基于非对称加密实现接口的安全开放(openapi的实现)

背景

对外服务的接口为了安全起见,往往需要进行相应的安全处理:数据加密传输和身份认证。数据加密传输有对称加密和非对称加密两种,为了更加安全起见采用非对称加密比较好些,身份认证则采用数字签名可以实现。

 

程序流程

方案一:仅采用非对称加密

 

 

方案二:采用非对称加密+对称加密

 

 

核心代码(方案一)

客户端

package openapi.client.sdk;

import cn.hutool.core.util.CharsetUtil;
import cn.hutool.core.util.HexUtil;
import cn.hutool.core.util.StrUtil;
import cn.hutool.core.util.URLUtil;
import cn.hutool.crypto.SecureUtil;
import cn.hutool.crypto.SmUtil;
import cn.hutool.crypto.asymmetric.*;
import cn.hutool.http.HttpUtil;
import cn.hutool.json.JSONUtil;
import lombok.extern.slf4j.Slf4j;
import openapi.sdk.common.constant.Constant;
import openapi.sdk.common.model.AsymmetricCryEnum;
import openapi.sdk.common.model.BusinessException;
import openapi.sdk.common.model.InParams;
import openapi.sdk.common.model.OutParams;
import openapi.sdk.common.util.Base64Util;

import java.nio.charset.StandardCharsets;

import static openapi.sdk.common.util.Base64Util.bytesToBase64;

/**
 * 对外开放api客户端
 *
 * @author wanghuidong
 */
@Slf4j
public class OpenApiClient {

    private String baseUrl;
    private String selfPrivateKey;
    private String remotePublicKey;
    private AsymmetricCryEnum asymmetricCryEnum;
    private boolean retDecrypt;

    /**
     * 客户端系统的私钥
     *
     * @param baseUrl           openapi基础路径
     * @param selfPrivateKey    本系统私钥
     * @param remotePublicKey   远程系统的公钥
     * @param asymmetricCryEnum 非对称加密算法
     * @param retDecrypt        返回值是否需要解密
     */
    public OpenApiClient(String baseUrl, String selfPrivateKey, String remotePublicKey, AsymmetricCryEnum asymmetricCryEnum, boolean retDecrypt) {
        this.baseUrl = baseUrl;
        this.selfPrivateKey = selfPrivateKey;
        this.remotePublicKey = remotePublicKey;
        this.asymmetricCryEnum = asymmetricCryEnum;
        this.retDecrypt = retDecrypt;
    }

    /**
     * 调用openapi
     *
     * @param inParams 入参
     * @return 返回值
     */
    public OutParams callOpenApi(InParams inParams) {
        //加密&加签
        encryptAndSign(inParams);

        //调用openapi 并 处理返回值
        OutParams outParams = doCall(inParams);
        return outParams;
    }

    /**
     * 加密&加签
     *
     * @param inParams 入参
     */
    private void encryptAndSign(InParams inParams) {
        String body = inParams.getBody();
        if (StrUtil.isNotBlank(body)) {
            //加密
            if (asymmetricCryEnum == AsymmetricCryEnum.RSA) {
                RSA rsa = new RSA(null, remotePublicKey);
                byte[] encrypt = rsa.encrypt(StrUtil.bytes(body, CharsetUtil.CHARSET_UTF_8), KeyType.PublicKey);
                body = bytesToBase64(encrypt);
            } else if (asymmetricCryEnum == AsymmetricCryEnum.SM2) {
                SM2 sm2 = SmUtil.sm2(null, remotePublicKey);
                body = sm2.encryptBcd(body, KeyType.PublicKey);
            } else {
                throw new BusinessException("不支持的非对称加密算法");
            }
            inParams.setBody(body);

            //加签
            String signedStr = null;
            if (asymmetricCryEnum == AsymmetricCryEnum.RSA) {
                Sign sign = SecureUtil.sign(SignAlgorithm.SHA256withRSA, selfPrivateKey, null);
                //签名
                byte[] data = body.getBytes(StandardCharsets.UTF_8);
                byte[] signed = sign.sign(data);
                signedStr = bytesToBase64(signed);
            } else if (asymmetricCryEnum == AsymmetricCryEnum.SM2) {
                SM2 sm2 = SmUtil.sm2(selfPrivateKey, null);
                signedStr = sm2.signHex(HexUtil.encodeHexStr(body));
            } else {
                throw new BusinessException("不支持的非对称加密算法");
            }
            inParams.setSign(signedStr);
        }
    }

    /**
     * 调用远程openapi接口
     *
     * @param inParams 入参
     * @return 结果
     */
    private OutParams doCall(InParams inParams) {
        String url = URLUtil.completeUrl(baseUrl, Constant.OPENAPI_PATH);
        String body = JSONUtil.toJsonStr(inParams);
        log.debug("调用openapi入参:" + inParams);
        String ret = HttpUtil.post(url, body);
        log.debug("调用openapi返回值:" + ret);
        if (StrUtil.isBlank(ret)) {
            throw new BusinessException("返回值为空");
        }
        OutParams outParams = JSONUtil.toBean(ret, OutParams.class);
        if (OutParams.isSuccess(outParams)) {
            log.debug("调用openapi成功");
            //判断是否需要解密数据
            if (retDecrypt) {
                decryptData(outParams);
            }
        } else {
            throw new BusinessException("调用openapi异常:" + outParams.getMessage());
        }
        return outParams;
    }

    /**
     * 解密数据
     *
     * @param outParams 返回值
     */
    private void decryptData(OutParams outParams) {
        //解密
        String decryptedData = null;
        try {
            if (asymmetricCryEnum == AsymmetricCryEnum.RSA) {
                RSA rsa = new RSA(selfPrivateKey, null);
                byte[] dataBytes = Base64Util.base64ToBytes(outParams.getData());
                byte[] decrypt = rsa.decrypt(dataBytes, KeyType.PrivateKey);
                decryptedData = new String(decrypt, StandardCharsets.UTF_8);
            } else if (asymmetricCryEnum == AsymmetricCryEnum.SM2) {
                SM2 sm2 = SmUtil.sm2(selfPrivateKey, null);
                decryptedData = StrUtil.utf8Str(sm2.decryptFromBcd(outParams.getData(), KeyType.PrivateKey));
            } else {
                throw new BusinessException("不支持的非对称加密算法");
            }
            outParams.setData(decryptedData);
        } catch (Exception ex) {
            log.error("解密失败", ex);
            throw new BusinessException("解密失败");
        }
    }


}

服务端

package openapi.server.sdk;

import cn.hutool.core.util.*;
import cn.hutool.crypto.SecureUtil;
import cn.hutool.crypto.SmUtil;
import cn.hutool.crypto.asymmetric.*;
import lombok.extern.slf4j.Slf4j;
import openapi.server.sdk.model.ApiHandler;
import openapi.server.sdk.model.OpenApi;
import openapi.server.sdk.model.OpenApiMethod;
import openapi.sdk.common.constant.Constant;
import openapi.sdk.common.model.AsymmetricCryEnum;
import openapi.sdk.common.model.BusinessException;
import openapi.sdk.common.model.InParams;
import openapi.sdk.common.model.OutParams;
import openapi.sdk.common.util.Base64Util;
import openapi.sdk.common.util.StrObjectConvert;
import openapi.server.sdk.config.OpenApiConfig;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationContext;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

import javax.annotation.PostConstruct;
import java.lang.reflect.Method;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;

/**
 * 对外开放api网关入口
 * <p>
 * 功能
 * 1.负责对外开放接口(基于HTTP对外提供服务)
 * 2.实现接口的参数与返回值的加解密(使用RSA或国密SM2实现非对称加解密)
 * 3.实现接口的验签(服务端会校验客户端的签名,确保调用者身份以及数据不被篡改)
 * <p>
 *
 * @author wanghuidong
 */
@Slf4j
@RestController
public class OpenApiGateway {

    /**
     * 定义api处理器映射
     * key: api_method
     * value: ApiHandler
     */
    private Map<String, ApiHandler> handlerMap = new HashMap<>();

    @Autowired
    private ApplicationContext applicationContext;

    @Autowired
    private OpenApiConfig config;

    /**
     * 初始化
     */
    @PostConstruct
    public void init() {
        //初始化所有的openapi处理器
        Map<String, Object> beanMap = applicationContext.getBeansWithAnnotation(OpenApi.class);
        for (Map.Entry<String, Object> entry : beanMap.entrySet()) {
            Object bean = entry.getValue();
            Class c = bean.getClass();
            //获取开放api名称
            OpenApi openApi = (OpenApi) c.getAnnotation(OpenApi.class);
            String openApiName = openApi.value();
            //遍历方法
            Method[] methods = c.getDeclaredMethods();
            if (ArrayUtil.isNotEmpty(methods)) {
                for (Method method : methods) {
                    if (method.isAnnotationPresent(OpenApiMethod.class)) {
                        //获取开放api方法名称
                        OpenApiMethod openApiMethod = method.getAnnotation(OpenApiMethod.class);
                        String openApiMethodName = openApiMethod.value();

                        //获取方法参数
                        Class[] classes = method.getParameterTypes();

                        //保存处理器到Map中
                        String handlerKey = getHandlerKey(openApiName, openApiMethodName);
                        ApiHandler apiHandler = new ApiHandler();
                        apiHandler.setBean(bean);
                        apiHandler.setMethod(method);
                        apiHandler.setParamClasses(classes);
                        handlerMap.put(handlerKey, apiHandler);
                    }
                }
            }
        }
    }


    /**
     * 调用具体的方法
     *
     * @param inParams 入参
     * @return 出参
     */
    @PostMapping(Constant.OPENAPI_PATH)
    public OutParams callMethod(@RequestBody InParams inParams) {
        OutParams outParams = null;
        try {
            log.debug("接收到请求:" + inParams);

            //获取openapi处理器
            ApiHandler apiHandler = getApiHandler(inParams);

            //获取方法参数
            Object param = getParam(inParams, apiHandler);

            //调用目标方法
            return outParams = doCall(apiHandler, param, inParams);
        } catch (BusinessException be) {
            log.error(be.getMessage());
            return outParams = OutParams.error(be.getMessage());
        } catch (Exception ex) {
            log.error("系统异常:", ex);
            return outParams = OutParams.error("系统异常");
        } finally {
            outParams.setUuid(inParams.getUuid());
            log.debug("调用完毕:" + outParams);
        }
    }

    /**
     * 获取openapi处理器
     *
     * @param inParams 入参
     * @return openapi处理器
     */
    private ApiHandler getApiHandler(InParams inParams) {
        String handlerKey = getHandlerKey(inParams.getApi(), inParams.getMethod());
        ApiHandler apiHandler = handlerMap.get(handlerKey);
        if (apiHandler == null) {
            throw new BusinessException("找不到指定的opeapi处理器");
        }
        return apiHandler;
    }

    /**
     * 获取方法参数
     *
     * @param inParams   入参
     * @param apiHandler openapi处理器
     * @return 方法参数
     */
    private Object getParam(InParams inParams, ApiHandler apiHandler) {
        Object param = null;
        if (StrUtil.isNotBlank(inParams.getBody())) {
            //验签
            boolean verify = false;
            String callerPublicKey = config.getCallerPublicKey(inParams.getCallerId());
            if (config.getAsymmetricCry() == AsymmetricCryEnum.RSA) {
                Sign sign = SecureUtil.sign(SignAlgorithm.SHA256withRSA, null, callerPublicKey);
                verify = sign.verify(inParams.getBody().getBytes(StandardCharsets.UTF_8), Base64Util.base64ToBytes(inParams.getSign()));
            } else if (config.getAsymmetricCry() == AsymmetricCryEnum.SM2) {
                SM2 sm2 = SmUtil.sm2(null, callerPublicKey);
                verify = sm2.verifyHex(HexUtil.encodeHexStr(inParams.getBody()), inParams.getSign());
            } else {
                throw new BusinessException("不支持的非对称加密算法");
            }
            if (!verify) {
                throw new BusinessException("验签失败");
            }

            //解密
            String decryptedBody = null;
            try {
                String selfPrivateKey = config.getSelfPrivateKey();
                if (config.getAsymmetricCry() == AsymmetricCryEnum.RSA) {
                    RSA rsa = new RSA(selfPrivateKey, null);
                    byte[] bodyBytes = Base64Util.base64ToBytes(inParams.getBody());
                    byte[] decrypt = rsa.decrypt(bodyBytes, KeyType.PrivateKey);
                    decryptedBody = new String(decrypt, StandardCharsets.UTF_8);
                } else if (config.getAsymmetricCry() == AsymmetricCryEnum.SM2) {
                    SM2 sm2 = SmUtil.sm2(selfPrivateKey, null);
                    decryptedBody = StrUtil.utf8Str(sm2.decryptFromBcd(inParams.getBody(), KeyType.PrivateKey));
                } else {
                    throw new BusinessException("不支持的非对称加密算法");
                }
            } catch (Exception ex) {
                log.error("解密失败", ex);
                throw new BusinessException("解密失败");
            }

            try {
                //当前仅支持一个参数的方法
                Class paramClass = apiHandler.getParamClasses()[0];
                param = StrObjectConvert.strToObj(decryptedBody, paramClass);
            } catch (Exception ex) {
                log.error("入参转换异常", ex);
                throw new BusinessException("入参转换异常");
            }
        }
        return param;
    }

    /**
     * 调用目标方法
     *
     * @param apiHandler openapi处理器
     * @param param      方法参数
     * @param inParams   openapi入参
     * @return 返回结果
     */
    private OutParams doCall(ApiHandler apiHandler, Object param, InParams inParams) {
        try {
            Object ret = apiHandler.getMethod().invoke(apiHandler.getBean(), param);
            String retStr = StrObjectConvert.objToStr(ret, ret.getClass());
            //返回值需要加密
            if (config.retEncrypt()) {
                retStr = encryptRet(inParams, retStr);
            }
            return OutParams.success(retStr);
        } catch (Exception ex) {
            log.error("调用opeapi处理器异常", ex);
            throw new BusinessException("调用opeapi处理器异常");
        }
    }

    /**
     * 加密返回值
     *
     * @param inParams openapi入参
     * @param retStr   返回值
     * @return 加密后的返回值
     */
    private String encryptRet(InParams inParams, String retStr) {
        try {
            String callerPublicKey = config.getCallerPublicKey(inParams.getCallerId());
            if (config.getAsymmetricCry() == AsymmetricCryEnum.RSA) {
                RSA rsa = new RSA(null, callerPublicKey);
                byte[] encrypt = rsa.encrypt(StrUtil.bytes(retStr, CharsetUtil.CHARSET_UTF_8), KeyType.PublicKey);
                retStr = Base64Util.bytesToBase64(encrypt);
            } else if (config.getAsymmetricCry() == AsymmetricCryEnum.SM2) {
                SM2 sm2 = SmUtil.sm2(null, callerPublicKey);
                retStr = sm2.encryptBcd(retStr, KeyType.PublicKey);
            } else {
                throw new BusinessException("不支持的非对称加密算法");
            }
        } catch (Exception ex) {
            throw new BusinessException("返回值加密异常", ex);
        }
        return retStr;
    }


    /**
     * 获取api处理器Map的key
     *
     * @param openApiName       开放api名称
     * @param openApiMethodName 开放api方法名称
     * @return 处理器Map的key
     */
    private String getHandlerKey(String openApiName, String openApiMethodName) {
        return openApiName + "_" + openApiMethodName;
    }


}

 

项目完整源码

OpenApi: https://github.com/hdwang123/openapi

该项目支持两种方案的API交互,已经发布jar包到maven中央仓库,大家可以直接引入项目中进行快速开发,具体使用请见github。maven依赖配置如下:

        <!-- openapi服务端sdk -->
        <dependency>
            <groupId>io.github.hdwang123</groupId>
            <artifactId>openapi-server-sdk</artifactId>
            <version>1.2.4</version>
        </dependency>

        <!-- openapi客户端sdk -->
        <dependency>
            <groupId>io.github.hdwang123</groupId>
            <artifactId>openapi-client-sdk</artifactId>
            <version>1.2.4</version>
        </dependency>

 

posted @ 2022-05-27 23:42  追极  阅读(1027)  评论(0编辑  收藏  举报