微工卡并发调用PayrollCardService#getRelation验签失败

[zhangjs28]

错误描述

发生验签失败
https://developers.weixin.qq.com/community/pay/doc/00066ef2658830a0901f83a5e51800?fromCreate=1

重现bug的步骤

在并发查询时发生验签失败异常

预期行为

验签不应该失败

导致错误的代码片段

package com.wechat.pay.java.core.cipher;

import static java.util.Objects.requireNonNull;

import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.SignatureException;
import java.util.Base64;

public abstract class AbstractSigner implements Signer {

  private final String certificateSerialNumber;
  private final String algorithm;
  private final Signature signature;

  /**
   * AbstractSigner 构造函数
   *
   * @param algorithm 微信支付的签名算法，例如SHA256-RSA2048
   * @param algorithmName 获取Signature对象时指定的算法，例如SHA256withRSA
   * @param certificateSerialNumber 商户API证书序列号
   * @param privateKey 商户API私钥
   */
  protected AbstractSigner(
      String algorithm,
      String algorithmName,
      String certificateSerialNumber,
      PrivateKey privateKey) {
    this.algorithm = requireNonNull(algorithm);
    this.certificateSerialNumber = requireNonNull(certificateSerialNumber);
    try {
      this.signature = Signature.getInstance(algorithmName);
      this.signature.initSign(privateKey);
    } catch (NoSuchAlgorithmException e) {
      throw new UnsupportedOperationException(
          "The current Java environment does not support " + algorithmName, e);
    } catch (InvalidKeyException e) {
      throw new IllegalArgumentException(algorithm + " signature uses an illegal privateKey.", e);
    }
  }

  @Override
  public SignatureResult sign(String message) {
    requireNonNull(message);
    byte[] sign;
    try {
      signature.update(message.getBytes(StandardCharsets.UTF_8));
      sign = signature.sign();
    } catch (SignatureException e) {
      throw new RuntimeException("An error occurred during the sign process.", e);
    }
    return new SignatureResult(Base64.getEncoder().encodeToString(sign), certificateSerialNumber);
  }

  @Override
  public String getAlgorithm() {
    return algorithm;
  }
}

操作系统

linux

Java 版本

1.8

wechatpay-java 版本

0.2.3

其他信息

@Override
    public SignatureResult sign(String message) {
        requireNonNull(message);
        byte[] sign;
        try {
            Signature signature = Signature.getInstance(algorithmName);
            signature.initSign(privateKey);
            signature.update(message.getBytes(StandardCharsets.UTF_8));

            sign = signature.sign();
        } catch (NoSuchAlgorithmException e) {
            throw new UnsupportedOperationException(
                    "The current Java environment does not support " + algorithmName, e);
        } catch (InvalidKeyException e) {
            throw new IllegalArgumentException(algorithm + " signature uses an illegal privateKey.", e);
        } catch (SignatureException e) {
            throw new RuntimeException("An error occurred during the sign process.", e);
        }
        return new SignatureResult(Base64.getEncoder().encodeToString(sign), certificateSerialNumber);
    }

Signature对象获取改到com.huixian.alpharisk.util.wgk.WgkSigner#sign中，生成的签名，并发调用不再发生验签失败