HMAC-SHA256签名

拷贝忍者_

已于 2024-07-25 20:08:33 修改

阅读量1.2k

点赞数 11

分类专栏：安全与加密文章标签： java

于 2023-12-15 17:11:46 首次发布

本文链接：https://blog.csdn.net/qq_32954567/article/details/135021620

版权

安全与加密专栏收录该内容

1 篇文章

订阅专栏

文章介绍了如何在HTTP请求中添加Authorization头部，使用HMAC-SHA256算法生成并验证签名，包括获取时间戳、构造签名字符串、计算签名并进行比对的过程。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

一.需求

请求加上Authorization头部，按指定格式添加校验内容。Authorization包含以下几个方面信息：
校验方式：固定为HMAC-SHA256
timestamp：当前时间的13位毫秒时间戳
signature：请求签名，按指定方式生成

二.实现

final String secretKey = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
final String algorithm = "HmacSHA256";
private boolean authorizationValidation(HttpServletRequest request) {
    CachedBodyHttpServletRequest cachedRequest = (CachedBodyHttpServletRequest) request;
    String authorizationHeader = request.getHeader("Authorization");
    try {
      // 解析 Authorization 值
      String[] authValues = authorizationHeader.split(",");
      String timestamp = authValues[1];
      String body = cachedRequest.getBody();
      if (body == null) {
        body = "";
      }
      String receivedSignature = authValues[2];
      String path = request.getRequestURI();
      String query = request.getQueryString();
      if (StringUtils.isNotBlank(query)) {
        path += "?" + query;
      }
      // 构建参与签名的字符串
      StringBuilder stringToSign = new StringBuilder();
      stringToSign.append(path).append("\n");
      stringToSign.append(timestamp).append("\n");
      stringToSign.append(body).append("\n");
      // 使用 HMAC-SHA256 算法进行签名
      SecretKeySpec signingKey = new SecretKeySpec(secretKey.getBytes(StandardCharsets.UTF_8),algorithm);
      Mac mac = Mac.getInstance(algorithm);
      mac.init(signingKey);
      byte[] signatureBytes = mac.doFinal(stringToSign.toString().getBytes(StandardCharsets.UTF_8));

      // 对签名进行 Base64 编码
      String calculatedSignature = Base64.getEncoder().encodeToString(signatureBytes);// 对比签名值
      if (calculatedSignature.equals(receivedSignature)) {
      	return true;
      }
    } catch (NoSuchAlgorithmException | InvalidKeyException e) {
      e.printStackTrace();
      log.info(e.getMessage());
    }
    return false;
  }

public class CachedBodyHttpServletRequest extends HttpServletRequestWrapper {

  private final byte[] cachedBody;

  public CachedBodyHttpServletRequest(HttpServletRequest request) throws IOException {
    super(request);
    InputStream requestInputStream = request.getInputStream();
    this.cachedBody = StreamUtils.copyToByteArray(requestInputStream);
  }

  @Override
  public ServletInputStream getInputStream() {
    return new CachedBodyServletInputStream(this.cachedBody);
  }

  @Override
  public BufferedReader getReader() throws IOException {
    ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(this.cachedBody);
    return new BufferedReader(new InputStreamReader(byteArrayInputStream));
  }

  public String getBody() {
    return new String(cachedBody);
  }
}

public abstract class StreamUtils {
    public static final int BUFFER_SIZE = 4096;

    public StreamUtils() {
    }

    public static byte[] copyToByteArray(InputStream in) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream(4096);
        copy(in, out);
        return out.toByteArray();
    }

    public static int copy(InputStream in, OutputStream out) throws IOException {
        int byteCount = 0;
        byte[] buffer = new byte[4096];

        int bytesRead;
        for(boolean var4 = true; (bytesRead = in.read(buffer)) != -1; byteCount += bytesRead) {
            out.write(buffer, 0, bytesRead);
        }

        out.flush();
        return byteCount;
    }
}