
WeChat Mini Program API: user data signature verification and decryption


May 19, 2021 WeChat Mini Program Development Document



Signature verification and decryption of user data


Data signature checks

To ensure the security of open interfaces that return user data, WeChat signs the clear-text data. Developers can verify the signature of these packets, as their business needs require, to ensure the integrity of the data.

  1. The signature check algorithm involves the user's session_key. The developer obtains the user's session_key through the wx.login login process and maintains, on the developer server, its correspondence with the application's own login state.
  2. When data is obtained by calling an interface such as wx.getUserInfo, the interface returns rawData and signature, where signature = sha1(rawData + session_key).
  3. The developer sends signature and rawData to the developer server for verification. The server computes signature2 with the same algorithm and the user's session_key, then compares signature with signature2 to verify the integrity of the data.

Such as the data check of wx.getUserInfo:

RawData returned by the interface:

{
  "nickName": "Band",
  "gender": 1,
  "language": "zh_CN",
  "city": "Guangzhou",
  "province": "Guangdong",
  "country": "CN",
  "avatarUrl": "http://wx.qlogo.cn/mmopen/vi_32/1vZvI39NWFQ9XM4LtQpFrQJ1xlgZxx3w7bQxKARol6503Iuswjjn6nIGBiaycAjAtpujxyzYsrztuuICqIM5ibXQ/0"
}

The user's session_key:

HyVFkGl5F5OQWJZZaNzBBg==

Therefore, the string used to sign is:

{"nickName":"Band","gender":1,"language":"zh_CN","city":"Guangzhou","province":"Guangdong","country":"CN","avatarUrl":"http://wx.qlogo.cn/mmopen/vi_32/1vZvI39NWFQ9XM4LtQpFrQJ1xlgZxx3w7bQxKARol6503Iuswjjn6nIGBiaycAjAtpujxyzYsrztuuICqIM5ibXQ/0"}HyVFkGl5F5OQWJZZaNzBBg==

The sha1 result is:

75e81ceda165f4ffa64f4068af58c64b8f54b88c

Encrypted data decryption algorithm

If the interface involves sensitive data, such as openId and unionId in wx.getUserInfo, the clear-text content returned by the interface will not contain that sensitive data. Developers who need it must symmetrically decrypt the encrypted data (encryptedData) returned by the interface. The decryption algorithm is as follows:

  1. The symmetric decryption algorithm is AES-128-CBC, with PKCS#7 padding.
  2. The ciphertext to decrypt is Base64_Decode(encryptedData).
  3. The symmetric decryption key is aesKey = Base64_Decode(session_key); aesKey is 16 bytes.
  4. The initial vector (IV) for the symmetric decryption is also returned by the interface together with the data.

WeChat officially provides sample code for several programming languages (click to download). The interface names are consistent across the languages; refer to the sample for how to call them.

In addition, so that the validity of the decrypted data can be checked, a data watermark (watermark) is added to the sensitive data.

Watermark parameter description:

  parameter   type     description
  watermark   OBJECT   Data watermark
  appid       String   The AppID that the sensitive data belongs to; developers can check that it matches their own AppID
  timestamp   DateInt  The time at which the sensitive data was obtained; developers can use it to check the freshness of the data

Interface wx.getUserInfo Watermark in sensitive data:

{
    "openId": "OPENID",
    "nickName": "NICKNAME",
    "gender": GENDER,
    "city": "CITY",
    "province": "PROVINCE",
    "country": "COUNTRY",
    "avatarUrl": "AVATARURL",
    "unionId": "UNIONID",
    "watermark":
    {
        "appid":"APPID",
        "timestamp":TIMESTAMP
    }
}

Note: The previously provided encrypted data (encryptData) and its corresponding encryption algorithm will be deprecated; please stop relying on the old logic.