签名说明
- 签名对 url + method + 业务参数 进行统一签名,防止重放和篡改
- 客户端js对加密逻辑和appSecret进行混淆加密处理,增加破解难度
- 客户端本地存储appid 和 appSecret 字段名,使用无意义字段,比如:nihao,wohao,dajiahao
- 文件上传接口不进行签名,后期统一处理,签文件md5值。
名词解释:
- appid: 统一分配的唯一标示 ,比如 ximaiwu_h5
- nonce 随机字符串,每次重新生成,位数32位以上,推荐使用随机数+本地唯一值+用户唯一值参与计算
- timestamp: 当前的时间戳 (10位时间戳,单位是秒)
- signature: 最后生成的签名字符串
重要数据
- appSecret: 统一分配的与唯一标示配对的密钥, 比如 E8yUMwLTOJWvdCsDuwIMup7R1dyxIHcE, 加密保存,不能泄露,不能在接口参数中传递
// 加密处理函数 返回处理过的请求数据 var Jia_Mi = function (obj, url, method) { var Url = url //接口地址 var $method = method; //请求方式 var arr = [] //对象转数组处理 for (let v in obj) { arr.push({ key: v, value: obj[v] }) } // console.log('arr', JSON.stringify(arr, null, 2)); //首字母排序,生成一个按key首字母排序的升序数组 arr.sort(function (s, t) { var a = s.key.toLowerCase(); var b = t.key.toLowerCase(); if (a < b) return -1; if (a > b) return 1; return 0; }) console.log(arr, 2222) //使用 & 符号,将所有 key 和 value 连接起来, var arrstr = Url + $method for (var i in arr) { //遍历数组 arrstr += arr[i].key + '=' + arr[i].value + "&" } // arr.forEach(function (e) { // arrstr += e.key + '=' + e.value + "&" // }) //使用 RFC 3986 编码格式的 urlencode , 将字符串统一编码 arrstr = arrstr.slice(0, -1) console.log(arrstr, 22223333) arrstr = rawurlencode(arrstr); $appSecret = 'E8yUMwLTOJWvdCsDuwIMup7R1dyxIHcE'; //密钥,严格保存,字段名称无意义,混淆使用过程,跟appid 是配对使用的,不要在接口参数中传输 //使用算法 var sha1_result = CryptoJS.HmacSHA1(arrstr, $appSecret).toString(CryptoJS.enc.Base64); //第一个参数为加密字符串,第二个参数为公共秘钥 console.log(sha1_result, 44444, ) var $data = { "appid": obj.appid, "nonce": obj.nonce, "timestamp": obj.timestamp, "signature": sha1_result } return $data; }
/** * 加密过程中涉及到的处理方法urlcode编码 rfc 3986 urlencode * @param { * RFC 3986 编码格式的 urlencode , 将字符串统一编码} */ function rawurlencode(str = "") { const replaceList = [ { reg: /!/g, value: '%21' }, { reg: /\*/g, value: '%2A' }, { reg: /\(/g, value: '%28' }, { reg: /\)/g, value: '%29' }, { reg: /'/g, value: '%21' }, ]; let resStr = encodeURIComponent(str); replaceList.forEach(({ reg, value }) => { resStr = resStr.replace(reg, value); }); return resStr; }
/* 加密过程中涉及到的处理方法 CryptoJS sha1加密,可以直接引用Crypto-js CryptoJS v3.1.2 code.google.com/p/crypto-js (c) 2009-2013 by Jeff Mott. All rights reserved. code.google.com/p/crypto-js/wiki/License 加密算法 */ var CryptoJS = CryptoJS || function (g, l) { var e = {}, d = e.lib = {}, m = function () {}, k = d.Base = { extend: function (a) { m.prototype = this; var c = new m; a && c.mixIn(a); c.hasOwnProperty("init") || (c.init = function () { c.$super.init.apply(this, arguments) }); c.init.prototype = c; c.$super = this; return c }, create: function () { var a = this.extend(); a.init.apply(a, arguments); return a }, init: function () {}, mixIn: function (a) { for (var c in a) a.hasOwnProperty(c) && (this[c] = a[c]); a.hasOwnProperty("toString") && (this.toString = a.toString) }, clone: function () { return this.init.prototype.extend(this) } }, p = d.WordArray = k.extend({ init: function (a, c) { a = this.words = a || []; this.sigBytes = c != l ? c : 4 * a.length }, toString: function (a) { return (a || n).stringify(this) }, concat: function (a) { var c = this.words, q = a.words, f = this.sigBytes; a = a.sigBytes; this.clamp(); if (f % 4) for (var b = 0; b < a; b++) c[f + b >>> 2] |= (q[b >>> 2] >>> 24 - 8 * (b % 4) & 255) << 24 - 8 * ((f + b) % 4); else if (65535 < q.length) for (b = 0; b < a; b += 4) c[f + b >>> 2] = q[b >>> 2]; else c.push.apply(c, q); this.sigBytes += a; return this }, clamp: function () { var a = this.words, c = this.sigBytes; a[c >>> 2] &= 4294967295 << 32 - 8 * (c % 4); a.length = g.ceil(c / 4) }, clone: function () { var a = k.clone.call(this); a.words = this.words.slice(0); return a }, random: function (a) { for (var c = [], b = 0; b < a; b += 4) c.push(4294967296 * g.random() | 0); return new p.init(c, a) } }), b = e.enc = {}, n = b.Hex = { stringify: function (a) { var c = a.words; a = a.sigBytes; for (var b = [], f = 0; f < a; f++) { var d = c[f >>> 2] >>> 24 - 8 * (f % 4) & 255; b.push((d >>> 4).toString(16)); b.push((d & 15).toString(16)) } return b.join("") }, parse: function (a) { for (var c = a.length, b = [], f = 0; f < c; f += 2) b[f >>> 3] |= parseInt(a.substr(f, 2), 16) << 24 - 4 * (f % 8); return new p.init(b, c / 2) } }, j = b.Latin1 = { stringify: function (a) { var c = a.words; a = a.sigBytes; for (var b = [], f = 0; f < a; f++) b.push(String.fromCharCode(c[f >>> 2] >>> 24 - 8 * (f % 4) & 255)); return b.join("") }, parse: function (a) { for (var c = a.length, b = [], f = 0; f < c; f++) b[f >>> 2] |= (a.charCodeAt(f) & 255) << 24 - 8 * (f % 4); return new p.init(b, c) } }, h = b.Utf8 = { stringify: function (a) { try { return decodeURIComponent(escape(j.stringify(a))) } catch (c) { throw Error("Malformed UTF-8 data"); } }, parse: function (a) { return j.parse(unescape(encodeURIComponent(a))) } }, r = d.BufferedBlockAlgorithm = k.extend({ reset: function () { this._data = new p.init; this._nDataBytes = 0 }, _append: function (a) { "string" == typeof a && (a = h.parse(a)); this._data.concat(a); this._nDataBytes += a.sigBytes }, _process: function (a) { var c = this._data, b = c.words, f = c.sigBytes, d = this.blockSize, e = f / (4 * d), e = a ? g.ceil(e) : g.max((e | 0) - this._minBufferSize, 0); a = e * d; f = g.min(4 * a, f); if (a) { for (var k = 0; k < a; k += d) this._doProcessBlock(b, k); k = b.splice(0, a); c.sigBytes -= f } return new p.init(k, f) }, clone: function () { var a = k.clone.call(this); a._data = this._data.clone(); return a }, _minBufferSize: 0 }); d.Hasher = r.extend({ cfg: k.extend(), init: function (a) { this.cfg = this.cfg.extend(a); this.reset() }, reset: function () { r.reset.call(this); this._doReset() }, update: function (a) { this._append(a); this._process(); return this }, finalize: function (a) { a && this._append(a); return this._doFinalize() }, blockSize: 16, _createHelper: function (a) { return function (b, d) { return (new a.init(d)).finalize(b) } }, _createHmacHelper: function (a) { return function (b, d) { return (new s.HMAC.init(a, d)).finalize(b) } } }); var s = e.algo = {}; return e }(Math); (function () { var g = CryptoJS, l = g.lib, e = l.WordArray, d = l.Hasher, m = [], l = g.algo.SHA1 = d.extend({ _doReset: function () { this._hash = new e.init([1732584193, 4023233417, 2562383102, 271733878, 3285377520]) }, _doProcessBlock: function (d, e) { for (var b = this._hash.words, n = b[0], j = b[1], h = b[2], g = b[3], l = b[4], a = 0; 80 > a; a++) { if (16 > a) m[a] = d[e + a] | 0; else { var c = m[a - 3] ^ m[a - 8] ^ m[a - 14] ^ m[a - 16]; m[a] = c << 1 | c >>> 31 } c = (n << 5 | n >>> 27) + l + m[a]; c = 20 > a ? c + ((j & h | ~j & g) + 1518500249) : 40 > a ? c + ((j ^ h ^ g) + 1859775393) : 60 > a ? c + ((j & h | j & g | h & g) - 1894007588) : c + ((j ^ h ^ g) - 899497514); l = g; g = h; h = j << 30 | j >>> 2; j = n; n = c } b[0] = b[0] + n | 0; b[1] = b[1] + j | 0; b[2] = b[2] + h | 0; b[3] = b[3] + g | 0; b[4] = b[4] + l | 0 }, _doFinalize: function () { var d = this._data, e = d.words, b = 8 * this._nDataBytes, g = 8 * d.sigBytes; e[g >>> 5] |= 128 << 24 - g % 32; e[(g + 64 >>> 9 << 4) + 14] = Math.floor(b / 4294967296); e[(g + 64 >>> 9 << 4) + 15] = b; d.sigBytes = 4 * e.length; this._process(); return this._hash }, clone: function () { var e = d.clone.call(this); e._hash = this._hash.clone(); return e } }); g.SHA1 = d._createHelper(l); g.HmacSHA1 = d._createHmacHelper(l) })(); (function () { var g = CryptoJS, l = g.enc.Utf8; g.algo.HMAC = g.lib.Base.extend({ init: function (e, d) { e = this._hasher = new e.init; "string" == typeof d && (d = l.parse(d)); var g = e.blockSize, k = 4 * g; d.sigBytes > k && (d = e.finalize(d)); d.clamp(); for (var p = this._oKey = d.clone(), b = this._iKey = d.clone(), n = p.words, j = b.words, h = 0; h < g; h++) n[h] ^= 1549556828, j[h] ^= 909522486; p.sigBytes = b.sigBytes = k; this.reset() }, reset: function () { var e = this._hasher; e.reset(); e.update(this._iKey) }, update: function (e) { this._hasher.update(e); return this }, finalize: function (e) { var d = this._hasher; e = d.finalize(e); d.reset(); return d.finalize(this._oKey.clone().concat(e)) } }) })();
/** * 生成uuid * * UUid: 通用唯一识别码(Universally Unique Identifier)的缩写,是一种软件建构的标准,亦为开放软件 * 基金会组织在分布式计算环境领域的一部分。其目的,是让分布式系统中的所有元素,都能有唯一的辨识信息, * 而不需要通过中央控制端来做辨识信息的指定。如此一来,每个人都可以创建不与其它人冲突的UUID。在这样的情 * 况下,就不需考虑数据库创建时的名称重复问题。目前最广泛应用的UUID,是微软公司的全局唯一标识符(GUID) * ,而其他重要的应用,则有Linux ext2/ext3文件系统、LUKS加密分区、GNOME、KDE、Mac OS X等等。另外我们 * 也可以在e2fsprogs包中的UUID库找到实现。 * UUID是由一组32个16进制数字所构成,因此UUID理论上的总数为:3.4*10^38,也就是说若每纳秒产生1兆个uuid, * 需要花100亿年才能用完所有的uuid,所以它是唯一的,不必担心重复。 * 在JavaScript中生成uuid的代码如下,这个函数会直接给你返回uuid,所以直接调用,然后用变量接收即可! * */ function get_UUID(uid) { var d = uid || new Date().getTime(); // 默认根据时间戳生成, 如果有用户uid可以使用用户uid生成,原则上生成标识码要具有唯一性 console.log(d) if (window.performance && typeof window.performance.now === "function") { d += performance.now(); //use high-precision timer if available } var uuid = 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, function (c) { var r = (d + Math.random() * 16) % 16 | 0; d = Math.floor(d / 16); return (c == 'x' ? r : (r & 0x3 | 0x8)).toString(16); }); return uuid; }
// 封装请求函数 function _ajax(method, url, param) { var nonce = get_UUID(JSON.parse(window.localStorage.getItem('browser_user_info')).uid) // 获取唯一标识码 console.log(nonce) //请求数据 $buildData = { appid: 'daofengdj_h5', nonce: nonce,//'8fa14cdd754f91cc6554c9e71929cce7', timestamp: 1517564053, }; $buildData = $.extend(true, $buildData, param); //第一个参数设为true表示深复制 需要引入jquery console.log($buildData,99999999999) $buildData = Jia_Mi($buildData, url, method) return new Promise(function (resolve, reject) { $.ajax({ type: method, url: url, data: $buildData || "", dataType: "json", success: function (response) { resolve(response) }, error: function (error) { reject(error); }, }); }); }
//参数 $params = { area_num: '86', mobile: '18610642891', }; // 执行demo 三个参数 method url params(请求参数) _ajax('GET','/sms/get/',$params).then(function(data){ console.log('resolved成功回调'); console.log('成功回调接受的值:',data); }).catch(function(reason, data){ console.log('catch到rejected失败回调'); console.log('catch失败执行回调抛出失败原因:',reason); });