关于java:提供接口给第三方使用需要加上校验保证接口的安全性rsa加密解密

28次阅读

共计 8371 个字符,预计需要花费 21 分钟才能阅读完成。

最近项目组给了一个需要,须要我这边写一个接口,给第三方应用。过后就想,这不是很简略嘛,唰唰唰,就写好了。忽然想到,没有限度条件,那岂不是太不平安了,谁都能够调我这个接口了啊。而后就想了想,emmmm,ras 如同能够用的啊,那就间接写写看吧。
RSA 的加密过程如下:
(1)A 生成一对密钥(公钥和私钥),私钥不公开,A 本人保留。公钥为公开的,任何人能够获取。
(2)A 传递本人的公钥给 B,B 用 A 的公钥对音讯进行加密。
(3)A 接管到 B 加密的音讯,利用 A 本人的私钥对音讯进行解密。
先上代码:

public static void main(String[] args) throws Exception {
        // 生成公钥和私钥
 genKeyPair();
 // 加密字符串
 String message = "df723820";
 System.out.println("随机生成的公钥为:" + keyMap.get(0));
 System.out.println("随机生成的私钥为:" + keyMap.get(1));
 }
    /**
 * 随机生成密钥对
 * @throws NoSuchAlgorithmException
 */ public static void genKeyPair() throws NoSuchAlgorithmException {
        // KeyPairGenerator 类用于生成公钥和私钥对,基于 RSA 算法生成对象
 KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("RSA");
 // 初始化密钥对生成器,密钥大小为 96-1024 位
 keyPairGen.initialize(1024,new SecureRandom());
 // 生成一个密钥对,保留在 keyPair 中
 KeyPair keyPair = keyPairGen.generateKeyPair();
 RSAPrivateKey privateKey = (RSAPrivateKey) keyPair.getPrivate(); // 失去私钥
 RSAPublicKey publicKey = (RSAPublicKey) keyPair.getPublic(); // 失去公钥
 String publicKeyString = new String(Base64.encodeBase64(publicKey.getEncoded()));
 // 失去私钥字符串
 String privateKeyString = new String(Base64.encodeBase64((privateKey.getEncoded())));
 // 将公钥和私钥保留到 Map
 keyMap.put(0,publicKeyString); // 0 示意公钥
 keyMap.put(1,privateKeyString); // 1 示意私钥
 }

公钥,私钥生成后,公钥可对外公开,私钥需本人保留。
加密,解密办法:

/**
 * RSA 公钥加密
 *
 * @param str
 * 加密字符串
 * 公钥
 * @return 密文
 * @throws Exception
 * 加密过程中的异样信息
 */
public String encrypt(String str) throws Exception{
    //base64 编码的公钥
 byte[] decoded = Base64.decodeBase64(publicKey);
 RSAPublicKey pubKey = (RSAPublicKey) KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(decoded));
 //RSA 加密
 Cipher cipher = Cipher.getInstance("RSA");
 cipher.init(Cipher.ENCRYPT_MODE, pubKey);
 String outStr = Base64.encodeBase64String(cipher.doFinal(str.getBytes("UTF-8")));
 return outStr;
}
/**
 * RSA 私钥解密
 *
 * @param str
 * 加密字符串
 * 私钥
 * @return 铭文
 * @throws Exception
 * 解密过程中的异样信息
 */
public String decrypt(String str) throws Exception{
    //64 位解码加密后的字符串
 byte[] inputByte = Base64.decodeBase64(str.getBytes("UTF-8"));
 //base64 编码的私钥
 byte[] decoded = Base64.decodeBase64(privateKey);
 RSAPrivateKey priKey = (RSAPrivateKey) KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(decoded));
 //RSA 解密
 Cipher cipher = Cipher.getInstance("RSA");
 cipher.init(Cipher.DECRYPT_MODE, priKey);
 String outStr = new String(cipher.doFinal(inputByte));
 return outStr;
}

这段代码中的 publicKey 和 privateKey, 就是咱们上段代码中获取到的,只需生成一次。这个时候咱们就能够在咱们的接口里进行验证了。
附上本人应用时的代码:
我这边是把加密解密的办法放到了一个工具类里,应用的时候间接调用工具类的办法就能够了,残缺如下:

package com.pactera.rms.util;
import org.apache.commons.codec.binary.Base64;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;
import javax.crypto.Cipher;
import java.security.*;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.HashMap;
import java.util.Map;
/**
 * @author qps
 * Date 2020/10/25 19:30 */@Component
public class RSAEncrypt {@Value("${rms.rsa.publicKey.key}")
   private String publicKey;
 @Value("${rms.rsa.privateKey.key}")
    private String privateKey;
 private static Map<Integer, String> keyMap = new HashMap<Integer, String>(); // 用于封装随机产生的公钥与私钥
 public static void main(String[] args) throws Exception {
        // 生成公钥和私钥
 genKeyPair();
 // 加密字符串
 String message = "df723820";
 System.out.println("随机生成的公钥为:" + keyMap.get(0));
 System.out.println("随机生成的私钥为:" + keyMap.get(1));
//        String messageEn = encrypt(message,keyMap.get(0));
//        System.out.println(message + "t 加密后的字符串为:" + messageEn);
//        String messageDe = decrypt(messageEn,keyMap.get(1));
//        System.out.println("还原后的字符串为:" + messageDe);
 }
    /**
 * 随机生成密钥对
 * @throws NoSuchAlgorithmException
 */ public static void genKeyPair() throws NoSuchAlgorithmException {
        // KeyPairGenerator 类用于生成公钥和私钥对,基于 RSA 算法生成对象
 KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("RSA");
 // 初始化密钥对生成器,密钥大小为 96-1024 位
 keyPairGen.initialize(1024,new SecureRandom());
 // 生成一个密钥对,保留在 keyPair 中
 KeyPair keyPair = keyPairGen.generateKeyPair();
 RSAPrivateKey privateKey = (RSAPrivateKey) keyPair.getPrivate(); // 失去私钥
 RSAPublicKey publicKey = (RSAPublicKey) keyPair.getPublic(); // 失去公钥
 String publicKeyString = new String(Base64.encodeBase64(publicKey.getEncoded()));
 // 失去私钥字符串
 String privateKeyString = new String(Base64.encodeBase64((privateKey.getEncoded())));
 // 将公钥和私钥保留到 Map
 keyMap.put(0,publicKeyString); // 0 示意公钥
 keyMap.put(1,privateKeyString); // 1 示意私钥
 }
    /**
 * RSA 公钥加密
 *
 * @param str
 * 加密字符串
 * 公钥
 * @return 密文
 * @throws Exception
 * 加密过程中的异样信息
 */
 public String encrypt(String str) throws Exception{
        //base64 编码的公钥
 byte[] decoded = Base64.decodeBase64(publicKey);
 RSAPublicKey pubKey = (RSAPublicKey) KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(decoded));
 //RSA 加密
 Cipher cipher = Cipher.getInstance("RSA");
 cipher.init(Cipher.ENCRYPT_MODE, pubKey);
 String outStr = Base64.encodeBase64String(cipher.doFinal(str.getBytes("UTF-8")));
 return outStr;
 }
    /**
 * RSA 私钥解密
 *
 * @param str
 * 加密字符串
 * 私钥
 * @return 铭文
 * @throws Exception
 * 解密过程中的异样信息
 */
 public String decrypt(String str) throws Exception{
        //64 位解码加密后的字符串
 byte[] inputByte = Base64.decodeBase64(str.getBytes("UTF-8"));
 //base64 编码的私钥
 byte[] decoded = Base64.decodeBase64(privateKey);
 RSAPrivateKey priKey = (RSAPrivateKey) KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(decoded));
 //RSA 解密
 Cipher cipher = Cipher.getInstance("RSA");
 cipher.init(Cipher.DECRYPT_MODE, priKey);
 String outStr = new String(cipher.doFinal(inputByte));
 return outStr;
 }
}

另外,还有一段代码,是我用来获取传过来的 headers 中的 key 和 value 的:

package com.pactera.rms.util;
import org.apache.commons.io.IOUtils;
import javax.servlet.ReadListener;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
/**
 * @author qps
 */public class MultiReadHttpServletRequest extends HttpServletRequestWrapper {private final byte[] bytes;
 public MultiReadHttpServletRequest(HttpServletRequest request) throws IOException {super(request);
 bytes = IOUtils.toByteArray(request.getInputStream());
 }
    @Override
 public ServletInputStream getInputStream() throws IOException {return new ServletInputStream() {
            private int lastIndexRetrieved = -1;
 private ReadListener readListener = null;
 @Override
 public boolean isFinished() {return (lastIndexRetrieved == bytes.length-1);
 }
            @Override
 public boolean isReady() {
                // This implementation will never block
 // We also never need to call the readListener from this method, as this method will never return false return isFinished();}
            @Override
 public void setReadListener(ReadListener readListener) {
                this.readListener = readListener;
 if (!isFinished()) {
                    try {readListener.onDataAvailable();
 } catch (IOException e) {readListener.onError(e);
 }
                } else {
                    try {readListener.onAllDataRead();
 } catch (IOException e) {readListener.onError(e);
 }
                }
            }
            @Override
 public int read() throws IOException {
                int i;
 if (!isFinished()) {i = bytes[lastIndexRetrieved+1];
 lastIndexRetrieved++;
 if (isFinished() && (readListener != null)) {
                        try {readListener.onAllDataRead();
 } catch (IOException ex) {readListener.onError(ex);
 throw ex;
 }
                    }
                    return i;
 } else {return -1;}
            }
        };
 }
    @Override
 public BufferedReader getReader() throws IOException {ByteArrayInputStream is = new ByteArrayInputStream(bytes);
 BufferedReader temp = new BufferedReader(new InputStreamReader(is));
 return temp;
 }
}

这两个文件放好之后,就能够在本人办法应用了:

@ApiOperation("简历解析")
@ApiParam(name = "files", value = "files", required = true)
@RequestMapping(value = "/resume", method = RequestMethod.POST, consumes = {"multipart/*"}, headers = {"content-type=multipart/form-data"})
public ListOutput resumeAnalysis(@RequestParam("files") MultipartFile[] files, ServletRequest servletRequest) throws Exception {MultiReadHttpServletRequest request = new MultiReadHttpServletRequest((HttpServletRequest) servletRequest);
 String sign = request.getHeader("Authorization");
 String decrypt = rsaEncrypt.decrypt(sign);
 StringBuilder params = new StringBuilder();
 for (int i = 0; i < files.length; i++) {String originalFilename = files[i].getOriginalFilename();
 int i1 = originalFilename.lastIndexOf(".");
 String substring = originalFilename.substring((i1 + 1), originalFilename.length());
 params.append("&").append(substring);
 }
    // 源数据
 String data = params.toString().replaceFirst("&", "");
//        String encrypt = rsaEncrypt.encrypt(data);
//        System.out.println(encrypt);
 // 校验
 System.out.println(data.equals(decrypt));
 if(data.equals(decrypt)){logger.info("调用接口胜利,开始执行....." + files);
 String type = "Campus";
 List jsonObject = service.resume(files, type);
 return new ListOutput(200, "胜利", null, jsonObject);
 }else {return new ListOutput(407, "身份验证失败,请从新提交", null, null);
 }
}

这时就功败垂成了。
PS:RSA 加密对明文的长度有所限度,规定需加密的明文最大长度 = 密钥长度 -11(单位是字节,即 byte),所以在 加密和解密的过程中须要分块进行。而密钥默认是 1024 位,即 1024 位 / 8 位 -11=128-11=117 字节。所以默认加密前的明文最大长度 117 字节,解密密文最大长度为 128 字。那么为啥两者相差 11 字节呢?是因为 RSA 加密应用到了填充模式(padding),即内容有余 117 字节时会主动填满,用到填充模式天然会占用肯定的字节,而且这部分字节也是参加加密的。

正文完
 0