Message signing and encryption/decryption - Developer Q&A

Q Why do we need to launch the message encryption function?

A To better protect the information security of users and public accounts.

Q Is the access message encryption and decryption function complicated?

A It is not complicated for developers to add the message encryption and decryption function. The WeChat team provides sample code in five languages (C++, PHP, Python, Java and C#). Developers using one of these five languages only need to follow the "Message Encryption and Decryption Access Guide", refer to the sample code, and call the functions provided by the WeChat public platform; developers using other languages need to write the relevant code according to the "Detailed Technical Plan for Message Encryption and Decryption".

Q What important changes will the message encryption function bring?

A There are several aspects:

When plaintext mode is selected, messages are sent and received as before, but with a lower level of security. The WeChat team recommends that developers develop and debug in compatible mode and then upgrade to safe mode.

When compatible mode is selected, the message packet contains both plaintext and ciphertext, and its length grows to about 3 times the original. Developers need to check their systems and reserve enough capacity so that the longer messages do not cause reception errors.

In compatible mode and safe mode, when the public platform server pushes messages to the URL configured for the public account server, two parameters are added to the URL.

In safe mode, the content is pure ciphertext. Please prepare in advance for decrypting received messages and encrypting reply messages.

Q What is EncodingAESKey?

A The WeChat public platform uses the AES symmetric encryption algorithm to encrypt the message body pushed to the public account, and EncodingAESKey is the key used for that encryption. The public account uses this key to decrypt the received ciphertext message body, and the reply message body is encrypted with the same key.

Q How do developers determine whether a message is encrypted? Under what circumstances does it need to encrypt the response packet?

A Developers should judge from the URL parameters: if there is no encrypt_type parameter on the URL, or its value is raw, the message body contains only plaintext and the public account replies in plaintext. If encrypt_type is aes, the message body contains ciphertext and the public account replies with ciphertext (in compatible mode, either plaintext or ciphertext may be used for the reply).

Q After the public account developer launches the encrypted and decrypted version, do they still need to retain the plaintext unpacking and return logic?

A For now, retain the previous logic and branch on the URL parameters for compatibility.

Q Common error examples

A Common causes of errors include:

The XML format is incorrect: for example, <TimeStamp> is written as <Timestamp > (the s is lowercase and there is a space between the p and the >).

The public platform website provides a function for changing EncodingAESKey. The public account needs to keep both the current and the previous EncodingAESKey: if decryption with the current EncodingAESKey fails, retry with the previous one, and encrypt the corresponding reply with whichever key decrypted successfully.

When calling DecryptMsg, pass the msg_signature URL parameter, not signature.

Java requires JDK 1.6 or above.

Solution to the exception java.security.InvalidKeyException: Illegal key size: download the JCE unlimited strength policy files from the official website (please download the version matching your JDK; for example, the download address for JDK 7 is http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html). After downloading and unzipping you will see local_policy.jar, US_export_policy.jar and readme.txt. If a JRE is installed, copy the two jar files into the %JRE_HOME%\lib\security directory, overwriting the original files; if a JDK is installed, copy the two jar files into the %JDK_HOME%\jre\lib\security directory, overwriting the original files.
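The following is an added example, not the WeChat team's sample code, showing how the three points above fit together on the public account side: dispatching on encrypt_type, verifying msg_signature (not signature) before decrypting, trying the current EncodingAESKey and then the previous one, and remembering which key must encrypt the reply. The framing it uses (16 random bytes, 4-byte big-endian length, message, AppID, PKCS#7 padding to 32 bytes, AES-256-CBC with the first 16 key bytes as IV, and msg_signature as SHA1 over the sorted token, timestamp, nonce and ciphertext) is taken from WeChat's published technical plan rather than from this page and should be checked against it; the two 43-character keys, the token, the AppID, the timestamp and the nonce are constructed sample values, and the type and function names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha1"
	"encoding/base64"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample EncodingAESKeys (43 chars each); real ones come from the platform website.
const (
	CurrentKey  = "kYq7KJbv0oM3ZtX5a2rPcQwN9eHu1sFd8LgVjTxRAbE"
	PreviousKey = "Qm9zdHJhZG9yaGVsbG9mcmllbmRzYXRleGFtcGxlMjA"
)

// MsgCrypt is the key material derived from one EncodingAESKey.
type MsgCrypt struct {
	key          []byte // 32-byte AES key = base64(EncodingAESKey + "=")
	token, appID string
}

func NewMsgCrypt(encodingAESKey, token, appID string) (*MsgCrypt, error) {
	key, err := base64.StdEncoding.DecodeString(encodingAESKey + "=")
	if err != nil || len(encodingAESKey) != 43 || len(key) != 32 {
		return nil, errors.New("EncodingAESKey must be 43 chars decoding to 32 bytes")
	}
	return &MsgCrypt{key: key, token: token, appID: appID}, nil
}

// Signature computes msg_signature: SHA1 over the sorted token, timestamp, nonce and ciphertext.
func (m *MsgCrypt) Signature(timestamp, nonce, encrypt string) string {
	parts := []string{m.token, timestamp, nonce, encrypt}
	sort.Strings(parts)
	sum := sha1.Sum([]byte(strings.Join(parts, "")))
	return hex.EncodeToString(sum[:])
}

// Encrypt: random(16) || len(4, big-endian) || msg || appID, PKCS#7-padded to 32 bytes,
// AES-256-CBC with IV = key[:16]; the base64 result is the <Encrypt> element's value.
func (m *MsgCrypt) Encrypt(msg string) (string, error) {
	plain := make([]byte, 20)
	if _, err := rand.Read(plain[:16]); err != nil {
		return "", err
	}
	binary.BigEndian.PutUint32(plain[16:], uint32(len(msg)))
	plain = append(append(plain, msg...), m.appID...)
	pad := 32 - len(plain)%32
	plain = append(plain, bytes.Repeat([]byte{byte(pad)}, pad)...)
	block, _ := aes.NewCipher(m.key) // key length validated in NewMsgCrypt
	out := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, m.key[:16]).CryptBlocks(out, plain)
	return base64.StdEncoding.EncodeToString(out), nil
}

// Decrypt reverses Encrypt; a wrong key fails the padding, length or AppID check,
// and that error is what lets the caller fall back to the previous key.
func (m *MsgCrypt) Decrypt(encrypt string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(encrypt)
	if err != nil || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", errors.New("malformed ciphertext")
	}
	block, _ := aes.NewCipher(m.key)
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, m.key[:16]).CryptBlocks(plain, ct)
	pad := int(plain[len(plain)-1])
	if pad < 1 || pad > 32 || len(plain)-pad < 20 {
		return "", errors.New("bad padding")
	}
	plain = plain[:len(plain)-pad]
	n := int(binary.BigEndian.Uint32(plain[16:20]))
	if 20+n > len(plain) || string(plain[20+n:]) != m.appID {
		return "", errors.New("length field or AppID mismatch")
	}
	return string(plain[20 : 20+n]), nil
}

// Inbound: the URL parameters added in compatible/safe mode plus the body
// (plaintext XML, or the <Encrypt> element's value when encrypt_type=aes).
type Inbound struct{ EncryptType, MsgSignature, Timestamp, Nonce, Body string }

// Handler keeps the current and the previous EncodingAESKey.
type Handler struct{ Current, Previous *MsgCrypt }

// Receive returns the plaintext message and the key the reply must be encrypted with
// (nil when encrypt_type is absent or "raw", so the reply may be plaintext).
func (h *Handler) Receive(in Inbound) (string, *MsgCrypt, error) {
	if in.EncryptType == "" || in.EncryptType == "raw" {
		return in.Body, nil, nil
	}
	if in.EncryptType != "aes" {
		return "", nil, fmt.Errorf("unknown encrypt_type %q", in.EncryptType)
	}
	// Check msg_signature (not the plaintext-mode signature parameter) before decrypting.
	if h.Current.Signature(in.Timestamp, in.Nonce, in.Body) != in.MsgSignature {
		return "", nil, errors.New("msg_signature mismatch")
	}
	for _, mc := range []*MsgCrypt{h.Current, h.Previous} {
		if mc == nil {
			continue
		}
		if msg, err := mc.Decrypt(in.Body); err == nil {
			return msg, mc, nil // encrypt the reply with whichever key decrypted
		}
	}
	return "", nil, errors.New("decryption failed with current and previous EncodingAESKey")
}

func main() {
	cur, _ := NewMsgCrypt(CurrentKey, "example_token", "wx_example_appid")
	prev, _ := NewMsgCrypt(PreviousKey, "example_token", "wx_example_appid")
	enc, _ := prev.Encrypt("<xml><Content><![CDATA[hello]]></Content></xml>") // still under the old key
	in := Inbound{EncryptType: "aes", Timestamp: "1409304348", Nonce: "nonce1", Body: enc}
	in.MsgSignature = cur.Signature(in.Timestamp, in.Nonce, enc)
	fmt.Println((&Handler{Current: cur, Previous: prev}).Receive(in))
}
```

The signature is checked once with the current token before any key is tried, so a message that fails msg_signature never reaches the decryptor; the key fallback only runs for messages whose signature is valid. Receive hands back the MsgCrypt that succeeded precisely so that the reply is encrypted with the same key, which is the behaviour the key-change note above asks for.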

Q Does the WeChat public platform interface debugging tool support online debugging of message body encryption and decryption?

A Yes. Use http://mp.weixin.qq.com/debug
