1 Introduction
HTTP is not secure; it has to be wrapped in SSL/TLS to become HTTPS. This article uses examples to show how to integrate HTTPS into Springboot.
2. Fundamentals of cryptography
If you want to talk about HTTPS, you have to talk about security, and security inevitably involves some cryptography.
2.1 Cryptosystem
To establish a cryptosystem, five spaces are needed:
- Plaintext M: the information before encryption or after decryption.
- Ciphertext C: the information after encryption.
- Key K: consists of the encryption key and the decryption key.
- Encryption E: the transformation from plaintext to ciphertext.
- Decryption D: the transformation from ciphertext to plaintext.
As shown in the figure:
2.2 Two Encryption modes
2.2.1 Symmetric Encryption
Symmetric encryption, or single-key encryption, is encryption in which the encryption key and the decryption key are the same (or one can easily be computed from the other).
Main advantages of symmetric encryption: fast encryption and decryption, high efficiency.
Limitations: complicated key distribution, difficult key management, poor openness of the secure communication system, and no support for digital signatures.
Representative algorithms: DES, AES.
Here's a quick example:
If the plaintext is 48 and the encryption function is f(x)=8x+71, the ciphertext is C=8*48+71=455. The decryption function is f^-1(x)=(x-71)/8, so the plaintext is M=(455-71)/8=48.
2.2.2 Asymmetric Encryption
Asymmetric encryption means that encryption and decryption use different keys, and the decryption key cannot be deduced from the encryption key.
Main advantages: simple key distribution, easy management, an open system, and support for digital signatures.
Limitations: low efficiency of encryption and decryption operations.
Representative algorithms: RSA, ECC.
Here's a longer example:
The steps are as follows:
Step | Description | Formula | Note |
---|---|---|---|
1 | Choose two prime numbers | P, Q | |
2 | Compute the public modulus | N = P * Q | |
3 | Compute the Euler function | φ(N) = (P - 1)(Q - 1) | |
4 | Choose the public key E | 1 < E < φ(N) | E must be an integer, and E and φ(N) must be coprime |
5 | Compute the private key D | E * D % φ(N) = 1 | |
6 | Encryption | C = M^E mod N | C: ciphertext, M: plaintext |
7 | Decryption | M = C^D mod N | C: ciphertext, M: plaintext |
Public key = (E, N), private key = (D, N). Externally, only public key is exposed.
With concrete numbers:
1. Pick any two primes, e.g. P=5 and Q=11.
2. Compute the public modulus N = P * Q = 5 * 11 = 55.
3. Compute the Euler function φ(N) = (P - 1)(Q - 1) = 4 * 10 = 40.
4. Choose the public key E with 1 < E < φ(N); we set E=13.
5. Compute the private key D from (13 * D) % 40 = 1, which gives D=37.
6. Encryption: assuming the plaintext to transmit is 8, encrypt it with the public key (E,N)=(13,55): C = M^E mod N = 8^13 % 55 = 28.
7. Decryption: decrypt with the private key (D,N)=(37,55): M = C^D mod N = 28^37 % 55 = 8.
In addition, we can encrypt with the private key and decrypt with the public key. For example, with plaintext 2, encrypting with the private key (37,55) gives C = 2^37 % 55 = 7, and decrypting with the public key (13,55) gives M = 7^13 % 55 = 2.
So the whole asymmetric encryption process has been demonstrated. Hopefully you understand it, especially asymmetric encryption, because HTTPS relies on it. The algorithms used in practice are more complex and the key lengths are much larger.
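The RSA steps above carried through in code, as an added example that is not part of the original article: key generation from P, Q and E (with D found by the extended Euclidean algorithm rather than by guessing), and the single modular-exponentiation operation that serves as both encryption and decryption. Function names are my own; the numbers are the page's.

```python
from math import gcd


def euler_phi(p, q):
    """phi(N) for N = p*q with p and q prime (step 3)."""
    return (p - 1) * (q - 1)


def mod_inverse(e, phi):
    """Return D with E*D % phi(N) == 1 (step 5), via the extended Euclidean
    algorithm; raises if no inverse exists, i.e. E and phi(N) are not coprime."""
    old_r, r = e, phi      # remainders
    old_s, s = 1, 0        # coefficients of e in old_r and r
    while r:
        quot = old_r // r
        old_r, r = r, old_r - quot * r
        old_s, s = s, old_s - quot * s
    if old_r != 1:
        raise ValueError("E and phi(N) are not coprime; no private key exists")
    return old_s % phi


def rsa_keygen(p, q, e):
    """Steps 1-5 of the page: returns (public_key, private_key) as (E, N), (D, N)."""
    n = p * q
    phi = euler_phi(p, q)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("E must satisfy 1 < E < phi(N) and gcd(E, phi(N)) == 1")
    return (e, n), (mod_inverse(e, phi), n)


def rsa_apply(m, key):
    """C = M^E mod N (step 6) or M = C^D mod N (step 7): the same operation with
    either half of the key pair, which is why private-key encryption also works."""
    exp, n = key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, N)")
    return pow(m, exp, n)


if __name__ == "__main__":
    pub, priv = rsa_keygen(5, 11, 13)          # page values: N=55, phi=40, D=37
    print("public", pub, "private", priv)
    c = rsa_apply(8, pub)                       # 8^13 % 55 -> 28
    print("encrypt 8 ->", c, "decrypt ->", rsa_apply(c, priv))
    s = rsa_apply(2, priv)                      # 2^37 % 55 -> 7
    print("private-key encrypt 2 ->", s, "public-key decrypt ->", rsa_apply(s, pub))
```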
2.3 The certificate
To use SSL, you need a certificate containing the public key used in asymmetric encryption.
There are two ways to obtain a certificate:
- Obtain it from a Certificate Authority (CA), i.e. a certificate that clients recognize. Some are free and some are paid; paid ones are generally more stable and more secure.
- Self-signed: generate your own certificate, generally used for testing; browsers do not recognize it.
For convenience, a self-signed certificate is used in this example; the integration process is the same for both kinds of certificate.
3 Springboot integrates HTTPS
3.1 Let the Web run first
As a Web application, let's first make it run and then integrate HTTPS.
(1) Introduce the Web dependency:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
(2) Configure the port:
server.port=80
(3) Implement the Controller:
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class HelloController {
    @GetMapping("/hello")
    public String hello() {
        return "Welcome to www.pkslow.com";
    }
}
Once you’re done, start the application.
Visit http://localhost/hello to get the following result, which shows that the whole Web application is up and running.
3.2 Generating the key file (JKS)
Generate the key file with the following command:
keytool -genkey -alias localhost -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -keystore localhost.jks -dname CN=localhost,OU=Test,O=pkslow,L=Guangzhou,C=CN -validity 731 -storepass changeit -keypass changeit
The meanings of the important command-line parameters:
- alias: the key alias; any value works as long as it does not conflict with another entry.
- keyalg: the key algorithm.
- keysize: the key length; 2048 bits is currently considered infeasible to break.
- keystore: the name of the keystore file.
- dname: very important, especially CN, which must be the correct domain name.
- validity: the validity period of the certificate.
After executing the above command, the localhost.jks file is generated. You can place it in your classpath or anywhere else, as long as the path in the configuration file is correct.
3.3 Reconfiguration and Restart
Reconfigure the application.properties file as required:
server.port=443
server.ssl.enabled=true
server.ssl.key-store-type=jks
server.ssl.key-store=classpath:localhost.jks
server.ssl.key-store-password=changeit
server.ssl.key-alias=localhost
After the restart, access the page again:
There is a red warning because this is a self-signed certificate, which Chrome does not trust, so verification fails. Earlier Chrome versions showed a warning but still allowed access; newer versions block it entirely.
To access it, use Postman instead:
3.4 Using PKCS12 format
If you want to use PKCS12 instead of JKS, the command and configuration are as follows:
Key generation:
keytool -genkey -alias localhost -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -storetype PKCS12 -keystore localhost.p12 -dname CN=localhost,OU=Test,O=pkslow,L=Guangzhou,C=CN -validity 731 -storepass changeit -keypass changeit
The configuration file is as follows:
server.port=443
server.ssl.enabled=true
server.ssl.key-store-type=PKCS12
server.ssl.key-store=classpath:localhost.p12
server.ssl.key-store-password=changeit
server.ssl.key-alias=localhost
4 Conclusion
This article briefly covered some basics of cryptography and how to integrate HTTPS with Springboot. The full code for this article can be obtained from the official account.
In fact, SSL is very complicated and there is a lot to it. Future articles will cover key tools, redirection, Reactive integration, two-way authentication, and more.
Visit Pumpkin Talk at www.pkslow.com for more articles!
You are welcome to follow the WeChat public account "Pumpkin Slow Talk", which will keep being updated for you.