Signature verification and encryption and decryption of WeChat applet API user data


Signature verification and encryption and decryption of user data

Data signature verification

In order to ensure the security of user data returned by the open interface, WeChat will sign the plaintext data. Developers can perform signature verification on data packets based on business needs to ensure data integrity.

  1. The signature verification algorithm involves the user's session_key, which is obtained through the wx.login login process and maintains the corresponding relationship with the application's own login state.
  2. When obtaining data by calling the interface (such as wx.getUserInfo), the interface will return rawData and signature at the same time, where signature = sha1(rawData + session_key)
  3. The developer sends signature and rawData to The developer server performs verification. The server uses the user's corresponding session_key to calculate the signature signature2 using the same algorithm, and compares signature and signature2 to verify the integrity of the data.

For example, data verification of wx.getUserInfo:

rawData returned by the interface: 

{
  "nickName": "Band",
  "gender": 1,
  "language": "zh_CN",
  "city": "Guangzhou",
  "province": "Guangdong",
  "country": "CN",
  "avatarUrl": "http://wx.qlogo.cn/mmopen/vi_32/1vZvI39NWFQ9XM4LtQpFrQJ1xlgZxx3w7bQxKARol6503Iuswjjn6nIGBiaycAjAtpujxyzYsrztuuICqIM5ibXQ/0"
}

User’s session-key: 

HyVFkGl5F5OQWJZZaNzBBg==

So, the string used for signature is: 

{"nickName":"Band","gender":1,"language":"zh_CN","city":"Guangzhou","province":"Guangdong","country":"CN","avatarUrl":"http://wx.qlogo.cn/mmopen/vi_32/1vZvI39NWFQ9XM4LtQpFrQJ1xlgZxx3w7bQxKARol6503Iuswjjn6nIGBiaycAjAtpujxyzYsrztuuICqIM5ibXQ/0"}HyVFkGl5F5OQWJZZaNzBBg==

The result obtained by using sha1 is 

75e81ceda165f4ffa64f4068af58c64b8f54b88c

Encrypted data decryption algorithm

Interface if sensitive data is involved (such as openId and unionId in wx.getUserInfo), the plain text content of the interface will not contain these sensitive data. If developers need to obtain sensitive data, they need to symmetrically decrypt the encrypted data (encryptedData) returned by the interface. The decryption algorithm is as follows:

  1. The algorithm used for symmetric decryption is AES-128-CBC, and the data is filled with PKCS#7.
  2. The target ciphertext of symmetric decryption is Base64_Decode(encryptedData),
  3. The symmetric decryption key aeskey = Base64_Decode(session_key), aeskey is 16 bytes
  4. Initial symmetric decryption algorithm Vector iv will be returned in the data interface.

WeChat officially provides sample codes in multiple programming languages ​​(click to download). The interface names are consistent for each language type. You can refer to the example for the calling method.

In addition, in order for the application to verify the validity of the data, we will add a data watermark (watermark) to the sensitive data

watermark parameter description:

QQ截图20170208150911.png

For example, the watermark in the sensitive data of the interface http://www.w3cschool.cn/weixinapp/weixinapp-open.html: 

{
    "openId": "OPENID",
    "nickName": "NICKNAME",
    "gender": GENDER,
    "city": "CITY",
    "province": "PROVINCE",
    "country": "COUNTRY",
    "avatarUrl": "AVATARURL",
    "unionId": "UNIONID",
    "watermark":
    {
        "appid":"APPID",
        "timestamp":TIMESTAMP
    }
}

Note: ## previously provided #EncryptData (encryptData) and the corresponding encryption algorithm will be deprecated. Developers are asked not to rely on the old logic.