Shulou (Shulou.com), updated 2025-02-24
This article introduces "how Springboot integrates https". Many people run into this problem in real projects, so let the editor walk you through how to handle it. I hope you read it carefully and get something out of it!
1 Introduction
HTTP is not secure. We need to add SSL to it to make it HTTPS. This article shows how to integrate HTTPS into Springboot with an example.
2 Basics of cryptography
To talk about HTTPS you have to talk about security, and to talk about security you have to cover some cryptography.
2.1 Cryptosystem
A cryptosystem is made up of five spaces:
Plaintext M: the information before encryption or after decryption
Ciphertext C: the message after the plaintext has been encrypted
Key K: consists of encryption key and decryption key
Encryption E: the transformation from plaintext to ciphertext
Decryption D: the transformation from ciphertext to plaintext.
As shown in the figure:
2.2 Two encryption methods
2.2.1 Symmetric encryption
Symmetric encryption, or single-key encryption, is encryption in which the encryption key is the same as the decryption key (or one can easily be calculated from the other).
The main advantages of symmetric encryption are: fast operation speed and high efficiency of encryption and decryption.
Limitations: complex key distribution, difficult key management, poor openness of the secure communication system, and digital signatures are hard to realize.
Representative algorithms: DES algorithm, AES algorithm
Let me take a small example:
If the plaintext is 48 and the encryption algorithm is f(x) = 8x + 71, the ciphertext is C = 8 * 48 + 71 = 455. The decryption algorithm is f(x) = (x - 71) / 8, and the decrypted plaintext is M = (455 - 71) / 8 = 48.
2.2.2 Asymmetric encryption
Asymmetric encryption means that encryption and decryption use different keys, and the decryption key cannot be deduced from the encryption key.
Main advantages: simple key distribution, easy management, good openness of the system, and digital signature can be realized.
Limitation: low efficiency of encryption and decryption
Representative algorithms: RSA algorithm, ECC algorithm
Take a big example:
The steps are as follows:
| Step | Description | Formula | Note |
| 1 | Find two prime numbers | P and Q | |
| 2 | Calculate the common modulus | N = P * Q | |
| 3 | Calculate the Euler function | φ(N) = (P-1)(Q-1) | |
| 4 | Calculate the public key E | 1 < E < φ(N) | E must be an integer; E and φ(N) must be coprime |
| 5 | Calculate the private key D | E * D % φ(N) = 1 | |
| 6 | Encryption | C = M ^ E mod N | C: ciphertext, M: plaintext |
| 7 | Decryption | M = C ^ D mod N | C: ciphertext, M: plaintext |
The public key is (E, N) and the private key is (D, N). Externally, we only expose the public key.
1. Find two prime numbers. Pick two primes at random; let's take P = 5 and Q = 11.
2. Calculate the common modulus: N = P * Q = 5 * 11 = 55.
3. Calculate the Euler function: φ(N) = (P-1)(Q-1) = 4 × 10 = 40.
4. Calculate the public key E, with 1 < E < φ(N). We take E = 13.
5. Calculate the private key D from (13 * D) % 40 = 1. We take D = 37.
6. Encryption. Assume the plaintext to be transmitted is 8. Using the public key (E, N) = (13, 55): C = M ^ E mod N = 8 ^ 13 % 55 = 28.
7. Decryption. Using the private key (D, N) = (37, 55): M = C ^ D mod N = 28 ^ 37 % 55 = 8.
In addition, we can encrypt with the private key and decrypt with the public key. If the plaintext is 2, encrypting with the private key (37, 55) gives the ciphertext C = (2 ^ 37) % 55 = 7, and decrypting with the public key (13, 55) gives M = (7 ^ 13) % 55 = 2.
That completes the demonstration of the whole asymmetric encryption process. I hope it is clear, especially because HTTPS uses asymmetric encryption. The algorithms used in practice are more complex, and the key lengths are much larger.
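The numbers in the worked example can be checked with java.math.BigInteger. This is an added example, not code from the original article: the names ToyRsa, keyPair and recoverPrivateExponent are made up for illustration, it implements only the textbook steps from the table (no padding), and its last step goes beyond the text by factoring N to show why real keys need a far larger modulus.

```java
import java.math.BigInteger;

public class ToyRsa {
    // Steps 2-5 of the table: derive N and D from the primes and the public exponent E.
    static BigInteger[] keyPair(BigInteger p, BigInteger q, BigInteger e) {
        BigInteger n = p.multiply(q);
        BigInteger phi = p.subtract(BigInteger.ONE).multiply(q.subtract(BigInteger.ONE));
        if (e.compareTo(BigInteger.ONE) <= 0 || e.compareTo(phi) >= 0
                || !e.gcd(phi).equals(BigInteger.ONE)) {
            throw new IllegalArgumentException("need 1 < E < phi(N) and gcd(E, phi(N)) = 1");
        }
        BigInteger d = e.modInverse(phi);   // solves E * D % phi(N) = 1
        return new BigInteger[] { n, d };
    }

    // Rebuild D from the public key (E, N) alone by factoring N with trial division.
    // This only finishes quickly because N is tiny; it is the reason key length matters.
    static BigInteger recoverPrivateExponent(BigInteger n, BigInteger e) {
        for (BigInteger f = BigInteger.TWO; f.multiply(f).compareTo(n) <= 0;
                f = f.add(BigInteger.ONE)) {
            if (n.mod(f).signum() == 0) {
                return keyPair(f, n.divide(f), e)[1];
            }
        }
        throw new IllegalArgumentException("N is not a product of two primes");
    }

    public static void main(String[] args) {
        BigInteger e = BigInteger.valueOf(13);
        BigInteger[] k = keyPair(BigInteger.valueOf(5), BigInteger.valueOf(11), e);
        BigInteger n = k[0], d = k[1];
        System.out.println("N=" + n + " D=" + d);

        // Step 6 and 7: encrypt with the public key, decrypt with the private key.
        BigInteger c = BigInteger.valueOf(8).modPow(e, n);
        System.out.println("encrypt 8 -> " + c + ", decrypt -> " + c.modPow(d, n));

        // The reverse direction from the text: private key first, public key second.
        BigInteger s = BigInteger.valueOf(2).modPow(d, n);
        System.out.println("private-key op on 2 -> " + s + ", public-key op -> " + s.modPow(e, n));

        System.out.println("D recovered from (E, N) only: " + recoverPrivateExponent(n, e));
    }
}
```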
2.3 Certificate
To use SSL, you need a certificate. The certificate contains the public key used in asymmetric encryption.
There are two ways to obtain a certificate:
From a CA (Certificate Authority). Clients recognize these certificates, so they carry credibility. Some are free and some are paid; the paid ones are relatively stable and relatively safe.
Self-signed, that is, a certificate you make yourself. These are generally used for testing, and browsers do not recognize them.
For convenience, this example uses a self-signed certificate. The integration process is the same for both kinds of certificate.
3 Springboot integrates HTTPS
3.1 Let the Web application run first
As a Web application, let's get it running first, and then integrate https.
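(1) Introduce the Web dependency:

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>

(2) Configure the port:

    server.port=80

(3) Implement the Controller:

    import org.springframework.web.bind.annotation.GetMapping;
    import org.springframework.web.bind.annotation.RestController;

    @RestController
    public class HelloController {
        // Plain-text endpoint used to confirm the application is reachable
        @GetMapping("/hello")
        public String hello() {
            return "Welcome to www.pkslow.com";
        }
    }

After completing the above work, start the application.
Visit http://localhost/hello to get the following result, which shows that the Web application is working.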
3.2 Generate the key file (JKS)
Generate the key file from the command line as follows (the number of days after -validity is missing from this copy of the article, so <days> is a placeholder):

    keytool -genkey -alias localhost -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -keystore localhost.jks -dname "CN=localhost,OU=Test,O=pkslow,L=Guangzhou,C=CN" -validity <days> -storepass changeit -keypass changeit
The meaning of the important parameters on the command line:
alias: the key alias; any name can be used as long as it does not conflict with an existing one.
keyalg: the encryption algorithm
keysize: the key length; 2048 is basically impossible to crack.
keystore: the file name of the keystore
dname: this is very important, especially CN=, which must be written according to the correct domain name.
validity: the validity period of the cert
After executing the above command, the localhost.jks file will be generated, which can be placed under classpath or in another location, as long as the configuration file is specified correctly.
3.3 Reconfigure and restart
Reconfigure the application.properties file as appropriate:

    server.port=443
    server.ssl.enabled=true
    server.ssl.key-store-type=jks
    server.ssl.key-store=classpath:localhost.jks
    server.ssl.key-store-password=changeit
    server.ssl.key-alias=localhost
The access after restart is as follows:
A red warning appears because this is a self-signed cert that Chrome does not recognize, so verification fails. Earlier versions of Chrome only showed a warning and still allowed access, but newer versions no longer allow it.
You can access it through Postman:
3.4 Use the PKCS12 format
If you want to replace JKS with PKCS12, you can refer to the following command and configuration.
Generate the key (<days> is again a placeholder for the value missing after -validity):

    keytool -genkey -alias localhost -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -storetype PKCS12 -keystore localhost.p12 -dname "CN=localhost,OU=Test,O=pkslow,L=Guangzhou,C=CN" -validity <days> -storepass changeit -keypass changeit

The configuration file is as follows:

    server.port=443
    server.ssl.enabled=true
    server.ssl.key-store-type=PKCS12
    server.ssl.key-store=classpath:localhost.p12
    server.ssl.key-store-password=changeit
    server.ssl.key-alias=localhost

This is the end of "how to integrate https with Springboot". Thank you for reading.