等保3.0实现方案记录
等保简介
信息安全等级保护,简称等保(ISO),是我国在网络安全领域实施的一项基本制度。在等保制度中,“二级”和“三级”是常见的安全保护等级。
等保二级主要适用于一般的信息系统,这些系统在国家安全、经济建设和社会生活中的重要程度相对较低,但一旦遭到破坏,仍可能对国家安全、社会秩序、公共利益以及公民、法人和其他组织的合法权益造成一定危害。因此,对这类系统实施第二级安全保护,旨在确保其正常运行和数据安全。
而等保三级则适用于更为重要和敏感的信息系统,如政府部门的核心业务系统、涉及国家安全的关键基础设施等。这些系统一旦遭受破坏,将可能对国家安全、社会秩序和公共利益造成重大威胁。因此,对这类系统实施第三级安全保护,要求采取更为严格的安全措施和技术手段,以确保其高度安全和稳定。
四级等保主要适用于极其重要的信息系统,如国家关键信息基础设施、重要领域的核心业务系统等。这些系统一旦遭受破坏,将对国家安全、社会秩序和公共利益造成极其严重的危害。因此,四级等保要求采取极为严格的安全措施和技术手段,确保系统的绝对安全。
五级等保则是信息安全等级保护中的最高等级,适用于涉及国家核心机密和最高安全要求的信息系统。这些系统通常涉及国家安全、国防建设等重要领域,其安全保护要求极为严格和机密。五级等保不仅需要采取最先进的安全技术和管理措施,还需要建立完善的安全保密体系,确保系统的绝对安全和机密性。
本文主要记录等保三级的加解密实现方案,以及实现过程中遇到的问题。
背景
该功能的实现是在已有项目的基础上进行补充,并在尽量不改动原有功能的基础上实现请求参数的验签和加解密,并把解密后的参数重新赋值到 请求中,保证控制层的正常取用,另外对响应的信息进行加密加签后返回加密体,由前端进行验签解密后展示:
- 加解密采用SM4 ,对称加密,SM4的加密和解密速度相对较快,适用于需要快速加密和解密大量数据的场景;
- 签名采用SM2 ,非对称加密算法,安全性更高,但是性能通常低于对称加密算法,非对称加密涉及复杂的数学运算,因此计算成本更高,速度较慢;
- 附带CORS访问限制管理;
- 附带Content-Security-Policy响应头缺失问题处理;
- 其他响应头信息补充;
请求及响应信息截图: 
ContentSecurityFilter过滤器,实现Filter接口
- 添加开关控制是否开启等保的验证
- 过滤一些白名单请求,封装响应信息,具体代码后续展示
- 读取请求参数,前端请求的参数包含3个,clientPubKey:SM2验签公钥,data:加密串,signature:验签字符串;
- 从redis中获取RedisEncryptKey,其中包含SM4的私钥和SM2的私钥;
- 调用verifySign方法进行验签,方法入参分别为:SM2公钥、加密字符串、验签字符串;
- 验签通过后解密获取明文请求入参(decodeParameter方法)
- 需要把请求的明文参数重新赋值到请求上,用以保证控制层的正常获取,此处分两块说明,Get请求的处理简答,把参数重新封装到Url上即可;难点在于post请求的参数替换,ServletRequest 中消息体的参数不允许修改,此处实现ResponseBodyAdvice的接口用以替换参数。
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
HttpServletRequest servletRequest = (HttpServletRequest) request;
HttpServletResponse servletResponse = (HttpServletResponse) response;
String requestURI = servletRequest.getRequestURI();
if (!GlobeParam.DENGBAO_ENABLE) {
chain.doFilter(servletRequest, servletResponse);
return;
}
List<String> list = StringToList(allowInterface);
if (list.contains(requestURI)) {
log.info("过滤器-文件上传:=>>>>>>>>>>>>>>>>>>>>>>>>{}", servletRequest.getRequestURI());
chain.doFilter(servletRequest, servletResponse);
return;
}
//相应信息请求头信息封装
setHeaderToResponse(servletResponse);
if (servletRequest.getMethod().equalsIgnoreCase("OPTIONS")) {
chain.doFilter(servletRequest, servletResponse);
return;
}
//clientPubKey:公钥,data:加密串,signature:验签字符串
String clientPubKey = null, data = null, signature = null;
if (servletRequest.getMethod().equalsIgnoreCase("POST") ||
servletRequest.getMethod().equalsIgnoreCase("delete") ||
servletRequest.getMethod().equalsIgnoreCase("put")) {
String requestBody = getRequestBody(request);
if (StringUtils.isNotEmpty(requestBody)) {
JSONObject jsonObject = JSONObject.parseObject(requestBody);
clientPubKey = jsonObject.getString("clientPubKey");
data = jsonObject.getString("data");
signature = jsonObject.getString("signature");
}
} else {
clientPubKey = servletRequest.getParameter("clientPubKey");
data = servletRequest.getParameter("data");
signature = servletRequest.getParameter("signature");
}
if (StringUtils.isAnyEmpty(clientPubKey, data, signature)) {
servletResponse.setStatus(500);
servletResponse.getWriter().write("非法访问,缺少签名信息!");
chain.doFilter(servletRequest, servletResponse);
return;
}
Object RedisEncryptKey = redisTemplate1.opsForValue().get("RedisEncryptKey");
String SM4PrivateKey = null;
if (Objects.nonNull(RedisEncryptKey)) {
JSONObject object = JSONObject.parseObject(RedisEncryptKey.toString());
SM4PrivateKey = object.getString("SM4PrivateKey");
}
//1.验签
if (!verifySign(clientPubKey, data, signature)) {
//return 异常
servletResponse.setStatus(500);
servletResponse.getWriter().write("验签未通过!");
chain.doFilter(servletRequest, servletResponse);
return;
}
if (StringUtils.isNoneBlank(data, SM4PrivateKey)) {
//2.验签通过,解密
Map<String, String[]> parameter = decodeParameter(data, SM4PrivateKey);
ParameterInterceptor modifiableRequest = new ParameterInterceptor(servletRequest, parameter);
if (modifiableRequest.getMethod().equalsIgnoreCase("POST") ||
modifiableRequest.getMethod().equalsIgnoreCase("delete") ||
modifiableRequest.getMethod().equalsIgnoreCase("put")) {
for (String key : parameter.keySet()) {
modifiableRequest.setParameter(key, parameter.get(key));
}
}
chain.doFilter(modifiableRequest, servletResponse);
} else {
chain.doFilter(servletRequest, servletResponse);
}
}
RequestBodyAdvice铭文请求信息重新赋值处理
继承RequestBodyAdviceAdapter 类,执行顺序在上述 filter后,请求到达Controller控制层前,用于post请求参数的重新赋值。
在上述ContentSecurityFilter中,我们把铭文参数存放在了request中的parameter中,此处取出getParameterMap后重新封装会了post的body中。
/**
* 请求信息参数替换
*/
@Service
@ControllerAdvice
public class RequestBodyAdvice extends RequestBodyAdviceAdapter {
@Value("${dengbao.allowInterface}")
private String allowInterface;
@Override
public boolean supports(MethodParameter methodParameter, Type targetType, Class<? extends HttpMessageConverter<?>> converterType) {
return GlobeParam.DENGBAO_ENABLE;
}
@Override
public Object afterBodyRead(Object body, HttpInputMessage inputMessage, MethodParameter parameter, Type targetType, Class<? extends HttpMessageConverter<?>> converterType) {
return super.afterBodyRead(body, inputMessage, parameter, targetType, converterType);
}
@Override
public Object handleEmptyBody(Object body, HttpInputMessage inputMessage, MethodParameter parameter, Type targetType, Class<? extends HttpMessageConverter<?>> converterType) {
return body;
}
@Override
public HttpInputMessage beforeBodyRead(HttpInputMessage inputMessage, MethodParameter parameter, Type targetType, Class<? extends HttpMessageConverter<?>> converterType) throws IOException {
List<String> list = StringToList(allowInterface);
RequestAttributes requestAttributes = RequestContextHolder.getRequestAttributes();
HttpServletRequest request = ((ServletRequestAttributes) requestAttributes).getRequest();
String requestURI = request.getRequestURI();
boolean contains = list.contains(requestURI);
if (contains) {
return super.beforeBodyRead(inputMessage, parameter, targetType, converterType);
}
Map<String, String[]> parameterMap = request.getParameterMap();
Map<String, Object> result = new HashMap<>();
for (String key : parameterMap.keySet()) {
result.put(key, parameterMap.get(key)[0]);
}
HttpInputMessage mockHttpInputMessage = new MockHttpInputMessage(inputMessage, JSON.toJSONString(result));
return super.beforeBodyRead(mockHttpInputMessage, parameter, targetType, converterType);
}
static class MockHttpInputMessage implements HttpInputMessage {
private InputStream body;
private HttpHeaders headers;
public MockHttpInputMessage(HttpInputMessage inputMessage, String newBody) {
this.headers = inputMessage.getHeaders();
this.body = new ByteArrayInputStream(newBody.getBytes());
}
@Override
public InputStream getBody() {
return body;
}
@Override
public HttpHeaders getHeaders() {
return headers;
}
}
/**
* 字符串转为数组
*
* @param param
* @return
*/
private static List<String> StringToList(String param) {
List<String> list = new ArrayList<>();
if (param != null) {
list = Arrays.asList(param.split(","));
}
return list;
}
ResponseBodyAdvice响应信息加密、加签处理
实现ResponseBodyAdvice接口,supports方法判断是否需要处理,加密加签信息存放在redis中,参数处理后返回,统一返回信息 data:加密串,signature:签名串
/**
* 响应信息加密及加签实现方法
*/
@Service
@Slf4j
@ControllerAdvice
public class ResponseBodyAdvice implements ResponseBodyAdvice<Object> {
@Resource(name = "redisTemplateSalve")
RedisTemplate<String, Object> redisTemplate1;
@Value("${dengbao.allowInterface}")
private String allowInterface;
@Override
public boolean supports(MethodParameter returnType, Class converterType) {
return GlobeParam.DENGBAO_ENABLE;
}
/**
* 字符串转为数组
*
* @param param
* @return
*/
private static List<String> StringToList(String param) {
List<String> list = new ArrayList<>();
if (param != null) {
list = Arrays.asList(param.split(","));
}
return list;
}
@SneakyThrows
@Override
public Object beforeBodyWrite(Object body, MethodParameter returnType, MediaType selectedContentType, Class selectedConverterType, ServerHttpRequest request, ServerHttpResponse response) {
log.info(">>>>>>>>>>>>>>>>>>开始响应信息加密处理");
List<String> list = StringToList(allowInterface);
Optional<String> first = list.stream().filter(f -> request.getURI().toString().contains(f)).findFirst();
if (first.isPresent()){
return body;
}
Map<String, String> respMap = new HashMap<>();
ObjectMapper objectMapper = new ObjectMapper();
Object RedisEncryptKey= redisTemplate1.opsForValue().get("RedisEncryptKey");
String serverPriKey = null;
String sm4Key = null;
if (Objects.nonNull(RedisEncryptKey)) {
JSONObject object = JSONObject.parseObject(RedisEncryptKey.toString());
serverPriKey = object.getString("ServerPriKey");
sm4Key = object.getString("SM4PrivateKey");
} else {
return "缺失关键信息,无法返回响应数据";
}
Security.addProvider(new BouncyCastleProvider());
//加密响应数据返回前端
byte[] bytes = hexStrToBytes(sm4Key);
String responseBodyMw = null;
try {
responseBodyMw = ByteUtils.toHexString(SmSecurityUtil.SM4Encode(objectMapper.writeValueAsString(body).getBytes("UTF-8"), bytes));
} catch (Exception e) {
log.error("响应信息加密异常:{}", e.getMessage());
e.printStackTrace();
}
String sign = null;
try {
sign = SmSecurityUtil.SM2AddSign(serverPriKey, responseBodyMw);
} catch (Exception e) {
log.error("响应信息加密异常:{}", e.getMessage());
e.printStackTrace();
}
respMap.put("data", responseBodyMw);
respMap.put("signature", sign);
return respMap;
}
}
加解密、加签、验签方法
public class SmSecurityUtil {
//算法名字
private static final String name = "SM4";
//加密模式以及短快填充方式
private static final String transformation = "SM4/ECB/PKCS7Padding";
/**
* SM2加签方法
*
* @param content 待验证内容
* @return
*/
public static String SM2AddSign(String privateKey, String content) throws CryptoException {
byte[] message = content.getBytes(StandardCharsets.UTF_8);
SM2Signer sm2Signer = new SM2Signer();
X9ECParameters sm2ECParameters = GMNamedCurves.getByName("sm2p256v1");
ECDomainParameters domainParameters = new ECDomainParameters(sm2ECParameters.getCurve(), sm2ECParameters.getG(), sm2ECParameters.getN());
BigInteger bigInteger = new BigInteger(privateKey, 16);
ECPrivateKeyParameters privateKeyParameters = new ECPrivateKeyParameters(bigInteger, domainParameters);
sm2Signer.init(true, privateKeyParameters);
sm2Signer.update(message, 0, message.length);
byte[] bytes = sm2Signer.generateSignature();
return Hex.toHexString(bytes);
}
/**
* SM2验签方法
*
* @param content 待验证内容
* @param publicKey 公钥
* @param sign 签名串
* @return
*/
public static boolean SM2VerifySign(String content, String publicKey, String sign) {
byte[] message = content.getBytes(StandardCharsets.UTF_8);
byte[] signData = Hex.decode(sign);
X9ECParameters sm2ECParameters = GMNamedCurves.getByName("sm2p256v1");
// 构造ECC算法参数,曲线方程、椭圆曲线G点、大整数N
ECDomainParameters domainParameters = new ECDomainParameters(sm2ECParameters.getCurve(), sm2ECParameters.getG(), sm2ECParameters.getN());
//提取公钥点
ECPoint pukPoint = sm2ECParameters.getCurve().decodePoint(Hex.decode(publicKey));
// 公钥前面的02或者03表示是压缩公钥,04表示未压缩公钥, 04的时候,可以去掉前面的04
ECPublicKeyParameters publicKeyParameters = new ECPublicKeyParameters(pukPoint, domainParameters);
SM2Signer sm2Signer = new SM2Signer();
sm2Signer.init(false, publicKeyParameters);
sm2Signer.update(message, 0, message.length);
boolean verify = sm2Signer.verifySignature(signData);
return verify;
}
/**
* 使用指定的加密算法和密钥对给定的字节数组进行加密
*
* @param inputByte 要加密的字节数组
* @param key 加密所需的密钥
* @return 加密后的字节数组
* @throws Exception 如果加密时发生错误,则抛出异常
*/
public static byte[] SM4Encode(byte[] inputByte, byte[] key) throws Exception {
// 获取加密实例
Cipher c = Cipher.getInstance(transformation);
// 根据密钥的字节数组创建 SecretKeySpec
SecretKeySpec secretKeySpec = new SecretKeySpec(key, name);
// 初始化加密实例
c.init(Cipher.ENCRYPT_MODE, secretKeySpec);
// 返回加密后的字节数组
return c.doFinal(inputByte);
}
/**
* @param inputBytes 解密内容
* @param key 密钥
* @return
* @throws Exception
*/
public static byte[] SM4Decode(byte[] inputBytes, byte[] key) throws Exception {
Cipher cipher = Cipher.getInstance(transformation);
SecretKeySpec secretKeySpec = new SecretKeySpec(key, name);
cipher.init(Cipher.DECRYPT_MODE, secretKeySpec);
return cipher.doFinal(inputBytes);
}
public static byte[] hexStrToBytes(String hexStr) {
String t = hexStr;
if (t.length() % 2 == 1) {
t = "0" + hexStr;
}
byte[] bytes = new byte[t.length() / 2];
for (int i = 0; i < t.length(); i += 2) {
bytes[i / 2] = (byte) Integer.parseInt(t.substring(i, i + 2), 16);
}
return bytes;
}
}
响应头信息封装
/**
* 封装相应信息请求头
*
* @param response
*/
private void setHeaderToResponse(HttpServletResponse response) {
HttpServletResponse servletResponse = response;
String origin = "default-src 'self' data:";
//获取配置文件白名单IP
if (StringUtils.isNotEmpty(allowedDomains)) {
String[] split = allowedDomains.split(",");
List<String> urls = new ArrayList<>();
for (int i = 0; i < split.length; i++) {
String url = split[i];
url = url.replace("http://", "");
url = url.replace("https://", "");
urls.add(url);
}
origin += String.join(" ", urls);
}
servletResponse.setHeader("Content-Security-Policy", origin);
servletResponse.setHeader("X-Content-Type-Options", "nosniff");
servletResponse.setHeader("Referrer-Policy", "no-referrer");
servletResponse.setHeader("X-Frame-Options", "SAMEORIGIN");
servletResponse.setHeader("X-XSS-Protection", "1;mode=block");
}
CORS访问限制管理,跨域限制
实现 WebMvcConfigurer接口,根据配置的白名单IP确定请求是否被允许,最多支持10个白名单IP.
@Configuration
public class InterceptorConfig implements WebMvcConfigurer {
@Value("${token.excludePath}")
private String excludePath;
@Value("${dengbao.allowedDomains}")
private String allowedDomains;
@Bean
public YTHInterceptor getSessionInterceptor() {
return new YTHInterceptor();
}
@Override
public void addInterceptors(InterceptorRegistry registry) {
List<String> list = new ArrayList<>();
if (excludePath != null) {
list = Arrays.asList(excludePath.split(","));
}
registry.addInterceptor(getSessionInterceptor())
.addPathPatterns("/**") // 表示拦截所有
.excludePathPatterns(list)
.excludePathPatterns("/**/*.css","/**/**.ico",
"/**/*.js", "/**/*.png", "/**/*.jpg",
"/**/*.jpeg", "/**/*.gif", "/**/fonts/*"); // 不拦截的请求 如登录接口
}
@Bean
public org.springframework.web.client.RestTemplate restTemplate() {
return new org.springframework.web.client.RestTemplate();
}
/**
* 跨域限制,启动时加载
* @return
*/
@Bean
public WebMvcConfigurer corsConfigurer(){
return new WebMvcConfigurer() {
@Override
public void addCorsMappings(CorsRegistry registry) {
String[] origins = new String[10];
if(StringUtils.isNotEmpty(allowedDomains)){
origins = allowedDomains.split(",") ;
}
registry.addMapping("/**")
.allowedOrigins(origins)
.allowedMethods("GET", "POST", "PUT", "DELETE")
.allowedHeaders("*")
.allowCredentials(false)
.maxAge(3600);
}
};
}
}
附带:Redis多库切换方法
支持Redis从多个库中获取相关信息。
@Configuration
@EnableCaching
public class RedisSwitchConfig extends CachingConfigurerSupport {
@Value("${spring.redis.host}")
private String host;
@Value("${spring.redis.password}")
private String password;
@Value("${spring.redis.port}")
private int port;
@Value("${spring.redis.database}")
private int database;
@Value("${spring.redis.database2}")
private int database2;
public RedisConnectionFactory connectionFactory(int index) {
RedisStandaloneConfiguration redisStandaloneConfiguration = new RedisStandaloneConfiguration();
redisStandaloneConfiguration.setHostName(host);
redisStandaloneConfiguration.setPort(port);
redisStandaloneConfiguration.setPassword(password);
redisStandaloneConfiguration.setDatabase(index);
JedisConnectionFactory jedisConnectionFactory = new JedisConnectionFactory(redisStandaloneConfiguration);
jedisConnectionFactory.afterPropertiesSet();
return jedisConnectionFactory;
}
@Bean("redisTemplateMain")
public RedisTemplate<String, Object> redisTemplateMain() {
RedisTemplate<String, Object> template = new RedisTemplate<String, Object>();
template.setConnectionFactory(connectionFactory(database));
FastJson2JsonRedisSerializer serializer = new FastJson2JsonRedisSerializer(Object.class);
ObjectMapper mapper = new ObjectMapper();
mapper.setVisibility(PropertyAccessor.ALL, JsonAutoDetect.Visibility.ANY);
mapper.activateDefaultTyping(LaissezFaireSubTypeValidator.instance,
ObjectMapper.DefaultTyping.NON_FINAL, JsonTypeInfo.As.PROPERTY);
serializer.setObjectMapper(mapper);
template.setValueSerializer(serializer);
// 使用StringRedisSerializer来序列化和反序列化redis的key值
template.setKeySerializer(new StringRedisSerializer());
template.afterPropertiesSet();
return template;
}
@Bean("redisTemplateSalve")
public RedisTemplate<String, Object> redisTemplateSalve() {
RedisTemplate<String, Object> template = new RedisTemplate<String, Object>();
template.setConnectionFactory(connectionFactory(database2));
FastJson2JsonRedisSerializer serializer = new FastJson2JsonRedisSerializer(Object.class);
ObjectMapper mapper = new ObjectMapper();
mapper.setVisibility(PropertyAccessor.ALL, JsonAutoDetect.Visibility.ANY);
mapper.activateDefaultTyping(LaissezFaireSubTypeValidator.instance,
ObjectMapper.DefaultTyping.NON_FINAL, JsonTypeInfo.As.PROPERTY);
serializer.setObjectMapper(mapper);
template.setValueSerializer(serializer);
// 使用StringRedisSerializer来序列化和反序列化redis的key值
template.setKeySerializer(new StringRedisSerializer());
template.afterPropertiesSet();
return template;
}
}
public class FastJson2JsonRedisSerializer<T> implements RedisSerializer<T> {
@SuppressWarnings("unused")
private ObjectMapper objectMapper = new ObjectMapper();
public static final Charset DEFAULT_CHARSET = Charset.forName("UTF-8");
private Class<T> clazz;
static {
ParserConfig.getGlobalInstance().setAutoTypeSupport(true);
}
public FastJson2JsonRedisSerializer(Class<T> clazz) {
super();
this.clazz = clazz;
}
@Override
public byte[] serialize(T t) throws SerializationException {
if (t == null) {
return new byte[0];
}
return JSON.toJSONString(t, SerializerFeature.WriteClassName).getBytes(DEFAULT_CHARSET);
}
@Override
public T deserialize(byte[] bytes) throws SerializationException {
if (bytes == null || bytes.length <= 0) {
return null;
}
String str = new String(bytes, DEFAULT_CHARSET);
return JSON.parseObject(str, clazz);
}
public void setObjectMapper(ObjectMapper objectMapper) {
Assert.notNull(objectMapper, "'objectMapper' must not be null");
this.objectMapper = objectMapper;
}
protected JavaType getJavaType(Class<?> clazz) {
return TypeFactory.defaultInstance().constructType(clazz);
}
}
后记
实现过程繁复,拦截器也是实现了很多种类,加解密并不复杂,复杂的是保证原有的接口都可以正常使用,为此找了许多方法,最终确定了使用RequestBodyAdviceAdapter和ResponseBodyAdvice,因为该项目是一个已经在使用的产品,为了不影响原有的功能,减少代码的改动不得不做多种处理,具体实现还是要依据项目的背景,此处仅供参考,若有更好的方案和建议,欢迎留言探讨。
扫一扫
3375
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
