AS2协议详解(三)[通俗易懂]

AS2协议本身比较复杂，我们不需要了解其中太多细节，只需要知道一些重要概念就行了。

AS2是基于HTTP/HTTPS的，消息的格式使用MIME,就是邮件的格式，使用SHA1或SHA2加RSA进行签名，使用S/MIME进行加密。S/MIME加密本质就是3DES或者AES加RSA加密，有了之前的基础应该就很清楚了。

AS2的通信双方称为partner,每个partner有个partnerId,通信双方需要交互彼此的公钥。

自己实现S/MIME加密比较复杂，我们引入以下包来加密，jdk15on支持jdk1.5-jdk1.8,其他jdk版可去maven上搜索对应的版本

    <dependency>
        <groupId>org.bouncycastle</groupId>
        <artifactId>bcmail-jdk15on</artifactId>
        <version>1.70</version>
    </dependency>

接下来是实现AS2发送文件的JAVA版本

@Test
public void testAS2() throws Exception {
    //注册证书提供者BC
    Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
    String password = "testas2";
    //生成mime消息体，放入待发送文件
    MimeBodyPart finalMessage = new MimeBodyPart();
    File file = new File("D:\\workspace\\data\\a.xml");
    finalMessage.setDataHandler(new DataHandler(new FileDataSource(file)));
    finalMessage.setHeader("Content-Type", "application/xml");
    finalMessage.setHeader("Content-Transfer-Encoding", "base64");
    finalMessage.setFileName(file.getName());
    //加载证书
    FileInputStream fis = new FileInputStream(new File("D:\\workspace\\OpenAs2App\\Server\\src\\config\\as2_certs.p12"));
    KeyStore keyStore = getKeyStore(fis, password, "PKCS12", "BC");
    PrivateKey privateKey = getPrivateKeyFromKeyStore(keyStore, "mycompany", "password");
    //签名
    X509Certificate signCert = getCertificate(keyStore, "mycompany");
    List certList = new ArrayList();
    certList.add(signCert);
    Store certs = new JcaCertStore(certList);

    SMIMESignedGenerator signer = new SMIMESignedGenerator();
    signer.setContentTransferEncoding("base64");
    //使用SHA1进行签名
    signer.addSignerInfoGenerator(new JcaSimpleSignerInfoGeneratorBuilder().setProvider("BC")
            .build("SHA1WITHRSA", privateKey, signCert));
    signer.addCertificates(certs);
    MimeMultipart signedMimeMultipart = signer.generate(finalMessage);
    finalMessage = new MimeBodyPart();
    finalMessage.setContent(signedMimeMultipart);
    finalMessage.setHeader("Content-Type", signedMimeMultipart.getContentType());

    //加密
    // 加载partner的数字证书
    X509Certificate cert = getCertificate(keyStore, "partnera");
    // 创建加密器
    SMIMEEnvelopedGenerator encryptor = new SMIMEEnvelopedGenerator();
    encryptor.addRecipientInfoGenerator(new JceKeyTransRecipientInfoGenerator(cert).setProvider("BC"));
    encryptor.setContentTransferEncoding("base64");
    //3DES加密
    JceCMSContentEncryptorBuilder jceCMSContentEncryptorBuilder =
            new JceCMSContentEncryptorBuilder(new ASN1ObjectIdentifier(SMIMEEnvelopedGenerator.DES_EDE3_CBC)).setProvider("BC");
    jceCMSContentEncryptorBuilder.setSecureRandom(new SecureRandom());
    // 进行加密
    MimeBodyPart encryptedPart = encryptor.generate(finalMessage, jceCMSContentEncryptorBuilder.build());

    //准备头字段
    InternetHeaders ih = new InternetHeaders();
    ih.addHeader("Connection", "close, TE");
    ih.addHeader("Message-ID", UUID.randomUUID().toString());
    ih.addHeader("Mime-Version", "1.0");
    ih.addHeader("Content-Type", encryptedPart.getContentType());
    ih.addHeader("AS2-To", "PartnerA_OID");
    ih.addHeader("AS2-From", "MyCompany_OID");
    ih.addHeader("Subject", "Subject: File a.xml sent from MyCompany to PartnerA");
    ih.addHeader("Disposition-Notification-To", "edi@myCompany.com");
    ih.addHeader("Content-Disposition", "attachment");

    String url = "http://localhost:10080";
    execRequest("POST", url, ih.getAllHeaders(), null, encryptedPart.getInputStream());
}

private static X509Certificate getCertificate(KeyStore keyStore,
                                              String alias) throws Exception {
    Certificate certificate = keyStore.getCertificate(alias);
    return (X509Certificate) certificate;
}

发送http请求的代码

public static void execRequest(String method, String url, Enumeration<Header> headers, NameValuePair[] params, InputStream inputStream) throws Exception {
    HttpClientBuilder httpBuilder = HttpClientBuilder.create();
    URL urlObj = new URL(url);
    /*
     * httpClient is used for this request only,
     * set a connection manager that manages just one connection.
     */
    if (urlObj.getProtocol().equalsIgnoreCase("https")) {
        /*
         * Note: registration of a custom SSLSocketFactory via httpBuilder.setSSLSocketFactory is ignored when a connection manager is set.
         * The custom SSLSocketFactory needs to be registered together with the connection manager.
         */
        SSLConnectionSocketFactory sslCsf = buildSslFactory();
        httpBuilder.setConnectionManager(new BasicHttpClientConnectionManager(RegistryBuilder.<ConnectionSocketFactory>create().register("http", PlainConnectionSocketFactory.getSocketFactory()).register("https", sslCsf).build()));
    } else {
        httpBuilder.setConnectionManager(new BasicHttpClientConnectionManager());
    }
    RequestBuilder rb = getRequestBuilder(method, urlObj, params, headers);

    if (inputStream != null) {
        InputStreamEntity ise = new InputStreamEntity(inputStream);
        rb.setEntity(ise);
    }
    final HttpUriRequest request = rb.build();

    try (CloseableHttpClient httpClient = httpBuilder.build()) {
        try (CloseableHttpResponse response = httpClient.execute(request)) {
            HttpEntity entity = response.getEntity();
            String result = EntityUtils.toString(entity);
            System.out.println(result);
        }
    }
}

private static SSLConnectionSocketFactory buildSslFactory() throws Exception {
    boolean overrideSslChecks = true;
    SSLContext sslcontext;
    sslcontext = SSLContexts.createSystemDefault();
    // String [] protocols = Properties.getProperty(HTTP_PROP_SSL_PROTOCOLS,
    // "TLSv1").split("\\s*,\\s*");
    HostnameVerifier hnv = SSLConnectionSocketFactory.getDefaultHostnameVerifier();
    if (overrideSslChecks) {
        hnv = new HostnameVerifier() {
            @Override
            public boolean verify(String hostname, SSLSession session) {
                return true;
            }
        };
    }
    SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(sslcontext, null, null, hnv);
    return sslsf;
}

private static RequestBuilder getRequestBuilder(String method, URL urlObj, NameValuePair[] params, Enumeration<Header> headers) throws URISyntaxException {
    RequestBuilder req = null;
    if (method == null || method.equalsIgnoreCase(Method.GET)) {
        //default get
        req = RequestBuilder.get();
    } else if (method.equalsIgnoreCase(Method.POST)) {
        req = RequestBuilder.post();
    } else if (method.equalsIgnoreCase(Method.HEAD)) {
        req = RequestBuilder.head();
    } else if (method.equalsIgnoreCase(Method.PUT)) {
        req = RequestBuilder.put();
    } else if (method.equalsIgnoreCase(Method.DELETE)) {
        req = RequestBuilder.delete();
    } else if (method.equalsIgnoreCase(Method.TRACE)) {
        req = RequestBuilder.trace();
    } else {
        throw new IllegalArgumentException("Illegal HTTP Method: " + method);
    }
    req.setUri(urlObj.toURI());
    if (params != null && params.length > 0) {
        req.addParameters(params);
    }
    if (headers != null) {
        while (headers.hasMoreElements()) {
            Header header = headers.nextElement();
            String headerValue = header.getValue();
            req.setHeader(header.getName(), headerValue);
        }
    }
    return req;
}

public abstract static class Method {
    public static final String GET = "GET";
    public static final String HEAD = "HEAD";
    public static final String POST = "POST";
    public static final String PUT = "PUT";
    public static final String DELETE = "DELETE";
    public static final String TRACE = "TRACE";
    public static final String CONNECT = "CONNECT";
}

代码讲解

来看这段代码，这段代码是加载证书库，方法上篇给出了，类型是PKCS12,BC是什么鬼？BC是证书提供者，如果是自己生成的证书，提供者是SUN，就不需要传了，我们这个证书是BC提供的所以需要传。

KeyStore keyStore = getKeyStore(fis, password, "PKCS12", "BC");

生成mime消息体，放入待发送文件那段代码很简单，就是获取待发送文件的输入流然后生成mime消息体，没啥好讲的,加载证书库获取私钥的代码前篇都讲过了，也很简单。

接下来是签名和加密，都是固定写法，唯一有改动的可能是签名的算法是SHA1还是SHA2，加密算法是3DES还是AES，需要告知接收方。这边需要注意的是签名是使用自己的私钥，对方用我们的公钥进行验签，加密是使用对方的公钥，对方用自己的私钥进行解密。

接下去就是准备头字段，填写自己的partnerId和对方的partnerId就行了

其实有现成的代码，集成AS2不难，如果是自己去找协议去实现，难度就相当大了。

​