
1. Checking APPID and the Keys of Digital Signature

The partner logs in to the “Alipay Open Portal” (蚂蚁金服开放平台). From the “Administration Center” (https://openhome.alipay.com/platform/manageApp.htm), select any application and click the “check” button on the right side to open the application details page.

2. The Generation of Keys and Explanation of its Format

2.1 Alipay Public Key

The Alipay public key is shown as a string like the following:

MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDI6d306Q8fIfCOaTXyiUeJHkrIvYISRcc73s3vF1ZT7XN8RNPwJxo8pWaJMmvyTn9N4HQ632qJBVHf8sxHi/fEsraprwCtzvzQETrNRwVxLO5jVmRGi60j8Ue1efIlzPXV9je9mkjzOmdssymZkh2QhUrCmZYI/FCEa3/cNMW0QIDAQAB

If the key must be supplied as a file (for example, for the PHP/.NET versions of the SDK), add the header and footer before saving it to the file. For example:

-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDI6d306Q8fIfCOaTXyiUeJHkrIvYISRcc73s3vF1ZT7XN8RNPwJxo8pWaJMmvyTn9N4HQ632qJBVHf8sxHi/fEsraprwCtzvzQETrNRwVxLO5jVmRGi60j8Ue1efIlzPXV9je9mkjzOmdssymZkh2QhUrCmZYI/FCEa3/cNMW0QIDAQAB
-----END PUBLIC KEY-----

2.2 The Public Key for the Application (OpenAPI key)

The OpenAPI key is the public key of each authorized application. The partner sets up a key pair for the application and signs with its private key. API calls require the app_id and the private key. The gateway for this type is OpenAPI (https://openapi.alipay.com/gateway.do).
The configuration is as follows:

  • If uploading for the first time, click the “configure” button. For key generation, please refer to “2.3.steps for public key configuration”.
  • If a key was uploaded before, click the “details” button. The previously uploaded public key can be checked and changed on that page.

2.3 The Private Key of the Partner

Click “Private key of the partner” in the management page to reach the private key of the partner.
When the merchant signs with Alipay, it is granted access rights for the APIs. API calls made by the merchant should normally contain the PID and signature information. The gateway for these API calls is normally mapi (https://mapi.alipay.com/gateway.do). The digital signature for this solution supports RSA and RSA2.
The typical use cases for the partner’s private key are:

  • Quick login
  • Mobile payment
  • Instant payment
  • WAP payment

The configuration is as follows:

  • If uploading for the first time, click the “configure” button. For key generation, please refer to “2.3.1 steps for public key configuration”.
  • If a key was uploaded before, click the “details” button. The previously uploaded key value can be checked and changed on that page.

2.3.1 RSA Key Generation

1. OpenSSL installation

  • Linux (Ubuntu)
    sudo apt-get install openssl
  • Windows
    The developer can download the Windows version of OpenSSL from the official site: https://www.openssl.org/source/

2. RSA key pair generation

  • Linux (Ubuntu)
    # Enter OpenSSL
    $ openssl
    # Generate the private key
    OpenSSL> genrsa -out rsa_private_key.pem 1024
    # Transform the private key into PKCS8 format (printed to the console)
    OpenSSL> pkcs8 -topk8 -inform PEM -in rsa_private_key.pem -outform PEM -nocrypt
    # Generate the public key
    OpenSSL> rsa -in rsa_private_key.pem -pubout -out rsa_public_key.pem
    OpenSSL> exit

  • Windows (run in a cmd window)
    # Enter the OpenSSL directory
    C:\Users\Hammer>cd C:\OpenSSL-Win32\bin
    # Enter OpenSSL
    C:\OpenSSL-Win32\bin>openssl.exe
    # Generate the private key
    OpenSSL> genrsa -out rsa_private_key.pem 1024
    # Transform the private key into PKCS8 format (printed to the console)
    OpenSSL> pkcs8 -topk8 -inform PEM -in rsa_private_key.pem -outform PEM -nocrypt
    # Generate the public key
    OpenSSL> rsa -in rsa_private_key.pem -pubout -out rsa_public_key.pem
    OpenSSL> exit

Notes:
Java developers need to remove the header, footer, and spaces from the PKCS8 private key output in the console. For .NET and PHP developers, the pkcs8 operation is not needed.

After the above steps, two files appear in the current folder (C:\OpenSSL-Win32\bin for Windows): rsa_private_key.pem and rsa_public_key.pem.
The former is the private key and the latter is the public key. The merchant should keep the private key and exchange the public key with Alipay for signature verification. The following examples show the formats of the key pair files.

  • Standard private key file(PHP,.NET)
-----BEGIN RSA PRIVATE KEY-----
(Base64-encoded key body omitted)
-----END RSA PRIVATE KEY-----
  • Standard private key file in PKCS8 format(Java)
-----BEGIN PRIVATE KEY-----
(Base64-encoded key body omitted)
-----END PRIVATE KEY-----
  • Public key file
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDQWiDVZ7XYxa4CQsZoB3n7bfxLDkeGKjyQPt2FUtm4TWX9OYrd523iw6UUqnQ+Evfw88JgRnhyXadp+vnPKP7unormYQAfsM/CxzrfMoVdtwSiGtIJB4pfyRXjA+KL8nIa2hdQy5nLfgPVGZN4WidfUY/QpkddCVXnZ4bAUaQjXQIDAQAB
-----END PUBLIC KEY-----

2.3.2 Upload the public key

Remove the header, footer, and spaces. For example, in PEM format:

-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDQWiDVZ7XYxa4CQsZoB3n7bfxLDkeGKjyQPt2FUtm4TWX9OYrd523iw6UUqnQ+Evfw88JgRnhyXadp+vnPKP7unormYQAfsM/CxzrfMoVdtwSiGtIJB4pfyRXjA+KL8nIa2hdQy5nLfgPVGZN4WidfUY/QpkddCVXnZ4bAUaQjXQIDAQAB
-----END PUBLIC KEY-----

After the processing:

MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDQWiDVZ7XYxa4CQsZoB3n7bfxLDkeGKjyQPt2FUtm4TWX9OYrd523iw6UUqnQ+Evfw88JgRnhyXadp+vnPKP7unormYQAfsM/CxzrfMoVdtwSiGtIJB4pfyRXjA+KL8nIa2hdQy5nLfgPVGZN4WidfUY/QpkddCVXnZ4bAUaQjXQIDAQAB

Upload the key in the required places in “Application public key (open api public key)” and “Partners’ private key”. Please sign with the matching private key of the key pair.

3. Constructing Pre-sign String

1) Choosing the parameters
Get all the parameters and convert them into a set of name-value pairs. Remove those with no value. The “sign” parameter should not be included.

2) Sorting
The name-value pairs are sorted in ascending order of the names. Pairs with duplicate names are sorted in ascending order of the values.

3) Concatenating
Construct the string by concatenating the name-value pairs (‘name=value’) with the ampersand ‘&’.
For example:

REQUEST URL: https://openapi.alipay.com/gateway.do
REQUEST METHOD: POST
CONTENT:
    app_id=2014072300007148
    method=alipay.trade.query
    charset=utf-8
    sign_type=RSA2
    timestamp=2014-07-24 03:07:50
    biz_content={"out_trade_no":"201503022001"}
    sign=e9zEAe4TTQ4LPLQvETPoLGXTiURcxiAKfMVQ6Hrrsx2hmyIEGvSfAQzbLxHrhyZ48wOJXTsD4FPnt+YGdK57+fP1BCbf9rIVycfjhYCqlFhbTu9pFnZgT55W+xbAFb9y7vL0MyAxwXUXvZtQVqEwW7pURtKilbcBTEW7TAxzgro=
    version=1.0

The resulting pre-sign string will be:

app_id=2014072300007148&biz_content={"out_trade_no":"201503022001"}&charset=utf-8&method=alipay.trade.query&sign_type=RSA2&timestamp=2014-07-24 03:07:50&version=1.0

4) Signature Generation
After the pre-sign string is constructed, it is signed with the applicable signature method (e.g. RSA2). The result is the digital signature, which is put into the parameter ‘sign’; the method used is put into the parameter ‘sign_type’. The two parameters ‘sign’ and ‘sign_type’ are appended to the string. Append the resulting string to the base address of Alipay MAPI, then URL encode it to get the final string for the API call.
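Steps 1) to 4) as an added Python example (not Alipay SDK code): it rebuilds the pre-sign string for the request above, signs it, and verifies by re-encoding, taking RSA2 to mean SHA256-with-RSA with PKCS#1 v1.5 padding. The function names are hypothetical, and the toy key and hand-written RSA arithmetic are assumptions made so the example runs offline; a real integration uses the key pair from section 2.3.1 with a vetted RSA library.

```python
import base64
import hashlib

# Constructed toy key (two Mersenne primes) so the example runs offline.
# NOT secure: real keys come from the OpenSSL steps in section 2.3.1.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def build_presign(pairs):
    """Steps 1-3: drop 'sign' and empty values, sort by name then value, join."""
    kept = sorted((k, v) for k, v in pairs if k != "sign" and v not in (None, ""))
    return "&".join(f"{k}={v}" for k, v in kept)

def _encode(message, k):
    """PKCS#1 v1.5 encoding of SHA-256(message) for a k-byte modulus."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    padded = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return int.from_bytes(padded, "big")

def rsa2_sign(presign, n, d, charset="utf-8"):
    """Step 4: Base64 signature over the pre-sign string (assumed SHA256withRSA)."""
    k = (n.bit_length() + 7) // 8
    sig = pow(_encode(presign.encode(charset), k), d, n)
    return base64.b64encode(sig.to_bytes(k, "big")).decode("ascii")

def rsa2_verify(presign, sign_b64, n, e, charset="utf-8"):
    """Rebuild the expected encoding and compare it with sig^e mod n."""
    k = (n.bit_length() + 7) // 8
    sig = base64.b64decode(sign_b64)
    if len(sig) != k:
        return False
    expected = _encode(presign.encode(charset), k)
    return pow(int.from_bytes(sig, "big"), e, n) == expected

# Request parameters from the example above; the 'sign' value is a placeholder.
REQUEST = [
    ("app_id", "2014072300007148"), ("method", "alipay.trade.query"),
    ("charset", "utf-8"), ("sign_type", "RSA2"),
    ("timestamp", "2014-07-24 03:07:50"),
    ("biz_content", '{"out_trade_no":"201503022001"}'),
    ("sign", "constructed-old-signature"), ("version", "1.0"),
]
PRESIGN = build_presign(REQUEST)
SIGN = rsa2_sign(PRESIGN, N, D)
```

The bytes that are signed depend on the ‘charset’ parameter, so both sides must encode the pre-sign string with the same charset before hashing.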

4. Verifying the Signature

After a response is received, the Alipay public key, the pre-sign string and the parameter “sign” are passed to the RSA signature function to perform the signature verification.

1) Construct the string for signature verification
Take only the response content from the JSON, as a string. Normally the values are already sorted in ascending order by the keys of the JSON nodes. The JSON content should include the opening and closing braces “{” and “}”, the quotation marks, etc. If the string contains “http://”, we should escape the ‘/’ first. By default, ‘/’ is already escaped. If the verification fails, please escape the ‘/’ and verify again.
For example, we have the following response:

{"alipay_trade_precreate_response":{"code":"10000","msg":"Success","out_trade_no":"6141161365682511","qr_code":"https:\/\/qr.alipay.com\/bax03206ug0kulveltqc80a8"},"sign":"VrgnnGgRMNApB1QlNJimiOt5ocGn4a4pbXjdoqjHtnYMWPYGX9AS0ELt8YikVAl6LPfsD7hjSyGWGjwaAYJjzH1MH7B2/T3He0kLezuWHsikao2ktCjTrX0tmUfoMUBCxKGGuDHtmasQi4yAoDk+ux7og1J5tL49yWiiwgaJoBE="}

The content to be verified will be:

{"code":"10000","msg":"Success","out_trade_no":"6141161365682511","qr_code":"https:\/\/qr.alipay.com\/bax03206ug0kulveltqc80a8"}
The comma before the “sign” will not be part of this verification.
The value of the sign will be the content within the quotation marks.

2) Call the verification function
Call the verification function, passing in the string to be verified, the Alipay public key, and the signature. The return value indicates whether the verification passed.
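Why the string to verify must be cut from the raw response rather than re-serialized, as an added Python example (not Alipay SDK code): a parse-then-dump round trip drops the ‘\/’ escaping, which is the failure the note about escaping ‘/’ describes. The function names are hypothetical, the sign value is a constructed placeholder, and the code assumes the response node name ends in “_response” as in the sample.

```python
import json

# Constructed from the sample response above; the sign value is a placeholder.
RAW = (r'{"alipay_trade_precreate_response":{"code":"10000","msg":"Success",'
       r'"out_trade_no":"6141161365682511",'
       r'"qr_code":"https:\/\/qr.alipay.com\/bax03206ug0kulveltqc80a8"},'
       r'"sign":"c2FtcGxlLXNpZw=="}')


def split_signed_response(raw):
    """Return (signed_text, sign): the response node exactly as received."""
    doc = json.loads(raw)                      # parsed only to find names and sign
    node = next(k for k in doc if k.endswith("_response"))  # assumed naming
    start = raw.index("{", raw.index('"%s"' % node))
    depth, in_string, i = 0, False, start
    while i < len(raw):
        c = raw[i]
        if in_string:
            if c == "\\":
                i += 1                         # skip the escaped character
            elif c == '"':
                in_string = False
        elif c == '"':
            in_string = True
        elif c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
            if depth == 0:                     # matching brace of the node
                return raw[start:i + 1], doc["sign"]
        i += 1
    raise ValueError("unbalanced response body")


def reserialized(raw):
    """What a parse-then-dump round trip produces for the same node."""
    doc = json.loads(raw)
    node = next(k for k in doc if k.endswith("_response"))
    return json.dumps(doc[node], separators=(",", ":"))
```

The text returned by split_signed_response is what goes to the verification function together with the sign value; the output of reserialized differs from it until every ‘/’ is escaped again.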
