1)RSA私鑰和公鑰生成步驟
步驟一,生成JKS文件ecouponNotificationRsa.jks,別名為:ecoupon_notification_key,期限20年,jks證書密碼123456,算法是RSA keytool -genkeypair -keyalg RSA -keysize 2048 -validity 7300 -dname "CN=disney, OU=disney, O=disney, L=shanghai, ST=shanghai, C=CN" -alias ecoupon_notification_key -keystore myRsa.jks -storepass 123456 步驟二,查看JKS證書信息 keytool -list -v -keystore ecouponNotificationRsa.jks -storepass 123456 步驟三,根據 jks 私鑰生成cer證書, cer證書密碼設置為 555666 keytool -export -alias my_service_key -keystore myRsa.jks -storepass 555666 -file myRsaPublicKey.cer 步驟四,根據 cer 證書生成公鑰,並將公鑰導入到客戶端秘鑰庫中(這一步是調用此service的對方app操作,需要借助第三步生成的cer證書) keytool -import -alias ecoupon_notification_rsa_public_key -file myRsaPublicKey.cer -keystore ecoupon_notification_rsa_public_key.jks -storepass 555666 步驟五,將第一步生成好的jks證書的絕對路徑地址配置到配置中心,例子如下
rsa.private.key.jks.path=/key/library/myRsa.jks
rsa.private.key.jks.password=123456
rsa.public.key.certificate.alias=my_service_key
rsa.public.key.certificate.password=555666
2)生成私鑰 bean 和 公鑰 bean,注入到 spring 容器
import java.io.FileInputStream; import java.io.IOException; import java.security.KeyStore; import java.security.KeyStoreException; import java.security.NoSuchAlgorithmException; import java.security.PrivateKey; import java.security.PublicKey; import java.security.UnrecoverableKeyException; import java.security.cert.CertificateException; @Slf4j @Configuration public class ConfigRsa { @Bean("keyStore") public KeyStore getKeyStore( @Value("${rsa.private.key.jks.path}") String privateKeyJksPath, @Value("${rsa.private.key.jks.password}") String privateKeyJksPassword ) throws KeyStoreException, IOException, CertificateException, NoSuchAlgorithmException { try (FileInputStream fis = new FileInputStream(privateKeyJksPath)) { KeyStore keyStore = KeyStore.getInstance("JKS"); keyStore.load(fis, privateKeyJksPassword.toCharArray()); return keyStore; } } @Bean("privateKey") public PrivateKey getPrivateKey( @Qualifier("keyStore") KeyStore keyStore, @Value("${rsa.public.key.certificate.alias}") String publicKeyCertificateAlias, @Value("${rsa.public.key.certificate.password}") String publicKeyCertificatePassword ) throws UnrecoverableKeyException, NoSuchAlgorithmException, KeyStoreException { return (PrivateKey) keyStore.getKey(publicKeyCertificateAlias, publicKeyCertificatePassword.toCharArray()); } @Bean("publicKey") public PublicKey getPublicKey( @Qualifier("keyStore") KeyStore keyStore, @Value("${rsa.public.key.certificate.alias}") String publicKeyCertificateAlias ) throws KeyStoreException { return keyStore.getCertificate(publicKeyCertificateAlias).getPublicKey(); } }
3)自定義 RsaUtil 類去簽名和驗簽
import lombok.extern.slf4j.Slf4j; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Qualifier; import org.springframework.stereotype.Component; import java.security.InvalidKeyException; import java.security.NoSuchAlgorithmException; import java.security.PrivateKey; import java.security.PublicKey; import java.security.Signature; import java.security.SignatureException; import java.util.Base64; @Slf4j @Component("rsaUtil") public class RsaUtil { private static final String ALGORITHM = "SHA256withRSA"; // sign type: RSA2, refer doc: https://opendocs.alipay.com/open/291/106115 @Autowired @Qualifier("privateKey") private PrivateKey privateKey; @Autowired @Qualifier("publicKey") private PublicKey publicKey; public String sign(String originalData) throws NoSuchAlgorithmException, InvalidKeyException, SignatureException { Signature signature = Signature.getInstance(ALGORITHM); signature.initSign(privateKey); signature.update(originalData.getBytes()); String signedData = java.util.Base64.getEncoder() .encodeToString(signature.sign()).replace("\r\n","").replace("\n",""); return signedData; } public boolean verify(String originalData, String signedData) throws NoSuchAlgorithmException, InvalidKeyException, SignatureException { Signature signature = Signature.getInstance(ALGORITHM); signature.initVerify(publicKey); signature.update(originalData.getBytes()); boolean isVerify = signature.verify(Base64.getDecoder().decode(signedData)); return isVerify; } }
end.