Verifying the synchronous notification
What is a synchronous notification?
A synchronous notification is an API response that Alipay sends to the API caller synchronously, with the GET method, when the return_url field in the request was set to the URL that handles the synchronous notification. The synchronous notification has two formats: the returnURL format and the XML format.
Note:
The transaction status cannot be confirmed from the data in the return page, because that data passes through the payer's browser and can be changed manually.
The synchronous notification in returnURL:
The return page is responsible for redirecting to the merchant website after the payment is completed. Moreover, some data is also returned by the return page. The return page is one of the following pages, depending on the language:
- Java: return_url.jsp
- Php: return_url.php
- C#: return_url.aspx.cs
The synchronous notification in Xml:
In many cases, one transaction process returns the process result only one time and the process result is in the XML format. With an XML synchronous notification returned, your current Alipay gateway page (https://mapi.alipay.com) will be automatically refreshed and output the process result from Alipay.
Verify the synchronous notification
After receiving a notification, you need to verify the authenticity of the signature to ensure that the data contained in the notification originated from Alipay and was not modified during transmission. By completing the following steps, the notification is verified and you can trust its content.
MD5
1. Process the content of the notification sent from Alipay to get a pre-sign string.
a. Remove the sign and sign_type fields.
b. Sort the remaining fields in alphabetical order from A to Z.
c. Join the remaining fields as key=value pairs with the "&" character.
Note:
If the returned notification is in XML, the returned parameters are contained in the nodes. You can take each node name as the parameter name and each node value as the parameter value. Take the synchronous response data of the create_forex_trade API as an example:
out_trade_no=test20181109153145&total_fee=0.01&trade_status=TRADE_FINISHED&sign=32c532376eee9281fa4d424dd4a40e5b&trade_no=2018110922001332950500389138&currency=USD&sign_type=MD5
After processing, you get the following content to be signed:
currency=USD&out_trade_no=test20181109153145&total_fee=0.01&trade_no=2018110922001332950500389138&trade_status=TRADE_FINISHED
2. Get the value of the mysign parameter.
a. Append the MD5 key to the end of the pre-sign string obtained in Step 1.
b. Compute the MD5 hash of the string that consists of the pre-sign string followed by the MD5 key. Assign this value to the mysign parameter.
3. Verify whether mysign = sign. If the value of mysign, obtained in Step 2, and the value of sign, returned by Alipay, are equal, the signature verification passes and you can trust the content of the notification.
RSA2/RSA
1. Process the content of the notification sent from Alipay to get a pre-sign string.
a. Remove the sign and sign_type fields.
b. Sort the remaining fields in alphabetical order from A to Z.
c. Join the remaining fields as key=value pairs with the "&" character.
Note:
If the returned notification is in XML, the returned parameters are contained in the nodes. You can take each node name as the parameter name and each node value as the parameter value. Take the synchronous response data of the create_forex_trade API as an example:
currency=USD&out_trade_no=FALCN32YWXN2CL4KFT8&trade_no=2020010222001331421405964515&total_fee=108.00&trade_status=TRADE_FINISHED&sign=bOQ2PdVHqBRK7UuewOIFlgQjyKdAVN7itA1VNu3MB+jtK+9Z2TPyTYJXngmwHzfHD44AVNaN90YXoHweivSKU+GmHxlJMBStT1Pie+AemJhJ9J126WMg5GaE+7xmp0V3zxuwFupzJi+A2iX+XxHTv6jOchDEESFSl5W6UXZX1AI&sign_type=RSA2
After processing, you get the following content to be signed:
currency=USD&out_trade_no=FALCN32YWXN2CL4KFT8&total_fee=108.00&trade_no=2020010222001331421405964515&trade_status=TRADE_FINISHED
2. Decode the Base64-encoded signature parameter (sign) into the raw signature bytes.
3. Use the RSA2/RSA verification method to verify the signature. Pass the pre-sign string, the value of the sign parameter, and the Alipay public key to the RSA2/RSA verification method and check the result. For more information about the RSA2/RSA verification method, see the following method in the Demo Code:
public static boolean verify(String content, String sign, String ali_public_key, String input_charset)
To get the Alipay public key, contact Global Merchant Technical Support (AlipayGlobalTechService@service.alipay.com).
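The following Python example, added here and not part of the Alipay demo code, implements Step 1 (the pre-sign string, shared by the MD5 and RSA2/RSA procedures) for both the returnURL and XML formats, and Steps 2 and 3 of the MD5 procedure. The MD5 key and the XML layout are constructed assumptions, since neither is given on this page, so the sample is re-signed with the constructed key before it is checked.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl

# Constructed sample input: the returnURL-format data from the MD5 example above.
SAMPLE_QUERY = ("out_trade_no=test20181109153145&total_fee=0.01&trade_status=TRADE_FINISHED"
                "&sign=32c532376eee9281fa4d424dd4a40e5b&trade_no=2018110922001332950500389138"
                "&currency=USD&sign_type=MD5")
# Constructed sample input: the same fields as an XML notification (node name = parameter name).
SAMPLE_XML = ("<notification><trade_status>TRADE_FINISHED</trade_status><currency>USD</currency>"
              "<out_trade_no>test20181109153145</out_trade_no><total_fee>0.01</total_fee>"
              "<trade_no>2018110922001332950500389138</trade_no>"
              "<sign>32c532376eee9281fa4d424dd4a40e5b</sign><sign_type>MD5</sign_type></notification>")

def params_from_query(query):
    """Parse a returnURL notification. Values are percent-decoded, so a Base64 RSA
    signature containing '+' must have arrived percent-encoded (%2B) to survive intact."""
    return dict(parse_qsl(query, keep_blank_values=True))

def params_from_xml(xml_text):
    """Parse an XML notification: each child node is one parameter."""
    return {node.tag: (node.text or "") for node in ET.fromstring(xml_text)}

def presign_string(params):
    """Step 1 (MD5 and RSA2/RSA): drop sign and sign_type, sort keys A-Z, join with '&'."""
    kept = {k: v for k, v in params.items() if k not in ("sign", "sign_type")}
    return "&".join(f"{k}={kept[k]}" for k in sorted(kept))

def md5_sign(presign, md5_key):
    """Step 2 (MD5): hash the pre-sign string with the key appended; this is 'mysign'."""
    return hashlib.md5((presign + md5_key).encode("utf-8")).hexdigest()

def verify_md5(params, md5_key):
    """Step 3 (MD5): mysign must equal the received sign; compare_digest avoids timing leaks."""
    if params.get("sign_type") != "MD5" or "sign" not in params:
        return False
    mysign = md5_sign(presign_string(params), md5_key)
    return hmac.compare_digest(mysign.encode(), params["sign"].lower().encode())

def demo(md5_key="hypothetical-md5-key"):
    """Re-sign the sample with a constructed key (the real key is not on this page), then
    show that the untouched notification verifies and one with an edited amount does not."""
    params = params_from_query(SAMPLE_QUERY)
    params["sign"] = md5_sign(presign_string(params), md5_key)
    tampered = dict(params, total_fee="100.00")  # the manual edit the Note above warns about
    return verify_md5(params, md5_key), verify_md5(tampered, md5_key)
```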