前后端分离技术之加签,验签,防篡改
上一篇讲解了加密解密,这次来个加签验签,实际项目里,我们采用的是react 和nodejs 来进行加签验签,用的jsrsasign库,下面贴点核心代码
react加签
nodejs验签
实际应用在nodejs层可以将时间戳和sign签名验证通过剔除掉,所以对后端就是无感的。
下面来介绍下客户端见加签验签,前面的代码也有,以java为例
import org.apache.commons.codec.binary.Base64;
import javax.crypto.Cipher;
import java.security.*;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
/**
* @author ALvis
* @ctreate 2019/11/26
*/
public class RSACoder {
public static final String KEY_ALGORITHM = "RSA";
public static final String SIGNATURE_ALGORITHM = "MD5withRSA";
public static byte[] decryptBASE64(String key) {
return Base64.decodeBase64(key);
}
public static String encryptBASE64(byte[] bytes) {
return Base64.encodeBase64String(bytes);
}
/**
* 用私钥对信息生成数字签名
*
* @param data 加密数据
* @param privateKey 私钥
* @return
* @throws Exception
*/
public static String sign(byte[] data, String privateKey) throws Exception {
// 解密由base64编码的私钥
byte[] keyBytes = decryptBASE64(privateKey);
// 构造PKCS8EncodedKeySpec对象
PKCS8EncodedKeySpec pkcs8KeySpec = new PKCS8EncodedKeySpec(keyBytes);
// KEY_ALGORITHM 指定的加密算法
KeyFactory keyFactory = KeyFactory.getInstance(KEY_ALGORITHM);
// 取私钥匙对象
PrivateKey priKey = keyFactory.generatePrivate(pkcs8KeySpec);
// 用私钥对信息生成数字签名
Signature signature = Signature.getInstance(SIGNATURE_ALGORITHM);
signature.initSign(priKey);
signature.update(data);
return encryptBASE64(signature.sign());
}
/**
* 校验数字签名
*
* @param data 加密数据
* @param publicKey 公钥
* @param sign 数字签名
* @return 校验成功返回true 失败返回false
* @throws Exception
*/
public static boolean verify(byte[] data, String publicKey, String sign)
throws Exception {
// 解密由base64编码的公钥
byte[] keyBytes = decryptBASE64(publicKey);
// 构造X509EncodedKeySpec对象
X509EncodedKeySpec keySpec = new X509EncodedKeySpec(keyBytes);
// KEY_ALGORITHM 指定的加密算法
KeyFactory keyFactory = KeyFactory.getInstance(KEY_ALGORITHM);
// 取公钥匙对象
PublicKey pubKey = keyFactory.generatePublic(keySpec);
Signature signature = Signature.getInstance(SIGNATURE_ALGORITHM);
signature.initVerify(pubKey);
signature.update(data);
// 验证签名是否正常
return signature.verify(decryptBASE64(sign));
}
}下面是测试代码
public class Test2 {
private static final String publicKey="MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCHuKQKF9zgk3Y2OOeULroJnP4qHOGw/Jh/3+vKIqpXqZjjk2RW+eJLScHMWSxeZ+vwiboETGMlgSovywQN7qph6r10btW/V6B1PvHZr57N1nJ1MxtrIWKKYJKVUMZtwkhGes65YtZ7rMDMvCRas/3sP8NixHV8RYNm/KrnMknoAQIDAQAB";
private static final String privateKey = "MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAIe4pAoX3OCTdjY455Quugmc/ioc4bD8mH/f68oiqlepmOOTZFb54ktJwcxZLF5n6/CJugRMYyWBKi/LBA3uqmHqvXRu1b9XoHU+8dmvns3WcnUzG2shYopgkpVQxm3CSEZ6zrli1nuswMy8JFqz/ew/w2LEdXxFg2b8qucySegBAgMBAAECgYBW9BEE9mzo5REjhCm6YoWGizK7wG1Ie00pAEmM49DHAT2W8GOk5cv5+HNVfPxUL7iWD2dCQb5z1OE2ZZdfZb16q9YdAXxTt90exoDX8q4i0xWTKPooVni8+tdypzizw0m3XN/adq6RC4Hz8Xc5n6RTl+1rAGc60AkTmmhZaAx0EQJBAP6+yegOa9uQS06ww+pWZKO+hm3kIPunIkYlN3Y7KkPCOJq4WiS7D/oIyBYIBG/UltloF3ROOIf3uMROvdcvlE8CQQCIY8X3ICn5p+Ot32V/ZhT0aebUKGFvG9b/Zx072xEumG0xIhtOic1Vr10hvPYckWbJcEY6s+oeiXzi9CwutJqvAkEA4N+SZCK2228YyzIG/8mbtV/uUvtakksLWlhoCRpZSM8eIJY0HNB0Xgd6eNhC8mT7dJcKfUS/amcm10ObGWWKyQJATo/aGk1GoG3ase66UjYE3/yYX6Ca7xtELn3A0xeOwB5A10pkHEs4IaEPrj1gLnh6kpG/glTcCJb9fuVTBdw2NQJALFt2PMr8PwPKnV74MZFcKGlF7Qz31SIAPBgClsS/bUweJ/3lw9Xopv0WO8INdSqgwjAX2+PjDwOiwBYtD7bPNw==";
@Test
public void test1() throws Exception{
EvalUser user = new EvalUser();
user.setUserid("001");
user.setUsername("alvis");
user.setOrgId("111");
user.setLevel("222");
String content = JSON.toJSONString(user);
String sign = RSACoder.sign(content.getBytes(), privateKey);
String lastSign = URLEncoder.encode(sign.replace("\n", ""), "UTF-8");
System.out.println("签名内容:" + content);
System.out.println("最终签名:" + lastSign);
// 签名验证
String test ="{\"level\":\"222\",\"orgId\":\"111\",\"userid\":\"001\",\"username\":\"alvis\"}";
boolean bverify = RSACoder.verify(test.getBytes(), publicKey, URLDecoder.decode(lastSign, "UTF-8"));
System.out.println("验证结果:" + bverify +";decode sign="+URLDecoder.decode(lastSign, "UTF-8"));
}
}加签验签一般失败的原因就是json转换时的顺序,比如用fastjson转换成字符串加签,那么解签时就要注意,把json转成字符串的排序是否一致,同是fastjson排序规则也会随着版本的改变而不同,解决方案之一就是要么用同版本的工具,要么可以结合加密解密来进行。