提交 | 用户 | age
|
826b66
|
1 |
/** |
C |
2 |
* 对企业微信发送给企业后台的消息加解密示例代码. |
|
3 |
* |
|
4 |
* @copyright Copyright (c) 1998-2014 Tencent Inc. |
|
5 |
*/ |
|
6 |
|
|
7 |
// ------------------------------------------------------------------------ |
|
8 |
|
|
9 |
package com.qq.weixin.mp.aes; |
|
10 |
|
|
11 |
import java.io.StringReader; |
|
12 |
|
|
13 |
import javax.xml.parsers.DocumentBuilder; |
|
14 |
import javax.xml.parsers.DocumentBuilderFactory; |
|
15 |
|
|
16 |
import org.w3c.dom.Document; |
|
17 |
import org.w3c.dom.Element; |
|
18 |
import org.w3c.dom.NodeList; |
|
19 |
import org.xml.sax.InputSource; |
|
20 |
|
|
21 |
/** |
|
22 |
* XMLParse class |
|
23 |
* |
|
24 |
* 提供提取消息格式中的密文及生成回复消息格式的接口. |
|
25 |
*/ |
|
26 |
class XMLParse { |
|
27 |
|
|
28 |
/** |
|
29 |
* 提取出xml数据包中的加密消息 |
|
30 |
* @param xmltext 待提取的xml字符串 |
|
31 |
* @return 提取出的加密消息字符串 |
|
32 |
* @throws AesException |
|
33 |
*/ |
|
34 |
public static Object[] extract(String xmltext) throws AesException { |
|
35 |
Object[] result = new Object[3]; |
|
36 |
try { |
|
37 |
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); |
|
38 |
|
|
39 |
String FEATURE = null; |
|
40 |
// This is the PRIMARY defense. If DTDs (doctypes) are disallowed, almost all XML entity attacks are prevented |
|
41 |
// Xerces 2 only - http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl |
|
42 |
FEATURE = "http://apache.org/xml/features/disallow-doctype-decl"; |
|
43 |
dbf.setFeature(FEATURE, true); |
|
44 |
|
|
45 |
// If you can't completely disable DTDs, then at least do the following: |
|
46 |
// Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-general-entities |
|
47 |
// Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-general-entities |
|
48 |
// JDK7+ - http://xml.org/sax/features/external-general-entities |
|
49 |
FEATURE = "http://xml.org/sax/features/external-general-entities"; |
|
50 |
dbf.setFeature(FEATURE, false); |
|
51 |
|
|
52 |
// Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-parameter-entities |
|
53 |
// Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-parameter-entities |
|
54 |
// JDK7+ - http://xml.org/sax/features/external-parameter-entities |
|
55 |
FEATURE = "http://xml.org/sax/features/external-parameter-entities"; |
|
56 |
dbf.setFeature(FEATURE, false); |
|
57 |
|
|
58 |
// Disable external DTDs as well |
|
59 |
FEATURE = "http://apache.org/xml/features/nonvalidating/load-external-dtd"; |
|
60 |
dbf.setFeature(FEATURE, false); |
|
61 |
|
|
62 |
// and these as well, per Timothy Morgan's 2014 paper: "XML Schema, DTD, and Entity Attacks" |
|
63 |
dbf.setXIncludeAware(false); |
|
64 |
dbf.setExpandEntityReferences(false); |
|
65 |
|
|
66 |
// And, per Timothy Morgan: "If for some reason support for inline DOCTYPEs are a requirement, then |
|
67 |
// ensure the entity settings are disabled (as shown above) and beware that SSRF attacks |
|
68 |
// (http://cwe.mitre.org/data/definitions/918.html) and denial |
|
69 |
// of service attacks (such as billion laughs or decompression bombs via "jar:") are a risk." |
|
70 |
|
|
71 |
// remaining parser logic |
|
72 |
DocumentBuilder db = dbf.newDocumentBuilder(); |
|
73 |
StringReader sr = new StringReader(xmltext); |
|
74 |
InputSource is = new InputSource(sr); |
|
75 |
Document document = db.parse(is); |
|
76 |
|
|
77 |
Element root = document.getDocumentElement(); |
|
78 |
NodeList nodelist1 = root.getElementsByTagName("Encrypt"); |
|
79 |
NodeList nodelist2 = root.getElementsByTagName("ToUserName"); |
|
80 |
result[0] = 0; |
|
81 |
result[1] = nodelist1.item(0).getTextContent(); |
|
82 |
result[2] = nodelist2.item(0).getTextContent(); |
|
83 |
return result; |
|
84 |
} catch (Exception e) { |
|
85 |
e.printStackTrace(); |
|
86 |
throw new AesException(AesException.ParseXmlError); |
|
87 |
} |
|
88 |
} |
|
89 |
|
|
90 |
/** |
|
91 |
* 生成xml消息 |
|
92 |
* @param encrypt 加密后的消息密文 |
|
93 |
* @param signature 安全签名 |
|
94 |
* @param timestamp 时间戳 |
|
95 |
* @param nonce 随机字符串 |
|
96 |
* @return 生成的xml字符串 |
|
97 |
*/ |
|
98 |
public static String generate(String encrypt, String signature, String timestamp, String nonce) { |
|
99 |
|
|
100 |
String format = "<xml>\n" + "<Encrypt><![CDATA[%1$s]]></Encrypt>\n" |
|
101 |
+ "<MsgSignature><![CDATA[%2$s]]></MsgSignature>\n" |
|
102 |
+ "<TimeStamp>%3$s</TimeStamp>\n" + "<Nonce><![CDATA[%4$s]]></Nonce>\n" + "</xml>"; |
|
103 |
return String.format(format, encrypt, signature, timestamp, nonce); |
|
104 |
|
|
105 |
} |
|
106 |
} |