Background
UnionPay Online Payment provides developers with a test environment, but some project teams have no access to external networks, which is a real headache for anyone who needs to develop against UnionPay Online Payment.
A study of the UnionPay Online Payment SDK shows that UnionPay payment version 5.0.0 (i.e. version=5.0.0 in the message) validates message legitimacy with RSA asymmetric digital-certificate signatures. So the decision was made to build a simulator of the UnionPay Online Payment platform, giving developers who cannot reach the external network but still need to debug UnionPay Online Payment another route.
Goals
- Implement digital signing certificate generation for UnionPay Online Payment 5.0.0
- Implement a UnionPay Online Payment 5.0.0 simulator supporting consumption transactions (payment), refund transactions, and transaction status queries
Generating the RSA asymmetric digital certificates
Operating system: Ubuntu 16.04
lsb_release -a [Enter]
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.3 LTS
Release: 16.04
Codename: xenial
Tool: OpenSSL
openssl version [Enter]
OpenSSL 1.0.2g 1 Mar 2016
Create the certificate directory: /program/rsa_cert/
Note: the following are the certificate generation steps; run them in order.
I. Generate the CA (Certificate Authority) certificate
1. Generate the CA certificate key
openssl genrsa -des3 -out edu1t1_ca.key 2048 [Enter]
Generating RSA private key, 2048 bit long modulus
........................................+++
..........+++
e is 65537 (0x10001)
Enter pass phrase for edu1t1_ca.key:(enter a password)
Verifying - Enter pass phrase for edu1t1_ca.key:(confirm the password)
2. Generate the CA certificate
openssl req -new -x509 -days 365 -key edu1t1_ca.key -out edu1t1_ca.crt [Enter]
Enter pass phrase for edu1t1_ca.key:(enter the CA key password)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN(country)
State or Province Name (full name) [Some-State]:TIANJIN(state/province)
Locality Name (eg, city) []:NANKAI(locality)
Organization Name (eg, company) [Internet Widgits Pty Ltd]:EDU1T1(organization)
Organizational Unit Name (eg, section) []:EDU1T1(organizational unit)
Common Name (e.g. server FQDN or YOUR name) []:PAYPLATFORM(common name)
Email Address []:abc@abc.com(e-mail address)
II. Generate the RSA signing/verification certificate
1. Generate the private key
openssl genrsa -out edu1t1_sign.key 2048 [Enter]
Generating RSA private key, 2048 bit long modulus
..........+++
......+++
e is 65537 (0x10001)
2. Generate the server-side certificate signing request (CSR)
openssl req -new -key edu1t1_sign.key -out edu1t1_sign.csr [Enter]
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN(country)
State or Province Name (full name) [Some-State]:TIANJIN(state/province)
Locality Name (eg, city) []:NANKAI(locality)
Organization Name (eg, company) [Internet Widgits Pty Ltd]:EDU1T1(organization)
Organizational Unit Name (eg, section) []:EDU1T1(organizational unit)
Common Name (e.g. server FQDN or YOUR name) []:PAYPLATFORM(common name)
Email Address []:abc@abc.com(e-mail address)
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:000000(enter)
An optional company name []:EDU1T1(enter)
3. Sign the certificate with the CA
Copy the file /usr/lib/ssl/openssl.cnf into /program/rsa_cert, open it with vi and make the following changes (highlighted in red in the original). Note that dir = ./certs is a relative path, so run the commands below from /program/rsa_cert.
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = ./certs # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
Under /program/rsa_cert create the directory certs.
Under certs create the directory newcerts, the file index.txt and the file serial (serial must contain a string of hexadecimal digits, which becomes the certificate's Serial Number).
Note: Ubuntu 18.04 ships OpenSSL 1.1.1, where the following errors may occur (fixes given for each):
Error 1: Can't load ~/.rnd into RNG. Fix: run the following command in the current user's home directory:
openssl rand -writerand .rnd [Enter]
Error 2: Can't open ./certs/index.txt.attr for reading, No such file or directory. Fix: create an empty file index.txt.attr under certs.
Error 3: error while loading serial number. Fix: run the following command:
echo 00 > serial [Enter]
If everything is in order, the following command runs normally and produces the result below:
openssl ca -in edu1t1_sign.csr -out edu1t1_sign.crt -keyfile edu1t1_ca.key -cert edu1t1_ca.crt -days 365 -config openssl.cnf [Enter]
Using configuration from openssl.cnf
Enter pass phrase for edu1t1_ca.key:(enter the CA key password)
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1193046 (0x123456)
Validity
Not Before: Mar 23 07:52:23 2018 GMT
Not After : Mar 23 07:52:23 2019 GMT
Subject:
countryName = CN
stateOrProvinceName = TIANJIN
organizationName = EDU1T1
organizationalUnitName = EDU1T1
commonName = PAYPLATFORM
emailAddress = abc@abc.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
8C:00:0D:9B:C6:BD:A8:E8:53:FC:61:61:33:C5:2B:E9:4F:AD:D6:6A
X509v3 Authority Key Identifier:
keyid:B6:A4:16:2D:B0:8D:2A:27:70:8D:27:C5:B4:57:07:EB:8E:40:CA:E4
Certificate is to be certified until Mar 23 07:52:23 2019 GMT (365 days)
Sign the certificate? [y/n]:y(enter y)
1 out of 1 certificate requests certified, commit? [y/n]y(enter y)
Write out database with 1 new entries
Data Base Updated
Obtain the private key in PFX format
openssl pkcs12 -export -out edu1t1_sign.pfx -inkey edu1t1_sign.key -in edu1t1_sign.crt [Enter]
Enter Export Password:(enter the export password)
Verifying - Enter Export Password:(confirm the password)
The password entered here is the one used to open the PFX certificate; 000000 is recommended (UnionPay's test certificate uses 000000 by default, which keeps configuration changes on the merchant side to a minimum).
Obtain the public key in CER format
openssl x509 -inform pem -in edu1t1_sign.crt -outform der -out edu1t1_validate.cer [Enter]
At this point the UnionPay Online Payment 5.0.0 signing certificate (edu1t1_sign.pfx) and verification certificate (edu1t1_validate.cer) have been generated (download the generated certificates).
Building the UnionPay Online Payment simulator with Spring Boot
The project setup steps are not described in detail here; two forms of the project are provided for download:
Project download 1: the packaged project, runnable on Red Hat Linux, with operating and run instructions (the contents of the readme file); it can be downloaded directly and used by project teams as the simulator when developing UnionPay Online Payment.
Project download 2: the complete source code (Maven project), for learning and technical exchange only.