1、方案1(jsencrypt加密 java解密 )
首先要了解到rsa加密后的byte數組類型需要base64加密才能變成String類型;解密的時候也是需要經過base64處理。同理,js這邊rsa加密也是一樣的,但是使用jsencrypt.js庫人就不需要了,因為庫里面會自動用base64處理。其次使用rsa處理的明文不能超過公鑰的長度,公鑰達到1024就屬於安全了,如果用2048會是解密的時間變長,所以就用1024。但是這樣就需要把所傳的參數分段處理,注意使用slice (js)方法。最后就是上代碼了。
//盡量長yidia var sRequestData = "在這樣雨雪交加的日子里,如果沒有什么緊要事,人們寧願一整天足不出戶。因此,縣城的大街小巷倒也比平時少了許多嘈雜。"; $(function () { $("#one").on("click", function() { $.post("http://192.168.102.136:8080/mxpp-web/servlet/user/getTokenServlet",{},function(result){ token = result.token; console.log(token); }); }); $("#two").on("click", function() { var encrypt = new JSEncrypt(); encrypt.setPublicKey(token); var arr=Array(); var arr1=Array(); var str = ""; var byteData = str2UTF8(sRequestData); if(byteData.length > 128) { var arr=Array(); var arr1=Array(); for(var i=0;i<sRequestData.length;i+=37){ //約定好的用37就算中文也不會超過長度 arr.push(sRequestData.slice(i,i+37)); //slice比substring更好 } console.log(arr); for(var i in arr){ arr1.push(encrypt.encrypt(arr[i])); console.log(arr[i]); } str=arr1.join(','); } else { str = encrypt.encrypt(sRequestData); } $.post("http://192.168.102.136:8080/mxpp-web/servlet/user/test",{jsonStr:str, token:token},function(result){ debugger; token = result.token; }); }); }); function str2UTF8(str){ var bytes = new Array(); var len,c; len = str.length; for(var i = 0; i < len; i++){ c = str.charCodeAt(i); if(c >= 0x010000 && c <= 0x10FFFF){ bytes.push(((c >> 18) & 0x07) | 0xF0); bytes.push(((c >> 12) & 0x3F) | 0x80); bytes.push(((c >> 6) & 0x3F) | 0x80); bytes.push((c & 0x3F) | 0x80); }else if(c >= 0x000800 && c <= 0x00FFFF){ bytes.push(((c >> 12) & 0x0F) | 0xE0); bytes.push(((c >> 6) & 0x3F) | 0x80); bytes.push((c & 0x3F) | 0x80); }else if(c >= 0x000080 && c <= 0x0007FF){ bytes.push(((c >> 6) & 0x1F) | 0xC0); bytes.push((c & 0x3F) | 0x80); }else{ bytes.push(c & 0xFF); } } return bytes; } </script> </html>
import java.io.ByteArrayOutputStream; import java.math.BigInteger; import java.security.Key; import java.security.KeyFactory; import java.security.KeyPair; import java.security.KeyPairGenerator; import java.security.PrivateKey; import java.security.Provider; import java.security.PublicKey; import java.security.SecureRandom; import java.security.interfaces.RSAPrivateKey; import java.security.interfaces.RSAPublicKey; import java.security.spec.PKCS8EncodedKeySpec; import java.security.spec.RSAPublicKeySpec; import java.security.spec.X509EncodedKeySpec; import java.util.HashMap; import java.util.Map; import javax.crypto.Cipher; import org.bouncycastle.jce.provider.BouncyCastleProvider; import sun.misc.BASE64Decoder; import sun.misc.BASE64Encoder; /** * rsa加密 * 此類主要針對於jsencrypt.js給明文加密,server端java解密 * @author liangjiawei * */ @SuppressWarnings("restriction") public class RSAUtil { public static final Provider provider = new BouncyCastleProvider(); private static final String PUBLIC_KEY = "RSAPublicKey"; private static final String PRIVATE_KEY = "RSAPrivateKey"; private static final String charSet = "UTF-8"; public static final String KEY_ALGORITHM = "RSA"; // 種子,改變后,生成的密鑰對會發生變化 //private static final String seedKey = "seedKey"; /** * RSA最大加密明文大小 */ private static final int MAX_ENCRYPT_BLOCK = 117; /** * RSA最大解密密文大小 */ private static final int MAX_DECRYPT_BLOCK = 128; /** * 生成密鑰對(公鑰和私鑰) * @return * @throws Exception */ public static synchronized Map<String, Object> generateKeyPair() throws Exception { KeyPairGenerator kpg = KeyPairGenerator.getInstance(KEY_ALGORITHM, provider); kpg.initialize(1024, new SecureRandom());//seedKey.getBytes() KeyPair keyPair = kpg.generateKeyPair(); RSAPublicKey publicKey = (RSAPublicKey) keyPair.getPublic(); RSAPrivateKey privateKey = (RSAPrivateKey) keyPair.getPrivate(); Map<String, Object> keyMap = new HashMap<String, Object>(2); keyMap.put(PUBLIC_KEY, publicKey); keyMap.put(PRIVATE_KEY, privateKey); return keyMap; } public static PublicKey getPublicRSAKey(String modulus, String exponent) throws Exception { RSAPublicKeySpec spec = new RSAPublicKeySpec( new BigInteger(modulus, 16), new BigInteger(exponent, 16)); KeyFactory kf = KeyFactory.getInstance(KEY_ALGORITHM, provider); return kf.generatePublic(spec); } /** * 獲取公鑰 * @param key base64加密后的公鑰 * @return * @throws Exception */ public static PublicKey getPublicRSAKey(String key) throws Exception { X509EncodedKeySpec x509 = new X509EncodedKeySpec(decryptBase64(key)); KeyFactory kf = KeyFactory.getInstance(KEY_ALGORITHM, provider); return kf.generatePublic(x509); } /** * 獲取私鑰 * @param key base64加密后的私鑰 * @return * @throws Exception */ public static PrivateKey getPrivateRSAKey(String key) throws Exception { PKCS8EncodedKeySpec pkgs8 = new PKCS8EncodedKeySpec(decryptBase64(key)); KeyFactory kf = KeyFactory.getInstance(KEY_ALGORITHM, provider); return kf.generatePrivate(pkgs8); } /** * 加密 * @param input 明文 * @param publicKey 公鑰 * @return * @throws Exception */ public static byte[] encrypt(String input, PublicKey publicKey) throws Exception { Cipher cipher = Cipher.getInstance("RSA/None/PKCS1Padding", provider); cipher.init(Cipher.ENCRYPT_MODE, publicKey); byte[] re = cipher.doFinal(input.getBytes(charSet)); return re; } /** * 解密 * @param encrypted * @param privateKey * @return * @throws Exception */ public static byte[] decrypt(byte[] encrypted, PrivateKey privateKey) throws Exception { Cipher cipher = Cipher.getInstance("RSA/None/PKCS1Padding", provider); cipher.init(Cipher.DECRYPT_MODE, privateKey); byte[] re = cipher.doFinal(encrypted); return re; } /** * base64加密 * @param key * @return * @throws Exception */ public static byte[] decryptBase64(String key) throws Exception { return (new BASE64Decoder()).decodeBuffer(key); } /** * base64解密 * @param key * @return * @throws Exception */ public static String encryptBase64(byte[] key) throws Exception { return (new BASE64Encoder()).encodeBuffer(key); } public static String getPrivateKey(Map<String, Object> keyMap) throws Exception { Key key = (Key) keyMap.get(PRIVATE_KEY); return encryptBase64(key.getEncoded()); } public static String getPublicKey(Map<String, Object> keyMap) throws Exception { Key key = (Key) keyMap.get(PUBLIC_KEY); return encryptBase64(key.getEncoded()); } /** * 分段解密 * @param jsonEncryptStr 密文 格式 base64(rsa(明文)),base64(rsa(明文)),base64(rsa(明文)) * @param privateKey base64加密后的秘鑰 * @return * @throws Exception */ public static String segmentdecrypt(String jsonEncryptStr, String privateKey) throws Exception { String jsonStr = ""; String[] str = jsonEncryptStr.split(","); if(str !=null && str.length > 0) { int inputLen = str.length; ByteArrayOutputStream out = new ByteArrayOutputStream(); byte[] cache; int i = 0; // 對數據分段解密 while (inputLen - 1 >= 0) { byte[] bt = RSAUtil.decryptBase64(str[i]); cache = RSAUtil.decrypt(bt, RSAUtil.getPrivateRSAKey(privateKey)); out.write(cache, 0, cache.length); i++; inputLen--; } byte[] decryptedData = out.toByteArray(); out.close(); jsonStr = new String(decryptedData); } return jsonStr; } }
//生成公鑰私鑰 try { Map<String, Object> map = RSAUtil.generateKeyPair(); String publicKey = RSAUtil.getPublicKey(map); String privateKey = RSAUtil.getPrivateKey(map); ICacheClient client = WebContextHolder.getCacheClient(); client.set(publicKey, privateKey); comRes.setRetCode(GetTokenRes.OPT_RESULT_SUCCESS); comRes.setToken(publicKey); } catch (Exception e) { log.error(DataTypeConstant.MOD_CODE_SUBTYPE16, "getTokenServlet", "用戶生成公鑰接口異常.", e); comRes.setErrMsg("用戶TOKEN生成失敗!"); } String jsonResult = JSON.toJSONString(comRes, SerializerFeature.WriteMapNullValue, SerializerFeature.WriteNullStringAsEmpty, SerializerFeature.WriteNullNumberAsZero); return writeAjaxResponse(jsonResult);
ICacheClient client = WebContextHolder.getCacheClient(); String privateKey = client.get(token); jsonStr = RSAUtil.segmentdecrypt(jsonEncryptStr, privateKey);
有用回復:
1、我在使用的時候中文參數解碼后會出現亂碼問題,在RSAUtil中改成 jsonStr = new String(decryptedData,"utf-8")就可以了
2、要注意一點js的rsa和java 生產的rsa不一定對接的上
2、方案2(node-forge加密 java解密)
前端(JavaScript/TypeScript)加密實踐
前端進行RSA加密的第三方庫采用 node-forge 庫
import * as forge from 'node-forge'; // publicKey需要先通過http從后台獲取,后台可以寫一些geKey接口供前端調用 const pki = forge.pki; // 規定格式:publicKey之前需要加'-----BEGIN PUBLIC KEY-----\n',之后需要加'\n-----END PUBLIC KEY-----' const publicK = pki.publicKeyFromPem('-----BEGIN PUBLIC KEY-----\n' + publicKey + '\n-----END PUBLIC KEY-----'); // forge通過公鑰加密后一般會是亂碼格式,可進行base64編碼操作再進行傳輸,相應的,后台獲取到密文的密碼后需要先進行base64解碼操作再進行解密 const passwordCrypto = forge.util.encode64(publicK.encrypt(password)); // ... 后面就是進行常規的發送登錄請求,不同的是,也需要將publicKey作為一個參數傳輸到后台,后台需要以此找到對應的私鑰
后端(Java)解密實踐
網上后端解密的代碼很多,但質量無法確保,正好我使用的 Hutool 這個Java的工具庫,其中包含了非對稱加密的工具,可以直接使用
/** * 獲取秘鑰-RSA * @return */ @RequestMapping(value = "/getKey",method = RequestMethod.POST) @ResponseBody public Result<String> getKeyOfRSA() { Result<String> result = new Result<>(); RSA rsa = new RSA(); String privateKeyBase64 = rsa.getPrivateKeyBase64(); String publicKeyBase64 = rsa.getPublicKeyBase64(); // 使用當前用戶的session進行保存公鑰私鑰對 Subject currentUser = SecurityUtils.getSubject(); Session session = currentUser.getSession(); session.setAttribute(publicKeyBase64, privateKeyBase64); return result.successWithData(publicKeyBase64); } /** * 解密password * @param password * @param publicKey * @return * @throws Exception */ private String checkPassword(String password, String publicKey, String algorithm) throws Exception { Subject currentUser = SecurityUtils.getSubject(); Session session = currentUser.getSession(); // publicKey需要前端返回 String privateKey = (String) session.getAttribute(publicKey); if(privateKey ==null){ log.error("session中私鑰失效.publickey={},password={}",publicKey,password); return null; } // 獲取到私鑰之后,需要將session中的該公鑰私鑰對信息移除 session.removeAttribute(publicKey); // 構建,當只用私鑰進行構造對象時,只允許使用該私鑰進行加密和解密操作,本文只需要進行私鑰解密,故只使用私鑰構造對象 RSA rsa = new RSA(privateKey, null); // 密碼的密文先進行base64解碼,之后再進行解密 byte[] decrypt = rsa.decrypt(Base64.decode(password), KeyType.PrivateKey); String decryptStr = StrUtil.str(decrypt, CharsetUtil.CHARSET_UTF_8); return decryptStr; }
參考:https://blog.csdn.net/u010457492/article/details/78331549
https://blog.csdn.net/adai_study/article/details/103496795