需要提供給接口調(diào)用方一個(gè)用來加密的key归露,調(diào)用方根據(jù)key雕什、一些其他參數(shù)以及業(yè)務(wù)參數(shù)進(jìn)行加密裕照,還需要對報(bào)文進(jìn)行簽名,使用加密的參數(shù)請求接口在刺。
APIGateway接收到請求后進(jìn)行驗(yàn)簽逆害,再進(jìn)行解密头镊,得到參數(shù)后進(jìn)行處理。
處理完成需要按照跟請求接口一樣的方式將結(jié)果進(jìn)行加密加簽魄幕,然后將結(jié)果返回給調(diào)用方相艇,調(diào)用方按照同樣的方式進(jìn)行驗(yàn)簽解密拿到結(jié)果。
方案:摘要簽名纯陨、對稱加密
- kv參數(shù)排序坛芽,按照key自然排序,ASCII升序翼抠,并將參數(shù)值URLEncode一下靡馁。
- 在參數(shù)中加入兩個(gè)額外參數(shù)timestamp和nonce。timestamp表示請求發(fā)送時(shí)間机久,APIGateway可以對比當(dāng)前時(shí)間戳,來判斷請求是否正常赔嚎;nonce表示一個(gè)隨機(jī)數(shù)膘盖,也就是常說的鹽值,APIGateway可以通過一定時(shí)間段內(nèi)判斷nonce是否重復(fù)來判斷請求是否正常尤误。
- 使用給定的key侠畔,將參數(shù)進(jìn)行加密,使用AES或者DES等损晤。
- 再將所有參數(shù)進(jìn)行簽名软棺,MD5或者SHA1等
示例代碼:
public class CodecClient {
public static final String HMAC_SHA1 = "HmacSHA1";
public static final String AES = "AES";
public static final String AES_CBC = "AES/CBC/PKCS5Padding";
public static String encrypt(String key, String content) {
try {
SecretKeySpec secretKeySpec = new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), AES);
Cipher cipher = Cipher.getInstance(AES_CBC);
IvParameterSpec iv = new IvParameterSpec(new byte[16]);
cipher.init(Cipher.ENCRYPT_MODE, secretKeySpec, iv);
return bytesToHexString(cipher.doFinal(content.getBytes(StandardCharsets.UTF_8)));
} catch (NoSuchPaddingException | NoSuchAlgorithmException | InvalidKeyException | BadPaddingException | IllegalBlockSizeException | InvalidAlgorithmParameterException e) {
throw new RuntimeException("Encrypt data error!");
}
}
public static String decrypt(String key, String content) {
try {
SecretKeySpec secretKeySpec = new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), AES);
Cipher cipher = Cipher.getInstance(AES_CBC);
IvParameterSpec iv = new IvParameterSpec(new byte[16]);
cipher.init(Cipher.DECRYPT_MODE, secretKeySpec, iv);
return new String(cipher.doFinal(hexStringToBytes(content)));
} catch (NoSuchAlgorithmException | InvalidKeyException | InvalidAlgorithmParameterException | NoSuchPaddingException | BadPaddingException | IllegalBlockSizeException e) {
e.printStackTrace();
throw new RuntimeException("Decrypt data error!");
}
}
public static String sign(String key, String data, String nonce) {
try {
SecretKeySpec secretKeySpec = new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), HMAC_SHA1);
Mac mac = Mac.getInstance(HMAC_SHA1);
mac.init(secretKeySpec);
mac.update(data.getBytes(StandardCharsets.UTF_8));
return bytesToHexString(mac.doFinal(nonce.getBytes(StandardCharsets.UTF_8)));
} catch (NoSuchAlgorithmException | InvalidKeyException e) {
throw new RuntimeException("Sign error!");
}
}
private static String bytesToHexString(byte[] bytes) {
StringBuilder builder = new StringBuilder(bytes.length * 2);
for (byte data : bytes) {
builder.append(String.format("%02x", data & 0xff));
}
return builder.toString();
}
private static byte[] hexStringToBytes(String str) {
byte[] bytes = new byte[str.length() / 2];
for(int i = 0; i < str.length() / 2; i++) {
String subStr = str.substring(i * 2, i * 2 + 2);
bytes[i] = (byte) Integer.parseInt(subStr, 16);
}
return bytes;
}
public static void main(String[] args) throws UnsupportedEncodingException {
String key = "xxxhhhsshkjkkddd";
JSONObject jsonObject = new JSONObject();
jsonObject.put("id", 123);
jsonObject.put("name", "測試姓名");
jsonObject.put("alias", "tom");
String param = URLEncoder.encode(jsonObject.toJSONString(), "utf-8");
System.out.println("param: " + param);
int nonce = new SecureRandom().nextInt();
String data = String.format("apiCode=%s&data=%s&nonce=%d", "createUser#XDFFDDD", param, nonce);
System.out.println("data: " + data);
data = encrypt(key, data);
System.out.println("encrypt data: " + data);
String sign = sign(key, data, nonce + "");
System.out.println("sign: " + sign);
System.out.println("key: " + key);
String decryptData = decrypt(key, data);
System.out.println("DecryptData: " + decryptData);
}
}
源碼:https://github.com/dachengxi/APIGateway
原文鏈接:https://cxis.me/2020/04/08/APIGateway%E4%B8%AD%E5%8A%A0%E5%AF%86%E9%AA%8C%E7%AD%BE%E4%BB%8B%E7%BB%8D/
