在不同服务器或系统之间进行交互时我们往往需要进行身份的认证,以满足安全上的防抵赖和防篡改。
要实现以上要求使用非对称加密算法是目前最理想的方案。
以下是具体的实现:
1. 生成RSA算法私钥和公钥对,用openssl(openssl的安装网上有很多资料,可以自行查看)
生成RSA私钥
openssl>genrsa -out rsa_private_key.pem 1024
生成RSA公钥
openssl>rsa -in rsa_private_key.pem -pubout -out rsa_public_key.pem
将RSA私钥转换成PKCS8格式
openssl>pkcs8 -topk8 -inform PEM -in rsa_private_key.pem -outform PEM -nocrypt
2. 私钥由请求方系统妥善保管,不能泄漏;公钥交由系统的响应方用于验证签名
3. 请求方使用私钥对发送的请求进行签名,具体的实现方法如下(JAVA)
import java.security.KeyFactory; import java.security.PrivateKey; import java.security.PublicKey; import java.security.Signature; import java.security.spec.PKCS8EncodedKeySpec; import java.security.spec.X509EncodedKeySpec; import org.apache.commons.codec.binary.Base64; public String sign(String data, String privateKey) { String result = ""; byte[] keyBytes = Base64.decodeBase64(privateKey); PKCS8EncodedKeySpec pkcs8KeySpec = new PKCS8EncodedKeySpec(keyBytes); try{ KeyFactory keyFactory = KeyFactory.getInstance(KEY_ALGORITHM); PrivateKey priKey = keyFactory.generatePrivate(pkcs8KeySpec); Signature signature = Signature.getInstance(SIGNATURE_ALGORITHM); signature.initSign(priKey); signature.update(data.getBytes()); result = (new Base64()).encodeAsString(signature.sign()); }catch(Exception ex){ throw new ServiceException(ex); } return result; }
4. 响应方的系统对请求数据验证签名
public boolean verify(String data, String publicKey, String sign) { boolean result; byte[] keyBytes = Base64.decodeBase64(publicKey); X509EncodedKeySpec keySpec = new X509EncodedKeySpec(keyBytes); KeyFactory keyFactory; try { keyFactory = KeyFactory.getInstance(KEY_ALGORITHM); PublicKey pubKey = keyFactory.generatePublic(keySpec); Signature signature = Signature.getInstance(SIGNATURE_ALGORITHM); signature.initVerify(pubKey); signature.update(data.getBytes()); result = signature.verify((new Base64()).decode(sign)); } catch (Exception ex) { throw new RuntimeException(ex); } return result; }
时间: 2024-12-14 04:21:06