alipay
diff --git a/‎.gitignore
+2-1 b/‎.gitignore
+2-1
diff --git a/‎LEGAL.md
+7 b/‎LEGAL.md
+7
diff --git a/‎README.md
+22 b/‎README.md
+22
diff --git a/‎lib/alipay.ts
+91-48 b/‎lib/alipay.ts
+91-48
diff --git a/‎lib/antcertutil.ts
+80 b/‎lib/antcertutil.ts
+80
@@ -4,4 +4,5 @@ lib/*.js.map
 coverage/
 .vscode/
 lib/*.d.ts
-.nyc_output
+.nyc_output
+.DS_Store
@@ -0,0 +1,7 @@
+Legal Disclaimer
+
+Within this source code, the comments in Chinese shall be the original, governing version. Any comment in other languages are for reference only. In the event of any conflict between the Chinese language version comments and other language version comments, the Chinese language version shall prevail.
+
+法律免责声明
+
+关于代码注释部分，中文注释为官方版本，其它语言注释仅做参考。中文注释可能与其它语言注释存在不一致，当中文注释与其它语言注释存在不一致时，请以中文注释为准。
@@ -23,18 +23,40 @@
 ```
 // TypeScript
 import AlipaySdk from 'alipay-sdk';
+// 普通公钥模式
+const alipaySdk = new AlipaySdk({
+  // 参考下方 SDK 配置
+  appId: '2016123456789012',
+  privateKey: fs.readFileSync('./private-key.pem', 'ascii'),
+  //可设置AES密钥，调用AES加解密相关接口时需要（可选）
+  encryptKey: '请填写您的AES密钥，例如：aa4BtZ4tspm2wnXLb1ThQA'
+});
 
+// 证书模式
 const alipaySdk = new AlipaySdk({
   // 参考下方 SDK 配置
   appId: '2016123456789012',
   privateKey: fs.readFileSync('./private-key.pem', 'ascii'),
+  alipayRootCertPath: path.join(__dirname,'../fixtures/alipayRootCert.crt'),
+  appCertPath: path.join(__dirname,'../fixtures/appCertPublicKey.crt'),
+  alipayPublicCertPath: path.join(__dirname,'../fixtures/alipayCertPublicKey_RSA2.crt'),
 });
 
+// 无需加密的接口
 const result = await alipaySdk.exec('alipay.system.oauth.token', {
 	grantType: 'authorization_code',
 	code: 'code',
 	refreshToken: 'token'
 });
+
+// 需要AES加解密的接口
+await alipaySdk.exec('alipay.open.auth.app.aes.set', {
+  bizContent: {
+    merchantAppId: '2021001170662064'
+  },
+  // 自动AES加解密
+  needEncrypt: true
+});
 ```
 
 ## Demo：
 
@@ -14,7 +14,8 @@ import * as camelcaseKeys from 'camelcase-keys';
 import * as snakeCaseKeys from 'snakecase-keys';
 
 import AliPayForm from './form';
-import { sign, ALIPAY_ALGORITHM_MAPPING } from './util';
+import { sign, ALIPAY_ALGORITHM_MAPPING, aesDecrypt } from './util';
+import { getSNFromPath, getSN, loadPublicKey, loadPublicKeyFromPath } from './antcertutil';
 
 const pkg = require('../package.json');
 
@@ -43,6 +44,26 @@ export interface AlipaySdkConfig {
   urllib?: any;
   /** 指定private key类型, 默认： PKCS1, PKCS8: PRIVATE KEY, PKCS1: RSA PRIVATE KEY */
   keyType?: 'PKCS1' | 'PKCS8';
+  /** 应用公钥证书文件路径 */
+  appCertPath?: string;
+  /** 应用公钥证书文件内容 */
+  appCertContent?: string | Buffer;
+  /** 应用公钥证书sn */
+  appCertSn?: string;
+  /** 支付宝根证书文件路径 */
+  alipayRootCertPath?: string;
+  /** 支付宝根证书文件内容 */
+  alipayRootCertContent?: string | Buffer;
+  /** 支付宝根证书sn */
+  alipayRootCertSn?: string;
+  /** 支付宝公钥证书文件路径 */
+  alipayPublicCertPath?: string;
+  /** 支付宝公钥证书文件内容 */
+  alipayPublicCertContent?: string | Buffer;
+  /** 支付宝公钥证书sn */
+  alipayCertSn?: string;
+  /** AES密钥，调用AES加解密相关接口时需要 */
+  encryptKey?: string;
 }
 
 export interface AlipaySdkCommonResult {
@@ -55,6 +76,8 @@ export interface AlipaySdkCommonResult {
 export interface IRequestParams {
   [key: string]: any;
   bizContent?: any;
+  // 自动AES加解密
+  needEncrypt?:boolean;
 }
 
 export interface IRequestOption {
@@ -75,11 +98,26 @@ class AlipaySdk {
     if (!config.privateKey) { throw Error('config.privateKey is required'); }
 
     const privateKeyType = config.keyType === 'PKCS8' ? 'PRIVATE KEY' : 'RSA PRIVATE KEY';
-    config.privateKey = this.formatKey(config.privateKey,  privateKeyType);
-    if (config.alipayPublicKey) {
+    config.privateKey = this.formatKey(config.privateKey, privateKeyType);
+    // 普通公钥模式和证书模式二选其一，传入了证书路径或内容认为是证书模式
+    if (config.appCertPath || config.appCertContent) {
+      // 证书模式，优先处理传入了证书内容的情况，其次处理传入证书文件路径的情况
+      // 应用公钥证书序列号提取
+      config.appCertSn = is.empty(config.appCertContent) ? getSNFromPath(config.appCertPath, false)
+        : getSN(config.appCertContent, false);
+      // 支付宝公钥证书序列号提取
+      config.alipayCertSn = is.empty(config.alipayPublicCertContent) ? getSNFromPath(config.alipayPublicCertPath, false)
+        : getSN(config.alipayPublicCertContent, false);
+      // 支付宝根证书序列号提取
+      config.alipayRootCertSn = is.empty(config.alipayRootCertContent) ? getSNFromPath(config.alipayRootCertPath, true)
+        : getSN(config.alipayRootCertContent, true);
+      config.alipayPublicKey = is.empty(config.alipayPublicCertContent) ? loadPublicKeyFromPath(config.alipayPublicCertPath)
+        : loadPublicKey(config.alipayPublicCertContent);
+      config.alipayPublicKey = this.formatKey(config.alipayPublicKey, 'PUBLIC KEY');
+    } else if (config.alipayPublicKey) {
+        // 普通公钥模式，传入了支付宝公钥
       config.alipayPublicKey = this.formatKey(config.alipayPublicKey, 'PUBLIC KEY');
     }
-
     this.config = Object.assign({
       urllib,
       gateway: 'https://openapi.alipay.com/gateway.do',
@@ -116,12 +154,13 @@ class AlipaySdk {
       'app_id', 'method', 'format', 'charset',
       'sign_type', 'sign', 'timestamp', 'version',
       'notify_url', 'return_url', 'auth_token', 'app_auth_token',
+      'appCertSn', 'alipayRootCertSn',
     ];
 
     for (const key in params) {
       if (urlArgs.indexOf(key) > -1) {
         const val = encodeURIComponent(params[key]);
-        requestUrl = `${requestUrl}${ requestUrl.includes('?') ? '&' : '?' }${key}=${val}`;
+        requestUrl = `${requestUrl}${requestUrl.includes('?') ? '&' : '?'}${key}=${val}`;
         // 删除 postData 中对应的数据
         delete params[key];
       }
@@ -135,8 +174,8 @@ class AlipaySdk {
     const config = this.config;
     let signParams = {} as { [key: string]: string | Object };
     let formData = {} as { [key: string]: string | Object | fs.ReadStream };
-    const infoLog =  (option.log && is.fn(option.log.info)) ? option.log.info : null;
-    const errorLog =  (option.log && is.fn(option.log.error)) ? option.log.error : null;
+    const infoLog = (option.log && is.fn(option.log.info)) ? option.log.info : null;
+    const errorLog = (option.log && is.fn(option.log.error)) ? option.log.error : null;
 
     option.formData.getFields().forEach((field) => {
       // 字段加入签名参数（文件不需要签名）
@@ -171,7 +210,7 @@ class AlipaySdk {
         json: false,
         timeout: config.timeout,
         headers: { 'user-agent': this.sdkVersion },
-      }, (err, {}, body) => {
+      }, (err, { }, body) => {
         if (err) {
           err.message = '[AlipaySdk]exec error';
           errorLog && errorLog(err);
@@ -204,7 +243,7 @@ class AlipaySdk {
   private pageExec(method: string, option: IRequestOption = {}): Promise<string> {
     let signParams = { alipaySdk: this.sdkVersion } as { [key: string]: string | Object };
     const config = this.config;
-    const infoLog =  (option.log && is.fn(option.log.info)) ? option.log.info : null;
+    const infoLog = (option.log && is.fn(option.log.info)) ? option.log.info : null;
 
     option.formData.getFields().forEach((field) => {
       signParams[field.name] = field.value;
@@ -248,7 +287,7 @@ class AlipaySdk {
 
   // 消息验签
   private notifyRSACheck(signArgs: { [key: string]: any }, signStr: string, signType: 'RSA' | 'RSA2') {
-    const signContent =  Object.keys(signArgs).sort().filter(val => val).map((key) => {
+    const signContent = Object.keys(signArgs).sort().filter(val => val).map((key) => {
       let value = signArgs[key];
 
       if (Array.prototype.toString.call(value) !== '[object String]') {
@@ -334,8 +373,8 @@ class AlipaySdk {
     // 计算签名
     const signData = sign(method, params, config);
     const { url, execParams } = this.formatUrl(config.gateway, signData);
-    const infoLog =  (option.log && is.fn(option.log.info)) ? option.log.info : null;
-    const errorLog =  (option.log && is.fn(option.log.error)) ? option.log.error : null;
+    const infoLog = (option.log && is.fn(option.log.info)) ? option.log.info : null;
+    const errorLog = (option.log && is.fn(option.log.error)) ? option.log.error : null;
 
     infoLog && infoLog('[AlipaySdk]start exec, url: %s, method: %s, params: %s',
       url, method, JSON.stringify(execParams));
@@ -349,46 +388,50 @@ class AlipaySdk {
         timeout: config.timeout,
         headers: { 'user-agent': this.sdkVersion },
       })
-      .then((ret: { status: number, data: string }) => {
-        infoLog && infoLog('[AlipaySdk]exec response: %s', ret);
-
-        if (ret.status === 200) {
-          /**
-           * 示例响应格式
-           * {"alipay_trade_precreate_response":
-           *  {"code": "10000","msg": "Success","out_trade_no": "111111","qr_code": "https:\/\/"},
-           *  "sign": "abcde="
-           * }
-           * 或者
-           * {"error_response":
-           *  {"code":"40002","msg":"Invalid Arguments","sub_code":"isv.code-invalid","sub_msg":"授权码code无效"},
-           * }
-           */
-          const result = JSON.parse(ret.data);
-          const responseKey = `${method.replace(/\./g, '_')}_response`;
-          const data = result[responseKey];
-
-          if (data) {
-            // 按字符串验签
-            const validateSuccess = option.validateSign ? this.checkResponseSign(ret.data, responseKey) : true;
-
-            if (validateSuccess) {
-              resolve(config.camelcase ? camelcaseKeys(data, { deep: true }) : data);
-            } else {
-              reject({ serverResult: ret, errorMessage: '[AlipaySdk]验签失败' });
+        .then((ret: { status: number, data: string }) => {
+          infoLog && infoLog('[AlipaySdk]exec response: %s', ret);
+
+          if (ret.status === 200) {
+            /**
+             * 示例响应格式
+             * {"alipay_trade_precreate_response":
+             *  {"code": "10000","msg": "Success","out_trade_no": "111111","qr_code": "https:\/\/"},
+             *  "sign": "abcde="
+             * }
+             * 或者
+             * {"error_response":
+             *  {"code":"40002","msg":"Invalid Arguments","sub_code":"isv.code-invalid","sub_msg":"授权码code无效"},
+             * }
+             */
+            const result = JSON.parse(ret.data);
+            const responseKey = `${method.replace(/\./g, '_')}_response`;
+            let data = result[responseKey];
+
+            if (data) {
+              if (params.needEncrypt) {
+                data = aesDecrypt(data, config.encryptKey);
+              }
+
+              // 按字符串验签
+              const validateSuccess = option.validateSign ? this.checkResponseSign(ret.data, responseKey) : true;
+
+              if (validateSuccess) {
+                resolve(config.camelcase ? camelcaseKeys(data, { deep: true }) : data);
+              } else {
+                reject({ serverResult: ret, errorMessage: '[AlipaySdk]验签失败' });
+              }
             }
+
+            reject({ serverResult: ret, errorMessage: '[AlipaySdk]HTTP 请求错误' });
           }
 
           reject({ serverResult: ret, errorMessage: '[AlipaySdk]HTTP 请求错误' });
-        }
-
-        reject({ serverResult: ret, errorMessage: '[AlipaySdk]HTTP 请求错误' });
-      })
-      .catch((err) => {
-        err.message = '[AlipaySdk]exec error';
-        errorLog && errorLog(err);
-        reject(err);
-      });
+        })
+        .catch((err) => {
+          err.message = '[AlipaySdk]exec error';
+          errorLog && errorLog(err);
+          reject(err);
+        });
     });
   }
 
 
@@ -0,0 +1,80 @@
+/**
+ * @author yisheng.cl
+ * @email [[email protected]]
+*/
+
+import * as fs from 'fs';
+import bignumber_js_1 from 'bignumber.js';
+import * as crypto from 'crypto';
+const x509_1 = require('@fidm/x509');
+/** 从公钥证书文件里读取支付宝公钥 */
+function loadPublicKeyFromPath(filePath: string): string {
+  const fileData = fs.readFileSync(filePath);
+  const certificate = x509_1.Certificate.fromPEM(fileData);
+  return certificate.publicKeyRaw.toString('base64');
+}
+/** 从公钥证书内容或buffer读取支付宝公钥 */
+function loadPublicKey(content: string|Buffer): string {
+  if (typeof content == 'string') {
+      content = Buffer.from(content);
+    }
+  const certificate = x509_1.Certificate.fromPEM(content);
+  return certificate.publicKeyRaw.toString('base64');
+}
+/** 从证书文件里读取序列号 */
+function getSNFromPath(filePath: string, isRoot: boolean= false): string {
+  const fileData = fs.readFileSync(filePath);
+  return getSN(fileData, isRoot);
+}
+/** 从上传的证书内容或Buffer读取序列号 */
+function getSN(fileData: string|Buffer, isRoot: boolean= false): string {
+  if (typeof fileData == 'string') {
+      fileData = Buffer.from(fileData);
+    }
+  if (isRoot) {
+      return getRootCertSN(fileData);
+    }
+  const certificate = x509_1.Certificate.fromPEM(fileData);
+  return getCertSN(certificate);
+}
+/** 读取序列号 */
+function getCertSN(certificate: any): string {
+  const { issuer, serialNumber } = certificate;
+  const principalName = issuer.attributes
+    .reduceRight((prev, curr) => {
+        const { shortName, value } = curr;
+        const result = `${prev}${shortName}=${value},`;
+        return result;
+    }, '')
+    .slice(0, -1);
+  const decimalNumber = new bignumber_js_1(serialNumber, 16).toString(10);
+  const SN = crypto
+        .createHash('md5')
+        .update(principalName + decimalNumber, 'utf8')
+        .digest('hex');
+  return SN;
+}
+/** 读取根证书序列号 */
+function getRootCertSN(rootContent: Buffer): string {
+  const certificates = x509_1.Certificate.fromPEMs(rootContent);
+  let rootCertSN = '';
+  certificates.forEach((item) => {
+      if (item.signatureOID.startsWith('1.2.840.113549.1.1')) {
+          const SN = getCertSN(item);
+          if (rootCertSN.length === 0) {
+              rootCertSN += SN;
+            }
+          else {
+              rootCertSN += `_${SN}`;
+            }
+        }
+    });
+  return rootCertSN;
+}
+
+export {
+    getSN,
+    getSNFromPath,
+    loadPublicKeyFromPath,
+    loadPublicKey,
+  };