{"id":13694685,"url":"https://github.com/wechatpay-apiv3/CertificateDownloader","last_synced_at":"2025-05-03T04:30:48.047Z","repository":{"id":37663468,"uuid":"198823967","full_name":"wechatpay-apiv3/CertificateDownloader","owner":"wechatpay-apiv3","description":"Java command-line download tool for WeChat Pay APIv3 platform certificates","archived":false,"fork":false,"pushed_at":"2023-08-30T02:43:04.000Z","size":3840,"stargazers_count":259,"open_issues_count":1,"forks_count":76,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-04-07T06:06:54.888Z","etag":null,"topics":["certificate","command-line","java","wechat","wechat-pay"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/wechatpay-apiv3.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2019-07-25T12:06:23.000Z","updated_at":"2025-01-19T18:04:07.000Z","dependencies_parsed_at":"2024-01-14T19:12:09.752Z","dependency_job_id":"1fbe9965-edd6-4a13-b05c-1ed255151ed0","html_url":"https://github.com/wechatpay-apiv3/CertificateDownloader","commit_stats":null,"previous_names":["eliaszzz/certificatedownloader"],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wechatpay-apiv3%2FCertificateDownloader","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wechatpay-apiv3%2FCertificateDownloader/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wechatpay-apiv3%2FCertificateDownloader/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wechatpay-
apiv3%2FCertificateDownloader/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/wechatpay-apiv3","download_url":"https://codeload.github.com/wechatpay-apiv3/CertificateDownloader/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252144406,"owners_count":21701405,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["certificate","command-line","java","wechat","wechat-pay"],"created_at":"2024-08-02T17:01:37.331Z","updated_at":"2025-05-03T04:30:45.626Z","avatar_url":"https://github.com/wechatpay-apiv3.png","language":"Java","funding_links":[],"categories":["Java"],"sub_categories":[],"readme":"# Certificate Downloader\n\nCertificate Downloader is a Java command-line tool for downloading WeChat Pay APIv3 platform certificates. It retrieves the certificates available to a merchant from the `https://api.mch.weixin.qq.com/v3/certificates` endpoint, decrypts them with the [APIv3 key](https://wechatpay-api.gitbook.io/wechatpay-api-v3/ren-zheng/api-v3-mi-yao) using the AES_256_GCM algorithm, and saves the decrypted certificates to the specified location.\n\nThe tool uses [wechatpay-apache-httpclient](), [Maven](https://github.com/apache/maven), [picocli](https://github.com/remkop/picocli), [gson](), [lombok](https://github.com/rzwitserloot/lombok) and other libraries.\n\n## Prerequisites\n\n+ JRE 1.8+\n\n## Quick start\n\nThe tool is packaged with Maven as CertificateDownloader.jar, which can be downloaded from [release](https://github.com/EliasZzz/CertificateDownloader/releases).\n\nAfter downloading the jar, if you do not yet have a certificate, use the following command for the first download; see [FAQ: How to download the certificate for the first time](#how-to-download-the-certificate-for-the-first-time) for details:\n\n```bash\njava -jar CertificateDownloader.jar -k ${apiV3key} -m ${mchId} -f ${mchPrivateKeyFilePath} -s ${mchSerialNo} -o ${outputFilePath}\n```\n\nIf you already have a WeChat Pay platform certificate, the full command is:\n\n```\njava -jar CertificateDownloader.jar -k 
${apiV3key} -m ${mchId} -f ${mchPrivateKeyFilePath} -s ${mchSerialNo} -o ${outputFilePath} -c ${wechatpayCertificateFilePath}\n```\n\n## Usage\n\nRequired parameters:\n\n- `-f \u003cprivateKeyFilePath\u003e`: path to the merchant API private key file\n- `-k \u003capiV3Key\u003e`: key used to decrypt the certificate\n- `-m \u003cmerchantId\u003e`: merchant ID\n- `-o \u003coutputFilePath\u003e`: path where the certificate is saved\n- `-s \u003cmerchantSerialNo\u003e`: serial number of the merchant API certificate\n\nOptional parameters:\n\n- `-c \u003cwechatpayCertificatePath\u003e`: path to the WeChat Pay platform certificate. If you do not have a certificate yet, omit this parameter for now.\n\nYou can also run `java -jar CertificateDownloader.jar -h` to view the help:\n\n![1564047129669](images/help.png)\n\n## Security notes\n\nThe tool takes the following security measures:\n\n- **HTTPS**: the certificate download request is made over HTTPS\n- **AES encryption**: WeChat Pay encrypts the certificate data with AES-256-GCM, so after receiving the response the tool decrypts the certificate with the **symmetric key** (the user has to supply the symmetric key here; out of concern for the security of the **symmetric key**, a later version will be able to save the undecrypted certificate directly and leave decryption to the user)\n- **Response signature verification**: WeChat Pay includes a signature in the HTTP headers of the response, and the tool uses the decrypted certificate to verify the signature of the response, thereby confirming that the certificate is correct\n\nAfter downloading the certificate, if you are still concerned that it may be wrong, you can:\n\n- **Check the issuer**: use a certificate viewer to check that the certificate's issuer is **Tenpay.com Root CA**\n- **Verify the trust chain**: verify the platform certificate against the certificate trust chain\n\n### Verifying the platform certificate with the trust chain\n\nUse the openssl tool to verify the platform certificate against the certificate trust chain:\n- First, download the platform certificate trust chain [CertTrustChain.p7b](https://wx.gtimg.com/mch/files/CertTrustChain.p7b) from the WeChat Pay merchant platform and convert it to PEM certificate format:\n  \n  ```bash\n  openssl pkcs7 -print_certs -in CertTrustChain.p7b -inform der -out CertTrustChain.pem\n  ```\n  \n- Then verify the downloaded platform certificate, using -CAfile file to specify the trusted certificates:\n\n  ```bash\n  openssl verify -verbose -CAfile ./CertTrustChain.pem ./WeChatPayPlatform.pem\n  ```\n  \n\n## FAQ\n\n### How to download the certificate for the first time\n\nResponses from WeChat Pay must be verified with the platform certificate, but the platform certificate can only be downloaded through the [get platform certificates API](https://wechatpay-api.gitbook.io/wechatpay-api-v3/jie-kou-wen-dang/ping-tai-zheng-shu#huo-qu-ping-tai-zheng-shu-lie-biao), so the first time you fetch the certificate you hit an “infinite loop”.\n\nTo break this “infinite loop”, signature verification can be skipped temporarily in order to obtain the certificate. That is, you can download without providing the WeChat Pay certificate parameter (the -c parameter); once the certificate has been downloaded, the tool uses the downloaded certificate to verify the signature of the response.\n\nAfter the first download, we **strongly recommend** following [How to verify the platform certificate with the certificate trust chain](https://pay.weixin.qq.com/docs/merchant/development/interface-rules/certificate-faqs.html#%E5%A6%82%E4%BD%95%E9%80%9A%E8%BF%87%E8%AF%81%E4%B9%A6%E4%BF%A1%E4%BB%BB%E9%93%BE%E9%AA%8C%E8%AF%81%E5%B9%B3%E5%8F%B0%E8%AF%81%E4%B9%A6) to verify the authenticity of the certificate.\n\n### Are there download tools in other languages\n\nYes:\n\n+ PHP: see 
[wechatpay-php](https://github.com/wechatpay-apiv3/wechatpay-php#%E5%A6%82%E4%BD%95%E4%B8%8B%E8%BD%BD%E5%B9%B3%E5%8F%B0%E8%AF%81%E4%B9%A6)\n+ Go: see [wechatpay_download_certs.go](https://github.com/wechatpay-apiv3/wechatpay-go/blob/main/cmd/wechatpay_download_certs/wechatpay_download_certs.go)\n\n## References\n\n- [WeChat Pay wechatpay-apache-httpclient documentation](https://github.com/wechatpay-apiv3/wechatpay-apache-httpclient/blob/master/README.md)\n- [WeChat Pay APIv3 documentation](https://pay.weixin.qq.com/wiki/doc/apiv3/wechatpay/wechatpay-1.shtml)\n- [Picocli documentation](https://github.com/remkop/picocli/blob/master/README.md)\n- [Gson documentation](https://github.com/google/gson/blob/master/README.md)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwechatpay-apiv3%2FCertificateDownloader","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fwechatpay-apiv3%2FCertificateDownloader","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwechatpay-apiv3%2FCertificateDownloader/lists"}