update 优化加密升级到1024密钥增加密钥长度校验(不支持1024以下不安全)

2026-05-08 10:45:22 +08:00 · 2026-05-07 11:31:52 +08:00
parent 89530d875d
commit b95f2a0435
3 changed files with 76 additions and 9 deletions
--- a/ruoyi-common/ruoyi-common-encrypt/src/main/java/org/dromara/common/encrypt/filter/CryptoFilter.java
+++ b/ruoyi-common/ruoyi-common-encrypt/src/main/java/org/dromara/common/encrypt/filter/CryptoFilter.java
@@ -10,6 +10,7 @@ import org.dromara.common.core.utils.SpringUtils;
 import org.dromara.common.core.utils.StringUtils;
 import org.dromara.common.encrypt.annotation.ApiEncrypt;
 import org.dromara.common.encrypt.properties.ApiDecryptProperties;
+import org.dromara.common.encrypt.utils.EncryptUtils;
 import org.springframework.http.HttpMethod;
 import org.springframework.web.method.HandlerMethod;
 import org.springframework.web.servlet.HandlerExceptionResolver;
@@ -29,6 +30,8 @@ public class CryptoFilter implements Filter {

    public CryptoFilter(ApiDecryptProperties properties) {
        this.properties = properties;
+        EncryptUtils.validateRsaPublicKey(properties.getPublicKey());
+        EncryptUtils.validateRsaPrivateKey(properties.getPrivateKey());
    }

    @Override
--- a/ruoyi-common/ruoyi-common-encrypt/src/main/java/org/dromara/common/encrypt/utils/EncryptUtils.java
+++ b/ruoyi-common/ruoyi-common-encrypt/src/main/java/org/dromara/common/encrypt/utils/EncryptUtils.java
@@ -10,6 +10,13 @@ import cn.hutool.crypto.asymmetric.RSA;
 import cn.hutool.crypto.asymmetric.SM2;

 import java.nio.charset.StandardCharsets;
+import java.security.GeneralSecurityException;
+import java.security.KeyFactory;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.interfaces.RSAKey;
+import java.security.spec.PKCS8EncodedKeySpec;
+import java.security.spec.X509EncodedKeySpec;
 import java.util.HashMap;
 import java.util.Map;

@@ -20,6 +27,11 @@ import java.util.Map;
 */
 public class EncryptUtils {

+    /**
+     * RSA密钥最小位数
+     */
+    public static final int MIN_RSA_KEY_SIZE = 1024;
+
    /**
     * 公钥
     */
@@ -272,11 +284,17 @@ public class EncryptUtils {
     * @return 公私钥Map
     */
    public static Map<String, String> generateRsaKey() {
-        Map<String, String> keyMap = new HashMap<>(2);
-        RSA rsa = SecureUtil.rsa();
-        keyMap.put(PRIVATE_KEY, rsa.getPrivateKeyBase64());
-        keyMap.put(PUBLIC_KEY, rsa.getPublicKeyBase64());
-        return keyMap;
+        try {
+            Map<String, String> keyMap = new HashMap<>(2);
+            KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
+            keyPairGenerator.initialize(MIN_RSA_KEY_SIZE);
+            KeyPair keyPair = keyPairGenerator.generateKeyPair();
+            keyMap.put(PRIVATE_KEY, java.util.Base64.getEncoder().encodeToString(keyPair.getPrivate().getEncoded()));
+            keyMap.put(PUBLIC_KEY, java.util.Base64.getEncoder().encodeToString(keyPair.getPublic().getEncoded()));
+            return keyMap;
+        } catch (GeneralSecurityException e) {
+            throw new IllegalStateException("生成RSA密钥失败", e);
+        }
    }

    /**
@@ -290,6 +308,7 @@ public class EncryptUtils {
        if (StrUtil.isBlank(publicKey)) {
            throw new IllegalArgumentException("RSA需要传入公钥进行加密");
        }
+        validateRsaPublicKey(publicKey);
        RSA rsa = SecureUtil.rsa(null, publicKey);
        return rsa.encryptBase64(data, StandardCharsets.UTF_8, KeyType.PublicKey);
    }
@@ -305,6 +324,7 @@ public class EncryptUtils {
        if (StrUtil.isBlank(publicKey)) {
            throw new IllegalArgumentException("RSA需要传入公钥进行加密");
        }
+        validateRsaPublicKey(publicKey);
        RSA rsa = SecureUtil.rsa(null, publicKey);
        return rsa.encryptHex(data, StandardCharsets.UTF_8, KeyType.PublicKey);
    }
@@ -320,10 +340,54 @@ public class EncryptUtils {
        if (StrUtil.isBlank(privateKey)) {
            throw new IllegalArgumentException("RSA需要传入私钥进行解密");
        }
+        validateRsaPrivateKey(privateKey);
        RSA rsa = SecureUtil.rsa(privateKey, null);
        return rsa.decryptStr(data, KeyType.PrivateKey, StandardCharsets.UTF_8);
    }

+    /**
+     * 校验RSA公钥最低位数
+     *
+     * @param publicKey 公钥
+     */
+    public static void validateRsaPublicKey(String publicKey) {
+        if (StrUtil.isBlank(publicKey)) {
+            throw new IllegalArgumentException("RSA需要传入公钥");
+        }
+        try {
+            byte[] keyBytes = java.util.Base64.getDecoder().decode(publicKey);
+            RSAKey rsaKey = (RSAKey) KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(keyBytes));
+            validateRsaKeySize(rsaKey);
+        } catch (IllegalArgumentException | GeneralSecurityException e) {
+            throw new IllegalArgumentException("RSA公钥格式错误或密钥长度低于" + MIN_RSA_KEY_SIZE + "位", e);
+        }
+    }
+
+    /**
+     * 校验RSA私钥最低位数
+     *
+     * @param privateKey 私钥
+     */
+    public static void validateRsaPrivateKey(String privateKey) {
+        if (StrUtil.isBlank(privateKey)) {
+            throw new IllegalArgumentException("RSA需要传入私钥");
+        }
+        try {
+            byte[] keyBytes = java.util.Base64.getDecoder().decode(privateKey);
+            RSAKey rsaKey = (RSAKey) KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(keyBytes));
+            validateRsaKeySize(rsaKey);
+        } catch (IllegalArgumentException | GeneralSecurityException e) {
+            throw new IllegalArgumentException("RSA私钥格式错误或密钥长度低于" + MIN_RSA_KEY_SIZE + "位", e);
+        }
+    }
+
+    private static void validateRsaKeySize(RSAKey rsaKey) {
+        int keySize = rsaKey.getModulus().bitLength();
+        if (keySize < MIN_RSA_KEY_SIZE) {
+            throw new IllegalArgumentException("RSA密钥长度不能低于" + MIN_RSA_KEY_SIZE + "位，当前为" + keySize + "位");
+        }
+    }
+
    /**
     * md5加密
     *