It turns out that integrating HTTPS into Spring Boot is this simple!

1. Introduction

HTTP is not secure; we need to layer SSL on top of it to turn it into HTTPS. This article shows, with examples, how to integrate HTTPS into Spring Boot.

2. Fundamentals of Cryptography

To talk about HTTPS, we naturally have to talk about security, and when it comes to security, some knowledge of cryptography is inevitably involved.

2.1 Cryptography

A cryptosystem is made up of five spaces, namely:

  1. Plaintext M: the information before encryption or after decryption;
  2. Ciphertext C: the information after the plaintext has been encrypted;
  3. Key K: consists of an encryption key and a decryption key;
  4. Encryption E: the transformation from plaintext to ciphertext;
  5. Decryption D: the transformation from ciphertext to plaintext.

2.2 Two encryption methods

(1) Symmetric encryption

  • Symmetric encryption, or single-key encryption, refers to an encryption method in which the encryption key and the decryption key are the same (or it is easy to calculate one from the other).
  • The main advantages of symmetric encryption are: encryption and decryption operations are fast and efficient;
  • Limitations: complex key distribution, difficult key management, poor openness of confidential communication systems, and digital signatures are difficult to implement;
  • Representative algorithms: DES algorithm, AES algorithm;

A small example: the plaintext is 48 and the encryption algorithm is f(x)=8x+71, so the ciphertext is C=8*48+71=455. The decryption algorithm is then f(x)=(x-71)/8, so the decrypted plaintext is M=(455-71)/8=48.

(2) Asymmetric encryption

  • Asymmetric encryption refers to an encryption method in which different keys are used for encryption and decryption, and the decryption key cannot be derived from the encryption key.
  • Main advantages: simple key distribution, easy management, good system openness, and digital signatures can be realized;
  • Limitations: low efficiency of encryption and decryption operations;
  • Representative algorithms: RSA algorithm, ECC algorithm;

Now a bigger example.

The steps are as follows:

| Step | Description | Formula | Note |
|------|-------------|---------|------|
| 1 | Find two prime numbers | P and Q | |
| 2 | Calculate the common modulus | N = P * Q | |
| 3 | Calculate the Euler function | φ(N) = (P-1)(Q-1) | |
| 4 | Calculate the public key E | 1 < E < φ(N) | E must be an integer; E and φ(N) must be relatively prime |
| 5 | Calculate the private key D | (E * D) % φ(N) = 1 | |
| 6 | Encrypt | C = M^E mod N | C: ciphertext, M: plaintext |
| 7 | Decrypt | M = C^D mod N | C: ciphertext, M: plaintext |

Here the public key is (E, N) and the private key is (D, N). Externally, we only expose the public key.

1. Find two prime numbers. We pick two primes at random: P=5 and Q=11.

2. Calculate the common modulus: N=P*Q=5*11=55.

3. Calculate the Euler function: φ(N)=(P-1)(Q-1)=4*10=40.

4. Calculate the public key E: 1 < E < φ(N), and we take E=13.

5. Calculate the private key D: (13*D)%40=1, so we take D=37.

6. Encryption: assuming the plaintext to be transmitted is 8, encrypt it with the public key (E,N)=(13,55) using the formula C=M^E mod N=8^13%55=28.

7. Decryption: decrypt with the private key (D,N)=(37,55) using the formula M=C^D mod N=28^37%55=8.

In addition, we can encrypt with the private key and decrypt with the public key. If the plaintext is 2, encrypting with the private key (37,55) gives the ciphertext C=(2^37)%55=7, and decrypting with the public key (13,55) gives M=(7^13)%55=2.

That completes the demonstration of the entire asymmetric encryption process. I hope everyone can follow it, especially the asymmetric part, because HTTPS uses asymmetric encryption. The actual algorithms used are more complicated, and the key lengths are larger.
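The seven steps above carried out in Java, as an added example that is not code from the original article; the class and method names are hypothetical. It uses the article's values P=5, Q=11, E=13, derives D instead of guessing it, and also covers two cases the walkthrough skips: an E that shares a factor with φ(N), and a message that is not smaller than N.

```java
import java.math.BigInteger;

public class ToyRsa {   // hypothetical class name; toy key sizes, for illustration only
    static final BigInteger ONE = BigInteger.ONE;

    // Steps 3-5: compute phi(N), validate E, derive D with (E * D) % phi(N) = 1.
    static BigInteger privateExponent(BigInteger p, BigInteger q, BigInteger e) {
        BigInteger phi = p.subtract(ONE).multiply(q.subtract(ONE));
        boolean inRange = e.compareTo(ONE) > 0 && e.compareTo(phi) < 0;
        if (!inRange || !e.gcd(phi).equals(ONE)) {
            throw new IllegalArgumentException("need 1 < E < phi(N) and gcd(E, phi(N)) = 1");
        }
        return e.modInverse(phi);
    }

    // Steps 6-7: X^K mod N. Encryption and decryption differ only in the exponent.
    static BigInteger transform(BigInteger x, BigInteger k, BigInteger n) {
        if (x.signum() < 0 || x.compareTo(n) >= 0) {
            throw new IllegalArgumentException("value must satisfy 0 <= M < N");
        }
        return x.modPow(k, n);
    }

    public static void main(String[] args) {
        BigInteger p = BigInteger.valueOf(5), q = BigInteger.valueOf(11);
        BigInteger n = p.multiply(q), e = BigInteger.valueOf(13);
        BigInteger d = privateExponent(p, q, e);
        System.out.println("public key (E,N) = (" + e + "," + n + "), private key (D,N) = (" + d + "," + n + ")");

        BigInteger c = transform(BigInteger.valueOf(8), e, n);   // encrypt with the public key
        System.out.println("M=8 -> C=" + c + " -> M=" + transform(c, d, n));

        BigInteger s = transform(BigInteger.valueOf(2), d, n);   // private-key operation first
        System.out.println("M=2 -> C=" + s + " -> M=" + transform(s, e, n));

        try {   // E=10 shares the factor 10 with phi(N)=40, so no D exists
            privateExponent(p, q, BigInteger.valueOf(10));
        } catch (IllegalArgumentException ex) {
            System.out.println("E=10 rejected: " + ex.getMessage());
        }
        try {   // 60 >= N=55: it would be reduced mod N and could not be recovered
            transform(BigInteger.valueOf(60), e, n);
        } catch (IllegalArgumentException ex) {
            System.out.println("M=60 rejected: " + ex.getMessage());
        }
    }
}
```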

2.3 Certificate

To use SSL, a certificate is required. The certificate file contains the public key that is used in asymmetric encryption.

There are two ways to obtain a certificate:

  • Obtain it from a CA (Certificate Authority). Clients recognize such a certificate, so it is trusted. There are free and paid options; the paid ones are relatively more stable and secure.
  • Use a self-signed certificate, that is, one you make yourself. It is generally used for testing, and browsers do not recognize it.

For convenience, a self-signed certificate is used in this example; the integration process is the same for both kinds of certificate.

3. Integrating HTTPS into Spring Boot

3.1 Get the web application running first

We first get the web application running, and then integrate HTTPS.

(1) Add the web dependency:

<dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-web</artifactId>
</dependency>

(2) Configure the port:

server.port=80

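(3) Implement the Controller:

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class HelloController {

    // Handles GET /hello and returns a plain-text greeting
    @GetMapping("/hello")
    public String hello() {
        return "Welcome to www.pkslow.com";
    }
}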

After completing the above work, start the application.

Visit http://localhost/hello and check that the greeting is returned, which indicates that the web application is running.

3.2 Generate the JKS key file

Generate the key file from the command line as follows:

keytool -genkey -alias localhost -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -keystore localhost.jks -dname CN=localhost,OU=Test,O=pkslow,L=Guangzhou,C=CN -validity 731 -storepass changeit -keypass changeit

The meaning of the important command-line parameters:

  1. alias: the key alias; you can choose any name, as long as it does not conflict with an existing one;
  2. keyalg: the key algorithm;
  3. keysize: the key length; a 2048-bit key is basically impossible to crack;
  4. keystore: the file name of the keystore;
  5. dname: this is very important, especially the correct domain name after CN=;
  6. validity: the validity period of the cert;

After executing the above command, the localhost.jks file is generated. The file can be placed on the classpath; it can also be placed elsewhere, as long as the configuration file points to the correct location.

3.3 Reconfigure and restart

Update the application.properties file to match your environment:

server.port=443

server.ssl.enabled=true
server.ssl.key-store-type=jks
server.ssl.key-store=classpath:localhost.jks
server.ssl.key-store-password=changeit
server.ssl.key-alias=localhost

After restarting and opening the page in Chrome, a red warning is shown, because this is a self-signed cert that Chrome does not recognize, so the verification fails. Earlier versions of Chrome only showed a warning and the page was still accessible, but the new version no longer allows access.

It can be accessed through Postman.

3.4 Use PKCS12 format

If you want to use PKCS12 instead of JKS, use the following command and configuration:

Generate key:

keytool -genkey -alias localhost -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -storetype PKCS12 -keystore localhost.p12 -dname CN=localhost,OU=Test,O=pkslow,L=Guangzhou,C=CN -validity 731 -storepass changeit -keypass changeit

The configuration file is as follows:

server.port=443

server.ssl.enabled=true
server.ssl.key-store-type=PKCS12
server.ssl.key-store=classpath:localhost.p12
server.ssl.key-store-password=changeit
server.ssl.key-alias=localhost
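
A check to run against the keystore before pointing Spring Boot at it, as an added example that is not part of the original article: it loads the generated file and reports the certificate fields the keytool parameters control (subject, expiry, signature algorithm, key size), plus whether a subjectAltName extension is present, since current browsers match the host name against that extension rather than CN. The class name and the KEYSTORE_PASSWORD environment variable are assumptions; the defaults match the PKCS12 command above.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;

public class KeystoreCheck {   // hypothetical class name
    public static void main(String[] args) throws Exception {
        // Defaults match the keytool command in section 3.4; override on the command line.
        String path  = args.length > 0 ? args[0] : "localhost.p12";
        String type  = args.length > 1 ? args[1] : "PKCS12";
        String alias = args.length > 2 ? args[2] : "localhost";
        // KEYSTORE_PASSWORD is an assumed variable name; falls back to the article's test password.
        String pw = System.getenv("KEYSTORE_PASSWORD");
        char[] password = (pw != null ? pw : "changeit").toCharArray();

        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);   // throws if the password or the store type is wrong
        }
        if (!ks.isKeyEntry(alias)) {
            throw new IllegalStateException("alias '" + alias + "' has no private key entry");
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);

        System.out.println("Subject:     " + cert.getSubjectX500Principal().getName());
        System.out.println("Not after:   " + cert.getNotAfter());
        System.out.println("Sig alg:     " + cert.getSigAlgName());
        if (cert.getPublicKey() instanceof RSAPublicKey) {
            RSAPublicKey rsa = (RSAPublicKey) cert.getPublicKey();
            System.out.println("RSA bits:    " + rsa.getModulus().bitLength());
        }

        cert.checkValidity();   // throws if the cert is expired or not yet valid

        boolean selfSigned = cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal());
        if (selfSigned) {
            cert.verify(cert.getPublicKey());   // throws if the self-signature does not verify
        }
        System.out.println("Self-signed: " + selfSigned);

        // null means the certificate carries no subjectAltName extension
        System.out.println("SAN:         " + cert.getSubjectAlternativeNames());
    }
}
```

For the JKS file from section 3.2, run it as `java KeystoreCheck.java localhost.jks JKS localhost`.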

Conclusion:

Finally, I wish you all the best in your work!

Origin blog.csdn.net/m0_45270667/article/details/109183584