Taobao H5 sign Encryption Algorithm


Taobao's H5 (mobile web) pages access the client API differently from the native apps. Because JavaScript delivered to the browser cannot safely hold an appSecret, MTOP instead hands out a randomly generated token to each accessing client and stores it in the user's cookie. The client computes a digest over the request using this token and sends it as the sign URL parameter; MTOP recomputes the digest from the token in the returned cookie and the URL parameters and compares the two, so a request cannot be tampered with without the token.

Process

  1. When the token in the local cookie is empty (usually on the first visit), MTOP responds with the error "FAIL_SYS_TOKEN_EXOIRED :: Token expired" and at the same time generates a token and writes it into the cookie (response.cookies);
  2. On the second request, the JS reads the token from the cookie, generates the sign with the agreed algorithm and sends it with the request. MTOP computes the sign in the same way from the token in the request's cookie and compares it with the sign in the request; the result of the check is returned in the API response, and on failure it reads "FAIL_SYS_ILLEGAL_ACCESS :: illegal request";
  3. The token in the cookie is time-limited. When it has expired, the client again receives "FAIL_SYS_TOKEN_EXOIRED :: Token expired" together with a newly written token; the JS recomputes the sign with the new token and resends the request;

    Self-check of the token cookie: because the token is stored in plaintext in the cookie and could be forged, the cookie also carries a copy of the token encrypted with an asymmetric key pair. On every request MTOP checks that the cookie token was issued by the server side, by restoring the token from the encrypted copy with the private key and comparing it with the plaintext token sent back.

sign generation

The sign is generated with the formula:

md5Hex(token&t&appKey&data)

e.g. md5Hex("30dc68e5b4cf40ebd02fb05673c7e3b7&1572522062317&12345678&{"itemNumId":"1502111132496"}")

gives sign=4c1e7b6853fa7a5e1b8f7066ee22932f

Implementation code:

import org.apache.commons.codec.digest.DigestUtils;
import org.apache.commons.lang3.StringUtils;

public class SignUtil {
    // sign = md5Hex(token&t&appKey&data); a missing token is treated as the empty string
    public static String calcSignature(String token, String timestamp, String appKey, String data) {
        return DigestUtils.md5Hex(StringUtils.trimToEmpty(token) + "&"
                + timestamp + "&" + appKey + "&" + data);
    }

    public static void main(String[] args) {
        String token = "30dc68e5b4cf40ebd02fb05673c7e3b7";
        String timestamp = "1572522062317";
        String sign = calcSignature(token, timestamp, "12345678", "{\"itemNumId\":\"1502111132496\"}");
        System.out.println(sign);
    }
}

token

_m_h5_tk: a plaintext cookie in the format token_expireTime, obtained from response.cookies, e.g. 30dc68e5b4cf40ebd02fb05673c7e3b7_1572522062317

The token is 30dc68e5b4cf40ebd02fb05673c7e3b7 and the expiry timestamp is 1572522062317.

The token and its storage can be wrapped in a class:

import java.util.Date;
import lombok.AllArgsConstructor;
import lombok.Builder;
import lombok.Data;
import lombok.NoArgsConstructor;
import org.apache.commons.lang3.StringUtils;

@Data
@NoArgsConstructor
@AllArgsConstructor
@Builder
public class Credentials implements Comparable<Credentials> {
    // _m_h5_tk cookie: "token_expireTime" in plaintext
    private String _m_h5_tk;
    // _m_h5_tk_enc cookie: the server's encrypted copy of the token
    private String _m_h5_tk_enc;

    // safety margin (ms) applied when no valid expiry is available
    private static final int OFFSET = 60000;

    public String getToken() {
        if (StringUtils.isEmpty(_m_h5_tk)) {
            return null;
        }
        int sep = _m_h5_tk.indexOf("_");
        return sep < 0 ? _m_h5_tk : _m_h5_tk.substring(0, sep);
    }

    public long getExpireTimestamp() {
        // without a usable cookie pair, report an expiry already in the past
        long t = new Date().getTime() - OFFSET;
        if (StringUtils.isEmpty(_m_h5_tk) || StringUtils.isEmpty(_m_h5_tk_enc)) {
            return t;
        }
        try {
            return Long.parseLong(_m_h5_tk.substring(_m_h5_tk.indexOf("_") + 1));
        } catch (NumberFormatException e) {
            return t;
        }
    }

    public boolean isExpired() {
        if (StringUtils.isEmpty(_m_h5_tk) || StringUtils.isEmpty(_m_h5_tk_enc)) {
            return true;
        }
        return new Date().getTime() > getExpireTimestamp();
    }

    // orders credentials by expiry, latest expiry first
    @Override
    public int compareTo(Credentials o) {
        return Long.compare(o.getExpireTimestamp(), this.getExpireTimestamp());
    }
}

t

Simply the current timestamp, obtained with new Date().getTime()

appKey

A fixed value, taken with a packet-capture tool from the request parameter named appKey

data

The parameter string submitted with the request, taken with a capture tool from the data request parameter; it is usually JSON
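The flow above, put together end to end as an added example (not code from the original post): the _m_h5_tk cookie is split into token and expiry, the sign is computed with the page's formula, and a simplified server-side check returns the MTOP error strings the post quotes. The sample cookie, appKey and data are the post's own worked values; the constant-time comparison, the success marker and leaving out the _m_h5_tk_enc asymmetric check are assumptions of this example.

```python
import hashlib
import hmac

# Sample values taken from the worked example in the post (constructed test input).
SAMPLE_COOKIE = "30dc68e5b4cf40ebd02fb05673c7e3b7_1572522062317"
APP_KEY = "12345678"
DATA = '{"itemNumId":"1502111132496"}'


def parse_m_h5_tk(cookie_value):
    """Split the _m_h5_tk cookie 'token_expireTime' into (token, expire_ms).

    A missing or malformed expiry becomes 0, so it is always treated as expired.
    """
    token, _, expire = cookie_value.partition("_")
    return token, int(expire) if expire.isdigit() else 0


def calc_sign(token, t, app_key, data):
    """sign = md5Hex(token&t&appKey&data), exactly the formula given above."""
    raw = "&".join([token, str(t), app_key, data])
    return hashlib.md5(raw.encode("utf-8")).hexdigest()


def verify_request(cookie_value, t, app_key, data, sign, now_ms):
    """Server-side check as the post describes it.

    Simplification (assumption): the _m_h5_tk_enc asymmetric self-check is omitted.
    Returns the MTOP-style result string; "SUCCESS" is a constructed marker.
    """
    token, expire_ms = parse_m_h5_tk(cookie_value or "")
    if not token or now_ms > expire_ms:
        # empty or stale token: the client must pick up the new cookie and retry
        return "FAIL_SYS_TOKEN_EXOIRED::Token expired"
    expected = calc_sign(token, t, app_key, data)
    # constant-time compare: the digest is the only thing binding the request
    if not hmac.compare_digest(expected, sign):
        return "FAIL_SYS_ILLEGAL_ACCESS::illegal request"
    return "SUCCESS"


if __name__ == "__main__":
    token, expire_ms = parse_m_h5_tk(SAMPLE_COOKIE)
    t = expire_ms - 1000  # a request issued shortly before the token expires
    sign = calc_sign(token, t, APP_KEY, DATA)
    print(verify_request(SAMPLE_COOKIE, t, APP_KEY, DATA, sign, t))
    print(verify_request(SAMPLE_COOKIE, t, APP_KEY, DATA, "0" * 32, t))
```

Note that the scheme binds a request only to the plaintext token: anyone holding the cookie can produce a valid sign, which is why the server's encrypted copy and the short expiry matter.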

Interested readers can keep following, or add me on VX to discuss; more in-depth studies of Taobao-related technology will follow.

Origin blog.51cto.com/14596373/2447017