RSA算法属于非对称加密算法,通常是生成一对密钥,其中之一是保密密钥,由用户保存;另一个为公开密钥,可对外公开,甚至可在网络服务器中注册。安全性来说,迄今为止都没被真正破解过。
文末附完整RSA加密代码。
项目场景:
APP端登录模块需要对密码进行加密,评估后采用非对称加密算法Rsa实现,由android端公钥加密后,服务端(Java)侧对其解密。
本次rsa加解密模块的开发一共遇到2个问题:
1、Android端和Java端默认填充模式不一致导致的问题;
2、APP上线安全扫描,报安全漏洞问题:使用RSA加密时,应设置其填充方式为OAEP;
问题一:
问题描述:
APP端(Android)侧加密后的数据在服务端(Java)侧解密错误。
原因分析:
客户端是Android端,服务端是Java端,双方采用的默认填充模式不一样,虽然设置的填充模式是一样的,仍然导致解密失败。代码如下:
/**
* 公钥加密.</br>
*
* @param content 要加密的内容
* @param publicKeyBytes 公钥
* @return 加密后的内容
* @throws Exception 异常
*/
public static byte[] publicEncrypt(byte[] content, byte[] publicKeyBytes) throws Exception{
X509EncodedKeySpec keySpec = new X509EncodedKeySpec(publicKeyBytes);
KeyFactory keyFactory = KeyFactory.getInstance("RSA");
PublicKey publicKey = keyFactory.generatePublic(keySpec);
Cipher cipher = Cipher.getInstance("RSA");
cipher.init(Cipher.ENCRYPT_MODE, publicKey);
return cipher.doFinal(content);
}
/**
* 私钥解密.<br/>
*
* @param content 要加密的内容
* @param privateKeyBytes 私钥
* @return 解密后的内容
* @throws Exception 异常
*/
public static byte[] privateDecrypt(byte[] content, byte[] privateKeyBytes) throws Exception{
X509EncodedKeySpec keySpec = new X509EncodedKeySpec(privateKeyBytes);
KeyFactory keyFactory = KeyFactory.getInstance("RSA");
PrivateKey privateKey = keyFactory.generatePrivate(keySpec);
Cipher cipher = Cipher.getInstance("RSA");
cipher.init(Cipher.DECRYPT_MODE, privateKey);
return cipher.doFinal(content);
}
解决方案:
Android端加密填充方式修改成Java默认的,加解密成功,代码如下:
/**
* 公钥加密.</br>
*
* @param content 要加密的内容
* @param publicKeyBytes 公钥
* @return 加密后的内容
* @throws Exception 异常
*/
public static byte[] publicEncrypt(byte[] content, byte[] publicKeyBytes) throws Exception{
X509EncodedKeySpec keySpec = new X509EncodedKeySpec(publicKeyBytes);
KeyFactory keyFactory = KeyFactory.getInstance("RSA");
PublicKey publicKey = keyFactory.generatePublic(keySpec);
Cipher cipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");
cipher.init(Cipher.ENCRYPT_MODE, publicKey);
return cipher.doFinal(content);
}
/**
* 私钥解密.<br/>
*
* @param content 要加密的内容
* @param privateKeyBytes 私钥
* @return 解密后的内容
* @throws Exception 异常
*/
public static byte[] privateDecrypt(byte[] content, byte[] privateKeyBytes) throws Exception{
X509EncodedKeySpec keySpec = new X509EncodedKeySpec(privateKeyBytes);
KeyFactory keyFactory = KeyFactory.getInstance("RSA");
PrivateKey privateKey = keyFactory.generatePrivate(keySpec);
Cipher cipher = Cipher.getInstance("RSA");
cipher.init(Cipher.DECRYPT_MODE, privateKey);
return cipher.doFinal(content);
}
问题二:
问题描述:
APP上线安全扫描,报安全漏洞问题:使用RSA加密时,应设置其填充方式为OAEP;
问题分析:
Android端和Java端修改填充模式为OAEP即可。
问题解决:
代码如下:
/**
* 公钥加密.</br>
*
* @param content 要加密的内容
* @param publicKeyBytes 公钥
* @return 加密后的内容
* @throws Exception 异常
*/
public static byte[] publicEncrypt(byte[] content, byte[] publicKeyBytes) throws Exception{
X509EncodedKeySpec keySpec = new X509EncodedKeySpec(publicKeyBytes);
KeyFactory keyFactory = KeyFactory.getInstance("RSA");
PublicKey publicKey = keyFactory.generatePublic(keySpec);
Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING");
OAEPParameterSpec oaepParameterSpec = new OAEPParameterSpec("SHA-256", "MGF1", new MGF1ParameterSpec("SHA-1"), PSpecified.DEFAULT);
cipher.init(Cipher.ENCRYPT_MODE, publicKey, oaepParameterSpec);
return cipher.doFinal(content);
}
/**
* 私钥解密.<br/>
*
* @param content 要加密的内容
* @param privateKeyBytes 私钥
* @return 解密后的内容
* @throws Exception 异常
*/
public static byte[] privateDecrypt(byte[] content, byte[] privateKeyBytes) throws Exception{
X509EncodedKeySpec keySpec = new X509EncodedKeySpec(privateKeyBytes);
KeyFactory keyFactory = KeyFactory.getInstance("RSA");
PrivateKey privateKey = keyFactory.generatePrivate(keySpec);
Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING");
OAEPParameterSpec oaepParameterSpec = new OAEPParameterSpec("SHA-256", "MGF1", new MGF1ParameterSpec("SHA-1"), PSpecified.DEFAULT);
cipher.init(Cipher.ENCRYPT_MODE, privateKey, oaepParameterSpec);
return cipher.doFinal(content);
}
附RSA工具类代码:
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource.PSpecified;
/**
* .<br/>
*
* @author iaoyou1
* @date 2022-08-14 22:18
*/
public class RSAUtils {
/**
* 生成秘钥对.</br>
*
* @return {@link Map}
* @throws Exception 异常
*/
public static Map<String, byte[]> getKeyPair() throws Exception {
KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
keyPairGenerator.initialize(2048);
KeyPair keyPair = keyPairGenerator.generateKeyPair();
Map<String, byte[]> map = new HashMap<>();
map.put("public", keyPair.getPublic().getEncoded());
map.put("private", keyPair.getPrivate().getEncoded());
return map;
}
/**
* 公钥加密.</br>
*
* @param content 要加密的内容
* @param publicKeyBytes 公钥
* @return 加密后的内容
* @throws Exception 异常
*/
public static byte[] publicEncrypt(byte[] content, byte[] publicKeyBytes) throws Exception {
X509EncodedKeySpec keySpec = new X509EncodedKeySpec(publicKeyBytes);
KeyFactory keyFactory = KeyFactory.getInstance("RSA");
PublicKey publicKey = keyFactory.generatePublic(keySpec);
Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING");
OAEPParameterSpec oaepParameterSpec = new OAEPParameterSpec("SHA-256", "MGF1", new MGF1ParameterSpec("SHA-1"), PSpecified.DEFAULT);
cipher.init(Cipher.ENCRYPT_MODE, publicKey, oaepParameterSpec);
return cipher.doFinal(content);
}
/**
* 私钥解密.<br/>
*
* @param content 要加密的内容
* @param privateKeyBytes 私钥
* @return 解密后的内容
* @throws Exception 异常
*/
public static byte[] privateDecrypt(byte[] content, byte[] privateKeyBytes) throws Exception {
X509EncodedKeySpec keySpec = new X509EncodedKeySpec(privateKeyBytes);
KeyFactory keyFactory = KeyFactory.getInstance("RSA");
PrivateKey privateKey = keyFactory.generatePrivate(keySpec);
Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING");
OAEPParameterSpec oaepParameterSpec = new OAEPParameterSpec("SHA-256", "MGF1", new MGF1ParameterSpec("SHA-1"), PSpecified.DEFAULT);
cipher.init(Cipher.ENCRYPT_MODE, privateKey, oaepParameterSpec);
return cipher.doFinal(content);
}
}