3.3安全规范

## 一.RSA(SHA1WithRSA)签名逻辑

A.签名字符串为除了sign之外的其他非空字段组成键值对

B.所有参与签名的字段，按字段名的ASCII码从小到大排序后，使用URL的键值对的格式(即key1=value1&key2=value2)拼接成字符串string
如appid=00000051
cusid=990581007426001
randomstr=82712208
signtype=RSA
trxid=112094120001088317
version=11
排序后的字符串：
string=”appid=00000051&cusid=990581007426001&randomstr=82712208&signtype=RSA&trxid=112094120001088317&version=11”;

C.用商户的RSA私钥进行签名
sign=SybUtil.rsaSign(string,cusRsaPrivateKey,”utf-8”);
如测试私钥
cusRsaPrivateKey=”MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAJgHMGYsspghvP+yCbjLG43CkZuQ3YJyDcmEKxvmgblITfmiTPx2b9Y2iwDT9gnLGExTDm1BL2A8VzMobjaHfiCmTbDctu680MLmpDDkVXmJOqdlXh0tcLjhN4+iDA2KkRqiHxsDpiaKT6MMBuecXQbJtPlVc1XjVhoUlzUgPCrvAgMBAAECgYAV9saYTGbfsdLOF5kYo0dve1JxaO7dFMCcgkV+z2ujKtNmeHtU54DlhZXJiytQY5Dhc10cjb6xfFDrftuFcfKCaLiy6h5ETR8jyv5He6KH/+X6qkcGTkJBYG1XvyyFO3PxoszQAs0mrLCqq0UItlCDn0G72MR9/NuvdYabGHSzEQJBAMXB1/DUvBTHHH4LiKDiaREruBb3QtP72JQS1ATVXA2v6xJzGPMWMBGQDvRfPvuCPVmbHENX+lRxMLp39OvIn6kCQQDEzYpPcuHW/7h3TYHYc+T0O6z1VKQT2Mxv92Lj35g1XqV4Oi9xrTj2DtMeV1lMx6n/3icobkCQtuvTI+AcqfTXAkB6bCz9NwUUK8sUsJktV9xJN/JnrTxetOr3h8xfDaJGCuCQdFY+rj6lsLPBTnFUC+Vk4mQVwJIE0mmjFf22NWW5AkAmsVaRGkAmui41Xoq52MdZ8WWm8lY0BLrlBJlvveU6EPqtcZskWW9KiU2euIO5IcRdpvrB6zNMgHpLD9GfMRcPAkBUWOV/dH13v8V2Y/Fzuag/y5k3/oXi/WQnIxdYbltad2xjmofJ7DbB7MJqiZZD8jlr8PCZPwRNzc5ntDStc959”,
则上面字符串加密后的
sign=”ce6EAOj4rhoBMJM5MJCNG4qQ/CVMTWkoRuSGpSzRAnD3U3V5QyHkQUEej2eZXRaa+qSbw2/IJJSPV0sPuAia1+ccb7OnvxyZqkV9wQyimX6qAMz0K+UWFhQ5McCcQ/XsFhhezoVd5QgL7PtdvuK1AtjuzA3J9yzNmwuPssPnKnc=”;

D.请求接口成功后通联系统返回JSON字符串数据，把除sign之外的其他所有非空字段组成键值对，进行同样的排序和组装处理，并用通联的公钥进行验签
通联RSA测试公钥：
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDYXfu4b7xgDSmEGQpQ8Sn3RzFgl5CE4gL4TbYrND4FtCYOrvbgLijkdFgIrVVWi2hUW4K0PwBsmlYhXcbR+JSmqv9zviVXZiym0lK3glJGVCN86r9EPvNTusZZPm40TOEKMVENSYaUjCxZ7JzeZDfQ4WCeQQr2xirqn6LdJjpZ5wIDAQAB
通联RSA生产公钥：
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCm9OV6zH5DYH/ZnAVYHscEELdCNfNTHGuBv1nYYEY9FrOzE0/4kLl9f7Y9dkWHlc2ocDwbrFSm0Vqz0q2rJPxXUYBCQl5yW3jzuKSXif7q1yOwkFVtJXvuhf5WRy+1X5FOFoMvS7538No0RpnLzmNi3ktmiqmhpcY/1pmt20FHQQIDAQAB

通联RSA2测试公钥：
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtL+QFEiZGkCtI9GSoGNNpCY1zIRSZyS3CA7UCULFYC27/tJZcsfVxapiC7QSFkSMCvJ+GCd0DpmamIHINkOYV+xUYGAM9Jz85X9tSgeihFiP0IrkU1sBiJNxsRj1giCSbTbw5IgBlAwNbnElu4tgDwnFpSRv2VcdzU9BvObXkFGO7eZKS7FFqV/q6NYoLKZ1MZE/EitFLh0EjooUo189u4veb5SXp0OIz13pqEhklpXrZdT7h6CI9NIiHFWurjQ2Z1tAIypPtyCtZATlseBTu+bqPNrjAQieMTOi83O9JkHv4POHyrwo2yQnxu3NKXXyJVFNDuHmygsTzDmfZCJfvwIDAQAB
通联RSA2生产公钥：
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7Ll8kJJqjwzz9IoSZ2QBup3WqoV5uuJ0A4cB3Led9AiB2SBFT6hwVowPQ8g+l+8OqBzgcAi8SARr6IdkBb5GTx96zSIiCNHEr/Xc63oBqAVgOs6+0WuwccTApRhUg6nvn++au9EFT6MODO50GRdpudHcpO3YomriKLWojhSOCjKawPF81eW6s1eyL0KtnKrgLZx32G0cAJDv3NOkVazgh3eSJrwdE2bH5j74Fu38Q7mlF/nhckqklCnTbyd6ia8i+40yocMe1+IYHeBz5t8RRXeon9f+gXXshpjbiqsPAp0XQ6MJdLpLZu89NBWLJyOrPXe1UYQ82rgxDVDHrboUQwIDAQAB

## 二.SM2国密签名逻辑

A.签名字符串为除了sign之外的其他非空字段组成键值对

B.所有参与签名的字段，按字段名的ASCII码从小到大排序后，使用URL的键值对的格式(即key1=value1&key2=value2)拼接成字符串string
如appid=00000051
cusid=990581007426001
randomstr=75016315
signtype=SM2
trxid=112094120001088317
version=11
排序后的字符串：
string=”appid=00000051&cusid=990581007426001&randomstr=75016315&signtype=SM2&trxid=112094120001088317&version=11”;

C.用商户的SM2私钥进行签名
先获取私钥明文PrivateKey privkey = SmUtil.privKeySM2FromBase64Str(SM2PPRIVATEKEY);
sign=SmUtil.signSM3SM2RetBase64(privkey,appid, string.getBytes("UTF-8"));//签名;
如测试私钥
SM2PPRIVATEKEY=”MIGTAgEAMBMGByqGSM49AgEGCCqBHM9VAYItBHkwdwIBAQQgNqz1EieIP8QVzV7vEmx5e8f7XN7/MIzoeXgEinxcG0agCgYIKoEcz1UBgi2hRANCAAQNfkEgaCQ4cdZ4aD2LWMcnkk5LALQfL05oY8x8XQDIyUM44N15YcTwtFNvHYgyeNRa93vlEUutp935n6rp4yuf”,
则上面字符串加密后的
sign=”m4ki0xZ+19LtqjuyG8Qb0ytD3Q8B166mboCeg+6Ar1Z4XmQB14LrcfddkM121EbroDDnJ17bbJAH/S+8jus9iQ==”;

D.请求接口成功后通联系统返回JSON字符串数据，把除sign之外的其他所有非空字段组成键值对，进行同样的排序和组装处理，并用通联的公钥进行验签
通联测试公钥：
MFkwEwYHKoZIzj0CAQYIKoEcz1UBgi0DQgAE/BnA8BawehBtH0ksPyayo4pmzL/u1FQ2sZcqwOp6bjVqQX4tjo930QAvHZPJ2eez8sCz/RYghcqv4LvMq+kloQ==
通联生产公钥：
MFkwEwYHKoZIzj0CAQYIKoEcz1UBgi0DQgAEBQicgWm0KAMqhO3bdqMUEDrKQvYg8cCXHhdGwq7CGE6oJDzJ1P/94HpuVdBf1KidmPxr7HOH+0DAnpeCcx9TcQ==

附：详细签名及验签可参考对应java开发demo的SybUtil.unionSign及SybUtil.validSign统一签名及统一验签工具方法。