阿里云短信服务 HTTP 协议签名 golang 版

最近写一个小服务,需要用到发短信的功能。于是打开阿里云的短信服务界面,发现它又双叒叕升级了,印象里好像是第三次还是第四次升级了。升级后接口有些变化,官方为新接口提供了常用语言的 SDK,然而并没有 golang 版的,好在官方文档里提供了 java 版的 HTTP 签名 demo

参照该 demo 我写了一个 golang 版,亲测有效。然而因为懒我并不打算封装成 golang 版的 SDK(除非阿里云给我点买服务器的优惠券……),所以这里仅贴出代码供参考。

首先官方的 java 源码如下:

public class SignDemo {
    public static void main(String[] args) throws Exception {
        String accessKeyId = "testId";
        String accessSecret = "testSecret";
        java.text.SimpleDateFormat df = new java.text.SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'Z'");
        df.setTimeZone(new java.util.SimpleTimeZone(0, "GMT"));// 这里一定要设置GMT时区
        java.util.Map<String, String> paras = new java.util.HashMap<String, String>();
        // 1. 系统参数
        paras.put("SignatureMethod", "HMAC-SHA1");
        paras.put("SignatureNonce", java.util.UUID.randomUUID().toString());
        paras.put("AccessKeyId", accessKeyId);
        paras.put("SignatureVersion", "1.0");
        paras.put("Timestamp", df.format(new java.util.Date()));
        paras.put("Format", "XML");
        // 2. 业务API参数
        paras.put("Action", "SendSms");
        paras.put("Version", "2017-05-25");
        paras.put("RegionId", "cn-hangzhou");
        paras.put("PhoneNumbers", "15300000001");
        paras.put("SignName", "阿里云短信测试专用");
        paras.put("TemplateParam", "{\"customer\":\"test\"}");
        paras.put("TemplateCode", "SMS_71390007");
        paras.put("OutId", "123");
        // 3. 去除签名关键字Key
        if (paras.containsKey("Signature"))
            paras.remove("Signature");
        // 4. 参数KEY排序
        java.util.TreeMap<String, String> sortParas = new java.util.TreeMap<String, String>();
        sortParas.putAll(paras);
        // 5. 构造待签名的字符串
        java.util.Iterator<String> it = sortParas.keySet().iterator();
        StringBuilder sortQueryStringTmp = new StringBuilder();
        while (it.hasNext()) {
            String key = it.next();
            sortQueryStringTmp.append("&").append(specialUrlEncode(key)).append("=").append(specialUrlEncode(paras.get(key)));
        }
        String sortedQueryString = sortQueryStringTmp.substring(1);// 去除第一个多余的&符号
        StringBuilder stringToSign = new StringBuilder();
        stringToSign.append("GET").append("&");
        stringToSign.append(specialUrlEncode("/")).append("&");
        stringToSign.append(specialUrlEncode(sortedQueryString));
        String sign = sign(accessSecret + "&", stringToSign.toString());
        // 6. 签名最后也要做特殊URL编码
        String signature = specialUrlEncode(sign);
        System.out.println(paras.get("SignatureNonce"));
        System.out.println("\r\n=========\r\n");
        System.out.println(paras.get("Timestamp"));
        System.out.println("\r\n=========\r\n");
        System.out.println(sortedQueryString);
        System.out.println("\r\n=========\r\n");
        System.out.println(stringToSign.toString());
        System.out.println("\r\n=========\r\n");
        System.out.println(sign);
        System.out.println("\r\n=========\r\n");
        System.out.println(signature);
        System.out.println("\r\n=========\r\n");
        // 最终打印出合法GET请求的URL
        System.out.println("http://dysmsapi.aliyuncs.com/?Signature=" + signature + sortQueryStringTmp);
    }
    public static String specialUrlEncode(String value) throws Exception {
        return java.net.URLEncoder.encode(value, "UTF-8").replace("+", "%20").replace("*", "%2A").replace("%7E", "~");
    }
    public static String sign(String accessSecret, String stringToSign) throws Exception {
        javax.crypto.Mac mac = javax.crypto.Mac.getInstance("HmacSHA1");
        mac.init(new javax.crypto.spec.SecretKeySpec(accessSecret.getBytes("UTF-8"), "HmacSHA1"));
        byte[] signData = mac.doFinal(stringToSign.getBytes("UTF-8"));
        return new sun.misc.BASE64Encoder().encode(signData);
    }
}

参考该代码写的 golang 版的:

package main

import (
	"sort"
	"time"
	"fmt"
	"crypto/hmac"
	"crypto/sha1"
	"math/rand"
	"net/url"
	"strings"
	"encoding/base64"
)

func main() {
	accessKeyId := "testId"
	accessSecret := "testSecret"

	timezone, err := time.LoadLocation("GMT0") // 这里一定要设置GMT时区
	if err != nil {
		panic(err)
	}

	paras := make(map[string]string)

	// 1. 系统参数
	paras["SignatureMethod"] = "HMAC-SHA1"
	paras["SignatureNonce"] = fmt.Sprintf("%v", randomString(16)) // 原例子中是使用 UUID,但 golang 原生包里并没有支持,故用随机字符串代替
	paras["AccessKeyId"] = accessKeyId
	paras["SignatureVersion"] = "1.0"
	paras["Timestamp"] = time.Now().In(timezone).Format("2006-01-02T15:04:05Z")
	paras["Format"] = "XML"

	// 2. 业务参数
	paras["Action"] = "SendSms"
	paras["Version"] = "2017-05-25"
	paras["RegionId"] = "cn-hangzhou"
	paras["PhoneNumbers"] = "15300000001"
	paras["SignName"] = "阿里云短信测试专用"
	paras["TemplateCode"] = `{"customer":"test"}`
	paras["TemplateParam"] = "SMS_71390007"
	paras["OutId"] = "123"

	// 3. 去除签名关键字Key
	delete(paras, "Signature")

	// 4. 参数KEY排序
	parasIndex := make([]string, 0)
	for k := range paras {
		parasIndex = append(parasIndex, k)
	}
	sort.Strings(parasIndex)

	// 5. 构造待签名的字符串
	sortedQueryString := ""
	for _, v := range parasIndex {
		sortedQueryString = sortedQueryString + "&" + specialUrlEncode(v) + "=" + specialUrlEncode(paras[v])
	}

	// 去除第一个多余的&符号
	sortedQueryString = sortedQueryString[1:]

	stringToSign := "GET" + "&" + specialUrlEncode("/") + "&" + specialUrlEncode(sortedQueryString)

	signStr := sign(accessSecret  + "&", stringToSign)

	// 6. 签名最后也要做特殊URL编码
	signature := specialUrlEncode(signStr)

	// 最终打印出合法GET请求的URL
	urlStr := "http://dysmsapi.aliyuncs.com/?Signature=" + signature + "&" + sortedQueryString
	fmt.Println(urlStr)
}

func randomString(length int) string {
	base := "abcdefghijklmnopqrstuvwxyz1234567890"
	result := ""
	r := rand.New(rand.NewSource(time.Now().UnixNano()))
	for len(result) < length {
		index := r.Intn(len(base))
		result = result + base[index : index + 1]
	}
	return result
}

func specialUrlEncode(value string) string {
	result := url.QueryEscape(value)
	result = strings.Replace(result, "+", "%20", -1)
	result = strings.Replace(result, "*", "%2A", -1)
	result = strings.Replace(result, "%7E", "~", -1)
	return result
}

func sign(accessSecret, strToSign string) string {
	mac := hmac.New(sha1.New, []byte(accessSecret))
	mac.Write([]byte(strToSign))
	signData := mac.Sum(nil)
	return base64.StdEncoding.EncodeToString(signData)
}

以上。