银联在线支付5.0.0版-仿真端

背景

银联在线支付本身为开发人员提供了测试环境，但是在某些项目组中，无法连接外部网络，这样就给需要开发银联在线支付的人员造成了一个比较头疼的问题。

通过对银联在线支付SDK研究，银联支付5.0.0版（即报文中version=5.0.0）采用RSA非对称数字证书签名的方式进行报文合法性校验，故决定实现银联在线支付平台仿真端，为不能够连接外网，而又需要调试银联在线支付的开发人员，提供另外一种途径。

目标

实现银联在线支付5.0.0版，数字签名证书生成
实现银联在线支付5.0.0版仿真端，消费类交易（支付/付款），退货类交易（退款），交易状态查询交易

RSA非对称数字证书生成

操作系统:Ubuntu 16.04

lsb_release -a[回车]
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.04.3 LTS
Release:    16.04
Codename:   xenial

使用工具:OpenSSL

openssl version[回车]
OpenSSL 1.0.2g  1 Mar 2016

新建证书目录：/program/rsa_cert/

注：以下为生成证书的步骤，按步骤执行即可

一、生成CA（Certificate Authority）证书

1、生成CA证书key

openssl genrsa -des3 -out edu1t1_ca.key 2048[回车]
Generating RSA private key, 2048 bit long modulus
........................................+++
..........+++
e is 65537 (0x10001)
Enter pass phrase for edu1t1_ca.key:(输入密码)
Verifying - Enter pass phrase for edu1t1_ca.key:(输入确认密码)

2、生成CA证书

openssl req -new -x509 -days 365 -key edu1t1_ca.key -out edu1t1_ca.crt[回车]
Enter pass phrase for edu1t1_ca.key:(输入证书密码)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN(国家)
State or Province Name (full name) [Some-State]:TIANJIN(州/省)
Locality Name (eg, city) []:NANKAI(位置)
Organization Name (eg, company) [Internet Widgits Pty Ltd]:EDU1T1(组织)
Organizational Unit Name (eg, section) []:EDU1T1(单位)
Common Name (e.g. server FQDN or YOUR name) []:PAYPLATFORM(常用名)
Email Address []:abc@abc.com(电子邮箱地址)

二、生成RSA签名/验签证书

1、生成私钥

openssl genrsa -out edu1t1_sign.key 2048[回车]
Generating RSA private key, 2048 bit long modulus
..........+++
......+++
e is 65537 (0x10001)

2、生成服务器端签名请求文件

openssl req -new -key edu1t1_sign.key -out edu1t1_sign.csr[回车]
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN(国家)
State or Province Name (full name) [Some-State]:TIANJIN(州/省)
Locality Name (eg, city) []:NANKAI(位置)
Organization Name (eg, company) [Internet Widgits Pty Ltd]:EDU1T1(组织)
Organizational Unit Name (eg, section) []:EDU1T1(单位)
Common Name (e.g. server FQDN or YOUR name) []:PAYPLATFORM(常用名)
Email Address []:abc@abc.com(电子邮件地址)Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:000000(输入)
An optional company name []:EDU1T1(输入)

3、利用 CA 进行签名证书

将文件 /usr/lib/ssl/openssl.cnf 拷贝至 /program/rsa_cert 下，使用VI编辑器打开并进行如下内容修改（标红部分）

####################################################################
    [ ca ]
    default_ca   = CA_default       # The default ca section
    ####################################################################
    [ CA_default ]
    dir       = ./certs                                # Where everything is kept
    certs       = $dir/certs                        # Where the issued certs are kept
    crl_dir       = $dir/crl                        # Where the issued crl are kept
    database   = $dir/index.txt                # database index file.
    #unique_subject   = no                    # Set to 'no' to allow creation of
                                                            # several ctificates with same subject.

new_certs_dir   = $dir/newcerts       # default place for new certs.

在 /program/rsa_cert 下新建目录 certs

在certs下新建，目录newcerts，文件index.txt和文件serial（serial文件中需要输入一串十六进制数字串，作为Serial Number）

注意，Ubuntu18.04下，自带openssl 1.1.1，可能会出现以下错误（对应解决方法如下）

错误一：Can't load ~/.rnd into RNG，解决方法，在当前用户根目录下执行如下命令：
openssl rand -writerand .rnd[回车]
错误二：Can't open ./certs/index.txt.attr for reading, No such file or directory，解决方法为，在certs下，新建 index.txt.attr 文件

错误三：error while loading serial number，解决方法，执行如下命令：
echo 00 > serial[回车]

如果一切正常，则如下命令可以正常执行，并得到如下：结果

openssl ca -in edu1t1_sign.csr -out edu1t1_sign.crt -keyfile edu1t1_ca.key -cert edu1t1_ca.crt -days 365 -config openssl.cnf[回车]
Using configuration from openssl.cnf
Enter pass phrase for edu1t1_ca.key:(输入证书密码)
Check that the request matches the signature
Signature ok
Certificate Details:Serial Number: 1193046 (0x123456)ValidityNot Before: Mar 23 07:52:23 2018 GMTNot After : Mar 23 07:52:23 2019 GMTSubject:countryName               = CNstateOrProvinceName       = TIANJINorganizationName          = EDU1T1organizationalUnitName    = EDU1T1commonName                = PAYPLATFORMemailAddress              = abc@abc.comX509v3 extensions:X509v3 Basic Constraints: CA:FALSENetscape Comment: OpenSSL Generated CertificateX509v3 Subject Key Identifier: 8C:00:0D:9B:C6:BD:A8:E8:53:FC:61:61:33:C5:2B:E9:4F:AD:D6:6AX509v3 Authority Key Identifier: keyid:B6:A4:16:2D:B0:8D:2A:27:70:8D:27:C5:B4:57:07:EB:8E:40:CA:E4Certificate is to be certified until Mar 23 07:52:23 2019 GMT (365 days)
Sign the certificate? [y/n]:y（输入y）1 out of 1 certificate requests certified, commit? [y/n]y（输入y）
Write out database with 1 new entries
Data Base Updated

得到 pfx 格式的私钥

openssl pkcs12 -export -out edu1t1_sign.pfx -inkey edu1t1_sign.key -in edu1t1_sign.crt[回车]
Enter Export Password:（输入证书密码）
Verifying - Enter Export Password:（输入确认密码）

这次输入的密码为打开pfx证书时的密码，建议为000000（因为银联的测试证书默认密码为000000，这样可以尽量减少商户端配置变更）

得到 cer 格式的公钥

openssl x509 -inform pem -in edu1t1_sign.crt -outform der -out edu1t1_validate.cer[回车]

至此，银联在线支付5.0.0版签名（edu1t1_sign.pfx）和验签（edu1t1_validate.cer）证书生成完毕（已生成证书下载）。

使用Spring boot搭建银联在线支付仿真端

在此不再详述项目搭建步骤，仅提供两种形态的工程下载：

工程一下载：打包后的工程，可在Redhat Linux下运行，附工程的操作和运行说明（即readme文件内容），可直接下载用来做项目组开发银联在线支付的仿真端。

工程二下载：完整的源码下载（Maven工程），仅供学习与技术交流使用。