支付宝RSA2公钥证书生成
前言
支付宝新的转账接口例如转账“alipay.fund.trans.uni.transfer”接口已经在推新的公钥证书模式,由支付宝作为CA帮我们的公钥做签发这样可以在与支付宝通讯时防止通信内容内容被篡改,因此安全性得到了提升,双向通信都需要做验证,但是我们通常在测试情况下需要自身mock支付宝的返回,以此验证各种情况下程序的正确性,生产可以直接下载支付宝CA签名好的公钥,这样就需要我们类似于支付宝做一个自签名的公钥证书,自签发后提供给我们的测试程序使用,同时私钥由mock程序持有来模拟支付宝服务端做签名,下面将分别介绍两种借助支付宝开放平台开发助手和openssl来生成公钥证书,并且第三节提供了测试代码可以用于测试公私钥
支付宝开放平台开发助手生成
支付宝开放平台开发助手使用介绍以及下载地址
上述文档可以指导我们配置生产证书,但是要用它做mock还需要自签名拿到公钥证书,进行下面步骤
生成秘钥→RSA2→PCKS8点击生成秘钥 获得:应用公钥 2048.txt、应用私钥 2048.txt获取CSR文件->点击获取→RSA2→ PKCS8填一下参数点击生成CSR文件:获得xx.scr文件(这里演示代指为.csr),scr是签名请求文件第一步生成的:应用私钥 2048.txt是PKCS8格式的私钥,签名需要PKCS1格式的私钥,可以用工具中的格式转换→转PKCS1做转换转换完成后得到PKCS1文本保存到本地,(此处演示使用pri_pkcs1.crt命名)注意3步骤得到的PKCS1文本需要按照65字符换行且加上头尾,头:-----BEGIN RSA PRIVATE KEY----- 尾:-----END RSA PRIVATE KEY-----使用openssl做自签名,命令:openssl x509 -req -in .csr -out testpem.crt -signkey pri_pkcs1.crt -days 3650这样我们就模拟CA为我们的公钥做了签名得到的testpem.crt证书就可以作为公钥证书使用了,加签、加密看要求是PKCS1可以用pri_pkcs1.crt、或者用PKCS8可用应用私钥 2048.txt(加上头尾-----BEGIN PRIVATE KEY-----、-----END PRIVATE KEY-----) (可以改个名如pri_pkcs8.crt )
使用openssl生成
通常mac电脑自带openssl无需额外安装
使用命令:openssl genrsa -out server.crt 2048 获得PKCS1证书使用命令:openssl pkcs8 -topk8
-inform PEM -in server.crt -outform PEM -nocrypt 可以生成不带密码的PKCS8格式的证书,可以保持为文件,这里演示保存为testprivate_pkcs8.key使用命令:openssl req -new -key server.crt -out server.csr
并根据提示输入证书信息,得到包含自身信息的证书请求文件用于请求CA为自己的公钥做签名,最后一个是密码不需要直接回车跳过使用命令:openssl x509 -req -in server.csr -out server_pem.crt -signkey
server.crt -days
3650,这样可以用自己的私钥代替CA为自己做签名,证书有效期足够使用了,注意这个不是受信任的CA签发的证书所以无法在生产环境受信任但是测试环境没问题最后公钥证书为server_pem.crt、私钥按格式分别为:
server.crt(pkcs1)和3中生成的testprivate_pkcs8.key
测试代码(golang)
下附测试证书
package mainimport ("crypto""crypto/rand""crypto/rsa""crypto/sha256""crypto/x509""encoding/base64""encoding/json""encoding/pem""errors""fmt""io/ioutil")func main() {// 待签名参数集params := "123123123,模拟待签名参数"// 从文件加载公钥证书err := LoadPublicCertFromFile("test_pub.pem")if err != nil {fmt.Println("LoadPublicCertFromFile, err=", err)return}// 加载私钥err = LoadPrivateCertFromFile("test_pri.crt")if err != nil {fmt.Println("LoadPrivateCertFromFile, err=", err)return}jsonData, err := json.Marshal(params)if err != nil {fmt.Println("json.Marshal failed, err=", err)return}signature, err := sign(jsonData)if err != nil {fmt.Println("sign failed, err=", err)return}fmt.Println("signature=", signature)err = verify(params, signature)if err != nil {fmt.Println("verify failed, err=", err)return}fmt.Println("sign and verify success!")}// sign 生成签名func sign(data []byte) (signature string, err error) {hash := sha256.New()hash.Write(data)digest := hash.Sum(nil)rsaSign, err := rsa.SignPKCS1v15(rand.Reader, c.privateKey, crypto.SHA256, digest)if err != nil {return}signature = base64.StdEncoding.EncodeToString(rsaSign)return}// verify 验签func verify(params, sign string) (err error) {b, err := base64.StdEncoding.DecodeString(sign)if err != nil {return}jsonData, err := json.Marshal(params)if err != nil {fmt.Println(err)return}hash := sha256.New()hash.Write(jsonData)digest := hash.Sum(nil)return rsa.VerifyPKCS1v15(c.publicKey, crypto.SHA256, digest, b)}// Cli 公私钥type Cli struct {publicKey *rsa.PublicKey // 支付宝公钥privateKey *rsa.PrivateKey // 私钥}var c Cli// LoadPublicCertFromFile 从指定路径加载支付宝公钥func LoadPublicCertFromFile(p string) (err error) {b, err := ioutil.ReadFile(p)if err != nil {return}block, _ := pem.Decode(b)if block == nil {return errors.New("certificate failed to load")}// 这里先解析为x509格式证书方便我们提取证书sn,演示不做提取csr, err := x509.ParseCertificate(block.Bytes)if err != nil {fmt.Println("x509.ParseCertificate failed, err=", err)return}var ok boolc.publicKey, ok = csr.PublicKey.(*rsa.PublicKey)if !ok {err = errors.New("csr.PublicKey failed")}return}// LoadPrivateCertFromFile 从指定路径加载支付宝私钥func LoadPrivateCertFromFile(p string) (err error) {cont, err := ioutil.ReadFile(p)if err != nil {return}block, _ := pem.Decode(cont)if block == nil {return fmt.Errorf("decode public key file fail")}// 这里推荐用PKCS8格式的私钥key, err := x509.ParsePKCS8PrivateKey(block.Bytes)if err != nil {return}var ok boolc.privateKey, ok = key.(*rsa.PrivateKey)if !ok {err = errors.New("cert.PublicKey failed")}return}
// 附测试证书一对,仅供测试使用// 公钥证书 server_pem.crt-----BEGIN CERTIFICATE-----MIIDgjCCAmoCCQDVk64MUGbLHzANBgkqhkiG9w0BAQUFADCBgjELMAkGA1UEBhMCQ04xCzAJBgNVBAgMAkJKMQswCQYDVQQHDAJCSjEUMBIGA1UECgwLdGVzdGNvbXBhbnkxDTALBgNVBAsMBHRlc3QxFjAUBgNVBAMMDXRlc3QudGVzdC5jb20xHDAaBgkqhkiG9w0BCQEWDXRlc3RAdGVzdC5jb20wHhcNMjAwNTI4MTAyMTE4WhcNMzAwNTI2MTAyMTE4WjCBgjELMAkGA1UEBhMCQ04xCzAJBgNVBAgMAkJKMQswCQYDVQQHDAJCSjEUMBIGA1UECgwLdGVzdGNvbXBhbnkxDTALBgNVBAsMBHRlc3QxFjAUBgNVBAMMDXRlc3QudGVzdC5jb20xHDAaBgkqhkiG9w0BCQEWDXRlc3RAdGVzdC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4n/5sN2WE2SqpRcNoyRMNoQntvVoVb1jrR9XX5TOjw3LdYBVQBLevXPsgk8cFTRoy0f+TaftoWaRSpVAlNPcLAoXFj6MNi/Sp56j8tx1jBM9ExV5cWAsgvNgV36ZrDNnw6cf3kKX/J3TOViyDKVHOKRLXk6wiAH/9avfA0dDF8SDFb6h6ISQuFcd1c5zKOTi264BJd0pWY4ScxrKP0KhBu+bxeVbq7GNQu/SZxzXO6213It9FBMZPnmDm2Dmz2wrbYvc/uPfqLV8DGRvAiAz95P3ifwiZUtilWiPdPO2NB5IysIJqE02xAM0ySxcVFXlqthxCP4TgYqELbuHOhVb3AgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAC3N5TsJQX/Z06LDCKQDH+UV2QtG6xRTlqhKBQBVlEkVNPyKURX8QgSOIy3rA3JkfDFwsOuaD4O2Xux80r7HVq80NWjguTcFBS5QnHsCc4j3v5PXqmyPAOhybnKDE9ZRZJEsWwqTrWI2RQ/96BKzIep02DUHxR9/Hj5i+LcRCAhROE2SHByuRW0oeDXNIrlihguCP5m4ABLXoz+no9rvyFPiX//zRXR2pyV3w9NHLjGRJLYITc0Ic5zHU3kPv/uw+GIQ4z4L0MJfir6xXVYj3jiqHo987TWd0Ir+qlSBgpz3o7GLgLjtViAUt/Z0dHUbkmLHaaH0DAxriTx4khU+Dmk=-----END CERTIFICATE-----// PKCS8格式私钥 testprivate_pkcs8.crt-----BEGIN PRIVATE KEY-----MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC4n/5sN2WE2SqpRcNoyRMNoQntvVoVb1jrR9XX5TOjw3LdYBVQBLevXPsgk8cFTRoy0f+TaftoWaRSpVAlNPcLAoXFj6MNi/Sp56j8tx1jBM9ExV5cWAsgvNgV36ZrDNnw6cf3kKX/J3TOViyDKVHOKRLXk6wiAH/9avfA0dDF8SDFb6h6ISQuFcd1c5zKOTi264BJd0pWY4ScxrKP0KhBu+bxeVbq7GNQu/SZxzXO6213It9FBMZPnmDm2Dmz2wrbYvc/uPfqLV8DGRvAiAz95P3ifwiZUtilWiPdPO2NB5IysIJqE02xAM0ySxcVFXlqthxCP4TgYqELbuHOhVb3AgMBAAECggEASoeL1XOnb7GbHyoicDJ7lozjzS0bKHwCkTg2gyjrZ7iGrgcTk3HUFN6cIdKGDQXLBajwWzn1W3KUeyhw6hQvhipGhjItyFIvOkdiWGIzYr2WTlS+etiv5U9Wi731GFHfyPkW2EF0QURUStdOsMQFWgwKpyvd2PwKrup3iUcp2D2GFCTlV0sk4kQNLOywQTm7BdY6A7vN5W6Nq29/6d7RBNrZ76ueubSECiAifx8GJN2i8R7R9gvO/I0lEFKgqYl2f5zzhQl8yhxvDyHA6i5ylooe6TrOOO7WgiQLnKiwxJYNYMYnK8mcoIeFVRH4+580z1sOxl0lkjmDfxToH8ECwQKBgQD0sfNdF5r+5DVTYgdhhP9rd/mVnxht1I1QaAtp0H1aIaL+uBXn/d4q4xVCFUMcASEMO0/OmxGAM73Gw5Ja/1DwOZQXProIrmvEAj3MwcwfmvWATcKJ/iz0Nf51tG1Z/RQtryNizMuPgrol9imnOrAhjv8JUSZHr/1OFWcBPgpG2wKBgQDBJ5VwWNfGQJQNunV4hewxuvI6TZNA0hHH41Jvv+EsLwAR2OE+Gu3iXB2iWIgTQ383DnG6nM/ZHCWjOC1SKbhRgaYgUEtScLGluqLz1/UCx/1LYsoMADLTUUw4QTs0EBQKkrCUGZh6qDyIdUReTdCN0/mqf/ZdoWzutRQdrKXFFQKBgGXb4bOBzQqH0s7oAqyMoYqKAcJP3OpzTXQIK6AbouKvF9uyo6PT4PS3XLUKhsoUij4+PmWB1ZIpd7lS1gy9NWMahNP8T5KnkMKiMDmY/rC1X7bOJ8ornWj3RPqYZeDM4eZ2fmN1XtNZlsWQqBwt6P2/OdkWB7pVvzsO27b/rWV7AoGBAJNke1qh0PYN7WyUbnOr7lL8jz8CV23NX5gi1ZNE3rTyoKD92NOlhQWIuWxbFmtsxDTlJs/6PXk1S1tD0QGzqF06C+T4oKGmMUmAJDzi/KpEpfrSxc9mj2JF1V3QGTdfVYvD6E77QSnIG3kd0zALPSwdJ5V91CgauJ9nOpRyXIUJAoGBAMdoNu5G9hZkbp3nLhfILWQOw9NwogUDkFCEtPf4oXc3rbqIol5QalE5WFqjNF2KIJeJJoJeNuuEyTse7m4GEZAR9JGjDdsxoVbQ/hOIJUyPKyxvONykgD3viWBBCUOtLJbMuDe2a/lWtddPWBTLzvxp7g5zMDSkZDM4hrbo5YBn-----END PRIVATE KEY-----
