
Wasin Thonkaew 2018-05-30


Hey guys!


Hope you have a great weekend. This time let's touch on a sysadmin topic, as there was an important announcement from Tencent's WeChat payment.



I hope this blog comes at just the right moment. Around two months ago Tencent officially announced that it will enforce a new HTTPS certificate for WeChat payment, as the current certificates will expire on 23 August 2018. Tencent wants to make sure we have enough time to update our servers.


Failing to do so might result in errors when calling the payment API. So we'd better prepare.


    What Do We Need to Do?


From the guideline, here I list out what we need to get done.


Basically we need to


  1. Verify whether we actually need to install the root CA certificate provided by WeChat payment on our server.

    This is done by calling an API, which can easily be done from the command line, i.e. with curl etc. But the official recommendation is to use your development environment and programming language to call it in code. If the result is SUCCESS, there is no need to perform No.2.

  2. If the verification in No.1 failed, your server does not know about that certificate. You need to install it on your server manually, then repeat No.1 to verify, to be 100% sure that your server acknowledges the update.


So I will show you how to verify our server for No.1 according to the official guideline, and for No.2 how to list and install the certificate on your server. Read along!


    1. Verification


I have implemented the verification code following the guideline closely, so you can jump right in and use it.


  1. Clone the repo abzico/wepayCertVerify to your server

  2. Configure your merchant platform key and merchant number in the apitest.js file. See the corresponding comments inside the source file.

  3. Execute node apitest.js


A successful result looks similar to the following.


<xml>
    <return_code><![CDATA[SUCCESS]]></return_code>
    <return_msg><![CDATA[ok]]></return_msg>
    <sandbox_signkey><![CDATA[aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa]]></sandbox_signkey>
</xml>


Note that the value inside sandbox_signkey will be used for other payment APIs later. If you see SUCCESS then you're good to go; no further action is needed.


See the next two sub-sections on how to get the merchant platform key and merchant number.


∆ How to Get Merchant Platform Key

Log in to https://pay.weixin.qq.com, then go to 账户中心 -> API安全 -> API密钥, where you can set your key.

The key is a 32-character string. You can easily generate such a value with the following openssl command before entering it.

openssl rand -hex 16 | awk '{print toupper($0)}'

# example result -> FC961C981C9C44A9D38CA8C674422469


∆ How to Get Merchant Number


When you have successfully applied for WeChat payment, the system will send you an e-mail with credential information, which you need to keep safe.


∆ Further Explanation for What's Happening Behind The Scene


You can skip this section if you don't want to know the details. The vital part of the verification is its signature generation. The guideline linked above describes concisely how the process goes. WeChat payment uses this mechanism across its ecosystem whenever an API needs to be supplied with a signature over all of the input parameters. I think it's neither too simple nor too hard.


It's not meant to be an unbeatable encryption algorithm. It's meant to be used as a hash for checking whether a packet has been tampered with, and that check happens at the backend side; WeChat payment's backend, of course. Yes, we can think of it as a checksum.


It also involves a random string and depends on the input content, although it does not always involve a timestamp, so consecutive data packets are unlikely to hash to the same final MD5 or SHA256 hexadecimal string.


The steps to generate a signature are as follows


  1. Sort the parameter names by ASCII code in lexicographic order

  2. Concatenate all parameter names and their values in the format param1=value1&param2=value2...

  3. Append &key=192006250b4c09247ec02edce69f6a2d to the result from step 2, where key is your merchant platform key. See ∆ How to Get Merchant Platform Key.

  4. Hash with MD5

  5. Convert to uppercase

  6. Done, you have a signature


Beware: from my testing, hashing with SHA-256, although it gives the correct result matching the test case shown in the guideline, did not work when executed against the API. So stick with MD5 for now, across all payment APIs.


    2. List & Install Certificate (if 1. failed)


By now you've verified with the method in No.1 and it failed. So you have to manually install the certificate on your server.


I'll show you how to not just install but also list the certificates installed on your server, for Ubuntu 16.04 and CentOS 7.


First of all, download one of the following root CA certificate files (choose one only)


∆ Ubuntu 16.04


  • List
    List all root CA certificates using the following command (thanks to Stéphane Chazelas)

    awk -v cmd='openssl x509 -noout -subject' ' /BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt

  • Install
    Follow the instructions here. In short, you need to convert the .pem file to a .crt file, then configure the system so it knows the path from which to add that certificate.


∆ CentOS 7


  • List
    You can manually take a peek at /etc/ssl/certs/ca-bundle.crt and search for the exact name of the certificate, namely "DigiCert Global Root CA" (or "Baltimore CyberTrust Root CA"). CentOS keeps certificate names as comments inside the file as well, so we can take advantage of this.

    Otherwise, we can follow the same approach as on Ubuntu above, using the following command (thanks to Nathan Basanese)

    awk -v cmd='openssl x509 -noout -subject' ' /BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-bundle.crt

  • Install
    Follow the instructions here.


When done with the installation, repeat the steps in No.1 to verify that it all works, to be 100% sure. Finally, we're done updating our server according to the official announcement.




That's it for this week's blog. It's always good to be prepared and get our servers ready for changes introduced by the platform.


Thank you for reading!

See you next week as usual.


Follow us for more

