为了让企业确认调用来自腾讯会议,腾讯会议在回调时,会在 Header 中带上消息签名,以参数 signature 为标识,企业需要验证此参数的正确性后再解码数据。
验证步骤
1. 计算签名:
dev_signature = sha1(sort(token、timestamp、nonce、data))
说明:
sort 的含义是将参数值按照字母字典排序,然后从小到大拼接成一个字符串,最后再进行 sha1 加密得到最终的签名串。
2. 比较 dev_signature 和 signature 是否相等,相等则表示验证通过。
验证示例
1. 将 token、timestamp、nonce、data 这四个参数值以字符串类型按照字典序排序:
nonce:"14964161"timestamp:"1609239040864"token:"bVPU6F8Htxxxxxxxp3jGV2xWp"data:"eyJldmVudCI6Im1lZXRpbmcuY3JlYXRlZCIsInVuaXF1ZV9zZXF1ZW5jZSI6ImYyMDA5NmVlLThhYzgtNGRmMi1hN2RlLTA1NzQ2NDlmMjExYiIsInBheWxvYWQiOlt7Im9wZXJhdGVfdGltZSI6IjIwMjAtMTItMjkgMTc6NDE6MDYiLCJvcGVyYXRvciI6eyJ1c2VyaWQiOiJ0ZXN0ZXIwMDAwNmJhNWJhYjMzOTg1OGMxM2M5MzBjY2E5NTY4NCJ9LCJtZWV0aW5nX2luZm8iOnsibWVldGluZ19pZCI6IjYwNTg4OTAzODU0ODA5MjEwNTIiLCJtZWV0aW5nX2NvZGUiOiI1MzA4MTI0NTIiLCJzdWJqZWN0IjoibWVkaWEgdGVzdGVyIG1lZXRpbmciLCJjcmVhdG9yX2lkIjoidGVzdGVyMDAwMDZiYTViYWIzMzk4NThjMTNjOTMwY2NhOTU2ODQiLCJob3N0cyI6WyJ0ZXN0ZXIwMDAwNmJhNWJhYjMzOTg1OGMxM2M5MzBjY2E5NTY4NCJdLCJtZWV0aW5nX3R5cGUiOjAsInN0YXJ0X3RpbWUiOiIyMDIwLTEyLTI5IDE3OjQxOjA0IiwiZW5kX3RpbWUiOiIyMDIwLTEyLTI5IDE4OjAxOjA0In19XX0"
说明:
字符串的拼接不是固定排序,请以实际参数值按照字典序排序。
2. 拼接成一个字符串:
sort_str="149641611609239040864bVPU6F8Htxl5XkAbp3jGV2xWpeyJldmVudCI6Im1lZXRpbmcuY3JlYXRlZCI
3. 对该字符串进行 sha1 计算得到签名:
signature = sha1(sort_str) = "b11e507817336a91d7df0c8536ee2aca18bbbae8"
4. 对比从 Header 中得到的签名和上述计算的签名是否一致,若一致则签名通过,说明数据来源于腾讯会议且未被篡改,是安全的。
签名代码示例
import ("bytes""crypto/sha1""fmt""sort")// 生成签名func CalSignature(token, timestamp, nonce, data string) string {sortArr := []string{token, timestamp, nonce, data}sort.Strings(sortArr)var buffer bytes.Bufferfor _, value := range sortArr {buffer.WriteString(value)}sha := sha1.New()sha.Write(buffer.Bytes())signature := fmt.Sprintf("%x", sha.Sum(nil))return signature}
import java.security.MessageDigest;import java.util.Arrays;public class Sha1Util {// 生成签名public static String calSignature(String token, String timestamp, String nonce, String data) {String[] arr = new String[]{token, timestamp, nonce, data};Arrays.sort(arr);StringBuffer sb = new StringBuffer();for (int i = 0; i < arr.length; i++) {sb.append(arr[i]);}return getSha1(sb.toString());}// sha1签名算法public static String getSha1(String str) {if (str == null || str.length() == 0) {return null;}char hexDigits[] = { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' };try {MessageDigest mdTemp = MessageDigest.getInstance("SHA1");mdTemp.update(str.getBytes("UTF-8"));byte[] md = mdTemp.digest();int j = md.length;char buf[] = new char[j * 2];int k = 0;for (int i = 0; i < j; i++) {byte byte0 = md[i];buf[k++] = hexDigits[byte0 >>> 4 & 0xf];buf[k++] = hexDigits[byte0 & 0xf];}return new String(buf);} catch (Exception e) {return null;}}}
#include <stdio.h>#include <string>#include <algorithm>#include <openssl/sha.h>std::string CalSignature(const std::string &token, const std::string ×tamp, const std::string &nonce, const std::string &data){std::string sortArr[] = {token, timestamp, nonce, data};sort(sortArr, sortArr+4);std::string buffer;for (int i = 0; i < 4; i++)buffer += sortArr[i];printf("%s\\n", buffer.c_str());unsigned char obuf[21] = {0};SHA1((unsigned char *)buffer.c_str(), buffer.length(), obuf);char hexbuf[41] = {0};for(int i = 0; i < 20; i++)sprintf(&hexbuf[2*i], "%02x", obuf[i]);return std::string(hexbuf);}
function calSignature($data, $timestamp, $nonce, $token){$list = [$data, $timestamp, $nonce, $token];sort($list,SORT_STRING);$signature = sha1(implode('', $list));return $signature;}
import hashlibdef cal_signature(token, timestamp, nonce, data):vars = [token,timestamp,nonce,data]vars.sort()delimiter=''s = delimiter.join(vars)sign = hashlib.sha1(str.encode(s)).hexdigest()return sign
