Introduction to Spring Cloud Config-rsa and using RSA encryption configuration files

Brief introduction

RSA Asymmetric encryption has a very strong security, HTTPS SSL encryption is the use of this method of HTTPS requests encrypted transmission. Because the RSA algorithm involves private key and public key respectively for encryption and decryption, it is called asymmetric encryption. Private key and public key have interoperability, that is encrypted with private key can be decrypted with public key, with public key encryption can be decrypted with private key. The traditional one-way authentication is only encrypted with public key, and only one party with private key can decrypt it. For example, a Web server would have a pair of private key and public key. The browser client holds the public key of the server. When the client needs to send data to the server, it is encrypted with the server's public key, then the server receives the data and then decrypts it with private key. When the client verifies that the server is a real server, the server's authenticity is verified by comparing the public key provided by the server with its own locally saved public key.

In our config server, some high encryption requirements can be used to encrypt and decrypt the data using the RSA algorithm.

Project Source

Gitee Code Cloud

Generate Test KeyStore

We need to use the JDK's own keytool tool to generate a keystore, which holds the private key information, using the following command line:

keytool -genkeypair -alias config-server-key -keyalg RSA -dname "CN=Config Server,OU=Xuqian,O=My Own Company,L=Beijing,S=Beijing,C=CN" -keypass changeit -keystore server.jks -storepass changeit

The-genkeypair parameter produces a pair of public key and private key.
-ALIAS Specifies the alias of key, which is used to distinguish between different keys in the same keystore.
-KEYALG Specifies the algorithm that generates the key, which uses the default RSA
-DNAME specifies common name, or CN, to verify the identity of the key. Each of these items is a custom parameter, OU is the organization name, O is the organizational name, L is the city, S is the province/state, and C is the country
-keypass the password for key
-keystore is the KeyStore file name
-storepass Access to KeyStore password

The above tool saves the resulting PRIVTE key in the key store named Server.jks. So far, we have only generated the private key,spring Cloud Config Server based on the key information we provide, each time we will use the program to generate a public key, refer to the following source code org.springframework.security.rsa.crypto.KeyStoreKeyFactory :

 PublicKeyPairGetkeypair(String alias,Char[] password) {Try{synchronized(lock) {if(store = =NULL) {synchronized(lock) {get KeyStore instance objects based on the KeyStore file address and password provided by the configurationstore = KeyStore.getinstance("JKs"); Store.Load(Resource.getInputStream(), This.Password); }            }        }//Get private key from KeyStore based on the alias and password provided by the configurationRsaprivatecrtkey key = (Rsaprivatecrtkey) store.GetKey(alias, password);//define public Key generation ruleRsapublickeyspec spec =NewRsapublickeyspec (key.Getmodulus(), Key.getpublicexponent());//Generate public KeyPublicKey PublicKey = keyfactory.getinstance("RSA").Generatepublic(spec);return NewKeyPair (PublicKey, key); }Catch(Exception e) {Throw NewIllegalStateException ("Cannot load keys from store:"+ resource, E); }}

The Java Security API is used here to operate on the key. See note. The above information is then configserver provided through the bootstrap.xml configuration file in:

encrypt:  #key: Thisismysecretkey  key-store:    location: file://${user.home}/development/keys/server.jks    password: changeit    alias: config-server-key    secret: changeit

Because we cannot use both symmetric and asymmetric encryption, we encrypt.key comment out the configuration and then specify the parameters for the asymmetric encryption:

• File path for Location:keystore
• Password:keystore's password
• Aliases for Alias:key
• Secret:key's password

Test

We continue to encrypt encrypt a test data using the API:

curl http://localhost:8888/encrypt -d 23456789

Returns the encrypted character:

AQAPWOUOh4WVexGgVv+bgtKc5E0d5Aba8VUKnzEXh27HyKSAbW+wyzDwZTbk5QYfXpoCAs413rdeNIdR2ez44nkjT5V+438/VQExySzjZPhP0xYXi9YIaJqA3+Ji+IWK8hrGtJ4dzxIkmItiimCOirLdZzZGDm/yklMUVh7lARSNuMxXGKlpdBPKYWdqHm57ob6Sb0ivm4H4mL1n4d3QUCuE7hh2F4Aw4oln7XueyMkRPTtPy8OpnBEEZhRfmaL/auVZquLU5jjMNJk9JiWOy+DSTscViY/MZ+dypv6F4AfDdVvog89sNmPzcUT+zmB8jXHdjLoKy+63RG326WffY9OPuImW6/kCWZHV6Vws55hHqRy713W6yDBlrQ/gYC3Wils=

Then test the decryption

curl http://localhost:8888/decrypt -d AQAPWOUOh4+bgtKc5E0d5Aba8VUKnzEXh27HyKSAbW+wyzDwZTbk5QYfXpoCAs413rdeNIdR2ez44nkjT5V+438/VQExySzjZPhP0xYXi9YIaJqA3+Ji+IWK8hrGtJ4dzxIkmItiimCOirLdZzZGDm/yklMUVh7lARSNuMxXGKlpdBPKYWdqHm57ob6Sb0ivm4H4mL1n4d3QUCuE7hh2F4Aw4oln7XueyMkRPTtPy8OpnBEEZhRfmaL/auVZquLU5jjMNJk9JiWOy+DSTscViY/MZ+dypv6F4AfDdVvog89sNmPzcUT+zmB8jXHdjLoKy+63RG326WffY9OPuImW6/kCWZHV6Vws55hHqRy713W6yDBlrQ/gYC3Wils=

will return

23456789

We can also modify web-client.yml to verify:

#test:  #password: ‘{cipher}94c1027141add9844ec47f0be13caebb6b38ed1dcf99811b1a5cd2b874c64407‘user:  password:‘{cipher}AQAPWOUOh4WVexGgVv+bgtKc5E0d5Aba8VUKnzEXh27HyKSAbW+wyzDwZTbk5QYfXpoCAs413rdeNIdR2ez44nkjT5V+438/VQExySzjZPhP0xYXi9YIaJqA3+Ji+IWK8hrGtJ4dzxIkmItiimCOirLdZzZGDm/yklMUVh7lARSNuMxXGKlpdBPKYWdqHm57ob6Sb0ivm4H4mL1n4d3QUCuE7hh2F4Aw4oln7XueyMkRPTtPy8OpnBEEZhRfmaL/auVZquLU5jjMNJk9JiWOy+DSTscViY/MZ+dypv6F4AfDdVvog89sNmPzcUT+zmB8jXHdjLoKy+63RG326WffY9OPuImW6/kCWZHV6Vws55hHqRy713W6yDBlrQ/gYC3Wils=‘

Comment out test.password , add a new user.password configuration value that uses encryption. Then submit the Gitee repository to access this profile via a URL:

http://localhost:8888/web-client/default

The following results are obtained:

{    "Name": "Web-client",    "Profiles": [        "Default"    ],    "Label": NULL,    "Version": "3044a5345fb86d09a043ca7404b9e57c8c13c512",    "State": NULL,    "Propertysources": [        {            "Name": "Https://gitee.com/zxuqian/spring-cloud-config-remote/web-client.yml",            "Source": {                "Message": "This message comes from the remote configuration warehouse",                "Management.endpoints.web.exposure.include": "*",                "User.password": "23456789"            }        }    ]}

Introduction to Spring Cloud Config-rsa and using RSA encryption configuration files