WeChat Open Platform

Mini Programs Documentation

Signature verification, encryption and decryption for user data

Data signature verification

WeChat signs the cleartext data returned by its open interfaces so that developers can check that user data has not been altered in transit. The "signature" is a SHA-1 hash over the data with the user's secret session_key appended, so it can only be produced or checked by a party that holds the session_key, that is, the developer server. Developers can verify the signature on the developer server as their business requires, to confirm the integrity of the data.

  1. The signature verification algorithm involves the user's session_key. The developer server obtains the session_key during the wx.login login process (by exchanging the login code returned by wx.login with WeChat's server) and keeps it associated with its own login state for that user. The session_key must stay on the developer server; never send it to the Mini Program client or embed it in a page.
  2. When an interface returns data (for example, wx.getUserInfo), it also returns rawData and signature, where signature = sha1(rawData + session_key): the SHA-1 digest, as lowercase hex, of the rawData string with the session_key string appended.
  3. The Mini Program sends signature (signature1) and rawData to the developer server for verification. The server recomputes signature2 = sha1(rawData + session_key) with the session_key it holds for that user and compares signature1 with signature2, preferably with a constant-time comparison. If they match, rawData has not been tampered with. Hash rawData byte for byte as received: re-serializing the JSON (different whitespace or key order) changes the digest and the check fails.

For example, the data verification for wx.getUserInfo:

The rawData returned by the interface:

{
  "nickName": "Band",
  "gender": 1,
  "language": "zh_CN",
  "city": "Guangzhou",
  "province": "Guangdong",
  "country": "CN",
  "avatarUrl": "http://wx.qlogo.cn/mmopen/vi_32/1vZvI39NWFQ9XM4LtQpFrQJ1xlgZxx3w7bQxKARol6503Iuswjjn6nIGBiaycAjAtpujxyzYsrztuuICqIM5ibXQ/0"
}

The user's session_key:

HyVFkGl5F5OQWJZZaNzBBg==

Therefore, the string that is hashed is rawData exactly as returned (compact, in the original key order; the pretty-printed form above is only for readability), followed immediately by session_key:

{"nickName":"Band","gender":1,"language":"zh_CN","city":"Guangzhou","province":"Guangdong","country":"CN","avatarUrl":"http://wx.qlogo.cn/mmopen/vi_32/1vZvI39NWFQ9XM4LtQpFrQJ1xlgZxx3w7bQxKARol6503Iuswjjn6nIGBiaycAjAtpujxyzYsrztuuICqIM5ibXQ/0"}HyVFkGl5F5OQWJZZaNzBBg==

The result obtained using sha1 is

75e81ceda165f4ffa64f4068af58c64b8f54b88c
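The verification described above, carried out on the developer server in Go, as an added example (not WeChat's sample code). It uses the rawData and session_key from the worked example, so the computed signature should reproduce the documented result. The constant-time comparison and the re-encoding demonstration are this example's own choices, not part of the WeChat specification:

```go
package main

import (
	"crypto/sha1"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// Values from the worked example above. rawData must be the compact JSON
// string exactly as wx.getUserInfo returned it; sessionKey is the session_key
// the developer server stored for this user during wx.login.
const rawData = `{"nickName":"Band","gender":1,"language":"zh_CN","city":"Guangzhou","province":"Guangdong","country":"CN","avatarUrl":"http://wx.qlogo.cn/mmopen/vi_32/1vZvI39NWFQ9XM4LtQpFrQJ1xlgZxx3w7bQxKARol6503Iuswjjn6nIGBiaycAjAtpujxyzYsrztuuICqIM5ibXQ/0"}`

const sessionKey = "HyVFkGl5F5OQWJZZaNzBBg=="

// Signature computes sha1(rawData + session_key) as lowercase hex, which is
// what the Mini Program runtime returns as "signature".
func Signature(raw, key string) string {
	sum := sha1.Sum([]byte(raw + key))
	return hex.EncodeToString(sum[:])
}

// VerifySignature is the server-side check: recompute signature2 with the
// stored session_key and compare it with the client's signature1 in constant
// time, so response timing does not reveal how many leading bytes matched.
func VerifySignature(raw, key, clientSig string) bool {
	expected := Signature(raw, key)
	got := strings.ToLower(clientSig)
	if len(got) != len(expected) {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(expected), []byte(got)) == 1
}

// reserialize shows why rawData must be hashed verbatim: parsing it and
// marshalling it again (Go sorts map keys) produces a different string and
// therefore a different signature, even though the JSON is equivalent.
func reserialize(raw string) string {
	var m map[string]interface{}
	if err := json.Unmarshal([]byte(raw), &m); err != nil {
		return ""
	}
	b, _ := json.Marshal(m)
	return string(b)
}

func main() {
	sig := Signature(rawData, sessionKey)
	fmt.Println("signature:        ", sig)
	fmt.Println("verify rawData:   ", VerifySignature(rawData, sessionKey, sig))

	// Any change to the signed bytes breaks verification, whether an attacker
	// edits a field in transit or the server re-encodes the JSON itself.
	tampered := strings.Replace(rawData, `"gender":1`, `"gender":2`, 1)
	fmt.Println("verify tampered:  ", VerifySignature(tampered, sessionKey, sig))
	fmt.Println("verify re-encoded:", VerifySignature(reserialize(rawData), sessionKey, sig))
}
```

In a real handler, rawData and signature come from the client request and the session_key from the server's own session store keyed by the login state; the client never supplies the session_key.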

Decryption algorithms for encrypted data

If an interface returns sensitive data (for example, the openId and unionId in wx.getUserInfo), that data is not included in the interface's cleartext content. A developer who needs it must symmetrically decrypt the encrypted data (encryptedData) returned by the interface, on the developer server, since the session_key is required. The decryption algorithm is as follows:

  1. The symmetric algorithm is AES-128-CBC; the plaintext is padded with PKCS#7, so the ciphertext length is a multiple of 16 bytes and the last plaintext byte gives the number of padding bytes (1 to 16) to strip.
  2. The ciphertext to decrypt is Base64_Decode(encryptedData).
  3. The symmetric key is aeskey = Base64_Decode(session_key); aeskey must be exactly 16 bytes, and anything else should be rejected.
  4. The initialization vector is Base64_Decode(iv), where iv is returned by the data interface alongside encryptedData; it is 16 bytes (one AES block).

CBC mode provides confidentiality only, not integrity, so a decryption that yields valid padding does not by itself prove the data is genuine: parse the plaintext strictly as JSON and check the watermark described below. Return the same generic error for bad padding, bad length and unparsable plaintext, so that the decryption endpoint cannot be used as a padding oracle.

WeChat's official website provides sample code in several programming languages (available for download). The interface names are the same in every language; refer to the samples for how to call them.

WeChat also embeds a watermark in the sensitive data so that the application can check that the data belongs to it and is fresh.

watermark parameter descriptions:

Parameter   Type     Description
watermark   OBJECT   Data watermark
appid       String   appid the sensitive data belongs to; developers should verify that it matches their own appid
timestamp   DateInt  Unix timestamp (seconds) at which the sensitive data was obtained; developers can use it to verify that the data is fresh

For example, the watermark in the sensitive data returned by the wx.getUserInfo interface:

{
    "openId": "OPENID",
    "nickName": "NICKNAME",
    "gender": GENDER,
    "city": "CITY",
    "province": "PROVINCE",
    "country": "COUNTRY",
    "avatarUrl": "AVATARURL",
    "unionId": "UNIONID",
    "watermark":
    {
        "appid":"APPID",
        "timestamp":TIMESTAMP
    }
}
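Decryption (steps 1 to 4 above) and the watermark checks from the table, together in one Go example for the developer server. This is an added example, not WeChat's sample code. Because the page gives no encryptedData sample, the block constructs one itself with encryptForDemo, using the session_key from the signature example; the appid "wxAPPID", the placeholder openId/unionId values, the fixed demo IV and the five-minute freshness window are this example's assumptions:

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Layout of the decrypted sensitive data shown above (unused fields omitted).
type Watermark struct {
	AppID     string `json:"appid"`
	Timestamp int64  `json:"timestamp"` // Unix time in seconds
}

type UserInfo struct {
	OpenID    string    `json:"openId"`
	UnionID   string    `json:"unionId"`
	Watermark Watermark `json:"watermark"`
}

// ErrDecrypt covers every failure (bad base64, lengths, padding, unparsable
// plaintext): CBC has no integrity check, and distinct errors would be a padding oracle.
var ErrDecrypt = errors.New("wx: cannot decrypt encryptedData")

// DecryptUserData follows steps 1 to 4 above: AES-128-CBC, PKCS#7 unpadding.
func DecryptUserData(sessionKey, encryptedData, iv string) ([]byte, error) {
	key, err := base64.StdEncoding.DecodeString(sessionKey) // aeskey, 16 bytes
	if err != nil || len(key) != 16 {
		return nil, ErrDecrypt
	}
	ivb, err := base64.StdEncoding.DecodeString(iv)
	if err != nil || len(ivb) != aes.BlockSize {
		return nil, ErrDecrypt
	}
	ct, err := base64.StdEncoding.DecodeString(encryptedData)
	if err != nil || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, ErrDecrypt
	}
	block, _ := aes.NewCipher(key) // cannot fail: key length checked above
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, ivb).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1]) // PKCS#7: last byte is the pad length, 1..16
	if pad < 1 || pad > aes.BlockSize {
		return nil, ErrDecrypt
	}
	for _, b := range pt[len(pt)-pad:] {
		if int(b) != pad {
			return nil, ErrDecrypt
		}
	}
	return pt[:len(pt)-pad], nil
}

// ParseUserInfo decrypts, parses and applies the watermark checks from the
// table above: appid must be our own and timestamp must fall within maxAge.
func ParseUserInfo(sessionKey, encryptedData, iv, myAppID string, now time.Time, maxAge time.Duration) (*UserInfo, error) {
	pt, err := DecryptUserData(sessionKey, encryptedData, iv)
	if err != nil {
		return nil, err
	}
	var u UserInfo
	if err := json.Unmarshal(pt, &u); err != nil {
		return nil, ErrDecrypt
	}
	if u.Watermark.AppID != myAppID {
		return nil, errors.New("wx: watermark appid is not ours")
	}
	if age := now.Sub(time.Unix(u.Watermark.Timestamp, 0)); age < 0 || age > maxAge {
		return nil, errors.New("wx: watermark timestamp outside accepted window")
	}
	return &u, nil
}

// encryptForDemo is a constructed fixture that produces encryptedData/iv the
// way WeChat's side would (AES-128-CBC, PKCS#7), so the example runs offline.
func encryptForDemo(sessionKey string, plaintext []byte) (encryptedData, iv string) {
	key, _ := base64.StdEncoding.DecodeString(sessionKey)
	block, _ := aes.NewCipher(key)
	ivb := []byte("0123456789abcdef") // fixed demo IV; a real iv comes from the interface response
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, ivb).CryptBlocks(ct, padded)
	return base64.StdEncoding.EncodeToString(ct), base64.StdEncoding.EncodeToString(ivb)
}

func main() {
	const key = "HyVFkGl5F5OQWJZZaNzBBg==" // session_key from the signature example
	const myAppID = "wxAPPID"               // placeholder for the developer's appid
	now := time.Now()
	plain := fmt.Sprintf(`{"openId":"OPENID","unionId":"UNIONID","watermark":{"appid":%q,"timestamp":%d}}`, myAppID, now.Unix()-30)
	ed, iv := encryptForDemo(key, []byte(plain))
	u, err := ParseUserInfo(key, ed, iv, myAppID, now, 5*time.Minute)
	fmt.Println("own appid, fresh:", u != nil, err)
	_, err = ParseUserInfo(key, ed, iv, "wxOTHER", now, 5*time.Minute)
	fmt.Println("foreign appid:", err)
}
```

In production, encryptedData and iv arrive in the client request while the session_key is looked up from the server's session store; only ParseUserInfo is called, and its single ErrDecrypt for every cryptographic or parsing failure is deliberate. The freshness window should be as short as the login flow allows, and the appid check rejects data that was obtained under another application's appid.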

Note: The encrypted data (encryptData) and the corresponding encryption algorithm provided previously will be retired; developers should no longer rely on the old logic.