Compare commits
5 Commits
b5490085bd
...
0f344b5847
| Author | SHA1 | Date | |
|---|---|---|---|
| 0f344b5847 | |||
| 403eec3e12 | |||
| 84c935d4bd | |||
| e5fed81db5 | |||
| e3e3caed6a |
@@ -17,7 +17,7 @@ const handler = new OpenAPIHandler(router, {
|
||||
title: name,
|
||||
version,
|
||||
description:
|
||||
'UX 授权服务 OpenAPI 文档。该服务用于工具箱侧本地身份初始化与密码学能力调用,覆盖设备授权密文生成、任务二维码解密、摘要信息加密、报告签名打包等流程。\n\n推荐调用顺序:\n1) 写入 licence 与 OpenPGP 私钥;\n2) 读取本机身份状态进行前置校验;\n3) 执行加密/解密与签名接口。\n\n说明:除文件下载接口外,返回体均为 JSON;字段示例已提供,便于联调和 Mock。',
|
||||
'UX 授权服务 OpenAPI 文档。该服务用于工具箱侧本地身份初始化与密码学能力调用,覆盖设备授权密文生成、任务二维码解密、摘要信息加密、报告签名打包等流程。\n\n推荐调用顺序:\n1) 写入平台公钥;\n2) 写入已签名 licence JSON;\n3) 写入 OpenPGP 私钥;\n4) 读取本机身份状态进行前置校验;\n5) 执行加密/解密与签名接口。\n\n说明:除文件下载接口外,返回体均为 JSON;字段示例已提供,便于联调和 Mock。',
|
||||
},
|
||||
},
|
||||
docsPath: '/docs',
|
||||
|
||||
@@ -1,9 +1,18 @@
|
||||
import { oc } from '@orpc/contract'
|
||||
import { z } from 'zod'
|
||||
import { licenceEnvelopeSchema } from '@/server/licence'
|
||||
|
||||
const licenceOutput = z
|
||||
.object({
|
||||
licenceId: z.string().describe('验签通过后的 licence 标识'),
|
||||
expireTime: z.string().describe('授权到期日,格式为 YYYY-MM-DD'),
|
||||
isExpired: z.boolean().describe('当前 licence 是否已过期(按 UTC 自然日计算)'),
|
||||
})
|
||||
.describe('当前已安装 licence 的验证后元数据')
|
||||
|
||||
const configOutput = z
|
||||
.object({
|
||||
licence: z.string().nullable().describe('当前本地 licence,未设置时为 null'),
|
||||
licence: licenceOutput.nullable().describe('当前本地已验证 licence 的元数据,未设置时为 null'),
|
||||
fingerprint: z.string().describe('UX 本机计算得到的设备特征码(SHA-256)'),
|
||||
hasPlatformPublicKey: z.boolean().describe('是否已配置平台公钥'),
|
||||
hasPgpPrivateKey: z.boolean().describe('是否已配置 OpenPGP 私钥'),
|
||||
@@ -12,7 +21,11 @@ const configOutput = z
|
||||
.meta({
|
||||
examples: [
|
||||
{
|
||||
licence: 'LIC-8F2A-XXXX',
|
||||
licence: {
|
||||
licenceId: 'LIC-20260319-0025',
|
||||
expireTime: '2027-03-19',
|
||||
isExpired: false,
|
||||
},
|
||||
fingerprint: '9a3b7c1d2e4f5a6b8c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b',
|
||||
hasPlatformPublicKey: true,
|
||||
hasPgpPrivateKey: true,
|
||||
@@ -33,7 +46,7 @@ export const get = oc
|
||||
operationId: 'configGet',
|
||||
summary: '读取本机身份配置',
|
||||
description:
|
||||
'查询 UX 当前本地身份配置状态。\n\n典型用途:页面初始化时检测授权状态、加密前检查平台公钥、签名前检查私钥是否就绪。\n\n返回内容:\n- licence:当前持久化授权码,未设置时为 null;\n- fingerprint:设备特征码(本机自动计算);\n- hasPlatformPublicKey:是否已写入平台公钥;\n- hasPgpPrivateKey:是否已写入 OpenPGP 私钥。',
|
||||
'查询 UX 当前本地身份配置状态。\n\n典型用途:页面初始化时检测授权状态、验签前检查平台公钥、签名前检查私钥是否就绪。\n\n返回内容:\n- licence:当前已验证 licence 的元数据,未设置时为 null;\n- fingerprint:设备特征码(本机自动计算);\n- hasPlatformPublicKey:是否已写入平台公钥;\n- hasPgpPrivateKey:是否已写入 OpenPGP 私钥。',
|
||||
tags: ['Config'],
|
||||
})
|
||||
.input(z.object({}).describe('空请求体,仅触发读取当前配置'))
|
||||
@@ -46,17 +59,19 @@ export const setLicence = oc
|
||||
operationId: 'configSetLicence',
|
||||
summary: '写入本地 licence',
|
||||
description:
|
||||
'写入或更新本机持久化 licence。\n\n调用时机:设备首次激活、授权码变更、授权修复。\n\n约束与行为:\n- 仅接收 licence 文本;\n- fingerprint 由本机自动计算,不允许外部覆盖;\n- 成功后返回最新配置快照,便于前端立即刷新授权状态。',
|
||||
'写入或更新本机持久化 licence。\n\n调用时机:设备首次激活、授权码变更、授权修复。\n\n约束与行为:\n- 接收 `.lic` 文件内容对应的 JSON 信封,而不是文件上传;\n- 使用已配置的平台公钥对 payload 原始字符串做 SHA256withRSA 验签;\n- 仅在验签通过且 expire_time 未过期时持久化;\n- fingerprint 由本机自动计算,不允许外部覆盖;\n- 成功后返回最新配置快照,便于前端立即刷新授权状态。',
|
||||
tags: ['Config'],
|
||||
})
|
||||
.input(
|
||||
z
|
||||
.object({
|
||||
licence: z.string().min(1).describe('本地持久化的 licence'),
|
||||
})
|
||||
.meta({
|
||||
examples: [{ licence: 'LIC-8F2A-XXXX' }],
|
||||
}),
|
||||
licenceEnvelopeSchema.meta({
|
||||
examples: [
|
||||
{
|
||||
payload: 'eyJsaWNlbmNlX2lkIjoiTElDLTIwMjYwMzE5LTAwMjUiLCJleHBpcmVfdGltZSI6IjIwMjctMDMtMTkifQ==',
|
||||
signature:
|
||||
'aLd+wwpz1W5AS0jgE/IstSNjCAQ5estQYIMqeLXRWMIsnKxjZpCvC8O5q/G5LEBBLJXnbTk8N6IMTUx295nf2HQYlXNtJkWiBeUXQ6/uzs0RbhCeRAWK2Hx4kSsmiEv4AHGLb4ozI2XekTc+40+ApJQYqaWbDu/NU99TmDm3/da1VkKpQxH60BhSQVwBtU67w9Vp3SpWm8y1faQ7ci5WDtJf1JZaS70kPXoGeA5018rPeMFlEzUp10yDlGW6RcrT7Dm+r7zFyrFznLK+evBEvTf9mMGWwZZP3q9vJtC/wFt1t5zNHdkb27cTwc9yyqGMWdelXQAQDnoisn2Jzi06KA==',
|
||||
},
|
||||
],
|
||||
}),
|
||||
)
|
||||
.output(configOutput)
|
||||
|
||||
@@ -92,7 +107,7 @@ export const setPlatformPublicKey = oc
|
||||
operationId: 'configSetPlatformPublicKey',
|
||||
summary: '写入本地平台公钥',
|
||||
description:
|
||||
'写入或更新本机持久化平台公钥(Base64 编码 SPKI DER)。\n\n调用时机:设备授权初始化、平台公钥轮换。\n\n约束与行为:\n- 仅接收平台 RSA 公钥文本;\n- 公钥保存在本地,设备授权密文接口会自动读取,无需每次传参;\n- 成功后返回最新配置快照,可用于确认 hasPlatformPublicKey 状态。',
|
||||
'写入或更新本机持久化平台公钥(Base64 编码 SPKI DER)。\n\n调用时机:设备授权初始化、平台公钥轮换。\n\n约束与行为:\n- 仅接收可解析的平台 RSA 公钥文本;\n- 公钥保存在本地,设备授权密文接口和 licence 验签都会自动读取,无需每次传参;\n- 若平台公钥发生变化,已安装 licence 会被清空,需要重新安装已签名 licence;\n- 成功后返回最新配置快照,可用于确认 hasPlatformPublicKey 状态。',
|
||||
tags: ['Config'],
|
||||
})
|
||||
.input(
|
||||
|
||||
@@ -8,7 +8,7 @@ export const encryptDeviceInfo = oc
|
||||
operationId: 'encryptDeviceInfo',
|
||||
summary: '生成设备授权二维码密文',
|
||||
description:
|
||||
'生成设备授权流程所需的二维码密文。\n\n处理流程:\n- 读取本机 licence、fingerprint 与本地持久化的平台公钥;\n- 组装为授权载荷 JSON;\n- 使用平台公钥执行 RSA-OAEP(SHA-256) 加密;\n- 返回 Base64 密文供前端生成二维码。\n\n适用场景:设备授权申请、重新授权。\n\n前置条件:需先调用 config.setPlatformPublicKey 写入平台公钥。',
|
||||
'生成设备授权流程所需的二维码密文。\n\n处理流程:\n- 读取本机已验证的 licenceId、fingerprint 与本地持久化的平台公钥;\n- 组装为授权载荷 JSON;\n- 使用平台公钥执行 RSA-OAEP(SHA-256) 加密;\n- 返回 Base64 密文供前端生成二维码。\n\n适用场景:设备授权申请、重新授权。\n\n前置条件:需先调用 config.setPlatformPublicKey 写入平台公钥,并通过 config.setLicence 安装已签名 licence。',
|
||||
tags: ['Crypto'],
|
||||
})
|
||||
.input(z.object({}).describe('空请求体。平台公钥由本地配置自动读取'))
|
||||
@@ -34,7 +34,7 @@ export const decryptTask = oc
|
||||
operationId: 'decryptTask',
|
||||
summary: '解密任务二维码数据',
|
||||
description:
|
||||
'解密 App 下发的任务二维码密文。\n\n处理流程:\n- 基于本机 licence + fingerprint 派生 AES-256-GCM 密钥;\n- 对二维码中的 Base64 密文进行解密;\n- 返回任务明文 JSON 字符串。\n\n适用场景:扫码接收任务后解析任务详情。',
|
||||
'解密 App 下发的任务二维码密文。\n\n处理流程:\n- 基于本机已验证的 licenceId + fingerprint 派生 AES-256-GCM 密钥;\n- 对二维码中的 Base64 密文进行解密;\n- 返回任务明文 JSON 字符串。\n\n适用场景:扫码接收任务后解析任务详情。',
|
||||
tags: ['Crypto'],
|
||||
})
|
||||
.input(
|
||||
@@ -74,7 +74,7 @@ export const encryptSummary = oc
|
||||
operationId: 'encryptSummary',
|
||||
summary: '加密摘要信息',
|
||||
description:
|
||||
'加密检查摘要信息并产出二维码密文。\n\n处理流程:\n- 使用 licence + fingerprint 结合 taskId(salt) 通过 HKDF-SHA256 派生密钥;\n- 使用 AES-256-GCM 加密摘要明文;\n- 返回 Base64 密文用于摘要二维码生成。\n\n适用场景:任务执行后提交摘要信息。',
|
||||
'加密检查摘要信息并产出二维码密文。\n\n处理流程:\n- 使用已验证的 licenceId + fingerprint 结合 taskId(salt) 通过 HKDF-SHA256 派生密钥;\n- 使用 AES-256-GCM 加密摘要明文;\n- 返回 Base64 密文用于摘要二维码生成。\n\n适用场景:任务执行后提交摘要信息。',
|
||||
tags: ['Crypto'],
|
||||
})
|
||||
.input(
|
||||
@@ -116,7 +116,7 @@ export const signAndPackReport = oc
|
||||
operationId: 'signAndPackReport',
|
||||
summary: '签名并打包检查报告',
|
||||
description:
|
||||
'对原始报告执行设备签名与 OpenPGP 签名并重新打包。\n\n处理流程:\n- 解析上传 ZIP 并提取 summary.json;\n- 用 licence/fingerprint 计算 deviceSignature(HKDF + HMAC-SHA256) 并回写 summary.json;\n- 生成 META-INF/manifest.json;\n- 使用本地 OpenPGP 私钥生成 detached signature(`META-INF/signature.asc`);\n- 返回签名后 ZIP。\n\n适用场景:检查结果归档、可追溯签名分发。',
|
||||
'对原始报告执行设备签名与 OpenPGP 签名并重新打包。\n\n处理流程:\n- 解析上传 ZIP 并提取 summary.json;\n- 用已验证的 licenceId/fingerprint 计算 deviceSignature(HKDF + HMAC-SHA256) 并回写 summary.json;\n- 生成 META-INF/manifest.json;\n- 使用本地 OpenPGP 私钥生成 detached signature(`META-INF/signature.asc`);\n- 返回签名后 ZIP。\n\n适用场景:检查结果归档、可追溯签名分发。',
|
||||
tags: ['Report'],
|
||||
spec: (current) => {
|
||||
const multipartContent =
|
||||
|
||||
@@ -1,16 +1,25 @@
|
||||
import { validatePgpPrivateKey } from '@furtherverse/crypto'
|
||||
import { validatePgpPrivateKey, validateRsaPublicKey } from '@furtherverse/crypto'
|
||||
import { ORPCError } from '@orpc/server'
|
||||
import { isLicenceExpired, verifyAndDecodeLicenceEnvelope } from '@/server/licence'
|
||||
import { ensureUxConfig, setUxLicence, setUxPgpPrivateKey, setUxPlatformPublicKey } from '@/server/ux-config'
|
||||
import { db } from '../middlewares'
|
||||
import { os } from '../server'
|
||||
|
||||
const toConfigOutput = (config: {
|
||||
licence: string | null
|
||||
licenceId: string | null
|
||||
licenceExpireTime: string | null
|
||||
fingerprint: string
|
||||
platformPublicKey: string | null
|
||||
pgpPrivateKey: string | null
|
||||
}) => ({
|
||||
licence: config.licence,
|
||||
licence:
|
||||
config.licenceId && config.licenceExpireTime
|
||||
? {
|
||||
licenceId: config.licenceId,
|
||||
expireTime: config.licenceExpireTime,
|
||||
isExpired: isLicenceExpired(config.licenceExpireTime),
|
||||
}
|
||||
: null,
|
||||
fingerprint: config.fingerprint,
|
||||
hasPlatformPublicKey: config.platformPublicKey != null,
|
||||
hasPgpPrivateKey: config.pgpPrivateKey != null,
|
||||
@@ -22,7 +31,28 @@ export const get = os.config.get.use(db).handler(async ({ context }) => {
|
||||
})
|
||||
|
||||
export const setLicence = os.config.setLicence.use(db).handler(async ({ context, input }) => {
|
||||
const config = await setUxLicence(context.db, input.licence)
|
||||
const currentConfig = await ensureUxConfig(context.db)
|
||||
|
||||
if (!currentConfig.platformPublicKey) {
|
||||
throw new ORPCError('PRECONDITION_FAILED', {
|
||||
message: 'Platform public key is not configured. Call config.setPlatformPublicKey first.',
|
||||
})
|
||||
}
|
||||
|
||||
const payload = verifyAndDecodeLicenceEnvelope(input, currentConfig.platformPublicKey)
|
||||
if (isLicenceExpired(payload.expire_time)) {
|
||||
throw new ORPCError('BAD_REQUEST', {
|
||||
message: 'licence has expired',
|
||||
})
|
||||
}
|
||||
|
||||
const config = await setUxLicence(context.db, {
|
||||
payload: input.payload,
|
||||
signature: input.signature,
|
||||
licenceId: payload.licence_id,
|
||||
expireTime: payload.expire_time,
|
||||
})
|
||||
|
||||
return toConfigOutput(config)
|
||||
})
|
||||
|
||||
@@ -38,6 +68,14 @@ export const setPgpPrivateKey = os.config.setPgpPrivateKey.use(db).handler(async
|
||||
})
|
||||
|
||||
export const setPlatformPublicKey = os.config.setPlatformPublicKey.use(db).handler(async ({ context, input }) => {
|
||||
try {
|
||||
validateRsaPublicKey(input.platformPublicKey)
|
||||
} catch (error) {
|
||||
throw new ORPCError('BAD_REQUEST', {
|
||||
message: `Invalid platform public key: ${error instanceof Error ? error.message : 'unable to parse'}`,
|
||||
})
|
||||
}
|
||||
|
||||
const config = await setUxPlatformPublicKey(context.db, input.platformPublicKey)
|
||||
return toConfigOutput(config)
|
||||
})
|
||||
|
||||
@@ -18,6 +18,7 @@ import {
|
||||
stringify as losslessStringify,
|
||||
} from 'lossless-json'
|
||||
import { z } from 'zod'
|
||||
import { isLicenceExpired } from '@/server/licence'
|
||||
import { extractSafeZipFiles, ZipValidationError } from '@/server/safe-zip'
|
||||
import { getUxConfig } from '@/server/ux-config'
|
||||
import { db } from '../middlewares'
|
||||
@@ -45,12 +46,19 @@ const summaryPayloadSchema = z
|
||||
|
||||
const requireIdentity = async (dbInstance: Parameters<typeof getUxConfig>[0]) => {
|
||||
const config = await getUxConfig(dbInstance)
|
||||
if (!config || !config.licence) {
|
||||
if (!config || !config.licenceId || !config.licenceExpireTime) {
|
||||
throw new ORPCError('PRECONDITION_FAILED', {
|
||||
message: 'Local identity is not initialized. Call config.get and then config.setLicence first.',
|
||||
})
|
||||
}
|
||||
return config as typeof config & { licence: string }
|
||||
|
||||
if (isLicenceExpired(config.licenceExpireTime)) {
|
||||
throw new ORPCError('PRECONDITION_FAILED', {
|
||||
message: 'Local licence has expired. Install a new signed licence before calling crypto APIs.',
|
||||
})
|
||||
}
|
||||
|
||||
return config as typeof config & { licenceId: string; licenceExpireTime: string }
|
||||
}
|
||||
|
||||
export const encryptDeviceInfo = os.crypto.encryptDeviceInfo.use(db).handler(async ({ context }) => {
|
||||
@@ -63,7 +71,7 @@ export const encryptDeviceInfo = os.crypto.encryptDeviceInfo.use(db).handler(asy
|
||||
}
|
||||
|
||||
const deviceInfoJson = JSON.stringify({
|
||||
licence: config.licence,
|
||||
licence: config.licenceId,
|
||||
fingerprint: config.fingerprint,
|
||||
})
|
||||
|
||||
@@ -74,7 +82,7 @@ export const encryptDeviceInfo = os.crypto.encryptDeviceInfo.use(db).handler(asy
|
||||
export const decryptTask = os.crypto.decryptTask.use(db).handler(async ({ context, input }) => {
|
||||
const config = await requireIdentity(context.db)
|
||||
|
||||
const key = sha256(config.licence + config.fingerprint)
|
||||
const key = sha256(config.licenceId + config.fingerprint)
|
||||
const decrypted = aesGcmDecrypt(input.encryptedData, key)
|
||||
return { decrypted }
|
||||
})
|
||||
@@ -82,7 +90,7 @@ export const decryptTask = os.crypto.decryptTask.use(db).handler(async ({ contex
|
||||
export const encryptSummary = os.crypto.encryptSummary.use(db).handler(async ({ context, input }) => {
|
||||
const config = await requireIdentity(context.db)
|
||||
|
||||
const ikm = config.licence + config.fingerprint
|
||||
const ikm = config.licenceId + config.fingerprint
|
||||
const aesKey = hkdfSha256(ikm, input.salt, 'inspection_report_encryption')
|
||||
const encrypted = aesGcmEncrypt(input.plaintext, aesKey)
|
||||
return { encrypted }
|
||||
@@ -152,7 +160,7 @@ export const signAndPackReport = os.crypto.signAndPackReport.use(db).handler(asy
|
||||
// Compute device signature
|
||||
// signPayload = taskId + inspectionId + assetsSha256 + vulnerabilitiesSha256 + weakPasswordsSha256 + reportHtmlSha256
|
||||
// (plain concatenation, no separators, fixed order — matching Kotlin reference)
|
||||
const ikm = config.licence + config.fingerprint
|
||||
const ikm = config.licenceId + config.fingerprint
|
||||
const signingKey = hkdfSha256(ikm, 'AUTH_V3_SALT', 'device_report_signature')
|
||||
|
||||
const signPayload = `${summaryPayload.taskId}${checkId}${assetsSha256}${vulnerabilitiesSha256}${weakPasswordsSha256}${reportHtmlSha256}`
|
||||
@@ -163,7 +171,7 @@ export const signAndPackReport = os.crypto.signAndPackReport.use(db).handler(asy
|
||||
orgId: toLosslessNumber(String(orgId)),
|
||||
checkId: toLosslessNumber(checkId),
|
||||
taskId: summaryPayload.taskId,
|
||||
licence: config.licence,
|
||||
licence: config.licenceId,
|
||||
fingerprint: config.fingerprint,
|
||||
deviceSignature,
|
||||
summary: summaryPayload.summary ?? '',
|
||||
|
||||
@@ -4,7 +4,10 @@ import { generatedFields } from '../fields'
|
||||
export const uxConfigTable = sqliteTable('ux_config', {
|
||||
...generatedFields,
|
||||
singletonKey: text('singleton_key').notNull().unique().default('default'),
|
||||
licence: text('licence'),
|
||||
licencePayload: text('licence_payload'),
|
||||
licenceSignature: text('licence_signature'),
|
||||
licenceId: text('licence_id'),
|
||||
licenceExpireTime: text('licence_expire_time'),
|
||||
fingerprint: text('fingerprint').notNull(),
|
||||
platformPublicKey: text('platform_public_key'),
|
||||
pgpPrivateKey: text('pgp_private_key'),
|
||||
|
||||
32
apps/server/src/server/licence.test.ts
Normal file
32
apps/server/src/server/licence.test.ts
Normal file
@@ -0,0 +1,32 @@
|
||||
import { describe, expect, it } from 'bun:test'
|
||||
import { constants, createSign, generateKeyPairSync } from 'node:crypto'
|
||||
import { decodeLicencePayload, isLicenceExpired, verifyAndDecodeLicenceEnvelope } from './licence'
|
||||
|
||||
describe('licence helpers', () => {
|
||||
it('verifies payload signatures and decodes payload JSON', () => {
|
||||
const { privateKey, publicKey } = generateKeyPairSync('rsa', { modulusLength: 2048 })
|
||||
const payloadJson = JSON.stringify({ licence_id: 'LIC-20260319-0025', expire_time: '2027-03-19' })
|
||||
const payload = Buffer.from(payloadJson, 'utf-8').toString('base64')
|
||||
|
||||
const signer = createSign('RSA-SHA256')
|
||||
signer.update(Buffer.from(payload, 'utf-8'))
|
||||
signer.end()
|
||||
|
||||
const signature = signer.sign({ key: privateKey, padding: constants.RSA_PKCS1_PADDING }).toString('base64')
|
||||
const publicKeyBase64 = publicKey.export({ format: 'der', type: 'spki' }).toString('base64')
|
||||
|
||||
expect(verifyAndDecodeLicenceEnvelope({ payload, signature }, publicKeyBase64)).toEqual({
|
||||
licence_id: 'LIC-20260319-0025',
|
||||
expire_time: '2027-03-19',
|
||||
})
|
||||
})
|
||||
|
||||
it('treats expire_time as valid through the end of the UTC day', () => {
|
||||
expect(isLicenceExpired('2027-03-19', new Date('2027-03-19T23:59:59.999Z'))).toBe(false)
|
||||
expect(isLicenceExpired('2027-03-19', new Date('2027-03-20T00:00:00.000Z'))).toBe(true)
|
||||
})
|
||||
|
||||
it('rejects malformed payloads', () => {
|
||||
expect(() => decodeLicencePayload('not-base64')).toThrow('payload must be valid Base64')
|
||||
})
|
||||
})
|
||||
94
apps/server/src/server/licence.ts
Normal file
94
apps/server/src/server/licence.ts
Normal file
@@ -0,0 +1,94 @@
|
||||
import { rsaVerifySignature } from '@furtherverse/crypto'
|
||||
import { z } from 'zod'
|
||||
|
||||
const BASE64_PATTERN = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/
|
||||
const DATE_PATTERN = /^(\d{4})-(\d{2})-(\d{2})$/
|
||||
|
||||
export const licenceEnvelopeSchema = z.object({
|
||||
payload: z.string().min(1).max(8192).describe('Base64 编码的 licence payload 原文'),
|
||||
signature: z.string().min(1).max(8192).describe('对 payload 字符串 UTF-8 字节做 SHA256withRSA 后得到的 Base64 签名'),
|
||||
})
|
||||
|
||||
export const licencePayloadSchema = z
|
||||
.object({
|
||||
licence_id: z.string().min(1).describe('验签通过后的 licence 标识'),
|
||||
expire_time: z
|
||||
.string()
|
||||
.regex(DATE_PATTERN, 'expire_time must use YYYY-MM-DD')
|
||||
.describe('授权到期日,格式为 YYYY-MM-DD(按 UTC 自然日末尾失效)'),
|
||||
})
|
||||
.loose()
|
||||
|
||||
export type LicenceEnvelope = z.infer<typeof licenceEnvelopeSchema>
|
||||
export type LicencePayload = z.infer<typeof licencePayloadSchema>
|
||||
|
||||
const decodeBase64 = (value: string, fieldName: string): Buffer => {
|
||||
if (!BASE64_PATTERN.test(value)) {
|
||||
throw new Error(`${fieldName} must be valid Base64`)
|
||||
}
|
||||
|
||||
return Buffer.from(value, 'base64')
|
||||
}
|
||||
|
||||
const parseUtcDate = (value: string): Date => {
|
||||
const match = DATE_PATTERN.exec(value)
|
||||
if (!match) {
|
||||
throw new Error('expire_time must use YYYY-MM-DD')
|
||||
}
|
||||
|
||||
const [, yearText, monthText, dayText] = match
|
||||
const year = Number(yearText)
|
||||
const month = Number(monthText)
|
||||
const day = Number(dayText)
|
||||
const parsed = new Date(Date.UTC(year, month - 1, day))
|
||||
|
||||
if (
|
||||
Number.isNaN(parsed.getTime()) ||
|
||||
parsed.getUTCFullYear() !== year ||
|
||||
parsed.getUTCMonth() !== month - 1 ||
|
||||
parsed.getUTCDate() !== day
|
||||
) {
|
||||
throw new Error('expire_time is not a valid calendar date')
|
||||
}
|
||||
|
||||
return parsed
|
||||
}
|
||||
|
||||
export const isLicenceExpired = (expireTime: string, now = new Date()): boolean => {
|
||||
const expireDate = parseUtcDate(expireTime)
|
||||
const expiresAt = Date.UTC(expireDate.getUTCFullYear(), expireDate.getUTCMonth(), expireDate.getUTCDate() + 1)
|
||||
|
||||
return now.getTime() >= expiresAt
|
||||
}
|
||||
|
||||
export const decodeLicencePayload = (payloadBase64: string): LicencePayload => {
|
||||
const decodedJson = decodeBase64(payloadBase64, 'payload').toString('utf-8')
|
||||
|
||||
let rawPayload: unknown
|
||||
try {
|
||||
rawPayload = JSON.parse(decodedJson)
|
||||
} catch {
|
||||
throw new Error('payload must decode to valid JSON')
|
||||
}
|
||||
|
||||
const parsedPayload = licencePayloadSchema.safeParse(rawPayload)
|
||||
if (!parsedPayload.success) {
|
||||
throw new Error(z.prettifyError(parsedPayload.error))
|
||||
}
|
||||
|
||||
return parsedPayload.data
|
||||
}
|
||||
|
||||
export const verifyLicenceEnvelopeSignature = (envelope: LicenceEnvelope, publicKeyBase64: string): void => {
|
||||
const signatureBytes = decodeBase64(envelope.signature, 'signature')
|
||||
const isValid = rsaVerifySignature(Buffer.from(envelope.payload, 'utf-8'), signatureBytes, publicKeyBase64)
|
||||
|
||||
if (!isValid) {
|
||||
throw new Error('licence signature is invalid')
|
||||
}
|
||||
}
|
||||
|
||||
export const verifyAndDecodeLicenceEnvelope = (envelope: LicenceEnvelope, publicKeyBase64: string): LicencePayload => {
|
||||
verifyLicenceEnvelopeSignature(envelope, publicKeyBase64)
|
||||
return decodeLicencePayload(envelope.payload)
|
||||
}
|
||||
@@ -32,17 +32,37 @@ export const ensureUxConfig = async (db: DB) => {
|
||||
.values({
|
||||
singletonKey: UX_CONFIG_KEY,
|
||||
fingerprint,
|
||||
licence: null,
|
||||
licencePayload: null,
|
||||
licenceSignature: null,
|
||||
licenceId: null,
|
||||
licenceExpireTime: null,
|
||||
})
|
||||
.returning()
|
||||
|
||||
return rows[0] as (typeof rows)[number]
|
||||
}
|
||||
|
||||
export const setUxLicence = async (db: DB, licence: string) => {
|
||||
export const setUxLicence = async (
|
||||
db: DB,
|
||||
licence: {
|
||||
payload: string
|
||||
signature: string
|
||||
licenceId: string
|
||||
expireTime: string
|
||||
},
|
||||
) => {
|
||||
const config = await ensureUxConfig(db)
|
||||
|
||||
const rows = await db.update(uxConfigTable).set({ licence }).where(eq(uxConfigTable.id, config.id)).returning()
|
||||
const rows = await db
|
||||
.update(uxConfigTable)
|
||||
.set({
|
||||
licencePayload: licence.payload,
|
||||
licenceSignature: licence.signature,
|
||||
licenceId: licence.licenceId,
|
||||
licenceExpireTime: licence.expireTime,
|
||||
})
|
||||
.where(eq(uxConfigTable.id, config.id))
|
||||
.returning()
|
||||
|
||||
return rows[0] as (typeof rows)[number]
|
||||
}
|
||||
@@ -57,10 +77,21 @@ export const setUxPgpPrivateKey = async (db: DB, pgpPrivateKey: string) => {
|
||||
|
||||
export const setUxPlatformPublicKey = async (db: DB, platformPublicKey: string) => {
|
||||
const config = await ensureUxConfig(db)
|
||||
const shouldClearLicence = config.platformPublicKey !== platformPublicKey
|
||||
|
||||
const rows = await db
|
||||
.update(uxConfigTable)
|
||||
.set({ platformPublicKey })
|
||||
.set({
|
||||
platformPublicKey,
|
||||
...(shouldClearLicence
|
||||
? {
|
||||
licencePayload: null,
|
||||
licenceSignature: null,
|
||||
licenceId: null,
|
||||
licenceExpireTime: null,
|
||||
}
|
||||
: {}),
|
||||
})
|
||||
.where(eq(uxConfigTable.id, config.id))
|
||||
.returning()
|
||||
|
||||
|
||||
@@ -4,3 +4,4 @@ export { hkdfSha256 } from './hkdf'
|
||||
export { hmacSha256, hmacSha256Base64 } from './hmac'
|
||||
export { generatePgpKeyPair, pgpSignDetached, pgpVerifyDetached, validatePgpPrivateKey } from './pgp'
|
||||
export { rsaOaepEncrypt } from './rsa-oaep'
|
||||
export { rsaVerifySignature, validateRsaPublicKey } from './rsa-signature'
|
||||
|
||||
24
packages/crypto/src/rsa-signature.test.ts
Normal file
24
packages/crypto/src/rsa-signature.test.ts
Normal file
@@ -0,0 +1,24 @@
|
||||
import { describe, expect, it } from 'bun:test'
|
||||
import { constants, createSign, generateKeyPairSync } from 'node:crypto'
|
||||
import { rsaVerifySignature, validateRsaPublicKey } from './rsa-signature'
|
||||
|
||||
describe('rsaVerifySignature', () => {
|
||||
it('verifies SHA256withRSA signatures over raw payload bytes', () => {
|
||||
const { privateKey, publicKey } = generateKeyPairSync('rsa', { modulusLength: 2048 })
|
||||
const payload = Buffer.from('eyJsaWNlbmNlX2lkIjoiTElDLTAwMSIsImV4cGlyZV90aW1lIjoiMjAyNy0wMy0xOSJ9', 'utf-8')
|
||||
|
||||
const signer = createSign('RSA-SHA256')
|
||||
signer.update(payload)
|
||||
signer.end()
|
||||
|
||||
const signature = signer.sign({ key: privateKey, padding: constants.RSA_PKCS1_PADDING })
|
||||
const publicKeyBase64 = publicKey.export({ format: 'der', type: 'spki' }).toString('base64')
|
||||
|
||||
expect(rsaVerifySignature(payload, signature, publicKeyBase64)).toBe(true)
|
||||
expect(rsaVerifySignature(Buffer.from(`${payload}x`, 'utf-8'), signature, publicKeyBase64)).toBe(false)
|
||||
})
|
||||
|
||||
it('rejects malformed SPKI public keys', () => {
|
||||
expect(() => validateRsaPublicKey('not-a-public-key')).toThrow()
|
||||
})
|
||||
})
|
||||
19
packages/crypto/src/rsa-signature.ts
Normal file
19
packages/crypto/src/rsa-signature.ts
Normal file
@@ -0,0 +1,19 @@
|
||||
import { constants, createPublicKey, verify } from 'node:crypto'
|
||||
|
||||
const createSpkiPublicKey = (publicKeyBase64: string) => {
|
||||
return createPublicKey({
|
||||
key: Buffer.from(publicKeyBase64, 'base64'),
|
||||
format: 'der',
|
||||
type: 'spki',
|
||||
})
|
||||
}
|
||||
|
||||
export const validateRsaPublicKey = (publicKeyBase64: string): void => {
|
||||
createSpkiPublicKey(publicKeyBase64)
|
||||
}
|
||||
|
||||
export const rsaVerifySignature = (data: Uint8Array, signature: Uint8Array, publicKeyBase64: string): boolean => {
|
||||
const publicKey = createSpkiPublicKey(publicKeyBase64)
|
||||
|
||||
return verify('RSA-SHA256', data, { key: publicKey, padding: constants.RSA_PKCS1_PADDING }, signature)
|
||||
}
|
||||
Reference in New Issue
Block a user