Skip to content

fix: 小程序虚拟支付用户态签名 calcSig 未转小写导致 SIGNATURE_INVALID #3938

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
binarywang merged 2 commits into from
Mar 21, 2026
+76 −1
Merged

fix: 小程序虚拟支付用户态签名 calcSig 未转小写导致 SIGNATURE_INVALID #3938

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
4784f7a
Initial plan
Copilot Mar 20, 2026
67e52cc
修复:小程序虚拟支付用户态签名未转小写导致签名无效
Copilot Mar 20, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion weixin-java-miniapp/src/main/java/cn/binarywang/wx/miniapp/bean/xpay/WxMaXPaySigParams.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -55,7 +55,7 @@ public String calcPaySig(String url, String postBody) {

public String calcSig(String postBody) {
String sk = StringUtils.trimToEmpty(this.sessionKey);
return calcSignature(postBody, sk);
return calcSignature(postBody, sk).toLowerCase();
Copy link

@augmentcode augmentcode bot Mar 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SignUtils.createHmacSha256Sign 在捕获 NoSuchAlgorithmException/InvalidKeyException 时会返回 null,这里直接调用 .toLowerCase() 可能触发 NullPointerException 并改变之前 calcSig 返回 null 的行为。是否需要明确该异常场景下的返回/抛出策略(例如保证非空或显式处理)?

Severity: medium

Fix This in Augment

🤖 Was this useful? React with 👍 or 👎, or 🚀 if it prevented an incident/outage.

}

/**
Expand Down
75 changes: 75 additions & 0 deletions ...-java-miniapp/src/test/java/cn/binarywang/wx/miniapp/bean/xpay/WxMaXPaySigParamsTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,75 @@
package cn.binarywang.wx.miniapp.bean.xpay;

import org.testng.annotations.Test;

import static org.testng.Assert.assertEquals;
import static org.testng.Assert.assertTrue;

/**
* 验证 {@link WxMaXPaySigParams} 签名方法的单元测试。
*
* <p>修复说明:{@link WxMaXPaySigParams#calcSig(String)} 方法计算用户态签名(HMAC-SHA256)后
* 未转小写,导致微信小程序端返回 {@code SIGNATURE_INVALID -15005} 错误。
* 修复方案与 {@link WxMaXPaySigParams#calcPaySig(String, String)} 保持一致,
* 在返回前调用 {@code .toLowerCase()}。
*
* @author GitHub Copilot
*/
public class WxMaXPaySigParamsTest {

private static final String SESSION_KEY = "your_session_key";
private static final String APP_KEY = "your_app_key";
private static final String POST_BODY = "{\"openid\":\"oHoSt5abc123\",\"env\":1}";
private static final String URL = "https://api.weixin.qq.com/xpay/query_user_balance";

/**
* 验证 calcSig 返回值全部为小写十六进制字符,不包含大写字母。
*/
@Test
public void testCalcSigReturnsLowerCase() {
WxMaXPaySigParams sigParams = WxMaXPaySigParams.builder()
.sessionKey(SESSION_KEY)
.appKey(APP_KEY)
.build();

String sig = sigParams.calcSig(POST_BODY);

assertTrue(sig.equals(sig.toLowerCase()),
"calcSig 返回值应为全小写,当前值: " + sig);
}

/**
* 验证 calcPaySig 返回值全部为小写十六进制字符,不包含大写字母。
*/
@Test
public void testCalcPaySigReturnsLowerCase() {
WxMaXPaySigParams sigParams = WxMaXPaySigParams.builder()
.sessionKey(SESSION_KEY)
.appKey(APP_KEY)
.build();

String paySig = sigParams.calcPaySig(URL, POST_BODY);

assertTrue(paySig.equals(paySig.toLowerCase()),
"calcPaySig 返回值应为全小写,当前值: " + paySig);
}

/**
* 验证 calcSig 与 calcPaySig 的返回值均为有效的 HMAC-SHA256 十六进制字符串(64 个字符)。
*/
@Test
public void testCalcSigIsValidHexString() {
WxMaXPaySigParams sigParams = WxMaXPaySigParams.builder()
.sessionKey(SESSION_KEY)
.appKey(APP_KEY)
.build();

String sig = sigParams.calcSig(POST_BODY);
String paySig = sigParams.calcPaySig(URL, POST_BODY);

assertEquals(sig.length(), 64, "HMAC-SHA256 签名应为 64 个十六进制字符");
Copy link

@augmentcode augmentcode bot Mar 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

这里的测试目前只覆盖了“小写/长度/hex 格式”,如果实现意外返回固定的 64 位小写 hex 常量也会通过。可以考虑针对固定输入断言具体签名值(例如与 SignUtils.createHmacSha256Sign(...) 的小写结果一致),从而同时覆盖算法/拼接逻辑的正确性。

Severity: low

Fix This in Augment

🤖 Was this useful? React with 👍 or 👎, or 🚀 if it prevented an incident/outage.

assertEquals(paySig.length(), 64, "HMAC-SHA256 pay_sig 应为 64 个十六进制字符");
assertTrue(sig.matches("[0-9a-f]+"), "calcSig 返回值应只含小写十六进制字符");
assertTrue(paySig.matches("[0-9a-f]+"), "calcPaySig 返回值应只含小写十六进制字符");
}
}
Loading