Detailed parsing and .NET implementation of the WeChat message body signature and encryption/decryption functions

Source: Internet
Author: User


Preface

WeChat's message body signature and encryption functions have been launched, and plaintext transmission is indeed a security risk: given the large user base of public accounts, they will inevitably become a target. It is therefore better to connect to security mode as soon as possible. Reading the official access guide carefully shows that this security upgrade only covers the dialog-box interaction between users and the public account, so the upgrade is relatively simple. An example follows.


I. Function Analysis

The message body signature and encryption functions have been launched. For security reasons, we strongly recommend that you access the message encryption function as soon as possible to eliminate security risks. For details, see the announcement. The API debugging tool on the public platform fully supports online debugging of Message Body encryption.

Currently, basic messages pushed by the public platform to public accounts, and the response messages sent back by public accounts, carry certain security risks. To better protect the information security of users and public accounts, the public platform will upgrade information security as follows:

1. Message body signature verification is added between the public platform and public accounts.
2. Common messages and event messages pushed to the public account, as well as device messages pushed to the public account, are encrypted. Public accounts must also encrypt their responses to ciphertext messages.

In security mode, the server must decrypt the messages sent by the user, and the messages the public account sends to the user must be encrypted.

The exception is when the public account calls the server interface directly, because HTTPS is already used there.

Our official demo is the Deepleo.Web project; in it, Controllers/WeixinController accepts user messages and replies to them.



II. Steps for Public Account Access

1. Download the official C# encryption/decryption files. I have already included this part in the SDK; see https://github.com/night-king/we... in SDK/Cryptography for details.


2. Modify the Post method of WeixinController. In security mode, the POST request sent from the server only adds two query parameters, encrypt_type and msg_signature (note that this is not the existing signature parameter), so the change is relatively small. encrypt_type=aes indicates that security mode has been enabled for the public account. msg_signature is the signature string we verify when decrypting; it is only used for decryption, and is not required for encryption. The following code is an example.
```csharp
/// <summary>
/// After the user sends a message, the platform automatically POSTs the request here and waits for the XML response.
/// Full version: https://github.com/night-king/we ... WeixinController.cs
/// </summary>
[HttpPost]
[ActionName("Index")]
public ActionResult Post(string signature, string timestamp, string nonce, string echostr)
{
    WeixinMessage message = null;
    // encrypt_type=aes means security mode is enabled for this public account
    var safeMode = Request.QueryString.Get("encrypt_type") == "aes";
    using (var streamReader = new StreamReader(Request.InputStream))
    {
        var decryptMsg = string.Empty;
        var msg = streamReader.ReadToEnd();
        #region Decrypt
        if (safeMode)
        {
            // msg_signature (not signature) is the signature over the ciphertext
            var msg_signature = Request.QueryString.Get("msg_signature");
            var wxBizMsgCrypt = new WXBizMsgCrypt(WeixinConfig.Token, WeixinConfig.EncodingAESKey, WeixinConfig.AppID);
            var ret = wxBizMsgCrypt.DecryptMsg(msg_signature, timestamp, nonce, msg, ref decryptMsg);
            if (ret != 0) // decryption failed
            {
                // TODO: the developer's business logic for a decryption failure.
                // Note: this demo uses log4net to record the failure; any other LogWriter can be used.
                LogWriter.Default.WriteError(string.Format("decrypt message return {0}, request body {1}", ret, msg));
            }
        }
        else
        {
            decryptMsg = msg;
        }
        #endregion
        message = AcceptMessageAPI.Parse(decryptMsg);
    }
    var response = new WeixinExecutor().Execute(message);
    var encryptMsg = string.Empty;
    #region Encrypt
    if (safeMode)
    {
        // msg_signature is not needed here: EncryptMsg computes the signature for the reply itself
        var wxBizMsgCrypt = new WXBizMsgCrypt(WeixinConfig.Token, WeixinConfig.EncodingAESKey, WeixinConfig.AppID);
        var ret = wxBizMsgCrypt.EncryptMsg(response, timestamp, nonce, ref encryptMsg);
        if (ret != 0) // encryption failed
        {
            // TODO: the developer's business logic for an encryption failure
            LogWriter.Default.WriteError(string.Format("encrypt message return {0}, response body {1}", ret, response));
        }
    }
    else
    {
        encryptMsg = response;
    }
    #endregion
    return new ContentResult { Content = encryptMsg, ContentType = "text/xml", ContentEncoding = System.Text.Encoding.UTF8 };
}
```

Note: WXBizMsgCrypt is the official C# version of the AES encryption and decryption class. You can download these files here.

See: https://github.com/night-king/we... WeixinController. cs


3. Public platform background settings. Log on to the public platform background, click Developer Center, and change "message encryption method" to "Security Mode". Because the message body transmitted in compatible mode is three times the size of plaintext mode, while security mode is comparable to plaintext mode, I personally do not recommend using compatible mode; officially, compatible mode is provided for a smooth and secure transition from plaintext mode to security mode. You also need to set EncodingAESKey, that is, the encryption and decryption key of the AES algorithm. Save the settings.
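As an added example (not part of the original post or of the Deepleo SDK), the checks that surround the AES step in a class like WXBizMsgCrypt, written in Python so they can be run stand-alone: the msg_signature verification over token, timestamp, nonce and the Encrypt field, the derivation of the AES key and IV from EncodingAESKey, and the appid check on the decrypted plaintext. The signature rule and the plaintext layout follow the official WeChat message encryption specification rather than this page, and all sample values are constructed.

```python
import base64
import hashlib
import hmac
import struct

def msg_signature(token, timestamp, nonce, encrypt):
    """msg_signature as the platform computes it: SHA1 over the lexicographically
    sorted concatenation of token, timestamp, nonce and the base64 Encrypt field
    (the plain signature parameter, by contrast, omits the Encrypt field)."""
    parts = sorted([token, timestamp, nonce, encrypt])
    return hashlib.sha1("".join(parts).encode("utf-8")).hexdigest()

def verify_msg_signature(token, timestamp, nonce, encrypt, received):
    """True only if the received msg_signature matches; the comparison is
    constant-time so the check does not leak how many characters matched."""
    return hmac.compare_digest(msg_signature(token, timestamp, nonce, encrypt), received)

def derive_aes_key(encoding_aes_key):
    """EncodingAESKey is 43 base64 characters; appending '=' and decoding gives
    the 32-byte AES-256 key, and the CBC IV is the first 16 bytes of that key."""
    if len(encoding_aes_key) != 43:
        raise ValueError("EncodingAESKey must be exactly 43 characters")
    key = base64.b64decode(encoding_aes_key + "=")
    return key, key[:16]

def unpack_plaintext(buf, expected_app_id):
    """Split a decrypted, unpadded buffer laid out as
    random(16) + msg_len(4, big-endian) + msg + appid into (msg, appid),
    refusing the message if the trailing appid is not this account's own."""
    msg_len = struct.unpack(">I", buf[16:20])[0]
    msg = buf[20:20 + msg_len]
    app_id = buf[20 + msg_len:].decode("utf-8")
    if app_id != expected_app_id:
        raise ValueError("appid mismatch: message was not encrypted for this account")
    return msg.decode("utf-8"), app_id

if __name__ == "__main__":
    # Constructed sample values, not real WeChat credentials or traffic
    token, timestamp, nonce = "mytoken", "1409304348", "xxxxxx"
    encrypt = base64.b64encode(b"constructed-ciphertext").decode("ascii")
    sig = msg_signature(token, timestamp, nonce, encrypt)
    print(verify_msg_signature(token, timestamp, nonce, encrypt, sig))        # True
    print(verify_msg_signature(token, timestamp, nonce, encrypt + "x", sig))  # False
    key, iv = derive_aes_key("a" * 42 + "A")
    print(len(key), len(iv))                                                  # 32 16
```

The decrypt step between derive_aes_key and unpack_plaintext is AES-256-CBC with PKCS#7 padding to 32-byte blocks, which the official class performs; verify the signature before decrypting so a forged request is rejected without touching the key.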
