国密与非国密
1.国密与非国密
什么是国密?
国密即国家密码局认定的国产密码算法。主要有SM1,SM2,SM3,SM4。具体可以参考https://zhuanlan.zhihu.com/p/132352160。
什么是非国密?
就是除了国密以外的算法,包括除国密算法以外的加密算法。
2.国密与非国密和http与https有什么关系?
使用国密算法需要依靠https进行通信。
使用非国密,如果使用了加密算法仍然要依靠https进行通信,没有加密算法可以使用http通信。
3.基于nginx搭建非国密https环境
3.1.下载并解压nginx
本文使用的版本是1.16.1,下载地址是http://nginx.org/download/nginx-1.16.1.tar.gz,下载后上传到服务器进行解压。
tar -zxvf nginx-1.16.1.tar.gz
3.2 携带ssl模块安装nginx
在解压目录下运行以下命令
./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module make make install
3.3 查看ssl是否安装成功
/usr/local/nginx/sbin/nginx -V
如果出现以下结果,则表明安装成功。
3.4启动nginx
cd /usr/local/nginx/sbin
./nginx
3.5配置ssl证书
本文把证书放在/root/notgm目录下
3.6修改nginx配置
修改/usr/local/nginx/conf/nginx.conf
在最后一个}之前填写以下信息,则表明将开启一个1445端口。
server { listen 1445 ssl; #listen 8888; server_name localhost; #limit_req zone=reqperip burst=20 nodelay; #limit_req zone=reqperserver burst=200 nodelay; #limit_conn connperip 20; #limit_conn connperserver 500; #ssl on; ssl_certificate /root/notgm/server.crt; ssl_certificate_key /root/notgm/server.key; ssl_client_certificate /root/notgm/ca.crt; ssl_verify_client on; ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"; location / { # default_type application/json; # return 200 '{"code":200}'; proxy_pass http://192.168.110.27:8089/; } location ~ .*\.(json)$ { default_type application/json; return 200 '{"code":200}'; } }
3.7 加载nginx.conf
./nginx -s reload
4.验证https通信
https://blog.csdn.net/qq_36313856/article/details/111407772
1、对客户端证书和私钥进行打包处理(需要输入密码,之后在代码中需要用到该密码)
openssl pkcs12 -export -in server.crt -inkey server.key -out client.p12
2、.p12文件转化成JKS格式
keytool -importkeystore -srckeystore client.p12 -srcstoretype pkcs12 -destkeystore client.jks -deststoretype JKS
3、CA根证书转成JKS格式(需要输入密码,之后在代码中需要用到该密码)
keytool -import -noprompt -file ca.crt -keystore ca.jks -storepass 123456
将ca.jks和client.jks放到/usr/local/qwzy/jcqcomponent/
package learn.https;
import com.alibaba.fastjson.JSONObject;
import lombok.extern.slf4j.Slf4j;
import org.apache.http.HttpStatus;
import javax.net.ssl.*;
import java.io.*;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
@Slf4j
public class HttpsUtil {
//CA根证书文件路径
private String caPath="C:\\Users\\anny\\Desktop\\ca.jks";
//CA根证书生成密码
private String caPassword="123456";
//客户端证书文件名
private String clientCertPath="C:\\Users\\anny\\Desktop\\client.jks";
//客户端证书生成密码
private String clientCertPassword="123456";
private SSLSocketFactory sslFactory;
public static void main(String[] args) throws Exception {
HttpsUtil util=new HttpsUtil();
JSONObject jsonParam = new JSONObject();
jsonParam.put("code", 0);
jsonParam.put("detail", "detail");
jsonParam.put("audit_time", "2020-11-10");
util.httpsPost("https://192.168.124.244:20443/V1/jcc/reg_rs",jsonParam.toJSONString());
}
//https POST请求返回结果和结果码
public Map httpsPost(String requestUrl, String xml) throws Exception {
Map map=new HashMap<>();
OutputStreamWriter wr=null;
HttpURLConnection conn=null;
try {
URL url = new URL(requestUrl);
//start 这一段代码必须加在open之前,即支持ip访问的关键代码
HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
@Override
public boolean verify(String s, SSLSession sslSession) {
return true;
}
});
//end
byte[] xmlBytes = xml.getBytes();
conn = (HttpsURLConnection) url.openConnection();
conn.setDoOutput(true);
conn.setDoInput(true);
conn.setUseCaches(false);
conn.setInstanceFollowRedirects(true);
conn.setRequestMethod("POST");
//根据自己项目需求设置Content-Type
conn.setRequestProperty("Content-Type", "application/xml;charset=UTF-8");
conn.setRequestProperty("Content-Length", String.valueOf(xmlBytes.length));
conn.setRequestProperty("Content-Type", "application/xml;charset=UTF-8");
conn.setRequestProperty("Content-Length", String.valueOf(xmlBytes.length));
conn.setRequestProperty("Src-Node", "204300010001");
conn.setRequestProperty("Dst-Node", "180206020029");
conn.setRequestProperty("Source-Type", "DIRECTOR_AUDIT");
conn.setRequestProperty("BusinessData-Type", "DIRECTOR_AUDIT_RESULT");
conn.setRequestProperty("Content-Type", "application/json");
((HttpsURLConnection) conn).setSSLSocketFactory(getSslFactory());
wr = new OutputStreamWriter(conn.getOutputStream());
wr.write(xml);
wr.close();
conn.connect();
String responseBody = getResponseBodyAsString(conn);
int responseCode=getResponseCode(conn);
map.put("responseBody",responseBody);
map.put("responseCode",responseCode);
if (getResponseCode(conn) == 200) {
System.out.println("请求成功");
System.out.println(map.get("responseCode").getClass().getName());
} else {
System.out.println("请求失败");
}
System.out.println(responseBody);
conn.disconnect();
} catch (Exception e) {
log.error("HTTPS请求出现异常,请求参数为:"+xml);
e.printStackTrace();
throw e;
}finally {
try{
if(wr!=null){
wr.close();
}
if(conn!=null){
conn.disconnect();
}
}catch (Exception e){
}
}
return map;
}
public SSLSocketFactory getSslFactory() throws Exception {
if (sslFactory == null) {
SSLContext sslContext = SSLContext.getInstance("SSL");
TrustManager[] tm = {new MyX509TrustManager()};
KeyStore trustStore = KeyStore.getInstance("JKS");
//加载客户端证书
FileInputStream clientInputStream=new FileInputStream(clientCertPath);
trustStore.load(clientInputStream, clientCertPassword.toCharArray());
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
kmf.init(trustStore, clientCertPassword.toCharArray());
sslContext.init(kmf.getKeyManagers(), tm, new SecureRandom());
sslFactory = sslContext.getSocketFactory();
}
return sslFactory;
}
public int getResponseCode(HttpURLConnection connection) throws Exception {
return connection.getResponseCode();
}
public String getResponseBodyAsString(HttpURLConnection connection) throws Exception {
BufferedReader reader = null;
if (connection.getResponseCode() == 200) {
reader = new BufferedReader(new InputStreamReader(connection.getInputStream()));
} else {
reader = new BufferedReader(new InputStreamReader(connection.getErrorStream()));
}
StringBuffer buffer = new StringBuffer();
String line = null;
while ((line = reader.readLine()) != null) {
buffer.append(line);
}
reader.close();
return buffer.toString();
}
class MyX509TrustManager implements X509TrustManager {
private X509TrustManager sunJSSEX509TrustManager;
MyX509TrustManager() throws Exception {
KeyStore ks = KeyStore.getInstance("JKS");
//获取CA证书
FileInputStream caInputStream=new FileInputStream(caPath);
ks.load(caInputStream, caPassword.toCharArray());
TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509", "SunJSSE");
tmf.init(ks);
TrustManager tms[] = tmf.getTrustManagers();
for (int i = 0; i < tms.length; i++) {
if (tms[i] instanceof X509TrustManager) {
sunJSSEX509TrustManager = (X509TrustManager) tms[i];
return;
}
}
throw new Exception("Couldn't not initialize");
}
@Override
public void checkClientTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
try {
sunJSSEX509TrustManager.checkClientTrusted(x509Certificates, s);
} catch (Exception e) {
}
}
@Override
public void checkServerTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
try {
sunJSSEX509TrustManager.checkServerTrusted(x509Certificates, s);
} catch (Exception e) {
}
}
@Override
public X509Certificate[] getAcceptedIssuers() {
return sunJSSEX509TrustManager.getAcceptedIssuers();
}
}
}
4.2.2使用HttpClient方式
生成jks的方式和4.2.1一样
import java.io.BufferedReader; import java.io.FileInputStream; import java.io.InputStreamReader; import java.net.URLDecoder; import java.security.KeyStore; import java.util.ArrayList; import java.util.HashMap; import java.util.Iterator; import java.util.List; import java.util.Map; import javax.net.ssl.KeyManagerFactory; import javax.net.ssl.SSLContext; import javax.net.ssl.TrustManager; import javax.net.ssl.TrustManagerFactory; import org.apache.http.HttpResponse; import org.apache.http.NameValuePair; import org.apache.http.client.HttpClient; import org.apache.http.client.entity.UrlEncodedFormEntity; import org.apache.http.client.methods.HttpPost; import org.apache.http.conn.scheme.Scheme; import org.apache.http.conn.ssl.SSLSocketFactory; import org.apache.http.impl.client.DefaultHttpClient; import org.apache.http.message.BasicNameValuePair; public class TEst { public static void main(String[] args) throws Exception { String url = "https://192.168.110.235:1445/xxx"; TEst t = new TEst(); t.connect(url, ""); } public String connect(String queryUrl, String xml) throws Exception { BufferedReader in = null; String keyStore = "C:\\Users\\anny\\Desktop\\client.jks"; //证书的路径,pfx格式 String trustStore = "C:\\Users\\anny\\Desktop\\ca.jks";//密钥库文件,jks格式 String keyPass = "123456"; //pfx文件的密码 String trustPass = "123456"; //jks文件的密码 SSLContext sslContext = null; try { KeyStore ks = KeyStore.getInstance("jks"); // 加载pfx文件 ks.load(new FileInputStream(keyStore), keyPass.toCharArray()); KeyManagerFactory kmf = KeyManagerFactory.getInstance("sunx509"); kmf.init(ks, keyPass.toCharArray()); KeyStore ts = KeyStore.getInstance("jks"); //加载jks文件 ts.load(new FileInputStream(trustStore), trustPass.toCharArray()); TrustManager[] tm; TrustManagerFactory tmf = TrustManagerFactory.getInstance("sunx509"); tmf.init(ts); tm = tmf.getTrustManagers(); sslContext = SSLContext.getInstance("SSL"); //初始化 sslContext.init(kmf.getKeyManagers(), tm, null); } catch (Exception e) { e.printStackTrace(); } String result = null; try { HttpClient httpclient = new DefaultHttpClient(); //下面是重点 SSLSocketFactory socketFactory = new SSLSocketFactory(sslContext); Scheme sch = new Scheme("https", 800, socketFactory); httpclient.getConnectionManager().getSchemeRegistry().register(sch); HttpPost httpPost = null; httpPost = new HttpPost(queryUrl); // 创建名/值组列表 Listparameters = new ArrayList (); parameters.add(new BasicNameValuePair("Name", "zhangsan")); parameters.add(new BasicNameValuePair("passWord", "123456")); // 创建UrlEncodedFormEntity对象 UrlEncodedFormEntity formEntiry = new UrlEncodedFormEntity(parameters); System.out.println("formEntity={}" + formEntiry); httpPost.setEntity(formEntiry); HttpResponse httpResponse = httpclient.execute(httpPost); in = new BufferedReader(new InputStreamReader(httpResponse.getEntity().getContent())); StringBuffer sb = new StringBuffer(""); String line = ""; String NL = System.getProperty("line.separator"); while ((line = in.readLine()) != null) { sb.append(line + NL); } in.close(); result = sb.toString(); result = URLDecoder.decode(result.toString(), "GBK"); System.out.println("result={}" + result); return result; } finally { if (in != null) { try { in.close(); } catch (Exception e) { e.printStackTrace(); } } } } }