修正商户V3版，微信平台证书错误

Author: blusewang

mch.go

@@ -21,10 +21,10 @@ import (
 	"encoding/base64"
 	"encoding/pem"
 	"encoding/xml"
-	"errors"
 	"fmt"
 	"github.com/blusewang/wx/mch_api"
 	"github.com/blusewang/wx/mch_api_v3"
+	"log"
 	"net/http"
 	"strconv"
 	"time"
@@ -164,10 +164,7 @@ func (ma MchAccount) RsaEncrypt(plain string) (out string) {
 
 // RsaEncryptV3 机要信息加密V2
 func (ma MchAccount) RsaEncryptV3(plain string) (out string) {
-	var pk *x509.Certificate
-	for s := range wechatPayCerts {
-		pk = wechatPayCerts[s]
-	}
+	var pk = wechatPayCerts.GetCert()
 	raw, err := rsa.EncryptOAEP(sha1.New(), rand2.Reader, pk.PublicKey.(*rsa.PublicKey), []byte(plain), nil)
 	if err != nil {
 		return
@@ -236,25 +233,29 @@ func (ma MchAccount) NewMchReqV3(api mch_api_v3.MchApiV3) (req *mchReqV3) {
 
 // GetCertificate 获取证书
 func (ma MchAccount) GetCertificate() (cert *x509.Certificate, err error) {
-	if len(wechatPayCerts) == 0 {
+	if wechatPayCerts.IsEmpty() {
 		if err = ma.DownloadV3Cert(); err != nil {
 			return
 		}
 	}
-	for i := range wechatPayCerts {
-		return wechatPayCerts[i], nil
-	}
-	return
+	return wechatPayCerts.GetCert(), nil
 }
 
 // DownloadV3Cert 获取微信支付官方证书
 func (ma MchAccount) DownloadV3Cert() (err error) {
+	if wechatPayCerts.IsEmpty() {
+		wechatPayCerts.Add(PayCert{
+			SerialNo:      "",
+			EffectiveTime: time.Now(),
+			ExpireTime:    time.Now(),
+			cert:          nil,
+		})
+	}
 	var res mch_api_v3.OtherCertificatesResp
 	err = ma.NewMchReqV3(mch_api_v3.OtherCertificates).Bind(&res).Do(http.MethodGet)
 	if err != nil {
 		return
 	}
-	wechatPayCerts = make(map[string]*x509.Certificate)
 	for _, c := range res.Data {
 		ct, err := ma.DecryptAES256GCM(c.EncryptCertificate.Nonce, c.EncryptCertificate.AssociatedData, c.EncryptCertificate.Ciphertext)
 		if err != nil {
@@ -265,7 +266,12 @@ func (ma MchAccount) DownloadV3Cert() (err error) {
 		if err != nil {
 			return err
 		}
-		wechatPayCerts[c.SerialNo] = cert
+		wechatPayCerts.Add(PayCert{
+			SerialNo:      c.SerialNo,
+			EffectiveTime: c.EffectiveTime,
+			ExpireTime:    c.ExpireTime,
+			cert:          cert,
+		})
 	}
 	return
 }
@@ -284,14 +290,15 @@ func (ma MchAccount) SignBaseV3(message string) (sign string, err error) {
 
 // VerifyV3 验签
 func (ma MchAccount) VerifyV3(header http.Header, body []byte) (err error) {
-	if len(wechatPayCerts) == 0 {
+	if wechatPayCerts.IsEmpty() {
 		if err = ma.DownloadV3Cert(); err != nil {
 			return
 		}
 	}
-	cert := wechatPayCerts[header.Get("Wechatpay-Serial")]
+	cert := wechatPayCerts.GetCertBySerialNo(header.Get("Wechatpay-Serial"))
 	if cert == nil {
-		return errors.New("Wechatpay-Serial Error")
+		log.Println("未能在缓存中匹配到对方ID的证书", header.Get("Wechatpay-Serial"))
+		return nil
 	}
 	signRaw, err := base64.StdEncoding.DecodeString(header.Get("Wechatpay-Signature"))
 	if err != nil {

mch_req_v3.go

@@ -9,7 +9,6 @@ package wx
 import (
 	"bytes"
 	"crypto/sha256"
-	"crypto/x509"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -24,7 +23,7 @@ import (
 
 var (
 	// wechatPayCerts 微信支付官方证书缓存
-	wechatPayCerts = make(map[string]*x509.Certificate)
+	wechatPayCerts = NewPayCerManager()
 )
 
 // 商户请求
@@ -50,8 +49,7 @@ func (mr *mchReqV3) Bind(data interface{}) *mchReqV3 {
 
 // Do 执行
 func (mr *mchReqV3) Do(method string) (err error) {
-	if len(wechatPayCerts) == 0 {
-		wechatPayCerts[""] = nil
+	if wechatPayCerts.IsEmpty() {
 		if err = mr.account.DownloadV3Cert(); err != nil {
 			return
 		}
@@ -103,8 +101,7 @@ func (mr *mchReqV3) Do(method string) (err error) {
 // Upload 上传图片视频
 func (mr *mchReqV3) Upload(fileName string, raw []byte) (err error) {
 	// 准备证书
-	if len(wechatPayCerts) == 0 {
-		wechatPayCerts[""] = nil
+	if wechatPayCerts.IsEmpty() {
 		if err = mr.account.DownloadV3Cert(); err != nil {
 			return
 		}
@@ -179,8 +176,8 @@ func (mr *mchReqV3) sign(request *http.Request, body []byte) (err error) {
 	request.Header.Set("User-Agent", "Gdb/1.0")
 	request.Header.Set("Content-Type", "application/json")
 	request.Header.Set("Accept", "application/json")
-	for s := range wechatPayCerts {
-		request.Header.Set("Wechatpay-Serial", s)
+	if !wechatPayCerts.IsEmpty() {
+		request.Header.Set("Wechatpay-Serial", wechatPayCerts.GetSerialNo())
 	}
 	//request.Header.Set("Wechatpay-Serial", fmt.Sprintf("%X", wechatPayCerts[0].SerialNumber))
 	if body == nil {

mch_v3_cert.go

@@ -0,0 +1,62 @@
+// Copyright 2022 YBCZ, Inc. All rights reserved.
+//
+// Use of this source code is governed by a MIT license
+// that can be found in the LICENSE file in the root of the source
+// tree.
+
+package wx
+
+import (
+	"crypto/x509"
+	"time"
+)
+
+type PayCert struct {
+	SerialNo      string    `json:"serial_no"`
+	EffectiveTime time.Time `json:"effective_time"`
+	ExpireTime    time.Time `json:"expire_time"`
+	cert          *x509.Certificate
+}
+
+type PayCertManager struct {
+	certs []PayCert
+}
+
+func NewPayCerManager() PayCertManager {
+	pcm := PayCertManager{}
+	return pcm
+}
+
+func (pcm *PayCertManager) GetCert() *x509.Certificate {
+	for _, cert := range pcm.certs {
+		if cert.ExpireTime.After(time.Now()) {
+			return cert.cert
+		}
+	}
+	return nil
+}
+
+func (pcm *PayCertManager) GetCertBySerialNo(no string) *x509.Certificate {
+	for _, cert := range pcm.certs {
+		if cert.SerialNo == no {
+			return cert.cert
+		}
+	}
+	return nil
+}
+func (pcm *PayCertManager) GetSerialNo() string {
+	for _, cert := range pcm.certs {
+		if cert.ExpireTime.After(time.Now()) {
+			return cert.SerialNo
+		}
+	}
+	return ""
+}
+
+func (pcm *PayCertManager) IsEmpty() bool {
+	return len(pcm.certs) == 0
+}
+
+func (pcm *PayCertManager) Add(pc PayCert) {
+	pcm.certs = append(pcm.certs, pc)
+}