PHP、Java、C#实现URI参数签名算法,确保应用与REST服务器之间的
简介 应用基于HTTP POST或HTTP GET请求发送Open API调用请求时,为了确保应用与REST服务器之间的安全通信,防止Secret Key盗用、数据篡改等恶意攻击行为,REST服务器使用了参数签名机制。应用在调用Open API之前,需要为其所有请求参数计算一个MD5签名,并追
简介
应用基于HTTP POST或HTTP GET请求发送Open API调用请求时,为了确保应用与REST服务器之间的安全通信,防止Secret Key盗用、数据篡改等恶意攻击行为,REST服务器使用了参数签名机制。应用在调用Open API之前,需要为其所有请求参数计算一个MD5签名,并追加到请求参数中,参数名为“sign”。REST服务器在接收到请求时会重新计算签名,并判断其值是否与应用传递过来的sign参数值一致,以此判定当前Open API调用请求是否是被第三者伪造或篡改。
应用在调用Open API之前需要通过 OAuth2.0服务获得用户或平台的授权,获取到授权后将会拿到以下3个重要参数:
- access_token:基于https调用Open API时所需要的访问授权码;
- session_key:基于http调用Open API时所需要的访问授权码;
- session_secret:基于http调用Open API时计算参数签名用的签名密钥。
其中,session_secret这个参数就是做参数签名时所需要的签名密钥。这与Facebook、人人网等平台稍微有所区别,这两个平台在做参数签名时所用的签名密钥一般有2个:
- 如果是通过应用服务端调用Open API,则注册应用时所拿到的应用密钥(即API Key)就是参数签名密钥;
- 如果是通过JavaScript、ActionScript等客户端语言调用Open API,则应用获取到用户授权后所拿到的Session Secret就是参数签名密钥。当然,通过服务端调用Open API时也可以用Session Secret作为签名密钥。
签名算法
假设参与参数签名计算的请求参数分别是“k1”、“k2”、“k3”,它们的值分别是“v1”、“v2”、“v3”,则参数签名计算方法如下:
- 将请求参数格式化为“key=value”格式,即“k1=v1”、“k2=v2”、“k3=v3”;
- 将格式化好的参数键值对以字典序升序排列后,拼接在一起,即“k1=v1k2=v2k3=v3”;
- 在拼接好的字符串末尾追加上应用通过OAuth2.0协议获取Access Token时所获取到的session_secret参数值;
- 上述字符串的MD5值即为签名的值。
注意:计算签名时的请求参数中不要包含sign(签名)参数,因为sign参数的值此时还不知道,有待计算。
另外,计算签名的时候不需要对参数进行urlencode处理(“application/x-www-form-urlencoded”编码),但是发送请求的时候需要进行urlencode处理,这是很多开发者最容易犯错的地方。
签名过程示例
假设某个应用需要获取某个uid为67411167的用户的基本资料,应用在之前的通过OAuth2.0服务获取Access Token的过程中所拿到的session_key和session_secret参数值分别为:
- session_key: "9XNNXe66zOlSassjSKD5gry9BiN61IUEi8IpJmjBwvU07RXP0J3c4GnhZR3GKhMHa1A="
- session_secret: "27e1be4fdcaa83d7f61c489994ff6ed6"
调用Open API时的系统时间(PHP中可以通过date('Y-m-d H:i:s')来获取当前系统时间)为"2011-06-21 17:18:09",希望REST服务器以JSON格式返回调用结果,即相当于参与参数签名计算的请求参数集合为:
<span>[
</span>"session_key" => "9XNNXe66zOlSassjSKD5gry9BiN61IUEi8IpJmjBwvU07RXP0J3c4GnhZR3GKhMHa1A="<span>,
</span>"timestamp" => "2011-06-21 17:18:09"<span>,
</span>"format" => "json"<span>,
</span>"uid" => 67411167<span>
]</span>则计算签名的具体过程如下:
- 将请求参数格式化为“key=value”格式,格式化后的请求参数集合为:
<span> [
</span>"session_key=9XNNXe66zOlSassjSKD5gry9BiN61IUEi8IpJmjBwvU07RXP0J3c4GnhZR3GKhMHa1A="<span>,
</span>"timestamp=2011-06-21 17:18:09"<span>,
</span>"format=json"<span>,
</span>"uid=67411167"<span>
]</span>- 将格式化好的参数键值对以字典序升序排列,得到如下参数集:
<span> [
</span>"format=json"<span>,
</span>"session_key=9XNNXe66zOlSassjSKD5gry9BiN61IUEi8IpJmjBwvU07RXP0J3c4GnhZR3GKhMHa1A="<span>,
</span>"timestamp=2011-06-21 17:18:09"<span>,
</span>"uid=67411167"<span>
]</span>- 将前面排序好的参数集拼接在一起,得到如下字符串:
format<span>=</span>jsonsession_key<span>=</span>9XNNXe66zOlSassjSKD5gry9BiN61IUEi8IpJmjBwvU07RXP0J3c4GnhZR3GKhMHa1A<span>=</span>timestamp<span>=</span><span>2011</span><span>-</span><span>06</span><span>-</span><span>21</span> <span>17</span><span>:</span><span>18</span><span>:</span>09uid<span>=</span><span>67411167</span>
- 在拼接好的字符串末尾追加上应用通过OAuth2.0协议获取Access Token时所获取到的session_secret参数值,得到如下字符串:
format<span>=</span>jsonsession_key<span>=</span>9XNNXe66zOlSassjSKD5gry9BiN61IUEi8IpJmjBwvU07RXP0J3c4GnhZR3GKhMHa1A<span>=</span>timestamp<span>=</span><span>2011</span><span>-</span><span>06</span><span>-</span><span>21</span> <span>17</span><span>:</span><span>18</span><span>:</span>09uid<span>=</span>6741116727e1be4fdcaa83d7f61c489994ff6ed6
- 对前面得到的字符串求MD5签名,得到的d24dd357a95a2579c410b3a92495f009就是调用API时所需要的sign参数值。
接下来便可以通过HTTP POST方法或HTTP GET方法请求Open API的REST服务器,进行接口调用了,如:
GET /rest/2.0/passport/users/getInfo?session_key=9XNNXe66zOlSassjSKD5gry9BiN61IUEi8IpJmjBwvU07RXP0J3c4GnhZR3GKhMHa1A%3D×tamp=2011-06-21+17%3A18%3A09&format=json&uid=67411167&sign=d24dd357a95a2579c410b3a92495f009 HTTP/1.1<span> Host: openapi.baidu.com User</span>-<span>Agent: Client of Baidu Open Platform Accept: </span>*<span>/*</span><span> Accept-Encoding: gzip,deflate Accept-Charset: utf-8 Connection: close 或 POST /rest/2.0/passport/users/getInfo HTTP/1.1 Host: openapi.baidu.com User-Agent: Client of Baidu Open Platform Accept: </span><span>*/</span>*<span> Accept</span>-<span>Encoding: gzip,deflate Accept</span>-Charset: utf-8<span> Content</span>-Length: 179<span> Connection: close session_key</span>=9XNNXe66zOlSassjSKD5gry9BiN61IUEi8IpJmjBwvU07RXP0J3c4GnhZR3GKhMHa1A%3D×tamp=2011-06-21+17%3A18%3A09&format=json&uid=67411167&sign=d24dd357a95a2579c410b3a92495f009
签名算法实现代码
PHP代码实现
获取签名的PHP代码实现方式如下所示:
<span>/*</span><span>*
* 签名生成算法
* @param array $params API调用的请求参数集合的关联数组,不包含sign参数
* @param string $secret 签名的密钥即获取access token时返回的session secret
* @return string 返回参数签名值
</span><span>*/</span>
<span>function</span> getSignature(<span>$params</span>, <span>$secret</span><span>)
{
</span><span>$str</span> = ''; <span>//</span><span>待签名字符串
//先将参数以其参数名的字典序升序进行排序</span>
<span>ksort</span>(<span>$params</span><span>);
</span><span>//</span><span>遍历排序后的参数数组中的每一个key/value对</span>
<span>foreach</span> (<span>$params</span> <span>as</span> <span>$k</span> => <span>$v</span><span>) {
</span><span>//</span><span>为key/value对生成一个key=value格式的字符串,并拼接到待签名字符串后面</span>
<span>$str</span> .= "<span>$k</span>=<span>$v</span>"<span>;
}
</span><span>//</span><span>将签名密钥拼接到签名字符串最后面</span>
<span>$str</span> .= <span>$secret</span><span>;
</span><span>//</span><span>通过md5算法为签名字符串生成一个md5签名,该签名就是我们要追加的sign参数值</span>
<span>return</span> <span>md5</span>(<span>$str</span><span>);
}</span>
调用示例:
<span>$uid</span> = 67411167<span>;
</span><span>$params</span> = <span>array</span><span>(
</span>"session_key" => "9XNNXe66zOlSassjSKD5gry9BiN61IUEi8IpJmjBwvU07RXP0J3c4GnhZR3GKhMHa1A=",
"timestamp" => "2011-06-21 17:18:09",
"format" => "json",
"uid" => <span>$uid</span>,<span>
);
</span><span>$sign</span> = getSignature(<span>$params</span>, "27e1be4fdcaa83d7f61c489994ff6ed6");Java代码实现
获取签名的java代码实现方式如下所示:
<span>/**</span><span>
* 签名生成算法
* </span><span>@param</span><span> HashMap<string> params 请求参数集,所有参数必须已转换为字符串类型
* </string></span><span>@param</span><span> String secret 签名密钥
* </span><span>@return</span><span> 签名
* </span><span>@throws</span><span> IOException
</span><span>*/</span>
<span>public</span> <span>static</span> String getSignature(HashMap<string> params, String secret) <span>throws</span><span> IOException
{
</span><span>//</span><span> 先将参数以其参数名的字典序升序进行排序</span>
Map<string string> sortedParams = <span>new</span> TreeMap<string string><span>(params);
Set</span><entry string>> entrys =<span> sortedParams.entrySet();
</span><span>//</span><span> 遍历排序后的字典,将所有参数按"key=value"格式拼接在一起</span>
StringBuilder basestring = <span>new</span><span> StringBuilder();
</span><span>for</span> (Entry<string string><span> param : entrys) {
basestring.append(param.getKey()).append(</span>"="<span>).append(param.getValue());
}
basestring.append(secret);
</span><span>//</span><span> 使用MD5对待签名串求签</span>
<span>byte</span>[] bytes = <span>null</span><span>;
</span><span>try</span><span> {
MessageDigest md5 </span>= MessageDigest.getInstance("MD5"<span>);
bytes </span>= md5.digest(basestring.toString().getBytes("UTF-8"<span>));
} </span><span>catch</span><span> (GeneralSecurityException ex) {
</span><span>throw</span> <span>new</span><span> IOException(ex);
}
</span><span>//</span><span> 将MD5输出的二进制结果转换为小写的十六进制</span>
StringBuilder sign = <span>new</span><span> StringBuilder();
</span><span>for</span> (<span>int</span> i = 0; i ) {
String hex = Integer.toHexString(bytes[i] & 0xFF<span>);
</span><span>if</span> (hex.length() == 1<span>) {
sign.append(</span>"0"<span>);
}
sign.append(hex);
}
</span><span>return</span><span> sign.toString();
}</span></string></entry></string></string></string>
注意:计算签名时所有参数的key和value都必须先转换为对应的字符串类型,因为在HTTP请求中传递的内容都是字符串类型的,很多开发者都因为没注意到这点,直接将非字符串类型的参数的二进制值传递了进去,结果导致签名与服务端计算的不一致而出错。
C#代码实现
获取签名的C#代码实现方式如下所示:
<span>///</span> <span><summary></summary></span>
<span>///</span><span> 计算参数签名
</span><span>///</span> <span></span>
<span>///</span> <span><param name="params"></span><span>请求参数集,所有参数必须已转换为字符串类型</span><span></span>
<span>///</span> <span><param name="secret"></span><span>签名密钥</span><span></span>
<span>///</span> <span><returns></returns></span><span>签名</span><span></span>
<span>public</span> <span>static</span> <span>string</span> getSignature(IDictionarystring, <span>string</span>> parameters, <span>string</span><span> secret)
{
</span><span>//</span><span> 先将参数以其参数名的字典序升序进行排序</span>
IDictionarystring, <span>string</span>> sortedParams = <span>new</span> SortedDictionarystring, <span>string</span>><span>(parameters);
IEnumerator</span><keyvaluepair>string, <span>string</span>>> iterator=<span> sortedParams.GetEnumerator();
</span><span>//</span><span> 遍历排序后的字典,将所有参数按"key=value"格式拼接在一起</span>
StringBuilder basestring= <span>new</span><span> StringBuilder();
</span><span>while</span><span> (iterator.MoveNext()) {
</span><span>string</span> key =<span> iterator.Current.Key;
</span><span>string</span> value =<span> iterator.Current.Value;
</span><span>if</span> (!<span>string</span>.IsNullOrEmpty(key) && !<span>string</span><span>.IsNullOrEmpty(value)){
basestring.Append(key).Append(</span><span>"</span><span>=</span><span>"</span><span>).Append(value);
}
}
basestring.Append(secret);
</span><span>//</span><span> 使用MD5对待签名串求签</span>
MD5 md5 =<span> MD5.Create();
</span><span>byte</span>[] bytes =<span> md5.ComputeHash(Encoding.UTF8.GetBytes(basestring.ToString()));
</span><span>//</span><span> 将MD5输出的二进制结果转换为小写的十六进制</span>
StringBuilder result = <span>new</span><span> StringBuilder();
</span><span>for</span> (<span>int</span> i = <span>0</span>; i ) {
<span>string</span> hex = bytes[i].ToString(<span>"</span><span>x</span><span>"</span><span>);
</span><span>if</span> (hex.Length == <span>1</span><span>) {
result.Append(</span><span>"</span><span>0</span><span>"</span><span>);
}
result.Append(hex);
}
</span><span>return</span><span> result.ToString();
}</span></keyvaluepair>服务器接受请求后,同样对参数进行签名,如果签名相同则数据没有被修改或者丢失。
注意:计算签名时所有参数的key和value都必须先转换为对应的字符串类型,因为在HTTP请求中传递的内容都是字符串类型的,很多开发者都因为没注意到这点,直接将非字符串类型的参数的二进制值传递了进去,结果导致签名与服务端计算的不一致而出错。
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
PHP 8.4 Installation and Upgrade guide for Ubuntu and Debian
Dec 24, 2024 pm 04:42 PM
PHP 8.4 brings several new features, security improvements, and performance improvements with healthy amounts of feature deprecations and removals. This guide explains how to install PHP 8.4 or upgrade to PHP 8.4 on Ubuntu, Debian, or their derivati
How To Set Up Visual Studio Code (VS Code) for PHP Development
Dec 20, 2024 am 11:31 AM
Visual Studio Code, also known as VS Code, is a free source code editor — or integrated development environment (IDE) — available for all major operating systems. With a large collection of extensions for many programming languages, VS Code can be c
How do you parse and process HTML/XML in PHP?
Feb 07, 2025 am 11:57 AM
This tutorial demonstrates how to efficiently process XML documents using PHP. XML (eXtensible Markup Language) is a versatile text-based markup language designed for both human readability and machine parsing. It's commonly used for data storage an
PHP Program to Count Vowels in a String
Feb 07, 2025 pm 12:12 PM
A string is a sequence of characters, including letters, numbers, and symbols. This tutorial will learn how to calculate the number of vowels in a given string in PHP using different methods. The vowels in English are a, e, i, o, u, and they can be uppercase or lowercase. What is a vowel? Vowels are alphabetic characters that represent a specific pronunciation. There are five vowels in English, including uppercase and lowercase: a, e, i, o, u Example 1 Input: String = "Tutorialspoint" Output: 6 explain The vowels in the string "Tutorialspoint" are u, o, i, a, o, i. There are 6 yuan in total
Break or return from Java 8 stream forEach?
Feb 07, 2025 pm 12:09 PM
Java 8 introduces the Stream API, providing a powerful and expressive way to process data collections. However, a common question when using Stream is: How to break or return from a forEach operation? Traditional loops allow for early interruption or return, but Stream's forEach method does not directly support this method. This article will explain the reasons and explore alternative methods for implementing premature termination in Stream processing systems. Further reading: Java Stream API improvements Understand Stream forEach The forEach method is a terminal operation that performs one operation on each element in the Stream. Its design intention is
7 PHP Functions I Regret I Didn't Know Before
Nov 13, 2024 am 09:42 AM
If you are an experienced PHP developer, you might have the feeling that you’ve been there and done that already.You have developed a significant number of applications, debugged millions of lines of code, and tweaked a bunch of scripts to achieve op
Create the Future: Java Programming for Absolute Beginners
Oct 13, 2024 pm 01:32 PM
Java is a popular programming language that can be learned by both beginners and experienced developers. This tutorial starts with basic concepts and progresses through advanced topics. After installing the Java Development Kit, you can practice programming by creating a simple "Hello, World!" program. After you understand the code, use the command prompt to compile and run the program, and "Hello, World!" will be output on the console. Learning Java starts your programming journey, and as your mastery deepens, you can create more complex applications.
Java Made Simple: A Beginner's Guide to Programming Power
Oct 11, 2024 pm 06:30 PM
Java Made Simple: A Beginner's Guide to Programming Power Introduction Java is a powerful programming language used in everything from mobile applications to enterprise-level systems. For beginners, Java's syntax is simple and easy to understand, making it an ideal choice for learning programming. Basic Syntax Java uses a class-based object-oriented programming paradigm. Classes are templates that organize related data and behavior together. Here is a simple Java class example: publicclassPerson{privateStringname;privateintage;
