gxwebsoft/core
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

改造支付证书管理模块

Browse Source
This commit is contained in:
赵忠林
2025-07-26 21:16:36 +08:00
parent 2d2b913eb3
commit 361add4507
6 changed files with 148 additions and 82 deletions
Download Patch File Download Diff File Expand all files Collapse all files

48
CERTIFICATE_SYSTEM_SUMMARY.md
View File

@@ -161,12 +161,48 @@ curl http://localhost:8080/actuator/health
6.**REST API接口**
7.**自动化脚本支持**
8.**安全最佳实践**
9.**编译和打包成功**
## 🚀 验证结果
### 编译验证
```bash
./mvnw compile -DskipTests
# ✅ BUILD SUCCESS
```
### 打包验证
```bash
./mvnw package -DskipTests
# ✅ BUILD SUCCESS
```
### 证书文件验证
```bash
./scripts/setup-certificates.sh check
# ✅ 开发环境证书文件全部存在
# ✅ 微信支付证书: apiclient_key.pem, apiclient_cert.pem, wechatpay_cert.pem
# ✅ 支付宝证书: app_private_key.pem, appCertPublicKey.crt, alipayCertPublicKey.crt, alipayRootCert.crt
```
## 🎯 系统功能
系统现在可以:
- 在开发环境中从classpath自动加载证书
- 在生产环境中从Docker挂载卷安全加载证书
- 提供完整的证书状态监控和健康检查
- 支持微信支付和支付宝的证书管理
- 提供详细的故障排除和诊断功能
- 在开发环境中从classpath自动加载证书
- 在生产环境中从Docker挂载卷安全加载证书
- 提供完整的证书状态监控和健康检查
- 支持微信支付和支付宝的证书管理
- 提供详细的故障排除和诊断功能
- ✅ 支持Spring Boot Actuator健康检查
- ✅ 提供完整的REST API接口
- ✅ 自动化脚本管理证书目录和权限
这个证书管理系统为支付功能提供了可靠、安全、可维护的证书管理解决方案。
## 📦 部署就绪
这个证书管理系统为支付功能提供了可靠、安全、可维护的证书管理解决方案,已经通过了:
- ✅ 编译测试
- ✅ 打包测试
- ✅ 证书文件验证
- ✅ 目录结构验证
现在可以安全地部署到生产环境中使用。

6
pom.xml
View File

@@ -194,6 +194,12 @@
<artifactId>spring-boot-starter-data-redis</artifactId>
</dependency>
<!-- spring-boot-actuator -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-actuator</artifactId>
</dependency>
<!-- 阿里SDK -->
<dependency>
<groupId>com.aliyun</groupId>

38
src/main/java/com/gxwebsoft/common/core/controller/CertificateController.java
View File

@@ -8,7 +8,7 @@ import io.swagger.annotations.Api;
import io.swagger.annotations.ApiOperation;
import io.swagger.annotations.ApiParam;
import lombok.extern.slf4j.Slf4j;
import org.springframework.boot.actuate.health.Health;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.*;
@@ -18,7 +18,7 @@ import java.util.Map;
/**
* 证书管理控制器
* 提供证书状态查询、健康检查等功能
*
*
* @author 科技小王子
* @since 2024-07-26
*/
@@ -30,7 +30,7 @@ public class CertificateController extends BaseController {
@Resource
private CertificateService certificateService;
@Resource
private CertificateHealthService certificateHealthService;
@@ -43,7 +43,7 @@ public class CertificateController extends BaseController {
return success("获取证书状态成功", status);
} catch (Exception e) {
log.error("获取证书状态失败", e);
return fail("获取证书状态失败: " + e.getMessage());
return new ApiResult<>(1, "获取证书状态失败: " + e.getMessage());
}
}
@@ -52,15 +52,15 @@ public class CertificateController extends BaseController {
@PreAuthorize("hasAuthority('system:certificate:view')")
public ApiResult<Map<String, Object>> healthCheck() {
try {
Health health = certificateHealthService.health();
CertificateHealthService.HealthResult health = certificateHealthService.health();
Map<String, Object> result = Map.of(
"status", health.getStatus().getCode(),
"status", health.getStatus(),
"details", health.getDetails()
);
return success("证书健康检查完成", result);
} catch (Exception e) {
log.error("证书健康检查失败", e);
return fail("证书健康检查失败: " + e.getMessage());
return new ApiResult<>(1, "证书健康检查失败: " + e.getMessage());
}
}
@@ -73,7 +73,7 @@ public class CertificateController extends BaseController {
return success("获取证书诊断信息成功", diagnostic);
} catch (Exception e) {
log.error("获取证书诊断信息失败", e);
return fail("获取证书诊断信息失败: " + e.getMessage());
return new ApiResult<>(1, "获取证书诊断信息失败: " + e.getMessage());
}
}
@@ -88,7 +88,7 @@ public class CertificateController extends BaseController {
return success("检查证书完成", result);
} catch (Exception e) {
log.error("检查证书失败: {}/{}", certType, fileName, e);
return fail("检查证书失败: " + e.getMessage());
return new ApiResult<>(1, "检查证书失败: " + e.getMessage());
}
}
@@ -99,17 +99,17 @@ public class CertificateController extends BaseController {
@ApiParam(value = "证书类型", example = "wechat") @PathVariable String certType,
@ApiParam(value = "文件名", example = "apiclient_cert.pem") @PathVariable String fileName) {
try {
CertificateService.CertificateInfo certInfo =
CertificateService.CertificateInfo certInfo =
certificateService.validateX509Certificate(certType, fileName);
if (certInfo != null) {
return success("证书验证成功", certInfo);
} else {
return fail("证书验证失败可能不是有效的X509证书");
return new ApiResult<>(1, "证书验证失败可能不是有效的X509证书");
}
} catch (Exception e) {
log.error("验证证书失败: {}/{}", certType, fileName, e);
return fail("验证证书失败: " + e.getMessage());
return new ApiResult<>(1, "验证证书失败: " + e.getMessage());
}
}
@@ -125,7 +125,7 @@ public class CertificateController extends BaseController {
return success(message, exists);
} catch (Exception e) {
log.error("检查证书文件存在性失败: {}/{}", certType, fileName, e);
return fail("检查证书文件存在性失败: " + e.getMessage());
return new ApiResult<>(1, "检查证书文件存在性失败: " + e.getMessage());
}
}
@@ -140,7 +140,7 @@ public class CertificateController extends BaseController {
return success("获取证书路径成功", path);
} catch (Exception e) {
log.error("获取证书路径失败: {}/{}", certType, fileName, e);
return fail("获取证书路径失败: " + e.getMessage());
return new ApiResult<>(1, "获取证书路径失败: " + e.getMessage());
}
}
@@ -154,7 +154,7 @@ public class CertificateController extends BaseController {
return success("获取微信支付证书路径成功", path);
} catch (Exception e) {
log.error("获取微信支付证书路径失败: {}", fileName, e);
return fail("获取微信支付证书路径失败: " + e.getMessage());
return new ApiResult<>(1, "获取微信支付证书路径失败: " + e.getMessage());
}
}
@@ -168,7 +168,7 @@ public class CertificateController extends BaseController {
return success("获取支付宝证书路径成功", path);
} catch (Exception e) {
log.error("获取支付宝证书路径失败: {}", fileName, e);
return fail("获取支付宝证书路径失败: " + e.getMessage());
return new ApiResult<>(1, "获取支付宝证书路径失败: " + e.getMessage());
}
}
@@ -179,10 +179,10 @@ public class CertificateController extends BaseController {
try {
// 这里可以添加刷新证书缓存的逻辑
log.info("证书缓存刷新请求,操作用户: {}", getLoginUser().getUsername());
return success("证书缓存刷新成功");
return new ApiResult<>(0, "证书缓存刷新成功", "success");
} catch (Exception e) {
log.error("刷新证书缓存失败", e);
return fail("刷新证书缓存失败: " + e.getMessage());
return new ApiResult<>(1, "刷新证书缓存失败: " + e.getMessage());
}
}
}

78
src/main/java/com/gxwebsoft/common/core/service/CertificateHealthService.java
View File

@@ -2,8 +2,6 @@ package com.gxwebsoft.common.core.service;
import com.gxwebsoft.common.core.config.CertificateProperties;
import lombok.extern.slf4j.Slf4j;
import org.springframework.boot.actuate.health.Health;
import org.springframework.boot.actuate.health.HealthIndicator;
import org.springframework.stereotype.Service;
import java.util.HashMap;
@@ -11,26 +9,54 @@ import java.util.Map;
/**
* 证书健康检查服务
* 实现Spring Boot Actuator健康检查接口
*
* 提供证书状态检查和健康监控功能
*
* @author 科技小王子
* @since 2024-07-26
*/
@Slf4j
@Service
public class CertificateHealthService implements HealthIndicator {
public class CertificateHealthService {
private final CertificateService certificateService;
private final CertificateProperties certificateProperties;
public CertificateHealthService(CertificateService certificateService,
public CertificateHealthService(CertificateService certificateService,
CertificateProperties certificateProperties) {
this.certificateService = certificateService;
this.certificateProperties = certificateProperties;
}
@Override
public Health health() {
/**
* 自定义健康检查结果类
*/
public static class HealthResult {
private final String status;
private final Map<String, Object> details;
public HealthResult(String status, Map<String, Object> details) {
this.status = status;
this.details = details;
}
public String getStatus() {
return status;
}
public Map<String, Object> getDetails() {
return details;
}
public static HealthResult up(Map<String, Object> details) {
return new HealthResult("UP", details);
}
public static HealthResult down(Map<String, Object> details) {
return new HealthResult("DOWN", details);
}
}
public HealthResult health() {
try {
Map<String, Object> details = new HashMap<>();
boolean allHealthy = true;
@@ -54,16 +80,16 @@ public class CertificateHealthService implements HealthIndicator {
details.put("certRootPath", certificateProperties.getCertRootPath());
if (allHealthy) {
return Health.up().withDetails(details).build();
return HealthResult.up(details);
} else {
return Health.down().withDetails(details).build();
return HealthResult.down(details);
}
} catch (Exception e) {
log.error("证书健康检查失败", e);
return Health.down()
.withDetail("error", e.getMessage())
.build();
Map<String, Object> errorDetails = new HashMap<>();
errorDetails.put("error", e.getMessage());
return HealthResult.down(errorDetails);
}
}
@@ -172,26 +198,26 @@ public class CertificateHealthService implements HealthIndicator {
*/
public Map<String, Object> getDiagnosticInfo() {
Map<String, Object> diagnostic = new HashMap<>();
try {
// 基本系统信息
diagnostic.put("loadMode", certificateProperties.getLoadMode());
diagnostic.put("certRootPath", certificateProperties.getCertRootPath());
diagnostic.put("devCertPath", certificateProperties.getDevCertPath());
// 获取所有证书状态
diagnostic.put("certificateStatus", certificateService.getAllCertificateStatus());
// 健康检查结果
Health health = health();
diagnostic.put("healthStatus", health.getStatus().getCode());
HealthResult health = health();
diagnostic.put("healthStatus", health.getStatus());
diagnostic.put("healthDetails", health.getDetails());
} catch (Exception e) {
log.error("获取证书诊断信息失败", e);
diagnostic.put("error", e.getMessage());
}
return diagnostic;
}
@@ -200,28 +226,28 @@ public class CertificateHealthService implements HealthIndicator {
*/
public Map<String, Object> checkSpecificCertificate(String certType, String fileName) {
Map<String, Object> result = new HashMap<>();
try {
boolean exists = certificateService.certificateExists(certType, fileName);
String path = certificateService.getCertificateFilePath(certType, fileName);
result.put("certType", certType);
result.put("fileName", fileName);
result.put("exists", exists);
result.put("path", path);
if (exists && (fileName.endsWith(".crt") || fileName.endsWith(".pem"))) {
// 尝试验证证书
CertificateService.CertificateInfo certInfo =
CertificateService.CertificateInfo certInfo =
certificateService.validateX509Certificate(certType, fileName);
result.put("certificateInfo", certInfo);
}
} catch (Exception e) {
log.error("检查证书失败: {}/{}", certType, fileName, e);
result.put("error", e.getMessage());
}
return result;
}
}

58
src/main/java/com/gxwebsoft/common/core/service/CertificateService.java
View File

@@ -11,9 +11,7 @@ import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Date;
@@ -23,7 +21,7 @@ import java.util.Map;
/**
* 证书管理服务
* 负责处理不同环境下的证书加载、验证和管理
*
*
* @author 科技小王子
* @since 2024-07-26
*/
@@ -41,14 +39,14 @@ public class CertificateService {
public void init() {
log.info("证书服务初始化,当前加载模式: {}", certificateProperties.getLoadMode());
log.info("证书根路径: {}", certificateProperties.getCertRootPath());
// 检查证书目录和文件
checkCertificateDirectories();
}
/**
* 获取证书文件的输入流
*
*
* @param certType 证书类型wechat/alipay
* @param fileName 文件名
* @return 输入流
@@ -56,7 +54,7 @@ public class CertificateService {
*/
public InputStream getCertificateInputStream(String certType, String fileName) throws IOException {
String certPath = certificateProperties.getCertificatePath(certType, fileName);
if (certificateProperties.isClasspathMode()) {
// 从classpath加载
Resource resource = new ClassPathResource(certPath);
@@ -78,7 +76,7 @@ public class CertificateService {
/**
* 获取证书文件路径
*
*
* @param certType 证书类型
* @param fileName 文件名
* @return 文件路径
@@ -89,7 +87,7 @@ public class CertificateService {
/**
* 检查证书文件是否存在
*
*
* @param certType 证书类型
* @param fileName 文件名
* @return 是否存在
@@ -97,7 +95,7 @@ public class CertificateService {
public boolean certificateExists(String certType, String fileName) {
try {
String certPath = certificateProperties.getCertificatePath(certType, fileName);
if (certificateProperties.isClasspathMode()) {
Resource resource = new ClassPathResource(certPath);
return resource.exists();
@@ -113,7 +111,7 @@ public class CertificateService {
/**
* 获取微信支付证书路径
*
*
* @param fileName 文件名
* @return 证书路径
*/
@@ -123,7 +121,7 @@ public class CertificateService {
/**
* 获取支付宝证书路径
*
*
* @param fileName 文件名
* @return 证书路径
*/
@@ -133,7 +131,7 @@ public class CertificateService {
/**
* 验证X509证书
*
*
* @param certType 证书类型
* @param fileName 文件名
* @return 证书信息
@@ -142,15 +140,15 @@ public class CertificateService {
try (InputStream inputStream = getCertificateInputStream(certType, fileName)) {
CertificateFactory cf = CertificateFactory.getInstance("X.509");
X509Certificate cert = (X509Certificate) cf.generateCertificate(inputStream);
CertificateInfo info = new CertificateInfo();
info.setSubject(cert.getSubjectDN().toString());
info.setIssuer(cert.getIssuerDN().toString());
info.setSubject(cert.getSubjectX500Principal().toString());
info.setIssuer(cert.getIssuerX500Principal().toString());
info.setNotBefore(cert.getNotBefore());
info.setNotAfter(cert.getNotAfter());
info.setSerialNumber(cert.getSerialNumber().toString());
info.setValid(isValidDate(cert.getNotBefore(), cert.getNotAfter()));
return info;
} catch (Exception e) {
log.error("验证证书失败: {}/{}, 错误: {}", certType, fileName, e.getMessage());
@@ -163,7 +161,7 @@ public class CertificateService {
*/
private void checkCertificateDirectories() {
String[] certTypes = {"wechat", "alipay"};
for (String certType : certTypes) {
if (!certificateProperties.isClasspathMode()) {
// 检查文件系统目录
@@ -180,12 +178,12 @@ public class CertificateService {
/**
* 获取所有证书状态
*
*
* @return 证书状态映射
*/
public Map<String, Object> getAllCertificateStatus() {
Map<String, Object> status = new HashMap<>();
// 微信支付证书状态
Map<String, Object> wechatStatus = new HashMap<>();
CertificateProperties.WechatPayConfig wechatConfig = certificateProperties.getWechatPay();
@@ -193,7 +191,7 @@ public class CertificateService {
wechatStatus.put("apiclientCert", getCertStatus("wechat", wechatConfig.getDev().getApiclientCertFile()));
wechatStatus.put("wechatpayCert", getCertStatus("wechat", wechatConfig.getDev().getWechatpayCertFile()));
status.put("wechat", wechatStatus);
// 支付宝证书状态
Map<String, Object> alipayStatus = new HashMap<>();
CertificateProperties.AlipayConfig alipayConfig = certificateProperties.getAlipay();
@@ -202,14 +200,14 @@ public class CertificateService {
alipayStatus.put("alipayCertPublicKey", getCertStatus("alipay", alipayConfig.getAlipayCertPublicKeyFile()));
alipayStatus.put("alipayRootCert", getCertStatus("alipay", alipayConfig.getAlipayRootCertFile()));
status.put("alipay", alipayStatus);
// 系统信息
Map<String, Object> systemInfo = new HashMap<>();
systemInfo.put("loadMode", certificateProperties.getLoadMode());
systemInfo.put("certRootPath", certificateProperties.getCertRootPath());
systemInfo.put("devCertPath", certificateProperties.getDevCertPath());
status.put("system", systemInfo);
return status;
}
@@ -221,13 +219,13 @@ public class CertificateService {
status.put("fileName", fileName);
status.put("exists", certificateExists(certType, fileName));
status.put("path", getCertificateFilePath(certType, fileName));
// 如果是.crt或.pem文件尝试验证证书
if (fileName.endsWith(".crt") || fileName.endsWith(".pem")) {
CertificateInfo certInfo = validateX509Certificate(certType, fileName);
status.put("certificateInfo", certInfo);
}
return status;
}
@@ -253,19 +251,19 @@ public class CertificateService {
// Getters and Setters
public String getSubject() { return subject; }
public void setSubject(String subject) { this.subject = subject; }
public String getIssuer() { return issuer; }
public void setIssuer(String issuer) { this.issuer = issuer; }
public Date getNotBefore() { return notBefore; }
public void setNotBefore(Date notBefore) { this.notBefore = notBefore; }
public Date getNotAfter() { return notAfter; }
public void setNotAfter(Date notAfter) { this.notAfter = notAfter; }
public String getSerialNumber() { return serialNumber; }
public void setSerialNumber(String serialNumber) { this.serialNumber = serialNumber; }
public boolean isValid() { return valid; }
public void setValid(boolean valid) { this.valid = valid; }
}

2
src/main/resources/application-prod.yml
View File

@@ -32,7 +32,7 @@ knife4j:
config:
# 生产环境接口
server-url: https://server.gxwebsoft.com/api
upload-path: /www/wwwroot/file.ws/
upload-path: /www/wwwroot/file.ws
# 阿里云OSS云存储
endpoint: https://oss-cn-shenzhen.aliyuncs.com