Appearance
API签名
为了防止API调用过程中被黑客恶意篡改,调用任何一个API都需要携带签名,TOP服务端会根据请求参数,对签名进行验证,签名不合法的请求将会被拒绝。TOP目前支持的签名算法有: MD5(本接口通用参数里面sign_method的值为md5),签名大体过程如下:
对所有API请求参数(包括公共参数和业务参数,但除去sign参数和byte[]类型的参数),根据参数名称的ASCII码表的顺序排序。如:foo=1, bar=2, foo_bar=3, foobar=4排序后的顺序是bar=2, foo=1, foo_bar=3, foobar=4。
将排序好的参数名和参数值拼装在一起,根据上面的示例得到的结果为:bar2foo1foo_bar3foobar4
把拼装好的字符串采用utf-8编码,使用签名算法对编码后的字节流进行摘要。如果使用MD5算法,则需要在拼装的字符串前后加上app的secret后,再进行摘要,如:md5(secret+bar2foo1foo_bar3foobar4+secret)
将摘要得到的字节流结果使用十六进制表示,如: hex(“helloworld”.getBytes(“utf-8”)) = “68656C6C6F776F726C64”
说明:MD5是128位长度的摘要算法,用16进制表示,一个十六进制的字符能表示4个位,所以签名后的字符串长度固定为32个十六进制字符。
算法
JAVA代码示例
java
public static String signTopRequest(Map params, String secret, String signMethod) throws IOException {
// 第一步:检查参数是否已经排序
String[] keys = params.keySet().toArray(new String[0]);
Arrays.sort(keys);
// 第二步:把所有参数名和参数值串在一起
StringBuilder query = new StringBuilder();
if ("md5".equals(signMethod)) {
query.append(secret);
}
for (String key : keys) {
String value = params.get(key);
if (StringUtils.areNotEmpty(key, value)) {
query.append(key).append(value);
}
}
// 第三步:使用MD5/HMAC加密
byte[] bytes;
if ("hmac".equals(signMethod)) {
bytes = encryptHMAC(query.toString(), secret);
} else {
query.append(secret);
bytes = encryptMD5(query.toString());
}
// 第四步:把二进制转化为大写的十六进制
return byte2hex(bytes);
}
public static byte[] encryptHMAC(String data, String secret) throws IOException {
byte[] bytes = null;
try {
SecretKey secretKey = new SecretKeySpec(secret.getBytes("UTF-8"), "HmacMD5");
Mac mac = Mac.getInstance(secretKey.getAlgorithm());
mac.init(secretKey);
bytes = mac.doFinal(data.getBytes("UTF-8"));
} catch (GeneralSecurityException gse) {
throw new IOException(gse.toString());
}
return bytes;
}
public static byte[] encryptMD5(String data) throws IOException {
return encryptMD5(data.getBytes("UTF-8"));
}
private static byte[] encryptMD5(byte[] bytes) throws IOException {
MessageDigest md = null;
try {
md = MessageDigest.getInstance("MD5");
} catch (NoSuchAlgorithmException e) {
throw new IOException(e.toString());
}
return md.digest(bytes);
}
public static String byte2hex(byte[] bytes) {
StringBuilder sign = new StringBuilder();
for (int i = 0; i < bytes.length; i++) {
String hex = Integer.toHexString(bytes[i] & 0xFF);
if (hex.length() == 1) {
sign.append("0");
}
sign.append(hex.toUpperCase());
}
return sign.toString();
}IOS代码示例
js
#import "JAVAToOC.h" #import <CommonCrypto/CommonDigest.h> @implementation
JAVAToOC + (NSString *)signToRequest:(NSDictionary *)params secret:(NSString
*)secret signMethod:(NSString *)signMethod { //第一步:参数按ASCII码表排序 NSArray
*keys = params.allKeys; NSStringCompareOptions comparisonOptions =NSCaseInsensitiveSearch|NSNumericSearch|
NSWidthInsensitiveSearch|NSForcedOrderingSearch; NSComparator sort = ^(NSString
*obj1,NSString *obj2){ NSRange range =NSMakeRange(0,obj1.length); return
[obj1 compare:obj2 options:comparisonOptions range:range]; }; NSArray *keysSort
= [keys sortedArrayUsingComparator:sort]; //第二步:把所有参数名和参数串在一起 NSMutableString
*appendStr = [[NSMutableString alloc] init]; if ([@"md5" isEqualToString:signMethod])
{ [appendStr appendString:secret]; } for (NSString *key in keysSort) {
NSString *value = params[key]; if (value) { [appendStr appendString:[NSString
stringWithFormat:@"%@%@",key,value]]; } } // 第三步:使用MD5加密 [appendStr appendString:secret];
NSString *md5Result = [self md5HexDigest:appendStr]; return md5Result;
} //MARK - md5加密 + (NSString *) md5HexDigest:(NSString *)str { const char
*original_str = [str UTF8String]; unsigned char result[CC_MD5_DIGEST_LENGTH];
CC_MD5(original_str, strlen(original_str), result); NSMutableString *hash
= [NSMutableString string]; for (int i = 0; i
< 16; i++) [hash appendFormat:@ "%02X", result[i]]; return [hash uppercaseString];
} @endPHP代码示例:
js
public function getSign($params, $secret, $signMethod){
$str = $secret;
//先将参数以其参数名的字典序升序进行排序
ksort($params);
//遍历排序后的参数数组中的每一个key/value对
foreach ($params as $k => $v) {
//为key/value对生成一个key=value格式的字符串,并拼接到待签名字符串后面
if( empty($v) ){
continue;
}
$str .= "$k$v";
}
//将签名密钥拼接到签名字符串最后面
if("md5" == $signMethod){
$str .= $secret;
}
//通过md5算法为签名字符串生成一个md5签名,该签名就是我们要追加的sign参数值
//结果转大写
return strtoupper(md5($str));
}
public function testGetSign(){
$param['user_pwd_md5'] = "2d0d5b96848610b2138cee1d9ed19388";
$param['method'] = "jimi.oauth.token.get";
$param['format'] = "json";
$param['app_key'] = "C1DDF4C4D506C60892C977D35785315B";
$param['user_id'] = "TEST";
$param['v'] = "1.0";
$param['expires_in'] = "7200";
$param['timestamp'] = "2019-07-16 11:52:00";
$param['sign_method'] = "md5";
$secret = "9aae0ac796f14c42a3bdad403bfc1883";
$signMethod = "md5";
$str = $this->getSign($param, $secret, $signMethod);
dump($str);
}