imbytecat/fullstack-starter
1
1
Fork 2
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: imbytecat:main
Branches Tags
imbytecat:main imbytecat:ux imbytecat:backup/legacy imbytecat:backup/ux
..
compare: imbytecat:0f344b584777252b0c22147704ac22e3890efb50
Branches Tags
imbytecat:main imbytecat:ux imbytecat:backup/legacy imbytecat:backup/ux

40 Commits
main ... 0f344b5847

Author SHA1 Message Date
imbytecat
0f344b5847 refactor(server): crypto 流程改用验证后的 licenceId 2026-03-19 16:16:53 +08:00
imbytecat
403eec3e12 feat(server): 配置接口接入 licence 验签 2026-03-19 16:16:42 +08:00
imbytecat
84c935d4bd refactor(server): 规范化 licence 持久化结构 2026-03-19 16:16:29 +08:00
imbytecat
e5fed81db5 feat(server): 新增 signed licence 校验工具 2026-03-19 16:16:18 +08:00
imbytecat
e3e3caed6a feat(crypto): 新增 RSA 验签工具 2026-03-19 16:16:07 +08:00
imbytecat
b5490085bd chore(deps): bump dependencies to latest versions 2026-03-16 15:09:01 +08:00
imbytecat
713ee5b79f docs(server): update encryptSummary example summary structure 2026-03-10 16:58:28 +08:00
imbytecat
d7d6b06e35 fix(server): simplify report tag and hide platformPublicKey in config output 2026-03-10 16:35:00 +08:00
imbytecat
1997655875 feat(server): persist platform public key and enrich OpenAPI docs 2026-03-10 16:20:49 +08:00
imbytecat
9a2bd5c43a fix(server): 使用 lossless-json 无损处理 summary.json Long 精度 2026-03-10 16:10:25 +08:00
imbytecat
42bc8605b4 docs: 添加摘要+ZIP 加密测试控制器参考 2026-03-10 15:09:11 +08:00
imbytecat
04ff718f47 docs: 移除旧版工具箱端授权对接指南文档 2026-03-10 15:08:36 +08:00
imbytecat
da82403f7f refactor(server): signAndPackReport 对齐 Kotlin 参考实现的摘要与签名结构 2026-03-10 15:08:12 +08:00
imbytecat
4a5dd437fa fix(server): setPgpPrivateKey 接口增加私钥格式校验 2026-03-10 15:07:31 +08:00
imbytecat
1945417f28 feat(crypto): 新增 validatePgpPrivateKey 校验函数 2026-03-10 15:07:07 +08:00
imbytecat
8be32bf15b refactor(server): extract ZIP security checks into reusable safe-zip module 2026-03-06 16:51:33 +08:00
imbytecat
1110edc974 docs: remove outdated UX API docs (superseded by OpenAPI /api/docs) 2026-03-06 16:41:15 +08:00
imbytecat
a5fd9c1833 fix(crypto): replace deprecated .passthrough() with .loose() (Zod 4) 2026-03-06 16:40:46 +08:00
imbytecat
3d27f8ccfa refactor(crypto): use Zod safeParse for summary.json validation instead of manual checks 2026-03-06 16:39:38 +08:00
imbytecat
4d64cfb93d docs: 添加管理平台标准加密算法 Kotlin 参考实现 2026-03-06 15:34:04 +08:00
imbytecat
2651ec0835 fix(crypto): 修复 RSA-OAEP 加密与 Java SunJCE 的 MGF1 哈希不兼容问题 
Node.js publicEncrypt({ oaepHash }) 会将 OAEP hash 和 MGF1 hash
绑定为同一算法,而 Java OAEPWithSHA-256AndMGF1Padding 默认使用
SHA-256(OAEP) + SHA-1(MGF1)。改用 node-forge 独立配置两个哈希,
确保密文可被管理平台正确解密。
 2026-03-06 15:33:07 +08:00
imbytecat
122dead202 refactor(server): 简化 signAndPackReport 接口,PGP 私钥本地存储、summary.json 从 ZIP 提取 
- DB schema 新增 pgpPrivateKey 字段
- 新增 config.setPgpPrivateKey 接口,私钥与设备绑定
- signAndPackReport 只需传 rawZip,signingContext 自动从 summary.json 派生
- configOutput 新增 hasPgpPrivateKey 字段
- 抽取 requireIdentity 减少重复校验代码
 2026-03-06 14:55:12 +08:00
imbytecat
ec41a4cfc7 docs(contract): 为所有 API 的 input/output 添加 OpenAPI examples,便于厂商测试 2026-03-06 14:37:50 +08:00
imbytecat
86754f73c1 docs(contract): 优化 API summary/description,对齐工具箱端对接指南文档 2026-03-06 14:30:09 +08:00
imbytecat
9296ab31e4 fix(server): 每次启动重新计算设备特征码,环境变化时自动更新 2026-03-06 11:28:14 +08:00
imbytecat
72d1727eb6 refactor(server): 设备特征码直接使用完整 SHA-256,移除 FP- 前缀和截断 2026-03-06 11:23:52 +08:00
imbytecat
aabd60e619 refactor(server): 使用 systeminformation 替代手动采集生成设备特征码 
硬件级 SMBIOS 标识(uuid/serial/model/manufacturer)跨平台稳定,
不再依赖 Linux 独有的 machine-id 和易变的 OS release/内存/MAC 地址。
 2026-03-06 11:16:17 +08:00
imbytecat
cdb3298f6d refactor(db): 删除去业务化后残留的 device/task 表定义 2026-03-06 10:39:09 +08:00
imbytecat
060ddd8e12 docs: 更新 UX 本地身份配置流程与对接说明 2026-03-06 10:02:56 +08:00
imbytecat
b50d2eaf10 refactor(server): 重构为本地身份配置 + 底层 crypto 能力接口 2026-03-06 10:02:26 +08:00
imbytecat
46e2c94faf fix(db): 修正 drizzle-kit 在 Bun SQLite 下的配置与脚本 2026-03-05 16:59:25 +08:00
imbytecat
b1062a5aed refactor(api): signAndPackReport 直接返回签名 ZIP 文件 2026-03-05 16:58:59 +08:00
imbytecat
b193759e90 docs: 新增第三方 OpenAPI 对接指南 2026-03-05 16:44:01 +08:00
imbytecat
eb941c06c0 docs(api): 补全 OpenAPI 元数据与字段描述 2026-03-05 16:43:53 +08:00
imbytecat
eb2f6554b2 docs: 更新 signAndPackReport 为 multipart 文件上传说明 2026-03-05 16:32:49 +08:00
imbytecat
58d57fa148 refactor(server): 使用 multipart File 替代报告 ZIP 的 base64 上传 2026-03-05 16:32:41 +08:00
imbytecat
509860bba8 docs: 补充 UX 集成模式与授权对接说明 2026-03-05 16:24:21 +08:00
imbytecat
4e7c4e1aa5 feat(server): 实现设备授权与报告 ZIP 签名打包接口 2026-03-05 16:24:10 +08:00
imbytecat
8261409d7d refactor(server): 切换 SQLite 并重建设备/任务表结构 2026-03-05 16:23:30 +08:00
imbytecat
d2eb98d612 feat: 新增共享加密包并引入 ZIP/PGP 依赖 2026-03-05 16:23:13 +08:00
42 changed files with 2170 additions and 558 deletions
Expand all files Collapse all files

5
.gitignore vendored
View File

@@ -9,6 +9,11 @@
# Bun build # Bun build
*.bun-build *.bun-build
# SQLite database files
*.db
*.db-wal
*.db-shm
# Turborepo # Turborepo
.turbo/ .turbo/

2
apps/server/.env.example
View File

@@ -1 +1 @@
DATABASE_URL=postgres://postgres:postgres@localhost:5432/postgres DATABASE_PATH=data.db

7
apps/server/drizzle.config.ts
View File

@@ -1,11 +1,12 @@
import { defineConfig } from 'drizzle-kit' import { defineConfig } from 'drizzle-kit'
import { env } from '@/env'
const databasePath = process.env.DATABASE_PATH ?? 'data.db'
export default defineConfig({ export default defineConfig({
out: './drizzle', out: './drizzle',
schema: './src/server/db/schema/index.ts', schema: './src/server/db/schema/index.ts',
dialect: 'postgresql', dialect: 'sqlite',
dbCredentials: { dbCredentials: {
url: env.DATABASE_URL, url: databasePath,
}, },
}) })

16
apps/server/package.json
View File

@@ -14,15 +14,16 @@
"compile:linux:x64": "bun compile.ts --target bun-linux-x64", "compile:linux:x64": "bun compile.ts --target bun-linux-x64",
"compile:windows": "bun run compile:windows:x64", "compile:windows": "bun run compile:windows:x64",
"compile:windows:x64": "bun compile.ts --target bun-windows-x64", "compile:windows:x64": "bun compile.ts --target bun-windows-x64",
"db:generate": "drizzle-kit generate", "db:generate": "bun --bun drizzle-kit generate",
"db:migrate": "drizzle-kit migrate", "db:migrate": "bun --bun drizzle-kit migrate",
"db:push": "drizzle-kit push", "db:push": "bun --bun drizzle-kit push",
"db:studio": "drizzle-kit studio", "db:studio": "bun --bun drizzle-kit studio",
"dev": "bunx --bun vite dev", "dev": "bunx --bun vite dev",
"fix": "biome check --write", "fix": "biome check --write",
"typecheck": "tsc --noEmit" "typecheck": "tsc --noEmit"
}, },
"dependencies": { "dependencies": {
"@furtherverse/crypto": "workspace:*",
"@orpc/client": "catalog:", "@orpc/client": "catalog:",
"@orpc/contract": "catalog:", "@orpc/contract": "catalog:",
"@orpc/openapi": "catalog:", "@orpc/openapi": "catalog:",
@@ -35,9 +36,11 @@
"@tanstack/react-router-ssr-query": "catalog:", "@tanstack/react-router-ssr-query": "catalog:",
"@tanstack/react-start": "catalog:", "@tanstack/react-start": "catalog:",
"drizzle-orm": "catalog:", "drizzle-orm": "catalog:",
"postgres": "catalog:", "jszip": "catalog:",
"lossless-json": "catalog:",
"react": "catalog:", "react": "catalog:",
"react-dom": "catalog:", "react-dom": "catalog:",
"systeminformation": "catalog:",
"uuid": "catalog:", "uuid": "catalog:",
"zod": "catalog:" "zod": "catalog:"
}, },
@@ -54,6 +57,7 @@
"drizzle-kit": "catalog:", "drizzle-kit": "catalog:",
"nitro": "catalog:", "nitro": "catalog:",
"tailwindcss": "catalog:", "tailwindcss": "catalog:",
"vite": "catalog:" "vite": "catalog:",
"vite-tsconfig-paths": "catalog:"
} }
} }

28
apps/server/src/client/orpc.ts
View File

@@ -24,30 +24,4 @@ const getORPCClient = createIsomorphicFn()
const client: RouterClient = getORPCClient() const client: RouterClient = getORPCClient()
export const orpc = createTanstackQueryUtils(client, { export const orpc = createTanstackQueryUtils(client)
experimental_defaults: {
todo: {
create: {
mutationOptions: {
onSuccess: (_, __, ___, ctx) => {
ctx.client.invalidateQueries({ queryKey: orpc.todo.list.key() })
},
},
},
update: {
mutationOptions: {
onSuccess: (_, __, ___, ctx) => {
ctx.client.invalidateQueries({ queryKey: orpc.todo.list.key() })
},
},
},
remove: {
mutationOptions: {
onSuccess: (_, __, ___, ctx) => {
ctx.client.invalidateQueries({ queryKey: orpc.todo.list.key() })
},
},
},
},
},
})

2
apps/server/src/env.ts
View File

@@ -3,7 +3,7 @@ import { z } from 'zod'
export const env = createEnv({ export const env = createEnv({
server: { server: {
DATABASE_URL: z.url(), DATABASE_PATH: z.string().min(1).default('data.db'),
}, },
clientPrefix: 'VITE_', clientPrefix: 'VITE_',
client: { client: {

2
apps/server/src/routes/api/$.ts
View File

@@ -16,6 +16,8 @@ const handler = new OpenAPIHandler(router, {
info: { info: {
title: name, title: name,
version, version,
description:
'UX 授权服务 OpenAPI 文档。该服务用于工具箱侧本地身份初始化与密码学能力调用,覆盖设备授权密文生成、任务二维码解密、摘要信息加密、报告签名打包等流程。\n\n推荐调用顺序\n1) 写入平台公钥;\n2) 写入已签名 licence JSON\n3) 写入 OpenPGP 私钥;\n4) 读取本机身份状态进行前置校验;\n5) 执行加密/解密与签名接口。\n\n说明除文件下载接口外返回体均为 JSON字段示例已提供便于联调和 Mock。',
}, },
}, },
docsPath: '/docs', docsPath: '/docs',

194
apps/server/src/routes/index.tsx
View File

@@ -1,192 +1,20 @@
import { useMutation, useSuspenseQuery } from '@tanstack/react-query'
import { createFileRoute } from '@tanstack/react-router' import { createFileRoute } from '@tanstack/react-router'
import type { ChangeEventHandler, SubmitEventHandler } from 'react'
import { useState } from 'react'
import { orpc } from '@/client/orpc'
export const Route = createFileRoute('/')({ export const Route = createFileRoute('/')({
component: Todos, component: Home,
loader: async ({ context }) => {
await context.queryClient.ensureQueryData(orpc.todo.list.queryOptions())
},
}) })
function Todos() { function Home() {
const [newTodoTitle, setNewTodoTitle] = useState('')
const listQuery = useSuspenseQuery(orpc.todo.list.queryOptions())
const createMutation = useMutation(orpc.todo.create.mutationOptions())
const updateMutation = useMutation(orpc.todo.update.mutationOptions())
const deleteMutation = useMutation(orpc.todo.remove.mutationOptions())
const handleCreateTodo: SubmitEventHandler<HTMLFormElement> = (e) => {
e.preventDefault()
if (newTodoTitle.trim()) {
createMutation.mutate({ title: newTodoTitle.trim() })
setNewTodoTitle('')
}
}
const handleInputChange: ChangeEventHandler<HTMLInputElement> = (e) => {
setNewTodoTitle(e.target.value)
}
const handleToggleTodo = (id: string, currentCompleted: boolean) => {
updateMutation.mutate({
id,
data: { completed: !currentCompleted },
})
}
const handleDeleteTodo = (id: string) => {
deleteMutation.mutate({ id })
}
const todos = listQuery.data
const completedCount = todos.filter((todo) => todo.completed).length
const totalCount = todos.length
const progress = totalCount > 0 ? (completedCount / totalCount) * 100 : 0
return ( return (
<div className="min-h-screen bg-slate-50 py-12 px-4 sm:px-6 font-sans"> <div className="min-h-screen bg-slate-50 flex items-center justify-center font-sans">
<div className="max-w-2xl mx-auto space-y-8"> <div className="text-center space-y-4">
{/* Header */} <h1 className="text-3xl font-bold text-slate-900 tracking-tight">UX Server</h1>
<div className="flex items-end justify-between"> <p className="text-slate-500">
<div> API:&nbsp;
<h1 className="text-3xl font-bold text-slate-900 tracking-tight"></h1> <a href="/api" className="text-indigo-600 hover:text-indigo-700 underline">
<p className="text-slate-500 mt-1"></p> /api
</div> </a>
<div className="text-right"> </p>
<div className="text-2xl font-semibold text-slate-900">
{completedCount}
<span className="text-slate-400 text-lg">/{totalCount}</span>
</div>
<div className="text-xs font-medium text-slate-400 uppercase tracking-wider"></div>
</div>
</div>
{/* Add Todo Form */}
<form onSubmit={handleCreateTodo} className="relative group z-10">
<div className="relative transform transition-all duration-200 focus-within:-translate-y-1">
<input
type="text"
value={newTodoTitle}
onChange={handleInputChange}
placeholder="添加新任务..."
className="w-full pl-6 pr-32 py-5 bg-white rounded-2xl shadow-[0_8px_30px_rgb(0,0,0,0.04)] border-0 ring-1 ring-slate-100 focus:ring-2 focus:ring-indigo-500/50 outline-none transition-all placeholder:text-slate-400 text-lg text-slate-700"
disabled={createMutation.isPending}
/>
<button
type="submit"
disabled={createMutation.isPending || !newTodoTitle.trim()}
className="absolute right-3 top-3 bottom-3 px-6 bg-indigo-600 hover:bg-indigo-700 text-white rounded-xl font-medium transition-all shadow-md shadow-indigo-200 disabled:opacity-50 disabled:shadow-none hover:shadow-lg hover:shadow-indigo-300 active:scale-95"
>
{createMutation.isPending ? '添加中' : '添加'}
</button>
</div>
</form>
{/* Progress Bar (Only visible when there are tasks) */}
{totalCount > 0 && (
<div className="h-1.5 w-full bg-slate-200 rounded-full overflow-hidden">
<div
className="h-full bg-indigo-500 transition-all duration-500 ease-out rounded-full"
style={{ width: `${progress}%` }}
/>
</div>
)}
{/* Todo List */}
<div className="space-y-3">
{todos.length === 0 ? (
<div className="py-20 text-center">
<div className="inline-flex items-center justify-center w-16 h-16 rounded-full bg-slate-100 mb-4">
<svg
className="w-8 h-8 text-slate-400"
fill="none"
viewBox="0 0 24 24"
stroke="currentColor"
aria-hidden="true"
>
<path strokeLinecap="round" strokeLinejoin="round" strokeWidth={1.5} d="M12 6v6m0 0v6m0-6h6m-6 0H6" />
</svg>
</div>
<p className="text-slate-500 text-lg font-medium"></p>
<p className="text-slate-400 text-sm mt-1"></p>
</div>
) : (
todos.map((todo) => (
<div
key={todo.id}
className={`group relative flex items-center p-4 bg-white rounded-xl border border-slate-100 shadow-sm transition-all duration-200 hover:shadow-md hover:border-slate-200 ${
todo.completed ? 'bg-slate-50/50' : ''
}`}
>
<button
type="button"
onClick={() => handleToggleTodo(todo.id, todo.completed)}
className={`flex-shrink-0 w-6 h-6 rounded-full border-2 transition-all duration-200 flex items-center justify-center mr-4 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-indigo-500 ${
todo.completed
? 'bg-indigo-500 border-indigo-500'
: 'border-slate-300 hover:border-indigo-500 bg-white'
}`}
>
{todo.completed && (
<svg
className="w-3.5 h-3.5 text-white"
fill="none"
viewBox="0 0 24 24"
stroke="currentColor"
strokeWidth={3}
aria-hidden="true"
>
<path strokeLinecap="round" strokeLinejoin="round" d="M5 13l4 4L19 7" />
</svg>
)}
</button>
<div className="flex-1 min-w-0">
<p
className={`text-lg transition-all duration-200 truncate ${
todo.completed
? 'text-slate-400 line-through decoration-slate-300 decoration-2'
: 'text-slate-700'
}`}
>
{todo.title}
</p>
</div>
<div className="flex items-center opacity-0 group-hover:opacity-100 transition-opacity duration-200 absolute right-4 pl-4 bg-gradient-to-l from-white via-white to-transparent sm:static sm:bg-none">
<span className="text-xs text-slate-400 mr-3 hidden sm:inline-block">
{new Date(todo.createdAt).toLocaleDateString('zh-CN')}
</span>
<button
type="button"
onClick={() => handleDeleteTodo(todo.id)}
className="p-2 text-slate-400 hover:text-red-500 hover:bg-red-50 rounded-lg transition-colors focus:outline-none"
title="删除"
>
<svg
className="w-5 h-5"
fill="none"
viewBox="0 0 24 24"
stroke="currentColor"
strokeWidth={1.5}
aria-hidden="true"
>
<path
strokeLinecap="round"
strokeLinejoin="round"
d="M19 7l-.867 12.142A2 2 0 0116.138 21H7.862a2 2 0 01-1.995-1.858L5 7m5 4v6m4-6v6m1-10V4a1 1 0 00-1-1h-4a1 1 0 00-1 1v3M4 7h16"
/>
</svg>
</button>
</div>
</div>
))
)}
</div>
</div> </div>
</div> </div>
) )

127
apps/server/src/server/api/contracts/config.contract.ts Normal file
View File

@@ -0,0 +1,127 @@
import { oc } from '@orpc/contract'
import { z } from 'zod'
import { licenceEnvelopeSchema } from '@/server/licence'
const licenceOutput = z
.object({
licenceId: z.string().describe('验签通过后的 licence 标识'),
expireTime: z.string().describe('授权到期日,格式为 YYYY-MM-DD'),
isExpired: z.boolean().describe('当前 licence 是否已过期(按 UTC 自然日计算)'),
})
.describe('当前已安装 licence 的验证后元数据')
const configOutput = z
.object({
licence: licenceOutput.nullable().describe('当前本地已验证 licence 的元数据,未设置时为 null'),
fingerprint: z.string().describe('UX 本机计算得到的设备特征码SHA-256'),
hasPlatformPublicKey: z.boolean().describe('是否已配置平台公钥'),
hasPgpPrivateKey: z.boolean().describe('是否已配置 OpenPGP 私钥'),
})
.describe('本地身份配置快照,用于判断设备授权初始化是否完成')
.meta({
examples: [
{
licence: {
licenceId: 'LIC-20260319-0025',
expireTime: '2027-03-19',
isExpired: false,
},
fingerprint: '9a3b7c1d2e4f5a6b8c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b',
hasPlatformPublicKey: true,
hasPgpPrivateKey: true,
},
{
licence: null,
fingerprint: '9a3b7c1d2e4f5a6b8c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b',
hasPlatformPublicKey: false,
hasPgpPrivateKey: false,
},
],
})
export const get = oc
.route({
method: 'POST',
path: '/config/get',
operationId: 'configGet',
summary: '读取本机身份配置',
description:
'查询 UX 当前本地身份配置状态。\n\n典型用途页面初始化时检测授权状态、验签前检查平台公钥、签名前检查私钥是否就绪。\n\n返回内容\n- licence当前已验证 licence 的元数据,未设置时为 null\n- fingerprint设备特征码本机自动计算\n- hasPlatformPublicKey是否已写入平台公钥\n- hasPgpPrivateKey是否已写入 OpenPGP 私钥。',
tags: ['Config'],
})
.input(z.object({}).describe('空请求体,仅触发读取当前配置'))
.output(configOutput)
export const setLicence = oc
.route({
method: 'POST',
path: '/config/set-licence',
operationId: 'configSetLicence',
summary: '写入本地 licence',
description:
'写入或更新本机持久化 licence。\n\n调用时机设备首次激活、授权码变更、授权修复。\n\n约束与行为\n- 接收 `.lic` 文件内容对应的 JSON 信封,而不是文件上传;\n- 使用已配置的平台公钥对 payload 原始字符串做 SHA256withRSA 验签;\n- 仅在验签通过且 expire_time 未过期时持久化;\n- fingerprint 由本机自动计算,不允许外部覆盖;\n- 成功后返回最新配置快照,便于前端立即刷新授权状态。',
tags: ['Config'],
})
.input(
licenceEnvelopeSchema.meta({
examples: [
{
payload: 'eyJsaWNlbmNlX2lkIjoiTElDLTIwMjYwMzE5LTAwMjUiLCJleHBpcmVfdGltZSI6IjIwMjctMDMtMTkifQ==',
signature:
'aLd+wwpz1W5AS0jgE/IstSNjCAQ5estQYIMqeLXRWMIsnKxjZpCvC8O5q/G5LEBBLJXnbTk8N6IMTUx295nf2HQYlXNtJkWiBeUXQ6/uzs0RbhCeRAWK2Hx4kSsmiEv4AHGLb4ozI2XekTc+40+ApJQYqaWbDu/NU99TmDm3/da1VkKpQxH60BhSQVwBtU67w9Vp3SpWm8y1faQ7ci5WDtJf1JZaS70kPXoGeA5018rPeMFlEzUp10yDlGW6RcrT7Dm+r7zFyrFznLK+evBEvTf9mMGWwZZP3q9vJtC/wFt1t5zNHdkb27cTwc9yyqGMWdelXQAQDnoisn2Jzi06KA==',
},
],
}),
)
.output(configOutput)
export const setPgpPrivateKey = oc
.route({
method: 'POST',
path: '/config/set-pgp-private-key',
operationId: 'configSetPgpPrivateKey',
summary: '写入本地 OpenPGP 私钥',
description:
'写入或更新本机持久化 OpenPGP 私钥ASCII armored。\n\n调用时机首次导入签名私钥、私钥轮换。\n\n约束与行为\n- 仅接收 ASCII armored 私钥文本;\n- 私钥保存在本地,后续报告签名接口会自动读取;\n- 成功后返回最新配置快照,可用于确认 hasPgpPrivateKey 状态。',
tags: ['Config'],
})
.input(
z
.object({
pgpPrivateKey: z.string().min(1).describe('OpenPGP 私钥ASCII armored 格式)'),
})
.meta({
examples: [
{
pgpPrivateKey: '-----BEGIN PGP PRIVATE KEY BLOCK-----\n\nxcMGBGd...\n-----END PGP PRIVATE KEY BLOCK-----',
},
],
}),
)
.output(configOutput)
export const setPlatformPublicKey = oc
.route({
method: 'POST',
path: '/config/set-platform-public-key',
operationId: 'configSetPlatformPublicKey',
summary: '写入本地平台公钥',
description:
'写入或更新本机持久化平台公钥Base64 编码 SPKI DER。\n\n调用时机设备授权初始化、平台公钥轮换。\n\n约束与行为\n- 仅接收可解析的平台 RSA 公钥文本;\n- 公钥保存在本地,设备授权密文接口和 licence 验签都会自动读取,无需每次传参;\n- 若平台公钥发生变化,已安装 licence 会被清空,需要重新安装已签名 licence\n- 成功后返回最新配置快照,可用于确认 hasPlatformPublicKey 状态。',
tags: ['Config'],
})
.input(
z
.object({
platformPublicKey: z.string().min(1).describe('平台公钥Base64 编码 SPKI DER'),
})
.meta({
examples: [
{
platformPublicKey:
'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzDlZvMDVaL+fjl05Hi182JOAUAaN4gh9rOF+1NhKfO4J6e0HLy8lBuylp3A4xoTiyUejNm22h0dqAgDSPnY/xZR76POFTD1soHr2LaFCN8JAbQ96P8gE7wC9qpoTssVvIVRH7QbVd260J6eD0Szwcx9cg591RSN69pMpe5IVRi8T99Hhql6/wnZHORPr18eESLOY93jRskLzc0q18r68RRoTJiQf+9YC8ub5iKp7rCjVnPi1UbIYmXmL08tk5mksYA0NqWQAa1ofKxx/9tQtB9uTjhTxuTu94XU9jlGU87qaHZs+kpqa8CAbYYJFbSP1xHwoZzpU2jpw2aF22HBYxwIDAQAB',
},
],
}),
)
.output(configOutput)

163
apps/server/src/server/api/contracts/crypto.contract.ts Normal file
View File

@@ -0,0 +1,163 @@
import { oc } from '@orpc/contract'
import { z } from 'zod'
export const encryptDeviceInfo = oc
.route({
method: 'POST',
path: '/crypto/encrypt-device-info',
operationId: 'encryptDeviceInfo',
summary: '生成设备授权二维码密文',
description:
'生成设备授权流程所需的二维码密文。\n\n处理流程\n- 读取本机已验证的 licenceId、fingerprint 与本地持久化的平台公钥;\n- 组装为授权载荷 JSON\n- 使用平台公钥执行 RSA-OAEP(SHA-256) 加密;\n- 返回 Base64 密文供前端生成二维码。\n\n适用场景设备授权申请、重新授权。\n\n前置条件需先调用 config.setPlatformPublicKey 写入平台公钥,并通过 config.setLicence 安装已签名 licence。',
tags: ['Crypto'],
})
.input(z.object({}).describe('空请求体。平台公钥由本地配置自动读取'))
.output(
z
.object({
encrypted: z.string().describe('Base64 密文(可直接用于设备授权二维码内容)'),
})
.describe('设备授权密文生成结果')
.meta({
examples: [
{
encrypted: 'dGhpcyBpcyBhIGJhc2U2NCBlbmNvZGVkIFJTQS1PQUVQIGVuY3J5cHRlZCBkZXZpY2UgaW5mby4uLg==',
},
],
}),
)
export const decryptTask = oc
.route({
method: 'POST',
path: '/crypto/decrypt-task',
operationId: 'decryptTask',
summary: '解密任务二维码数据',
description:
'解密 App 下发的任务二维码密文。\n\n处理流程\n- 基于本机已验证的 licenceId + fingerprint 派生 AES-256-GCM 密钥;\n- 对二维码中的 Base64 密文进行解密;\n- 返回任务明文 JSON 字符串。\n\n适用场景扫码接收任务后解析任务详情。',
tags: ['Crypto'],
})
.input(
z
.object({
encryptedData: z.string().min(1).describe('Base64 编码的 AES-256-GCM 密文(来自任务二维码扫描结果)'),
})
.describe('任务二维码解密请求')
.meta({
examples: [
{
encryptedData: 'uWUcAmp6UQd0w3G3crdsd4613QCxGLoEgslgXJ4G2hQhpQdjtghtQjCBUZwB/JO+NRgH1vSTr8dqBJRq7Qh4nug==',
},
],
}),
)
.output(
z
.object({
decrypted: z.string().describe('解密后的任务信息 JSON 字符串(可进一步反序列化)'),
})
.describe('任务二维码解密结果')
.meta({
examples: [
{
decrypted:
'{"taskId":"TASK-20260115-4875","enterpriseId":"1173040813421105152","orgName":"超艺科技有限公司","inspectionId":"702286470691215417","inspectionPerson":"警务通","issuedAt":1734571234567}',
},
],
}),
)
export const encryptSummary = oc
.route({
method: 'POST',
path: '/crypto/encrypt-summary',
operationId: 'encryptSummary',
summary: '加密摘要信息',
description:
'加密检查摘要信息并产出二维码密文。\n\n处理流程\n- 使用已验证的 licenceId + fingerprint 结合 taskId(salt) 通过 HKDF-SHA256 派生密钥;\n- 使用 AES-256-GCM 加密摘要明文;\n- 返回 Base64 密文用于摘要二维码生成。\n\n适用场景任务执行后提交摘要信息。',
tags: ['Crypto'],
})
.input(
z
.object({
salt: z.string().min(1).describe('HKDF salt通常为 taskId需与任务上下文一致'),
plaintext: z.string().min(1).describe('待加密的摘要信息 JSON 明文字符串'),
})
.describe('摘要信息加密请求')
.meta({
examples: [
{
salt: 'TASK-20260115-4875',
plaintext:
'{"enterpriseId":"1173040813421105152","inspectionId":"702286470691215417","summary":{"orgId":"1","orgName":"超艺科技有限公司","checkId":"1","vcheckId":"1","task":{"startTime":"2022-01-01 00:00:00","endTime":"2022-01-01 00:00:00"},"asset":{"count":183},"weakPwd":{"count":5},"vul":{"emergency":13,"high":34,"medium":45,"low":12,"info":3}},"timestamp":1734571234567}',
},
],
}),
)
.output(
z
.object({
encrypted: z.string().describe('Base64 密文(用于摘要信息二维码内容)'),
})
.describe('摘要信息加密结果')
.meta({
examples: [
{
encrypted: 'uWUcAmp6UQd0w3G3crdsd4613QCxGLoEgslgXJ4G2hQhpQdjtghtQjCBUZwB/JO+NRgH1vSTr8dqBJRq7Qh4nug==',
},
],
}),
)
export const signAndPackReport = oc
.route({
method: 'POST',
path: '/crypto/sign-and-pack-report',
operationId: 'signAndPackReport',
summary: '签名并打包检查报告',
description:
'对原始报告执行设备签名与 OpenPGP 签名并重新打包。\n\n处理流程\n- 解析上传 ZIP 并提取 summary.json\n- 用已验证的 licenceId/fingerprint 计算 deviceSignature(HKDF + HMAC-SHA256) 并回写 summary.json\n- 生成 META-INF/manifest.json\n- 使用本地 OpenPGP 私钥生成 detached signature(`META-INF/signature.asc`)\n- 返回签名后 ZIP。\n\n适用场景检查结果归档、可追溯签名分发。',
tags: ['Report'],
spec: (current) => {
const multipartContent =
current.requestBody && !('$ref' in current.requestBody)
? (current.requestBody.content?.['multipart/form-data'] ?? current.requestBody.content?.['application/json'])
: undefined
return {
...current,
requestBody:
multipartContent && current.requestBody && !('$ref' in current.requestBody)
? {
...current.requestBody,
content: {
'multipart/form-data': multipartContent,
},
}
: current.requestBody,
}
},
})
.input(
z
.object({
rawZip: z
.file()
.mime(['application/zip', 'application/x-zip-compressed'])
.describe(
'原始报告 ZIP 文件(必须包含 summary.json以及 assets.json、vulnerabilities.json、weakPasswords.json、漏洞评估报告.html 等报告文件)',
),
outputFileName: z
.string()
.min(1)
.optional()
.describe('返回 ZIP 文件名(可选,默认 signed-report.zip')
.meta({ examples: ['signed-report.zip'] }),
})
.describe('报告签名与打包请求'),
)
.output(
z
.file()
.describe('签名后报告 ZIP 文件(二进制响应,包含 summary.json、META-INF/manifest.json、META-INF/signature.asc'),
)

6
apps/server/src/server/api/contracts/index.ts
View File

@@ -1,7 +1,9 @@
import * as todo from './todo.contract' import * as config from './config.contract'
import * as crypto from './crypto.contract'
export const contract = { export const contract = {
todo, config,
crypto,
} }
export type Contract = typeof contract export type Contract = typeof contract

32
apps/server/src/server/api/contracts/todo.contract.ts
View File

@@ -1,32 +0,0 @@
import { oc } from '@orpc/contract'
import { createInsertSchema, createSelectSchema, createUpdateSchema } from 'drizzle-orm/zod'
import { z } from 'zod'
import { generatedFieldKeys } from '@/server/db/fields'
import { todoTable } from '@/server/db/schema'
const selectSchema = createSelectSchema(todoTable)
const insertSchema = createInsertSchema(todoTable).omit(generatedFieldKeys)
const updateSchema = createUpdateSchema(todoTable).omit(generatedFieldKeys)
export const list = oc.input(z.void()).output(z.array(selectSchema))
export const create = oc.input(insertSchema).output(selectSchema)
export const update = oc
.input(
z.object({
id: z.uuid(),
data: updateSchema,
}),
)
.output(selectSchema)
export const remove = oc
.input(
z.object({
id: z.uuid(),
}),
)
.output(z.void())

81
apps/server/src/server/api/routers/config.router.ts Normal file
View File

@@ -0,0 +1,81 @@
import { validatePgpPrivateKey, validateRsaPublicKey } from '@furtherverse/crypto'
import { ORPCError } from '@orpc/server'
import { isLicenceExpired, verifyAndDecodeLicenceEnvelope } from '@/server/licence'
import { ensureUxConfig, setUxLicence, setUxPgpPrivateKey, setUxPlatformPublicKey } from '@/server/ux-config'
import { db } from '../middlewares'
import { os } from '../server'
const toConfigOutput = (config: {
licenceId: string | null
licenceExpireTime: string | null
fingerprint: string
platformPublicKey: string | null
pgpPrivateKey: string | null
}) => ({
licence:
config.licenceId && config.licenceExpireTime
? {
licenceId: config.licenceId,
expireTime: config.licenceExpireTime,
isExpired: isLicenceExpired(config.licenceExpireTime),
}
: null,
fingerprint: config.fingerprint,
hasPlatformPublicKey: config.platformPublicKey != null,
hasPgpPrivateKey: config.pgpPrivateKey != null,
})
export const get = os.config.get.use(db).handler(async ({ context }) => {
const config = await ensureUxConfig(context.db)
return toConfigOutput(config)
})
export const setLicence = os.config.setLicence.use(db).handler(async ({ context, input }) => {
const currentConfig = await ensureUxConfig(context.db)
if (!currentConfig.platformPublicKey) {
throw new ORPCError('PRECONDITION_FAILED', {
message: 'Platform public key is not configured. Call config.setPlatformPublicKey first.',
})
}
const payload = verifyAndDecodeLicenceEnvelope(input, currentConfig.platformPublicKey)
if (isLicenceExpired(payload.expire_time)) {
throw new ORPCError('BAD_REQUEST', {
message: 'licence has expired',
})
}
const config = await setUxLicence(context.db, {
payload: input.payload,
signature: input.signature,
licenceId: payload.licence_id,
expireTime: payload.expire_time,
})
return toConfigOutput(config)
})
export const setPgpPrivateKey = os.config.setPgpPrivateKey.use(db).handler(async ({ context, input }) => {
await validatePgpPrivateKey(input.pgpPrivateKey).catch((error) => {
throw new ORPCError('BAD_REQUEST', {
message: `Invalid PGP private key: ${error instanceof Error ? error.message : 'unable to parse'}`,
})
})
const config = await setUxPgpPrivateKey(context.db, input.pgpPrivateKey)
return toConfigOutput(config)
})
export const setPlatformPublicKey = os.config.setPlatformPublicKey.use(db).handler(async ({ context, input }) => {
try {
validateRsaPublicKey(input.platformPublicKey)
} catch (error) {
throw new ORPCError('BAD_REQUEST', {
message: `Invalid platform public key: ${error instanceof Error ? error.message : 'unable to parse'}`,
})
}
const config = await setUxPlatformPublicKey(context.db, input.platformPublicKey)
return toConfigOutput(config)
})

219
apps/server/src/server/api/routers/crypto.router.ts Normal file
View File

@@ -0,0 +1,219 @@
import {
aesGcmDecrypt,
aesGcmEncrypt,
hkdfSha256,
hmacSha256Base64,
pgpSignDetached,
rsaOaepEncrypt,
sha256,
sha256Hex,
} from '@furtherverse/crypto'
import { ORPCError } from '@orpc/server'
import JSZip from 'jszip'
import {
isInteger,
isSafeNumber,
LosslessNumber,
parse as losslessParse,
stringify as losslessStringify,
} from 'lossless-json'
import { z } from 'zod'
import { isLicenceExpired } from '@/server/licence'
import { extractSafeZipFiles, ZipValidationError } from '@/server/safe-zip'
import { getUxConfig } from '@/server/ux-config'
import { db } from '../middlewares'
import { os } from '../server'
const safeNumberParser = (value: string): number | string => {
if (isSafeNumber(value)) return Number(value)
if (isInteger(value)) return value
return Number(value)
}
const toLosslessNumber = (value: string): LosslessNumber | string =>
value !== '' && /^-?\d+$/.test(value) ? new LosslessNumber(value) : value
const summaryPayloadSchema = z
.object({
taskId: z.string().min(1, 'summary.json must contain a non-empty taskId'),
checkId: z.union([z.string(), z.number()]).optional(),
inspectionId: z.union([z.string(), z.number()]).optional(),
orgId: z.union([z.string(), z.number()]).optional(),
enterpriseId: z.union([z.string(), z.number()]).optional(),
summary: z.string().optional(),
})
.loose()
const requireIdentity = async (dbInstance: Parameters<typeof getUxConfig>[0]) => {
const config = await getUxConfig(dbInstance)
if (!config || !config.licenceId || !config.licenceExpireTime) {
throw new ORPCError('PRECONDITION_FAILED', {
message: 'Local identity is not initialized. Call config.get and then config.setLicence first.',
})
}
if (isLicenceExpired(config.licenceExpireTime)) {
throw new ORPCError('PRECONDITION_FAILED', {
message: 'Local licence has expired. Install a new signed licence before calling crypto APIs.',
})
}
return config as typeof config & { licenceId: string; licenceExpireTime: string }
}
export const encryptDeviceInfo = os.crypto.encryptDeviceInfo.use(db).handler(async ({ context }) => {
const config = await requireIdentity(context.db)
if (!config.platformPublicKey) {
throw new ORPCError('PRECONDITION_FAILED', {
message: 'Platform public key is not configured. Call config.setPlatformPublicKey first.',
})
}
const deviceInfoJson = JSON.stringify({
licence: config.licenceId,
fingerprint: config.fingerprint,
})
const encrypted = rsaOaepEncrypt(deviceInfoJson, config.platformPublicKey)
return { encrypted }
})
export const decryptTask = os.crypto.decryptTask.use(db).handler(async ({ context, input }) => {
const config = await requireIdentity(context.db)
const key = sha256(config.licenceId + config.fingerprint)
const decrypted = aesGcmDecrypt(input.encryptedData, key)
return { decrypted }
})
export const encryptSummary = os.crypto.encryptSummary.use(db).handler(async ({ context, input }) => {
const config = await requireIdentity(context.db)
const ikm = config.licenceId + config.fingerprint
const aesKey = hkdfSha256(ikm, input.salt, 'inspection_report_encryption')
const encrypted = aesGcmEncrypt(input.plaintext, aesKey)
return { encrypted }
})
export const signAndPackReport = os.crypto.signAndPackReport.use(db).handler(async ({ context, input }) => {
const config = await requireIdentity(context.db)
if (!config.pgpPrivateKey) {
throw new ORPCError('PRECONDITION_FAILED', {
message: 'PGP private key is not configured. Call config.setPgpPrivateKey first.',
})
}
const rawZipBytes = Buffer.from(await input.rawZip.arrayBuffer())
const zipFiles = await extractSafeZipFiles(rawZipBytes).catch((error) => {
if (error instanceof ZipValidationError) {
throw new ORPCError('BAD_REQUEST', { message: error.message })
}
throw error
})
// Extract and validate summary.json from the ZIP
const summaryFile = zipFiles.find((f) => f.name === 'summary.json')
if (!summaryFile) {
throw new ORPCError('BAD_REQUEST', {
message: 'rawZip must contain a summary.json file',
})
}
let rawJson: unknown
try {
rawJson = losslessParse(Buffer.from(summaryFile.bytes).toString('utf-8'), undefined, safeNumberParser)
} catch {
throw new ORPCError('BAD_REQUEST', {
message: 'summary.json in the ZIP is not valid JSON',
})
}
const parsed = summaryPayloadSchema.safeParse(rawJson)
if (!parsed.success) {
throw new ORPCError('BAD_REQUEST', {
message: `Invalid summary.json: ${z.prettifyError(parsed.error)}`,
})
}
const summaryPayload = parsed.data
const checkId = String(summaryPayload.checkId ?? summaryPayload.inspectionId ?? '')
const orgId = summaryPayload.orgId ?? summaryPayload.enterpriseId ?? ''
// Helper: find file in ZIP and compute its SHA256 hash
const requireFileHash = (name: string): string => {
const file = zipFiles.find((f) => f.name === name)
if (!file) {
throw new ORPCError('BAD_REQUEST', { message: `rawZip must contain ${name}` })
}
return sha256Hex(Buffer.from(file.bytes))
}
// Compute SHA256 of each content file (fixed order, matching Kotlin reference)
const assetsSha256 = requireFileHash('assets.json')
const vulnerabilitiesSha256 = requireFileHash('vulnerabilities.json')
const weakPasswordsSha256 = requireFileHash('weakPasswords.json')
const reportHtmlSha256 = requireFileHash('漏洞评估报告.html')
// Compute device signature
// signPayload = taskId + inspectionId + assetsSha256 + vulnerabilitiesSha256 + weakPasswordsSha256 + reportHtmlSha256
// (plain concatenation, no separators, fixed order — matching Kotlin reference)
const ikm = config.licenceId + config.fingerprint
const signingKey = hkdfSha256(ikm, 'AUTH_V3_SALT', 'device_report_signature')
const signPayload = `${summaryPayload.taskId}${checkId}${assetsSha256}${vulnerabilitiesSha256}${weakPasswordsSha256}${reportHtmlSha256}`
const deviceSignature = hmacSha256Base64(signingKey, signPayload)
// Build final summary.json with flat structure (matching Kotlin reference)
const finalSummary = {
orgId: toLosslessNumber(String(orgId)),
checkId: toLosslessNumber(checkId),
taskId: summaryPayload.taskId,
licence: config.licenceId,
fingerprint: config.fingerprint,
deviceSignature,
summary: summaryPayload.summary ?? '',
}
const summaryJson = losslessStringify(finalSummary)
if (!summaryJson) {
throw new ORPCError('INTERNAL_SERVER_ERROR', {
message: 'Failed to serialize summary.json',
})
}
const summaryBytes = Buffer.from(summaryJson, 'utf-8')
// Build manifest.json (fixed file list, matching Kotlin reference)
const manifestFiles: Record<string, string> = {
'summary.json': sha256Hex(summaryBytes),
'assets.json': assetsSha256,
'vulnerabilities.json': vulnerabilitiesSha256,
'weakPasswords.json': weakPasswordsSha256,
'漏洞评估报告.html': reportHtmlSha256,
}
const manifestBytes = Buffer.from(JSON.stringify({ files: manifestFiles }, null, 2), 'utf-8')
const signatureAsc = await pgpSignDetached(manifestBytes, config.pgpPrivateKey)
// Pack signed ZIP
const signedZip = new JSZip()
signedZip.file('summary.json', summaryBytes)
for (const item of zipFiles) {
if (item.name !== 'summary.json') {
signedZip.file(item.name, item.bytes)
}
}
signedZip.file('META-INF/manifest.json', manifestBytes)
signedZip.file('META-INF/signature.asc', signatureAsc)
const signedZipBytes = await signedZip.generateAsync({
type: 'uint8array',
compression: 'DEFLATE',
compressionOptions: { level: 9 },
})
return new File([Buffer.from(signedZipBytes)], input.outputFileName ?? 'signed-report.zip', {
type: 'application/zip',
})
})

6
apps/server/src/server/api/routers/index.ts
View File

@@ -1,6 +1,8 @@
import { os } from '../server' import { os } from '../server'
import * as todo from './todo.router' import * as config from './config.router'
import * as crypto from './crypto.router'
export const router = os.router({ export const router = os.router({
todo, config,
crypto,
}) })

40
apps/server/src/server/api/routers/todo.router.ts
View File

@@ -1,40 +0,0 @@
import { ORPCError } from '@orpc/server'
import { eq } from 'drizzle-orm'
import { todoTable } from '@/server/db/schema'
import { db } from '../middlewares'
import { os } from '../server'
export const list = os.todo.list.use(db).handler(async ({ context }) => {
const todos = await context.db.query.todoTable.findMany({
orderBy: { createdAt: 'desc' },
})
return todos
})
export const create = os.todo.create.use(db).handler(async ({ context, input }) => {
const [newTodo] = await context.db.insert(todoTable).values(input).returning()
if (!newTodo) {
throw new ORPCError('INTERNAL_SERVER_ERROR', { message: 'Failed to create todo' })
}
return newTodo
})
export const update = os.todo.update.use(db).handler(async ({ context, input }) => {
const [updatedTodo] = await context.db.update(todoTable).set(input.data).where(eq(todoTable.id, input.id)).returning()
if (!updatedTodo) {
throw new ORPCError('NOT_FOUND')
}
return updatedTodo
})
export const remove = os.todo.remove.use(db).handler(async ({ context, input }) => {
const [deleted] = await context.db.delete(todoTable).where(eq(todoTable.id, input.id)).returning({ id: todoTable.id })
if (!deleted) {
throw new ORPCError('NOT_FOUND')
}
})

41
apps/server/src/server/db/fields.ts
View File

@@ -1,47 +1,28 @@
import { sql } from 'drizzle-orm' import { integer, text } from 'drizzle-orm/sqlite-core'
import { timestamp, uuid } from 'drizzle-orm/pg-core'
import { v7 as uuidv7 } from 'uuid' import { v7 as uuidv7 } from 'uuid'
// id export const pk = (name = 'id') =>
text(name)
.primaryKey()
.$defaultFn(() => uuidv7())
const id = (name: string) => uuid(name) export const createdAt = (name = 'created_at') =>
export const pk = (name: string, strategy?: 'native' | 'extension') => { integer(name, { mode: 'timestamp_ms' })
switch (strategy) { .notNull()
// PG 18+ .$defaultFn(() => new Date())
case 'native':
return id(name).primaryKey().default(sql`uuidv7()`)
// PG 13+ with extension
case 'extension':
return id(name).primaryKey().default(sql`uuid_generate_v7()`)
// Any PG version
default:
return id(name)
.primaryKey()
.$defaultFn(() => uuidv7())
}
}
// timestamp
export const createdAt = (name = 'created_at') => timestamp(name, { withTimezone: true }).notNull().defaultNow()
export const updatedAt = (name = 'updated_at') => export const updatedAt = (name = 'updated_at') =>
timestamp(name, { withTimezone: true }) integer(name, { mode: 'timestamp_ms' })
.notNull() .notNull()
.defaultNow() .$defaultFn(() => new Date())
.$onUpdateFn(() => new Date()) .$onUpdateFn(() => new Date())
// generated fields
export const generatedFields = { export const generatedFields = {
id: pk('id'), id: pk('id'),
createdAt: createdAt('created_at'), createdAt: createdAt('created_at'),
updatedAt: updatedAt('updated_at'), updatedAt: updatedAt('updated_at'),
} }
// Helper to create omit keys from generatedFields
const createGeneratedFieldKeys = <T extends Record<string, unknown>>(fields: T): Record<keyof T, true> => { const createGeneratedFieldKeys = <T extends Record<string, unknown>>(fields: T): Record<keyof T, true> => {
return Object.keys(fields).reduce( return Object.keys(fields).reduce(
(acc, key) => { (acc, key) => {

14
apps/server/src/server/db/index.ts
View File

@@ -1,12 +1,14 @@
import { drizzle } from 'drizzle-orm/postgres-js' import { Database } from 'bun:sqlite'
import { drizzle } from 'drizzle-orm/bun-sqlite'
import { env } from '@/env' import { env } from '@/env'
import { relations } from '@/server/db/relations' import { relations } from '@/server/db/relations'
export const createDB = () => export const createDB = () => {
drizzle({ const sqlite = new Database(env.DATABASE_PATH)
connection: env.DATABASE_URL, sqlite.exec('PRAGMA journal_mode = WAL')
relations, sqlite.exec('PRAGMA foreign_keys = ON')
}) return drizzle({ client: sqlite, relations })
}
export type DB = ReturnType<typeof createDB> export type DB = ReturnType<typeof createDB>

2
apps/server/src/server/db/relations.ts
View File

@@ -1,4 +1,4 @@
import { defineRelations } from 'drizzle-orm' import { defineRelations } from 'drizzle-orm'
import * as schema from './schema' import * as schema from './schema'
export const relations = defineRelations(schema, (_r) => ({})) export const relations = defineRelations(schema, () => ({}))

2
apps/server/src/server/db/schema/index.ts
View File

@@ -1 +1 @@
export * from './todo' export * from './ux-config'

8
apps/server/src/server/db/schema/todo.ts
View File

@@ -1,8 +0,0 @@
import { boolean, pgTable, text } from 'drizzle-orm/pg-core'
import { generatedFields } from '../fields'
export const todoTable = pgTable('todo', {
...generatedFields,
title: text('title').notNull(),
completed: boolean('completed').notNull().default(false),
})

14
apps/server/src/server/db/schema/ux-config.ts Normal file
View File

@@ -0,0 +1,14 @@
import { sqliteTable, text } from 'drizzle-orm/sqlite-core'
import { generatedFields } from '../fields'
export const uxConfigTable = sqliteTable('ux_config', {
...generatedFields,
singletonKey: text('singleton_key').notNull().unique().default('default'),
licencePayload: text('licence_payload'),
licenceSignature: text('licence_signature'),
licenceId: text('licence_id'),
licenceExpireTime: text('licence_expire_time'),
fingerprint: text('fingerprint').notNull(),
platformPublicKey: text('platform_public_key'),
pgpPrivateKey: text('pgp_private_key'),
})

10
apps/server/src/server/device-fingerprint.ts Normal file
View File

@@ -0,0 +1,10 @@
import { sha256Hex } from '@furtherverse/crypto'
import { system } from 'systeminformation'
export const computeDeviceFingerprint = async (): Promise<string> => {
const { uuid, serial, model, manufacturer } = await system()
const source = [uuid, serial, model, manufacturer].join('|')
const hash = sha256Hex(source)
return hash
}

32
apps/server/src/server/licence.test.ts Normal file
View File

@@ -0,0 +1,32 @@
import { describe, expect, it } from 'bun:test'
import { constants, createSign, generateKeyPairSync } from 'node:crypto'
import { decodeLicencePayload, isLicenceExpired, verifyAndDecodeLicenceEnvelope } from './licence'
describe('licence helpers', () => {
it('verifies payload signatures and decodes payload JSON', () => {
const { privateKey, publicKey } = generateKeyPairSync('rsa', { modulusLength: 2048 })
const payloadJson = JSON.stringify({ licence_id: 'LIC-20260319-0025', expire_time: '2027-03-19' })
const payload = Buffer.from(payloadJson, 'utf-8').toString('base64')
const signer = createSign('RSA-SHA256')
signer.update(Buffer.from(payload, 'utf-8'))
signer.end()
const signature = signer.sign({ key: privateKey, padding: constants.RSA_PKCS1_PADDING }).toString('base64')
const publicKeyBase64 = publicKey.export({ format: 'der', type: 'spki' }).toString('base64')
expect(verifyAndDecodeLicenceEnvelope({ payload, signature }, publicKeyBase64)).toEqual({
licence_id: 'LIC-20260319-0025',
expire_time: '2027-03-19',
})
})
it('treats expire_time as valid through the end of the UTC day', () => {
expect(isLicenceExpired('2027-03-19', new Date('2027-03-19T23:59:59.999Z'))).toBe(false)
expect(isLicenceExpired('2027-03-19', new Date('2027-03-20T00:00:00.000Z'))).toBe(true)
})
it('rejects malformed payloads', () => {
expect(() => decodeLicencePayload('not-base64')).toThrow('payload must be valid Base64')
})
})

94
apps/server/src/server/licence.ts Normal file
View File

@@ -0,0 +1,94 @@
import { rsaVerifySignature } from '@furtherverse/crypto'
import { z } from 'zod'
const BASE64_PATTERN = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/
const DATE_PATTERN = /^(\d{4})-(\d{2})-(\d{2})$/
export const licenceEnvelopeSchema = z.object({
payload: z.string().min(1).max(8192).describe('Base64 编码的 licence payload 原文'),
signature: z.string().min(1).max(8192).describe('对 payload 字符串 UTF-8 字节做 SHA256withRSA 后得到的 Base64 签名'),
})
export const licencePayloadSchema = z
.object({
licence_id: z.string().min(1).describe('验签通过后的 licence 标识'),
expire_time: z
.string()
.regex(DATE_PATTERN, 'expire_time must use YYYY-MM-DD')
.describe('授权到期日,格式为 YYYY-MM-DD按 UTC 自然日末尾失效)'),
})
.loose()
export type LicenceEnvelope = z.infer<typeof licenceEnvelopeSchema>
export type LicencePayload = z.infer<typeof licencePayloadSchema>
const decodeBase64 = (value: string, fieldName: string): Buffer => {
if (!BASE64_PATTERN.test(value)) {
throw new Error(`${fieldName} must be valid Base64`)
}
return Buffer.from(value, 'base64')
}
const parseUtcDate = (value: string): Date => {
const match = DATE_PATTERN.exec(value)
if (!match) {
throw new Error('expire_time must use YYYY-MM-DD')
}
const [, yearText, monthText, dayText] = match
const year = Number(yearText)
const month = Number(monthText)
const day = Number(dayText)
const parsed = new Date(Date.UTC(year, month - 1, day))
if (
Number.isNaN(parsed.getTime()) ||
parsed.getUTCFullYear() !== year ||
parsed.getUTCMonth() !== month - 1 ||
parsed.getUTCDate() !== day
) {
throw new Error('expire_time is not a valid calendar date')
}
return parsed
}
export const isLicenceExpired = (expireTime: string, now = new Date()): boolean => {
const expireDate = parseUtcDate(expireTime)
const expiresAt = Date.UTC(expireDate.getUTCFullYear(), expireDate.getUTCMonth(), expireDate.getUTCDate() + 1)
return now.getTime() >= expiresAt
}
export const decodeLicencePayload = (payloadBase64: string): LicencePayload => {
const decodedJson = decodeBase64(payloadBase64, 'payload').toString('utf-8')
let rawPayload: unknown
try {
rawPayload = JSON.parse(decodedJson)
} catch {
throw new Error('payload must decode to valid JSON')
}
const parsedPayload = licencePayloadSchema.safeParse(rawPayload)
if (!parsedPayload.success) {
throw new Error(z.prettifyError(parsedPayload.error))
}
return parsedPayload.data
}
export const verifyLicenceEnvelopeSignature = (envelope: LicenceEnvelope, publicKeyBase64: string): void => {
const signatureBytes = decodeBase64(envelope.signature, 'signature')
const isValid = rsaVerifySignature(Buffer.from(envelope.payload, 'utf-8'), signatureBytes, publicKeyBase64)
if (!isValid) {
throw new Error('licence signature is invalid')
}
}
export const verifyAndDecodeLicenceEnvelope = (envelope: LicenceEnvelope, publicKeyBase64: string): LicencePayload => {
verifyLicenceEnvelopeSignature(envelope, publicKeyBase64)
return decodeLicencePayload(envelope.payload)
}

96
apps/server/src/server/safe-zip.ts Normal file
View File

@@ -0,0 +1,96 @@
import type { JSZipObject } from 'jszip'
import JSZip from 'jszip'
export class ZipValidationError extends Error {
override name = 'ZipValidationError'
}
export interface ZipFileItem {
name: string
bytes: Uint8Array
}
export interface SafeZipOptions {
maxRawBytes?: number
maxEntries?: number
maxSingleFileBytes?: number
maxTotalUncompressedBytes?: number
}
const DEFAULTS = {
maxRawBytes: 50 * 1024 * 1024,
maxEntries: 64,
maxSingleFileBytes: 20 * 1024 * 1024,
maxTotalUncompressedBytes: 60 * 1024 * 1024,
} satisfies Required<SafeZipOptions>
const normalizePath = (name: string): string => name.replaceAll('\\', '/')
const isUnsafePath = (name: string): boolean => {
const normalized = normalizePath(name)
const segments = normalized.split('/')
return (
normalized.startsWith('/') ||
normalized.includes('\0') ||
segments.some((segment) => segment === '..' || segment.trim().length === 0)
)
}
export const extractSafeZipFiles = async (
rawBytes: Uint8Array | Buffer,
options?: SafeZipOptions,
): Promise<ZipFileItem[]> => {
const opts = { ...DEFAULTS, ...options }
if (rawBytes.byteLength === 0 || rawBytes.byteLength > opts.maxRawBytes) {
throw new ZipValidationError('ZIP is empty or exceeds max size limit')
}
const zip = await JSZip.loadAsync(rawBytes, { checkCRC32: true }).catch(() => {
throw new ZipValidationError('Not a valid ZIP file')
})
const entries = Object.values(zip.files) as JSZipObject[]
if (entries.length > opts.maxEntries) {
throw new ZipValidationError(`ZIP contains too many entries: ${entries.length}`)
}
let totalUncompressedBytes = 0
const files: ZipFileItem[] = []
const seen = new Set<string>()
for (const entry of entries) {
if (entry.dir) {
continue
}
if (isUnsafePath(entry.name)) {
throw new ZipValidationError(`ZIP contains unsafe entry path: ${entry.name}`)
}
const normalizedName = normalizePath(entry.name)
if (seen.has(normalizedName)) {
throw new ZipValidationError(`ZIP contains duplicate entry: ${normalizedName}`)
}
seen.add(normalizedName)
const content = await entry.async('uint8array')
if (content.byteLength > opts.maxSingleFileBytes) {
throw new ZipValidationError(`ZIP entry too large: ${normalizedName}`)
}
totalUncompressedBytes += content.byteLength
if (totalUncompressedBytes > opts.maxTotalUncompressedBytes) {
throw new ZipValidationError('ZIP total uncompressed content exceeds max size limit')
}
files.push({ name: normalizedName, bytes: content })
}
if (files.length === 0) {
throw new ZipValidationError('ZIP has no file entries')
}
return files
}

99
apps/server/src/server/ux-config.ts Normal file
View File

@@ -0,0 +1,99 @@
import { eq } from 'drizzle-orm'
import type { DB } from '@/server/db'
import { uxConfigTable } from '@/server/db/schema'
import { computeDeviceFingerprint } from './device-fingerprint'
const UX_CONFIG_KEY = 'default'
export const getUxConfig = async (db: DB) => {
return await db.query.uxConfigTable.findFirst({
where: { singletonKey: UX_CONFIG_KEY },
})
}
export const ensureUxConfig = async (db: DB) => {
const fingerprint = await computeDeviceFingerprint()
const existing = await getUxConfig(db)
if (existing) {
if (existing.fingerprint !== fingerprint) {
const rows = await db
.update(uxConfigTable)
.set({ fingerprint })
.where(eq(uxConfigTable.id, existing.id))
.returning()
return rows[0] as (typeof rows)[number]
}
return existing
}
const rows = await db
.insert(uxConfigTable)
.values({
singletonKey: UX_CONFIG_KEY,
fingerprint,
licencePayload: null,
licenceSignature: null,
licenceId: null,
licenceExpireTime: null,
})
.returning()
return rows[0] as (typeof rows)[number]
}
export const setUxLicence = async (
db: DB,
licence: {
payload: string
signature: string
licenceId: string
expireTime: string
},
) => {
const config = await ensureUxConfig(db)
const rows = await db
.update(uxConfigTable)
.set({
licencePayload: licence.payload,
licenceSignature: licence.signature,
licenceId: licence.licenceId,
licenceExpireTime: licence.expireTime,
})
.where(eq(uxConfigTable.id, config.id))
.returning()
return rows[0] as (typeof rows)[number]
}
export const setUxPgpPrivateKey = async (db: DB, pgpPrivateKey: string) => {
const config = await ensureUxConfig(db)
const rows = await db.update(uxConfigTable).set({ pgpPrivateKey }).where(eq(uxConfigTable.id, config.id)).returning()
return rows[0] as (typeof rows)[number]
}
export const setUxPlatformPublicKey = async (db: DB, platformPublicKey: string) => {
const config = await ensureUxConfig(db)
const shouldClearLicence = config.platformPublicKey !== platformPublicKey
const rows = await db
.update(uxConfigTable)
.set({
platformPublicKey,
...(shouldClearLicence
? {
licencePayload: null,
licenceSignature: null,
licenceId: null,
licenceExpireTime: null,
}
: {}),
})
.where(eq(uxConfigTable.id, config.id))
.returning()
return rows[0] as (typeof rows)[number]
}

5
apps/server/vite.config.ts
View File

@@ -4,12 +4,14 @@ import { tanstackStart } from '@tanstack/react-start/plugin/vite'
import react from '@vitejs/plugin-react' import react from '@vitejs/plugin-react'
import { nitro } from 'nitro/vite' import { nitro } from 'nitro/vite'
import { defineConfig } from 'vite' import { defineConfig } from 'vite'
import tsconfigPaths from 'vite-tsconfig-paths'
export default defineConfig({ export default defineConfig({
clearScreen: false, clearScreen: false,
plugins: [ plugins: [
tanstackDevtools(), tanstackDevtools(),
tailwindcss(), tailwindcss(),
tsconfigPaths(),
tanstackStart(), tanstackStart(),
react({ react({
babel: { babel: {
@@ -21,9 +23,6 @@ export default defineConfig({
serveStatic: 'inline', serveStatic: 'inline',
}), }),
], ],
resolve: {
tsconfigPaths: true,
},
server: { server: {
port: 3000, port: 3000,
strictPort: true, strictPort: true,

611
bun.lock
View File

File diff suppressed because it is too large Load Diff

432
docs/摘要+zip/EncryptionTestController.kt Normal file
View File

@@ -0,0 +1,432 @@
package top.tangyh.lamp.filing.controller.compress
import com.fasterxml.jackson.databind.ObjectMapper
import io.swagger.annotations.Api
import io.swagger.annotations.ApiOperation
import io.swagger.annotations.ApiParam
import org.springframework.validation.annotation.Validated
import org.springframework.web.bind.annotation.*
import top.tangyh.basic.annotation.log.WebLog
import top.tangyh.basic.base.R
import top.tangyh.lamp.filing.dto.management.UploadInspectionFileV2Request
import top.tangyh.lamp.filing.utils.AesGcmUtil
import top.tangyh.lamp.filing.utils.HkdfUtil
import top.tangyh.lamp.filing.utils.PgpSignatureUtil
import java.util.*
/**
* 加密测试工具类
*
* 用于生成加密后的 encrypted 数据,测试 uploadInspectionFileV2Encrypted 接口
*
* 使用说明:
* 1. 调用 /compression/test/generateEncrypted 接口
* 2. 传入 licence、fingerprint、taskId 和明文数据
* 3. 获取加密后的 Base64 字符串
* 4. 使用返回的 encrypted 数据测试 uploadInspectionFileV2Encrypted 接口
*/
@Validated
@RestController
@RequestMapping("/compression/test")
@Api(value = "EncryptionTest", tags = ["加密测试工具"])
class EncryptionTestController {
private val objectMapper = ObjectMapper()
companion object {
private const val DEFAULT_PGP_PRIVATE_KEY = """-----BEGIN PGP PRIVATE KEY BLOCK-----
lFgEaSZqXBYJKwYBBAHaRw8BAQdARzZ5JXreuTeTgMFwYcw0Ju7aCWmXuUMmQyff
5vmN8RQAAP4nli0R/MTNtgx9+g5ZPyAj8XSAnjHaW9u2UJQxYhMIYw8XtBZpdHRj
PGl0dGNAaXR0Yy5zaC5jbj6IkwQTFgoAOxYhBG8IkI1kmkNpEu8iuqWu91t6SEzN
BQJpJmpcAhsDBQsJCAcCAiICBhUKCQgLAgQWAgMBAh4HAheAAAoJEKWu91t6SEzN
dSQBAPM5llVG0X6SBa4YM90Iqyb2jWvlNjstoF8jjPVny1CiAP4hIOUvb686oSA0
OrS3AuICi7X/r+JnSo1Z7pngUA3VC5xdBGkmalwSCisGAQQBl1UBBQEBB0BouQlG
hIL0bq7EbaB55s+ygLVFOfhjFA8E4fwFBFJGVAMBCAcAAP98ZXRGgzld1XUa5ZGx
cTE+1qGZY4E4BVIeqkVxdg5tqA64iHgEGBYKACAWIQRvCJCNZJpDaRLvIrqlrvdb
ekhMzQUCaSZqXAIbDAAKCRClrvdbekhMzcaSAQDB/4pvDuc7SploQg1fBYobFm5P
vxguByr8I+PrYWKKOQEAnaeXT4ipi1nICXFiigztsIl2xTth3D77XG6pZUU/Zw8=
=/k1H
-----END PGP PRIVATE KEY BLOCK-----"""
private const val DEFAULT_PGP_PASSPHRASE = ""
}
/**
* 生成加密数据请求 DTO
*/
data class GenerateEncryptedRequest(
@ApiParam(value = "授权码", required = true)
val licence: String,
@ApiParam(value = "硬件指纹", required = true)
val fingerprint: String,
@ApiParam(value = "任务ID", required = true)
val taskId: String,
@ApiParam(value = "企业ID", required = true)
val enterpriseId: Long,
@ApiParam(value = "检查ID", required = true)
val inspectionId: Long,
@ApiParam(value = "摘要信息", required = true)
val summary: String
)
/**
* 生成加密数据响应 DTO
*/
data class GenerateEncryptedResponse(
val encrypted: String,
val requestBody: UploadInspectionFileV2Request,
val plaintext: String,
val keyDerivationInfo: KeyDerivationInfo
)
/**
* 密钥派生信息
*/
data class KeyDerivationInfo(
val ikm: String,
val salt: String,
val info: String,
val keyLength: Int,
val keyHex: String
)
/**
* 生成加密数据
*
* 模拟工具箱端的加密逻辑:
* 1. 使用 HKDF-SHA256 派生 AES 密钥
* - ikm = licence + fingerprint
* - salt = taskId
* - info = "inspection_report_encryption"
* - length = 32 bytes
*
* 2. 使用 AES-256-GCM 加密数据
* - 格式IV (12字节) + Ciphertext + Tag (16字节)
* - Base64 编码返回
*
* @param request 生成加密数据请求
* @return 加密后的数据和完整的请求体
*/
@ApiOperation(value = "生成加密数据", notes = "生成加密后的 encrypted 数据,用于测试 uploadInspectionFileV2Encrypted 接口")
@PostMapping("/generateEncrypted")
@WebLog(value = "'生成加密数据:'", request = false)
fun generateEncrypted(
@RequestBody request: GenerateEncryptedRequest
): R<GenerateEncryptedResponse> {
return try {
// 1. 组装明文数据JSON格式
val timestamp = System.currentTimeMillis()
val plaintextMap = mapOf(
"enterpriseId" to request.enterpriseId.toString(),
"inspectionId" to request.inspectionId.toString(),
"summary" to request.summary,
"timestamp" to timestamp
)
val plaintext = objectMapper.writeValueAsString(plaintextMap)
// 2. 使用 HKDF-SHA256 派生 AES 密钥
// ikm = licence + fingerprint
// salt = taskId工具箱从二维码获取平台从请求获取
// info = "inspection_report_encryption"(固定值)
// length = 32 bytes
val ikm = "${request.licence}${request.fingerprint}"
val salt = request.taskId.toString()
val info = "inspection_report_encryption"
val keyLength = 32
val aesKey = HkdfUtil.deriveKey(ikm, salt, info, keyLength)
// 3. 使用 AES-256-GCM 加密数据
val encrypted = AesGcmUtil.encrypt(plaintext, aesKey)
// 4. 组装完整的请求体appid 需要前端自己赋值)
val requestBody = UploadInspectionFileV2Request().apply {
this.appid = "test-appid" // 测试用的 appid实际使用时前端会赋值
this.taskId = request.taskId
this.encrypted = encrypted
}
// 5. 返回加密数据和密钥派生信息
val response = GenerateEncryptedResponse(
encrypted = encrypted,
requestBody = requestBody,
plaintext = plaintext,
keyDerivationInfo = KeyDerivationInfo(
ikm = ikm,
salt = salt,
info = info,
keyLength = keyLength,
keyHex = aesKey.joinToString("") { "%02x".format(it) }
)
)
R.success(response, "加密数据生成成功")
} catch (e: Exception) {
R.fail("生成加密数据失败: ${e.message}")
}
}
/**
* 快速生成测试数据(使用默认值)
*
* @return 加密后的数据和完整的请求体
*/
@ApiOperation(value = "快速生成测试数据", notes = "使用默认值快速生成加密数据,用于快速测试")
@GetMapping("/generateTestData")
@WebLog(value = "'快速生成测试数据:'", request = false)
fun generateTestData(): R<GenerateEncryptedResponse> {
return try {
// 使用默认测试数据
val request = GenerateEncryptedRequest(
licence = "TEST-LICENCE-001",
fingerprint = "TEST-FINGERPRINT-001",
taskId = "TASK-20260115-4875",
enterpriseId = 1173040813421105152L,
inspectionId = 702286470691215417L,
summary = "测试摘要信息"
)
generateEncrypted(request).data?.let {
R.success(it, "测试数据生成成功")
} ?: R.fail("生成测试数据失败")
} catch (e: Exception) {
R.fail("生成测试数据失败: ${e.message}")
}
}
/**
* 验证加密数据(解密测试)
*
* 用于验证生成的加密数据是否能正确解密
*
* @param encrypted 加密后的 Base64 字符串
* @param licence 授权码
* @param fingerprint 硬件指纹
* @param taskId 任务ID
* @return 解密后的明文数据
*/
@ApiOperation(value = "验证加密数据", notes = "解密加密数据,验证加密是否正确")
@PostMapping("/verifyEncrypted")
@WebLog(value = "'验证加密数据:'", request = false)
fun verifyEncrypted(
@ApiParam(value = "加密后的 Base64 字符串", required = true)
@RequestParam encrypted: String,
@ApiParam(value = "授权码", required = true)
@RequestParam licence: String,
@ApiParam(value = "硬件指纹", required = true)
@RequestParam fingerprint: String,
@ApiParam(value = "任务ID", required = true)
@RequestParam taskId: String
): R<Map<String, Any>> {
return try {
// 1. 使用相同的密钥派生规则派生密钥
val ikm = "$licence$fingerprint"
val salt = taskId.toString()
val info = "inspection_report_encryption"
val aesKey = HkdfUtil.deriveKey(ikm, salt, info, 32)
// 2. 解密数据
val decrypted = AesGcmUtil.decrypt(encrypted, aesKey)
// 3. 解析 JSON
@Suppress("UNCHECKED_CAST")
val dataMap = objectMapper.readValue(decrypted, Map::class.java) as Map<String, Any>
R.success(dataMap, "解密成功")
} catch (e: Exception) {
R.fail("解密失败: ${e.message}")
}
}
/**
* 生成加密报告 ZIP 文件请求 DTO
*/
data class GenerateEncryptedZipRequest(
@ApiParam(value = "授权码", required = true)
val licence: String,
@ApiParam(value = "硬件指纹", required = true)
val fingerprint: String,
@ApiParam(value = "任务ID", required = true)
val taskId: String,
@ApiParam(value = "企业ID", required = true)
val enterpriseId: Long,
@ApiParam(value = "检查ID", required = true)
val inspectionId: Long,
@ApiParam(value = "摘要信息", required = true)
val summary: String,
@ApiParam(value = "资产信息 JSON", required = true)
val assetsJson: String,
@ApiParam(value = "漏洞信息 JSON", required = true)
val vulnerabilitiesJson: String,
@ApiParam(value = "弱密码信息 JSON", required = true)
val weakPasswordsJson: String,
@ApiParam(value = "漏洞评估报告 HTML", required = true)
val reportHtml: String,
@ApiParam(value = "PGP 私钥(可选,不提供则跳过 PGP 签名)", required = false)
val pgpPrivateKey: String? = null,
@ApiParam(value = "PGP 私钥密码(可选)", required = false)
val pgpPassphrase: String? = null
)
/**
* 生成加密报告 ZIP 文件
*
* 按照文档《工具箱端-报告加密与签名生成指南.md》生成加密报告 ZIP 文件
*
* @param request 生成请求
* @return ZIP 文件(二进制流)
*/
@ApiOperation(value = "生成加密报告 ZIP", notes = "生成带设备签名的加密报告 ZIP 文件,可被 uploadInspectionFileV2 接口解密")
@PostMapping("/generateEncryptedZip")
@WebLog(value = "'生成加密报告 ZIP:'", request = false)
fun generateEncryptedZip(
@RequestBody request: GenerateEncryptedZipRequest,
response: javax.servlet.http.HttpServletResponse
) {
try {
// 1. 准备文件内容
val assetsContent = request.assetsJson.toByteArray(Charsets.UTF_8)
val vulnerabilitiesContent = request.vulnerabilitiesJson.toByteArray(Charsets.UTF_8)
val weakPasswordsContent = request.weakPasswordsJson.toByteArray(Charsets.UTF_8)
val reportHtmlContent = request.reportHtml.toByteArray(Charsets.UTF_8)
// 2. 生成设备签名
// 2.1 密钥派生
val ikm = "${request.licence}${request.fingerprint}"
val salt = "AUTH_V3_SALT"
val info = "device_report_signature"
val derivedKey = HkdfUtil.deriveKey(ikm, salt, info, 32)
// 2.2 计算文件 SHA256
fun sha256Hex(content: ByteArray): String {
val digest = java.security.MessageDigest.getInstance("SHA-256")
return digest.digest(content).joinToString("") { "%02x".format(it) }
}
val assetsSha256 = sha256Hex(assetsContent)
val vulnerabilitiesSha256 = sha256Hex(vulnerabilitiesContent)
val weakPasswordsSha256 = sha256Hex(weakPasswordsContent)
val reportHtmlSha256 = sha256Hex(reportHtmlContent)
// 2.3 组装签名数据(严格顺序)
val signPayload = buildString {
append(request.taskId)
append(request.inspectionId)
append(assetsSha256)
append(vulnerabilitiesSha256)
append(weakPasswordsSha256)
append(reportHtmlSha256)
}
// 2.4 计算 HMAC-SHA256
val mac = javax.crypto.Mac.getInstance("HmacSHA256")
val secretKey = javax.crypto.spec.SecretKeySpec(derivedKey, "HmacSHA256")
mac.init(secretKey)
val signatureBytes = mac.doFinal(signPayload.toByteArray(Charsets.UTF_8))
val deviceSignature = Base64.getEncoder().encodeToString(signatureBytes)
// 2.5 生成 summary.json
val summaryMap = mapOf(
"orgId" to request.enterpriseId,
"checkId" to request.inspectionId,
"taskId" to request.taskId,
"licence" to request.licence,
"fingerprint" to request.fingerprint,
"deviceSignature" to deviceSignature,
"summary" to request.summary
)
val summaryContent = objectMapper.writeValueAsString(summaryMap).toByteArray(Charsets.UTF_8)
// 3. 生成 manifest.json
val filesHashes = mapOf(
"summary.json" to sha256Hex(summaryContent),
"assets.json" to assetsSha256,
"vulnerabilities.json" to vulnerabilitiesSha256,
"weakPasswords.json" to weakPasswordsSha256,
"漏洞评估报告.html" to reportHtmlSha256
)
val manifest = mapOf("files" to filesHashes)
val manifestContent = objectMapper.writeValueAsString(manifest).toByteArray(Charsets.UTF_8)
// 4. 生成 signature.asc
val privateKey = request.pgpPrivateKey?.takeIf { it.isNotBlank() } ?: DEFAULT_PGP_PRIVATE_KEY
val passphrase = request.pgpPassphrase ?: DEFAULT_PGP_PASSPHRASE
val signatureAsc = try {
PgpSignatureUtil.generateDetachedSignature(
manifestContent,
privateKey,
passphrase
)
} catch (e: Exception) {
throw RuntimeException("生成 PGP 签名失败: ${e.message}", e)
}
// 5. 打包 ZIP 文件到内存
val baos = java.io.ByteArrayOutputStream()
java.util.zip.ZipOutputStream(baos).use { zipOut ->
zipOut.putNextEntry(java.util.zip.ZipEntry("summary.json"))
zipOut.write(summaryContent)
zipOut.closeEntry()
zipOut.putNextEntry(java.util.zip.ZipEntry("assets.json"))
zipOut.write(assetsContent)
zipOut.closeEntry()
zipOut.putNextEntry(java.util.zip.ZipEntry("vulnerabilities.json"))
zipOut.write(vulnerabilitiesContent)
zipOut.closeEntry()
zipOut.putNextEntry(java.util.zip.ZipEntry("weakPasswords.json"))
zipOut.write(weakPasswordsContent)
zipOut.closeEntry()
zipOut.putNextEntry(java.util.zip.ZipEntry("漏洞评估报告.html"))
zipOut.write(reportHtmlContent)
zipOut.closeEntry()
zipOut.putNextEntry(java.util.zip.ZipEntry("META-INF/manifest.json"))
zipOut.write(manifestContent)
zipOut.closeEntry()
zipOut.putNextEntry(java.util.zip.ZipEntry("META-INF/signature.asc"))
zipOut.write(signatureAsc)
zipOut.closeEntry()
}
val zipBytes = baos.toByteArray()
// 6. 设置响应头并输出
response.contentType = "application/octet-stream"
response.setHeader("Content-Disposition", "attachment; filename=\"report_${request.taskId}.zip\"")
response.setHeader("Content-Length", zipBytes.size.toString())
response.outputStream.write(zipBytes)
response.outputStream.flush()
} catch (e: Exception) {
response.reset()
response.contentType = "application/json; charset=UTF-8"
response.writer.write("{\"code\": 500, \"msg\": \"生成 ZIP 文件失败: ${e.message}\"}")
}
}
}

46
package.json
View File

@@ -22,28 +22,28 @@
"typecheck": "turbo run typecheck" "typecheck": "turbo run typecheck"
}, },
"devDependencies": { "devDependencies": {
"@biomejs/biome": "^2.4.8", "@biomejs/biome": "^2.4.7",
"turbo": "^2.8.20", "turbo": "^2.8.17",
"typescript": "^5.9.3" "typescript": "^5.9.3"
}, },
"catalog": { "catalog": {
"@orpc/client": "^1.13.9", "@orpc/client": "^1.13.7",
"@orpc/contract": "^1.13.9", "@orpc/contract": "^1.13.7",
"@orpc/openapi": "^1.13.9", "@orpc/openapi": "^1.13.7",
"@orpc/server": "^1.13.9", "@orpc/server": "^1.13.7",
"@orpc/tanstack-query": "^1.13.9", "@orpc/tanstack-query": "^1.13.7",
"@orpc/zod": "^1.13.9", "@orpc/zod": "^1.13.7",
"@t3-oss/env-core": "^0.13.10", "@t3-oss/env-core": "^0.13.10",
"@tailwindcss/vite": "^4.2.2", "@tailwindcss/vite": "^4.2.1",
"@tanstack/devtools-vite": "^0.5.5", "@tanstack/devtools-vite": "^0.5.5",
"@tanstack/react-devtools": "^0.9.13", "@tanstack/react-devtools": "^0.9.13",
"@tanstack/react-query": "^5.94.4", "@tanstack/react-query": "^5.90.21",
"@tanstack/react-query-devtools": "^5.94.4", "@tanstack/react-query-devtools": "^5.91.3",
"@tanstack/react-router": "^1.168.1", "@tanstack/react-router": "^1.167.3",
"@tanstack/react-router-devtools": "^1.166.10", "@tanstack/react-router-devtools": "^1.166.9",
"@tanstack/react-router-ssr-query": "^1.166.10", "@tanstack/react-router-ssr-query": "^1.166.9",
"@tanstack/react-start": "^1.167.2", "@tanstack/react-start": "^1.166.14",
"@types/bun": "^1.3.11", "@types/bun": "^1.3.10",
"@types/node": "^24.12.0", "@types/node": "^24.12.0",
"@vitejs/plugin-react": "^5.2.0", "@vitejs/plugin-react": "^5.2.0",
"babel-plugin-react-compiler": "^1.0.0", "babel-plugin-react-compiler": "^1.0.0",
@@ -52,15 +52,19 @@
"electron": "^34.0.0", "electron": "^34.0.0",
"electron-builder": "^26.8.1", "electron-builder": "^26.8.1",
"electron-vite": "^5.0.0", "electron-vite": "^5.0.0",
"motion": "^12.38.0", "jszip": "^3.10.1",
"nitro": "npm:nitro-nightly@3.0.1-20260320-182900-2218d454", "lossless-json": "^4.3.0",
"postgres": "^3.4.8", "motion": "^12.36.0",
"nitro": "npm:nitro-nightly@3.0.1-20260315-195328-c31268c6",
"openpgp": "^6.0.1",
"react": "^19.2.4", "react": "^19.2.4",
"react-dom": "^19.2.4", "react-dom": "^19.2.4",
"tailwindcss": "^4.2.2", "tailwindcss": "^4.2.1",
"tree-kill": "^1.2.2", "tree-kill": "^1.2.2",
"uuid": "^13.0.0", "uuid": "^13.0.0",
"vite": "^8.0.1", "vite": "^8.0.0",
"vite-tsconfig-paths": "^6.1.1",
"systeminformation": "^5.31.4",
"zod": "^4.3.6" "zod": "^4.3.6"
}, },
"overrides": { "overrides": {

18
packages/crypto/package.json Normal file
View File

@@ -0,0 +1,18 @@
{
"name": "@furtherverse/crypto",
"version": "1.0.0",
"private": true,
"type": "module",
"exports": {
".": "./src/index.ts"
},
"dependencies": {
"node-forge": "^1.3.3",
"openpgp": "catalog:"
},
"devDependencies": {
"@furtherverse/tsconfig": "workspace:*",
"@types/bun": "catalog:",
"@types/node-forge": "^1.3.14"
}
}

53
packages/crypto/src/aes-gcm.ts Normal file
View File

@@ -0,0 +1,53 @@
import { createCipheriv, createDecipheriv, randomBytes } from 'node:crypto'
const GCM_IV_LENGTH = 12 // 96 bits
const GCM_TAG_LENGTH = 16 // 128 bits
const ALGORITHM = 'aes-256-gcm'
/**
* AES-256-GCM encrypt.
*
* Output format (before Base64): [IV (12 bytes)] + [ciphertext] + [auth tag (16 bytes)]
*
* @param plaintext - UTF-8 string to encrypt
* @param key - 32-byte AES key
* @returns Base64-encoded encrypted data
*/
export const aesGcmEncrypt = (plaintext: string, key: Buffer): string => {
const iv = randomBytes(GCM_IV_LENGTH)
const cipher = createCipheriv(ALGORITHM, key, iv, { authTagLength: GCM_TAG_LENGTH })
const encrypted = Buffer.concat([cipher.update(plaintext, 'utf-8'), cipher.final()])
const tag = cipher.getAuthTag()
// Layout: IV + ciphertext + tag
const combined = Buffer.concat([iv, encrypted, tag])
return combined.toString('base64')
}
/**
* AES-256-GCM decrypt.
*
* Input format (after Base64 decode): [IV (12 bytes)] + [ciphertext] + [auth tag (16 bytes)]
*
* @param encryptedBase64 - Base64-encoded encrypted data
* @param key - 32-byte AES key
* @returns Decrypted UTF-8 string
*/
export const aesGcmDecrypt = (encryptedBase64: string, key: Buffer): string => {
const data = Buffer.from(encryptedBase64, 'base64')
if (data.length < GCM_IV_LENGTH + GCM_TAG_LENGTH) {
throw new Error('Encrypted data too short: must contain IV + tag at minimum')
}
const iv = data.subarray(0, GCM_IV_LENGTH)
const tag = data.subarray(data.length - GCM_TAG_LENGTH)
const ciphertext = data.subarray(GCM_IV_LENGTH, data.length - GCM_TAG_LENGTH)
const decipher = createDecipheriv(ALGORITHM, key, iv, { authTagLength: GCM_TAG_LENGTH })
decipher.setAuthTag(tag)
const decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()])
return decrypted.toString('utf-8')
}

15
packages/crypto/src/hash.ts Normal file
View File

@@ -0,0 +1,15 @@
import { createHash } from 'node:crypto'
/**
* Compute SHA-256 hash and return raw Buffer.
*/
export const sha256 = (data: string | Buffer): Buffer => {
return createHash('sha256').update(data).digest()
}
/**
* Compute SHA-256 hash and return lowercase hex string.
*/
export const sha256Hex = (data: string | Buffer): string => {
return createHash('sha256').update(data).digest('hex')
}

15
packages/crypto/src/hkdf.ts Normal file
View File

@@ -0,0 +1,15 @@
import { hkdfSync } from 'node:crypto'
/**
* Derive a key using HKDF-SHA256.
*
* @param ikm - Input keying material (string, will be UTF-8 encoded)
* @param salt - Salt value (string, will be UTF-8 encoded)
* @param info - Info/context string (will be UTF-8 encoded)
* @param length - Output key length in bytes (default: 32 for AES-256)
* @returns Derived key as Buffer
*/
export const hkdfSha256 = (ikm: string, salt: string, info: string, length = 32): Buffer => {
const derived = hkdfSync('sha256', ikm, salt, info, length)
return Buffer.from(derived)
}

23
packages/crypto/src/hmac.ts Normal file
View File

@@ -0,0 +1,23 @@
import { createHmac } from 'node:crypto'
/**
* Compute HMAC-SHA256 and return Base64-encoded signature.
*
* @param key - HMAC key (Buffer)
* @param data - Data to sign (UTF-8 string)
* @returns Base64-encoded HMAC-SHA256 signature
*/
export const hmacSha256Base64 = (key: Buffer, data: string): string => {
return createHmac('sha256', key).update(data, 'utf-8').digest('base64')
}
/**
* Compute HMAC-SHA256 and return raw Buffer.
*
* @param key - HMAC key (Buffer)
* @param data - Data to sign (UTF-8 string)
* @returns HMAC-SHA256 digest as Buffer
*/
export const hmacSha256 = (key: Buffer, data: string): Buffer => {
return createHmac('sha256', key).update(data, 'utf-8').digest()
}

7
packages/crypto/src/index.ts Normal file
View File

@@ -0,0 +1,7 @@
export { aesGcmDecrypt, aesGcmEncrypt } from './aes-gcm'
export { sha256, sha256Hex } from './hash'
export { hkdfSha256 } from './hkdf'
export { hmacSha256, hmacSha256Base64 } from './hmac'
export { generatePgpKeyPair, pgpSignDetached, pgpVerifyDetached, validatePgpPrivateKey } from './pgp'
export { rsaOaepEncrypt } from './rsa-oaep'
export { rsaVerifySignature, validateRsaPublicKey } from './rsa-signature'

79
packages/crypto/src/pgp.ts Normal file
View File

@@ -0,0 +1,79 @@
import * as openpgp from 'openpgp'
/**
* Generate an OpenPGP RSA key pair.
*
* @param name - User name for the key
* @param email - User email for the key
* @returns ASCII-armored private and public keys
*/
export const generatePgpKeyPair = async (
name: string,
email: string,
): Promise<{ privateKey: string; publicKey: string }> => {
const { privateKey, publicKey } = await openpgp.generateKey({
type: 'rsa',
rsaBits: 2048,
userIDs: [{ name, email }],
format: 'armored',
})
return { privateKey, publicKey }
}
/**
* Create a detached OpenPGP signature for the given data.
*
* @param data - Raw data to sign (Buffer or Uint8Array)
* @param armoredPrivateKey - ASCII-armored private key
* @returns ASCII-armored detached signature (signature.asc content)
*/
export const validatePgpPrivateKey = async (armoredKey: string): Promise<void> => {
await openpgp.readPrivateKey({ armoredKey })
}
export const pgpSignDetached = async (data: Uint8Array, armoredPrivateKey: string): Promise<string> => {
const privateKey = await openpgp.readPrivateKey({ armoredKey: armoredPrivateKey })
const message = await openpgp.createMessage({ binary: data })
const signature = await openpgp.sign({
message,
signingKeys: privateKey,
detached: true,
format: 'armored',
})
return signature as string
}
/**
* Verify a detached OpenPGP signature.
*
* @param data - Original data (Buffer or Uint8Array)
* @param armoredSignature - ASCII-armored detached signature
* @param armoredPublicKey - ASCII-armored public key
* @returns true if signature is valid
*/
export const pgpVerifyDetached = async (
data: Uint8Array,
armoredSignature: string,
armoredPublicKey: string,
): Promise<boolean> => {
const publicKey = await openpgp.readKey({ armoredKey: armoredPublicKey })
const signature = await openpgp.readSignature({ armoredSignature })
const message = await openpgp.createMessage({ binary: data })
const verificationResult = await openpgp.verify({
message,
signature,
verificationKeys: publicKey,
})
const { verified } = verificationResult.signatures[0]!
try {
await verified
return true
} catch {
return false
}
}

32
packages/crypto/src/rsa-oaep.ts Normal file
View File

@@ -0,0 +1,32 @@
import forge from 'node-forge'
/**
* RSA-OAEP encrypt with platform public key.
*
* Matches Java's {@code Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding")}
* with **default SunJCE parameters**:
*
* | Parameter | Value |
* |-----------|--------|
* | OAEP hash | SHA-256|
* | MGF1 hash | SHA-1 |
*
* Node.js `crypto.publicEncrypt({ oaepHash })` ties both hashes together,
* so we use `node-forge` which allows independent configuration.
*
* @param plaintext - UTF-8 string to encrypt
* @param publicKeyBase64 - Platform RSA public key (X.509 / SPKI DER, Base64)
* @returns Base64-encoded ciphertext
*/
export const rsaOaepEncrypt = (plaintext: string, publicKeyBase64: string): string => {
const derBytes = forge.util.decode64(publicKeyBase64)
const asn1 = forge.asn1.fromDer(derBytes)
const publicKey = forge.pki.publicKeyFromAsn1(asn1) as forge.pki.rsa.PublicKey
const encrypted = publicKey.encrypt(plaintext, 'RSA-OAEP', {
md: forge.md.sha256.create(),
mgf1: { md: forge.md.sha1.create() },
})
return forge.util.encode64(encrypted)
}

24
packages/crypto/src/rsa-signature.test.ts Normal file
View File

@@ -0,0 +1,24 @@
import { describe, expect, it } from 'bun:test'
import { constants, createSign, generateKeyPairSync } from 'node:crypto'
import { rsaVerifySignature, validateRsaPublicKey } from './rsa-signature'
describe('rsaVerifySignature', () => {
it('verifies SHA256withRSA signatures over raw payload bytes', () => {
const { privateKey, publicKey } = generateKeyPairSync('rsa', { modulusLength: 2048 })
const payload = Buffer.from('eyJsaWNlbmNlX2lkIjoiTElDLTAwMSIsImV4cGlyZV90aW1lIjoiMjAyNy0wMy0xOSJ9', 'utf-8')
const signer = createSign('RSA-SHA256')
signer.update(payload)
signer.end()
const signature = signer.sign({ key: privateKey, padding: constants.RSA_PKCS1_PADDING })
const publicKeyBase64 = publicKey.export({ format: 'der', type: 'spki' }).toString('base64')
expect(rsaVerifySignature(payload, signature, publicKeyBase64)).toBe(true)
expect(rsaVerifySignature(Buffer.from(`${payload}x`, 'utf-8'), signature, publicKeyBase64)).toBe(false)
})
it('rejects malformed SPKI public keys', () => {
expect(() => validateRsaPublicKey('not-a-public-key')).toThrow()
})
})

19
packages/crypto/src/rsa-signature.ts Normal file
View File

@@ -0,0 +1,19 @@
import { constants, createPublicKey, verify } from 'node:crypto'
const createSpkiPublicKey = (publicKeyBase64: string) => {
return createPublicKey({
key: Buffer.from(publicKeyBase64, 'base64'),
format: 'der',
type: 'spki',
})
}
export const validateRsaPublicKey = (publicKeyBase64: string): void => {
createSpkiPublicKey(publicKeyBase64)
}
export const rsaVerifySignature = (data: Uint8Array, signature: Uint8Array, publicKeyBase64: string): boolean => {
const publicKey = createSpkiPublicKey(publicKeyBase64)
return verify('RSA-SHA256', data, { key: publicKey, padding: constants.RSA_PKCS1_PADDING }, signature)
}

7
packages/crypto/tsconfig.json Normal file
View File

@@ -0,0 +1,7 @@
{
"extends": "@furtherverse/tsconfig/bun.json",
"compilerOptions": {
"rootDir": "src"
},
"include": ["src"]
}