SignVerification
Mirroring the signing logic, when PingPong acts as the requester and sends you a notification or responds to your request, it signs the message with PingPong's secret key. After you receive such a message, you need to run the signature verification logic to confirm that the message is authentic.
The signature verification of a request message is divided into two steps:
- Generate the original signature string.
- Verification.
Generate the original signature string
Remove the sign value from the Request Body and Request Header, concatenate the remaining parameters in the form key1value1key2value2, then append the app_secret at the end.
The parameters are arranged in ascending order according to the first letter.
All parameters with non-null values participate in the signature, except those that the documentation explicitly marks as not participating:
The Sign Value From Request Header
Parameter | Description | Participates in signature |
---|---|---|
appId | Provided by PingPong. | M |
timestamp | Current timestamp (milliseconds) | M |
sign | Encrypted generated signature | O |
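Verification
Take the sign from the Request Body and call the signature verification method.
Sample code:
```java
// string2SHA256 and log are defined elsewhere in the integration (not shown here).
private void checkSign(String str, String sign) throws Exception {
    // str is the original signature string built in the previous step
    String digest = string2SHA256(str);
    log.info(digest);
    // digest.equals(sign) also rejects a missing (null) sign instead of raising an NPE
    if (!digest.equals(sign)) {
        throw new Exception("sign is incorrect");
    }
}
```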
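The two steps above as one runnable flow, added here as an example and not PingPong's own code. The class and method names are hypothetical, and the example assumes a lowercase hex SHA-256 digest over UTF-8 bytes, keys sorted by Java's natural String order, and a constant-time comparison in place of `equals`.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.TreeMap;

public class SignVerifyExample {
    // Step 1: key1value1key2value2... in ascending key order, then app_secret.
    static String buildSignString(Map<String, String> params, String appSecret) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : new TreeMap<String, String>(params).entrySet()) {
            if ("sign".equals(e.getKey()) || e.getValue() == null) {
                continue; // sign itself and null values do not participate
            }
            sb.append(e.getKey()).append(e.getValue());
        }
        return sb.append(appSecret).toString();
    }

    // Assumption: the signature is the lowercase hex SHA-256 of the UTF-8 bytes.
    static String sha256Hex(String s) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder();
        for (byte b : d) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    // Step 2: recompute and compare without leaking timing information.
    static boolean verify(Map<String, String> params, String appSecret) throws Exception {
        String received = params.get("sign");
        if (received == null) return false;
        byte[] expected = sha256Hex(buildSignString(params, appSecret)).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, received.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values; amount and remark are hypothetical body fields.
        Map<String, String> p = new TreeMap<String, String>();
        p.put("appId", "demo-app");
        p.put("timestamp", "1700000000000");
        p.put("amount", "10.00");
        p.put("remark", null); // null value is skipped
        p.put("sign", sha256Hex(buildSignString(p, "demo-secret")));
        System.out.println("untouched: " + verify(p, "demo-secret"));
        p.put("amount", "99.00"); // tamper after signing
        System.out.println("tampered:  " + verify(p, "demo-secret"));
    }
}
```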