":\"127.0.0.1\",\"totalAmount\":49.33,\"currency\":\"USDT\",\"description\":\"测试商品\",\"orderSource\":\"APP\",\"tradeStartTime\":\"2023-04-01 14:50:58\",\"expireTime\":900,\"notifyUrl\":\"https://api.xx.com/receive_notify.htm\",\"returnUrl\":\"https://xx.com/return.htm\",\"attach\":\"\"}",
"merNo": "819275770875906",
"method": "basicexpay.trade.cashier",
"nonce": "R6mkm6sP4CpAX7Bk",
"signType": "HmacSHA512",
"timestamp": "20230401145058"
}第一步: 根据字典序将请求参数按照字典序顺序排列,并使用 URL 键值对的格式拼接成待签名字符串:
bizConent={"merOrderNo":"ysibWeNmphs55rse","clientIp":"127.0.0.1","totalAmount":49.33,"currency":"USDT","description":"测试商品","orderSource":"APP","tradeStartTime":"2023-04-01 14:50:58","expireTime":900,"notifyUrl":"https://api.xx.com/receive_notify.htm","returnUrl":"https://xx.com/return.htm","attach":""}&merNo=819275770875906&method=basicexpay.trade.cashier&nonce=R6mkm6sP4CpAX7Bk&signType=HmacSHA512×tamp=20230401145058第二步: 在待签名字符串最后拼接 key 参数,key 值则为 apiKey 密钥,得到待签名字符串 signTemp:
bizConent={"merOrderNo":"ysibWeNmphs55rse","clientIp":"127.0.0.1","totalAmount":49.33,"currency":"USDT","description":"测试商品","orderSource":"APP","tradeStartTime":"2023-04-01 14:50:58","expireTime":900,"notifyUrl":"https://api.xx.com/receive_notify.htm","returnUrl":"https://xx.com/return.htm","attach":""}&merNo=819275770875906&method=basicexpay.trade.cashier&nonce=R6mkm6sP4CpAX7Bk&signType=HmacSHA512×tamp=20230401145058&key=7V46gR6dA83eIS0vU9w7gU5mYiy2G6Oxx1J19WcgU9ZF20g1f2HYic7fGzOG36O3第三步: 使用 secretKey 密钥进行 HMAC-SHA512 运算,再将得到的字符串转换为大写,得到最终签名值 signValue
88E749A59400CB70547794C11B7557FF861D7489AE416C0630656149C87EDDE8B738DB30022B434D9BFF4031359E6B4951660B4F1B087B27ADE8318789BB3D86第四步: 将sign参数放入整体请求参数中:
{
"bizConent": "{\"merOrderNo\":\"ysibWeNmphs55rse\",\"clientIp\":\"127.0.0.1\",\"totalAmount\":49.33,\"currency\":\"USDT\",\"description\":\"测试商品\",\"orderSource\":\"APP\",\"tradeStartTime\":\"2023-04-01 14:50:58\",\"expireTime\":900,\"notifyUrl\":\"https://api.xx.com/receive_notify.htm\",\"returnUrl\":\"https://xx.com/return.htm\",\"attach\":\"\"}",
"merNo": "819275770875906",
"method": "basicexpay.trade.cashier",
"nonce": "R6mkm6sP4CpAX7Bk",
"signType": "HmacSHA512",
"timestamp": "20230401145058",
"sign": "88E749A59400CB70547794C11B7557FF861D7489AE416C0630656149C87EDDE8B738DB30022B434D9BFF4031359E6B4951660B4F1B087B27ADE8318789BB3D86"
}报文验签
1)验证签名时,sign 参数不参与签名,在接收到的参数列表中,除去 sign 参数后再按照签名处理步骤得到签名值 signValue;
2)签名值(signValue)与 sign 参数值进行比较验证。
具体查看 异步通知验签部分
测试 Demo
币趣提供测试 DEMO 供商户/渠道合作伙伴的系统分析人员、系统设计人员、系统开发人员及测试人员 参考,具体参考: https://merchant.basicex.com/developer/demo/demo.html