Signature verification

TIP

The merchant can verify the signature of the response or callback by following the steps below.

If the request signature of the verified merchant is correct, tokenpay includes the reply signature in the HTTP header of the reply. We recommend that merchants verify the response signature.

Similarly, tokenpay includes the signature of the callback packet in the HTTP header of the callback. The merchant must verify the signature of the callback to ensure that the callback was sent by tokenpay.

Concatenate

Firstly, the merchant obtains the following information from the response.

  • Reply timestamp in HTTP header TTPay-Timestamp.

  • Reply to a random string in the HTTP header TTPay-Nonce.

  • Response Body, check the interface according to the order returned by the interface. An incorrect order will cause the check failure.

The signature string has three lines, one parameter per action. The line ends with \n (line break, The ASCII encoding value is 0x0A), and don't add \n on the last line. If the parameter itself ends in \n , you also need to attach an \n.

Reply timestamp\n
Reply random string\n
Reply message body

For example, an HTTP reply message is as follows:

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 02 Apr 2019 12:59:40 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 2204
Connection: keep-alive
Keep-Alive: timeout=8
Content-Language: zh-CN
TTPay-Nonce: c5ac7061fccab6bf3e254dcf98995b8c
TTPay-Signature: CtcbzwtQjN8rnOXItEBJ5aQFSnIXESeV28Pr2YEmf9wsDQ8Nx25ytW6FXBCAFdrr0mgqngX3AD9gNzjnNHzSGTPBSsaEkIfhPF4b8YRRTpny88tNLyprXA0GU5ID3DkZHpjFkX1hAp/D0fva2GKjGRLtvYbtUk/OLYqFuzbjt3yOBzJSKQqJsvbXILffgAmX4pKql+Ln+6UPvSCeKwznvtPaEx+9nMBmKu7Wpbqm/+2ksc0XwjD+xlvlECkCxfD/OJ4gN3IurE0fpjxIkvHDiinQmk51BI7zQD8k1znU7r/spPqB+vZjc5ep6DC5wZUpFu5vJ8MoNKjCu8wnzyCFdA==
TTPay-Timestamp: 1554209980
Cache-Control: no-cache, must-revalidate

{"app_id":"xxxx"}

Then the signature string is

1554209980
c5ac7061fccab6bf3e254dcf98995b8c
{"app_id":"xxxx"}

Reply

The tokenpay reply signature is transmitted through the HTTP header TTPay-Signature. (Note: Example because typesetting may contain line breaks, the actual data should be on one line)

CtcbzwtQjN8rnOXItEBJ5aQFSnIXESeV28Pr2YEmf9wsDQ8Nx25ytW6FXBCAFdrr0mgqngX3AD9gNzjnNHzSGTPBSsaEkIfhPF4b8YRRTpny88tNLyprXA0GU5ID3DkZHpjFkX1hAp/D0fva2GKjGRLtvYbtUk/OLYqFuzbjt3yOBzJSKQqJsvbXILffgAmX4pKql+Ln+6UPvSCeKwznvtPaEx+9nMBmKu7Wpbqm/+2ksc0XwjD+xlvlECkCxfD/OJ4gN3IurE0fpjxIkvHDiinQmk51BI7zQD8k1znU7r/spPqB+vZjc5ep6DC5wZUpFu5vJ8MoNKjCu8wnzyCFdA==

Judgment

Use the method of AES-256-ECB to generate signatures (You can reference signature generation). The generated signature is compared with the reply signature. If not, the data is tampered with.

PreviousSignature generationNextDecrypt callback

Last updated