基于非对称加密实现接口的安全开放(openapi的实现)
背景
对外服务的接口为了安全起见,往往需要进行相应的安全处理:数据加密传输和身份认证。数据加密传输有对称加密和非对称加密两种,为了更加安全起见采用非对称加密比较好些,身份认证则采用数字签名可以实现。
程序流程
方案一:仅采用非对称加密
方案二:采用非对称加密+对称加密
核心代码(方案一)
客户端
package openapi.client.sdk; import cn.hutool.core.util.CharsetUtil; import cn.hutool.core.util.HexUtil; import cn.hutool.core.util.StrUtil; import cn.hutool.core.util.URLUtil; import cn.hutool.crypto.SecureUtil; import cn.hutool.crypto.SmUtil; import cn.hutool.crypto.asymmetric.*; import cn.hutool.http.HttpUtil; import cn.hutool.json.JSONUtil; import lombok.extern.slf4j.Slf4j; import openapi.sdk.common.constant.Constant; import openapi.sdk.common.model.AsymmetricCryEnum; import openapi.sdk.common.model.BusinessException; import openapi.sdk.common.model.InParams; import openapi.sdk.common.model.OutParams; import openapi.sdk.common.util.Base64Util; import java.nio.charset.StandardCharsets; import static openapi.sdk.common.util.Base64Util.bytesToBase64; /** * 对外开放api客户端 * * @author wanghuidong */ @Slf4j public class OpenApiClient { private String baseUrl; private String selfPrivateKey; private String remotePublicKey; private AsymmetricCryEnum asymmetricCryEnum; private boolean retDecrypt; /** * 客户端系统的私钥 * * @param baseUrl openapi基础路径 * @param selfPrivateKey 本系统私钥 * @param remotePublicKey 远程系统的公钥 * @param asymmetricCryEnum 非对称加密算法 * @param retDecrypt 返回值是否需要解密 */ public OpenApiClient(String baseUrl, String selfPrivateKey, String remotePublicKey, AsymmetricCryEnum asymmetricCryEnum, boolean retDecrypt) { this.baseUrl = baseUrl; this.selfPrivateKey = selfPrivateKey; this.remotePublicKey = remotePublicKey; this.asymmetricCryEnum = asymmetricCryEnum; this.retDecrypt = retDecrypt; } /** * 调用openapi * * @param inParams 入参 * @return 返回值 */ public OutParams callOpenApi(InParams inParams) { //加密&加签 encryptAndSign(inParams); //调用openapi 并 处理返回值 OutParams outParams = doCall(inParams); return outParams; } /** * 加密&加签 * * @param inParams 入参 */ private void encryptAndSign(InParams inParams) { String body = inParams.getBody(); if (StrUtil.isNotBlank(body)) { //加密 if (asymmetricCryEnum == AsymmetricCryEnum.RSA) { RSA rsa = new RSA(null, remotePublicKey); byte[] encrypt = rsa.encrypt(StrUtil.bytes(body, CharsetUtil.CHARSET_UTF_8), KeyType.PublicKey); body = bytesToBase64(encrypt); } else if (asymmetricCryEnum == AsymmetricCryEnum.SM2) { SM2 sm2 = SmUtil.sm2(null, remotePublicKey); body = sm2.encryptBcd(body, KeyType.PublicKey); } else { throw new BusinessException("不支持的非对称加密算法"); } inParams.setBody(body); //加签 String signedStr = null; if (asymmetricCryEnum == AsymmetricCryEnum.RSA) { Sign sign = SecureUtil.sign(SignAlgorithm.SHA256withRSA, selfPrivateKey, null); //签名 byte[] data = body.getBytes(StandardCharsets.UTF_8); byte[] signed = sign.sign(data); signedStr = bytesToBase64(signed); } else if (asymmetricCryEnum == AsymmetricCryEnum.SM2) { SM2 sm2 = SmUtil.sm2(selfPrivateKey, null); signedStr = sm2.signHex(HexUtil.encodeHexStr(body)); } else { throw new BusinessException("不支持的非对称加密算法"); } inParams.setSign(signedStr); } } /** * 调用远程openapi接口 * * @param inParams 入参 * @return 结果 */ private OutParams doCall(InParams inParams) { String url = URLUtil.completeUrl(baseUrl, Constant.OPENAPI_PATH); String body = JSONUtil.toJsonStr(inParams); log.debug("调用openapi入参:" + inParams); String ret = HttpUtil.post(url, body); log.debug("调用openapi返回值:" + ret); if (StrUtil.isBlank(ret)) { throw new BusinessException("返回值为空"); } OutParams outParams = JSONUtil.toBean(ret, OutParams.class); if (OutParams.isSuccess(outParams)) { log.debug("调用openapi成功"); //判断是否需要解密数据 if (retDecrypt) { decryptData(outParams); } } else { throw new BusinessException("调用openapi异常:" + outParams.getMessage()); } return outParams; } /** * 解密数据 * * @param outParams 返回值 */ private void decryptData(OutParams outParams) { //解密 String decryptedData = null; try { if (asymmetricCryEnum == AsymmetricCryEnum.RSA) { RSA rsa = new RSA(selfPrivateKey, null); byte[] dataBytes = Base64Util.base64ToBytes(outParams.getData()); byte[] decrypt = rsa.decrypt(dataBytes, KeyType.PrivateKey); decryptedData = new String(decrypt, StandardCharsets.UTF_8); } else if (asymmetricCryEnum == AsymmetricCryEnum.SM2) { SM2 sm2 = SmUtil.sm2(selfPrivateKey, null); decryptedData = StrUtil.utf8Str(sm2.decryptFromBcd(outParams.getData(), KeyType.PrivateKey)); } else { throw new BusinessException("不支持的非对称加密算法"); } outParams.setData(decryptedData); } catch (Exception ex) { log.error("解密失败", ex); throw new BusinessException("解密失败"); } } }
服务端
package openapi.server.sdk; import cn.hutool.core.util.*; import cn.hutool.crypto.SecureUtil; import cn.hutool.crypto.SmUtil; import cn.hutool.crypto.asymmetric.*; import lombok.extern.slf4j.Slf4j; import openapi.server.sdk.model.ApiHandler; import openapi.server.sdk.model.OpenApi; import openapi.server.sdk.model.OpenApiMethod; import openapi.sdk.common.constant.Constant; import openapi.sdk.common.model.AsymmetricCryEnum; import openapi.sdk.common.model.BusinessException; import openapi.sdk.common.model.InParams; import openapi.sdk.common.model.OutParams; import openapi.sdk.common.util.Base64Util; import openapi.sdk.common.util.StrObjectConvert; import openapi.server.sdk.config.OpenApiConfig; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.ApplicationContext; import org.springframework.web.bind.annotation.PostMapping; import org.springframework.web.bind.annotation.RequestBody; import org.springframework.web.bind.annotation.RestController; import javax.annotation.PostConstruct; import java.lang.reflect.Method; import java.nio.charset.StandardCharsets; import java.util.HashMap; import java.util.Map; /** * 对外开放api网关入口 * <p> * 功能 * 1.负责对外开放接口(基于HTTP对外提供服务) * 2.实现接口的参数与返回值的加解密(使用RSA或国密SM2实现非对称加解密) * 3.实现接口的验签(服务端会校验客户端的签名,确保调用者身份以及数据不被篡改) * <p> * * @author wanghuidong */ @Slf4j @RestController public class OpenApiGateway { /** * 定义api处理器映射 * key: api_method * value: ApiHandler */ private Map<String, ApiHandler> handlerMap = new HashMap<>(); @Autowired private ApplicationContext applicationContext; @Autowired private OpenApiConfig config; /** * 初始化 */ @PostConstruct public void init() { //初始化所有的openapi处理器 Map<String, Object> beanMap = applicationContext.getBeansWithAnnotation(OpenApi.class); for (Map.Entry<String, Object> entry : beanMap.entrySet()) { Object bean = entry.getValue(); Class c = bean.getClass(); //获取开放api名称 OpenApi openApi = (OpenApi) c.getAnnotation(OpenApi.class); String openApiName = openApi.value(); //遍历方法 Method[] methods = c.getDeclaredMethods(); if (ArrayUtil.isNotEmpty(methods)) { for (Method method : methods) { if (method.isAnnotationPresent(OpenApiMethod.class)) { //获取开放api方法名称 OpenApiMethod openApiMethod = method.getAnnotation(OpenApiMethod.class); String openApiMethodName = openApiMethod.value(); //获取方法参数 Class[] classes = method.getParameterTypes(); //保存处理器到Map中 String handlerKey = getHandlerKey(openApiName, openApiMethodName); ApiHandler apiHandler = new ApiHandler(); apiHandler.setBean(bean); apiHandler.setMethod(method); apiHandler.setParamClasses(classes); handlerMap.put(handlerKey, apiHandler); } } } } } /** * 调用具体的方法 * * @param inParams 入参 * @return 出参 */ @PostMapping(Constant.OPENAPI_PATH) public OutParams callMethod(@RequestBody InParams inParams) { OutParams outParams = null; try { log.debug("接收到请求:" + inParams); //获取openapi处理器 ApiHandler apiHandler = getApiHandler(inParams); //获取方法参数 Object param = getParam(inParams, apiHandler); //调用目标方法 return outParams = doCall(apiHandler, param, inParams); } catch (BusinessException be) { log.error(be.getMessage()); return outParams = OutParams.error(be.getMessage()); } catch (Exception ex) { log.error("系统异常:", ex); return outParams = OutParams.error("系统异常"); } finally { outParams.setUuid(inParams.getUuid()); log.debug("调用完毕:" + outParams); } } /** * 获取openapi处理器 * * @param inParams 入参 * @return openapi处理器 */ private ApiHandler getApiHandler(InParams inParams) { String handlerKey = getHandlerKey(inParams.getApi(), inParams.getMethod()); ApiHandler apiHandler = handlerMap.get(handlerKey); if (apiHandler == null) { throw new BusinessException("找不到指定的opeapi处理器"); } return apiHandler; } /** * 获取方法参数 * * @param inParams 入参 * @param apiHandler openapi处理器 * @return 方法参数 */ private Object getParam(InParams inParams, ApiHandler apiHandler) { Object param = null; if (StrUtil.isNotBlank(inParams.getBody())) { //验签 boolean verify = false; String callerPublicKey = config.getCallerPublicKey(inParams.getCallerId()); if (config.getAsymmetricCry() == AsymmetricCryEnum.RSA) { Sign sign = SecureUtil.sign(SignAlgorithm.SHA256withRSA, null, callerPublicKey); verify = sign.verify(inParams.getBody().getBytes(StandardCharsets.UTF_8), Base64Util.base64ToBytes(inParams.getSign())); } else if (config.getAsymmetricCry() == AsymmetricCryEnum.SM2) { SM2 sm2 = SmUtil.sm2(null, callerPublicKey); verify = sm2.verifyHex(HexUtil.encodeHexStr(inParams.getBody()), inParams.getSign()); } else { throw new BusinessException("不支持的非对称加密算法"); } if (!verify) { throw new BusinessException("验签失败"); } //解密 String decryptedBody = null; try { String selfPrivateKey = config.getSelfPrivateKey(); if (config.getAsymmetricCry() == AsymmetricCryEnum.RSA) { RSA rsa = new RSA(selfPrivateKey, null); byte[] bodyBytes = Base64Util.base64ToBytes(inParams.getBody()); byte[] decrypt = rsa.decrypt(bodyBytes, KeyType.PrivateKey); decryptedBody = new String(decrypt, StandardCharsets.UTF_8); } else if (config.getAsymmetricCry() == AsymmetricCryEnum.SM2) { SM2 sm2 = SmUtil.sm2(selfPrivateKey, null); decryptedBody = StrUtil.utf8Str(sm2.decryptFromBcd(inParams.getBody(), KeyType.PrivateKey)); } else { throw new BusinessException("不支持的非对称加密算法"); } } catch (Exception ex) { log.error("解密失败", ex); throw new BusinessException("解密失败"); } try { //当前仅支持一个参数的方法 Class paramClass = apiHandler.getParamClasses()[0]; param = StrObjectConvert.strToObj(decryptedBody, paramClass); } catch (Exception ex) { log.error("入参转换异常", ex); throw new BusinessException("入参转换异常"); } } return param; } /** * 调用目标方法 * * @param apiHandler openapi处理器 * @param param 方法参数 * @param inParams openapi入参 * @return 返回结果 */ private OutParams doCall(ApiHandler apiHandler, Object param, InParams inParams) { try { Object ret = apiHandler.getMethod().invoke(apiHandler.getBean(), param); String retStr = StrObjectConvert.objToStr(ret, ret.getClass()); //返回值需要加密 if (config.retEncrypt()) { retStr = encryptRet(inParams, retStr); } return OutParams.success(retStr); } catch (Exception ex) { log.error("调用opeapi处理器异常", ex); throw new BusinessException("调用opeapi处理器异常"); } } /** * 加密返回值 * * @param inParams openapi入参 * @param retStr 返回值 * @return 加密后的返回值 */ private String encryptRet(InParams inParams, String retStr) { try { String callerPublicKey = config.getCallerPublicKey(inParams.getCallerId()); if (config.getAsymmetricCry() == AsymmetricCryEnum.RSA) { RSA rsa = new RSA(null, callerPublicKey); byte[] encrypt = rsa.encrypt(StrUtil.bytes(retStr, CharsetUtil.CHARSET_UTF_8), KeyType.PublicKey); retStr = Base64Util.bytesToBase64(encrypt); } else if (config.getAsymmetricCry() == AsymmetricCryEnum.SM2) { SM2 sm2 = SmUtil.sm2(null, callerPublicKey); retStr = sm2.encryptBcd(retStr, KeyType.PublicKey); } else { throw new BusinessException("不支持的非对称加密算法"); } } catch (Exception ex) { throw new BusinessException("返回值加密异常", ex); } return retStr; } /** * 获取api处理器Map的key * * @param openApiName 开放api名称 * @param openApiMethodName 开放api方法名称 * @return 处理器Map的key */ private String getHandlerKey(String openApiName, String openApiMethodName) { return openApiName + "_" + openApiMethodName; } }
项目完整源码
OpenApi: https://github.com/hdwang123/openapi
该项目支持两种方案的API交互,已经发布jar包到maven中央仓库,大家可以直接引入项目中进行快速开发,具体使用请见github。maven依赖配置如下:
<!-- openapi服务端sdk --> <dependency> <groupId>io.github.hdwang123</groupId> <artifactId>openapi-server-sdk</artifactId> <version>1.2.4</version> </dependency> <!-- openapi客户端sdk --> <dependency> <groupId>io.github.hdwang123</groupId> <artifactId>openapi-client-sdk</artifactId> <version>1.2.4</version> </dependency>