@Component
public class EncryptionUtil {
    
    /**
     * RSA加密AES密鑰
     */
    public static String encryptAesKey(String aesKey, String rsaPublicKey) throws Exception {
        PublicKey publicKey = getPublicKey(rsaPublicKey);
        Cipher cipher = Cipher.getInstance("RSA");
        cipher.init(Cipher.ENCRYPT_MODE, publicKey);
        
        byte[] encrypted = cipher.doFinal(aesKey.getBytes());
        return Base64.getEncoder().encodeToString(encrypted);
    }
    
    /**
     * AES加密數(shù)據(jù)
     */
    public static String encryptData(String data, String aesKey) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        SecretKeySpec keySpec = new SecretKeySpec(aesKey.getBytes(), "AES");
        IvParameterSpec iv = new IvParameterSpec("0000000000000000".getBytes()); // 實(shí)際項(xiàng)目中應(yīng)使用隨機(jī)IV
        
        cipher.init(Cipher.ENCRYPT_MODE, keySpec, iv);
        byte[] encrypted = cipher.doFinal(data.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(encrypted);
    }
    
    /**
     * RSA解密AES密鑰
     */
    public static String decryptAesKey(String encryptedAesKey, String rsaPrivateKey) throws Exception {
        PrivateKey privateKey = getPrivateKey(rsaPrivateKey);
        Cipher cipher = Cipher.getInstance("RSA");
        cipher.init(Cipher.DECRYPT_MODE, privateKey);
        
        byte[] decrypted = cipher.doFinal(Base64.getDecoder().decode(encryptedAesKey));
        return new String(decrypted);
    }
    
    /**
     * AES解密數(shù)據(jù)
     */
    public static String decryptData(String encryptedData, String aesKey) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        SecretKeySpec keySpec = new SecretKeySpec(aesKey.getBytes(), "AES");
        IvParameterSpec iv = new IvParameterSpec("0000000000000000".getBytes());
        
        cipher.init(Cipher.DECRYPT_MODE, keySpec, iv);
        byte[] decrypted = cipher.doFinal(Base64.getDecoder().decode(encryptedData));
        return new String(decrypted, StandardCharsets.UTF_8);
    }
    
    private static PublicKey getPublicKey(String key) throws Exception {
        byte[] keyBytes = Base64.getDecoder().decode(key);
        X509EncodedKeySpec spec = new X509EncodedKeySpec(keyBytes);
        KeyFactory keyFactory = KeyFactory.getInstance("RSA");
        return keyFactory.generatePublic(spec);
    }
    
    private static PrivateKey getPrivateKey(String key) throws Exception {
        byte[] keyBytes = Base64.getDecoder().decode(key);
        PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(keyBytes);
        KeyFactory keyFactory = KeyFactory.getInstance("RSA");
        return keyFactory.generatePrivate(spec);
    }
}

public class EncryptedRequestWrapper extends HttpServletRequestWrapper {
    
    private final String body;
    
    public EncryptedRequestWrapper(HttpServletRequest request) throws IOException {
        super(request);
        body = getBody(request);
    }
    
    private String getBody(HttpServletRequest request) throws IOException {
        StringBuilder stringBuilder = new StringBuilder();
        try (BufferedReader reader = request.getReader()) {
            String line;
            while ((line = reader.readLine()) != null) {
                stringBuilder.append(line);
            }
        }
        return stringBuilder.toString();
    }
    
    @Override
    public ServletInputStream getInputStream() throws IOException {
        // 解密請(qǐng)求體
        String decryptedBody = decryptRequestBody(body);
        ByteArrayInputStream byteArrayInputStream = 
            new ByteArrayInputStream(decryptedBody.getBytes(StandardCharsets.UTF_8));
        
        return new ServletInputStream() {
            @Override
            public boolean isFinished() {
                return byteArrayInputStream.available() == 0;
            }
            
            @Override
            public boolean isReady() {
                return true;
            }
            
            @Override
            public void setReadListener(ReadListener readListener) {
                // 不需要實(shí)現(xiàn)
            }
            
            @Override
            public int read() throws IOException {
                return byteArrayInputStream.read();
            }
        };
    }
    
    @Override
    public BufferedReader getReader() throws IOException {
        return new BufferedReader(new InputStreamReader(getInputStream()));
    }
    
    private String decryptRequestBody(String encryptedBody) {
        try {
            // 假設(shè)請(qǐng)求體格式為: {"encryptedData": "xxx", "encryptedKey": "xxx"}
            JSONObject jsonObject = JSON.parseObject(encryptedBody);
            String encryptedData = jsonObject.getString("encryptedData");
            String encryptedKey = jsonObject.getString("encryptedKey");
            
            // 解密AES密鑰
            String aesKey = EncryptionUtil.decryptAesKey(encryptedKey, getPrivateKey());
            
            // 解密數(shù)據(jù)
            return EncryptionUtil.decryptData(encryptedData, aesKey);
        } catch (Exception e) {
            throw new RuntimeException("解密失敗", e);
        }
    }
    
    private String getPrivateKey() {
        // 從配置或數(shù)據(jù)庫(kù)獲取私鑰
        return System.getProperty("rsa.private.key");
    }
}

@Component
public class DecryptionInterceptor implements HandlerInterceptor {
    
    @Override
    public boolean preHandle(HttpServletRequest request, 
                           HttpServletResponse response, 
                           Object handler) throws Exception {
        
        // 檢查是否需要解密
        if (isEncryptedRequest(request)) {
            // 包裝請(qǐng)求，實(shí)現(xiàn)自動(dòng)解密
            EncryptedRequestWrapper wrappedRequest = new EncryptedRequestWrapper(request);
            // 將包裝后的請(qǐng)求傳遞給后續(xù)處理
            RequestContextHolder.getRequestAttributes()
                .setAttribute("wrappedRequest", wrappedRequest, RequestAttributes.SCOPE_REQUEST);
        }
        
        return true;
    }
    
    private boolean isEncryptedRequest(HttpServletRequest request) {
        // 檢查請(qǐng)求頭或參數(shù)，判斷是否為加密請(qǐng)求
        String encryptedHeader = request.getHeader("X-Encrypted");
        return "true".equalsIgnoreCase(encryptedHeader);
    }
}

@Component
public class EncryptedParameterResolver implements HandlerMethodArgumentResolver {
    
    @Override
    public boolean supportsParameter(MethodParameter parameter) {
        return parameter.hasParameterAnnotation(EncryptedParam.class);
    }
    
    @Override
    public Object resolveArgument(MethodParameter parameter, 
                                ModelAndViewContainer mavContainer,
                                NativeWebRequest webRequest, 
                                WebDataBinderFactory binderFactory) throws Exception {
        
        String encryptedValue = webRequest.getParameter(parameter.getParameterName());
        if (encryptedValue != null) {
            // 解密參數(shù)
            String decryptedValue = decryptParameter(encryptedValue);
            return convertValue(decryptedValue, parameter.getParameterType());
        }
        
        return null;
    }
    
    private String decryptParameter(String encryptedValue) {
        try {
            // 解密邏輯
            return EncryptionUtil.decryptData(encryptedValue, getAesKey());
        } catch (Exception e) {
            throw new RuntimeException("參數(shù)解密失敗", e);
        }
    }
    
    private String getAesKey() {
        // 獲取AES密鑰
        return System.getProperty("aes.key");
    }
    
    private Object convertValue(String value, Class<?> targetType) {
        // 類(lèi)型轉(zhuǎn)換邏輯
        return value;
    }
}

@Target(ElementType.PARAMETER)
@Retention(RetentionPolicy.RUNTIME)
public @interface EncryptedParam {
    String value() default "";
}

@RestController
public class UserController {
    
    @PostMapping("/user/register")
    public ResponseEntity<String> register(
            @RequestBody @EncryptedBody UserRegisterRequest request) {
        // 業(yè)務(wù)邏輯
        return ResponseEntity.ok("注冊(cè)成功");
    }
    
    @PostMapping("/user/login")
    public ResponseEntity<String> login(
            @EncryptedParam("username") String username,
            @EncryptedParam("password") String password) {
        // 業(yè)務(wù)邏輯
        return ResponseEntity.ok("登錄成功");
    }
}

@Service
public class KeyManagementService {
    
    @Autowired
    private RedisTemplate<String, String> redisTemplate;
    
    /**
     * 生成新的AES密鑰
     */
    public String generateAesKey() {
        byte[] key = new byte[32]; // 256位
        new SecureRandom().nextBytes(key);
        return Base64.getEncoder().encodeToString(key);
    }
    
    /**
     * 獲取或創(chuàng)建AES密鑰
     */
    public String getOrCreateAesKey(String userId) {
        String cacheKey = "aes_key:" + userId;
        String cachedKey = redisTemplate.opsForValue().get(cacheKey);
        
        if (cachedKey == null) {
            cachedKey = generateAesKey();
            // 設(shè)置過(guò)期時(shí)間，定期更新密鑰
            redisTemplate.opsForValue().set(cacheKey, cachedKey, Duration.ofHours(24));
        }
        
        return cachedKey;
    }
    
    /**
     * 輪換密鑰
     */
    public void rotateKey(String userId) {
        String newKey = generateAesKey();
        String cacheKey = "aes_key:" + userId;
        redisTemplate.opsForValue().set(cacheKey, newKey, Duration.ofHours(24));
    }
}

@Component
public class SignatureValidator {
    
    public boolean validateSignature(String data, String signature, String publicKey) {
        try {
            Signature sign = Signature.getInstance("SHA256withRSA");
            sign.initVerify(EncryptionUtil.getPublicKey(publicKey));
            sign.update(data.getBytes(StandardCharsets.UTF_8));
            return sign.verify(Base64.getDecoder().decode(signature));
        } catch (Exception e) {
            return false;
        }
    }
}

public class BatchEncryptionProcessor {
    
    public List<String> encryptBatchData(List<String> dataList, String aesKey) {
        return dataList.parallelStream()
            .map(data -> {
                try {
                    return EncryptionUtil.encryptData(data, aesKey);
                } catch (Exception e) {
                    throw new RuntimeException("批量加密失敗", e);
                }
            })
            .collect(Collectors.toList());
    }
}

@Component
public class EncryptedCacheManager {
    
    @Autowired
    private RedisTemplate<String, Object> redisTemplate;
    
    public void cacheEncryptedData(String key, String encryptedData) {
        // 緩存加密后的數(shù)據(jù)
        redisTemplate.opsForValue().set("encrypted:" + key, encryptedData, Duration.ofMinutes(30));
    }
    
    public String getCachedEncryptedData(String key) {
        return (String) redisTemplate.opsForValue().get("encrypted:" + key);
    }
}

@Configuration
public class EncryptionThreadPoolConfig {
    
    @Bean("encryptionExecutor")
    public Executor encryptionExecutor() {
        ThreadPoolTaskExecutor executor = new ThreadPoolTaskExecutor();
        executor.setCorePoolSize(10);
        executor.setMaxPoolSize(20);
        executor.setQueueCapacity(100);
        executor.setThreadNamePrefix("encryption-");
        executor.setRejectedExecutionHandler(new ThreadPoolExecutor.CallerRunsPolicy());
        executor.initialize();
        return executor;
    }
}

@Component
public class SecureKeyStore {
    
    /**
     * 從環(huán)境變量或配置中心獲取密鑰
     */
    public String getPrivateKey() {
        String key = System.getenv("RSA_PRIVATE_KEY");
        if (key == null) {
            // 從配置中心獲取
            key = configService.getRsaPrivateKey();
        }
        return key;
    }
}

public class EncryptionPolicy {
    
    public static boolean shouldEncrypt(String fieldName) {
        // 只對(duì)敏感字段進(jìn)行加密
        Set<String> sensitiveFields = Set.of("password", "idCard", "phone", "email");
        return sensitiveFields.contains(fieldName.toLowerCase());
    }
}

@ControllerAdvice
public class EncryptionExceptionHandler {
    
    @ExceptionHandler(EncryptionException.class)
    public ResponseEntity<String> handleEncryptionError(EncryptionException e) {
        log.error("加密解密異常", e);
        return ResponseEntity.status(400).body("數(shù)據(jù)格式錯(cuò)誤");
    }
}