需求-Story
项目上需要做文件的加密传输,考虑到安全性,舍弃了sftp的传送方案(22端口容易被攻击);又由于项目性质,无法采用云存储,因此决定走https加密传输的方案.
其中,要保证安全,则需要做到几点来保证:
- 信息源加密
使用AES加密流对文件进行加密
- 信息传输通道加密
使用https对传输通道进行加密
- 应用层加密
使用RSA对请求进行认证
信息传输通道加密-Https
关于https的理论有很多,我们今天只聊实战。
想要应用支持https,需要申请证书,然后跟应用进行配置。
其中,关于认证又分为单向认证和双向认证,笔者一开始也疑惑,什么是单向认证和双向认证?
用一张图来解释:
双向认证
ok,废话不多说,开始干!
我们今天采用的是JDK自带的keytool来生成证书.
使用keytool生成认证证书
1.1 以jks格式生成服务器端包含Public key和Private Key的keystore文件
keytool -genkey -alias serverA -keystore D:\tmp\key\serverKeystore.jks -keypass javaee123* -storepass javaee123* -keyalg RSA -keysize 512 -validity 3650 -v -dname “CN = 127.0.0.1,O = BTC,DC = Server Https,DC = CN,OU = China”
1.2. 从keystore中导出别名为server的服务端证书
keytool -export -alias serverA -keystore D:\tmp\key\serverKeystore.jks -storepass javaee123* -file server.cer
1.3. 将server.cer导入客户端的信任证书库clientTruststore.jks。
keytool -import -alias trustServer -file server.cer -keystore clientTruststore.jks -storepass javaee123*
////////////////////////////////////////////////////////////////////////////////////////////////////////////
1.1. 以jks格式生成服务器端包含Public key和Private Key的keystore文件。
keytool -genkey -alias clientA -keystore D:\tmp\key\clientKeystore.jks -keypass javaee123* -storepass javaee123* -keyalg RSA -keysize 512 -validity 3650 -v -dname “CN = 127.0.0.1,O = BTC,DC = Client Https,DC = CN,OU = China”
1.2. 从keystore中导出别名为client的客户端证书.
keytool -export -alias clientA -keystore D:\tmp\key\clientKeystore.jks -storepass javaee123* -file client.cer
1.3. 将client.cer导入服务端的信任证书库serverTruststore.jks。
keytool -import -alias trustClient -file client.cer -keystore serverTruststore.jks -storepass javaee123*
服务器端: serverKeystore.jks serverTruststore.jks
客户端: clientKeystore.jks clientTruststore.jks
创建一个文件夹,执行上面6条指令生成证书即可.你会得到这样一些文件:
jks
在工程中对https进行配置
server
将server的jks文件上传到resource目录
resource
在applicaiton.yml配置证书
server:
port: 9000
tomcat:
uri-encoding: UTF-8
ssl:
key-store: classpath:serverKeystore.jks
key-store-password: javaee123*
key-store-type: JKS
trust-store: classpath:serverTruststore.jks
trust-store-password: javaee123*
trust-store-type: JKS
client-auth: need
client
将client相关证书放到resource下
resource
配置RestTemplate的ClientHttpRequestFactory
package com.tea.modules.config;
import lombok.extern.slf4j.Slf4j;
import org.apache.http.client.HttpClient;
import org.apache.http.conn.ssl.TrustStrategy;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContextBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.client.ClientHttpRequestFactory;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.http.client.SimpleClientHttpRequestFactory;
import org.springframework.http.converter.StringHttpMessageConverter;
import org.springframework.util.ResourceUtils;
import org.springframework.web.client.RestTemplate;
import javax.net.ssl.SSLContext;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.KeyManagementException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
/**
* com.jay.company.file.config
*
* @author xiejiemin
* @create 2020/9/28
*/
@Configuration
@Slf4j
public class RestTemplateConfig {
@Bean()
public RestTemplate restTemplate(ClientHttpRequestFactory httpComponentsClientHttpRequestFactory) {
RestTemplate restTemplate = new RestTemplate(httpComponentsClientHttpRequestFactory);
restTemplate.getMessageConverters().set(1, new StringHttpMessageConverter(StandardCharsets.UTF_8));
log.info("loading restTemplate");
return restTemplate;
}
@Bean("httpComponentsClientHttpRequestFactory")
public ClientHttpRequestFactory httpComponentsClientHttpRequestFactory() throws IOException, UnrecoverableKeyException, CertificateException, NoSuchAlgorithmException, KeyStoreException, KeyManagementException {
final String allPassword = "123ABCdef*";
TrustStrategy acceptingTrustStrategy = (X509Certificate[] chain, String authType) -> true;
SSLContext sslContext = SSLContextBuilder
.create()
.loadKeyMaterial(new ClassPathResource("clientKeystore.jks").getURL(),
allPassword.toCharArray(), allPassword.toCharArray())
.loadTrustMaterial(new ClassPathResource("clientTruststore.jks").getURL(), allPassword.toCharArray())
.loadTrustMaterial(null, acceptingTrustStrategy)
.build();
HttpClient client = HttpClients.custom()
.setSSLContext(sslContext)
.build();
HttpComponentsClientHttpRequestFactory requestFactory = new HttpComponentsClientHttpRequestFactory(client);
return requestFactory;
}
}
需要导入的jar
<dependency>
<groupId>org.apache.httpcomponents</groupId>
<artifactId>httpclient</artifactId>
<version>4.5.6</version>
</dependency>
需要注意的点
- 生成证书的时候,用户名要设置成server的ip地址.比如我这里的127.0.0.1
- 使用
ResourceUtils.getFile这种方式本地调试是没问题的,但是项目部署的时候,会产生报错,其中的原因是因为项目经过编译后,路径有所改变,需要用ClassPathResource这种方式来读取.(更新时间:2021-09-06)
网友评论