标签:String 和验 param openapi inParams import 非对称 new
背景
对外服务的接口为了安全起见,往往需要进行相应的安全处理:数据加密传输和身份认证。数据加密传输有对称加密和非对称加密两种,为了更加安全起见采用非对称加密比较好些,身份认证则采用数字签名可以实现。
程序流程
核心代码
客户端
package openapi.client.sdk;
import cn.hutool.core.util.CharsetUtil;
import cn.hutool.core.util.HexUtil;
import cn.hutool.core.util.StrUtil;
import cn.hutool.core.util.URLUtil;
import cn.hutool.crypto.SecureUtil;
import cn.hutool.crypto.SmUtil;
import cn.hutool.crypto.asymmetric.*;
import cn.hutool.http.HttpUtil;
import cn.hutool.json.JSONUtil;
import lombok.extern.slf4j.Slf4j;
import openapi.sdk.common.constant.Constant;
import openapi.sdk.common.model.AsymmetricCryEnum;
import openapi.sdk.common.model.BusinessException;
import openapi.sdk.common.model.InParams;
import openapi.sdk.common.model.OutParams;
import openapi.sdk.common.util.Base64Util;
import java.nio.charset.StandardCharsets;
import static openapi.sdk.common.util.Base64Util.bytesToBase64;
/**
* 对外开放api客户端
*
* @author wanghuidong
*/
@Slf4j
public class OpenApiClient {
private String baseUrl;
private String selfPrivateKey;
private String remotePublicKey;
private AsymmetricCryEnum asymmetricCryEnum;
private boolean retDecrypt;
/**
* 客户端系统的私钥
*
* @param baseUrl openapi基础路径
* @param selfPrivateKey 本系统私钥
* @param remotePublicKey 远程系统的公钥
* @param asymmetricCryEnum 非对称加密算法
* @param retDecrypt 返回值是否需要解密
*/
public OpenApiClient(String baseUrl, String selfPrivateKey, String remotePublicKey, AsymmetricCryEnum asymmetricCryEnum, boolean retDecrypt) {
this.baseUrl = baseUrl;
this.selfPrivateKey = selfPrivateKey;
this.remotePublicKey = remotePublicKey;
this.asymmetricCryEnum = asymmetricCryEnum;
this.retDecrypt = retDecrypt;
}
/**
* 调用openapi
*
* @param inParams 入参
* @return 返回值
*/
public OutParams callOpenApi(InParams inParams) {
//加密&加签
encryptAndSign(inParams);
//调用openapi 并 处理返回值
OutParams outParams = doCall(inParams);
return outParams;
}
/**
* 加密&加签
*
* @param inParams 入参
*/
private void encryptAndSign(InParams inParams) {
String body = inParams.getBody();
if (StrUtil.isNotBlank(body)) {
//加密
if (asymmetricCryEnum == AsymmetricCryEnum.RSA) {
RSA rsa = new RSA(null, remotePublicKey);
byte[] encrypt = rsa.encrypt(StrUtil.bytes(body, CharsetUtil.CHARSET_UTF_8), KeyType.PublicKey);
body = bytesToBase64(encrypt);
} else if (asymmetricCryEnum == AsymmetricCryEnum.SM2) {
SM2 sm2 = SmUtil.sm2(null, remotePublicKey);
body = sm2.encryptBcd(body, KeyType.PublicKey);
} else {
throw new BusinessException("不支持的非对称加密算法");
}
inParams.setBody(body);
//加签
String signedStr = null;
if (asymmetricCryEnum == AsymmetricCryEnum.RSA) {
Sign sign = SecureUtil.sign(SignAlgorithm.SHA256withRSA, selfPrivateKey, null);
//签名
byte[] data = body.getBytes(StandardCharsets.UTF_8);
byte[] signed = sign.sign(data);
signedStr = bytesToBase64(signed);
} else if (asymmetricCryEnum == AsymmetricCryEnum.SM2) {
SM2 sm2 = SmUtil.sm2(selfPrivateKey, null);
signedStr = sm2.signHex(HexUtil.encodeHexStr(body));
} else {
throw new BusinessException("不支持的非对称加密算法");
}
inParams.setSign(signedStr);
}
}
/**
* 调用远程openapi接口
*
* @param inParams 入参
* @return 结果
*/
private OutParams doCall(InParams inParams) {
String url = URLUtil.completeUrl(baseUrl, Constant.OPENAPI_PATH);
String body = JSONUtil.toJsonStr(inParams);
log.debug("调用openapi入参:" + inParams);
String ret = HttpUtil.post(url, body);
log.debug("调用openapi返回值:" + ret);
if (StrUtil.isBlank(ret)) {
throw new BusinessException("返回值为空");
}
OutParams outParams = JSONUtil.toBean(ret, OutParams.class);
if (OutParams.isSuccess(outParams)) {
log.debug("调用openapi成功");
//判断是否需要解密数据
if (retDecrypt) {
decryptData(outParams);
}
} else {
throw new BusinessException("调用openapi异常:" + outParams.getMessage());
}
return outParams;
}
/**
* 解密数据
*
* @param outParams 返回值
*/
private void decryptData(OutParams outParams) {
//解密
String decryptedData = null;
try {
if (asymmetricCryEnum == AsymmetricCryEnum.RSA) {
RSA rsa = new RSA(selfPrivateKey, null);
byte[] dataBytes = Base64Util.base64ToBytes(outParams.getData());
byte[] decrypt = rsa.decrypt(dataBytes, KeyType.PrivateKey);
decryptedData = new String(decrypt, StandardCharsets.UTF_8);
} else if (asymmetricCryEnum == AsymmetricCryEnum.SM2) {
SM2 sm2 = SmUtil.sm2(selfPrivateKey, null);
decryptedData = StrUtil.utf8Str(sm2.decryptFromBcd(outParams.getData(), KeyType.PrivateKey));
} else {
throw new BusinessException("不支持的非对称加密算法");
}
outParams.setData(decryptedData);
} catch (Exception ex) {
log.error("解密失败", ex);
throw new BusinessException("解密失败");
}
}
}
服务端
package openapi.server.sdk;
import cn.hutool.core.util.*;
import cn.hutool.crypto.SecureUtil;
import cn.hutool.crypto.SmUtil;
import cn.hutool.crypto.asymmetric.*;
import lombok.extern.slf4j.Slf4j;
import openapi.server.sdk.model.ApiHandler;
import openapi.server.sdk.model.OpenApi;
import openapi.server.sdk.model.OpenApiMethod;
import openapi.sdk.common.constant.Constant;
import openapi.sdk.common.model.AsymmetricCryEnum;
import openapi.sdk.common.model.BusinessException;
import openapi.sdk.common.model.InParams;
import openapi.sdk.common.model.OutParams;
import openapi.sdk.common.util.Base64Util;
import openapi.sdk.common.util.StrObjectConvert;
import openapi.server.sdk.config.OpenApiConfig;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationContext;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;
import javax.annotation.PostConstruct;
import java.lang.reflect.Method;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;
/**
* 对外开放api网关入口
* <p>
* 功能
* 1.负责对外开放接口(基于HTTP对外提供服务)
* 2.实现接口的参数与返回值的加解密(使用RSA或国密SM2实现非对称加解密)
* 3.实现接口的验签(服务端会校验客户端的签名,确保调用者身份以及数据不被篡改)
* <p>
*
* @author wanghuidong
*/
@Slf4j
@RestController
public class OpenApiGateway {
/**
* 定义api处理器映射
* key: api_method
* value: ApiHandler
*/
private Map<String, ApiHandler> handlerMap = new HashMap<>();
@Autowired
private ApplicationContext applicationContext;
@Autowired
private OpenApiConfig config;
/**
* 初始化
*/
@PostConstruct
public void init() {
//初始化所有的openapi处理器
Map<String, Object> beanMap = applicationContext.getBeansWithAnnotation(OpenApi.class);
for (Map.Entry<String, Object> entry : beanMap.entrySet()) {
Object bean = entry.getValue();
Class c = bean.getClass();
//获取开放api名称
OpenApi openApi = (OpenApi) c.getAnnotation(OpenApi.class);
String openApiName = openApi.value();
//遍历方法
Method[] methods = c.getDeclaredMethods();
if (ArrayUtil.isNotEmpty(methods)) {
for (Method method : methods) {
if (method.isAnnotationPresent(OpenApiMethod.class)) {
//获取开放api方法名称
OpenApiMethod openApiMethod = method.getAnnotation(OpenApiMethod.class);
String openApiMethodName = openApiMethod.value();
//获取方法参数
Class[] classes = method.getParameterTypes();
//保存处理器到Map中
String handlerKey = getHandlerKey(openApiName, openApiMethodName);
ApiHandler apiHandler = new ApiHandler();
apiHandler.setBean(bean);
apiHandler.setMethod(method);
apiHandler.setParamClasses(classes);
handlerMap.put(handlerKey, apiHandler);
}
}
}
}
}
/**
* 调用具体的方法
*
* @param inParams 入参
* @return 出参
*/
@PostMapping(Constant.OPENAPI_PATH)
public OutParams callMethod(@RequestBody InParams inParams) {
OutParams outParams = null;
try {
log.debug("接收到请求:" + inParams);
//获取openapi处理器
ApiHandler apiHandler = getApiHandler(inParams);
//获取方法参数
Object param = getParam(inParams, apiHandler);
//调用目标方法
return outParams = doCall(apiHandler, param, inParams);
} catch (BusinessException be) {
log.error(be.getMessage());
return outParams = OutParams.error(be.getMessage());
} catch (Exception ex) {
log.error("系统异常:", ex);
return outParams = OutParams.error("系统异常");
} finally {
outParams.setUuid(inParams.getUuid());
log.debug("调用完毕:" + outParams);
}
}
/**
* 获取openapi处理器
*
* @param inParams 入参
* @return openapi处理器
*/
private ApiHandler getApiHandler(InParams inParams) {
String handlerKey = getHandlerKey(inParams.getApi(), inParams.getMethod());
ApiHandler apiHandler = handlerMap.get(handlerKey);
if (apiHandler == null) {
throw new BusinessException("找不到指定的opeapi处理器");
}
return apiHandler;
}
/**
* 获取方法参数
*
* @param inParams 入参
* @param apiHandler openapi处理器
* @return 方法参数
*/
private Object getParam(InParams inParams, ApiHandler apiHandler) {
Object param = null;
if (StrUtil.isNotBlank(inParams.getBody())) {
//验签
boolean verify = false;
String callerPublicKey = config.getCallerPublicKey(inParams.getCallerId());
if (config.getAsymmetricCry() == AsymmetricCryEnum.RSA) {
Sign sign = SecureUtil.sign(SignAlgorithm.SHA256withRSA, null, callerPublicKey);
verify = sign.verify(inParams.getBody().getBytes(StandardCharsets.UTF_8), Base64Util.base64ToBytes(inParams.getSign()));
} else if (config.getAsymmetricCry() == AsymmetricCryEnum.SM2) {
SM2 sm2 = SmUtil.sm2(null, callerPublicKey);
verify = sm2.verifyHex(HexUtil.encodeHexStr(inParams.getBody()), inParams.getSign());
} else {
throw new BusinessException("不支持的非对称加密算法");
}
if (!verify) {
throw new BusinessException("验签失败");
}
//解密
String decryptedBody = null;
try {
String selfPrivateKey = config.getSelfPrivateKey();
if (config.getAsymmetricCry() == AsymmetricCryEnum.RSA) {
RSA rsa = new RSA(selfPrivateKey, null);
byte[] bodyBytes = Base64Util.base64ToBytes(inParams.getBody());
byte[] decrypt = rsa.decrypt(bodyBytes, KeyType.PrivateKey);
decryptedBody = new String(decrypt, StandardCharsets.UTF_8);
} else if (config.getAsymmetricCry() == AsymmetricCryEnum.SM2) {
SM2 sm2 = SmUtil.sm2(selfPrivateKey, null);
decryptedBody = StrUtil.utf8Str(sm2.decryptFromBcd(inParams.getBody(), KeyType.PrivateKey));
} else {
throw new BusinessException("不支持的非对称加密算法");
}
} catch (Exception ex) {
log.error("解密失败", ex);
throw new BusinessException("解密失败");
}
try {
//当前仅支持一个参数的方法
Class paramClass = apiHandler.getParamClasses()[0];
param = StrObjectConvert.strToObj(decryptedBody, paramClass);
} catch (Exception ex) {
log.error("入参转换异常", ex);
throw new BusinessException("入参转换异常");
}
}
return param;
}
/**
* 调用目标方法
*
* @param apiHandler openapi处理器
* @param param 方法参数
* @param inParams openapi入参
* @return 返回结果
*/
private OutParams doCall(ApiHandler apiHandler, Object param, InParams inParams) {
try {
Object ret = apiHandler.getMethod().invoke(apiHandler.getBean(), param);
String retStr = StrObjectConvert.objToStr(ret, ret.getClass());
//返回值需要加密
if (config.retEncrypt()) {
retStr = encryptRet(inParams, retStr);
}
return OutParams.success(retStr);
} catch (Exception ex) {
log.error("调用opeapi处理器异常", ex);
throw new BusinessException("调用opeapi处理器异常");
}
}
/**
* 加密返回值
*
* @param inParams openapi入参
* @param retStr 返回值
* @return 加密后的返回值
*/
private String encryptRet(InParams inParams, String retStr) {
try {
String callerPublicKey = config.getCallerPublicKey(inParams.getCallerId());
if (config.getAsymmetricCry() == AsymmetricCryEnum.RSA) {
RSA rsa = new RSA(null, callerPublicKey);
byte[] encrypt = rsa.encrypt(StrUtil.bytes(retStr, CharsetUtil.CHARSET_UTF_8), KeyType.PublicKey);
retStr = Base64Util.bytesToBase64(encrypt);
} else if (config.getAsymmetricCry() == AsymmetricCryEnum.SM2) {
SM2 sm2 = SmUtil.sm2(null, callerPublicKey);
retStr = sm2.encryptBcd(retStr, KeyType.PublicKey);
} else {
throw new BusinessException("不支持的非对称加密算法");
}
} catch (Exception ex) {
throw new BusinessException("返回值加密异常", ex);
}
return retStr;
}
/**
* 获取api处理器Map的key
*
* @param openApiName 开放api名称
* @param openApiMethodName 开放api方法名称
* @return 处理器Map的key
*/
private String getHandlerKey(String openApiName, String openApiMethodName) {
return openApiName + "_" + openApiMethodName;
}
}
项目完整源码
https://github.com/hdwang123/openapi
目前该项目已经发布jar包到maven中央仓库,大伙可以直接引入项目中进行快速开发。具体的maven依赖配置如下:
<!-- openapi服务端sdk -->
<dependency>
<groupId>io.github.hdwang123</groupId>
<artifactId>openapi-server-sdk</artifactId>
<version>1.0.0</version>
</dependency>
<!-- openapi客户端sdk -->
<dependency>
<groupId>io.github.hdwang123</groupId>
<artifactId>openapi-client-sdk</artifactId>
<version>1.0.0</version>
</dependency>
具体的使用见github。
标签:String,和验,param,openapi,inParams,import,非对称,new 来源: https://www.cnblogs.com/hdwang/p/16319481.html
本站声明: 1. iCode9 技术分享网(下文简称本站)提供的所有内容,仅供技术学习、探讨和分享; 2. 关于本站的所有留言、评论、转载及引用,纯属内容发起人的个人观点,与本站观点和立场无关; 3. 关于本站的所有言论和文字,纯属内容发起人的个人观点,与本站观点和立场无关; 4. 本站文章均是网友提供,不完全保证技术分享内容的完整性、准确性、时效性、风险性和版权归属;如您发现该文章侵犯了您的权益,可联系我们第一时间进行删除; 5. 本站为非盈利性的个人网站,所有内容不会用来进行牟利,也不会利用任何形式的广告来间接获益,纯粹是为了广大技术爱好者提供技术内容和技术思想的分享性交流网站。