错误:- "code":"403", "message":"HMAC 验证失败"

Posted

技术标签:

【中文标题】错误:- "code":"403", "message":"HMAC 验证失败"【英文标题】:error :- "code":"403", "message":"HMAC validation Failure"错误:- "code":"403", "message":"HMAC 验证失败" 【发布时间】:2015-06-04 16:54:43 【问题描述】:

我在这里附上代码和一个包含完整代码的链接,看看它:- 我的授权标题接缝的长度与 payeezy 官方网站中提到的长度相同。我也使我的 hmacString 的顺序与此链接 (https://developer.payeezy.com/content/hmac-validation-failure) 中提到的相同。完成所有这些后,我仍然遇到同样的问题

public static String excutePost(String urlParameters) throws IOException 
        URL url = new URL("https://api-cert.payeezy.com/v1/transactions");
        HttpURLConnection connection = (HttpURLConnection) url.openConnection();
        try 
            // Create connection
            connection.setRequestMethod("POST");
            connection.setRequestProperty("Content-Type", headerContentType);
            connection.setRequestProperty("apikey ", apikey);
            connection.setRequestProperty("token", MerchantToken);
            connection
                    .setRequestProperty("Authorization", authorizationHeader);
            connection.setRequestProperty("timestamp", ""+epoch);
            connection.setRequestProperty("nonce", ""+nonce);
            connection.setDoOutput(true);
            connection.setReadTimeout(30000);

            // Send request
            DataOutputStream wr = new DataOutputStream(connection.getOutputStream());
            wr.writeBytes(urlParameters);
            wr.flush();
            wr.close();

            // Get Response
            InputStream is = connection.getInputStream();
            BufferedReader rd = new BufferedReader(new InputStreamReader(is));
            String line;
            StringBuffer response = new StringBuffer();
            while ((line = rd.readLine()) != null) 
                response.append(line);
                response.append('\r');
            
            rd.close();
            return response.toString();

         catch (Exception e) 

            e.printStackTrace();
            return null;

         finally 

            if (connection != null) 
                connection.disconnect();
            
        
    

这里是完整的 java 类代码:- http://piratepad.net/ep/pad/view/ro.WwZ9v6FX1a6/latest

【问题讨论】:

【参考方案1】:

您必须为每个请求生成一个新的timestampnonce,即每个新请求都必须有其唯一的timestampnonce

在java中,timestamp可以设置为System.currentTimeMillis()nonce可以使用UUID(UUID.randomUUID().toString())设置。

最后,确保您的 Authorization 计算正确(我看到他们使用 API 密钥使用 HMAC-SHA1)。

我希望这会有所帮助。


编辑:怀疑是您的HMAC-SHA1 Authorization 值不正确。运行您的代码时,我得到以下响应(经过我自己的几次编码)。

Connection = keep-alive
Content-Length = 51
Content-Type = application/json
"code":"403", "message":"HMAC validation Failure"

确保您正确计算您的 HMAC-SHA1 值(正如我上面所说的)。

请参阅以下(更新的)代码,您可以自己编译和运行这些代码。您现在需要 Java 8,因为它带有 Base 64 编码器/解码器。

import java.io.BufferedReader;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.util.List;
import java.util.Map;
import java.util.Map.Entry;
import java.net.URI;
import java.net.URL;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.text.SimpleDateFormat;
import java.util.Base64;
import java.util.Date;
import java.util.TimeZone;

import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

//import org.apache.commons.codec.binary.Base64;

public class MainJava 
    private static final String    myEncoding            = "UTF-8";
    private static final String    myMessageDigest        = "SHA-1";
    private static final String    myKeySpec            = "HmacSHA1";
    private static String        NEWLINE                = "\n";
    private static String        authorizationHeader;
    private static String        contentSha1;
    // private static String keyId = "230297";
    // private static String hmacKey = "tcwR9r1OR85V9bcV5tc7a9d1XkWigjqY";
    private static String        ApiSecretkey        = "0779eb593286b278aaf8cfcf83c8e33bc757d53a8a642b53d24d63bda844da5b";
    private static String        MerchantToken        = "fdoa-a480ce8951daa73262734cf102641994c1e55e7cdf4c02b6";
    private static String        reportingToken        = "e56a0223d0415067";
    private static String        apikey                = "XSjbv8PLDINJ28qXLEYAhcrz8rxKXQ4Y";
    private static long            nonce;
    public static String        headerContentType    = "application/json";
    private static long            epoch;

    public static void main(String[] args) throws Exception 
        String json_string_dataTwo = "\"type\":\"visa\",\"cardholder_name\":\"John Smith\",\"card_number\":\"4788250000028291\",\"exp_date\":1020,\"cvv\":\"123\"";
        // String json_string =
        // "\"gateway_id\":\"AI2010-01\",\"password\":\"w226638qtot48xu503zumwt2iy46g26q\",\"transaction_type\":\"00\",\"amount\":10,\"cardholder_name\":\"test\",\"cc_number\":\"4111111111111111\",\"cc_expiry\":\"1219\"";
        String json_string_data = "\"merchant_ref\":\"Astonishing-Sale\",\"transaction_type\":\"authorize\",\"method\":\"credit_card\",\"amount\":1299,\"currency_code\":\"USD\",\"credit_card\":"
                + json_string_dataTwo + "";
        // "\r\n  \"merchant_ref\": \"Astonishing-Sale\",\r\n  \"transaction_type\": \"authorize\",\r\n  \"method\": \"credit_card\",\r\n  \"amount\": \"1299\",\r\n  \"currency_code\": \"USD\",\r\n  \"credit_card\": \r\n    \"type\": \"visa\",\r\n    \"cardholder_name\": \"John Smith\",\r\n    \"card_number\": \"4788250000028291\",\r\n    \"exp_date\": \"1020\",\r\n    \"cvv\": \"123\"\r\n  \r\n";

        epoch = System.currentTimeMillis();// / 1000;
        // nonce = UUID.randomUUID().toString();
        nonce = Math.abs(SecureRandom.getInstance("SHA1PRNG").nextLong());
        contentSha1 = contentSha1(json_string_data);
        authorizationHeader = authHeader(epoch, contentSha1);
        System.out.println(excutePost(json_string_data));
    

    private static String authHeader(long hashTime, String contentSha1) 
        String authorizationHeader = null;
        try 
            String hmacString = "POST" + NEWLINE + "application/json" + NEWLINE + contentSha1 + NEWLINE + hashTime + NEWLINE + apikey + NEWLINE
                    + new URI("https://api-cert.payeezy.com/v1/transactions");

            return sha1(hmacString, ApiSecretkey);
         catch (Exception e) 
            throw new RuntimeException(e);
        
    

    private static String contentSha1(String content) throws Exception 
        MessageDigest md = MessageDigest.getInstance("SHA-1");
        byte[] sha1hash = new byte[40];
        md.update(content.getBytes("UTF-8"), 0, content.length());
        sha1hash = md.digest();
        return convertToHex(sha1hash);
    

    private static String convertToHex(byte[] data) 
        StringBuffer buf = new StringBuffer();
        for (int i = 0; i < data.length; i++) 
            int halfbyte = data[i] >>> 4 & 0xF;
            int two_halfs = 0;
            do 
                if ((0 <= halfbyte) && (halfbyte <= 9))
                    buf.append((char) (48 + halfbyte));
                else
                    buf.append((char) (97 + (halfbyte - 10)));
                halfbyte = data[i] & 0xF;
             while (two_halfs++ < 1);
        
        return buf.toString();
    

//     private static String sha1(String s, String keyString) 
//     Base64 base64 = new Base64();
//     try 
//     SecretKeySpec key = new SecretKeySpec(keyString.getBytes("UTF-8"),
//     "HmacSHA1");
//     Mac mac = Mac.getInstance("HmacSHA1");
//     mac.init(key);
//     byte[] bytes = mac.doFinal(s.getBytes("UTF-8"));
//    
//     return new String(base64.encode(bytes));
//      catch (Exception e) 
//     throw new RuntimeException(e);
//     
//     
    private static String sha1(String s, String keyString) 
        byte[] bytes = null;
        try 
            Mac sha256_HMAC = Mac.getInstance("HmacSHA256");
            SecretKeySpec secret_key = new SecretKeySpec(keyString.getBytes(), "HmacSHA256");
            sha256_HMAC.init(secret_key);
            bytes = sha256_HMAC.doFinal(s.getBytes("UTF-8"));
            //return new String(Base64.encodeBase64String(bytes));
         catch (Exception e) 
            System.out.println("Error");
        
        return  Base64.getEncoder().encodeToString(bytes);
    

    private static String hashTime() 
        String time = getUTCFormattedDate("yyyy-MM-dd'T'HH:mm:ss'Z'");

        return time;
    

    private static String getUTCFormattedDate(String format) 
        SimpleDateFormat dateFormat = new SimpleDateFormat(format);
        dateFormat.setTimeZone(TimeZone.getTimeZone("UTC"));
        return dateFormat.format(new Date());
    

    public static String excutePost(String urlParameters) throws IOException 
    System.out.println(urlParameters);
    System.out.println(headerContentType);
    System.out.println(MerchantToken);
    System.out.println(authorizationHeader);
    System.out.println(epoch);
    System.out.println(nonce);
        URL url = new URL("https://api-cert.payeezy.com/v1/transactions");
        HttpURLConnection connection = (HttpURLConnection) url.openConnection();
        try 
            // Create connection
            connection.setRequestMethod("POST");
            connection.setRequestProperty("Content-Type", headerContentType);
            connection.setRequestProperty("apikey ", apikey);
            connection.setRequestProperty("token", MerchantToken);
            connection.setRequestProperty("Authorization", authorizationHeader);
            connection.setRequestProperty("timestamp", "" + epoch);
            connection.setRequestProperty("nonce", "" + nonce);
            connection.setDoOutput(true);
            connection.setReadTimeout(30000);

            // Send request
            DataOutputStream wr = new DataOutputStream(connection.getOutputStream());
            wr.writeBytes(urlParameters);
            wr.flush();
            wr.close();

            // Get Response
            InputStream is = null;
            int statusCode = connection.getResponseCode();

        try 
            is = connection.getInputStream();
         catch (IOException e) 
            if (statusCode >= 400) 
                is = connection.getErrorStream();
            
        
        BufferedReader rd = new BufferedReader(new InputStreamReader(is));
            String line;
            StringBuffer response = new StringBuffer();
            while ((line = rd.readLine()) != null) 
                response.append(line);
                response.append('\r');
            
            rd.close();
            return response.toString();

         catch (Exception e) 

            e.printStackTrace();
            return null;

         finally 

            if (connection != null) 
                connection.disconnect();
            
        
    


【讨论】:

嘿,谢谢您的回复,是的,我知道我必须在每次点击 api 时生成我的时间戳和随机数向您发送我的主要 java 类...请看看它并告诉我我做错了什么... (piratepad.net/ep/pad/view/ro.WwZ9v6FX1a6/latest) 嘿,谢谢你的努力,我会试试,让你知道它是怎么回事:) 嘿,Sindi ..我只是在我的机器上运行你的代码,是的,我遇到了你上面提到的同样的问题......我没有更新我的 java 版本的 eclipse,但使用了 java。 util,base64 class from this site(grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/…) 你能告诉我我应该使用哪种方法来生成我的 Hmac 密钥。谢谢 您是否运行了您编辑的代码并对其进行了测试?你得到了什么结果?【参考方案2】:

我唯一的问题是字符编码,我假设是 UTF-8。我怀疑错误出在其他地方。

        // Send request
        byte[] data = urlParameters.getBytes(StandardCharsets.UTF_8);
        BufferedOutputStream wr = new BufferedOutputStream(connection.getOutputStream());
        wr.writeBytes(data);
        wr.close();

        // Get Response
        InputStream is = connection.getInputStream();
        BufferedReader rd = new BufferedReader(new InputStreamReader(is,
                StandardCharsets.UTF_8));

并且\r,CR,不作为行分隔符(除了旧的 MacOS)。

           response.append("\r\n"); // Or '\n'

【讨论】:

嘿,Eggen 感谢您的回复......但我仍然收到同样的错误:- java.lang.IllegalArgumentException:消息头值中的非法字符:AMru2osZZnotc25nRr7/dAOwkV/S3J1T7Yn7zs2XpFc= 另外,当我尝试调试代码时,我发现类似:- java.lang.IllegalStateException: 已经连接 尽量省略结尾的 = 填充字符。 对不起,我没明白你的意思……你能详细说明一下吗,谢谢 Base64 键的值末尾有多余的等号。你可以试试没有。还有什么? URLEncoder.encode(value) 可能仍然是另一个更可疑的尝试。【参考方案3】:

我终于通过在 api url hit 中发送直接字符串作为参数来解决这个错误。这里我发布了一些我的代码来解决我的错误:-

String str = "\"amount\":\"1299\",\"merchant_ref\":\"Astonishing-Sale\",\"transaction_type\":\"authorize\",\"credit_card\":\"card_number\":\"4788250000028291\",\"cvv\":\"123\",\"exp_date\": \"1020\",\"cardholder_name\": \"John Smith\",\"type\": \"visa\",\"method\": \"credit_card\",\"currency_code\": \"USD\"";

现在这个字符串将用于生成我的授权密钥。 整个过程定义如下 :-

getSecurityKeys(apikey, pzsecret,str);

private static Map<String, String> getSecurityKeys(String appId,
			String secureId, String payLoad) throws Exception 
		Map<String, String> returnMap = new HashMap<String, String>();
		try 
			returnMap.put(NONCE, Long.toString(nonce));
			returnMap.put(APIKEY, appId);
			returnMap.put(TIMESTAMP, Long.toString(System.currentTimeMillis()));
			returnMap.put(TOKEN, MerchantToken);
			returnMap.put(APISECRET, pzsecret);
			returnMap.put(PAYLOAD, payLoad);
			returnMap.put(AUTHORIZE, getMacValue(returnMap));
			authorizationHeader = returnMap.get(AUTHORIZE);
			return returnMap;

		 catch (NoSuchAlgorithmException e) 
			throw new RuntimeException(e.getMessage(), e);
		
	

	public static String getMacValue(Map<String, String> data) throws Exception 
		Mac mac = Mac.getInstance("HmacSHA256");
		String apiSecret = data.get(APISECRET);
		SecretKeySpec secret_key = new SecretKeySpec(apiSecret.getBytes(),
				"HmacSHA256");
		mac.init(secret_key);
		StringBuilder buff = new StringBuilder();
		buff.append(data.get(APIKEY)).append(data.get(NONCE))
				.append(data.get(TIMESTAMP));
		if (data.get(TOKEN) != null)
			buff.append(data.get(TOKEN));
		if (data.get(PAYLOAD) != null)
			buff.append(data.get(PAYLOAD));
		byte[] macHash = mac.doFinal(buff.toString().getBytes("UTF-8"));
		String authorizeString = Base64.encodeBase64String(toHex(macHash));
		return authorizeString;
	
现在终于可以通过直接字符串(即str)作为参数在java中点击post api。

希望它可以帮助其他人在不使用任何依赖项的情况下集成 payeezy 支付网关。 快乐编码!!!

【讨论】:

以上是关于错误:- "code":"403", "message":"HMAC 验证失败"的主要内容,如果未能解决你的问题,请参考以下文章

SyntaxException: <ErrorMessage code=2000 [CQL 查询中的语法错误] message="Unknown property 'replicati

Celery CRITICAL/MainProcess] 不可恢复的错误:AttributeError("'float' object has no attribute 'items'&qu

Instagram oauth api 给出 "code": 400, "error_type": "OAuthException", &

c++ vector 排序 sort 用不起来 我用的是code::blocks

vue router 报错: Uncaught (in promise) NavigationDuplicated {_name:""NavigationDuplicated&qu

以太坊错误 "code":-32000,"message":"unknown account"