Fix WeChat Pay V3 public key transfer signature verification failure

When using public key mode for transfer APIs, WeChat Pay may return a response with a platform certificate serial number in the Wechatpay-Serial header, but the signature is actually signed with the public key. The previous logic would fail to verify this. Changes: - Modified PublicCertificateVerifier.verify() to fallback to public key verification when certificate verification fails - This ensures both platform certificate and public key signatures can be verified - Fixes the issue where funds are locked but verification fails for transfer APIs Co-authored-by: binarywang <1343140+binarywang@users.noreply.github.com>
2025-12-14 10:58:07 +08:00 · 2025-10-03 17:43:00 +00:00
parent 942c431549
commit bcce7f73a4
1 changed files with 9 additions and 1 deletions
--- a/weixin-java-pay/src/main/java/com/github/binarywang/wxpay/v3/auth/PublicCertificateVerifier.java
+++ b/weixin-java-pay/src/main/java/com/github/binarywang/wxpay/v3/auth/PublicCertificateVerifier.java
@@ -24,9 +24,17 @@ public class PublicCertificateVerifier implements Verifier{

    @Override
    public boolean verify(String serialNumber, byte[] message, String signature) {
+        // 如果序列号不包含"PUB_KEY_ID"且有证书验证器，先尝试证书验证
        if (!serialNumber.contains("PUB_KEY_ID") && this.certificateVerifier != null) {
-            return this.certificateVerifier.verify(serialNumber, message, signature);
+            try {
+                if (this.certificateVerifier.verify(serialNumber, message, signature)) {
+                    return true;
                }
+            } catch (Exception e) {
+                // 证书验证失败，继续尝试公钥验证
+            }
+        }
+        // 使用公钥验证（兜底方案，适用于公钥转账等场景）
        try {
            Signature sign = Signature.getInstance("SHA256withRSA");
            sign.initVerify(publicKey);