外卖霸王餐API网关层签名验证:从HMAC到国密SM3的升级记录
一、背景:监管要求国密改造
2024年Q2监管发文:涉及用户补贴的接口须使用国密算法进行签名与验签。旧网关沿用HMAC-SHA256,必须无缝升级到SM3/SM4,且保持:
- 向下兼容旧版本客户端
- 零停机热切换
- 性能损耗<5%
二、老方案回顾:HMAC-SHA256
AppId→Header
Timestamp→Header
Nonce→Header
Body→UTF8字符串
Secret→HMAC(key, raw)
网关统一过滤器:
public class HmacFilter implements GlobalFilter {
public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
String sign = exchange.getRequest().getHeaders().getFirst("X-Sign");
String raw = buildRaw(exchange);
String expect = HmacSHA256Utils.sign(raw, secret);
if (!expect.equals(sign)) return deny(exchange);
return chain.filter(exchange);
}
}
峰值3w QPS,TP99 8ms。
三、新方案:SM3withSM4
- 摘要:SM3(256bit)
- 加密:SM4-CBC,密钥16字节,随机IV
- 签名数据:AppId+Timestamp+Nonce+SM3(Body)
- 结果转Base64放入
X-SM-Sign
四、SM3工具封装
package juwatech.cn.crypto;
public final class SM3Util {
private static final GMBaseCipher SM3 = new GMBaseCipher("SM3");
public static byte[] hash(byte[] data) {
return SM3.digest(data);
}
public static String sign(String raw, String secret) {
byte[] key = secret.getBytes(StandardCharsets.UTF_8);
byte[] data = raw.getBytes(StandardCharsets.UTF_8);
byte[] mac = HMacSM3.hmac(key, data); // 国密HMAC
return Base64.getEncoder().encodeToString(mac);
}
}
五、SM4加解密
package juwatech.cn.crypto;
public final class SM4Util {
public static byte[] encrypt(byte[] plain, byte[] key, byte[] iv) {
Cipher cipher = Cipher.getInstance("SM4/CBC/PKCS5Padding", "GMJCE");
SecretKeySpec keySpec = new SecretKeySpec(key, "SM4");
IvParameterSpec ivSpec = new IvParameterSpec(iv);
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec);
return cipher.doFinal(plain);
}
public static byte[] decrypt(byte[] cipher, byte[] key, byte[] iv) {
// 反向逻辑
}
}
六、网关过滤器升级
@Component
public class SmSignFilter implements GlobalFilter, Ordered {
@Override
public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
ServerHttpRequest req = exchange.getRequest();
String appId = req.getHeaders().getFirst("App-Id");
String ts = req.getHeaders().getFirst("Timestamp");
String nonce = req.getHeaders().getFirst("Nonce");
String smSign = req.getHeaders().getFirst("X-SM-Sign");
if (smSign == null) return oldHmacChain(exchange, chain); // 降级
String bodyStr = resolveBody(exchange);
String raw = appId + ts + nonce + Hex.toHexString(SM3Util.hash(bodyStr.getBytes()));
String secret = getSecret(appId);
String expect = SM3Util.sign(raw, secret);
if (!expect.equals(smSign)) return deny(exchange);
return chain.filter(exchange);
}
@Override
public int getOrder() { return -100; }
}
七、密钥管理:KMS+缓存
@Service
public class SecretService {
@Cacheable(value = "sm_secret", key = "#appId")
public String getSmSecret(String appId) {
return KMSClient.getSecret(appId + "/sm");
}
}
缓存30min,KMS异常时兜底用本地加解密文件。
八、灰度策略
配置中心增加feature.sm3=true:
- 新客户端Header带
X-SM-Version=2.0 - 老版本不带此头→走HMAC分支
- 监控
sm3_qps/hmac_qps比例,1周平滑到100%
九、性能压测
- 4C8G容器*3
- Gatling 5k并发持续5min
Hmac TP99 8ms → SM3 TP99 8.3ms,CPU+3%,满足<5%要求。
十、完整签名生成(客户端)
public static Map<String, String> buildSmHeader(String appId, String body, String secret) {
String ts = String.valueOf(System.currentTimeMillis() / 1000);
String nonce = UUID.randomUUID().toString();
byte[] hash = SM3Util.hash(body.getBytes(StandardCharsets.UTF_8));
String raw = appId + ts + nonce + Hex.toHexString(hash);
String sign = SM3Util.sign(raw, secret);
Map<String, String> map = new HashMap<>();
map.put("App-Id", appId);
map.put("Timestamp", ts);
map.put("Nonce", nonce);
map.put("X-SM-Sign", sign);
map.put("X-SM-Version", "2.0");
return map;
}
本文著作权归吃喝不愁app开发者团队,转载请注明出处!
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
