Notes on WeChat Pay and QQ Connect integration problems

1. Handling the WeChat Pay certificate

1.1 Background

Integrating WeChat Pay and calling its enterprise payment interface, through which WeChat Pay transfers money to individual users.

1.2 Issue Description

The WeChat Pay enterprise payment interface documentation https://pay.weixin.qq.com/wiki/doc/api/tools/mch_pay.php?chapter=14_2 states that this interface "requires a two-way (mutual) certificate", but does not explain how the certificate is to be used.

The WeChat Pay security specification document https://pay.weixin.qq.com/wiki/doc/api/tools/mch_pay.php?chapter=4_3 says that "among the WeChat Pay interfaces, those involving fund rollback use the API certificate, including the refund and reversal interfaces"; it does not state that the enterprise payment interface requires the certificate.

So when the WeChat Pay enterprise payment interface was called without the certificate, the call returned "certificate error, please log in to the WeChat Pay merchant platform to download the certificate."

1.3 Analysis

Using Fiddler to call the WeChat Pay enterprise payment interface https://api.mch.weixin.qq.com/mmpaymkttransfers/promotion/transfers with a POST request, the result is as follows:

Using a Java program to access the WeChat Pay enterprise payment interface through SSLSocket, the SSL debug output shows the following:

*** CertificateRequest

Warning: no suitable certificate found - continuing without client authentication

*** Certificate chain

<Empty>

***

From the above it can be seen that the WeChat Pay enterprise payment interface uses two-way (mutual) SSL authentication: the server requests a client certificate (CertificateRequest), and because the Java client had none to present, the handshake continued without client authentication and the server rejected the call.

1.4 Handling the WeChat Pay certificate

For instructions on downloading the WeChat Pay certificate, see the security specification document https://pay.weixin.qq.com/wiki/doc/api/tools/mch_pay.php?chapter=4_3 .

After the WeChat Pay merchant application has been approved and the corresponding email has been received, the API certificate can be downloaded by following the guide; it can also be downloaded from the following path: WeChat Pay merchant platform (pay.weixin.qq.com) -> Account Center -> Account Settings -> API Security.

Certificate file: pkcs12 format (apiclient_cert.p12)

Description: contains the private key and certificate in p12 (pfx) format, issued to you by WeChat Pay to identify and prove your identity.

◆ Installing the certificate or calling the API requires a password; the password is the WeChat Pay merchant number (mch_id).

According to the WeChat merchant documentation, the certificate needs to be downloaded and sent to the technical staff.

The older certificate package is cert.zip, which contains the files apiclient_cert.p12, apiclient_cert.pem and apiclient_key.pem.

To use an SSL certificate in a Java program, the certificate must be stored in KeyStore format, so the P12 certificate has to be converted to a KeyStore file; the Java keytool command can do this. After the conversion, the initial key password needs to be changed and the contents of the KeyStore file checked. The commands are as follows:

# Change to the server directory

# Upload the apiclient_cert.p12 file to the current directory

# The key password and the keystore password of the KeyStore file may be set to different values

# Convert P12 to JKS

/nemo/jdk1.8.0_141/bin/keytool -importkeystore -srckeystore apiclient_cert.p12 -destkeystore PROD-wcentpay_key.keystore -srcstoretype PKCS12 -deststoretype JKS

# At the prompts "Enter destination keystore password:" and "Re-enter new password:", enter the keystore password twice (it is not echoed). Choose it yourself and keep it consistent with the keystore_pwd parameter value in the /data/tomcat/appsystems/certs/welink-frontdmz/PROD-wcentpay_config.properties configuration file

# At the prompt "Enter source keystore password", enter the password of the P12 file (not echoed), which is the mchid parameter value in the /data/tomcat/appsystems/certs/welink-frontdmz/PROD-wcentpay_config.properties configuration file

# On success the following is shown: "Entry for alias mmpaycert successfully imported." "Import command completed:  1 entries successfully imported, 0 entries failed or cancelled"

# mmpaycert above is the alias of the entry imported into the KeyStore file

# Change the KeyStore key password

/nemo/jdk1.8.0_141/bin/keytool -keypasswd -keystore PROD-wcentpay_key.keystore -alias mmpaycert

# The -alias value mmpaycert must match the alias of the entry imported into the KeyStore file earlier

# At the prompt "Enter keystore password:", enter the keystore password set earlier (not echoed), i.e. the keystore_pwd parameter value in the /data/tomcat/appsystems/certs/welink-frontdmz/PROD-wcentpay_config.properties configuration file

# At the prompt "Enter key password for <mmpaycert>", enter the password of the P12 file (not echoed), i.e. the mchid parameter value in the /data/tomcat/appsystems/certs/welink-frontdmz/PROD-wcentpay_config.properties configuration file

# At the prompts "New key password for <mmpaycert>:" and "Re-enter new key password for <mmpaycert>:", enter the new key password twice (not echoed). Choose it yourself and keep it consistent with the keystore_key_pwd parameter value in the /data/tomcat/appsystems/certs/welink-frontdmz/PROD-wcentpay_config.properties configuration file

# No output on success

# Inspect the generated KeyStore file

/nemo/jdk1.8.0_141/bin/keytool -list -v -keystore PROD-wcentpay_key.keystore

# At the prompt "Enter keystore password:", enter the keystore password set earlier (not echoed), i.e. the keystore_pwd parameter value in the /data/tomcat/appsystems/certs/welink-frontdmz/PROD-wcentpay_config.properties configuration file

# Delete the apiclient_cert.p12 file

1.5 Using the SSL client certificate in Java

When performing SSL communication in Java, example code for using the SSL client certificate is as follows:

1.5.1 Using Apache HttpClient

When using Apache HttpClient, the example code is as follows:

import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.SSLContexts;
import org.apache.http.conn.ssl.TrustStrategy;
import org.apache.http.conn.ssl.X509HostnameVerifier;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;

// HttpClient 4.3 API; logger is the enclosing class's logger
public CloseableHttpClient genHttpsClient(String[] supportedProtocols, String[] supportedCipherSuites,
                                          KeyStore trustStore, TrustStrategy trustStrategy, X509HostnameVerifier hostnameVerifier) {
    try (InputStream inputStream = new FileInputStream("KeyStore文件路径")) {
        SSLContext sslcontext;
        SSLConnectionSocketFactory sslsf;

        // Load the JKS file produced by the keytool conversion; this password is the keystore password (keystore_pwd)
        KeyStore keystoreKey = KeyStore.getInstance("JKS");
        keystoreKey.load(inputStream, "密钥库密码".toCharArray());

        // Server certificates are checked against trustStore; the client key is unlocked with the key password (keystore_key_pwd)
        sslcontext = SSLContexts.custom()
                .loadTrustMaterial(trustStore, trustStrategy)
                .loadKeyMaterial(keystoreKey, "密钥密码".toCharArray())
                .build();

        sslsf = new SSLConnectionSocketFactory(sslcontext, supportedProtocols, supportedCipherSuites, hostnameVerifier);

        return HttpClients.custom().setSSLSocketFactory(sslsf).build();
    } catch (Exception e) {
        logger.error("genHttpsClient error: ", e);
        return null;
    }
}

1.5.2 Using SSLSocket or HttpsURLConnection

When using either SSLSocket or HttpsURLConnection, an SSLSocketFactory has to be generated; the example code is as follows:

import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.SecureRandom;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;

// protocol is e.g. "TLSv1.2"; logger is the enclosing class's logger
public SSLSocketFactory genSSLSocketFactory(String protocol) {
    try (InputStream inputStream = new FileInputStream("KeyStore文件路径")) {
        SSLContext context = SSLContext.getInstance(protocol);

        // Load the JKS file with the keystore password (keystore_pwd)
        KeyStore keystore = KeyStore.getInstance("JKS");
        keystore.load(inputStream, "密钥库密码".toCharArray());

        // The KeyManager presents the client certificate; it needs the key password (keystore_key_pwd)
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(keystore, "密钥密码".toCharArray());

        // null TrustManagers means the JDK default trust store is used to verify the server certificate
        context.init(new KeyManager[]{kmf.getKeyManagers()[0]}, null, new SecureRandom());
        return context.getSocketFactory();
    } catch (Exception e) {
        logger.error("genSSLSocketFactory error: ", e);
        return null;
    }
}

When using SSLSocket, call the SSLSocketFactory's createSocket method to obtain the SSLSocket object.

When using HttpsURLConnection, call HttpsURLConnection's setSSLSocketFactory to set the SSLSocketFactory object.
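As an added example (not code from the original post), the following class ties the keytool steps of 1.4 and the SSLSocketFactory code of 1.5.2 together: it opens the JKS produced by the conversion, checks up front that the mmpaycert alias holds a private-key entry whose key password is correct (the condition whose absence produced the "no suitable certificate found" warning in 1.3), builds a TLSv1.2 client-authenticating socket factory, and sends a POST through HttpsURLConnection. The class name WxTransferClient and the method names are assumptions; the keystore path, alias and URL are the ones used on this page.

```java
import java.io.*;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class WxTransferClient {
    static final String ALIAS = "mmpaycert"; // entry alias created by the keytool import above

    // Load the JKS and fail fast if the alias does not hold a usable private-key entry.
    static KeyStore loadAndCheck(String path, char[] storePwd, char[] keyPwd) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePwd);                 // wrong keystore_pwd -> IOException
        }
        if (!ks.isKeyEntry(ALIAS)) {
            throw new KeyStoreException("no private-key entry under alias " + ALIAS
                + "; the handshake would log 'no suitable certificate found'");
        }
        ks.getKey(ALIAS, keyPwd);                  // wrong keystore_key_pwd -> UnrecoverableKeyException
        ((X509Certificate) ks.getCertificate(ALIAS)).checkValidity(); // expired certificate is rejected here
        return ks;
    }

    // Client-authenticating socket factory; null trust managers keep the JDK CA store verifying the server.
    static SSLSocketFactory socketFactory(KeyStore ks, char[] keyPwd) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPwd);
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), null, new SecureRandom());
        return ctx.getSocketFactory();
    }

    // POST an XML body over the mutual-TLS connection and return the response body (Java 8 compatible).
    static String post(SSLSocketFactory sf, String url, String xml) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(sf);              // the default HostnameVerifier stays in place
        conn.setRequestMethod("POST");
        conn.setRequestProperty("Content-Type", "text/xml; charset=UTF-8");
        conn.setDoOutput(true);
        try (OutputStream out = conn.getOutputStream()) { out.write(xml.getBytes(StandardCharsets.UTF_8)); }
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (InputStream in = conn.getInputStream()) {
            byte[] b = new byte[8192];
            for (int n; (n = in.read(b)) > 0; ) buf.write(b, 0, n);
        }
        return new String(buf.toByteArray(), StandardCharsets.UTF_8);
    }
}
```

Usage: call loadAndCheck("PROD-wcentpay_key.keystore", keystore_pwd, keystore_key_pwd), pass the result and keystore_key_pwd to socketFactory, then post to https://api.mch.weixin.qq.com/mmpaymkttransfers/promotion/transfers with the signed request XML; read both passwords from the properties file or the environment rather than hard-coding them.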

1.6 Resolution

After handling the WeChat Pay certificate as described and using the SSL client certificate in the Java program, the WeChat Pay enterprise payment interface could be called normally.

2. Handling the QQ Connect appid

2.1 Issue Description

Calling QQ Connect's user profile interface get_user_info (documentation: http://wiki.connect.qq.com/get_user_info) returned the response "{"ret":100008,"msg":"client request's app is not existed"}".

2.2 Analysis

It was verified that the appid parameter value sent when calling the above interface was correct.

The application creation document http://wiki.connect.qq.com/__trashed-2 says "click 'Application interfaces' to view the interfaces already obtained, and use the QQ login function." Screenshot as follows:

Logging in to the QQ Connect platform and viewing the corresponding page (screenshot below), the API shown for login is login, not get_user_info as stated in the documentation:

The API list document http://wiki.connect.qq.com/api%E5%88%97%E8%A1%A8 states that the user profile interface does not require applying for permission.

It was suspected that the current application lacked permission for the user profile interface get_user_info, so the OpenAPI permission application document http://wiki.connect.qq.com/openapi%E6%9D%83%E9%99%90%E7%94%B3%E8%AF%B7 was consulted; after logging in to the QQ Connect platform as instructed, no corresponding API management page could be found.

2.3 Resolution

qqconnecthelper (QQ Connect and login consulting) was contacted through Tencent WeCom; after the symptoms were described, they found the responsible colleague to resolve it, and reported that the cause was that the application information had not been synchronized.

The above problem occurred while testing the test application; if a similar problem occurs when the production application goes live, they will need to be contacted again.


Origin blog.csdn.net/a82514921/article/details/104579094