AS协议本身很复杂,我们不需要知道太多的细节,只需要知道一些重要的概念。
AS2是基于HTTP/HTTPS使用新闻格式MIME,是邮件格式,使用SHA1或SHA2加RSA签名使用S/MIME进行加密。S/MIME加密的本质是3DES或者AES加RSA有了以前的基础,加密应该很清楚。
AS通信双方都称之为partner,每个partner有个partnerId,通信双方需要交互公钥。
自己实现S/MIME加密比较复杂,我们介绍以下包加密,jdk15on支持jdk1.5-jdk1.8,其他jdk版可去maven搜索相应的版本
<dependency> <groupId>org.bouncycastle</groupId> <artifactId>bcmail-jdk15on</artifactId> <version>1.70</version> </dependency>下一步是实现AS2发送文件的JAVA版本
@Test public void testAS2() throws Exception { ///注册证书提供者BC Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider()); String password = "testas2"; //生成mime消息体,放入待发送文件 MimeBodyPart finalMessage = new MimeBodyPart(); File file = new File("D:\\workspace\\data\\a.xml"); finalMessage.setDataHandler(new DataHandler(new FileDataSource(file))); finalMessage.setHeader("Content-Type", "application/xml"); finalMessage.setHeader("Content-Transfer-Encoding", "base64"); finalMessage.setFileName(file.getName()); //加载证书 FileInputStream fis = new FileInputStream(new File("D:\\workspace\\OpenAs2App\\Server\\src\\config\\as2_certs.p12")); KeyStore keyStore = getKeyStore(fis, password, "PKCS12", "BC"); PrivateKey privateKey = getPrivateKeyFromKeyStore(keyStore, "mycompany", "password"); //签名 X509Certificate signCert = getCertificate(keyStore, "mycompany"); List certList = new ArrayList(); certList.add(signCert); Store certs = new JcaCertStore(certList); SMIMESignedGenerator signer = new SMIMESignedGenerator(); signer.setContentTransferEncoding("base64"); //使用SHA1进行签名 signer.addSignerInfoGenerator(new JcaSimpleSignerInfoGeneratorBuilder().setProvider("BC") .build("SHA1WITHRSA", privateKey, signCert)); signer.addCertificates(certs); MimeMultipart signedMimeMultipart = signer.generate(finalMessage); finalMessage = new MimeBodyPart(); finalMessage.setContent(signedMimeMultipart); finalMessage.setHeader("Content-Type", signedMimeMultipart.getContentType()); //加密 // 加载partner的数字证书 X509Certificate cert = getCertificate(keyStore, "partnera"); // 创建加密器 SMIMEEnvelopedGenerator encryptor = new SMIMEEnvelopedGenerator(); encryptor.addRecipientInfoGenerator(new JceKeyTransRecipientInfoGenerator(cert).setProvider("BC")); encryptor.setContentTransferEncoding("base64"); //3DES加密 JceCMSContentEncryptorBuilder jceCMSContentEncryptorBuilder = new JceCMSContentEncryptorBuilder(new ASN1ObjectIdentifier(SMIMEEnvelopedGenerator.DES_EDE3_CBC)).setProvider("BC"); jceCMSContentEncryptorBuilder.setSecureRandom(new SecureRandom()); // 进行加密 MimeBodyPart encryptedPart = encryptor.generate(finalMessage, jceCMSContentEncryptorBuilder.build()); //准备头字段 InternetHeaders ih = new InternetHeaders(); ih.addHeader("Connection", "close, TE"); ih.addHeader("Message-ID", UUID.randomUUID().toString()); ih.addHeader("Mime-Version", "1.0"); ih.addHeader("Content-Type", encryptedPart.getContentType()); ih.addHeader("AS2-To", "PartnerA_OID"); ih.addHeader("AS2-From", "MyCompany_OID"); ih.addHeader("Subject", "Subject: File a.xml sent from MyCompany to PartnerA"); ih.addHeader("Disposition-Notification-To", "edi@myCompany.com"); ih.addHeader("Content-Disposition", "attachment"); String url = "http://localhost:10080"; execRequest("POST", url, ih.getAllHeaders(), null, encryptedPart.getInputStream()); } private static X509Certificate getCertificate(KeyStore keyStore, String alias) throws Exception { Certificate certificate = keyStore.getCertificate(alias); return (X509Certificate) certificate; } 发送http请求的代码
public static void execRequest(String method, String url, Enumeration<Header> headers, NameValuePair[] params, InputStream inputStream) throws Exception { HttpClientBuilder httpBuilder = HttpClientBuilder.create(); URL urlObj = new URL(url); /* * httpClient is used for this request only, * set a connection manager that manages just one connection. */ if (urlObj.getProtocol().equalsIgnoreCase("https")) { /* * Note: registration of a custom SSLSocketFactory via httpBuilder.setSSLSocketFactory is ignored when a connection manager is set. * The custom SSLSocketFactory needs to be registered together with the connection manager. */ SSLConnectionSocketFactory sslCsf = buildSslFactory(); httpBuilder.setConnectionManager(new BasicHttpClientConnectionManager(RegistryBuilder.<ConnctionSocketFactory>create().register("http", PlainConnectionSocketFactory.getSocketFactory()).register("https", sslCsf).build()));
} else {
httpBuilder.setConnectionManager(new BasicHttpClientConnectionManager());
}
RequestBuilder rb = getRequestBuilder(method, urlObj, params, headers);
if (inputStream != null) {
InputStreamEntity ise = new InputStreamEntity(inputStream);
rb.setEntity(ise);
}
final HttpUriRequest request = rb.build();
try (CloseableHttpClient httpClient = httpBuilder.build()) {
try (CloseableHttpResponse response = httpClient.execute(request)) {
HttpEntity entity = response.getEntity();
String result = EntityUtils.toString(entity);
System.out.println(result);
}
}
}
private static SSLConnectionSocketFactory buildSslFactory() throws Exception {
boolean overrideSslChecks = true;
SSLContext sslcontext;
sslcontext = SSLContexts.createSystemDefault();
// String [] protocols = Properties.getProperty(HTTP_PROP_SSL_PROTOCOLS,
// "TLSv1").split("\\s*,\\s*");
HostnameVerifier hnv = SSLConnectionSocketFactory.getDefaultHostnameVerifier();
if (overrideSslChecks) {
hnv = new HostnameVerifier() {
@Override
public boolean verify(String hostname, SSLSession session) {
return true;
}
};
}
SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(sslcontext, null, null, hnv);
return sslsf;
}
private static RequestBuilder getRequestBuilder(String method, URL urlObj, NameValuePair[] params, Enumeration<Header> headers) throws URISyntaxException {
RequestBuilder req = null;
if (method == null || method.equalsIgnoreCase(Method.GET)) {
//default get
req = RequestBuilder.get();
} else if (method.equalsIgnoreCase(Method.POST)) {
req = RequestBuilder.post();
} else if (method.equalsIgnoreCase(Method.HEAD)) {
req = RequestBuilder.head();
} else if (method.equalsIgnoreCase(Method.PUT)) {
req = RequestBuilder.put();
} else if (method.equalsIgnoreCase(Method.DELETE)) {
req = RequestBuilder.delete();
} else if (method.equalsIgnoreCase(Method.TRACE)) {
req = RequestBuilder.trace();
} else {
throw new IllegalArgumentException("Illegal HTTP Method: " + method);
}
req.setUri(urlObj.toURI());
if (params != null && params.length > 0) {
req.addParameters(params);
}
if (headers != null) {
while (headers.hasMoreElements()) {
Header header = headers.nextElement();
String headerValue = header.getValue();
req.setHeader(header.getName(), headerValue);
}
}
return req;
}
public abstract static class Method {
public static final String GET = "GET";
public static final String HEAD = "HEAD";
public static final String POST = "POST";
public static final String PUT = "PUT";
public static final String DELETE = "DELETE";
public static final String TRACE = "TRACE";
public static final String CONNECT = "CONNECT";
}
代码讲解
来看这段代码,这段代码是加载证书库,方法上篇给出了,类型是PKCS12,BC是什么鬼?BC是证书提供者,如果是JKS类型的证书,提供者是SUN,就不需要传了,如果是PKCS12类型的证书,就需要传provider。
KeyStore keyStore = getKeyStore(fis, password, "PKCS12", "BC");生成mime消息体,放入待发送文件那段代码很简单,就是获取待发送文件的输入流然后生成mime消息体,没啥好讲的,加载证书库获取私钥的代码前篇都讲过了,也很简单。
接下来是签名和加密,都是固定写法,唯一有改动的可能是签名的算法是SHA1还是SHA2,加密算法是3DES还是AES,需要告知接收方。这边需要注意的是签名是使用自己的私钥,对方用我们的公钥进行验签,加密是使用对方的公钥,对方用自己的私钥进行解密。
接下去就是准备头字段,填写自己的partnerId和对方的partnerId就行了
其实有现成的代码,集成AS2不难,如果是自己去找协议去实现,难度就相当大了。