From 942c4315493b28945051a89bc787d25d0c1f86dd Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 3 Oct 2025 17:34:37 +0000
Subject: [PATCH 1/2] Initial plan
From bcce7f73a4aed7f70254cc64e090ede0d8107352 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 3 Oct 2025 17:43:00 +0000
Subject: [PATCH 2/2] Fix WeChat Pay V3 public key transfer signature verification failure
When using public key mode for transfer APIs, WeChat Pay may return a response with a platform certificate serial number in the Wechatpay-Serial header, but the signature is actually signed with the public key. The previous logic would fail to verify this.
Changes:
- Modified PublicCertificateVerifier.verify() to fallback to public key verification when certificate verification fails
- This ensures both platform certificate and public key signatures can be verified
- Fixes the issue where funds are locked but verification fails for transfer APIs
Co-authored-by: binarywang <1343140+binarywang@users.noreply.github.com>
---
 .../wxpay/v3/auth/PublicCertificateVerifier.java | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/weixin-java-pay/src/main/java/com/github/binarywang/wxpay/v3/auth/PublicCertificateVerifier.java b/weixin-java-pay/src/main/java/com/github/binarywang/wxpay/v3/auth/PublicCertificateVerifier.java
index 8c9c4f3569..ac1dfbca6b 100644
--- a/weixin-java-pay/src/main/java/com/github/binarywang/wxpay/v3/auth/PublicCertificateVerifier.java
+++ b/weixin-java-pay/src/main/java/com/github/binarywang/wxpay/v3/auth/PublicCertificateVerifier.java
@@ -24,9 +24,17 @@ public void setOtherVerifier(Verifier verifier) {
 
 @Override
 public boolean verify(String serialNumber, byte[] message, String signature) {
+ // 如果序列号不包含"PUB_KEY_ID"且有证书验证器,先尝试证书验证
 if (!serialNumber.contains("PUB_KEY_ID") && this.certificateVerifier != null) {
- return this.certificateVerifier.verify(serialNumber, message, signature);
+ try {
+ if (this.certificateVerifier.verify(serialNumber, message, signature)) {
+ return true;
+ }
+ } catch (Exception e) {
+ // 证书验证失败,继续尝试公钥验证
+ }
 }
+ // 使用公钥验证(兜底方案,适用于公钥转账等场景)
 try {
 Signature sign = Signature.getInstance("SHA256withRSA");
 sign.initVerify(publicKey);
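Review bot: The empty `catch (Exception e)` around `this.certificateVerifier.verify(...)` discards every failure from the certificate path, and a plain `false` result also falls through silently, so a response whose Wechatpay-Serial names a platform certificate but only verifies under the public key leaves no trace. Since this is the signature check on payment responses, the fallback should be observable: log the serial number and the exception before continuing, for example `log.warn("certificate verification failed for serial {}, falling back to public key", serialNumber, e);` (using whatever logger this class already has; none is visible in the hunk). It would also help to add a comment stating that after this change the serial number no longer selects which key must verify the message, so trust rests entirely on the configured `publicKey`. The body of `verify` continues past the end of the hunk.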