From d0b7a526f6a8c27116067f63387e220df2fffeea Mon Sep 17 00:00:00 2001
From: SynchPj <46849861+SynchPj@users.noreply.github.com>
Date: Wed, 14 May 2025 16:27:29 +0800
Subject: [PATCH] =?UTF-8?q?:art:=20#3587=E3=80=90=E5=BE=AE=E4=BF=A1?=
 =?UTF-8?q?=E6=94=AF=E4=BB=98=E3=80=91=E6=94=AF=E6=8C=81=E5=AE=8C=E5=85=A8?=
 =?UTF-8?q?=E5=85=AC=E9=92=A5=E6=A8=A1=E5=BC=8F=EF=BC=8C=E6=96=B0=E5=A2=9E?=
 =?UTF-8?q?fullPublicKeyModel=E5=AD=97=E6=AE=B5=E6=9D=A5=E6=8E=A7=E5=88=B6?=
 =?UTF-8?q?=EF=BC=8C=E9=BB=98=E8=AE=A4=E5=85=B3=E9=97=AD=EF=BC=8C=E5=85=B3?=
 =?UTF-8?q?=E9=97=AD=E6=97=B6=E8=B5=B0=E8=80=81=E9=80=BB=E8=BE=91=EF=BC=8C?=
 =?UTF-8?q?=E5=BC=80=E5=90=AF=E6=97=B6=EF=BC=8C=E5=8F=AA=E5=8A=A0=E8=BD=BD?=
 =?UTF-8?q?=E5=85=AC=E9=92=A5=E6=89=80=E9=9C=80=E7=9B=B8=E5=85=B3=E9=85=8D?=
 =?UTF-8?q?=E7=BD=AE=EF=BC=8C=E9=81=BF=E5=85=8D=E4=B8=8B=E8=BD=BD=E5=B9=B3?=
 =?UTF-8?q?=E5=8F=B0=E8=AF=81=E4=B9=A6=E4=BD=BF=E7=81=B0=E5=BA=A6=E5=88=87?=
 =?UTF-8?q?=E6=8D=A2=E6=97=A0=E6=B3=95=E8=BE=BE=E5=88=B0100%=E8=A6=86?=
 =?UTF-8?q?=E7=9B=96?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../wxpay/config/VerifierBuilder.java         | 10 ++
 .../binarywang/wxpay/config/WxPayConfig.java  | 93 +++++++++++++------
 2 files changed, 73 insertions(+), 30 deletions(-)

diff --git a/weixin-java-pay/src/main/java/com/github/binarywang/wxpay/config/VerifierBuilder.java b/weixin-java-pay/src/main/java/com/github/binarywang/wxpay/config/VerifierBuilder.java
index c7bc14f52..b0d9276a3 100644
--- a/weixin-java-pay/src/main/java/com/github/binarywang/wxpay/config/VerifierBuilder.java
+++ b/weixin-java-pay/src/main/java/com/github/binarywang/wxpay/config/VerifierBuilder.java
@@ -92,6 +92,16 @@ class VerifierBuilder {
     return null;
   }
 
+  /**
+   * 针对完全使用公钥的场景
+   * @param publicKeyId 公钥id
+   * @param publicKey 公钥
+   * @return
+   */
+  static Verifier buildPublicCertVerifier(String publicKeyId, PublicKey publicKey) {
+    return getPublicCertVerifier(publicKeyId, publicKey, null);
+  }
+
   /**
    * 获取证书验证器.
    *
diff --git a/weixin-java-pay/src/main/java/com/github/binarywang/wxpay/config/WxPayConfig.java b/weixin-java-pay/src/main/java/com/github/binarywang/wxpay/config/WxPayConfig.java
index 75db10a07..c4fecfd12 100644
--- a/weixin-java-pay/src/main/java/com/github/binarywang/wxpay/config/WxPayConfig.java
+++ b/weixin-java-pay/src/main/java/com/github/binarywang/wxpay/config/WxPayConfig.java
@@ -232,6 +232,11 @@ public class WxPayConfig {
    */
   private boolean strictlyNeedWechatPaySerial = false;
 
+  /**
+   * 是否完全使用公钥模式(用以微信从平台证书到公钥的灰度切换)，默认不使用
+   */
+  private boolean fullPublicKeyModel = false;
+
   /**
    * 返回所设置的微信支付接口请求地址域名.
    *
@@ -289,48 +294,76 @@ public class WxPayConfig {
     if (StringUtils.isBlank(this.getApiV3Key())) {
       throw new WxPayException("请确保apiV3Key值已设置");
     }
-
-    // 尝试从p12证书中加载私钥和证书
-    PrivateKey merchantPrivateKey = null;
-    X509Certificate certificate = null;
-    Object[] objects = this.p12ToPem();
-    if (objects != null) {
-      merchantPrivateKey = (PrivateKey) objects[0];
-      certificate = (X509Certificate) objects[1];
-      this.certSerialNo = certificate.getSerialNumber().toString(16).toUpperCase();
-    }
     try {
+      PrivateKey merchantPrivateKey = null;
+      PublicKey publicKey = null;
+
+      // 使用完全公钥模式时，只加载公钥相关配置，避免下载平台证书使灰度切换无法达到100%覆盖
+      if (this.fullPublicKeyModel) {
+        if (StringUtils.isBlank(this.getCertSerialNo())) {
+          throw new WxPayException("使用公钥模式时，请确保certSerialNo(apiV3证书序列号)值已设置");
+        }
+        if (StringUtils.isBlank(this.getPublicKeyId())) {
+          throw new WxPayException("使用公钥模式时，请确保publicKeyId值已设置");
+        }
+        if (StringUtils.isBlank(this.getPublicKeyString()) && StringUtils.isBlank(this.getPublicKeyPath()) && this.getPublicKeyContent() == null) {
+          throw new WxPayException("使用公钥模式时，请确保publicKeyString/publicKeyPath/publicKeyContent其中一项值已设置");
+        }
+
+        try (InputStream pubInputStream =
+               this.loadConfigInputStream(this.getPublicKeyString(), this.getPublicKeyPath(),
+                 this.getPublicKeyContent(), "publicKeyPath")) {
+          publicKey = PemUtils.loadPublicKey(pubInputStream);
+        }
+      } else {
+        // 不使用完全公钥模式时，同时兼容平台证书和公钥
+        X509Certificate certificate = null;
+        // 尝试从p12证书中加载私钥和证书
+        Object[] objects = this.p12ToPem();
+        if (objects != null) {
+          merchantPrivateKey = (PrivateKey) objects[0];
+          certificate = (X509Certificate) objects[1];
+          this.certSerialNo = certificate.getSerialNumber().toString(16).toUpperCase();
+        }
+        if (certificate == null && StringUtils.isBlank(this.getCertSerialNo()) && StringUtils.isNotBlank(this.getPrivateCertPath())) {
+          try (InputStream certInputStream = this.loadConfigInputStream(this.getPrivateCertString(), this.getPrivateCertPath(),
+            this.privateCertContent, "privateCertPath")) {
+            certificate = PemUtils.loadCertificate(certInputStream);
+          }
+          this.certSerialNo = certificate.getSerialNumber().toString(16).toUpperCase();
+        }
+        if (this.getPublicKeyString() != null || this.getPublicKeyPath() != null || this.publicKeyContent != null) {
+          if (StringUtils.isBlank(this.getPublicKeyId())) {
+            throw new WxPayException("请确保和publicKeyId配套使用");
+          }
+          try (InputStream pubInputStream =
+                 this.loadConfigInputStream(this.getPublicKeyString(), this.getPublicKeyPath(),
+                   this.publicKeyContent, "publicKeyPath")) {
+            publicKey = PemUtils.loadPublicKey(pubInputStream);
+          }
+        }
+      }
+
+      // 加载api私钥
       if (merchantPrivateKey == null && StringUtils.isNotBlank(this.getPrivateKeyPath())) {
         try (InputStream keyInputStream = this.loadConfigInputStream(this.getPrivateKeyString(), this.getPrivateKeyPath(),
           this.privateKeyContent, "privateKeyPath")) {
           merchantPrivateKey = PemUtils.loadPrivateKey(keyInputStream);
         }
       }
-      if (certificate == null && StringUtils.isBlank(this.getCertSerialNo()) && StringUtils.isNotBlank(this.getPrivateCertPath())) {
-        try (InputStream certInputStream = this.loadConfigInputStream(this.getPrivateCertString(), this.getPrivateCertPath(),
-          this.privateCertContent, "privateCertPath")) {
-          certificate = PemUtils.loadCertificate(certInputStream);
-        }
-        this.certSerialNo = certificate.getSerialNumber().toString(16).toUpperCase();
-      }
-      PublicKey publicKey = null;
-      if (this.getPublicKeyString() != null || this.getPublicKeyPath() != null || this.publicKeyContent != null) {
-        try (InputStream pubInputStream =
-               this.loadConfigInputStream(this.getPublicKeyString(), this.getPublicKeyPath(),
-                 this.publicKeyContent, "publicKeyPath")) {
-          publicKey = PemUtils.loadPublicKey(pubInputStream);
-        }
-      }
 
       //构造Http Proxy正向代理
       WxPayHttpProxy wxPayHttpProxy = getWxPayHttpProxy();
 
       // 构造证书验签器
-      Verifier certificatesVerifier = VerifierBuilder.build(
-        this.getCertSerialNo(), this.getMchId(), this.getApiV3Key(), merchantPrivateKey, wxPayHttpProxy,
-        this.getCertAutoUpdateTime(), this.getPayBaseUrl(),
-        this.getPublicKeyId(), publicKey
-      );
+      Verifier certificatesVerifier;
+      if (this.fullPublicKeyModel) {
+        certificatesVerifier = VerifierBuilder.buildPublicCertVerifier(this.publicKeyId, publicKey);
+      } else {
+        certificatesVerifier = VerifierBuilder.build(
+          this.getCertSerialNo(), this.getMchId(), this.getApiV3Key(), merchantPrivateKey, wxPayHttpProxy,
+          this.getCertAutoUpdateTime(), this.getPayBaseUrl(), this.getPublicKeyId(), publicKey);
+      }
 
       WxPayV3HttpClientBuilder wxPayV3HttpClientBuilder = WxPayV3HttpClientBuilder.create()
         .withMerchant(mchId, certSerialNo, merchantPrivateKey)