To enable HTTPS communication through the State Cryptomatic Agreement between two Spring Boot projects (Project A and Project B), we need to complete the following steps:
- Generate a certificate that supports national secrets.
- Configure two Spring Boot projects to implement HTTPS using a national secret certificate.
- Project A uses RestTemplate to call the interface of Project B to verify that the communication is successful.
1. Generate a certificate that supports national secrets
In order to use the national secret algorithm, it is usually necessary to use some tools that support the national secret algorithm to generate the certificate. You can use OpenSSL combined with gmssl tools, or directly use specialized tools, such as the national secret certificate generation tool provided by some companies. Here we assume that we use the GMSSL tool to generate the certificate.
1.1 Install GMSSL (if not installed)
You can download and compile and install it from the official GitHub repository of GMSSL.
1.2 Generate SM2 key pairs and certificates
Generate a CA certificate(Used to issue server and client certificates):
gmssl ecparam -genkey -name sm2p256v1 -out gmssl req -new -x509 -sm3 -key -out -subj "/CN=GM CA"
Generate server certificate(assumed to be used in Project B):
gmssl ecparam -genkey -name sm2p256v1 -out gmssl req -new -key -out -subj "/CN=localhost" gmssl x509 -req -in -sm3 -CA -CAkey -out -days 365 -CAcreateserial
Generate client certificate(Assumed to be used in Project A):
gmssl ecparam -genkey -name sm2p256v1 -out gmssl req -new -key -out -subj "/CN=localhost" gmssl x509 -req -in -sm3 -CA -CAkey -out -days 365 -CAcreateserial
Export certificates and keys to PKCS12 format(For Spring Boot projects):
- Server side (Project B):
gmssl pkcs12 -export -in -inkey -out server-keystore.p12 -name server -CAfile -caname root
- Client (Project A):
gmssl pkcs12 -export -in -inkey -out client-keystore.p12 -name client -CAfile -caname root
2. Configure the Spring Boot project to use HTTPS
2.1 Project B: Provide HTTPS interface
- Place server-keystore.p12 in the resources directory of project B.
- In the configuration file of Project B, configure the HTTPS connection:
server:
port: 8443
ssl:
# server-keystore.p12 file is placed in the project src/main/resource directory key-store: classpath:server-keystore.p12
key-store-password: changeit # Use the password set during export key-store-type: PKCS12
key-alias: server
- Create a simple HTTPS endpoint for project A to call:
@RestController
public class HelloController {
@GetMapping("/hello")
public String sayHello() {
return "Hello from Project B with GMSSL!";
}
}
2.2 Project A: Call Project B using HTTPS
Will
client-keystore.p12Placed in Project AresourcesIn the directory.In Project A
Configure the SSL certificate in so that project A can trust project B's server certificate:
server:
ssl:
# client-keystore.p12 file is placed in the project src/main/resource directory key-store: classpath:client-keystore.p12
key-store-password: changeit
key-store-type: PKCS12
key-alias: client
Configure RestTemplate, load the client certificate and trust the certificate of Project B:
import ;
import ;
import ;
import ;
import ;
import ;
import ;
import ;
@Configuration
public class RestTemplateConfig {
@Bean
public RestTemplate restTemplate() throws Exception {
SSLContext sslContext = SSLContextBuilder
.create()
.loadKeyMaterial(
new File("src/main/resources/client-keystore.p12"), // Client certificate path "changeit".toCharArray(), // KeyStore Password "changeit".toCharArray()) // Key Password // If you are using standard certificates issued by a third-party authoritative CA (such as DigiCert, GlobalSign, Let's Encrypt, etc.), you usually do not need to manually configure the CA certificate on the client side. Because these authoritative CA root certificates are already included in the default truststore of most JDKs. Omit the following line .loadTrustMaterial(new File("src/main/resources/"), new TrustSelfSignedStrategy())
.build();
HttpComponentsClientHttpRequestFactory requestFactory = new HttpComponentsClientHttpRequestFactory(
().setSSLContext(sslContext).build());
return new RestTemplate(requestFactory);
}
}
Call the HTTPS interface of project B in project A:
import ;
import ;
import ;
import ;
@RestController
public class TestController {
@Autowired
private RestTemplate restTemplate;
@GetMapping("/call-hello")
public String callHello() {
String url = "https://localhost:8443/hello"; // HTTPS address of Project B return (url, );
}
}
3. Start and test
- Start Project B, and then start Project A.
- Accessing the interface of Project A
http://localhost:8080/call-hello, it connects to project B via HTTPS. - If the configuration is correct, you will see a return message:
Hello from Project B with GMSSL!
Remark
- This example uses a self-signed certificate. In actual production environment, it is recommended to use a national secret certificate issued by an authoritative CA.
- If there is a requirement for two-way authentication of client and server certificates, it is also necessary to configure it on the server side.
client-auth=need。
How to verify that national secrets are effective
To verify whether projects A and B are using the national secret algorithm communication, the following methods can be confirmed:
1. Check the certificate algorithm information
You can view the server certificate for Project B to make sure it is indeed generated based on the National Secret algorithm (such as the SM2 algorithm). Find the certificate in the keystore of Project B and use the following command to view the certificate's algorithm:
keytool -list -v -keystore server-keystore.p12 -storepass <password>
Found in the outputSignature algorithmField, make sure it is a national secret algorithm (e.g.SM2WITHSM3) signed. If the server certificate uses SM2, both parties will use the public and private key of the State Secret to encrypt and decrypt the data during communication.
2. Use packet capture tool to analyze encryption algorithm
Use packet capture tools such as Wireshark to check HTTPS traffic between A and B in detail. When catching packets, pay attention to the encryption algorithm and key exchange algorithm in the TLS handshake packet to confirm whether it contains SM2, SM3, SM4 and other national secret algorithms.
Specific steps:
- Open Wireshark and start catching packets.
- Filter traffic is HTTPS or specify the IP address of Project B.
- Find the TLS handshake package, view the negotiation information of the encryption algorithm, and ensure that the national secretariat agreement is included (e.g.
ECDHE-SM2-WITH-SM4-SM3or other SM series).
3. View project startup log
Some SSL/TLS libraries output the encryption algorithm used during handshake, check the startup log or request log of projects A and B, and sometimes find the specific encryption algorithm information used. If the configuration is correct, the national secret algorithm used for handshake may be recorded in the log.
4. Server-side code adjustment test
In Project B, you can use debug code to confirm the key pair used. For example, useSSLContextPrint out the encryption algorithm for the current session to ensure that it uses SM series algorithms:
import ;
import ;
import ;
public void checkSSLConnection() throws Exception {
URL url = new URL("https://localhost:8443/hello");
HttpsURLConnection connection = (HttpsURLConnection) ();
();
SSLSession session = ();
("Cipher Suite: " + ()); // Confirm whether it is an SM algorithm}
Through these methods, it is possible to better verify whether projects A and B do indeed use the Guose algorithm for communication.
The above is the detailed content of the process steps for SpringBoot to implement national secret communications. For more information about SpringBoot to implement national secret communications, please pay attention to my other related articles!