Combined from various references
JDK: https://github.com/Tencent/TencentKona-8
Code reference: https://github.com/Tencent/TencentKonaSMSuite
For the Spring Boot integration, the kona-demo module in the code reference above is enough.
Tongsuo SM (Chinese national crypto) library 8.4: https://github.com/Tongsuo-Project/Tongsuo
Generating the certificate-chain truststore and keystore
# You can first use angie together with tongsuo to generate all the SM certificates in one go
# Note: if the trust chain has several CA levels, every CA certificate must be imported into truststore.p12. keystore.p12 must contain the signing key with its certificate AND the encryption key with its certificate (a signing key alone does not work, damn it)
Generate the keystore.p12 file
# 1. Concatenate each leaf certificate with the CA certificate(s)
cat server_sign.crt ca.crt > combined_server_cert.pem
cat server_enc.crt ca.crt > combined_enc_server_cert.pem
# 2. Build the signing-certificate keystore.p12 and the encryption-certificate keystore_enc.p12
/usr/local/tongsuo/bin/openssl pkcs12 -export -out keystore.p12 -in combined_server_cert.pem -inkey server_sign.key -name server_sign -password pass:123456
/usr/local/tongsuo/bin/openssl pkcs12 -export -out keystore_enc.p12 -in combined_enc_server_cert.pem -inkey server_enc.key -name server_enc -password pass:123456
# 3. Merge the encryption entry into keystore.p12 so both key entries live in one store
/home/eseal-assembly1.1/start/TencentKona-8.0.20-432/bin/keytool -importkeystore -srckeystore keystore_enc.p12 -srcstoretype PKCS12 -srcstorepass 123456 -destkeystore keystore.p12 -deststoretype PKCS12 -deststorepass 123456
Generate the truststore.p12 file (repeat with a distinct alias for each additional CA level)
/home/eseal-assembly1.1/start/TencentKona-8.0.20-432/bin/keytool -importcert -file ca.crt -keystore truststore.p12 -storetype PKCS12 -alias ca
# Verify the files
/home/eseal-assembly1.1/start/TencentKona-8.0.20-432/bin/keytool -list -v -keystore keystore.p12 -storetype PKCS12 -storepass 123456
/home/eseal-assembly1.1/start/TencentKona-8.0.20-432/bin/keytool -list -v -keystore truststore.p12 -storetype PKCS12 -storepass 123456
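The procedure above as one script, added here as an example; it is not code from the original page, TencentKonaSMSuite or Tongsuo. It assumes the file names used above (server_sign.crt/.key, server_enc.crt/.key, ca.crt), the tongsuo openssl and Kona keytool paths from these notes, and the demo password 123456. CA_CHAIN may list several CA certificates, which generalizes the single-CA case above to a multi-level chain with one trusted entry per level. The check at the end parses keytool -list -v output and rejects a keystore that lacks either the server_sign or the server_enc PrivateKeyEntry, or whose chains are shorter than leaf plus every CA level, which is exactly the mistake the note above warns about.

```shell
#!/bin/sh
# Added example: build keystore.p12 / truststore.p12 for Kona TLCP and verify them.
# Not from the original page or the Kona/Tongsuo projects. Paths, file names,
# aliases and the store password below are assumptions taken from the notes above.
set -eu

OPENSSL=${OPENSSL:-/usr/local/tongsuo/bin/openssl}
KEYTOOL=${KEYTOOL:-/home/eseal-assembly1.1/start/TencentKona-8.0.20-432/bin/keytool}
STOREPASS=${STOREPASS:-123456}          # demo value only; inject a real one via the environment
CA_CHAIN=${CA_CHAIN:-ca.crt}            # every CA level, intermediate first, root last (assumed)

# keystore.p12 must hold BOTH key entries: the signing pair and the encryption pair,
# each with its full CA chain, otherwise the TLCP handshake cannot complete.
build_keystore() {
  cat server_sign.crt $CA_CHAIN > combined_server_cert.pem
  cat server_enc.crt  $CA_CHAIN > combined_enc_server_cert.pem
  "$OPENSSL" pkcs12 -export -out keystore.p12 -in combined_server_cert.pem \
      -inkey server_sign.key -name server_sign -password "pass:$STOREPASS"
  "$OPENSSL" pkcs12 -export -out keystore_enc.p12 -in combined_enc_server_cert.pem \
      -inkey server_enc.key -name server_enc -password "pass:$STOREPASS"
  "$KEYTOOL" -importkeystore -srckeystore keystore_enc.p12 -srcstoretype PKCS12 \
      -srcstorepass "$STOREPASS" -destkeystore keystore.p12 -deststoretype PKCS12 \
      -deststorepass "$STOREPASS"
}

# truststore.p12 gets one trustedCertEntry per CA level, aliases ca1, ca2, ...
build_truststore() {
  rm -f truststore.p12
  i=0
  for ca in $CA_CHAIN; do
    i=$((i + 1))
    "$KEYTOOL" -importcert -noprompt -file "$ca" -alias "ca$i" \
        -keystore truststore.p12 -storetype PKCS12 -storepass "$STOREPASS"
  done
}

# verify_listing LISTING ALIAS:TYPE:MINCHAIN ...
# LISTING is a file holding `keytool -list -v` output. Every spec must match an
# entry with that alias, that "Entry type:" and at least MINCHAIN certificates in
# its chain (trustedCertEntry prints no chain line; use 0). On the first unmet
# requirement it prints the reason and returns 1, so the caller fails fast.
verify_listing() {
  listing=$1; shift
  for spec in "$@"; do
    alias=${spec%%:*}; rest=${spec#*:}; type=${rest%%:*}; minchain=${rest#*:}
    # lines from "Alias name: <alias>" up to (not including) the next "Alias name:"
    block=$(awk -v a="$alias" '/^Alias name: / { inblk = ($3 == a) } inblk { print }' "$listing")
    [ -n "$block" ] || { echo "missing alias: $alias"; return 1; }
    printf '%s\n' "$block" | grep -q "^Entry type: $type" \
      || { echo "alias $alias is not a $type"; return 1; }
    n=$(printf '%s\n' "$block" | awk '/^Certificate chain length: / { print $4 }')
    [ "${n:-0}" -ge "$minchain" ] \
      || { echo "alias $alias: chain length ${n:-0} < $minchain"; return 1; }
  done
  return 0
}

# Dump both stores and apply the checks from the note above: two PrivateKeyEntry
# entries whose chains cover leaf + every CA level, and one trusted entry per CA.
verify_stores() {
  "$KEYTOOL" -list -v -keystore keystore.p12   -storetype PKCS12 -storepass "$STOREPASS" > keystore.lst
  "$KEYTOOL" -list -v -keystore truststore.p12 -storetype PKCS12 -storepass "$STOREPASS" > truststore.lst
  depth=$(( $(echo $CA_CHAIN | wc -w) + 1 ))
  verify_listing keystore.lst "server_sign:PrivateKeyEntry:$depth" "server_enc:PrivateKeyEntry:$depth"
  specs=""; i=0
  for ca in $CA_CHAIN; do i=$((i + 1)); specs="$specs ca$i:trustedCertEntry:0"; done
  verify_listing truststore.lst $specs
}

# Side-effect free unless explicitly asked: `sh build_sm_stores.sh build`
if [ "${1:-}" = "build" ]; then
  build_keystore
  build_truststore
  verify_stores && echo "keystore.p12 and truststore.p12 OK"
fi
```

Run it as `CA_CHAIN="intermediate.crt root.crt" sh build_sm_stores.sh build` in the directory holding the certificates; without the `build` argument the file only defines the functions, so `verify_listing` can be reused on an existing listing. Keep the real store password out of the script and out of version control; the 123456 default mirrors the notes above and is for a lab only.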
Add the following dependencies to the pom file
<dependency>
    <groupId>com.tencent.kona</groupId>
    <artifactId>kona-provider</artifactId>
    <version>1.0.13</version>
</dependency>
<dependency>
    <groupId>com.tencent.kona</groupId>
    <artifactId>kona-ssl</artifactId>
    <version>1.0.13</version>
</dependency>
<dependency>
    <groupId>com.tencent.kona</groupId>
    <artifactId>kona-crypto</artifactId>
    <version>1.0.13</version>
</dependency>
<dependency>
    <groupId>com.tencent.kona</groupId>
    <artifactId>kona-pkix</artifactId>
    <version>1.0.13</version>
</dependency>
The Spring Boot configuration file is as follows (the store passwords are placeholders; supply the real ones through the environment rather than committing them)
server:
  port: 16066
  ssl:
    enabled: true
    provider: Kona
    trust-store-provider: Kona
    trust-store-type: PKCS12
    trust-store: /home/eseal-assembly1.1/start/config/ssl/truststore.p12
    trust-store-password: 123456
    key-store-provider: Kona
    key-store-type: PKCS12
    key-store: /home/eseal-assembly1.1/start/config/ssl/keystore.p12
    key-store-password: 123456
    # This context protocol supports TLCPv1.1, TLSv1.3 and TLSv1.2,
    # and will take the providers from TencentKonaSMSuite to work.
    protocol: TLCP
    client-auth-enabled: false
  http2:
    enabled: true
# TomcatServer configuration note: change the port value in AppConfig to the fixed value 8443, so that an SM HTTPS listener on 8443 is started in addition to the default HTTP port
Browser verification
Other references and verification commands
# Generate p12 files
export LD_LIBRARY_PATH=/usr/local/angie/lib:$LD_LIBRARY_PATH
/usr/local/tongsuo/bin/openssl pkcs12 -export -out server.p12 -inkey server_sign.key -in server_sign.crt
/usr/local/tongsuo/bin/openssl pkcs12 -export -out ca.p12 -inkey ca.key -in ca.crt
/usr/local/tongsuo/bin/openssl pkcs12 -export -out client.p12 -inkey client_sign.key -in client_sign.crt
# Enter the export password when prompted
# Convert the p12 files into jks files (JKS is the legacy format; PKCS12 is preferred where the consumer accepts it)
/home/eseal-assembly1.1/start/TencentKona-8.0.20-432/bin/keytool -importkeystore -srckeystore server.p12 -srcstoretype PKCS12 -destkeystore server.jks -deststoretype JKS
/home/eseal-assembly1.1/start/TencentKona-8.0.20-432/bin/keytool -importkeystore -srckeystore client.p12 -srcstoretype PKCS12 -destkeystore client.jks -deststoretype JKS
/home/eseal-assembly1.1/start/TencentKona-8.0.20-432/bin/keytool -importkeystore -srckeystore ca.p12 -srcstoretype PKCS12 -destkeystore ca.jks -deststoretype JKS
# Import the CA certificate under the alias ca
/home/eseal-assembly1.1/start/TencentKona-8.0.20-432/bin/keytool -importcert -file ca.crt -alias ca -keystore server.jks
/home/eseal-assembly1.1/start/TencentKona-8.0.20-432/bin/keytool -importcert -file ca.crt -alias ca -keystore client.jks
# Verify the truststore
/home/eseal-assembly1.1/start/TencentKona-8.0.20-432/bin/keytool -list -v -keystore server.jks -storepass 123456
# List the entries (prompts for the store password)
/home/eseal-assembly1.1/start/TencentKona-8.0.20-432/bin/keytool -list -v -keystore server.jks
# Inspect the p12 file; the number of "Certificate bag" lines is the number of certificates it holds
/usr/local/tongsuo/bin/openssl pkcs12 -in server.p12 -info
# Offer every cipher suite and see which one the server negotiates. As written this is a standard TLS handshake; exercising TLCP needs Tongsuo's NTLS client options
/usr/local/tongsuo/bin/openssl s_client -connect 192.168.0.204:7779 -cipher ALL
# Smoke test. Stock curl speaks TLS 1.2, not TLCP, so this only proves the TLSv1.2 path that the Kona context enables alongside TLCP; with a private CA add --cacert ca.crt (or -k to skip verification while debugging)
curl -v --tlsv1.2 https://192.168.0.204:8443
Serving the packaged Vue front end from Spring Boot
1. Create a static directory and copy the whole front-end build output into it.
2. If the configuration sets spring.servlet.context-path, the front-end files must be requested with that prefix as well.
3. Do not use the @EnableWebMvc annotation; with it the front-end pages can no longer be reached.
4. If the Shiro framework is in use, the static paths must be allowed through (anon):
filterChainDefinitionMap.put("/js/**", "anon");
filterChainDefinitionMap.put("/css/**", "anon");
filterChainDefinitionMap.put("/img/**", "anon");