Order and Shopping Cart
First, copy the service code framework of srv from the inventory service and find and replace the corresponding name (order_srv)
Fundamentals of Encryption Technology
Symmetric Encryption(Symmetric Encryption)
Principle:
- Uses the same key for encryption and decryption
- Like a single key that can both lock and unlock a door
- Fast encryption speed, suitable for large data transfers
Use Cases:
- Local file encryption
- Database content encryption
- Content encryption during large data transfers
- Fast communication between internal systems
Pros and Cons:
- ✅ Fast speed, high efficiency
- ❌ Key distribution is difficult and prone to interception
Asymmetric Encryption(Asymmetric Encryption)
Principle:
- Uses a pair of keys: public key and private key
- Content encrypted with the public key can only be decrypted with the private key
- Content signed with the private key can be verified with the public key
- Like an email address (public key) and password (private key)
Use Cases:
- Digital signature for identity verification
- Secure transmission of symmetric encryption keys
- HTTPS certificate verification
- Blockchain transaction signing
Pros and Cons:
- ✅ High security, secure key distribution
- ❌ Slow speed, not suitable for large amounts of data
Detailed Analysis of Alipay Payment Process
Payment Flowchart
graph TD
A[用户浏览器] -->|1. 下订单| B[慕学生鲜商户系统]
B -->|2. 返回支付URL| A
A -->|3. 跳转支付宝支付| C[支付宝支付平台]
B -->|发起支付请求| C
subgraph "商户端密钥管理"
D[商户私钥<br/>自己留着]
E[商户公钥<br/>给支付宝]
end
subgraph "支付宝端密钥管理"
F[支付宝私钥<br/>严格保密]
G[支付宝公钥<br/>给商户]
end
subgraph "安全验证机制"
H[数字签名验证]
I[请求可信度检查]
J[通知真实性验证]
end
B -.->|使用私钥签名| D
C -.->|使用公钥验证| E
C -.->|使用私钥签名| F
B -.->|使用公钥验证| G
C -->|4. 支付结果通知| B
style A fill:#e1f5fe
style B fill:#f3e5f5
style C fill:#e8f5e8
style D fill:#ffebee
style E fill:#fff3e0
style F fill:#ffebee
style G fill:#fff3e0
style H fill:#f1f8e9
style I fill:#f1f8e9
style J fill:#f1f8e9
System Architecture and Participants
Three Core Roles:
- Browser: User-side, responsible for user interaction
- Muxueshengxian (Merchant System): E-commerce platform's backend service
- Alipay: Third-party payment platform
Key Management System (Core of Asymmetric Encryption)
Merchant-side Key Management
-
Private Key (Secret Key - Kept by Merchant):
-
Strictly confidential to the merchant, never to be disclosed
- Used for digitally signing requests sent to Alipay
-
Proves that the request indeed originated from the merchant
-
Public Key (Public Key - Given to Alipay):
- Provided to the Alipay platform
- Alipay uses it to verify the merchant's request signature
- Ensures the authenticity and integrity of the request
Alipay-side Key Management
-
Private Key (Secret Key):
-
Alipay keeps it strictly confidential
- Used for digitally signing payment notifications
-
Proves that the notification indeed originated from official Alipay
-
Public Key (Public Key - For Merchant's Use):
- Provided to the merchant system
- The merchant uses it to verify the Alipay notification signature
- Ensures the authenticity of the payment result notification
Detailed Payment Process Steps
Step 1: User Places Order
- User browses products in the browser
- Selects products and submits the order
- The browser sends an order request to the merchant system
Step 2: Generate Payment Request (Critical Security Step)
Merchant System Processing:
- Receives user order information
- Constructs payment parameters (order number, amount, product information, etc.)
- Digitally signs the payment request using the merchant's private key
- Sends the signed request to Alipay
Alipay Verification:
- Receives the merchant's payment request
- Verifies the request signature using the merchant's public key
- Checks "if this request is trustworthy"
- After successful verification, generates a payment URL
- Returns the payment URL to the merchant system
Security Mechanism Explanation:
- Digital signature ensures the request originates from a legitimate merchant
- Prevents malicious third parties from forging payment requests
- Ensures that request data has not been tampered with during transmission
Step 3: User Makes Payment
- The merchant system returns the payment URL to the browser
- The browser automatically redirects to the Alipay payment page
- The user completes the payment operation on the Alipay page (enters password, selects payment method, etc.)
Step 4: Payment Result Notification (Critical Security Step)
Alipay Processing:
- Processes user payment operation
- Generates payment result notification
- Digitally signs the notification using Alipay's private key
- Sends the signed notification to the merchant system
Merchant System Verification:
- Receives Alipay's payment notification
- Verifies the notification signature using Alipay's public key
- Confirms the notification is from official Alipay
- Verifies payment result and order information
- Updates order status, completes the transaction
Security Mechanism Explanation:
- Digital signature ensures the notification originates from official Alipay
- Prevents malicious third parties from forging successful payment notifications
- Ensures the authenticity and integrity of payment result data
How Digital Signatures Work
The Essence of Digital Signatures:
- Uses a private key to encrypt data, generating a "signature"
- Uses the corresponding public key to verify the signature, confirming data source and integrity
- Like a handwritten signature in reality, but more secure and unforgeable
Application in the Payment Process:
- Merchant Signature: Merchant signs with private key → Alipay verifies with merchant's public key
- Alipay Signature: Alipay signs with private key → Merchant verifies with Alipay's public key
Security Protection Mechanisms
Anti-Forgery Attack:
- Without the private key, an effective signature cannot be generated
- The public key can only verify, not forge, a signature
Anti-Tampering Attack:
- If data is modified, signature verification will fail
- Ensures data integrity during transmission
Anti-Replay Attack:
- Typically used with timestamps and nonces
- Prevents malicious repeated submission of identical payment requests
Encryption Technology Applications
- Symmetric Encryption: Used for fast encrypted transmission of large amounts of payment data
- Asymmetric Encryption: Used for digital signatures and identity verification
- Public Key Verification: Ensures the authenticity of communicating parties and data integrity
Alipay Developer Platform
Environment Configuration
Sandbox Environment (Testing)
- Use Alipay Sandbox environment for testing
- Configure Sandbox App ID and keys
- Set callback notification URL
Production Environment
- Apply for official application and get it approved
- Configure production environment keys
- Set HTTPS callback URL
Integration Considerations
-
Key Management
-
Properly store the application private key, do not disclose it
- Regularly change keys
-
Use environment variables to store sensitive information
-
Communication Security
-
All API calls must use HTTPS
- Verify the authenticity of Alipay's public key
-
Encrypt sensitive data during transmission
-
Data Validation
- Verify the signature of payment notifications
- Check order amount and status
- Prevent duplicate processing of notifications
Public and private keys for the sandbox environment
主题测试文章,只做测试使用。发布者:Walker,转转请注明出处:https://walker-learn.xyz/archives/6755
