feat: 敏感信息加解密支持 (#15)

1. RsaCryptoUtil.rsaEncryptOAEP()/rsaDecryptOAEP()
2. Verifier提供接口getValidCertificate()方法

Author: xy-peng

README.md

@@ -119,13 +119,41 @@ HttpClient httpClient = builder.build();
 // 后面跟使用Apache HttpClient一样
 HttpResponse response = httpClient.execute(...);
 ```
-
 ### 风险
 
 因为不需要传入微信支付平台证书，AutoUpdateCertificatesVerifier 在首次更新证书时**不会验签**，也就无法确认应答身份，可能导致下载错误的证书。
 
 但下载时会通过 **HTTPS**、**AES 对称加密**来保证证书安全，所以可以认为，在使用官方 JDK、且 APIv3 密钥不泄露的情况下，AutoUpdateCertificatesVerifier 是**安全**的。
 
+## 敏感信息加解密
+
+### 加密
+
+使用` RsaCryptoUtil.encryptOAEP(String, X509Certificate)`进行公钥加密。示例代码如下。
+
+```java
+// 建议从Verifier中获得微信支付平台证书，或使用预先下载到本地的平台证书文件中
+X509Certificate wechatpayCertificate = verifier.getValidCertificate();
+try {
+  String ciphertext = RsaCryptoUtil.encryptOAEP(text, wechatpayCertificate);
+} catch (IllegalBlockSizeException e) {
+  e.printStackTrace();
+}
+```
+
+### 解密
+
+使用`RsaCryptoUtil.decryptOAEP(String ciphertext, PrivateKey privateKey)`进行私钥解密。示例代码如下。
+
+```java
+// 使用商户私钥解密
+try {
+  String ciphertext = RsaCryptoUtil.decryptOAEP(text, merchantPrivateKey);
+} catch (BadPaddingException e) {
+  e.printStackTrace();
+}
+```
+
 ## 常见问题
 
 ### 如何下载平台证书？

src/main/java/com/wechat/pay/contrib/apache/httpclient/auth/AutoUpdateCertificatesVerifier.java

@@ -5,7 +5,6 @@
 import com.wechat.pay.contrib.apache.httpclient.Credentials;
 import com.wechat.pay.contrib.apache.httpclient.WechatPayHttpClientBuilder;
 import com.wechat.pay.contrib.apache.httpclient.util.AesUtil;
-import com.wechat.pay.contrib.apache.httpclient.util.PemUtil;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.security.GeneralSecurityException;
@@ -49,26 +48,12 @@ public class AutoUpdateCertificatesVerifier implements Verifier {
 
   private ReentrantLock lock = new ReentrantLock();
 
-  //时间间隔枚举，支持一小时、六小时以及十二小时
-  public enum TimeInterval {
-    OneHour(60), SixHours(60 * 6), TwelveHours(60 * 12);
-
-    private int minutes;
-
-    TimeInterval(int minutes) {
-      this.minutes = minutes;
-    }
-
-    public int getMinutes() {
-      return minutes;
-    }
-  }
-
   public AutoUpdateCertificatesVerifier(Credentials credentials, byte[] apiV3Key) {
     this(credentials, apiV3Key, TimeInterval.OneHour.getMinutes());
   }
 
-  public AutoUpdateCertificatesVerifier(Credentials credentials, byte[] apiV3Key, int minutesInterval) {
+  public AutoUpdateCertificatesVerifier(Credentials credentials, byte[] apiV3Key,
+      int minutesInterval) {
     this.credentials = credentials;
     this.apiV3Key = apiV3Key;
     this.minutesInterval = minutesInterval;
@@ -81,9 +66,15 @@ public AutoUpdateCertificatesVerifier(Credentials credentials, byte[] apiV3Key,
     }
   }
 
+  @Override
+  public X509Certificate getValidCertificate() {
+    return verifier.getValidCertificate();
+  }
+
   @Override
   public boolean verify(String serialNumber, byte[] message, String signature) {
-    if (instant == null || Duration.between(instant, Instant.now()).toMinutes() >= minutesInterval) {
+    if (instant == null
+        || Duration.between(instant, Instant.now()).toMinutes() >= minutesInterval) {
       if (lock.tryLock()) {
         try {
           autoUpdateCert();
@@ -105,25 +96,32 @@ private void autoUpdateCert() throws IOException, GeneralSecurityException {
         .withValidator(verifier == null ? (response) -> true : new WechatPay2Validator(verifier))
         .build();
 
-    HttpGet httpGet = new HttpGet(CertDownloadPath);
-    httpGet.addHeader("Accept", "application/json");
-
-    CloseableHttpResponse response = httpClient.execute(httpGet);
-    int statusCode = response.getStatusLine().getStatusCode();
-    String body = EntityUtils.toString(response.getEntity());
-    if (statusCode == 200) {
-      List<X509Certificate> newCertList = deserializeToCerts(apiV3Key, body);
-      if (newCertList.isEmpty()) {
-        log.warn("Cert list is empty");
-        return;
+    try {
+      HttpGet httpGet = new HttpGet(CertDownloadPath);
+      httpGet.addHeader("Accept", "application/json");
+
+      CloseableHttpResponse response = httpClient.execute(httpGet);
+      try {
+        int statusCode = response.getStatusLine().getStatusCode();
+        String body = EntityUtils.toString(response.getEntity());
+        if (statusCode == 200) {
+          List<X509Certificate> newCertList = deserializeToCerts(apiV3Key, body);
+          if (newCertList.isEmpty()) {
+            log.warn("Cert list is empty");
+            return;
+          }
+          this.verifier = new CertificatesVerifier(newCertList);
+        } else {
+          log.warn("Auto update cert failed, statusCode = " + statusCode + ",body = " + body);
+        }
+      } finally {
+        response.close();
       }
-      this.verifier = new CertificatesVerifier(newCertList);
-    } else {
-      log.warn("Auto update cert failed, statusCode = " + statusCode + ",body = " + body);
+    } finally {
+      httpClient.close();
     }
   }
 
-
   /**
    * 反序列化证书并解密
    */
@@ -158,4 +156,20 @@ private List<X509Certificate> deserializeToCerts(byte[] apiV3Key, String body)
     }
     return newCertList;
   }
+
+
+  //时间间隔枚举，支持一小时、六小时以及十二小时
+  public enum TimeInterval {
+    OneHour(60), SixHours(60 * 6), TwelveHours(60 * 12);
+
+    private int minutes;
+
+    TimeInterval(int minutes) {
+      this.minutes = minutes;
+    }
+
+    public int getMinutes() {
+      return minutes;
+    }
+  }
 }

src/main/java/com/wechat/pay/contrib/apache/httpclient/auth/CertificatesVerifier.java

@@ -5,12 +5,16 @@
 import java.security.NoSuchAlgorithmException;
 import java.security.Signature;
 import java.security.SignatureException;
+import java.security.cert.CertificateExpiredException;
+import java.security.cert.CertificateNotYetValidException;
 import java.security.cert.X509Certificate;
 import java.util.Base64;
 import java.util.HashMap;
 import java.util.List;
+import java.util.NoSuchElementException;
 
 public class CertificatesVerifier implements Verifier {
+
   private final HashMap<BigInteger, X509Certificate> certificates = new HashMap<>();
 
   public CertificatesVerifier(List<X509Certificate> list) {
@@ -40,4 +44,19 @@ public boolean verify(String serialNumber, byte[] message, String signature) {
     BigInteger val = new BigInteger(serialNumber, 16);
     return certificates.containsKey(val) && verify(certificates.get(val), message, signature);
   }
+
+  @Override
+  public X509Certificate getValidCertificate() {
+    for (X509Certificate x509Cert : certificates.values()) {
+      try {
+        x509Cert.checkValidity();
+
+        return x509Cert;
+      } catch (CertificateExpiredException | CertificateNotYetValidException e) {
+        continue;
+      }
+    }
+
+    throw new NoSuchElementException("没有有效的微信支付平台证书");
+  }
 }

src/main/java/com/wechat/pay/contrib/apache/httpclient/auth/Verifier.java

@@ -1,5 +1,10 @@
 package com.wechat.pay.contrib.apache.httpclient.auth;
 
+import java.security.cert.X509Certificate;
+
 public interface Verifier {
+
   boolean verify(String serialNumber, byte[] message, String signature);
+
+  X509Certificate getValidCertificate();
 }

src/main/java/com/wechat/pay/contrib/apache/httpclient/util/RsaCryptoUtil.java

@@ -0,0 +1,50 @@
+package com.wechat.pay.contrib.apache.httpclient.util;
+
+import java.nio.charset.StandardCharsets;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+import java.util.Base64;
+import javax.crypto.BadPaddingException;
+import javax.crypto.Cipher;
+import javax.crypto.IllegalBlockSizeException;
+import javax.crypto.NoSuchPaddingException;
+
+public class RsaCryptoUtil {
+
+  public static String encryptOAEP(String message, X509Certificate certificate)
+      throws IllegalBlockSizeException {
+    try {
+      Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPWithSHA-1AndMGF1Padding");
+      cipher.init(Cipher.ENCRYPT_MODE, certificate.getPublicKey());
+
+      byte[] data = message.getBytes(StandardCharsets.UTF_8);
+      byte[] ciphertext = cipher.doFinal(data);
+      return Base64.getEncoder().encodeToString(ciphertext);
+    } catch (NoSuchAlgorithmException | NoSuchPaddingException e) {
+      throw new RuntimeException("当前Java环境不支持RSA v1.5/OAEP", e);
+    } catch (InvalidKeyException e) {
+      throw new IllegalArgumentException("无效的证书", e);
+    } catch (IllegalBlockSizeException | BadPaddingException e) {
+      throw new IllegalBlockSizeException("加密原串的长度不能超过214字节");
+    }
+  }
+
+  public static String decryptOAEP(String ciphertext, PrivateKey privateKey)
+      throws BadPaddingException {
+    try {
+      Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPWithSHA-1AndMGF1Padding");
+      cipher.init(Cipher.DECRYPT_MODE, privateKey);
+
+      byte[] data = Base64.getDecoder().decode(ciphertext);
+      return new String(cipher.doFinal(data), StandardCharsets.UTF_8);
+    } catch (NoSuchPaddingException | NoSuchAlgorithmException e) {
+      throw new RuntimeException("当前Java环境不支持RSA v1.5/OAEP", e);
+    } catch (InvalidKeyException e) {
+      throw new IllegalArgumentException("无效的私钥", e);
+    } catch (BadPaddingException | IllegalBlockSizeException e) {
+      throw new BadPaddingException("解密失败");
+    }
+  }
+}

src/test/java/com/wechat/pay/contrib/apache/httpclient/RsaCryptoTest.java

@@ -0,0 +1,101 @@
+package com.wechat.pay.contrib.apache.httpclient;
+
+import static org.junit.Assert.assertTrue;
+
+import com.wechat.pay.contrib.apache.httpclient.auth.AutoUpdateCertificatesVerifier;
+import com.wechat.pay.contrib.apache.httpclient.auth.PrivateKeySigner;
+import com.wechat.pay.contrib.apache.httpclient.auth.WechatPay2Credentials;
+import com.wechat.pay.contrib.apache.httpclient.auth.WechatPay2Validator;
+import com.wechat.pay.contrib.apache.httpclient.util.PemUtil;
+import com.wechat.pay.contrib.apache.httpclient.util.RsaCryptoUtil;
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.security.PrivateKey;
+import org.apache.http.HttpEntity;
+import org.apache.http.client.methods.CloseableHttpResponse;
+import org.apache.http.client.methods.HttpPost;
+import org.apache.http.entity.ContentType;
+import org.apache.http.entity.StringEntity;
+import org.apache.http.impl.client.CloseableHttpClient;
+import org.apache.http.util.EntityUtils;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+
+public class RsaCryptoTest {
+
+  private static String mchId = ""; // 商户号
+  private static String mchSerialNo = ""; // 商户证书序列号
+  private static String apiV3Key = ""; // api密钥
+  // 你的商户私钥
+  private static String privateKey = "-----BEGIN PRIVATE KEY-----\n"
+      + "-----END PRIVATE KEY-----\n";
+
+  private CloseableHttpClient httpClient;
+  private AutoUpdateCertificatesVerifier verifier;
+
+  @Before
+  public void setup() throws IOException {
+    PrivateKey merchantPrivateKey = PemUtil.loadPrivateKey(
+        new ByteArrayInputStream(privateKey.getBytes("utf-8")));
+
+    //使用自动更新的签名验证器，不需要传入证书
+    verifier = new AutoUpdateCertificatesVerifier(
+        new WechatPay2Credentials(mchId, new PrivateKeySigner(mchSerialNo, merchantPrivateKey)),
+        apiV3Key.getBytes("utf-8"));
+
+    httpClient = WechatPayHttpClientBuilder.create()
+        .withMerchant(mchId, mchSerialNo, merchantPrivateKey)
+        .withValidator(new WechatPay2Validator(verifier))
+        .build();
+  }
+
+  @After
+  public void after() throws IOException {
+    httpClient.close();
+  }
+
+  @Test
+  public void encryptTest() throws Exception {
+    String text = "helloworld";
+    String ciphertext = RsaCryptoUtil.encryptOAEP(text, verifier.getValidCertificate());
+
+    System.out.println("ciphertext: " + ciphertext);
+  }
+
+  @Test
+  public void postEncryptDataTest() throws Exception {
+    HttpPost httpPost = new HttpPost("https://api.mch.weixin.qq.com/v3/smartguide/guides");
+
+    String text = "helloworld";
+    String ciphertext = RsaCryptoUtil.encryptOAEP(text, verifier.getValidCertificate());
+
+    String data = "{\n"
+        + "  \"store_id\" : 1234,\n"
+        + "  \"corpid\" : \"1234567890\",\n"
+        + "  \"name\" : \"" + ciphertext + "\",\n"
+        + "  \"mobile\" : \"" + ciphertext + "\",\n"
+        + "  \"qr_code\" : \"https://open.work.weixin.qq.com/wwopen/userQRCode?vcode=xxx\",\n"
+        + "  \"sub_mchid\" : \"1234567890\",\n"
+        + "  \"avatar\" : \"logo\",\n"
+        + "  \"userid\" : \"robert\"\n"
+        + "}";
+    StringEntity reqEntity = new StringEntity(
+        data, ContentType.create("application/json", "utf-8"));
+    httpPost.setEntity(reqEntity);
+    httpPost.addHeader("Accept", "application/json");
+    httpPost.addHeader("Wechatpay-Serial", "5157F09EFDC096DE15EBE81A47057A7232F1B8E1");
+
+    CloseableHttpResponse response = httpClient.execute(httpPost);
+    assertTrue(response.getStatusLine().getStatusCode() != 401);
+    assertTrue(response.getStatusLine().getStatusCode() != 400);
+    try {
+      HttpEntity entity2 = response.getEntity();
+      // do something useful with the response body
+      // and ensure it is fully consumed
+      EntityUtils.consume(entity2);
+    } finally {
+      response.close();
+    }
+  }
+}