首页 > 其他分享 >如何使用 RSA 加密 JWT

如何使用 RSA 加密 JWT

时间:2022-08-19 22:33:40浏览次数:60  
标签:加密 String java jwt JWT RSA private ----- import

  1. 引入 nimbus-jose-jwt
<dependency>
      <groupId>com.nimbusds</groupId>
      <artifactId>nimbus-jose-jwt</artifactId>
      <version>9.23</version>
</dependency>

该包可以使用rsa算法进行jwt加密

  1. 使用openssl生成密钥

生成RSA加密私钥


openssl genrsa -aes256 -passout pass:123456 -out rsa_aes_private.key 1024

使用RSA私钥生成公钥


openssl rsa -in rsa_aes_private.key -pubout -out rsa_public.key

因为使用 openssl 生成的密钥是 pkcs1格式的密钥,java默认只能使用 pkcs8 格式的密钥,所以需要进行pkcs1到pkcs8转换的转换


openssl pkcs8 -topk8 -in rsa_aes_private.key -inform pem -out pkcs8_rsa_private.key -outform pem

  1. 在application.yml增加配置

certificate:
  useKid: k1
  certificates:
    - kid: k1
      privateKey: |
        -----BEGIN ENCRYPTED PRIVATE KEY-----
        MIIC3TBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQImUIM57O4TH4CAggA
        MAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBDJkNNh8w3fTcQjKP3A6oVHBIIC
        gC7Nuk2xzW2+CHycQ5InCB76u/C1L6jTKC8M7XgAhacM7WfQHHfJFjMsN9J94vwd
        8rDlTPE+nNHmLw386fBFtwDTLC8cuALmcvzH+qxYVXD5ygYGRrclUulOiRwiZ5f4
        TjdmHApP15SbglG/B4tV5ERa2nudccXDdg7fAJsqlaZsqLGnPxYBhbUwE428DFjn
        MkyA2N06AQzyU7aFYeuKGSS5D04HRAyZ/SBVUg4lBXI34TAZGG447LhHxXuorBgH
        N/JJpHGgQyURmH43HI4bpiPnXHbHTRNYUehQGUI/oNWAZugFLFrXnYl120+wkca+
        U8zQu/23uhy+4iCuy5SnNxdOKvSNpBTIh2BEbEm8nmHvbcfg5pcgExb/g7rnFWPP
        ryNdR42Vm5Wp4xrzFT71WwWSUVkC1N037QH0K09BTcJi/XV6qxxOtLSfq2uzTJQ2
        vIs9VGgKy9IAlIa6aur1Th/cpbQ+dz9ld1ZYWHgBxw8hFxZkbu+qZUeAo6c1pHZI
        rwPvYj06BK5R2xkrMYcJaEasJz0PrvxMzk9+0qSJNdT+y9nzaxLN+/ypldm3DarH
        ZiyG5QC/TJTWkckM0AIdZujLIs8j3IQc4Sp21zrjFeMBzVd3CJBGgaFAV3o6CaAp
        9OJYytj/cNAy1jEfTl7AbaRAbteBbSFQdAsSGqgC0u+JpyncH1r3YoM720HIB7Xa
        pLyOCA3zWcbKPwHTBlH1x7+ppXy/zvdAwmUlTydD1aaa2i4bv2+ctdjWhMW77Nxp
        TE3y5Kim8CSW885PgIRxKocU0DgeOEtPmuOxxMjbouSF18mSmZP8NmoiVMpf/cS9
        9c4FlRjxWiPoRY+EMWk81cU=
        -----END ENCRYPTED PRIVATE KEY-----  
      publicKey: |
        -----BEGIN PUBLIC KEY-----
        MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1iRRYvvbs7cPGfpJuND0ArkzE
        MTzeDG0OuTxcdl+A6yOB6jRRe/9fqRRZJSZOcrvr8I2YKs9n+DGo2nGUrmcRlav5
        s77g7jGJmOW6ZvNBBU4g+w9gt4tQPCBcyjSym4HUWz04FT03cfa6Yn7f2xHwjw7j
        3DXGZnp+qx3fox5ezwIDAQAB
        -----END PUBLIC KEY-----
    - kid: k2
      privateKey: |
        -----BEGIN ENCRYPTED PRIVATE KEY-----
        MIIC3TBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQI1wWdC35fHiMCAggA
        MAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBAd8fAg67XxjRww/6zZOYiUBIIC
        gFELh2xUblnGRTGQQ7VaRayAMHd1hNNc2P6Pe0ujXxzf1qF/iE6Rhpk2Ag9I0ky+
        siZL8lbh3QzOyQUch+BBYBuUeToSN8jQ+5rTR6Vr8eaC6jRKIZCBdxbbN4r3hSkJ
        nG+BZzjArO8U0T+QTQ3cp3rpvOsRj5xR09nku3HnaY9vNqWAWd5mjJ+b8lRnh64X
        qAAmnBUcB+5xuU/BMGpF8k2X/qNVRM/YZzP1/mWO31kw1VMjSP6zdrRVQuoUv2X8
        bUlv6kBBaaTPK4qkR6y3I7QMiGxA1UL8qTPtxpOlaWR+3ofIBPk1N35k1sFLRgc/
        UhK7q0KphZ75BZGu1PpOu8T0p2fx0BnIQUZKg7+g5oqzNKKo9RlVx87wrJO1Urur
        VJS+FzK1HoGqLtsco2lzeLqmXqCbC+MXygenJJxOZOKW9/LWQxMP3e72/N0LzdqW
        0lbu9f4w86OL7Qwk4zVxCFp9bwDAvf5ZIvfnLI1yl8q7cfny6QKGU+nwENOWn3Px
        I7Dv7vNIs9K6f6Is8XPnEnBIRi2eUwVHVqeu46DLIIzS+YIvsDfkHp3h7fBh7hYW
        Iytia/QfKmpyeZp5GCJZM0pLP0qDLspXdm0oBI+WdnbF2i9YUADGdQw1CpgskYnf
        wBNDdGmkUR4aTDdwvdzPacRDF3ZZg/AaiysuWRIjEsEabwmpi4CmmLiwxwnO5uDn
        4iiLC16PUPK+sIBskYd9UgOMyC+qKbzajCZVyRZDpNPZF+jZE+ND3TOtaWHimP9M
        B3dHj6F+/rHHko9kWsc/V/RaXm//14g8SBn3Hc+vR/IAz9SajMJDRVEmQnWhkfz9
        IdLgYdHew8l+HuvjDCXtmBM=
        -----END ENCRYPTED PRIVATE KEY-----
      publicKey: |
        -----BEGIN PUBLIC KEY-----
        MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC6pyUTOpppX5JOtMbT6CjS4/U8
        ZV6Tw9kViTwrILr/AwgUFaaxptaCx+waiQgBJfTE2VVXwXipXpxfYjtgKqVqx4yR
        mVAxGNZjKIkSzAxjo7er2vP084WG/Sh958MXW8A/K7pDkSALusP8YTveEgtTKfln
        feBZh04XQmRYhPPCuQIDAQAB
        -----END PUBLIC KEY-----

以上配置的私钥是进行了转换后的密钥

  1. 解析配置文件

定义配置对象


package com.olive.jwt;
import java.io.Serializable;

public class CertVO implements Serializable{

  private String kid;
  
  private String privateKey;
  
  private String publicKey;

  //省略getter setter
  
}

对应配置对象


package com.olive.jwt;
import java.util.List;

import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.stereotype.Component;

@Component
@ConfigurationProperties(prefix="certificate")
public class CertificateConfig {

  private String useKid;
  
  private List<CertVO> certificates;

  //省略getter  setter
}

  1. 定义 jwt payload 对象

package com.olive.jwt;

import java.io.Serializable;

public class JwtPayloadVO implements Serializable{

  private String jti; //jwt token id
  
  private String tid; //companyId
  
  private String cid; //appId
  
  private String iss; //token使用方
  
  private String sub; //token主题 格式 tid:cid:uid
  
  private Long exp; //过期时间 毫秒
  
  private Long iat; //创建时间 毫秒
  
  private String uid; //user id

  //省略getter setter
}

  1. 进行jwt 生成与验证

package com.olive.jwt;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.text.ParseException;
import java.util.Base64;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.annotation.PostConstruct;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import org.springframework.util.StringUtils;
import com.nimbusds.jose.*;

@Component
public class CertificateProvider {

  @Autowired
  private CertificateConfig certificateConfig;

  private RSAPrivateKey rsaPrivateKey = null;

  private Map<String, RSASSAVerifier> verifiers = new HashMap<>();

  @PostConstruct
  public void init() {
    rsaPrivateKey = this.getPrivateKey();
  }

  public RSAPrivateKey getPrivateKey() {
    if (rsaPrivateKey != null) {
      return rsaPrivateKey;
    }
    String use = certificateConfig.getUseKid();
    if (StringUtils.isEmpty(use)) {
      System.out.println("certificate kid is required");
      return null;
    }
    List<CertVO> certVOs = certificateConfig.getCertificates();
    if (certVOs==null && certVOs.size()==0) {
      System.out.println("certificate is required");
      return null;
    }
    try {
      for (CertVO certVO : certVOs) {
        if (use.equals(certVO.getKid())) {
          // 加载私钥
          rsaPrivateKey = this.loadRSARSAPrivateKey(certVO.getPrivateKey());
        }
        RSAPublicKey publicKey = loadRSAPublicKey(certVO.getPublicKey());
        verifiers.put(certVO.getKid(), new RSASSAVerifier(publicKey));
      }
    } catch (Exception e) {
      e.printStackTrace();
    }
    if (rsaPrivateKey != null) {
      return rsaPrivateKey;
    } else {
      System.out.println("getPrivateKey certificate kid is required,certificate kid is required");
      return null;
    }
  }

  /**
   * 加载公钥
   *
   * @param keyStr 公钥字符串
   * @return 公钥实体
   * @throws NoSuchAlgorithmException  KeyFactory中无该算法实现
   * @throws InvalidKeySpecException 密钥无法识别
   */
  private RSAPublicKey loadRSAPublicKey(String keyStr) throws NoSuchAlgorithmException, InvalidKeySpecException {
    byte[] clear = publicKeyStrToBytes(keyStr);
    X509EncodedKeySpec keySpec = new X509EncodedKeySpec(clear);
    KeyFactory fact = KeyFactory.getInstance("RSA");
    return (RSAPublicKey) fact.generatePublic(keySpec);
  }

  private RSAPrivateKey loadRSARSAPrivateKey(String keyStr) throws Exception {
    String begin = "-----BEGIN PRIVATE KEY-----";
    String end = "-----END PRIVATE KEY-----";
    String key = keyStr.replace(begin, "").replace(end, "").replaceAll("\\s", "");
    PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(Base64.getDecoder().decode(key));
    KeyFactory kf = KeyFactory.getInstance("RSA");
    return (RSAPrivateKey) kf.generatePrivate(spec);
  }
  /**
   * 公钥 字符串转换成二进制
   * @param keyStr 密钥字符串
   * @return 密钥/公钥 二进制
   */
  private byte[] publicKeyStrToBytes(String keyStr) {
    String begin = "-----BEGIN PUBLIC KEY-----";
    String end = "-----END PUBLIC KEY-----";
    String key = keyStr.replace(begin, "").replace(end, "").replaceAll("\\s", "");
    return Base64.getDecoder().decode(key);
  }

  public String generateAccessToken(JwtPayloadVO jwtPayloadVO) {
    Map<String, Object> playloadMap = new HashMap<>();
    playloadMap.put("jti", jwtPayloadVO.getJti());
    playloadMap.put("tid", jwtPayloadVO.getTid());
    playloadMap.put("cid", jwtPayloadVO.getCid());
    playloadMap.put("iss", jwtPayloadVO.getIss());
    playloadMap.put("sub", jwtPayloadVO.getSub());
    playloadMap.put("exp", jwtPayloadVO.getExp());
    playloadMap.put("iat", jwtPayloadVO.getIat());
    if (StringUtils.hasLength(jwtPayloadVO.getUid())) {
      playloadMap.put("uid", jwtPayloadVO.getUid());
    }
    try {
      // 创建JWS头,设置签名算法和类型
      JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.RS256).keyID(certificateConfig.getUseKid())
          .type(JOSEObjectType.JWT).build();
      JWTClaimsSet claimsSet = JWTClaimsSet.parse(playloadMap);
      // 创建RSA签名器
      JWSSigner signer = new RSASSASigner(rsaPrivateKey, true);
      SignedJWT signedJWT = new SignedJWT(header, claimsSet);
      signedJWT.sign(signer);
      return signedJWT.serialize();
    } catch (Exception e) {
      e.printStackTrace();
    }
    return null;
  }

  public JWTClaimsSet verify(String token) throws ParseException, JOSEException {
    SignedJWT jwt = SignedJWT.parse(token);
    JWSHeader jwtHeader = jwt.getHeader();
    String keyID = jwtHeader.getKeyID();
    RSASSAVerifier verifier = verifiers.get(keyID);
    if (verifier == null) {
      System.out.println("jwt verify error: kid " + keyID + " mismatch RSASSAVerifier");
      return null;
    }
    boolean verify = jwt.verify(verifier);
    if (!verify) {
      System.out.println("jwt verify fail, invalid token: " + token);
      return null;
    }
    return jwt.getJWTClaimsSet();
  }

}

标签:加密,String,java,jwt,JWT,RSA,private,-----,import
From: https://www.cnblogs.com/happyhuangjinjin/p/16603520.html

相关文章

  • [HFCTF2020]EasyLogin-1|JWT身份伪造
    1、打开之后只有一个登陆界面和注册界面,右键检查发现app.js代码,结果如下:app.js代码如下:/***或许该用koa-static来处理静态文件*路径该怎么配置?不管了先填个根......
  • 驱动程序无法通过使用安全套接字层(SSL)加密与 SQL Server 建立安全连接
    驱动程序无法通过使用安全套接字层(SSL)加密与SQLServer建立安全连接,Error:“TheserverselectedprotocolversionTLS10isnotacceptedbyclientpreferences[......
  • PAT Advanced 1020 Tree Traversals(25)
    题目描述:Supposethatallthekeysinabinarytreearedistinctpositiveintegers.Giventhepostorderandinordertraversalsequences,youaresupposedtoou......
  • java使用秘钥加密密码
    对称加密什么是对称加密对称加密算法是应用较早的加密算法,技术成熟。在对称加密算法中,数据发信方将明文(原始数据)和加密密钥(miyao)一起经过特殊加密算法处理后,使其变成复......
  • 加密后的数据如何进行模糊查询
    我们知道加密后的数据对模糊查询不是很友好,本篇就针对加密数据模糊查询这个问题来展开讲一讲实现的思路,希望对大家有所启发。为了数据安全我们在开发过程中经常会对重要的......
  • 145.binary-tree-postorder-traversal 二叉树的后序遍历
    对比前序遍历的"中左右",后序遍历是"左右中",颠倒一下就是"中右左",所以可以参照前序遍历的迭代法来写迭代遍历。#include<algorithm>#include<stack>#include<vector>......
  • 144.binary-tree-preorder-traversal 二叉树的前序遍历
    前序遍历即中左右,前中后序遍历区别就在于中节点是在前、中还是后。利用栈实现二叉树的迭代遍历:#include<stack>#include<vector>usingstd::stack;usingstd::vecto......
  • 1009 Forsaken喜欢独一无二的树 删边找唯一kruskal生成树
     链接:https://ac.nowcoder.com/acm/contest/26077/1009来源:牛客网题目描述       众所周知,最小生成树是指使图中所有节点连通且边......
  • 讲一讲加密数据如何进行模糊查询
    在上一篇讲一讲数据安全,如何有效预防脱库中我们提到了加密后的数据对模糊查询不是很友好,本篇就针对加密数据模糊查询这个问题来展开讲一讲实现的思路。为了数据安全我们......
  • [JSOI2007] 字串加密
    题链:luoguJS同学?Description让JS同学对环形字符串进行重组加密。加密规则是:列出\(n\)个字符串并字典序升序,一次取末尾字符作为加密后的长度为\(n\)的密码串。......