出现原因
Apache Shiro < 1.2.4的版本会出现shiro反序列化漏洞问题,攻击者可以使用Shiro的默认密钥构造恶意序列化对象进行编码来伪造用户的Cookie,服务端反序列化时触发漏洞,从而执行命令。
只要rememberMe的AES加密密钥泄漏,无论shiro什么版本都会导致反序列化漏洞。
给大家分享一下近期遇到项目的处理方式,尚有上升空间,请前辈们指教!
bean配置形式处理
首先检查项目的ShiroConfig(shiro配置类)rememberMeManager()记住我方法。其中cookieRememberMeManager.setCipherKey(“字符”),字符一般会设置为默认的,不注意的话就会造成反序列化漏洞,这里我设置成RSA随机加密的形式,这样就不会出错。
下面上代码:
/**
* 记住我
*/
public CookieRememberMeManager rememberMeManager() throws Exception {
Map<String, Object> keyMap = RSAUtil.initKey();
//生成公钥
String publicKey = RSAUtil.getPublicKey(keyMap);
//生成私钥
String privateKey = RSAUtil.getPrivateKey(keyMap);
//这里设置自己想要的字符
String sourceString = "随机字符";
byte[] encodedData = RSAUtil.encrypt(sourceString.getBytes(), publicKey, true);
CookieRememberMeManager cookieRememberMeManager = new CookieRememberMeManager();
cookieRememberMeManager.setCookie(rememberMeCookie());
cookieRememberMeManager.setCipherKey(encodedData);
);
return cookieRememberMeManager;
}
RSA工具类:
import javax.crypto.Cipher;
import java.security.*;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.HashMap;
import java.util.Map;
/**
* RSA工具类
*/
public class RSAUtil {
public static final String ENCRYPTION_ALGORITHM = "RSA";
public static final String SIGNATURE_ALGORITHM = "MD5withRSA";
/**
* 生成密钥
*/
public static Map<String, Object> initKey() throws Exception {
/* 初始化密钥生成器 */
KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(ENCRYPTION_ALGORITHM);
keyPairGenerator.initialize(1024);
/* 生成密钥 */
KeyPair keyPair = keyPairGenerator.generateKeyPair();
RSAPublicKey publicKey = (RSAPublicKey) keyPair.getPublic();
RSAPrivateKey privateKey = (RSAPrivateKey) keyPair.getPrivate();
Map<String, Object> keyMap = new HashMap<String, Object>(2);
keyMap.put("PublicKey", publicKey);
keyMap.put("PrivateKey", privateKey);
return keyMap;
}
/**
* 取得公钥
*/
public static String getPublicKey(Map<String, Object> keyMap)
throws Exception {
Key key = (Key) keyMap.get("PublicKey");
return Base64Util.encryptBASE64(key.getEncoded());
}
/**
* 取得私钥
*/
public static String getPrivateKey(Map<String, Object> keyMap)
throws Exception {
Key key = (Key) keyMap.get("PrivateKey");
return Base64Util.encryptBASE64(key.getEncoded());
}
/**
* 加密
*/
public static byte[] encrypt(byte[] data, String keyString, boolean isPublic) throws Exception {
Map<String, Object> keyAndFactoryMap = RSAUtil.generateKeyAndFactory(keyString, isPublic);
KeyFactory keyFactory = RSAUtil.getKeyFactory(keyAndFactoryMap);
Key key = RSAUtil.getKey(keyAndFactoryMap);
// 对数据加密
Cipher cipher = Cipher.getInstance(keyFactory.getAlgorithm());
cipher.init(Cipher.ENCRYPT_MODE, key);
return cipher.doFinal(data);
}
/**
* 解密
*/
public static byte[] decrypt(byte[] data, String keyString, boolean isPublic) throws Exception {
Map<String, Object> keyAndFactoryMap = RSAUtil.generateKeyAndFactory(keyString, isPublic);
KeyFactory keyFactory = RSAUtil.getKeyFactory(keyAndFactoryMap);
Key key = RSAUtil.getKey(keyAndFactoryMap);
// 对数据加密
Cipher cipher = Cipher.getInstance(keyFactory.getAlgorithm());
cipher.init(Cipher.DECRYPT_MODE, key);
return cipher.doFinal(data);
}
/**
* 生成钥匙
*/
public static Map<String, Object> generateKeyAndFactory(String keyString, boolean isPublic) throws Exception {
byte[] keyBytes = Base64Util.decryptBASE64(keyString);
KeyFactory keyFactory = KeyFactory.getInstance(ENCRYPTION_ALGORITHM);
Key key = null;
if (isPublic) {
X509EncodedKeySpec x509KeySpec = new X509EncodedKeySpec(keyBytes);
key = keyFactory.generatePublic(x509KeySpec);
} else {
PKCS8EncodedKeySpec pkcs8KeySpec = new PKCS8EncodedKeySpec(keyBytes);
key = keyFactory.generatePrivate(pkcs8KeySpec);
}
Map<String, Object> keyAndFactoryMap = new HashMap<String, Object>(2);
keyAndFactoryMap.put("key", key);
keyAndFactoryMap.put("keyFactory", keyFactory);
return keyAndFactoryMap;
}
/**
* 从指定对象中获取钥匙
*/
public static Key getKey(Map<String, Object> map) {
if (map.get("key") == null) {
return null;
}
return (Key)map.get("key");
}
/**
* 从指定对象中获取钥匙工厂
*/
public static KeyFactory getKeyFactory(Map<String, Object> map) {
if (map.get("keyFactory") == null) {
return null;
}
return (KeyFactory)map.get("keyFactory");
}
/**
* 对信息生成数字签名(用私钥)
*/
public static String sign(byte[] data, String keyString) throws Exception {
Map<String, Object> keyAndFactoryMap = RSAUtil.generateKeyAndFactory(keyString, false);
Key key = RSAUtil.getKey(keyAndFactoryMap);
PrivateKey privateKey = (PrivateKey)key;
// 用私钥对信息生成数字签名
Signature signature = Signature.getInstance(SIGNATURE_ALGORITHM);
signature.initSign(privateKey);
signature.update(data);
return Base64Util.encryptBASE64(signature.sign());
}
/**
* 校验数字签名(用公钥)
*/
public static boolean verify(byte[] data, String keyString, String sign)
throws Exception {
Map<String, Object> keyAndFactoryMap = RSAUtil.generateKeyAndFactory(keyString, true);
Key key = RSAUtil.getKey(keyAndFactoryMap);
PublicKey publicKey = (PublicKey)key;
// 取公钥匙对象
Signature signature = Signature.getInstance(SIGNATURE_ALGORITHM);
signature.initVerify(publicKey);
signature.update(data);
// 验证签名是否正常
return signature.verify(Base64Util.decryptBASE64(sign));
}
public static void main(String[] args) throws Exception {
Map<String, Object> keyMap = RSAUtil.initKey();
//生成公钥
String publicKey = RSAUtil.getPublicKey(keyMap);
//生成私钥
String privateKey = RSAUtil.getPrivateKey(keyMap);
System.out.println("公钥 -> " + publicKey);
System.out.println("私钥 -> " + privateKey);
System.out.println("公钥加密,私钥解密");
String sourceString = "test";
byte[] encodedData = RSAUtil.encrypt(sourceString.getBytes(), publicKey, true);
byte[] decodedData = RSAUtil.decrypt(encodedData, privateKey, false);
String targetString = new String(decodedData);
System.out.println("加密前: " + sourceString + ",解密后: " + targetString);
System.out.println("私钥签名,公钥验证签名");
byte[] data = sourceString.getBytes();
// 产生签名
String sign = RSAUtil.sign(data, privateKey);
System.out.println("签名 -> " + sign);
// 验证签名
boolean status = RSAUtil.verify(data, publicKey, sign);
System.out.println("状态 -> " + status);
}
}
xml配置形式处理
其他版本的处理方式(比较老的架构)
在shiro-context.xml里,可以用下面处理方式:
<bean id="rememberMeManager" class="org.apache.shiro.web.mgt.CookieRememberMeManager">
<property name="cipherKey" value="#{T(com.cms.common.util.GenerateCipherKey).generateNewKey()}"></property>
</bean>
下面是随机码工具类:
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import java.security.NoSuchAlgorithmException;
public class GenerateCipherKey {
/**
* 随机生成秘钥,参考org.apache.shiro.crypto.AbstractSymmetricCipherService#generateNewKey(int)
* @return
*/
public static byte[] generateNewKey() {
KeyGenerator kg;
try {
kg = KeyGenerator.getInstance("AES");
} catch (NoSuchAlgorithmException var5) {
String msg = "Unable to acquire AES algorithm. This is required to function.";
throw new IllegalStateException(msg, var5);
}
kg.init(128);
SecretKey key = kg.generateKey();
byte[] encoded = key.getEncoded();
return encoded;
}
}