🎨 #3854 【微信支付】修复公钥模式下平台证书自动更新导致的初始化失败问题

weixin-java-pay/src/main/java/com/github/binarywang/wxpay/service/impl/WxPayServiceApacheHttpImpl.java

@@ -420,7 +420,13 @@ public class WxPayServiceApacheHttpImpl extends BaseWxPayServiceImpl {
       return wxPayConfig.getPublicKeyId();
     }
 
-    return wxPayConfig.getVerifier().getValidCertificate().getSerialNumber().toString(16).toUpperCase();
+    try {
+      return wxPayConfig.getVerifier().getValidCertificate().getSerialNumber().toString(16).toUpperCase();
+    } catch (Exception e) {
+      log.warn("Failed to get certificate serial number: {}", e.getMessage());
+      // 返回空字符串而不是抛出异常，让请求继续进行，由微信服务器判断是否需要Wechatpay-Serial
+      return "";
+    }
   }
 
   private void logRequestAndResponse(String url, String requestStr, String responseStr) {

weixin-java-pay/src/main/java/com/github/binarywang/wxpay/service/impl/WxPayServiceHttpComponentsImpl.java

@@ -398,7 +398,13 @@ public class WxPayServiceHttpComponentsImpl extends BaseWxPayServiceImpl {
       return wxPayConfig.getPublicKeyId();
     }
 
-    return wxPayConfig.getVerifier().getValidCertificate().getSerialNumber().toString(16).toUpperCase();
+    try {
+      return wxPayConfig.getVerifier().getValidCertificate().getSerialNumber().toString(16).toUpperCase();
+    } catch (Exception e) {
+      log.warn("Failed to get certificate serial number: {}", e.getMessage());
+      // 返回空字符串而不是抛出异常，让请求继续进行，由微信服务器判断是否需要Wechatpay-Serial
+      return "";
+    }
   }
 
   private void logRequestAndResponse(String url, String requestStr, String responseStr) {

weixin-java-pay/src/main/java/com/github/binarywang/wxpay/v3/auth/AutoUpdateCertificatesVerifier.java

@@ -109,18 +109,24 @@ public class AutoUpdateCertificatesVerifier implements Verifier {
     this.minutesInterval = minutesInterval;
     this.payBaseUrl = payBaseUrl;
     this.wxPayHttpProxy = wxPayHttpProxy;
-    //构造时更新证书
+    //构造时尝试更新证书，但失败时不抛出异常，避免影响公钥模式的使用
     try {
       autoUpdateCert();
       instant = Instant.now();
     } catch (IOException | GeneralSecurityException e) {
-      throw new WxRuntimeException(e);
+      log.warn("Auto update cert failed during initialization, will retry later, exception = {}", e.getMessage());
+      // 设置 instant 为 null，后续每次使用时都会尝试下载证书直到成功
+      instant = null;
     }
   }
 
   @Override
   public boolean verify(String serialNumber, byte[] message, String signature) {
     checkAndAutoUpdateCert();
+    if (verifier == null) {
+      log.warn("No valid certificate available for verification");
+      return false;
+    }
     return verifier.verify(serialNumber, message, signature);
   }
 
@@ -220,6 +226,9 @@ public class AutoUpdateCertificatesVerifier implements Verifier {
   @Override
   public X509Certificate getValidCertificate() {
     checkAndAutoUpdateCert();
+    if (verifier == null) {
+      throw new WxRuntimeException("No valid certificate available, please check your configuration or use fullPublicKeyModel mode");
+    }
     return verifier.getValidCertificate();
   }
 

weixin-java-pay/src/test/java/com/github/binarywang/wxpay/v3/auth/AutoUpdateCertificatesVerifierPublicKeyModeTest.java

@@ -0,0 +1,91 @@
+package com.github.binarywang.wxpay.v3.auth;
+
+import org.testng.annotations.BeforeMethod;
+import org.testng.annotations.Test;
+
+import java.nio.charset.StandardCharsets;
+import java.security.cert.X509Certificate;
+
+import static org.testng.Assert.*;
+
+/**
+ * 测试公钥模式下 AutoUpdateCertificatesVerifier 的健壮性
+ *
+ * @author copilot
+ */
+public class AutoUpdateCertificatesVerifierPublicKeyModeTest {
+
+  private String invalidMchId;
+  private String invalidApiV3Key;
+  private String invalidCertSerialNo;
+  private String payBaseUrl;
+  private WxPayCredentials credentials;
+
+  @BeforeMethod
+  public void setUp() {
+    // 使用无效的配置，模拟证书下载失败的场景
+    invalidMchId = "invalid_mch_id";
+    invalidApiV3Key = "invalid_api_v3_key_must_be_32_b";
+    invalidCertSerialNo = "invalid_serial_no";
+    payBaseUrl = "https://api.mch.weixin.qq.com";
+
+    credentials = new WxPayCredentials(
+      invalidMchId,
+      new PrivateKeySigner(invalidCertSerialNo, null)
+    );
+  }
+
+  /**
+   * 测试当证书下载失败时，构造函数不应该抛出异常
+   * 这是为了支持公钥模式下的场景，在公钥模式下商户可能没有平台证书
+   */
+  @Test
+  public void testConstructorShouldNotThrowExceptionWhenCertDownloadFails() {
+    // 构造函数应该不抛出异常，即使证书下载失败
+    AutoUpdateCertificatesVerifier verifier = new AutoUpdateCertificatesVerifier(
+      credentials,
+      invalidApiV3Key.getBytes(StandardCharsets.UTF_8),
+      60,
+      payBaseUrl,
+      null
+    );
+    // 如果没有抛出异常，测试通过
+    assertNotNull(verifier);
+  }
+
+  /**
+   * 测试当没有有效证书时，verify 方法应该返回 false 而不是抛出异常
+   */
+  @Test
+  public void testVerifyShouldReturnFalseWhenNoCertificateAvailable() {
+    AutoUpdateCertificatesVerifier verifier = new AutoUpdateCertificatesVerifier(
+      credentials,
+      invalidApiV3Key.getBytes(StandardCharsets.UTF_8),
+      60,
+      payBaseUrl,
+      null
+    );
+
+    // verify 方法应该返回 false，而不是抛出异常
+    boolean result = verifier.verify("test_serial", "test_message".getBytes(), "test_signature");
+    assertFalse(result, "当没有有效证书时，verify 应该返回 false");
+  }
+
+  /**
+   * 测试当没有有效证书时，getValidCertificate 方法应该抛出有意义的异常
+   */
+  @Test(expectedExceptions = me.chanjar.weixin.common.error.WxRuntimeException.class,
+    expectedExceptionsMessageRegExp = ".*No valid certificate available.*")
+  public void testGetValidCertificateShouldThrowMeaningfulException() {
+    AutoUpdateCertificatesVerifier verifier = new AutoUpdateCertificatesVerifier(
+      credentials,
+      invalidApiV3Key.getBytes(StandardCharsets.UTF_8),
+      60,
+      payBaseUrl,
+      null
+    );
+
+    // 应该抛出有意义的异常
+    X509Certificate certificate = verifier.getValidCertificate();
+  }
+}