前后端接口AES+RSA混合加解密

     為什么需要對(duì)前后端接口加解密？主要是甲方要求。

一、AES加密原理和為什么不使用AES加密

  AES是最常見的對(duì)稱加密算法，加密和解密用到的密鑰是相同的，這種加密方式加密速度非常快，適合經(jīng)常發(fā)送數(shù)據(jù)的場(chǎng)合，且加密長(zhǎng)文本比較方便。缺點(diǎn)是密鑰的傳輸比較麻煩，只能將一把公鑰分別在前后端代碼中各存放一份，還有一個(gè)遇到的問(wèn)題下面會(huì)講到，那就是美國(guó)對(duì)AES加密密鑰長(zhǎng)度的限制。優(yōu)點(diǎn)是加密效率高，缺點(diǎn)是安全性低。

二、RSA加密原理和為什么不使用rsa加密

RSA也就是非對(duì)稱加密算法，是使用不同密鑰進(jìn)行加密和解密的算法，也稱為公私鑰加密。公鑰和私鑰是同時(shí)生成的，公鑰用來(lái)加密，私鑰用來(lái)解密，加解密的密鑰是成對(duì)出現(xiàn)。但是不推薦用RSA加密請(qǐng)求報(bào)文，因?yàn)镽SA加密后的報(bào)文會(huì)很長(zhǎng)，經(jīng)常會(huì)出現(xiàn)超過(guò)請(qǐng)求體長(zhǎng)度限制。優(yōu)點(diǎn)是安全性高，缺點(diǎn)是RSA的加密效率低。

三、AES和RSA混合加密的原理

我們可以結(jié)合兩者的優(yōu)點(diǎn)，AES的加密效率高，那我們可以使用aes來(lái)加密報(bào)文，而RSA的靈活性和安全性來(lái)加密aes的密鑰?？偟乃悸肪褪抢肦SA來(lái)加密傳輸AES的密鑰，用 AES的密鑰來(lái)加密請(qǐng)求報(bào)文。

四、代碼樣例

前端

1. 請(qǐng)求增加加密標(biāo)識(shí)

  首先這個(gè)功能我們的出發(fā)點(diǎn)是可以靈活配置，所以我們?cè)谛枰用艿恼?qǐng)求頭添加一個(gè)加密標(biāo)識(shí)代碼如下：

import axios from '@common/plugins/Axios'saveStudent: data => {return axios.request({url: `/demo/saveStudent`,method: 'post',headers: {//需要加密的請(qǐng)求在頭部塞入標(biāo)識(shí)isEncrypt: 1},data})}

2. 前端加密工具類

import JSEncrypt from 'jsencrypt'
import CryptoJS from 'crypto-js'//
// 加密
export function rsaEncrypt(Str, afterPublicKey) {const encryptor = new JSEncrypt()encryptor.setPublicKey(afterPublicKey) // 設(shè)置公鑰return encryptor.encrypt(Str) // 對(duì)數(shù)據(jù)進(jìn)行加密
}// 解密
export function rsaDecrypt(Str, frontPrivateKey) {const encryptor = new JSEncrypt()encryptor.setPrivateKey(frontPrivateKey) // 設(shè)置私鑰return encryptor.decrypt(Str) // 對(duì)數(shù)據(jù)進(jìn)行解密
}export function aesEncrypt(aeskey, Str) {// 設(shè)置一個(gè)默認(rèn)值，如果第二個(gè)參數(shù)為空采用默認(rèn)值，不為空則采用新設(shè)置的密鑰var key = CryptoJS.enc.Utf8.parse(aeskey)var srcs = CryptoJS.enc.Utf8.parse(Str)var encrypted = CryptoJS.AES.encrypt(srcs, key, {// 切記   需要和后端算法模式一致mode: CryptoJS.mode.ECB,padding: CryptoJS.pad.Pkcs7})return encrypted.toString()
}export function aesDecrypt(aeskey, Str) {var key = CryptoJS.enc.Utf8.parse(aeskey)var decrypt = CryptoJS.AES.decrypt(Str, key, {// 切記   需要和后端算法模式一致mode: CryptoJS.mode.ECB,padding: CryptoJS.pad.Pkcs7})return CryptoJS.enc.Utf8.stringify(decrypt).toString()
}
/*** 獲取16位隨機(jī)碼AES* @returns {string}*/
export function get16RandomNum() {var chars = [       '0','1','2','3','4','5','6','7','8','9','A','B','C','D','E','F','G','H','I','J','K', 'L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z','a','b','c','d','e','f',
'g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z']var nums = ''//這個(gè)地方切記要選擇16位，因?yàn)槊绹?guó)對(duì)密鑰長(zhǎng)度有限制，選擇32位的話加解密會(huì)報(bào)錯(cuò)，需要根據(jù)jdk版本去修改相關(guān)jar包，有點(diǎn)惱火，選擇16位就不用處理。for (var i = 0; i < 16; i++) {var id = parseInt(Math.random() * 61)nums += chars[id]}return nums
}
//獲取rsa密鑰對(duì)
export function getRsaKeys() {return new Promise((resolve, reject) => {window.crypto.subtle.generateKey({name: 'RSA-OAEP',modulusLength: 2048, //can be 1024, 2048, or 4096publicExponent: new Uint8Array([0x01, 0x00, 0x01]),hash: { name: 'SHA-512' } //can be "SHA-1", "SHA-256", "SHA-384", or "SHA-512"},true, //whether the key is extractable (i.e. can be used in exportKey)['encrypt', 'decrypt'] //must be ["encrypt", "decrypt"] or ["wrapKey", "unwrapKey"]).then(function(key) {window.crypto.subtle.exportKey('pkcs8', key.privateKey).then(function(keydata1) {window.crypto.subtle.exportKey('spki', key.publicKey).then(function(keydata2) {var privateKey = RSA2text(keydata1, 1)var publicKey = RSA2text(keydata2)resolve({ privateKey, publicKey })}).catch(function(err) {reject(err)})}).catch(function(err) {reject(err)})}).catch(function(err) {reject(err)})})
}
function RSA2text(buffer, isPrivate = 0) {var binary = ''var bytes = new Uint8Array(buffer)var len = bytes.byteLengthfor (var i = 0; i < len; i++) {binary += String.fromCharCode(bytes[i])}var base64 = window.btoa(binary)let text = base64.replace(/[^\x00-\xff]/g, '$&\x01').replace(/.{64}\x01?/g, '$&\n')return text
}

3.前端axios請(qǐng)求統(tǒng)一封裝，和返回統(tǒng)一封裝

import Axios from 'axios'
import { getRsaKeys, rsaEncrypt, rsaDecrypt, aesDecrypt, aesEncrypt, get32RandomNum } from '@common/util'
/*** axios實(shí)例* @type {AxiosInstance}*/
const instance = Axios.create({headers: {x_requested_with: 'XMLHttpRequest'}
})
let frontPrivateKey
/*** axios請(qǐng)求過(guò)濾器*/
instance.interceptors.request.use(async config => {if (sessionStorage.getItem('X-Access-Token')) {// 判斷是否存在token，如果存在的話，則每個(gè)http header都加上tokenconfig.headers['X-Access-Token'] = sessionStorage.getItem('X-Access-Token')}if (config.headers['isEncrypt']) {config.headers['Content-Type'] = 'application/json;charset=utf-8'if (config.method === 'post' || config.method === 'put') {const { privateKey, publicKey } = await getRsaKeys()let afterPublicKey = sessionStorage.getItem('afterPublicKey')frontPrivateKey = privateKey//每次請(qǐng)求生成aeskeylet aesKey = get16RandomNum()//用登陸后后端生成并返回給前端的的RSA密鑰對(duì)的公鑰將AES16位密鑰進(jìn)行加密let aesKeyByRsa = rsaEncrypt(aesKey, afterPublicKey)//使用AES16位的密鑰將請(qǐng)求報(bào)文加密（使用的是加密前的aes密鑰）if (config.data) {let data = aesEncrypt(aesKey, JSON.stringify(config.data))config.data = {data: data,aeskey: aesKeyByRsa,frontPublicKey: publicKey}}if (config.params) {let data = aesEncrypt(aesKey, JSON.stringify(config.params))config.params = {params: data,aeskey: aesKeyByRsa,frontPublicKey: publicKey}}}}config.url ="你的后端接口請(qǐng)求地址" + config.urlreturn config},err => {return Promise.reject(err)}
)
/*** axios響應(yīng)過(guò)濾器*/
instance.interceptors.response.use(response => {//后端返回的通過(guò)rsa加密后的aes密鑰let aesKeyByRsa = response.data.aesKeyByRsaif (aesKeyByRsa) {//通過(guò)rsa的私鑰對(duì)后端返回的加密的aeskey進(jìn)行解密let aesKey = rsaDecrypt(aesKeyByRsa, frontPrivateKey)//使用解密后的aeskey對(duì)加密的返回報(bào)文進(jìn)行解密response.data.data = JSON.parse(JSON.parse(aesDecrypt(aesKey, response.data.data)))return response.data}else{ return response}      }},error => {if (error.response.status === 500) {const { data } = erro