java 第三方接口安全性_提供接口给第三方使用,需要加上校验保证接口的安全性(rsa加密解密)...
最近项目组给了一个需求,需要我这边写一个接口,给第三方使用。当时就想,这不是很简单嘛,唰唰唰,就写好了。突然想到,没有限制条件,那岂不是太不安全了,谁都可以调我这个接口了啊。然后就想了想,emmmm,ras好像可以用的啊,那就直接写写看吧。
RSA的加密过程如下:
(1)A生成一对密钥(公钥和私钥),私钥不公开,A自己保留。公钥为公开的,任何人可以获取。
(2)A传递自己的公钥给B,B用A的公钥对消息进行加密。
(3)A接收到B加密的消息,利用A自己的私钥对消息进行解密。
先上代码:public static void main(String[] args) throws Exception {
//生成公钥和私钥
genKeyPair();
//加密字符串
String message = "df723820";
System.out.println("随机生成的公钥为:" + keyMap.get(0));
System.out.println("随机生成的私钥为:" + keyMap.get(1));
}
/**
* 随机生成密钥对
* @throws NoSuchAlgorithmException
*/ public static void genKeyPair() throws NoSuchAlgorithmException {
// KeyPairGenerator类用于生成公钥和私钥对,基于RSA算法生成对象
KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("RSA");
// 初始化密钥对生成器,密钥大小为96-1024位
keyPairGen.initialize(1024,new SecureRandom());
// 生成一个密钥对,保存在keyPair中
KeyPair keyPair = keyPairGen.generateKeyPair();
RSAPrivateKey privateKey = (RSAPrivateKey) keyPair.getPrivate(); // 得到私钥
RSAPublicKey publicKey = (RSAPublicKey) keyPair.getPublic(); // 得到公钥
String publicKeyString = new String(Base64.encodeBase64(publicKey.getEncoded()));
// 得到私钥字符串
String privateKeyString = new String(Base64.encodeBase64((privateKey.getEncoded())));
// 将公钥和私钥保存到Map
keyMap.put(0,publicKeyString); //0表示公钥
keyMap.put(1,privateKeyString); //1表示私钥
}
公钥,私钥生成后,公钥可对外公开,私钥需自己保存。
加密,解密方法:/**
* RSA公钥加密
*
* @param str
* 加密字符串
* 公钥
* @return 密文
* @throws Exception
* 加密过程中的异常信息
*/
public String encrypt( String str ) throws Exception{
//base64编码的公钥
byte[] decoded = Base64.decodeBase64(publicKey);
RSAPublicKey pubKey = (RSAPublicKey) KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(decoded));
//RSA加密
Cipher cipher = Cipher.getInstance("RSA");
cipher.init(Cipher.ENCRYPT_MODE, pubKey);
String outStr = Base64.encodeBase64String(cipher.doFinal(str.getBytes("UTF-8")));
return outStr;
}
/**
* RSA私钥解密
*
* @param str
* 加密字符串
* 私钥
* @return 铭文
* @throws Exception
* 解密过程中的异常信息
*/
public String decrypt(String str) throws Exception{
//64位解码加密后的字符串
byte[] inputByte = Base64.decodeBase64(str.getBytes("UTF-8"));
//base64编码的私钥
byte[] decoded = Base64.decodeBase64(privateKey);
RSAPrivateKey priKey = (RSAPrivateKey) KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(decoded));
//RSA解密
Cipher cipher = Cipher.getInstance("RSA");
cipher.init(Cipher.DECRYPT_MODE, priKey);
String outStr = new String(cipher.doFinal(inputByte));
return outStr;
}
这段代码中的 publicKey 和 privateKey,就是我们上段代码中获取到的,只需生成一次。这个时候我们就可以在我们的接口里进行验证了。
附上自己使用时的代码:
我这边是把加密解密的方法放到了一个工具类里,使用的时候直接调用工具类的方法就可以了,完整如下:package com.pactera.rms.util;
import org.apache.commons.codec.binary.Base64;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;
import javax.crypto.Cipher;
import java.security.*;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.HashMap;
import java.util.Map;
/**
* @author qps
* Date 2020/10/25 19:30 */@Component
public class RSAEncrypt {
@Value("${rms.rsa.publicKey.key}")
private String publicKey;
@Value("${rms.rsa.privateKey.key}")
private String privateKey;
private static Map keyMap = new HashMap(); //用于封装随机产生的公钥与私钥
public static void main(String[] args) throws Exception {
//生成公钥和私钥
genKeyPair();
//加密字符串
String message = "df723820";
System.out.println("随机生成的公钥为:" + keyMap.get(0));
System.out.println("随机生成的私钥为:" + keyMap.get(1));
// String messageEn = encrypt(message,keyMap.get(0));
// System.out.println(message + "t加密后的字符串为:" + messageEn);
// String messageDe = decrypt(messageEn,keyMap.get(1));
// System.out.println("还原后的字符串为:" + messageDe);
}
/**
* 随机生成密钥对
* @throws NoSuchAlgorithmException
*/ public static void genKeyPair() throws NoSuchAlgorithmException {
// KeyPairGenerator类用于生成公钥和私钥对,基于RSA算法生成对象
KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("RSA");
// 初始化密钥对生成器,密钥大小为96-1024位
keyPairGen.initialize(1024,new SecureRandom());
// 生成一个密钥对,保存在keyPair中
KeyPair keyPair = keyPairGen.generateKeyPair();
RSAPrivateKey privateKey = (RSAPrivateKey) keyPair.getPrivate(); // 得到私钥
RSAPublicKey publicKey = (RSAPublicKey) keyPair.getPublic(); // 得到公钥
String publicKeyString = new String(Base64.encodeBase64(publicKey.getEncoded()));
// 得到私钥字符串
String privateKeyString = new String(Base64.encodeBase64((privateKey.getEncoded())));
// 将公钥和私钥保存到Map
keyMap.put(0,publicKeyString); //0表示公钥
keyMap.put(1,privateKeyString); //1表示私钥
}
/**
* RSA公钥加密
*
* @param str
* 加密字符串
* 公钥
* @return 密文
* @throws Exception
* 加密过程中的异常信息
*/
public String encrypt( String str ) throws Exception{
//base64编码的公钥
byte[] decoded = Base64.decodeBase64(publicKey);
RSAPublicKey pubKey = (RSAPublicKey) KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(decoded));
//RSA加密
Cipher cipher = Cipher.getInstance("RSA");
cipher.init(Cipher.ENCRYPT_MODE, pubKey);
String outStr = Base64.encodeBase64String(cipher.doFinal(str.getBytes("UTF-8")));
return outStr;
}
/**
* RSA私钥解密
*
* @param str
* 加密字符串
* 私钥
* @return 铭文
* @throws Exception
* 解密过程中的异常信息
*/
public String decrypt(String str) throws Exception{
//64位解码加密后的字符串
byte[] inputByte = Base64.decodeBase64(str.getBytes("UTF-8"));
//base64编码的私钥
byte[] decoded = Base64.decodeBase64(privateKey);
RSAPrivateKey priKey = (RSAPrivateKey) KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(decoded));
//RSA解密
Cipher cipher = Cipher.getInstance("RSA");
cipher.init(Cipher.DECRYPT_MODE, priKey);
String outStr = new String(cipher.doFinal(inputByte));
return outStr;
}
}
另外,还有一段代码,是我用来获取传过来的headers 中的key和value的:package com.pactera.rms.util;
import org.apache.commons.io.IOUtils;
import javax.servlet.ReadListener;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
/**
* @author qps
*/public class MultiReadHttpServletRequest extends HttpServletRequestWrapper {
private final byte[] bytes;
public MultiReadHttpServletRequest(HttpServletRequest request) throws IOException {
super(request);
bytes = IOUtils.toByteArray(request.getInputStream());
}
@Override
public ServletInputStream getInputStream() throws IOException {
return new ServletInputStream() {
private int lastIndexRetrieved = -1;
private ReadListener readListener = null;
@Override
public boolean isFinished() {
return (lastIndexRetrieved == bytes.length-1);
}
@Override
public boolean isReady() {
// This implementation will never block
// We also never need to call the readListener from this method, as this method will never return false return isFinished();
}
@Override
public void setReadListener(ReadListener readListener) {
this.readListener = readListener;
if (!isFinished()) {
try {
readListener.onDataAvailable();
} catch (IOException e) {
readListener.onError(e);
}
} else {
try {
readListener.onAllDataRead();
} catch (IOException e) {
readListener.onError(e);
}
}
}
@Override
public int read() throws IOException {
int i;
if (!isFinished()) {
i = bytes[lastIndexRetrieved+1];
lastIndexRetrieved++;
if (isFinished() && (readListener != null)) {
try {
readListener.onAllDataRead();
} catch (IOException ex) {
readListener.onError(ex);
throw ex;
}
}
return i;
} else {
return -1;
}
}
};
}
@Override
public BufferedReader getReader() throws IOException {
ByteArrayInputStream is = new ByteArrayInputStream(bytes);
BufferedReader temp = new BufferedReader(new InputStreamReader(is));
return temp;
}
}
这两个文件放好之后,就可以在自己方法使用了:@ApiOperation("简历解析")
@ApiParam(name = "files", value = "files", required = true)
@RequestMapping(value = "/resume", method = RequestMethod.POST, consumes = {"multipart/*"}, headers = {"content-type=multipart/form-data"})
public ListOutput resumeAnalysis(@RequestParam("files") MultipartFile[] files, ServletRequest servletRequest) throws Exception {
MultiReadHttpServletRequest request = new MultiReadHttpServletRequest((HttpServletRequest) servletRequest);
String sign = request.getHeader("Authorization");
String decrypt = rsaEncrypt.decrypt(sign);
StringBuilder params = new StringBuilder();
for (int i = 0; i < files.length; i++) {
String originalFilename = files[i].getOriginalFilename();
int i1 = originalFilename.lastIndexOf(".");
String substring = originalFilename.substring((i1 + 1), originalFilename.length());
params.append("&").append(substring);
}
//源数据
String data = params.toString().replaceFirst("&", "");
// String encrypt = rsaEncrypt.encrypt(data);
// System.out.println(encrypt);
//校验
System.out.println(data.equals(decrypt));
if(data.equals(decrypt)){
logger.info("调用接口成功,开始执行....." + files);
String type = "Campus";
List jsonObject = service.resume(files, type);
return new ListOutput(200, "成功", null, jsonObject);
}else {
return new ListOutput(407, "身份验证失败,请重新提交", null, null);
}
}
这时就大功告成了。
PS:RSA加密对明文的长度有所限制,规定需加密的明文最大长度=密钥长度-11(单位是字节,即byte),所以在加密和解密的过程中需要分块进行。而密钥默认是1024位,即1024位/8位-11=128-11=117字节。所以默认加密前的明文最大长度117字节,解密密文最大长度为128字。那么为啥两者相差11字节呢?是因为RSA加密使用到了填充模式(padding),即内容不足117字节时会自动填满,用到填充模式自然会占用一定的字节,而且这部分字节也是参与加密的。