Eight years of testing notes, interface testing special: encryption and signatures, one article to get you through interface testing


Foreword

What is encryption and decryption?
Encryption: the original data (plaintext) is transformed into ciphertext before it is transmitted on the network, so that anyone who intercepts it cannot read it.
Decryption: the ciphertext is restored to the original plaintext.

Classification of encryption methods?
Symmetric encryption: the same key is used for encryption and decryption, so both sides must already share that key.
Asymmetric encryption: two keys are needed (a key pair), called the public key and the private key; what one of them encrypts, the other decrypts. The public key is public and does not need to be kept secret; the private key must be kept secret.

Encryption analysis

1. Symmetric encryption
DES encryption algorithm: weak security (a 56-bit key can be brute-forced), generally only found in old systems
AES encryption algorithm: generally used to encrypt interfaces between a separated front end and back end
Base64: not an encryption algorithm at all but an encoding method; anyone can decode it, so it provides no confidentiality

2. Asymmetric encryption (RSA)
RSA encryption algorithm: the most widely used asymmetric algorithm

Scenario 1: Encrypt with the public key, decrypt with the private key
Two users, A and B. B has a key pair, and A wants to send a data message to B in encrypted form.

① B sends its public key to A (the public key is public)
② A encrypts the data message with this public key and sends the resulting ciphertext to B over the network
③ B decrypts the ciphertext with its own private key and obtains the data message

Scenario 2: Sign with the private key (digital signature), verify with the public key (signature verification)

Origin of the digital certificate: because the public key is public, anyone can publish one, and A has no way of knowing that a key it received really belongs to B. A trusted third party, a CA (certificate authority), therefore signs B's public key together with B's identity information using the CA's private key; the signed result is the digital certificate. The certificate contains B's basic information and B's public key, usually a validity period, and the CA's signature, in the format defined by the X.509 standard.

CA: has its own key pair and signs certificates with its private key.
Signature verification with the CA's public key: authentication of the certificate.

Two users, A and B. B has a key pair.

① B signs the data message to be sent with its private key (what is actually signed is a hash of the message).
② B goes to the CA to have its public key certified.
③ The CA signs B's public key and related identity information with the CA's private key, producing the digital certificate.
④ The CA sends the digital certificate to B.
⑤ B sends the message, the signature and the digital certificate to A.
⑥ A verifies the digital certificate with the CA's public key (which A must already trust), obtains B's public key from it, and uses that public key to verify the signature on the data message.

Fiddler cannot read HTTPS traffic directly; its root certificate must be installed first.
HTTPS = HTTP + SSL/TLS secure transport.
SSL (Secure Sockets Layer) was developed by Netscape; TLS is its successor.

In the model above, Fiddler plays the CA: it is a digital certificate generator. It creates its own root certificate, and once you install that root as trusted, it can issue a certificate for any site on the fly, decrypt the browser's traffic as a man-in-the-middle, and re-encrypt it to the real server. For the same reason, remove Fiddler's root certificate from the trust store when testing is finished: whoever holds its private key can read your HTTPS traffic.

3. MD5 (a digest, or hash, algorithm: one-way, there is no decryption). MD5 collisions are cheap to produce, so for new designs prefer SHA-256; MD5 still appears here because many legacy interfaces require it.
Postman example: in Tests

// get the current timestamp (milliseconds)
var times = new Date().getTime();

// MD5 digest with Postman's built-in CryptoJS, as a 32-character uppercase hex string
var miwen = CryptoJS.MD5("admin").toString().toUpperCase();

JMeter example

Function helper: __digest (parameters: algorithm, string to digest, salt, upper case, variable name)

${__digest(MD5,admin,,,)}

Pass true as the fourth parameter for uppercase output: ${__digest(MD5,admin,,true,)}

Interface signature analysis

1. What is an interface signature?
Combine the user name (appid), password (appsecret), timestamp and all request parameters in sorted order into one string, then hash (digest) that string. The result is the authentication code that proves the caller is allowed to access the third-party (for example financial) interface, sent as the sign parameter.

2. Why sign interfaces
Prevent masquerading (only someone holding the secret can produce a valid sign); prevent tampering (any change to a parameter changes the sign); prevent replay (the timestamp is part of the sign and only accepted within a short window); prevent leakage of the secret (only the digest travels on the wire, never the secret itself).

3. How to sign an interface: understand the signing rules
Sort all request parameters by key in ascending ASCII order.

Before sorting:
{"c":"3","b":"2","a":"1"}
After sorting:
{"a":"1","b":"2","c":"3"}

Concatenate the parameter name and parameter value into a string:

a=1&b=2&c=3

Prepend the appid and appsecret obtained when registering the application to the head of the string:
appid: user name
appsecret: password

appid=admin&appsecret=123&a=1&b=2&c=3

Append the timestamp to the tail of the string:

appid=admin&appsecret=123&a=1&b=2&c=3&timestamp=124124252

Then take the 32-character hex MD5 digest of this string and convert it to uppercase:

sign=E48B34F95AE8001C99CB86A612538C04

The signature is only accepted within a short window around the timestamp (10 seconds here), so an intercepted request cannot be replayed once the window has passed.
In JMeter, implement this and package it as a custom function (Java) or a JSR223/Jython pre-processor script (Python).

4. Postman implementation: encapsulate the rule in a Pre-request Script (JavaScript)

Pre-request Script

// Request URL; the {{time}} and {{sign}} placeholders are filled from the environment variables set below:
// url=https://aaa/sss?com=aaa&nu=hhh&phone=jjjjj&show_appid=jj&showapi_timestamp={{time}}&showapi_sign={{sign}}
// Note: this script follows the showapi_* style rule (key and value concatenated with no separator,
// app secret appended, lowercase MD5), which differs from the rule in section 3.
var moment = require('moment'); // Postman's built-in moment library, used for the timestamp

var url = pm.request.url.toString(); // the raw request URL, placeholders still unresolved at this point
console.log(url);

var param = url.split("?")[1]; // the query string: index 0 is everything before '?', index 1 everything after it

if (param != null)
{
    var time = moment().format("YYYYMMDDHHmmss"); // current time in YYYYMMDDHHmmss form
    pm.environment.set("time", time); // environment variable consumed by {{time}} in the URL

    param += "&showapi_timestamp=" + time;
    param += "&showapi_sign=122344556"; // placeholder; the sign key is skipped below

    var pairs = param.split("&"); // split into a list of key=value strings
    pairs.sort(); // ASCII order a-z; this sorts the whole "key=value" string, which equals sorting by key unless a key contains a character that sorts before '='
    var keys = new Array(pairs.length);
    var values = new Array(pairs.length);
    for (var i = 0; i < pairs.length; i++)
    {
        keys[i] = pairs[i].split("=")[0]; // the part before '='
        values[i] = pairs[i].split("=")[1]; // the part after '='
    }
    var str = [];
    for (var p = 0; p < keys.length; p++) // the sign itself and the unresolved {{time}} placeholder do not take part in signing
    {
        if (keys[p] == "showapi_sign" || values[p] == "{{time}}")
        {
            continue;
        }
        str.push(keys[p] + values[p]);
    }
    var sign = str.join("");
    sign = sign + "sssss"; // append the app secret ("sssss" is a placeholder)
    pm.environment.set("sign", CryptoJS.MD5(sign).toString()); // environment variable consumed by {{sign}} in the URL
}

Origin blog.csdn.net/m0_70102063/article/details/131683068