簡單的 HTTPS 學習

1. 需求

現在使用的服務是HTTP調用形式，服務可能會有調用外圍https形式的服務，簡單了解了一下，然后寫了一個簡單的例子進行記錄。

HTTP（超文本傳輸協議） 是一種用于傳輸超文本的應用層協議，建立在TCP/IP協議棧之上。它定義了客戶端（如瀏覽器）如何向服務器請求資源，以及服務器如何響應這些請求。

HTTPS（超文本傳輸安全協議） 是HTTP協議的安全版本，它在HTTP與TCP之間加入了SSL/TLS加密層，通過加密數據傳輸來保障數據的安全性和完整性。

他們的主要區別如下所示：

安全性

HTTP協議不加密傳輸的數據，任何人都可以輕易地獲取和篡改傳輸的內容，存在嚴重的安全風險。

為了解決HTTP協議的安全問題，HTTPS應運而生。

HTTPS協議通過SSL/TLS加密傳輸的數據，即使數據被攔截，攻擊者也無法解密，有效地保障了數據的安全。
數據傳輸方式

HTTP使用的是不安全的TCP端口80進行數據傳輸，而HTTPS使用的是更安全的TCP端口443，并通過 SSL/TLS 協議對數據進行加密后再傳輸，進一步提升了數據傳輸的安全性。
部署成本

HTTP協議是免費的，不需要額外的證書。

而HTTPS協議需要SSL/TLS證書，這些證書通常需要從受信任的證書頒發機構（CA）購買。
性能

由于需要進行加密和解密操作，HTTPS協議可能會略微影響網站的加載速度。

但是，隨著現代硬件和優化加密算法的應用，這種影響已經被大大降低。

2. 準備

測試環境，我們使用JDK自帶的工具生成測試證書，我們此次的調用形式使用RestTemplate進行調用，調用形式分為以下情況

http 服務調用 https 服務（服務端驗證）
https 服務調用 https 服務（客戶端服務端雙向驗證）

2.1 準備證書秘鑰信息

我們本地使用 keytool 工具生成，我本地工具類位置如下C:\Program Files\Java\jdk1.8.0_131\bin：

在這里插入圖片描述

然后需要使用PowerShell工具進入到keytool目錄中，執行命令生成兩份證書信息，對應兩個https服務使用，我們要輸入秘鑰口令，以及其他基礎信息

# 參數含義如下：
# keytool: 表示keytool工具
# genkey: 表示要創建一個新的密鑰。
# alias: 表示 keystore 的別名。anyname 都可以。
# storetype: 表示密鑰的倉庫類型，存儲格式是PKCS12.
# keyalg: 表示使用的加密算法是 RSA ，一種非對稱加密算法。
# keysize: 表示密鑰的長度。這里是2048.
# keystore: 表示生成的證書文件存放位置。 這里是D:\httpsSecurityKey.p12
# validity: 表示證書的有效時間365天。
keytool -genkey -alias httpsSecurity -storetype PKCS12 -keyalg RSA -keysize 2048  -keystore D:\https_security_key\httpsSecurityKey.p12 -validity 365keytool -genkey -alias httpsSecuritySecond -storetype PKCS12 -keyalg RSA -keysize 2048  -keystore D:\https_security_key\httpsSecuritySecondKey.p12 -validity 365

在這里插入圖片描述

然后執行命令生成兩份公鑰文件

# 從密鑰庫中提取公鑰證書到獨立的證書文件
# 從 httpsSecurityKey.p12 中導出證書部分
# 生成 httpsSecurity.cer 證書文件（只包含公鑰和身份信息，不含私鑰）
# 這個證書文件可以安全地分發給其他方
keytool -export -alias httpsSecurity -keystore D:\https_security_key\httpsSecurityKey.p12 -storetype PKCS12 -file D:\https_security_key\httpsSecurity.cer# 將證書添加到信任庫中，表示信任該證書持有者
# 創建或更新 truststore.jks 信任庫文件
# 將 httpsSecurity.cer 證書導入信任庫
# 設置該證書為"受信任的"，用于驗證對方身份
keytool -import -alias httpsSecurity -file D:\https_security_key\httpsSecurity.cer -keystore D:\https_security_key\truststore.jks# 從密鑰庫中提取公鑰證書到獨立的證書文件...
keytool -export -alias httpsSecuritySecond -keystore D:\https_security_key\httpsSecuritySecondKey.p12 -storetype PKCS12 -file D:\https_security_key\httpsSecuritySecond.cer# 將證書添加到信任庫中，表示信任該證書持有者...
keytool -import -alias httpsSecuritySecond -file D:\https_security_key\httpsSecuritySecond.cer -keystore D:\https_security_key\truststoreSecond.jks

最終執行完畢后，會在目錄中看到這些文件

在這里插入圖片描述

2.2 編寫代碼

此次測試我們用到了三個服務，分別為http-server,https-server以及 https-server-second，整體的項目結構如下：

在這里插入圖片描述

2.2.1 引入pom

服務引入pom分為根pom，服務pom，具體內容如下所示

服務根pom

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"><modelVersion>4.0.0</modelVersion><groupId>cn.git</groupId><artifactId>https-test</artifactId><version>1.0-SNAPSHOT</version><modules><module>http-server</module><module>https-server</module><module>https-server-second</module></modules><packaging>pom</packaging><properties><!-- 如果項目部署要給其他人使用，則此值必須填寫為true,否則父級pom不上傳，會引起子jar包無法下載情況 --><maven.deploy.skip>false</maven.deploy.skip><project.build.sourceEncoding>UTF-8</project.build.sourceEncoding><project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding><java.version>1.8</java.version><mybatis-plus.version>3.3.0</mybatis-plus.version><fastjson.version>1.2.83</fastjson.version><druid.version>1.2.4</druid.version><oracle.version>11.2.0.4.0-atlassian-hosted</oracle.version><hutool.version>5.5.7</hutool.version><lombok.version>1.18.6</lombok.version><mapstruct.version>1.4.1.Final</mapstruct.version><swagger.version>3.0.0</swagger.version><elasticjob.version>3.0.0-RC1</elasticjob.version><poi-tl.version>1.9.1</poi-tl.version><poi.version>4.1.2</poi.version><easyexcel.version>2.2.8</easyexcel.version><tomcat.version>9.0.44</tomcat.version></properties><!-- springboot dependency --><parent><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-parent</artifactId><version>2.3.8.RELEASE</version><relativePath/></parent><!-- 部署到私庫 --><distributionManagement><repository><id>git</id><name>git-releases</name><url>http://3.1.101.57:8081/repository/maven-releases/</url></repository><snapshotRepository><id>git</id><name>git-snapshot</name><url>http://3.1.101.57:8081/repository/maven-snapshots/</url></snapshotRepository></distributionManagement><dependencyManagement><dependencies><!-- fastjson --><dependency><groupId>com.alibaba</groupId><artifactId>fastjson</artifactId><version>${fastjson.version}</version></dependency><!-- hutool --><dependency><groupId>cn.hutool</groupId><artifactId>hutool-all</artifactId><version>${hutool.version}</version></dependency><!-- lombok --><dependency><groupId>org.projectlombok</groupId><artifactId>lombok</artifactId><version>${lombok.version}</version></dependency><!-- mapstruct --><dependency><groupId>org.mapstruct</groupId><artifactId>mapstruct</artifactId><version>${mapstruct.version}</version></dependency><!-- swagger --><dependency><groupId>io.springfox</groupId><artifactId>springfox-boot-starter</artifactId><version>${swagger.version}</version></dependency><!-- poi --><dependency><groupId>com.deepoove</groupId><artifactId>poi-tl</artifactId><version>${poi-tl.version}</version></dependency><dependency><groupId>org.apache.poi</groupId><artifactId>poi</artifactId><version>${poi.version}</version></dependency><dependency><groupId>org.apache.poi</groupId><artifactId>poi-ooxml</artifactId><version>${poi.version}</version></dependency><!-- easyexcel --><dependency><groupId>com.alibaba</groupId><artifactId>easyexcel</artifactId><version>${easyexcel.version}</version></dependency></dependencies></dependencyManagement><dependencies><dependency><groupId>org.projectlombok</groupId><artifactId>lombok</artifactId></dependency><dependency><groupId>cn.hutool</groupId><artifactId>hutool-all</artifactId></dependency><dependency><groupId>com.alibaba</groupId><artifactId>fastjson</artifactId><version>${fastjson.version}</version></dependency></dependencies></project>

服務pom

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"><parent><artifactId>https-test</artifactId><groupId>cn.git</groupId><version>1.0-SNAPSHOT</version></parent><modelVersion>4.0.0</modelVersion><artifactId>https-server-second</artifactId><properties><maven.compiler.source>8</maven.compiler.source><maven.compiler.target>8</maven.compiler.target></properties><dependencies><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-aop</artifactId><exclusions><exclusion><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-logging</artifactId></exclusion></exclusions></dependency><dependency><groupId>org.projectlombok</groupId><artifactId>lombok</artifactId><version>1.18.6</version></dependency><dependency><groupId>cn.hutool</groupId><artifactId>hutool-all</artifactId><version>5.5.7</version></dependency><dependency><groupId>org.mapstruct</groupId><artifactId>mapstruct</artifactId><version>1.4.1.Final</version></dependency><dependency><groupId>com.alibaba</groupId><artifactId>fastjson</artifactId><version>1.2.83</version></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-web</artifactId><exclusions><exclusion><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-logging</artifactId></exclusion></exclusions></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-log4j2</artifactId></dependency><dependency><groupId>com.lmax</groupId><artifactId>disruptor</artifactId><version>3.3.4</version></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-test</artifactId><scope>test</scope></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-autoconfigure</artifactId></dependency><dependency><groupId>org.apache.httpcomponents</groupId><artifactId>httpclient</artifactId><version>4.5.14</version></dependency></dependencies><build><plugins><!-- compiler --><plugin><groupId>org.apache.maven.plugins</groupId><artifactId>maven-compiler-plugin</artifactId><version>3.8.1</version><configuration><source>1.8</source><target>1.8</target><annotationProcessorPaths><path><groupId>org.mapstruct</groupId><artifactId>mapstruct-processor</artifactId><version>1.4.1.Final</version></path><path><groupId>org.projectlombok</groupId><artifactId>lombok</artifactId><version>${lombok.version}</version></path></annotationProcessorPaths></configuration></plugin><!-- package --><plugin><groupId>org.springframework.boot</groupId><artifactId>spring-boot-maven-plugin</artifactId></plugin><!-- maven私服jar包部署插件 --><plugin><groupId>org.apache.maven.plugins</groupId><artifactId>maven-deploy-plugin</artifactId><version>${maven-deploy-plugin.version}</version><configuration><skip>false</skip></configuration></plugin></plugins></build>
</project>

2.2.2 http-server服務

RestTemplate配置部分代碼

package cn.git.http.config;import org.apache.http.client.HttpClient;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContextBuilder;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ClassPathResource;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.web.client.RestTemplate;import javax.net.ssl.SSLContext;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.*;
import java.security.cert.CertificateException;/*** @description: RestTemplate 配置類* @program: bank-credit-sy* @author: lixuchun* @create: 2025-08-13*/
@Configuration
public class RestTemplateConfig {@Value("${client.ssl.trust-store}")private String trustStorePath;@Value("${client.ssl.trust-store-password}")private String trustStorePassword;@Value("${client.ssl.trust-store-type}")private String trustStoreType;/*** 創建RestTemplate實例** @return* @throws KeyStoreException* @throws NoSuchAlgorithmException* @throws KeyManagementException*/@Beanpublic RestTemplate restTemplate() throws KeyStoreException, NoSuchAlgorithmException, KeyManagementException {// 加載https服務提供的公鑰信息KeyStore trustStore = KeyStore.getInstance(trustStoreType);try {// 處理 classpath 資源ClassPathResource resource = new ClassPathResource(trustStorePath);InputStream in = resource.getInputStream();trustStore.load(in, trustStorePassword.toCharArray());in.close();} catch (IOException | NoSuchAlgorithmException | CertificateException e) {e.printStackTrace();}// 構建SSL上下文SSLContext sslContext = SSLContextBuilder.create()// 信任的證書.loadTrustMaterial(trustStore, null).build();SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(sslContext,// 禁用主機名驗證NoopHostnameVerifier.INSTANCE);HttpClient httpClient = HttpClients.custom().setSSLSocketFactory(socketFactory).build();HttpComponentsClientHttpRequestFactory factory =new HttpComponentsClientHttpRequestFactory(httpClient);return new RestTemplate(factory);}
}

請求controller代碼

package cn.git.http.controller;import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.client.RestTemplate;/*** @description: httpController測試接口* @program: bank-credit-sy* @author: lixuchun* @create: 2025-08-13*/
@Slf4j
@RestController
@RequestMapping("/http")
public class HttpController {@Autowiredprivate RestTemplate restTemplate;@GetMapping("/getHttpInfo")public String getHttpInfo() {log.info("getHttpInfo");return "http";}/*** GET獲取https服務信息** @return*/@GetMapping("/getHttpsInfo")public String getHttpsInfo() {return restTemplate.getForObject("https://3.2.36.116:443/https/getHttpsInfo", String.class);}/*** POST獲取https服務信息** @return*/@GetMapping("/getPostHttpsInfo")public String getPostHttpsInfo() {String requestBody = "{\"id\":\"1\",\"name\": \"jack\"}";// 創建請求頭，設置Content-Type為JSONHttpHeaders headers = new HttpHeaders();headers.setContentType(MediaType.APPLICATION_JSON);// 創建HttpEntityHttpEntity<String> requestEntity = new HttpEntity<>(requestBody, headers);// POST請求，調用https服務return restTemplate.postForObject("https://3.2.36.116:443/https/getPostHttpsInfo", requestEntity, String.class);}
}

application.yaml配置文件內容

spring:application:name: @project.artifactId@main:allow-bean-definition-overriding: trueserver:port: 80# https-server 客戶端公鑰密碼配置
client:ssl:# 服務端提供信任庫文件trust-store: truststore.jkstrust-store-type: JKS# 信任庫文件密碼trust-store-password: 888666li

并且我們需要將生成的信任庫文件放入到 resoures 目錄之中

在這里插入圖片描述

2.2.3 https-server服務

controller測試接口文件

package cn.git.https.controller;import cn.git.https.vo.HttpsInVO;
import com.alibaba.fastjson.JSONObject;
import org.springframework.web.bind.annotation.*;/*** @description: httpController測試接口* @program: bank-credit-sy* @author: lixuchun* @create: 2025-08-13*/
@RestController
@RequestMapping("/https")
public class HttpsController {@GetMapping("/getHttpsInfo")public String getHttpInfo() {return "https";}@PostMapping("/getPostHttpsInfo")public String getPostHttpInfo(@RequestBody HttpsInVO httpsInVO) {return JSONObject.toJSONString(httpsInVO);}
}

POST形式調用參數inVO文件

package cn.git.https.vo;import lombok.AllArgsConstructor;
import lombok.Data;
import lombok.NoArgsConstructor;/*** @description: 傳入inVO* @program: bank-credit-sy* @author: lixuchun* @create: 2025-08-13*/
@Data
@NoArgsConstructor
@AllArgsConstructor
public class HttpsInVO {private String id;private String name;
}

application.yaml 服務配置文件

spring:application:name: @project.artifactId@main:allow-bean-definition-overriding: trueserver:port: 443ssl:# 服務器端HTTPS證書key-store: classpath:httpsSecurityKey.p12# 服務器端HTTPS證書密碼key-store-password: 666888li# 服務器端HTTPS證書別名key-alias: httpsSecurity# 服務器端HTTPS證書類型,默認JKSkey-store-type: PKCS12# 新增的雙向認證配置# 信任庫（包含客戶端公鑰證書）trust-store: classpath:truststoreSecond.jks# 信任庫密碼trust-store-password: 888666secondli# 要求客戶端認證 : want-不強制希望，need-強制，none-不認證client-auth: need

注意，我們需要將生成的服務證書以及另一個https服務提供的信任庫文件放到resources目錄中

在這里插入圖片描述

2.2.4 https-server-second服務

RestTemplate配置，此為雙向驗證，所以與http-server的restTemplate配置略有不同

package cn.git.https.config;import cn.hutool.core.util.StrUtil;
import org.apache.http.client.HttpClient;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContextBuilder;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ClassPathResource;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.web.client.RestTemplate;import javax.net.ssl.SSLContext;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.security.*;
import java.security.cert.CertificateException;/*** @description: RestTemplate 配置類* @program: bank-credit-sy* @author: lixuchun* @create: 2025-08-13*/
@Configuration
public class RestTemplateConfig {@Value("${client.ssl.trust-store}")private String trustStorePath;@Value("${client.ssl.trust-store-password}")private String trustStorePassword;@Value("${client.ssl.trust-store-type}")private String trustStoreType;@Value("${server.ssl.key-store}")private String keyStorePath;@Value("${server.ssl.key-store-password}")private String keyStorePassword;@Value("${server.ssl.key-store-type}")private String keyStoreType;/*** 創建RestTemplate實例** @return* @throws KeyStoreException* @throws NoSuchAlgorithmException* @throws KeyManagementException*/@Beanpublic RestTemplate restTemplate() throws KeyStoreException, NoSuchAlgorithmException, KeyManagementException, UnrecoverableKeyException {// 加載客戶端證書（用于雙向認證）KeyStore keyStore = KeyStore.getInstance(keyStoreType);try {// 處理 classpath 資源ClassPathResource resource = new ClassPathResource(keyStorePath.substring(10));InputStream in = resource.getInputStream();keyStore.load(in, keyStorePassword.toCharArray());in.close();} catch (IOException | NoSuchAlgorithmException | CertificateException e) {e.printStackTrace();}// 加載信任證書KeyStore trustStore = KeyStore.getInstance(trustStoreType);try {// 處理 classpath 資源ClassPathResource resource = new ClassPathResource(trustStorePath);InputStream in = resource.getInputStream();trustStore.load(in, trustStorePassword.toCharArray());in.close();} catch (IOException | NoSuchAlgorithmException | CertificateException e) {e.printStackTrace();}// 構建SSL上下文SSLContext sslContext = SSLContextBuilder.create().loadKeyMaterial(keyStore, keyStorePassword.toCharArray())// 信任的證書.loadTrustMaterial(trustStore, null).build();SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(sslContext,// 禁用主機名驗證NoopHostnameVerifier.INSTANCE);// 創建HttpClient實例HttpClient httpClient = HttpClients.custom().setSSLSocketFactory(socketFactory).build();// 創建RestTemplate實例HttpComponentsClientHttpRequestFactory factory = new HttpComponentsClientHttpRequestFactory(httpClient);return new RestTemplate(factory);}
}

controller測試接口代碼

package cn.git.https.controller;import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.client.RestTemplate;/*** @description: second-https controller測試接口* @program: bank-credit-sy* @author: lixuchun* @create: 2025-08-13*/
@RestController
@RequestMapping("/https")
public class HttpsSecondController {@Autowiredprivate RestTemplate restTemplate;@GetMapping("/getLocalHttpsSecondInfo")public String getHttpInfo() {return "getHttpsSecondInfo";}/*** GET獲取https服務信息** @return*/@GetMapping("/getHttpsSecondInfo")public String getHttpsSecondInfo() {return restTemplate.getForObject("https://3.2.36.116:443/https/getHttpsInfo", String.class);}/*** POST獲取https服務信息** @return*/@GetMapping("/getPostHttpsSecondInfo")public String getPostHttpsInfo() {String requestBody = "{\"id\":\"1\",\"name\": \"jack\"}";// 創建請求頭，設置Content-Type為JSONHttpHeaders headers = new HttpHeaders();headers.setContentType(MediaType.APPLICATION_JSON);// 創建HttpEntityHttpEntity<String> requestEntity = new HttpEntity<>(requestBody, headers);// POST請求，調用https服務return restTemplate.postForObject("https://3.2.36.116:443/https/getPostHttpsInfo", requestEntity, String.class);}
}

application.yaml配置文件信息

spring:application:name: @project.artifactId@main:allow-bean-definition-overriding: true# 服務器端HTTPS配置
server:port: 8443ssl:# 服務器端HTTPS證書key-store: classpath:httpsSecuritySecondKey.p12# 服務器端HTTPS證書密碼key-store-password: 666888secondli# 服務器端HTTPS證書別名key-alias: httpsSecuritySecond# 服務器端HTTPS證書類型key-store-type: PKCS12# 新增的雙向認證配置# 信任庫（包含客戶端公鑰證書）trust-store: classpath:truststore.jks# 信任庫密碼trust-store-password: 888666li# 要求客戶端認證 : want-不強制希望，need-強制，none-不認證client-auth: none# https-server 客戶端公鑰密碼配置
client:ssl:# 服務端提供信任庫文件trust-store: truststore.jks# 服務端提供信任庫文件類型trust-store-type: JKS# 信任庫文件密碼trust-store-password: 888666li