国密与非国密
1.国密与非国密
什么是国密?
国密即国家密码局认定的国产密码算法。主要有SM1,SM2,SM3,SM4。具体可以参考https://zhuanlan.zhihu.com/p/132352160。
什么是非国密?
就是除了国密以外的算法,包括除国密算法以外的加密算法。
2.国密与非国密和http与https有什么关系?
使用国密算法需要依靠https进行通信。
使用非国密,如果使用了加密算法仍然要依靠https进行通信,没有加密算法可以使用http通信。
3.基于nginx搭建非国密https环境
3.1.下载并解压nginx
本文使用的版本是1.16.1,下载地址是http://nginx.org/download/nginx-1.16.1.tar.gz,下载后上传到服务器进行解压。
tar -zxvf nginx-1.16.1.tar.gz
3.2 携带ssl模块安装nginx
在解压目录下运行以下命令
1 2 3 | ./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_modulemakemake install |
3.3 查看ssl是否安装成功
/usr/local/nginx/sbin/nginx -V
如果出现以下结果,则表明安装成功。
3.4启动nginx
cd /usr/local/nginx/sbin
./nginx
3.5配置ssl证书
本文把证书放在/root/notgm目录下
3.6修改nginx配置
修改/usr/local/nginx/conf/nginx.conf
在最后一个}之前填写以下信息,则表明将开启一个1445端口。
server { listen 1445 ssl; #listen 8888; server_name localhost; #limit_req zone=reqperip burst=20 nodelay; #limit_req zone=reqperserver burst=200 nodelay; #limit_conn connperip 20; #limit_conn connperserver 500; #ssl on; ssl_certificate /root/notgm/server.crt; ssl_certificate_key /root/notgm/server.key; ssl_client_certificate /root/notgm/ca.crt; ssl_verify_client on; ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"; location / { # default_type application/json; # return 200 '{"code":200}'; proxy_pass http://192.168.110.27:8089/; } location ~ .*\.(json)$ { default_type application/json; return 200 '{"code":200}'; } }
3.7 加载nginx.conf
./nginx -s reload
4.验证https通信
4.1 Python
import requests session = requests.Session() r=session.post("https://192.168.110.235:1445/V1/jcc/reg_rs", verify='./192.168.110.235/ca.crt', cert=('./192.168.110.235/server.crt', './192.168.110.235/server.key')) print r.text
运行结果如下,表明可以通信成功。
4.2Java
4.2.1 使用HttpURLConnection方式
可以参考https://blog.csdn.net/qq_36313856/article/details/111407772
1、对客户端证书和私钥进行打包处理(需要输入密码,之后在代码中需要用到该密码) openssl pkcs12 -export -in server.crt -inkey server.key -out client.p12 2、.p12文件转化成JKS格式 keytool -importkeystore -srckeystore client.p12 -srcstoretype pkcs12 -destkeystore client.jks -deststoretype JKS 3、CA根证书转成JKS格式(需要输入密码,之后在代码中需要用到该密码) keytool -import -noprompt -file ca.crt -keystore ca.jks -storepass 123456 将ca.jks和client.jks放到/usr/local/qwzy/jcqcomponent/
package learn.https; import com.alibaba.fastjson.JSONObject; import lombok.extern.slf4j.Slf4j; import org.apache.http.HttpStatus; import javax.net.ssl.*; import java.io.*; import java.net.HttpURLConnection; import java.net.URL; import java.security.KeyStore; import java.security.SecureRandom; import java.security.cert.CertificateException; import java.security.cert.X509Certificate; import java.util.HashMap; import java.util.Map; @Slf4j public class HttpsUtil { //CA根证书文件路径 private String caPath="C:\\Users\\anny\\Desktop\\ca.jks"; //CA根证书生成密码 private String caPassword="123456"; //客户端证书文件名 private String clientCertPath="C:\\Users\\anny\\Desktop\\client.jks"; //客户端证书生成密码 private String clientCertPassword="123456"; private SSLSocketFactory sslFactory; public static void main(String[] args) throws Exception { HttpsUtil util=new HttpsUtil(); JSONObject jsonParam = new JSONObject(); jsonParam.put("code", 0); jsonParam.put("detail", "detail"); jsonParam.put("audit_time", "2020-11-10"); util.httpsPost("https://192.168.124.244:20443/V1/jcc/reg_rs",jsonParam.toJSONString()); } //https POST请求返回结果和结果码 public Map<String,Object> httpsPost(String requestUrl, String xml) throws Exception { Map<String,Object> map=new HashMap<>(); OutputStreamWriter wr=null; HttpURLConnection conn=null; try { URL url = new URL(requestUrl); //start 这一段代码必须加在open之前,即支持ip访问的关键代码 HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() { @Override public boolean verify(String s, SSLSession sslSession) { return true; } }); //end byte[] xmlBytes = xml.getBytes(); conn = (HttpsURLConnection) url.openConnection(); conn.setDoOutput(true); conn.setDoInput(true); conn.setUseCaches(false); conn.setInstanceFollowRedirects(true); conn.setRequestMethod("POST"); //根据自己项目需求设置Content-Type conn.setRequestProperty("Content-Type", "application/xml;charset=UTF-8"); conn.setRequestProperty("Content-Length", String.valueOf(xmlBytes.length)); conn.setRequestProperty("Content-Type", "application/xml;charset=UTF-8"); conn.setRequestProperty("Content-Length", String.valueOf(xmlBytes.length)); conn.setRequestProperty("Src-Node", "204300010001"); conn.setRequestProperty("Dst-Node", "180206020029"); conn.setRequestProperty("Source-Type", "DIRECTOR_AUDIT"); conn.setRequestProperty("BusinessData-Type", "DIRECTOR_AUDIT_RESULT"); conn.setRequestProperty("Content-Type", "application/json"); ((HttpsURLConnection) conn).setSSLSocketFactory(getSslFactory()); wr = new OutputStreamWriter(conn.getOutputStream()); wr.write(xml); wr.close(); conn.connect(); String responseBody = getResponseBodyAsString(conn); int responseCode=getResponseCode(conn); map.put("responseBody",responseBody); map.put("responseCode",responseCode); if (getResponseCode(conn) == 200) { System.out.println("请求成功"); System.out.println(map.get("responseCode").getClass().getName()); } else { System.out.println("请求失败"); } System.out.println(responseBody); conn.disconnect(); } catch (Exception e) { log.error("HTTPS请求出现异常,请求参数为:"+xml); e.printStackTrace(); throw e; }finally { try{ if(wr!=null){ wr.close(); } if(conn!=null){ conn.disconnect(); } }catch (Exception e){ } } return map; } public SSLSocketFactory getSslFactory() throws Exception { if (sslFactory == null) { SSLContext sslContext = SSLContext.getInstance("SSL"); TrustManager[] tm = {new MyX509TrustManager()}; KeyStore trustStore = KeyStore.getInstance("JKS"); //加载客户端证书 FileInputStream clientInputStream=new FileInputStream(clientCertPath); trustStore.load(clientInputStream, clientCertPassword.toCharArray()); KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509"); kmf.init(trustStore, clientCertPassword.toCharArray()); sslContext.init(kmf.getKeyManagers(), tm, new SecureRandom()); sslFactory = sslContext.getSocketFactory(); } return sslFactory; } public int getResponseCode(HttpURLConnection connection) throws Exception { return connection.getResponseCode(); } public String getResponseBodyAsString(HttpURLConnection connection) throws Exception { BufferedReader reader = null; if (connection.getResponseCode() == 200) { reader = new BufferedReader(new InputStreamReader(connection.getInputStream())); } else { reader = new BufferedReader(new InputStreamReader(connection.getErrorStream())); } StringBuffer buffer = new StringBuffer(); String line = null; while ((line = reader.readLine()) != null) { buffer.append(line); } reader.close(); return buffer.toString(); } class MyX509TrustManager implements X509TrustManager { private X509TrustManager sunJSSEX509TrustManager; MyX509TrustManager() throws Exception { KeyStore ks = KeyStore.getInstance("JKS"); //获取CA证书 FileInputStream caInputStream=new FileInputStream(caPath); ks.load(caInputStream, caPassword.toCharArray()); TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509", "SunJSSE"); tmf.init(ks); TrustManager tms[] = tmf.getTrustManagers(); for (int i = 0; i < tms.length; i++) { if (tms[i] instanceof X509TrustManager) { sunJSSEX509TrustManager = (X509TrustManager) tms[i]; return; } } throw new Exception("Couldn't not initialize"); } @Override public void checkClientTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException { try { sunJSSEX509TrustManager.checkClientTrusted(x509Certificates, s); } catch (Exception e) { } } @Override public void checkServerTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException { try { sunJSSEX509TrustManager.checkServerTrusted(x509Certificates, s); } catch (Exception e) { } } @Override public X509Certificate[] getAcceptedIssuers() { return sunJSSEX509TrustManager.getAcceptedIssuers(); } } }
4.2.2使用HttpClient方式
生成jks的方式和4.2.1一样
import java.io.BufferedReader; import java.io.FileInputStream; import java.io.InputStreamReader; import java.net.URLDecoder; import java.security.KeyStore; import java.util.ArrayList; import java.util.HashMap; import java.util.Iterator; import java.util.List; import java.util.Map; import javax.net.ssl.KeyManagerFactory; import javax.net.ssl.SSLContext; import javax.net.ssl.TrustManager; import javax.net.ssl.TrustManagerFactory; import org.apache.http.HttpResponse; import org.apache.http.NameValuePair; import org.apache.http.client.HttpClient; import org.apache.http.client.entity.UrlEncodedFormEntity; import org.apache.http.client.methods.HttpPost; import org.apache.http.conn.scheme.Scheme; import org.apache.http.conn.ssl.SSLSocketFactory; import org.apache.http.impl.client.DefaultHttpClient; import org.apache.http.message.BasicNameValuePair; public class TEst { public static void main(String[] args) throws Exception { String url = "https://192.168.110.235:1445/xxx"; TEst t = new TEst(); t.connect(url, ""); } public String connect(String queryUrl, String xml) throws Exception { BufferedReader in = null; String keyStore = "C:\\Users\\anny\\Desktop\\client.jks"; //证书的路径,pfx格式 String trustStore = "C:\\Users\\anny\\Desktop\\ca.jks";//密钥库文件,jks格式 String keyPass = "123456"; //pfx文件的密码 String trustPass = "123456"; //jks文件的密码 SSLContext sslContext = null; try { KeyStore ks = KeyStore.getInstance("jks"); // 加载pfx文件 ks.load(new FileInputStream(keyStore), keyPass.toCharArray()); KeyManagerFactory kmf = KeyManagerFactory.getInstance("sunx509"); kmf.init(ks, keyPass.toCharArray()); KeyStore ts = KeyStore.getInstance("jks"); //加载jks文件 ts.load(new FileInputStream(trustStore), trustPass.toCharArray()); TrustManager[] tm; TrustManagerFactory tmf = TrustManagerFactory.getInstance("sunx509"); tmf.init(ts); tm = tmf.getTrustManagers(); sslContext = SSLContext.getInstance("SSL"); //初始化 sslContext.init(kmf.getKeyManagers(), tm, null); } catch (Exception e) { e.printStackTrace(); } String result = null; try { HttpClient httpclient = new DefaultHttpClient(); //下面是重点 SSLSocketFactory socketFactory = new SSLSocketFactory(sslContext); Scheme sch = new Scheme("https", 800, socketFactory); httpclient.getConnectionManager().getSchemeRegistry().register(sch); HttpPost httpPost = null; httpPost = new HttpPost(queryUrl); // 创建名/值组列表 List<NameValuePair> parameters = new ArrayList<NameValuePair>(); parameters.add(new BasicNameValuePair("Name", "zhangsan")); parameters.add(new BasicNameValuePair("passWord", "123456")); // 创建UrlEncodedFormEntity对象 UrlEncodedFormEntity formEntiry = new UrlEncodedFormEntity(parameters); System.out.println("formEntity={}" + formEntiry); httpPost.setEntity(formEntiry); HttpResponse httpResponse = httpclient.execute(httpPost); in = new BufferedReader(new InputStreamReader(httpResponse.getEntity().getContent())); StringBuffer sb = new StringBuffer(""); String line = ""; String NL = System.getProperty("line.separator"); while ((line = in.readLine()) != null) { sb.append(line + NL); } in.close(); result = sb.toString(); result = URLDecoder.decode(result.toString(), "GBK"); System.out.println("result={}" + result); return result; } finally { if (in != null) { try { in.close(); } catch (Exception e) { e.printStackTrace(); } } } } }
【推荐】国内首个AI IDE,深度理解中文开发场景,立即下载体验Trae
【推荐】编程新体验,更懂你的AI,立即体验豆包MarsCode编程助手
【推荐】抖音旗下AI助手豆包,你的智能百科全书,全免费不限次数
【推荐】轻量又高性能的 SSH 工具 IShell:AI 加持,快人一步
· Manus重磅发布:全球首款通用AI代理技术深度解析与实战指南
· 被坑几百块钱后,我竟然真的恢复了删除的微信聊天记录!
· 没有Manus邀请码?试试免邀请码的MGX或者开源的OpenManus吧
· 园子的第一款AI主题卫衣上架——"HELLO! HOW CAN I ASSIST YOU TODAY
· 【自荐】一款简洁、开源的在线白板工具 Drawnix