前言

设计 AS2 协议的主要目的，是基于 HTTP 协议之上实现安全的结构化电子商业数据交换。在这系列文章的第一部分，我们大体了解了 AS2 为何这么优秀。我们作为 B2B 集成平台 AS2Gateway 的开发者，已经在 AS2 协议这方面工作了很多年。在本篇文章中，我们希望给予更多的见解关于 AS2 协议，如何使用几行 java 代码和 S/MIME 格式去构造一个 AS2 消息。

废话不多说，让我们现在开始。AS2 消息的基本结构：他由 MIME 格式数据组成，并存在于 HTTP 消息体里面，再加上一些特有的 AS2 消息头部。

AS2 消息的最终结构如下图所示。在本文中，我们会从一个简单的文档开始，一步一步生成最终的加密过的 HTTP 消息体。

译者注：我们看到最外层是 HTTP 数据包，AS2 消息的实际内容 (使用非对称加密算法加密过的) 是挂载到 HTTP BODY (HTTP请求体) 里面的。AS2 协议重点就在于如何生成/解析这个 Encrypted HTTP Body (加密过的 HTTP 请求体)。

解密过后的 AS2 消息中还包含了基础文档 (Functional Document) 和数字签名 (Ditital Signature)，AS2 协议规定应用软件需要校验这个数据签名 (Digital Signature) 来确保数据完整性，具体做法是

使用远程客户公钥解密数字签名，得到一个散列码，记为 HASH-CODE-1

使用约定好的散列算法 (例如 MD5, SHA) 计算出基础文档 (Functional Document) 的散列码，记为 HASH-CODE-2

比较这两个散列码 HASH-CODE-1, HASH-CODE-2 从而确认数据是否被篡改

生成 MIME 消息

首先，让我们看一个 MIME 消息样例。下面的样例代码使用了 JavaMail 和 Apache Tika，用来生成一个 MIME 消息

Properties props = System.getProperties();

Session session = Session.getDefaultInstance(props, null);

MimeMessage finalMessage = new MimeMessage(session);

Tika tika = new Tika();

File file = new File("/home/rajind/sample-text-file.txt");

String mimeType = tika.detect(file);

finalMessage.setDataHandler(new DataHandler(new FileDataSource(file)));

finalMessage.setHeader("Content-Type", mimeType);

finalMessage.setHeader("Content-Transfer-Encoding", "base64");

finalMessage.setFileName(file.getName());

生成的 MIME 消息结构如下所示，注意 MIME 的头部信息和消息内容 (消息内容通过 base64 编码，因为我们在头部指定了该编码格式)

Message-ID: <1642534850.0.1512980924095@rajind-ENVY>

MIME-Version: 1.0

Content-Type: text/plain; name=sample-text-file.txt

Content-Transfer-Encoding: base64

Content-Disposition: attachment; filename=sample-text-file.txt

c2FtcGxlIHRleHQgY29udGVudCBvbmUK

签署 MIME 消息

现在我们看看 S/MIME 如何发挥作用。S/MIME 提供了两种安全措施，数字签名 (Digital Signature) 和信息加密 (Message Encryption)。这两项措施是 S/MIME 消息安全性的基础。数字签名提供身份认证，消息不可否认性以及数据完整性校验。信息加密服务则提供了数据机密性以及数据完整性。下面的代码片断展示了如何对 MIME 消息进行签名，这里我们使用了 Bouncy Castle S/MIME API, Bouncy Castle Crypto package, 以及 Bouncy Castle Java APIs for CMS, PKCS, EAC, TSP, CMP, CRMF, OCSP, and certificate generation.

// loading identity store

FileInputStream is = new FileInputStream("/home/rajind/Downloads/keystore.jks");

KeyStore identityKeystore = KeyStore.getInstance(KeyStore.getDefaultType());

String password = "password";

identityKeystore.load(is, password.toCharArray());

// extracting certificate from identity store

X509Certificate signCert = (X509Certificate) identityKeystore.getCertificate("as2gx");

List certList = new ArrayList();

certList.add(signCert);

Store certs = new JcaCertStore(certList);

// create the generator for creating an smime/signed message

SMIMESignedGenerator signer = new SMIMESignedGenerator();

signer.setContentTransferEncoding("base64");

// extracting private key from identity store

Key key = identityKeystore.getKey("as2gx", password.toCharArray());

KeyPair keyPair;

if (key instanceof PrivateKey) {

Certificate cert = identityKeystore.getCertificate("as2gx");

PublicKey publicKey = cert.getPublicKey();

keyPair = new KeyPair(publicKey, (PrivateKey) key);

} else {

throw new UnrecoverableKeyException("Identity store does not contain keypair for alias " + "as2gx");

}

// add a signer to the generator

signer.addSignerInfoGenerator(new JcaSimpleSignerInfoGeneratorBuilder().setProvider("BC")

.build("SHA1WITHRSA", keyPair.getPrivate(), signCert));

// add our pool of certs and certs (if any) to go with the signature

signer.addCertificates(certs);

MimeMultipart signedMimeMultipart = signer.generate(finalMessage, "BC");

finalMessage = new MimeMessage(session);

// set the content of the signed message

finalMessage.setContent(signedMimeMultipart);

finalMessage.saveChanges();

签署过后，MIME 消息如下如示

译者注：第一部分为实际内容 "sample text content one" (经base64编码)，第二部分为数字签名

Message-ID: <1990160809.3.1512983999570@rajind-ENVY>

MIME-Version: 1.0

Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-1;

boundary="----=_Part_2_77269878.1512983999569"

------=_Part_2_77269878.1512983999569

Content-Type: text/plain; name=sample-text-file.txt

Content-Transfer-Encoding: base64

Content-Disposition: attachment; filename=sample-text-file.txt

c2FtcGxlIHRleHQgY29udGVudCBvbmUK

------=_Part_2_77269878.1512983999569

Content-Type: application/pkcs7-signature; name=smime.p7s; smime-type=signed-data

Content-Transfer-Encoding: base64

Content-Disposition: attachment; filename="smime.p7s"

Content-Description: S/MIME Cryptographic Signature

MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIAwggOLMIIC

c6ADAgECAgRzIbxvMA0GCSqGSIb3DQEBCwUAMHYxCzAJBgNVBAYTAlNMMRAwDgYDVQQIEwdXZXN0

ZXJuMRAwDgYDVQQHEwdDb2xvbWJvMRQwEgYDVQQKEwtBZHJvaXRMb2dpYzERMA8GA1UECxMIRGV2

LUFTMkcxGjAYBgNVBAMTEVJhamluZCBSdXBhcmF0aG5hMB4XDTE3MTIxMTA1Mzg0NFoXDTE4MDMx

MTA1Mzg0NFowdjELMAkGA1UEBhMCU0wxEDAOBgNVBAgTB1dlc3Rlcm4xEDAOBgNVBAcTB0NvbG9t

Ym8xFDASBgNVBAoTC0Fkcm9pdExvZ2ljMREwDwYDVQQLEwhEZXYtQVMyRzEaMBgGA1UEAxMRUmFq

aW5kIFJ1cGFyYXRobmEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCNRy9JKmdiX84V

8dkX8SUUr61WYpJuwQ3mnjHGCEd5qyLKl4ozi1TBPrfq1lIsf0b2U+y4Pno3KRJeSR1GYZJml1ED

/j2ovUvxrpf10JI0gxNJbM/FruMULmfQXed/GhU4NeKK7E6vJeJ7w7w9Jbuy7nrf92jJ7bY64bGJ

wh6xAwurjIQqw+8AsML1LUxG10KT+mI+L5ldVlJxCeyYI5WyiYMe3OG/s2mHNgHf0TXVg80vrlRR

eQizat8ax+xsG6RBGwHYSzkgYP79rQ9UaIw0XkML2N8rpzjLgMTQ0MuA83cxeCVgj/uDFowDcSnR

5BbYSdVUT7iOt2Tp0PmvXmOvAgMBAAGjITAfMB0GA1UdDgQWBBSCwg1GygHh7KPByyzS5gVcFayr

RTANBgkqhkiG9w0BAQsFAAOCAQEAAiKgeGfGNNtIwIE7nRlfihljWng6tbyUPxR4Il96hwdlnf20

cHqRhaks0WJGuhdk+w2mJnmQZGVVRM0+qftRaDBFRKoVbjTk+I1YEEiUgX6WEnZx08vjlfSS3Ffg

n3NMiS1t7396UYpXQn5JAQG+AZaOvbNhsigCcUccN3/k3PnS2xt4Dni7CM/w5TzcXYRsGxAhaBW1

2TnnVWf/asAD2zqVIoHa1YkvsVp804D1uivG1QPn0ayeM36miEOOlr9+/eKNUtkbir6EKRr7Z4Ao

W41gqbH/pGu86bXlA3wPBDQF+WreDRzvs15Ux4jr9ydh/g3kGJK4nW7Lu1lIERXXBAAAMYICBDCC

AgACAQEwfjB2MQswCQYDVQQGEwJTTDEQMA4GA1UECBMHV2VzdGVybjEQMA4GA1UEBxMHQ29sb21i

bzEUMBIGA1UEChMLQWRyb2l0TG9naWMxETAPBgNVBAsTCERldi1BUzJHMRowGAYDVQQDExFSYWpp

bmQgUnVwYXJhdGhuYQIEcyG8bzAJBgUrDgMCGgUAoF0wGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEH

ATAcBgkqhkiG9w0BCQUxDxcNMTcxMjExMDkxOTU5WjAjBgkqhkiG9w0BCQQxFgQUhVeT2eOCO+13

wPL/8mopwFqKuk0wDQYJKoZIhvcNAQEBBQAEggEACxCnEunose/i7kHI1fKSKAKJeUEPTprqxqIt

SmetJiffCNrGU1rf9l33h7AjKQPWHD9HkCDNHyC5F6qviezOZxEAh9e/v8uLwRn4wPorVLqP11wv

mEzPoD9ph82DzK/tCSO1Mtbu9ibB4YtirHNlSw7sFKKTyaXQU/rup2aW6YG2xjeflz6EDrxVhAh+

lgRuuNZPELzpDhuDgYajmbatzxP45s6OzSSRRHfrdoxEVEpNfV915WTPSh5DQ52sCC28RWZC9u1u

wkp0Dqhhg68JrO4cuZgCsUyhdUPzEGKhZ+ibxXzqzwx0yweaw01QgHm34b1qjXVLO4LTlJCm3UIq

agAAAAAAAA==

------=_Part_2_77269878.1512983999569--

加密 MIME 消息

// 加载partner的数字证书

CertificateFactory fact = CertificateFactory.getInstance("X.509");

FileInputStream is = new FileInputStream("/home/rajind/Downloads/partner-cert.pem");

X509Certificate cert = (X509Certificate) fact.generateCertificate(is);

// 创建加密器

SMIMEEnvelopedGenerator encryptor = new SMIMEEnvelopedGenerator();

encryptor.addRecipientInfoGenerator(new JceKeyTransRecipientInfoGenerator(cert).setProvider("BC"));

encryptor.setContentTransferEncoding("base64");

JceCMSContentEncryptorBuilder jceCMSContentEncryptorBuilder =

new JceCMSContentEncryptorBuilder(new ASN1ObjectIdentifier(SMIMEEnvelopedGenerator.DES_EDE3_CBC)).setProvider("BC");

jceCMSContentEncryptorBuilder.setSecureRandom(new SecureRandom());

// 进行加密

MimeBodyPart encryptedPart = encryptor.generate(finalMessage, jceCMSContentEncryptorBuilder.build());

// 设置加密后的内容

finalMessage = new MimeMessage(session);

finalMessage.setContent(encryptedPart.getContent(), encryptedPart.getContentType());

finalMessage.setHeader("Content-Transfer-Encoding", "base64");

finalMessage.saveChanges();

经过签字 (sign) 和加密 (encrypt) 后，MIME 消息变成了下面那样

Message-ID: <347808407.5.1512984099462@rajind-ENVY>

MIME-Version: 1.0

Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type=enveloped-data

Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHA6CAMIACAQAxggGKMIIBhgIBADBuMGYxCzAJBgNVBAYTAkFVMQwwCgYDVQQI

EwNOU1cxDzANBgNVBAcTBlNpZG5leTERMA8GA1UEChMIRGVtby1CMkIxEjAQBgNVBAsTCURlbW8t

QVMyRzERMA8GA1UEAxMIUmFqaW5kIFICBCLGK2cwDQYJKoZIhvcNAQEBBQAEggEAYFjOBGnUaozf

RCEtPQ9MFWjT4Rletb7B2LVLonBdK44Lzp0wNjyujiW/eOu5z6iQeerg+SXTvKnNzParKCRlf+Wl

ReWNlE5ekOQBE3KSLvIzgecrCH0db4LmEIDm1Ha5uF8fqY2V42P64kBYBBEBKjR1tZ4NnGmztYiC

//6b/zKj4HKR0oF1tY+ZjQthUwFBLTYHw0yvqUTwPEe0fuIdpPpwEZEiyXVSsvzLKmoQ3UKKqNeK

vfYzCsMU0ZVZrALKfg834Se0EOFQ66E0/g+PnDGsuqTEsGeXeQS+4X6MJ3l9Vjss/hefPZSeC1fZ

3J9834SByewywjvM91PNYpC/DzCABgkqhkiG9w0BBwEwFAYIKoZIhvcNAwcECNKqTYwNgMYHoIAE

ggPouBE3SH8R9pTp1fxl6BeVH/T2q3x0Sz8SzHlTTKM52eXFVi3CprOZjnhAn1S7/zGZy7RsgYo1

1oPN0T6G/9v+5HOnLp8gp2+Qk8KXErJ2CQOw9VUo0sw+KnaMsHHGS+7VXi7WTwMtK6eykz+HbQI9

J76jCVTaccBgQDksN/ZQKV6CesOpEvDp5WXvs8IeHp4+rGMdVZDs57SE4pPtdJONmiD7elAJH54W

ZfThMjUh4IMCE+XURcyjgj0mLCDmQaLr6g1Mo/MuD1bQ/tcrUAJfDIh0eLgIld4f+2mI/iwRZC9Z

vcJuKT6GBpKQfxDMVG1kZn1Oga7kucnap7S6L8kHKSwAPvxeF3YfkCL3hKOr8CrSAtrfrYnay+ps

2d5k0KOJppTUkiGpSz5llS5xCCU34ZWjiPrbgsZ1aZQdVhpyww0FFbdLTVjIgmFvng1g7P7UFUd6

binC6fvjpGbFGn51TExirWIluQ3l6G0SKZBVY7cJ3WodWd9u0Z4qDqEtK4D2+P2stIpE6KgCakZi

sIJkW56gDvm8PYM7AjMuwhNZN07R42np7EIMQW0AmDEObF68coVb39dBFP27slNCViF+3NRtP/qJ

QQYfkaKMJhKqAUNgO2bTkRl+brCYSc5B5naVqBLSj2j5Z2Nx7vq/Ily+aewdAUBZS+QPWn1d8lqS

E5JTOZHgLXNFhaQvYo31JsNjc9d/DR7JPf9PnftIte0/G2UpNkTHlneaLYkzV3wkrca/ncJAeDjY

h1+uziIgp8MhMrqy27XbF/V09rZnpGuGnLqwUmAvb4+zy/zNkLjDeC1cqpSr8O7ZWwEMCHq29OX3

akoKHAmEfWqLqeFaYd8g0r5ijiiIP0/upGpYI+BaOGNOrMmA07jm8GwvzNXo5udjOYRIRf3BOB+W

hLtVhDIFKT8sW2zqZNjuBperQ82FZfuM9BG23qhewwgn6CGaVjM8WHOtinbmxdAHLLfAaWUo1kQQ

q4+knBUa+XH+auBKbqPTXwW7UsRvxEcGCmtT8yxD2nNMXzrZQ6mYNhQdcIwuEPDa9b/kgwNoJiA9

XMexHaOEjPMXaeZZXq7+T6DFSG2cZVs3JxXr4Qx2dfMdvlAUHADIC7ld6jZag9xnlMaKFzb8WbQ6

PDkB9EUyTaTAQBb8E08IYIJwx1h0qicVezLVmBjlgEwCjtweSGkqlqx88AypVHTDyTjiri80hR4e

JnX7lGAE3fuNPXLsvl2l+KYueGA35Q2wsVNt1D4Ggees2SYTyCKphY3xV8VC0jKck85Zglkx1N4o

mKUovfJvjT/y/uMwpAB66IDx6b2Hwz+bWUKnPPEAEwFgXASCA+gZyLkDh+w2La5G7pUJegac8yS+

29f65Y3iURRhR/3Ob/zxCoeIAmyvSE+KurPldx3h4z/bve4jekUleoGgFCNsE7pZzMUNcKTjFWxv

6nA09AqPuUDlY1ukfPJKSkpfJHD4KEoEehHuRc+X5xOJDEL6DuODg6hF2Kj0VKQc9KTALgSQc25K

Ohx+Ho2DV9Y0YVECFLBXXe/gQapi3ozfHjMQSrqLh8+KgUAG+AmdlD9QaM1hrjzrJKguIjleswuh

BU5E9gmW6b5+FPYEd6f4A/NnIqGUqM/AHzRq1jugBOmAcw/l8cL3LpkLK9XQlqQBMkY74KJ03Vvf

owmoBn4MTfxRxkzxsAUVb5b0oHiVCSBdgf+vmSzc6O9J9NlWH+SOWFaCxvE4xO/jxkp2rXFF/O8U

Pp4bG6wcsvK4VWFQYIu/koHA1L4EDsinm8g8etaS1Bejyf8+hAC+Pd+DVeJTPpD/XE4NBvMBfuX/

B15+oWooEVSg6EtQxQ5ZNPlFmOsYguO3MFQySNbkWSoQ7PeYXfrz6m0Z349j3D+Pa1G25g4P8x43

yzeIMTEGycWEqIQfLA1ENXuaN9UbAnlJmQf86tdwPmWfJS9GzPiuCEE3WLOzS4YAt094iIZ9ztY+

ssTh9SkSa3TJ4LPsPcKL2aL/6uif4hSExTpNrU9kaRml+4sJCn3y2EwgO8XZC1hPfttdaODJC8So

m7PxeCzA1Eg58Co8hONc5ZldV7qwIfzVHomLI9Zijh5vsjHHWaObECqKwARGAD+KriknQJAYpa86

6tQP6UQhZxabYvm8jom+BZ6bVmaZ1Ogwuv4iyWJ4DGOUwukIslYfCKY6tYrI7qQiJnI5NVTSju4H

HwJ0FVvT8ia3CvzLZa1/QXl+M3hcxKG0EeBME941SyBkdMB+Kp/pq+5Q0SAp/eKB5Fneudc6RV+4

puK/OXUwyxbHHrMrCn7ZWXz+0+8qWd0kNzmbM4WBoKvtGwd+FjcfK53V9HRcKr5JnlmKd5A4HVnO

Xjotl5rCKbZ47q8quWJGGp7NWKSY8nwAMTtnQ1erCFxweqvNIsjv2X082hWCQymxp04NRw7hgxUW

enCiZNG9FecKi9MQmSBJvebjQPdYXSsB5S8z3aNV5J0FPIAor9Yj6bsqMu2L57BQsHxrnf6Hy5J7

50lSBoQFsJ1KxUKjMRG6ZXUW5pE1uxopLlDPg/6qk8lj3Y0YjzannU9sW9e2gEGQx5lZ2iIU9xEv

mNE9wk2jk9xx4Ds7VoNhGdEDaj/CsD9vhPP+IBDxmbF4DoLOItV/M13sHdgh5RF0mTqnMWR53wK1

7YDgdt0P1jNBkhJIBIIC0DgpocBNlvIrpKMJhg1eYR565DrsafVBgpDrQpwp0/fJEDrclp68d0bU

UYa5s9uoraQSo6qx7kFnJ/ardLUlnmUa2RX0mTRyqhLLc9i3VX1qoaDNQWR8JKxABXZZGpn4mxaJ

u+N6pDGYj9h85RqqDJcYINKLe6mCUYalAGUAMg3i8SUKbCJDBvBE5vo6u3JExOVkBT4TbHGtuwbZ

zc0D1C5qmY6NzLryhdB4SwJI639dMrArvA8KM+TYeQlFWAIAYKqDRtC00moS/kdeCos1tQqt08d/

ePZ7TZpDQfC7CGY4Od3nrMv0B3g2h91bp7IOWbNR5E1NR6HfcyIc0Sz1aCMaUZfzogMqJRUuwk0r

JPSKx/KFpxiHN8Kn/Il75cjNo1XnVngUnUyJG+xevuqDPiRRiV+1EDjGmiq2pA5X1yhTAntgusqN

wjTy1jjGHX3vVdLRZ7def0E8ZZ6cUKLW17X6+E1pDufCU6pb1m8UpDgQawNKPZ1xQBIfW6COenrl

x8npsM6fK1yBjdCtTlgSe/URRFPgqT2iDNwAqzEX1jEik/R5oWSVNMtqgbMYztISs/X/HXbzs3xX

VGdRP6W41hwO4276AlWFJR977+5ADdo94fksYA5MIbayDfJ4s0Y/MhvTOCt6FIMDopZETHj/ZC5K

Dr3hq5e5WUbr2iDLDJtvFyX8HjcIxbH7GfkjkQRQ0bpYbPj6LkTnYcwBGpeFIidDBxFI06C2QLRJ

6wNo5YBhy+E/6/kYvXLFQfoiaaPL2uKaF4/FVcdwl1t5pVFan+1wmXwe6kW8fgbSxjm2wP20iaQW

awOT4YnGIkI39tGzrPREWXYn+gWkvVWxM9jD/xKQjL9iy2MqA8q0oX0K0QrRfbXf/ap5K5yVDTcj

3MI20+HsDWXRZXf4aSYoZrOt2JUJYshfi/EW7fexATQyBxPqefRzTgE3PCljC7qNCdkmJAAAAAAA

AAAAAAA=

你可能注意到上面代码片段中硬编码的证书和算法。在实际的 AS2 B2B 通信场景中，这些参数需要非常方便去配置。

下一步就是要加入与 AS2 有关的 HTTP 头部，并把消息发送出去，接着是解析收到的消息。这些将会在未来的文章中介绍。

P.S. 请注意上述代码片断只是给你一个关于 AS2 消息处理的初印象，他们也许不符合编程标准，也没有异步处理。