一、数据加密概述
数据加密是保护数据安全的重要手段：
*加密场景：
- 传输加密（HTTPS）
- 存储加密（敏感数据）
- 密钥管理
二、传输加密
1. HTTPS配置
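/**
 * Registers an additional Tomcat connector on port 8443 intended for HTTPS.
 *
 * <p>The original listing also built a keystore descriptor ({@code SSL}) holding a
 * hard-coded password that was never attached to the factory or the connector; that dead
 * code (and the embedded secret) has been removed. The connector created here still needs
 * its TLS settings supplied from externalised configuration: the Spring-managed connector
 * takes them from {@code server.ssl.*}, an additional connector from Tomcat connector
 * attributes such as {@code SSLEnabled}, {@code keystoreFile} and {@code keystorePass}
 * — TODO confirm against the Tomcat version in use.
 */
@Configuration
public class SSLConfig {

    /**
     * Builds the embedded Tomcat factory with one extra HTTPS connector on 8443.
     *
     * @return the factory Spring Boot uses to create the embedded server
     */
    @Bean
    public TomcatServletWebServerFactory servletContainer() {
        TomcatServletWebServerFactory tomcat = new TomcatServletWebServerFactory();
        tomcat.setProtocol("org.apache.coyote.http11.Http11NioProtocol");

        Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
        connector.setScheme("https");
        connector.setSecure(true);
        connector.setPort(8443);
        connector.setProperty("sslProtocol", "TLS");
        // NOTE(review): scheme/secure only label the connector; without SSLEnabled and a
        // keystore it does not terminate TLS. Never put the keystore password in source.
        tomcat.addAdditionalTomcatConnectors(connector);
        return tomcat;
    }
}

2. 证书配置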
# application.yml
server:
  ssl:
    enabled: true
    key-store: classpath:keystore.p12
    # Keep the real password out of version control (environment variable / secret store).
    key-store-password: password
    key-store-type: PKCS12
    key-alias: mycert

三、对称加密
1. AES加密
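/**
 * Symmetric encryption of strings with AES-GCM.
 *
 * <p>The original used {@code AES/ECB/PKCS5Padding}. ECB encrypts identical blocks to
 * identical ciphertext (leaking structure) and gives no integrity protection, so this
 * version uses AES/GCM with a fresh random 96-bit IV per message. The IV is prepended to
 * the ciphertext before Base64 encoding, so {@link #decrypt} needs nothing beyond the
 * stored value. Values produced by the earlier ECB version cannot be decrypted here.
 *
 * <p>The key comes from {@code encryption.aes.key}; its UTF-8 byte length must be
 * 16, 24 or 32 (AES-128/192/256), otherwise {@code Cipher.init} rejects it.
 */
@Service
public class AESEncryptionService {

    private static final String ALGORITHM = "AES";
    // GCM instead of the original ECB: per-message IV plus an authentication tag.
    private static final String TRANSFORMATION = "AES/GCM/NoPadding";
    private static final int IV_LENGTH_BYTES = 12;   // 96-bit IV, the GCM recommendation
    private static final int TAG_LENGTH_BITS = 128;
    private static final SecureRandom RANDOM = new SecureRandom();

    @Value("${encryption.aes.key}")
    private String secretKey;

    /**
     * Encrypts {@code plaintext}.
     *
     * @param plaintext text to encrypt; encoded as UTF-8
     * @return Base64 of {@code iv || ciphertext || tag}
     * @throws RuntimeException wrapping the underlying {@link GeneralSecurityException}
     */
    public String encrypt(String plaintext) {
        try {
            byte[] iv = new byte[IV_LENGTH_BYTES];
            RANDOM.nextBytes(iv);
            Cipher cipher = Cipher.getInstance(TRANSFORMATION);
            cipher.init(Cipher.ENCRYPT_MODE, keySpec(), new GCMParameterSpec(TAG_LENGTH_BITS, iv));
            byte[] encrypted = cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
            byte[] out = new byte[iv.length + encrypted.length];
            System.arraycopy(iv, 0, out, 0, iv.length);
            System.arraycopy(encrypted, 0, out, iv.length, encrypted.length);
            return Base64.getEncoder().encodeToString(out);
        } catch (GeneralSecurityException e) {
            throw new RuntimeException("加密失败", e);
        }
    }

    /**
     * Decrypts a value produced by {@link #encrypt}.
     *
     * @param ciphertext Base64 of {@code iv || ciphertext || tag}
     * @return the original text
     * @throws RuntimeException if the input is not valid Base64, is too short, or fails
     *         the GCM tag check (tampered or wrong key)
     */
    public String decrypt(String ciphertext) {
        try {
            byte[] in = Base64.getDecoder().decode(ciphertext);
            if (in.length < IV_LENGTH_BYTES) {
                throw new IllegalArgumentException("ciphertext shorter than the IV");
            }
            Cipher cipher = Cipher.getInstance(TRANSFORMATION);
            cipher.init(Cipher.DECRYPT_MODE, keySpec(),
                    new GCMParameterSpec(TAG_LENGTH_BITS, in, 0, IV_LENGTH_BYTES));
            // doFinal verifies the tag; a tampered message ends in AEADBadTagException.
            byte[] decrypted = cipher.doFinal(in, IV_LENGTH_BYTES, in.length - IV_LENGTH_BYTES);
            return new String(decrypted, StandardCharsets.UTF_8);
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            throw new RuntimeException("解密失败", e);
        }
    }

    /** Builds the AES key from the configured string (UTF-8 bytes). */
    private SecretKeySpec keySpec() {
        return new SecretKeySpec(secretKey.getBytes(StandardCharsets.UTF_8), ALGORITHM);
    }
}

2. 字段加密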
/**
 * JPA attribute converter that stores {@code String} columns encrypted at rest.
 *
 * <p>Null or empty values pass through unchanged in both directions; every other value
 * is routed through {@link AESEncryptionService}. Whether the persistence provider lets
 * Spring inject into a converter depends on its bean-container integration — TODO confirm.
 */
@Component
public class FieldEncryptionConverter implements AttributeConverter<String, String> {

    @Autowired
    private AESEncryptionService encryptionService;

    /** Encrypts a non-empty entity value before it is written to the column. */
    @Override
    public String convertToDatabaseColumn(String attribute) {
        if (StringUtils.isEmpty(attribute)) {
            return attribute;
        }
        return encryptionService.encrypt(attribute);
    }

    /** Decrypts a non-empty column value when it is loaded into the entity. */
    @Override
    public String convertToEntityAttribute(String dbData) {
        if (StringUtils.isEmpty(dbData)) {
            return dbData;
        }
        return encryptionService.decrypt(dbData);
    }
}

四、非对称加密
1. RSA加密
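/**
 * RSA key generation and small-payload encryption.
 *
 * <p>The original called {@code Cipher.getInstance("RSA")}, which the default providers
 * resolve to PKCS#1 v1.5 padding; this version requests OAEP with SHA-256 explicitly and
 * fixes the text encoding to UTF-8. NOTE(review): the JDK's default provider pairs this
 * transformation with MGF1-SHA1; pass an {@code OAEPParameterSpec} if the other side of
 * the exchange expects MGF1-SHA256.
 *
 * <p>RSA can only encrypt a payload smaller than the modulus minus padding overhead
 * (190 bytes for 2048-bit keys with SHA-256 OAEP); larger data should be encrypted with a
 * symmetric key that RSA then wraps.
 */
@Service
public class RSAEncryptionService {

    private static final int KEY_SIZE_BITS = 2048;
    private static final String TRANSFORMATION = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    /**
     * Generates a fresh 2048-bit RSA key pair.
     *
     * @return the new key pair
     * @throws NoSuchAlgorithmException if no provider offers RSA
     */
    public KeyPair generateKeyPair() throws NoSuchAlgorithmException {
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        generator.initialize(KEY_SIZE_BITS);
        return generator.generateKeyPair();
    }

    /**
     * Encrypts {@code plaintext} for the holder of {@code publicKey}.
     *
     * @param plaintext text to encrypt; encoded as UTF-8; must fit the OAEP size limit
     * @param publicKey recipient's RSA public key
     * @return Base64 ciphertext
     * @throws GeneralSecurityException on provider, key or size errors
     */
    public String encrypt(String plaintext, PublicKey publicKey) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.ENCRYPT_MODE, publicKey);
        byte[] encrypted = cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(encrypted);
    }

    /**
     * Decrypts a value produced by {@link #encrypt}.
     *
     * @param ciphertext Base64 ciphertext
     * @param privateKey RSA private key matching the public key used to encrypt
     * @return the original text
     * @throws GeneralSecurityException if the key does not match or the data is corrupt
     * @throws IllegalArgumentException if {@code ciphertext} is not valid Base64
     */
    public String decrypt(String ciphertext, PrivateKey privateKey) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.DECRYPT_MODE, privateKey);
        byte[] decrypted = cipher.doFinal(Base64.getDecoder().decode(ciphertext));
        return new String(decrypted, StandardCharsets.UTF_8);
    }
}

2. 数字签名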
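/**
 * Detached SHA256withRSA signatures over strings, Base64-encoded.
 *
 * <p>Fixes to the original: text is encoded as UTF-8 instead of the platform charset
 * (a signature made on one machine could otherwise fail to verify on another), the
 * declared exception is narrowed from {@code Exception}, and {@link #verify} answers
 * {@code false} for malformed input instead of throwing.
 */
@Service
public class SignatureService {

    private static final String ALGORITHM = "SHA256withRSA";

    /**
     * Signs {@code data} with {@code privateKey}.
     *
     * @param data text to sign; encoded as UTF-8
     * @param privateKey RSA private key
     * @return Base64 of the signature bytes
     * @throws GeneralSecurityException on provider or key errors
     */
    public String sign(String data, PrivateKey privateKey) throws GeneralSecurityException {
        Signature signature = Signature.getInstance(ALGORITHM);
        signature.initSign(privateKey);
        signature.update(data.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(signature.sign());
    }

    /**
     * Checks that {@code signatureStr} is a valid signature of {@code data}.
     *
     * @param data text that was signed; encoded as UTF-8
     * @param signatureStr Base64 signature from {@link #sign}
     * @param publicKey RSA public key matching the signing key
     * @return {@code true} only for a well-formed, matching signature; malformed Base64 or
     *         a mis-encoded signature yields {@code false}
     * @throws GeneralSecurityException on provider errors or an unusable key
     */
    public boolean verify(String data, String signatureStr, PublicKey publicKey) throws GeneralSecurityException {
        byte[] signatureBytes;
        try {
            signatureBytes = Base64.getDecoder().decode(signatureStr);
        } catch (IllegalArgumentException e) {
            return false;   // not Base64 at all: treat as "no valid signature", not a caller error
        }
        Signature signature = Signature.getInstance(ALGORITHM);
        signature.initVerify(publicKey);
        signature.update(data.getBytes(StandardCharsets.UTF_8));
        try {
            return signature.verify(signatureBytes);
        } catch (SignatureException e) {
            return false;   // wrong length / encoding of the signature bytes
        }
    }
}

五、哈希加密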
1. 密码哈希
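/**
 * Password hashing and verification with bcrypt.
 *
 * <p>The original called {@code BCryptPasswordEncoder.encode(password)} as if it were
 * static, which does not compile ({@code encode} is an instance method). One encoder
 * instance is now shared by both operations; {@code matches} re-derives the hash with the
 * salt and cost stored inside {@code hashedPassword}.
 */
@Service
public class PasswordHashService {

    private final BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();

    /**
     * Hashes a plaintext password with a fresh random salt.
     *
     * @param password plaintext password
     * @return bcrypt hash string (salt and cost factor embedded)
     */
    public String hashPassword(String password) {
        return encoder.encode(password);
    }

    /**
     * Checks a plaintext password against a stored bcrypt hash.
     *
     * @param password plaintext candidate
     * @param hashedPassword value previously returned by {@link #hashPassword}
     * @return {@code true} if the password matches
     */
    public boolean verifyPassword(String password, String hashedPassword) {
        return encoder.matches(password, hashedPassword);
    }
}

2. 数据完整性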
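/**
 * Digests and HMAC over strings, using only the JDK.
 *
 * <p>Replaces the commons-codec {@code DigestUtils} calls with {@link MessageDigest}
 * (same lowercase-hex output), encodes text as UTF-8 instead of the platform charset, and
 * narrows the catch-all in {@link #hmacSha256}. {@link #md5} is kept for compatibility
 * only; MD5 is not collision-resistant, so it must not be relied on for integrity of
 * attacker-influenced data — prefer {@link #sha256} or, with a key, {@link #hmacSha256}.
 */
@Service
public class HashService {

    private static final String HMAC_ALGORITHM = "HmacSHA256";

    /**
     * MD5 of {@code data}, lowercase hex. Legacy only; see the class note.
     *
     * @param data text to digest; encoded as UTF-8
     * @return 32 hex characters
     */
    public String md5(String data) {
        return hex(digest("MD5", data));
    }

    /**
     * SHA-256 of {@code data}, lowercase hex.
     *
     * @param data text to digest; encoded as UTF-8
     * @return 64 hex characters
     */
    public String sha256(String data) {
        return hex(digest("SHA-256", data));
    }

    /**
     * HMAC-SHA256 of {@code data} under {@code key}, Base64-encoded.
     *
     * @param data text to authenticate; encoded as UTF-8
     * @param key secret key; its UTF-8 bytes are used directly
     * @return Base64 of the 32-byte MAC
     * @throws IllegalStateException if the algorithm is unavailable or the key is rejected
     * @throws IllegalArgumentException if {@code key} is empty
     */
    public String hmacSha256(String data, String key) {
        try {
            Mac mac = Mac.getInstance(HMAC_ALGORITHM);
            mac.init(new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), HMAC_ALGORITHM));
            byte[] hmac = mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(hmac);
        } catch (NoSuchAlgorithmException | InvalidKeyException e) {
            throw new IllegalStateException("HmacSHA256 unavailable or key rejected", e);
        }
    }

    /** Digests the UTF-8 bytes of {@code data} with the named algorithm. */
    private static byte[] digest(String algorithm, String data) {
        try {
            return MessageDigest.getInstance(algorithm).digest(data.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(algorithm + " digest is not available", e);
        }
    }

    /** Lowercase hex encoding, two characters per byte. */
    private static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(Character.forDigit((b >> 4) & 0xF, 16));
            sb.append(Character.forDigit(b & 0xF, 16));
        }
        return sb.toString();
    }
}

六、密钥管理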
1. 密钥轮换
/**
 * Sketch of a key-rotation flow; illustrative pseudo-code rather than a runnable service.
 *
 * <p>{@code rsaService} and {@code keyStore} are used but never declared in this listing,
 * {@code encryptedKeys} is created and never filled, and {@code currentVersion} is a
 * {@code @Value}-injected field that is only incremented in memory (nothing writes the new
 * version back to configuration). Read the numbered steps as the intended sequence only.
 */
@Service
public class KeyRotationService {

    // Version of the key currently in use, read from configuration at startup.
    @Value("${encryption.key.version}")
    private int currentVersion;

    /**
     * Rotates to a new key pair: generate, re-wrap existing material, persist, bump version.
     *
     * @throws Exception propagated from key generation or storage (the listing does not narrow it)
     */
    public void rotateKey() throws Exception {
        // 1. Generate the new key pair.
        KeyPair newKeyPair = rsaService.generateKeyPair();
        // 2. Re-encrypt data protected by the old key.
        Map<Integer, String> encryptedKeys = new HashMap<>();
        // ... encrypt the old key with the new key (not shown)
        // 3. Persist the new key pair under the next version number.
        keyStore.store(newKeyPair, currentVersion + 1);
        // 4. Advance the in-memory version counter.
        currentVersion++;
    }
}

2. 密钥托管
/**
 * Wires an AWS Systems Manager client built from the SDK's default credential and
 * region chain.
 */
@Configuration
public class KMSConfig {

    /** The SSM client used to read parameters. */
    @Bean
    public AWSSimpleSystemsManagement awsSSM() {
        return AWSSimpleSystemsManagementClientBuilder.defaultClient();
    }
}

/**
 * Fetches key material stored as an SSM parameter. Despite the class name this listing
 * talks to Parameter Store, not the KMS API; {@code withDecryption=true} asks SSM to
 * return the parameter value already decrypted.
 */
@Service
public class KMSKeyService {

    @Autowired
    private AWSSimpleSystemsManagement awsSSM;

    /**
     * Reads the decrypted value of the parameter named {@code keyId}.
     *
     * @param keyId SSM parameter name holding the key
     * @return the parameter's plaintext value
     */
    public String getKey(String keyId) {
        GetParameterRequest request = new GetParameterRequest();
        request.setName(keyId);
        request.setWithDecryption(true);
        GetParameterResult result = awsSSM.getParameter(request);
        return result.getParameter().getValue();
    }
}

七、敏感数据保护
1. 字段脱敏
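/**
 * Masks personal identifiers for display and logging.
 *
 * <p>The original {@code substring} arithmetic threw
 * {@code StringIndexOutOfBoundsException} for values shorter than the assumed length
 * (7 for phones, 14 for ID numbers). Such values are now masked completely — failing
 * towards hiding data rather than leaking it or crashing the caller. Values at or above
 * the threshold are masked exactly as before.
 */
@Component
public class SensitiveDataFilter {

    /**
     * Keeps the first three and everything from the eighth character, e.g. an 11-digit
     * mobile number becomes {@code 138****5678}.
     *
     * @param phone phone number, may be {@code null}
     * @return masked value, {@code null} for {@code null}, fully masked if shorter than 7
     */
    @SensitiveField(type = MaskingType.PHONE)
    public String maskPhone(String phone) {
        if (phone == null) return null;
        if (phone.length() < 7) return maskAll(phone);
        return phone.substring(0, 3) + "****" + phone.substring(7);
    }

    /**
     * Keeps the first six and everything from the fifteenth character, e.g. an 18-digit
     * ID number becomes {@code 110101********1234}.
     *
     * @param idCard ID number, may be {@code null}
     * @return masked value, {@code null} for {@code null}, fully masked if shorter than 14
     */
    @SensitiveField(type = MaskingType.ID_CARD)
    public String maskIdCard(String idCard) {
        if (idCard == null) return null;
        if (idCard.length() < 14) return maskAll(idCard);
        return idCard.substring(0, 6) + "********" + idCard.substring(14);
    }

    /** Replaces every character with {@code *}; used for inputs of unexpected length. */
    private static String maskAll(String value) {
        StringBuilder masked = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            masked.append('*');
        }
        return masked.toString();
    }
}

2. 全链路加密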
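/**
 * Hybrid (envelope) encryption example: a fresh AES key per message, wrapped with the
 * recipient's RSA public key.
 *
 * <p>Changes from the original listing: AES runs in GCM mode with a random IV (the bare
 * {@code "AES"} transformation resolved to ECB), RSA uses OAEP instead of the
 * provider-default PKCS#1 v1.5 padding, text is encoded as UTF-8, and the previously
 * undefined {@code getPublicKey} helper is provided here. It expects the Base64 of an X.509
 * {@code SubjectPublicKeyInfo} — what {@code PublicKey.getEncoded()} yields — TODO confirm
 * this matches how recipient keys are actually distributed.
 *
 * <p>Output format: {@code Base64(iv || ciphertext || tag) + ":" + Base64(wrappedKey)}.
 */
@Component
public class EndToEndEncryptionService {

    private static final String AES_TRANSFORMATION = "AES/GCM/NoPadding";
    private static final String RSA_TRANSFORMATION = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    private static final int AES_KEY_BITS = 256;
    private static final int GCM_IV_BYTES = 12;    // 96-bit IV, the GCM recommendation
    private static final int GCM_TAG_BITS = 128;
    private static final SecureRandom RANDOM = new SecureRandom();

    /**
     * Encrypts {@code plaintext} so that only the holder of the matching private key can
     * recover it.
     *
     * @param plaintext text to encrypt; encoded as UTF-8
     * @param recipientPublicKey Base64 X.509 encoding of the recipient's RSA public key
     * @return {@code Base64(iv || ciphertext || tag) + ":" + Base64(wrappedKey)}
     * @throws GeneralSecurityException on provider or key errors
     * @throws IllegalArgumentException if {@code recipientPublicKey} is not valid Base64
     */
    public String encryptForRecipient(String plaintext, String recipientPublicKey) throws GeneralSecurityException {
        // 1. Fresh random symmetric key for this message only.
        KeyGenerator keyGen = KeyGenerator.getInstance("AES");
        keyGen.init(AES_KEY_BITS);
        SecretKey symmetricKey = keyGen.generateKey();

        // 2. Encrypt the payload; the IV is prepended so the recipient can recover it.
        byte[] iv = new byte[GCM_IV_BYTES];
        RANDOM.nextBytes(iv);
        Cipher aesCipher = Cipher.getInstance(AES_TRANSFORMATION);
        aesCipher.init(Cipher.ENCRYPT_MODE, symmetricKey, new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ciphertext = aesCipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] encryptedData = new byte[iv.length + ciphertext.length];
        System.arraycopy(iv, 0, encryptedData, 0, iv.length);
        System.arraycopy(ciphertext, 0, encryptedData, iv.length, ciphertext.length);

        // 3. Wrap the symmetric key with the recipient's public key.
        Cipher rsaCipher = Cipher.getInstance(RSA_TRANSFORMATION);
        rsaCipher.init(Cipher.ENCRYPT_MODE, getPublicKey(recipientPublicKey));
        byte[] encryptedKey = rsaCipher.doFinal(symmetricKey.getEncoded());

        // 4. Return both parts; standard Base64 never contains ':' so the split is unambiguous.
        return Base64.getEncoder().encodeToString(encryptedData) + ":"
                + Base64.getEncoder().encodeToString(encryptedKey);
    }

    /** Parses a Base64 X.509 SubjectPublicKeyInfo into an RSA public key. */
    private static PublicKey getPublicKey(String base64Key) throws GeneralSecurityException {
        byte[] der = Base64.getDecoder().decode(base64Key);
        return KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
    }
}

八、总结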
数据加密是保护数据安全的基础：
- 传输加密：HTTPS/TLS
- 存储加密：AES/RSA
- 密钥管理：轮换/托管
- 敏感保护：脱敏/全链路加密
*个人观点，仅供参考