2025-02-28 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
This article explains how Springboot integrates https. It is fairly detailed and has some reference value; interested readers should read it to the end.
1 introduction
HTTP is not safe. We need to attach SSL to it and make it HTTPS.
2 basis of cryptography
To talk about https you have to talk about security, and to talk about security you need some knowledge of cryptography.
2.1 cryptosystem
A cryptosystem is made up of five spaces, which are:
Plaintext M: the information before encryption or after decryption
Ciphertext C: the message after the plaintext has been encrypted
Key K: consists of encryption key and decryption key
Encryption E: the transformation from plaintext to ciphertext
Decryption D: the transformation from ciphertext to plaintext.
As shown in the figure:
2.2 two encryption methods
2.2.1 symmetric encryption
Symmetric encryption, or single-key encryption, is encryption in which the encryption key is the same as the decryption key (or one can easily be calculated from the other).
The main advantages of symmetric encryption are: fast operation speed and high efficiency of encryption and decryption.
Limitations: complex key distribution, difficult key management, poor openness of the secure communication system, difficulty with digital signatures
Representative algorithms: DES algorithm, AES algorithm
Let me take a small example:
The plaintext is 48 and the encryption algorithm is f(x) = 8x + 71
Then the ciphertext C = 8 * 48 + 71 = 455
Then the decryption algorithm is f(x) = (x - 71) / 8
Then the decrypted plaintext M = (455 - 71) / 8 = 48
2.2.2 asymmetric encryption
Asymmetric encryption means that encryption and decryption use different keys, and the decryption key cannot be deduced from the encryption key.
Main advantages: simple key distribution, easy management, good openness of the system, and digital signature can be realized.
Limitation: low efficiency of encryption and decryption
Representative algorithms: RSA algorithm, ECC algorithm
Take a big example:
The steps are as follows:
| Step | Description | Formula | Note |
|------|-------------|---------|------|
| 1 | find two prime numbers | P, Q | |
| 2 | calculate public modulus | N = P * Q | |
| 3 | calculate Euler function | φ(N) = (P-1)(Q-1) | |
| 4 | calculate public key E | 1 < E < φ(N) | E must be an integer; E and φ(N) must be coprime |
| 5 | calculate private key D | E * D % φ(N) = 1 | |
| 6 | encryption | C = M ^ E mod N | C: ciphertext, M: plaintext |
| 7 | decryption | M = C ^ D mod N | C: ciphertext, M: plaintext |

Here the public key = (E, N) and the private key = (D, N); externally, we only expose the public key.
1. Find two prime numbers
Pick two prime numbers at random; we choose P = 5 and Q = 11.
2. Calculate the common modulus
Common modulus N = P * Q = 5 * 11 = 55
3. Calculate Euler function
φ(N) = (P-1)(Q-1) = 4 × 10 = 40
4. Calculate the public key E
1 < E < φ(N), we take E = 13.
5. Calculate the private key D
(13 * D) % 40 = 1, then take D = 37.
6. Encrypt
Assume that the plaintext to be transmitted is 8, and encrypt it with the public key (E, N) = (13, 55).
Through the formula C = M ^ E mod N = 8 ^ 13 % 55 = 28
7. Decryption
Decrypt using the private key (D, N) = (37, 55)
Decrypt M = C ^ D mod N = 28 ^ 37 % 55 = 8
In addition, we can encrypt with the private key and decrypt with the public key.
If the plaintext is 2, encrypting with the private key (37, 55) gives the ciphertext C = (2 ^ 37) % 55 = 7.
Decrypting with the public key (13, 55) gives M = (7 ^ 13) % 55 = 2.
That completes the demonstration of the whole asymmetric encryption process. I hope it is clear, especially because HTTPS uses asymmetric encryption. The algorithms actually used are more complex, and the key length is larger.
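The seven steps above, written out with java.math.BigInteger as an added example (not code from the original article). The class name ToyRsa and its methods are made up for illustration; it goes slightly beyond the text by deriving D with modInverse and by rejecting an E that is not coprime with φ(N) or a message that is not smaller than N.

```java
import java.math.BigInteger;

// Added example: the article's toy parameters (P=5, Q=11, E=13).
// Real keys, like the 2048-bit one generated later with keytool, are far larger.
public class ToyRsa {
    final BigInteger n, e, d;

    ToyRsa(long p, long q, long e) {
        BigInteger bp = BigInteger.valueOf(p), bq = BigInteger.valueOf(q);
        if (!bp.isProbablePrime(30) || !bq.isProbablePrime(30))
            throw new IllegalArgumentException("P and Q must be prime");   // step 1
        this.n = bp.multiply(bq);                                          // step 2: N = P*Q
        BigInteger phi = bp.subtract(BigInteger.ONE)
                           .multiply(bq.subtract(BigInteger.ONE));         // step 3: phi(N)
        this.e = BigInteger.valueOf(e);                                    // step 4
        if (this.e.compareTo(BigInteger.ONE) <= 0 || this.e.compareTo(phi) >= 0
                || !this.e.gcd(phi).equals(BigInteger.ONE))
            throw new IllegalArgumentException("need 1 < E < phi(N) and gcd(E, phi(N)) = 1");
        this.d = this.e.modInverse(phi);                                   // step 5: E*D % phi(N) = 1
    }

    // Steps 6 and 7 are the same modular exponentiation with a different exponent.
    BigInteger apply(long m, BigInteger exponent) {
        BigInteger bm = BigInteger.valueOf(m);
        if (bm.signum() < 0 || bm.compareTo(n) >= 0)
            throw new IllegalArgumentException("message must be in [0, N)");
        return bm.modPow(exponent, n);
    }

    public static void main(String[] args) {
        ToyRsa rsa = new ToyRsa(5, 11, 13);
        System.out.println("N=" + rsa.n + " D=" + rsa.d);

        BigInteger c = rsa.apply(8, rsa.e);            // encrypt with the public key
        System.out.println("C=" + c + " M=" + rsa.apply(c.longValue(), rsa.d));

        BigInteger s = rsa.apply(2, rsa.d);            // private-key operation on plaintext 2
        System.out.println("S=" + s + " M=" + rsa.apply(s.longValue(), rsa.e));

        try {
            new ToyRsa(5, 11, 10);                     // gcd(10, 40) != 1, so no D exists
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected E=10: " + ex.getMessage());
        }
    }
}
```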
2.3 Certificate
To use SSL, you need a certificate. The certificate contains the public key that is used in asymmetric encryption.
There are two ways to obtain a certificate:
Obtain it from a CA (Certificate Authority). Such a certificate is recognized by clients and is trusted. There are free and paid ones; the paid ones are relatively stable and relatively safe.
Use a self-signed (self-made) certificate. These are generally used for testing, and browsers do not recognize them.
For convenience, a self-signed certificate is used in this example; the integration process is the same for both kinds of certificate.
3 Springboot integrates HTTPS
3.1 let the Web run first
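As a Web application, let's get it running first, and then integrate https.
(1) introduce the Web dependency:

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>

(2) configure the port:

    server.port=80

(3) implement the Controller:

    import org.springframework.web.bind.annotation.GetMapping;
    import org.springframework.web.bind.annotation.RestController;

    @RestController
    public class HelloController {
        // Plain HTTP endpoint used to confirm the application works before adding https
        @GetMapping("/hello")
        public String hello() {
            return "Welcome to www.pkslow.com";
        }
    }

After completing the above work, start the application.
Visit http://localhost/hello; you get the following result, which shows that the Web application is working.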
3.2 generate key file jks
Generate the key file from the command line as follows (the number after -validity is missing from this copy of the article, so <days> is a placeholder):

    keytool -genkey -alias localhost -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -keystore localhost.jks -dname CN=localhost,OU=Test,O=pkslow,L=Guangzhou,C=CN -validity <days> -storepass changeit -keypass changeit

The meaning of the important parameters on the command line:
alias: the key alias; any name can be used as long as it does not conflict.
keyalg: the encryption algorithm
keysize: the key length; 2048 is basically impossible to crack.
keystore: the file name of the keystore
dname: this is very important; in particular, CN= must be set to the correct domain name.
validity: the validity period of the cert
After executing the above command, the localhost.jks file is generated. It can be placed on the classpath or in another location, as long as the configuration file points to it correctly.
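One way to check the generated keystore before configuring Spring Boot with it, as an added example that is not part of the original article. The class name KeystoreCheck and its argument order are assumptions; it needs Java 11 or later and also reads the PKCS12 file from section 3.4, because KeyStore.getInstance(File, char[]) detects the store type.

```java
import java.io.File;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.Date;

// Added example. Assumed usage: java KeystoreCheck.java localhost.jks changeit localhost
public class KeystoreCheck {
    public static void main(String[] args) throws Exception {
        File file = new File(args[0]);
        char[] password = args[1].toCharArray();
        String alias = args[2];

        // Detects JKS or PKCS12 from the file contents and verifies the store password.
        KeyStore ks = KeyStore.getInstance(file, password);
        System.out.println("store type : " + ks.getType());

        // The alias given to keytool must hold a private key, not just a certificate.
        if (!ks.isKeyEntry(alias)) {
            throw new IllegalStateException("alias '" + alias + "' has no private key entry");
        }
        // Throws UnrecoverableKeyException if -keypass differs from the password given here.
        ks.getKey(alias, password);

        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        System.out.println("subject    : " + cert.getSubjectX500Principal().getName());
        System.out.println("self-signed: "
                + cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal()));
        System.out.println("signature  : " + cert.getSigAlgName());
        System.out.println("expires    : " + cert.getNotAfter());
        cert.checkValidity(new Date());   // throws if expired or not yet valid

        if (cert.getPublicKey() instanceof RSAPublicKey) {
            int bits = ((RSAPublicKey) cert.getPublicKey()).getModulus().bitLength();
            System.out.println("RSA bits   : " + bits);
            if (bits < 2048) {
                throw new IllegalStateException("RSA key shorter than 2048 bits");
            }
        }
    }
}
```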
3.3 reconfigure and restart
Reconfigure the application.properties file as follows:

    server.port=443
    server.ssl.enabled=true
    server.ssl.key-store-type=jks
    server.ssl.key-store=classpath:localhost.jks
    server.ssl.key-store-password=changeit
    server.ssl.key-alias=localhost

The access after restart is as follows:
A red warning appears, because this is a self-signed cert that Chrome does not recognize, so verification fails. Earlier versions of Chrome only showed a warning and the page was still accessible, but with the new version it is no longer accessible.
You can access it through Postman:
3.4 use PKCS12 format
If you want to replace JKS with PKCS12, you can refer to the following commands and configurations:
Generate the key (the number after -validity is missing from this copy of the article, so <days> is a placeholder):

    keytool -genkey -alias localhost -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -storetype PKCS12 -keystore localhost.p12 -dname CN=localhost,OU=Test,O=pkslow,L=Guangzhou,C=CN -validity <days> -storepass changeit -keypass changeit

The configuration file is as follows:

    server.port=443
    server.ssl.enabled=true
    server.ssl.key-store-type=PKCS12
    server.ssl.key-store=classpath:localhost.p12
    server.ssl.key-store-password=changeit
    server.ssl.key-alias=localhost

The above is all the content of this article, "how Springboot integrates https". Thank you for reading! I hope it helps.