Compare commits
3 Commits
ux
...
fb00563dc3
| Author | SHA1 | Date | |
|---|---|---|---|
| fb00563dc3 | |||
| 4e2bc5b8dc | |||
| 9da3df6ad7 |
5
.gitignore
vendored
5
.gitignore
vendored
@@ -9,11 +9,6 @@
|
||||
# Bun build
|
||||
*.bun-build
|
||||
|
||||
# SQLite database files
|
||||
*.db
|
||||
*.db-wal
|
||||
*.db-shm
|
||||
|
||||
# Turborepo
|
||||
.turbo/
|
||||
|
||||
|
||||
@@ -1 +1 @@
|
||||
DATABASE_PATH=data.db
|
||||
DATABASE_URL=postgres://postgres:postgres@localhost:5432/postgres
|
||||
|
||||
@@ -1,12 +1,11 @@
|
||||
import { defineConfig } from 'drizzle-kit'
|
||||
|
||||
const databasePath = process.env.DATABASE_PATH ?? 'data.db'
|
||||
import { env } from '@/env'
|
||||
|
||||
export default defineConfig({
|
||||
out: './drizzle',
|
||||
schema: './src/server/db/schema/index.ts',
|
||||
dialect: 'sqlite',
|
||||
dialect: 'postgresql',
|
||||
dbCredentials: {
|
||||
url: databasePath,
|
||||
url: env.DATABASE_URL,
|
||||
},
|
||||
})
|
||||
|
||||
@@ -14,16 +14,15 @@
|
||||
"compile:linux:x64": "bun compile.ts --target bun-linux-x64",
|
||||
"compile:windows": "bun run compile:windows:x64",
|
||||
"compile:windows:x64": "bun compile.ts --target bun-windows-x64",
|
||||
"db:generate": "bun --bun drizzle-kit generate",
|
||||
"db:migrate": "bun --bun drizzle-kit migrate",
|
||||
"db:push": "bun --bun drizzle-kit push",
|
||||
"db:studio": "bun --bun drizzle-kit studio",
|
||||
"db:generate": "drizzle-kit generate",
|
||||
"db:migrate": "drizzle-kit migrate",
|
||||
"db:push": "drizzle-kit push",
|
||||
"db:studio": "drizzle-kit studio",
|
||||
"dev": "bunx --bun vite dev",
|
||||
"fix": "biome check --write",
|
||||
"typecheck": "tsc --noEmit"
|
||||
},
|
||||
"dependencies": {
|
||||
"@furtherverse/crypto": "workspace:*",
|
||||
"@orpc/client": "catalog:",
|
||||
"@orpc/contract": "catalog:",
|
||||
"@orpc/openapi": "catalog:",
|
||||
@@ -36,11 +35,9 @@
|
||||
"@tanstack/react-router-ssr-query": "catalog:",
|
||||
"@tanstack/react-start": "catalog:",
|
||||
"drizzle-orm": "catalog:",
|
||||
"jszip": "catalog:",
|
||||
"lossless-json": "catalog:",
|
||||
"postgres": "catalog:",
|
||||
"react": "catalog:",
|
||||
"react-dom": "catalog:",
|
||||
"systeminformation": "catalog:",
|
||||
"uuid": "catalog:",
|
||||
"zod": "catalog:"
|
||||
},
|
||||
@@ -57,7 +54,6 @@
|
||||
"drizzle-kit": "catalog:",
|
||||
"nitro": "catalog:",
|
||||
"tailwindcss": "catalog:",
|
||||
"vite": "catalog:",
|
||||
"vite-tsconfig-paths": "catalog:"
|
||||
"vite": "catalog:"
|
||||
}
|
||||
}
|
||||
|
||||
@@ -24,4 +24,30 @@ const getORPCClient = createIsomorphicFn()
|
||||
|
||||
const client: RouterClient = getORPCClient()
|
||||
|
||||
export const orpc = createTanstackQueryUtils(client)
|
||||
export const orpc = createTanstackQueryUtils(client, {
|
||||
experimental_defaults: {
|
||||
todo: {
|
||||
create: {
|
||||
mutationOptions: {
|
||||
onSuccess: (_, __, ___, ctx) => {
|
||||
ctx.client.invalidateQueries({ queryKey: orpc.todo.list.key() })
|
||||
},
|
||||
},
|
||||
},
|
||||
update: {
|
||||
mutationOptions: {
|
||||
onSuccess: (_, __, ___, ctx) => {
|
||||
ctx.client.invalidateQueries({ queryKey: orpc.todo.list.key() })
|
||||
},
|
||||
},
|
||||
},
|
||||
remove: {
|
||||
mutationOptions: {
|
||||
onSuccess: (_, __, ___, ctx) => {
|
||||
ctx.client.invalidateQueries({ queryKey: orpc.todo.list.key() })
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
})
|
||||
|
||||
@@ -3,7 +3,7 @@ import { z } from 'zod'
|
||||
|
||||
export const env = createEnv({
|
||||
server: {
|
||||
DATABASE_PATH: z.string().min(1).default('data.db'),
|
||||
DATABASE_URL: z.url(),
|
||||
},
|
||||
clientPrefix: 'VITE_',
|
||||
client: {
|
||||
|
||||
@@ -16,8 +16,6 @@ const handler = new OpenAPIHandler(router, {
|
||||
info: {
|
||||
title: name,
|
||||
version,
|
||||
description:
|
||||
'UX 授权服务 OpenAPI 文档。该服务用于工具箱侧本地身份初始化与密码学能力调用,覆盖设备授权密文生成、任务二维码解密、摘要信息加密、报告签名打包等流程。\n\n推荐调用顺序:\n1) 写入平台公钥;\n2) 写入已签名 licence JSON;\n3) 写入 OpenPGP 私钥;\n4) 读取本机身份状态进行前置校验;\n5) 执行加密/解密与签名接口。\n\n说明:除文件下载接口外,返回体均为 JSON;字段示例已提供,便于联调和 Mock。',
|
||||
},
|
||||
},
|
||||
docsPath: '/docs',
|
||||
|
||||
@@ -1,21 +1,193 @@
|
||||
import { useMutation, useSuspenseQuery } from '@tanstack/react-query'
|
||||
import { createFileRoute } from '@tanstack/react-router'
|
||||
import type { ChangeEventHandler, SubmitEventHandler } from 'react'
|
||||
import { useState } from 'react'
|
||||
import { orpc } from '@/client/orpc'
|
||||
|
||||
export const Route = createFileRoute('/')({
|
||||
component: Home,
|
||||
component: Todos,
|
||||
loader: async ({ context }) => {
|
||||
await context.queryClient.ensureQueryData(orpc.todo.list.queryOptions())
|
||||
},
|
||||
})
|
||||
|
||||
function Home() {
|
||||
function Todos() {
|
||||
const [newTodoTitle, setNewTodoTitle] = useState('')
|
||||
|
||||
const listQuery = useSuspenseQuery(orpc.todo.list.queryOptions())
|
||||
const createMutation = useMutation(orpc.todo.create.mutationOptions())
|
||||
const updateMutation = useMutation(orpc.todo.update.mutationOptions())
|
||||
const deleteMutation = useMutation(orpc.todo.remove.mutationOptions())
|
||||
|
||||
const handleCreateTodo: SubmitEventHandler<HTMLFormElement> = (e) => {
|
||||
e.preventDefault()
|
||||
if (newTodoTitle.trim()) {
|
||||
createMutation.mutate({ title: newTodoTitle.trim() })
|
||||
setNewTodoTitle('')
|
||||
}
|
||||
}
|
||||
|
||||
const handleInputChange: ChangeEventHandler<HTMLInputElement> = (e) => {
|
||||
setNewTodoTitle(e.target.value)
|
||||
}
|
||||
|
||||
const handleToggleTodo = (id: string, currentCompleted: boolean) => {
|
||||
updateMutation.mutate({
|
||||
id,
|
||||
data: { completed: !currentCompleted },
|
||||
})
|
||||
}
|
||||
|
||||
const handleDeleteTodo = (id: string) => {
|
||||
deleteMutation.mutate({ id })
|
||||
}
|
||||
|
||||
const todos = listQuery.data
|
||||
const completedCount = todos.filter((todo) => todo.completed).length
|
||||
const totalCount = todos.length
|
||||
const progress = totalCount > 0 ? (completedCount / totalCount) * 100 : 0
|
||||
|
||||
return (
|
||||
<div className="min-h-screen bg-slate-50 flex items-center justify-center font-sans">
|
||||
<div className="text-center space-y-4">
|
||||
<h1 className="text-3xl font-bold text-slate-900 tracking-tight">UX Server</h1>
|
||||
<p className="text-slate-500">
|
||||
API Docs:
|
||||
<a href="/api/docs" className="text-indigo-600 hover:text-indigo-700 underline">
|
||||
/api/docs
|
||||
</a>
|
||||
<div className="min-h-screen bg-slate-50 py-12 px-4 sm:px-6 font-sans">
|
||||
<div className="max-w-2xl mx-auto space-y-8">
|
||||
{/* Header */}
|
||||
<div className="flex items-end justify-between">
|
||||
<div>
|
||||
<h1 className="text-3xl font-bold text-slate-900 tracking-tight">我的待办</h1>
|
||||
<p className="text-slate-500 mt-1">保持专注,逐个击破</p>
|
||||
</div>
|
||||
<div className="text-right">
|
||||
<div className="text-2xl font-semibold text-slate-900">
|
||||
{completedCount}
|
||||
<span className="text-slate-400 text-lg">/{totalCount}</span>
|
||||
</div>
|
||||
<div className="text-xs font-medium text-slate-400 uppercase tracking-wider">已完成</div>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
{/* Add Todo Form */}
|
||||
<form onSubmit={handleCreateTodo} className="relative group z-10">
|
||||
<div className="relative transform transition-all duration-200 focus-within:-translate-y-1">
|
||||
<input
|
||||
type="text"
|
||||
value={newTodoTitle}
|
||||
onChange={handleInputChange}
|
||||
placeholder="添加新任务..."
|
||||
className="w-full pl-6 pr-32 py-5 bg-white rounded-2xl shadow-[0_8px_30px_rgb(0,0,0,0.04)] border-0 ring-1 ring-slate-100 focus:ring-2 focus:ring-indigo-500/50 outline-none transition-all placeholder:text-slate-400 text-lg text-slate-700"
|
||||
disabled={createMutation.isPending}
|
||||
/>
|
||||
<button
|
||||
type="submit"
|
||||
disabled={createMutation.isPending || !newTodoTitle.trim()}
|
||||
className="absolute right-3 top-3 bottom-3 px-6 bg-indigo-600 hover:bg-indigo-700 text-white rounded-xl font-medium transition-all shadow-md shadow-indigo-200 disabled:opacity-50 disabled:shadow-none hover:shadow-lg hover:shadow-indigo-300 active:scale-95"
|
||||
>
|
||||
{createMutation.isPending ? '添加中' : '添加'}
|
||||
</button>
|
||||
</div>
|
||||
</form>
|
||||
|
||||
{/* Progress Bar (Only visible when there are tasks) */}
|
||||
{totalCount > 0 && (
|
||||
<div className="h-1.5 w-full bg-slate-200 rounded-full overflow-hidden">
|
||||
<div
|
||||
className="h-full bg-indigo-500 transition-all duration-500 ease-out rounded-full"
|
||||
style={{ width: `${progress}%` }}
|
||||
/>
|
||||
</div>
|
||||
)}
|
||||
|
||||
{/* Todo List */}
|
||||
<div className="space-y-3">
|
||||
{todos.length === 0 ? (
|
||||
<div className="py-20 text-center">
|
||||
<div className="inline-flex items-center justify-center w-16 h-16 rounded-full bg-slate-100 mb-4">
|
||||
<svg
|
||||
className="w-8 h-8 text-slate-400"
|
||||
fill="none"
|
||||
viewBox="0 0 24 24"
|
||||
stroke="currentColor"
|
||||
aria-hidden="true"
|
||||
>
|
||||
<path strokeLinecap="round" strokeLinejoin="round" strokeWidth={1.5} d="M12 6v6m0 0v6m0-6h6m-6 0H6" />
|
||||
</svg>
|
||||
</div>
|
||||
<p className="text-slate-500 text-lg font-medium">没有待办事项</p>
|
||||
<p className="text-slate-400 text-sm mt-1">输入上方内容添加您的第一个任务</p>
|
||||
</div>
|
||||
) : (
|
||||
todos.map((todo) => (
|
||||
<div
|
||||
key={todo.id}
|
||||
className={`group relative flex items-center p-4 bg-white rounded-xl border border-slate-100 shadow-sm transition-all duration-200 hover:shadow-md hover:border-slate-200 ${
|
||||
todo.completed ? 'bg-slate-50/50' : ''
|
||||
}`}
|
||||
>
|
||||
<button
|
||||
type="button"
|
||||
onClick={() => handleToggleTodo(todo.id, todo.completed)}
|
||||
className={`flex-shrink-0 w-6 h-6 rounded-full border-2 transition-all duration-200 flex items-center justify-center mr-4 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-indigo-500 ${
|
||||
todo.completed
|
||||
? 'bg-indigo-500 border-indigo-500'
|
||||
: 'border-slate-300 hover:border-indigo-500 bg-white'
|
||||
}`}
|
||||
>
|
||||
{todo.completed && (
|
||||
<svg
|
||||
className="w-3.5 h-3.5 text-white"
|
||||
fill="none"
|
||||
viewBox="0 0 24 24"
|
||||
stroke="currentColor"
|
||||
strokeWidth={3}
|
||||
aria-hidden="true"
|
||||
>
|
||||
<path strokeLinecap="round" strokeLinejoin="round" d="M5 13l4 4L19 7" />
|
||||
</svg>
|
||||
)}
|
||||
</button>
|
||||
|
||||
<div className="flex-1 min-w-0">
|
||||
<p
|
||||
className={`text-lg transition-all duration-200 truncate ${
|
||||
todo.completed
|
||||
? 'text-slate-400 line-through decoration-slate-300 decoration-2'
|
||||
: 'text-slate-700'
|
||||
}`}
|
||||
>
|
||||
{todo.title}
|
||||
</p>
|
||||
</div>
|
||||
|
||||
<div className="flex items-center opacity-0 group-hover:opacity-100 transition-opacity duration-200 absolute right-4 pl-4 bg-gradient-to-l from-white via-white to-transparent sm:static sm:bg-none">
|
||||
<span className="text-xs text-slate-400 mr-3 hidden sm:inline-block">
|
||||
{new Date(todo.createdAt).toLocaleDateString('zh-CN')}
|
||||
</span>
|
||||
<button
|
||||
type="button"
|
||||
onClick={() => handleDeleteTodo(todo.id)}
|
||||
className="p-2 text-slate-400 hover:text-red-500 hover:bg-red-50 rounded-lg transition-colors focus:outline-none"
|
||||
title="删除"
|
||||
>
|
||||
<svg
|
||||
className="w-5 h-5"
|
||||
fill="none"
|
||||
viewBox="0 0 24 24"
|
||||
stroke="currentColor"
|
||||
strokeWidth={1.5}
|
||||
aria-hidden="true"
|
||||
>
|
||||
<path
|
||||
strokeLinecap="round"
|
||||
strokeLinejoin="round"
|
||||
d="M19 7l-.867 12.142A2 2 0 0116.138 21H7.862a2 2 0 01-1.995-1.858L5 7m5 4v6m4-6v6m1-10V4a1 1 0 00-1-1h-4a1 1 0 00-1 1v3M4 7h16"
|
||||
/>
|
||||
</svg>
|
||||
</button>
|
||||
</div>
|
||||
</div>
|
||||
))
|
||||
)}
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
)
|
||||
}
|
||||
|
||||
@@ -1,127 +0,0 @@
|
||||
import { oc } from '@orpc/contract'
|
||||
import { z } from 'zod'
|
||||
import { licenceEnvelopeSchema } from '@/server/licence'
|
||||
|
||||
const licenceOutput = z
|
||||
.object({
|
||||
licenceId: z.string().describe('验签通过后的 licence 标识'),
|
||||
expireTime: z.string().describe('授权到期日,格式为 YYYY-MM-DD'),
|
||||
isExpired: z.boolean().describe('当前 licence 是否已过期(按 UTC 自然日计算)'),
|
||||
})
|
||||
.describe('当前已安装 licence 的验证后元数据')
|
||||
|
||||
const configOutput = z
|
||||
.object({
|
||||
licence: licenceOutput.nullable().describe('当前本地已验证 licence 的元数据,未设置时为 null'),
|
||||
fingerprint: z.string().describe('UX 本机计算得到的设备特征码(SHA-256)'),
|
||||
hasPlatformPublicKey: z.boolean().describe('是否已配置平台公钥'),
|
||||
hasPgpPrivateKey: z.boolean().describe('是否已配置 OpenPGP 私钥'),
|
||||
})
|
||||
.describe('本地身份配置快照,用于判断设备授权初始化是否完成')
|
||||
.meta({
|
||||
examples: [
|
||||
{
|
||||
licence: {
|
||||
licenceId: 'LIC-20260319-0025',
|
||||
expireTime: '2027-03-19',
|
||||
isExpired: false,
|
||||
},
|
||||
fingerprint: '9a3b7c1d2e4f5a6b8c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b',
|
||||
hasPlatformPublicKey: true,
|
||||
hasPgpPrivateKey: true,
|
||||
},
|
||||
{
|
||||
licence: null,
|
||||
fingerprint: '9a3b7c1d2e4f5a6b8c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b',
|
||||
hasPlatformPublicKey: false,
|
||||
hasPgpPrivateKey: false,
|
||||
},
|
||||
],
|
||||
})
|
||||
|
||||
export const get = oc
|
||||
.route({
|
||||
method: 'POST',
|
||||
path: '/config/get',
|
||||
operationId: 'configGet',
|
||||
summary: '读取本机身份配置',
|
||||
description:
|
||||
'查询 UX 当前本地身份配置状态。\n\n典型用途:页面初始化时检测授权状态、验签前检查平台公钥、签名前检查私钥是否就绪。\n\n返回内容:\n- licence:当前已验证 licence 的元数据,未设置时为 null;\n- fingerprint:设备特征码(本机自动计算);\n- hasPlatformPublicKey:是否已写入平台公钥;\n- hasPgpPrivateKey:是否已写入 OpenPGP 私钥。',
|
||||
tags: ['Config'],
|
||||
})
|
||||
.input(z.object({}).describe('空请求体,仅触发读取当前配置'))
|
||||
.output(configOutput)
|
||||
|
||||
export const setLicence = oc
|
||||
.route({
|
||||
method: 'POST',
|
||||
path: '/config/set-licence',
|
||||
operationId: 'configSetLicence',
|
||||
summary: '写入本地 licence',
|
||||
description:
|
||||
'写入或更新本机持久化 licence。\n\n调用时机:设备首次激活、授权码变更、授权修复。\n\n约束与行为:\n- 接收 `.lic` 文件内容对应的 JSON 信封,而不是文件上传;\n- 使用已配置的平台公钥对 payload 原始字符串做 SHA256withRSA 验签;\n- 仅在验签通过且 expire_time 未过期时持久化;\n- fingerprint 由本机自动计算,不允许外部覆盖;\n- 成功后返回最新配置快照,便于前端立即刷新授权状态。',
|
||||
tags: ['Config'],
|
||||
})
|
||||
.input(
|
||||
licenceEnvelopeSchema.meta({
|
||||
examples: [
|
||||
{
|
||||
payload: 'eyJsaWNlbmNlX2lkIjoiTElDLTIwMjYwMzE5LTAwMjUiLCJleHBpcmVfdGltZSI6IjIwMjctMDMtMTkifQ==',
|
||||
signature:
|
||||
'aLd+wwpz1W5AS0jgE/IstSNjCAQ5estQYIMqeLXRWMIsnKxjZpCvC8O5q/G5LEBBLJXnbTk8N6IMTUx295nf2HQYlXNtJkWiBeUXQ6/uzs0RbhCeRAWK2Hx4kSsmiEv4AHGLb4ozI2XekTc+40+ApJQYqaWbDu/NU99TmDm3/da1VkKpQxH60BhSQVwBtU67w9Vp3SpWm8y1faQ7ci5WDtJf1JZaS70kPXoGeA5018rPeMFlEzUp10yDlGW6RcrT7Dm+r7zFyrFznLK+evBEvTf9mMGWwZZP3q9vJtC/wFt1t5zNHdkb27cTwc9yyqGMWdelXQAQDnoisn2Jzi06KA==',
|
||||
},
|
||||
],
|
||||
}),
|
||||
)
|
||||
.output(configOutput)
|
||||
|
||||
export const setPgpPrivateKey = oc
|
||||
.route({
|
||||
method: 'POST',
|
||||
path: '/config/set-pgp-private-key',
|
||||
operationId: 'configSetPgpPrivateKey',
|
||||
summary: '写入本地 OpenPGP 私钥',
|
||||
description:
|
||||
'写入或更新本机持久化 OpenPGP 私钥(ASCII armored)。\n\n调用时机:首次导入签名私钥、私钥轮换。\n\n约束与行为:\n- 仅接收 ASCII armored 私钥文本;\n- 私钥保存在本地,后续报告签名接口会自动读取;\n- 成功后返回最新配置快照,可用于确认 hasPgpPrivateKey 状态。',
|
||||
tags: ['Config'],
|
||||
})
|
||||
.input(
|
||||
z
|
||||
.object({
|
||||
pgpPrivateKey: z.string().min(1).describe('OpenPGP 私钥(ASCII armored 格式)'),
|
||||
})
|
||||
.meta({
|
||||
examples: [
|
||||
{
|
||||
pgpPrivateKey: '-----BEGIN PGP PRIVATE KEY BLOCK-----\n\nxcMGBGd...\n-----END PGP PRIVATE KEY BLOCK-----',
|
||||
},
|
||||
],
|
||||
}),
|
||||
)
|
||||
.output(configOutput)
|
||||
|
||||
export const setPlatformPublicKey = oc
|
||||
.route({
|
||||
method: 'POST',
|
||||
path: '/config/set-platform-public-key',
|
||||
operationId: 'configSetPlatformPublicKey',
|
||||
summary: '写入本地平台公钥',
|
||||
description:
|
||||
'写入或更新本机持久化平台公钥(Base64 编码 SPKI DER)。\n\n调用时机:设备授权初始化、平台公钥轮换。\n\n约束与行为:\n- 仅接收可解析的平台 RSA 公钥文本;\n- 公钥保存在本地,设备授权密文接口和 licence 验签都会自动读取,无需每次传参;\n- 若平台公钥发生变化,已安装 licence 会被清空,需要重新安装已签名 licence;\n- 成功后返回最新配置快照,可用于确认 hasPlatformPublicKey 状态。',
|
||||
tags: ['Config'],
|
||||
})
|
||||
.input(
|
||||
z
|
||||
.object({
|
||||
platformPublicKey: z.string().min(1).describe('平台公钥(Base64 编码 SPKI DER)'),
|
||||
})
|
||||
.meta({
|
||||
examples: [
|
||||
{
|
||||
platformPublicKey:
|
||||
'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzDlZvMDVaL+fjl05Hi182JOAUAaN4gh9rOF+1NhKfO4J6e0HLy8lBuylp3A4xoTiyUejNm22h0dqAgDSPnY/xZR76POFTD1soHr2LaFCN8JAbQ96P8gE7wC9qpoTssVvIVRH7QbVd260J6eD0Szwcx9cg591RSN69pMpe5IVRi8T99Hhql6/wnZHORPr18eESLOY93jRskLzc0q18r68RRoTJiQf+9YC8ub5iKp7rCjVnPi1UbIYmXmL08tk5mksYA0NqWQAa1ofKxx/9tQtB9uTjhTxuTu94XU9jlGU87qaHZs+kpqa8CAbYYJFbSP1xHwoZzpU2jpw2aF22HBYxwIDAQAB',
|
||||
},
|
||||
],
|
||||
}),
|
||||
)
|
||||
.output(configOutput)
|
||||
@@ -1,163 +0,0 @@
|
||||
import { oc } from '@orpc/contract'
|
||||
import { z } from 'zod'
|
||||
|
||||
export const encryptDeviceInfo = oc
|
||||
.route({
|
||||
method: 'POST',
|
||||
path: '/crypto/encrypt-device-info',
|
||||
operationId: 'encryptDeviceInfo',
|
||||
summary: '生成设备授权二维码密文',
|
||||
description:
|
||||
'生成设备授权流程所需的二维码密文。\n\n处理流程:\n- 读取本机已验证的 licenceId、fingerprint 与本地持久化的平台公钥;\n- 组装为授权载荷 JSON;\n- 使用平台公钥执行 RSA-OAEP(SHA-256) 加密;\n- 返回 Base64 密文供前端生成二维码。\n\n适用场景:设备授权申请、重新授权。\n\n前置条件:需先调用 config.setPlatformPublicKey 写入平台公钥,并通过 config.setLicence 安装已签名 licence。',
|
||||
tags: ['Crypto'],
|
||||
})
|
||||
.input(z.object({}).describe('空请求体。平台公钥由本地配置自动读取'))
|
||||
.output(
|
||||
z
|
||||
.object({
|
||||
encrypted: z.string().describe('Base64 密文(可直接用于设备授权二维码内容)'),
|
||||
})
|
||||
.describe('设备授权密文生成结果')
|
||||
.meta({
|
||||
examples: [
|
||||
{
|
||||
encrypted: 'dGhpcyBpcyBhIGJhc2U2NCBlbmNvZGVkIFJTQS1PQUVQIGVuY3J5cHRlZCBkZXZpY2UgaW5mby4uLg==',
|
||||
},
|
||||
],
|
||||
}),
|
||||
)
|
||||
|
||||
export const decryptTask = oc
|
||||
.route({
|
||||
method: 'POST',
|
||||
path: '/crypto/decrypt-task',
|
||||
operationId: 'decryptTask',
|
||||
summary: '解密任务二维码数据',
|
||||
description:
|
||||
'解密 App 下发的任务二维码密文。\n\n处理流程:\n- 基于本机已验证的 licenceId + fingerprint 派生 AES-256-GCM 密钥;\n- 对二维码中的 Base64 密文进行解密;\n- 返回任务明文 JSON 字符串。\n\n适用场景:扫码接收任务后解析任务详情。',
|
||||
tags: ['Crypto'],
|
||||
})
|
||||
.input(
|
||||
z
|
||||
.object({
|
||||
encryptedData: z.string().min(1).describe('Base64 编码的 AES-256-GCM 密文(来自任务二维码扫描结果)'),
|
||||
})
|
||||
.describe('任务二维码解密请求')
|
||||
.meta({
|
||||
examples: [
|
||||
{
|
||||
encryptedData: 'uWUcAmp6UQd0w3G3crdsd4613QCxGLoEgslgXJ4G2hQhpQdjtghtQjCBUZwB/JO+NRgH1vSTr8dqBJRq7Qh4nug==',
|
||||
},
|
||||
],
|
||||
}),
|
||||
)
|
||||
.output(
|
||||
z
|
||||
.object({
|
||||
decrypted: z.string().describe('解密后的任务信息 JSON 字符串(可进一步反序列化)'),
|
||||
})
|
||||
.describe('任务二维码解密结果')
|
||||
.meta({
|
||||
examples: [
|
||||
{
|
||||
decrypted:
|
||||
'{"taskId":"TASK-20260115-4875","enterpriseId":"1173040813421105152","orgName":"超艺科技有限公司","inspectionId":"702286470691215417","inspectionPerson":"警务通","issuedAt":1734571234567}',
|
||||
},
|
||||
],
|
||||
}),
|
||||
)
|
||||
|
||||
export const encryptSummary = oc
|
||||
.route({
|
||||
method: 'POST',
|
||||
path: '/crypto/encrypt-summary',
|
||||
operationId: 'encryptSummary',
|
||||
summary: '加密摘要信息',
|
||||
description:
|
||||
'加密检查摘要信息并产出二维码密文。\n\n处理流程:\n- 使用已验证的 licenceId + fingerprint 结合 taskId(salt) 通过 HKDF-SHA256 派生密钥;\n- 使用 AES-256-GCM 加密摘要明文;\n- 返回 Base64 密文用于摘要二维码生成。\n\n适用场景:任务执行后提交摘要信息。',
|
||||
tags: ['Crypto'],
|
||||
})
|
||||
.input(
|
||||
z
|
||||
.object({
|
||||
salt: z.string().min(1).describe('HKDF salt(通常为 taskId,需与任务上下文一致)'),
|
||||
plaintext: z.string().min(1).describe('待加密的摘要信息 JSON 明文字符串'),
|
||||
})
|
||||
.describe('摘要信息加密请求')
|
||||
.meta({
|
||||
examples: [
|
||||
{
|
||||
salt: 'TASK-20260115-4875',
|
||||
plaintext:
|
||||
'{"enterpriseId":"1173040813421105152","inspectionId":"702286470691215417","summary":{"orgId":"1","orgName":"超艺科技有限公司","checkId":"1","vcheckId":"1","task":{"startTime":"2022-01-01 00:00:00","endTime":"2022-01-01 00:00:00"},"asset":{"count":183},"weakPwd":{"count":5},"vul":{"emergency":13,"high":34,"medium":45,"low":12,"info":3}},"timestamp":1734571234567}',
|
||||
},
|
||||
],
|
||||
}),
|
||||
)
|
||||
.output(
|
||||
z
|
||||
.object({
|
||||
encrypted: z.string().describe('Base64 密文(用于摘要信息二维码内容)'),
|
||||
})
|
||||
.describe('摘要信息加密结果')
|
||||
.meta({
|
||||
examples: [
|
||||
{
|
||||
encrypted: 'uWUcAmp6UQd0w3G3crdsd4613QCxGLoEgslgXJ4G2hQhpQdjtghtQjCBUZwB/JO+NRgH1vSTr8dqBJRq7Qh4nug==',
|
||||
},
|
||||
],
|
||||
}),
|
||||
)
|
||||
|
||||
export const signAndPackReport = oc
|
||||
.route({
|
||||
method: 'POST',
|
||||
path: '/crypto/sign-and-pack-report',
|
||||
operationId: 'signAndPackReport',
|
||||
summary: '签名并打包检查报告',
|
||||
description:
|
||||
'对原始报告执行设备签名与 OpenPGP 签名并重新打包。\n\n处理流程:\n- 解析上传 ZIP 并提取 summary.json;\n- 用已验证的 licenceId/fingerprint 计算 deviceSignature(HKDF + HMAC-SHA256) 并回写 summary.json;\n- 生成 META-INF/manifest.json;\n- 使用本地 OpenPGP 私钥生成 detached signature(`META-INF/signature.asc`);\n- 返回签名后 ZIP。\n\n适用场景:检查结果归档、可追溯签名分发。',
|
||||
tags: ['Report'],
|
||||
spec: (current) => {
|
||||
const multipartContent =
|
||||
current.requestBody && !('$ref' in current.requestBody)
|
||||
? (current.requestBody.content?.['multipart/form-data'] ?? current.requestBody.content?.['application/json'])
|
||||
: undefined
|
||||
|
||||
return {
|
||||
...current,
|
||||
requestBody:
|
||||
multipartContent && current.requestBody && !('$ref' in current.requestBody)
|
||||
? {
|
||||
...current.requestBody,
|
||||
content: {
|
||||
'multipart/form-data': multipartContent,
|
||||
},
|
||||
}
|
||||
: current.requestBody,
|
||||
}
|
||||
},
|
||||
})
|
||||
.input(
|
||||
z
|
||||
.object({
|
||||
rawZip: z
|
||||
.file()
|
||||
.mime(['application/zip', 'application/x-zip-compressed'])
|
||||
.describe(
|
||||
'原始报告 ZIP 文件(必须包含 summary.json,以及 assets.json、vulnerabilities.json、weakPasswords.json、漏洞评估报告.html 等报告文件)',
|
||||
),
|
||||
outputFileName: z
|
||||
.string()
|
||||
.min(1)
|
||||
.optional()
|
||||
.describe('返回 ZIP 文件名(可选,默认 signed-report.zip)')
|
||||
.meta({ examples: ['signed-report.zip'] }),
|
||||
})
|
||||
.describe('报告签名与打包请求'),
|
||||
)
|
||||
.output(
|
||||
z
|
||||
.file()
|
||||
.describe('签名后报告 ZIP 文件(二进制响应,包含 summary.json、META-INF/manifest.json、META-INF/signature.asc)'),
|
||||
)
|
||||
@@ -1,9 +1,7 @@
|
||||
import * as config from './config.contract'
|
||||
import * as crypto from './crypto.contract'
|
||||
import * as todo from './todo.contract'
|
||||
|
||||
export const contract = {
|
||||
config,
|
||||
crypto,
|
||||
todo,
|
||||
}
|
||||
|
||||
export type Contract = typeof contract
|
||||
|
||||
32
apps/server/src/server/api/contracts/todo.contract.ts
Normal file
32
apps/server/src/server/api/contracts/todo.contract.ts
Normal file
@@ -0,0 +1,32 @@
|
||||
import { oc } from '@orpc/contract'
|
||||
import { createInsertSchema, createSelectSchema, createUpdateSchema } from 'drizzle-orm/zod'
|
||||
import { z } from 'zod'
|
||||
import { generatedFieldKeys } from '@/server/db/fields'
|
||||
import { todoTable } from '@/server/db/schema'
|
||||
|
||||
const selectSchema = createSelectSchema(todoTable)
|
||||
|
||||
const insertSchema = createInsertSchema(todoTable).omit(generatedFieldKeys)
|
||||
|
||||
const updateSchema = createUpdateSchema(todoTable).omit(generatedFieldKeys)
|
||||
|
||||
export const list = oc.input(z.void()).output(z.array(selectSchema))
|
||||
|
||||
export const create = oc.input(insertSchema).output(selectSchema)
|
||||
|
||||
export const update = oc
|
||||
.input(
|
||||
z.object({
|
||||
id: z.uuid(),
|
||||
data: updateSchema,
|
||||
}),
|
||||
)
|
||||
.output(selectSchema)
|
||||
|
||||
export const remove = oc
|
||||
.input(
|
||||
z.object({
|
||||
id: z.uuid(),
|
||||
}),
|
||||
)
|
||||
.output(z.void())
|
||||
@@ -1,81 +0,0 @@
|
||||
import { validatePgpPrivateKey, validateRsaPublicKey } from '@furtherverse/crypto'
|
||||
import { ORPCError } from '@orpc/server'
|
||||
import { isLicenceExpired, verifyAndDecodeLicenceEnvelope } from '@/server/licence'
|
||||
import { ensureUxConfig, setUxLicence, setUxPgpPrivateKey, setUxPlatformPublicKey } from '@/server/ux-config'
|
||||
import { db } from '../middlewares'
|
||||
import { os } from '../server'
|
||||
|
||||
const toConfigOutput = (config: {
|
||||
licenceId: string | null
|
||||
licenceExpireTime: string | null
|
||||
fingerprint: string
|
||||
platformPublicKey: string | null
|
||||
pgpPrivateKey: string | null
|
||||
}) => ({
|
||||
licence:
|
||||
config.licenceId && config.licenceExpireTime
|
||||
? {
|
||||
licenceId: config.licenceId,
|
||||
expireTime: config.licenceExpireTime,
|
||||
isExpired: isLicenceExpired(config.licenceExpireTime),
|
||||
}
|
||||
: null,
|
||||
fingerprint: config.fingerprint,
|
||||
hasPlatformPublicKey: config.platformPublicKey != null,
|
||||
hasPgpPrivateKey: config.pgpPrivateKey != null,
|
||||
})
|
||||
|
||||
export const get = os.config.get.use(db).handler(async ({ context }) => {
|
||||
const config = await ensureUxConfig(context.db)
|
||||
return toConfigOutput(config)
|
||||
})
|
||||
|
||||
export const setLicence = os.config.setLicence.use(db).handler(async ({ context, input }) => {
|
||||
const currentConfig = await ensureUxConfig(context.db)
|
||||
|
||||
if (!currentConfig.platformPublicKey) {
|
||||
throw new ORPCError('PRECONDITION_FAILED', {
|
||||
message: 'Platform public key is not configured. Call config.setPlatformPublicKey first.',
|
||||
})
|
||||
}
|
||||
|
||||
const payload = verifyAndDecodeLicenceEnvelope(input, currentConfig.platformPublicKey)
|
||||
if (isLicenceExpired(payload.expire_time)) {
|
||||
throw new ORPCError('BAD_REQUEST', {
|
||||
message: 'licence has expired',
|
||||
})
|
||||
}
|
||||
|
||||
const config = await setUxLicence(context.db, {
|
||||
payload: input.payload,
|
||||
signature: input.signature,
|
||||
licenceId: payload.licence_id,
|
||||
expireTime: payload.expire_time,
|
||||
})
|
||||
|
||||
return toConfigOutput(config)
|
||||
})
|
||||
|
||||
export const setPgpPrivateKey = os.config.setPgpPrivateKey.use(db).handler(async ({ context, input }) => {
|
||||
await validatePgpPrivateKey(input.pgpPrivateKey).catch((error) => {
|
||||
throw new ORPCError('BAD_REQUEST', {
|
||||
message: `Invalid PGP private key: ${error instanceof Error ? error.message : 'unable to parse'}`,
|
||||
})
|
||||
})
|
||||
|
||||
const config = await setUxPgpPrivateKey(context.db, input.pgpPrivateKey)
|
||||
return toConfigOutput(config)
|
||||
})
|
||||
|
||||
export const setPlatformPublicKey = os.config.setPlatformPublicKey.use(db).handler(async ({ context, input }) => {
|
||||
try {
|
||||
validateRsaPublicKey(input.platformPublicKey)
|
||||
} catch (error) {
|
||||
throw new ORPCError('BAD_REQUEST', {
|
||||
message: `Invalid platform public key: ${error instanceof Error ? error.message : 'unable to parse'}`,
|
||||
})
|
||||
}
|
||||
|
||||
const config = await setUxPlatformPublicKey(context.db, input.platformPublicKey)
|
||||
return toConfigOutput(config)
|
||||
})
|
||||
@@ -1,219 +0,0 @@
|
||||
import {
|
||||
aesGcmDecrypt,
|
||||
aesGcmEncrypt,
|
||||
hkdfSha256,
|
||||
hmacSha256Base64,
|
||||
pgpSignDetached,
|
||||
rsaOaepEncrypt,
|
||||
sha256,
|
||||
sha256Hex,
|
||||
} from '@furtherverse/crypto'
|
||||
import { ORPCError } from '@orpc/server'
|
||||
import JSZip from 'jszip'
|
||||
import {
|
||||
isInteger,
|
||||
isSafeNumber,
|
||||
LosslessNumber,
|
||||
parse as losslessParse,
|
||||
stringify as losslessStringify,
|
||||
} from 'lossless-json'
|
||||
import { z } from 'zod'
|
||||
import { isLicenceExpired } from '@/server/licence'
|
||||
import { extractSafeZipFiles, ZipValidationError } from '@/server/safe-zip'
|
||||
import { getUxConfig } from '@/server/ux-config'
|
||||
import { db } from '../middlewares'
|
||||
import { os } from '../server'
|
||||
|
||||
const safeNumberParser = (value: string): number | string => {
|
||||
if (isSafeNumber(value)) return Number(value)
|
||||
if (isInteger(value)) return value
|
||||
return Number(value)
|
||||
}
|
||||
|
||||
const toLosslessNumber = (value: string): LosslessNumber | string =>
|
||||
value !== '' && /^-?\d+$/.test(value) ? new LosslessNumber(value) : value
|
||||
|
||||
const summaryPayloadSchema = z
|
||||
.object({
|
||||
taskId: z.string().min(1, 'summary.json must contain a non-empty taskId'),
|
||||
checkId: z.union([z.string(), z.number()]).optional(),
|
||||
inspectionId: z.union([z.string(), z.number()]).optional(),
|
||||
orgId: z.union([z.string(), z.number()]).optional(),
|
||||
enterpriseId: z.union([z.string(), z.number()]).optional(),
|
||||
summary: z.string().optional(),
|
||||
})
|
||||
.loose()
|
||||
|
||||
const requireIdentity = async (dbInstance: Parameters<typeof getUxConfig>[0]) => {
|
||||
const config = await getUxConfig(dbInstance)
|
||||
if (!config || !config.licenceId || !config.licenceExpireTime) {
|
||||
throw new ORPCError('PRECONDITION_FAILED', {
|
||||
message: 'Local identity is not initialized. Call config.get and then config.setLicence first.',
|
||||
})
|
||||
}
|
||||
|
||||
if (isLicenceExpired(config.licenceExpireTime)) {
|
||||
throw new ORPCError('PRECONDITION_FAILED', {
|
||||
message: 'Local licence has expired. Install a new signed licence before calling crypto APIs.',
|
||||
})
|
||||
}
|
||||
|
||||
return config as typeof config & { licenceId: string; licenceExpireTime: string }
|
||||
}
|
||||
|
||||
export const encryptDeviceInfo = os.crypto.encryptDeviceInfo.use(db).handler(async ({ context }) => {
|
||||
const config = await requireIdentity(context.db)
|
||||
|
||||
if (!config.platformPublicKey) {
|
||||
throw new ORPCError('PRECONDITION_FAILED', {
|
||||
message: 'Platform public key is not configured. Call config.setPlatformPublicKey first.',
|
||||
})
|
||||
}
|
||||
|
||||
const deviceInfoJson = JSON.stringify({
|
||||
licence: config.licenceId,
|
||||
fingerprint: config.fingerprint,
|
||||
})
|
||||
|
||||
const encrypted = rsaOaepEncrypt(deviceInfoJson, config.platformPublicKey)
|
||||
return { encrypted }
|
||||
})
|
||||
|
||||
export const decryptTask = os.crypto.decryptTask.use(db).handler(async ({ context, input }) => {
|
||||
const config = await requireIdentity(context.db)
|
||||
|
||||
const key = sha256(config.licenceId + config.fingerprint)
|
||||
const decrypted = aesGcmDecrypt(input.encryptedData, key)
|
||||
return { decrypted }
|
||||
})
|
||||
|
||||
export const encryptSummary = os.crypto.encryptSummary.use(db).handler(async ({ context, input }) => {
|
||||
const config = await requireIdentity(context.db)
|
||||
|
||||
const ikm = config.licenceId + config.fingerprint
|
||||
const aesKey = hkdfSha256(ikm, input.salt, 'inspection_report_encryption')
|
||||
const encrypted = aesGcmEncrypt(input.plaintext, aesKey)
|
||||
return { encrypted }
|
||||
})
|
||||
|
||||
export const signAndPackReport = os.crypto.signAndPackReport.use(db).handler(async ({ context, input }) => {
|
||||
const config = await requireIdentity(context.db)
|
||||
|
||||
if (!config.pgpPrivateKey) {
|
||||
throw new ORPCError('PRECONDITION_FAILED', {
|
||||
message: 'PGP private key is not configured. Call config.setPgpPrivateKey first.',
|
||||
})
|
||||
}
|
||||
|
||||
const rawZipBytes = Buffer.from(await input.rawZip.arrayBuffer())
|
||||
|
||||
const zipFiles = await extractSafeZipFiles(rawZipBytes).catch((error) => {
|
||||
if (error instanceof ZipValidationError) {
|
||||
throw new ORPCError('BAD_REQUEST', { message: error.message })
|
||||
}
|
||||
throw error
|
||||
})
|
||||
|
||||
// Extract and validate summary.json from the ZIP
|
||||
const summaryFile = zipFiles.find((f) => f.name === 'summary.json')
|
||||
if (!summaryFile) {
|
||||
throw new ORPCError('BAD_REQUEST', {
|
||||
message: 'rawZip must contain a summary.json file',
|
||||
})
|
||||
}
|
||||
|
||||
let rawJson: unknown
|
||||
try {
|
||||
rawJson = losslessParse(Buffer.from(summaryFile.bytes).toString('utf-8'), undefined, safeNumberParser)
|
||||
} catch {
|
||||
throw new ORPCError('BAD_REQUEST', {
|
||||
message: 'summary.json in the ZIP is not valid JSON',
|
||||
})
|
||||
}
|
||||
|
||||
const parsed = summaryPayloadSchema.safeParse(rawJson)
|
||||
if (!parsed.success) {
|
||||
throw new ORPCError('BAD_REQUEST', {
|
||||
message: `Invalid summary.json: ${z.prettifyError(parsed.error)}`,
|
||||
})
|
||||
}
|
||||
|
||||
const summaryPayload = parsed.data
|
||||
const checkId = String(summaryPayload.checkId ?? summaryPayload.inspectionId ?? '')
|
||||
const orgId = summaryPayload.orgId ?? summaryPayload.enterpriseId ?? ''
|
||||
|
||||
// Helper: find file in ZIP and compute its SHA256 hash
|
||||
const requireFileHash = (name: string): string => {
|
||||
const file = zipFiles.find((f) => f.name === name)
|
||||
if (!file) {
|
||||
throw new ORPCError('BAD_REQUEST', { message: `rawZip must contain ${name}` })
|
||||
}
|
||||
return sha256Hex(Buffer.from(file.bytes))
|
||||
}
|
||||
|
||||
// Compute SHA256 of each content file (fixed order, matching Kotlin reference)
|
||||
const assetsSha256 = requireFileHash('assets.json')
|
||||
const vulnerabilitiesSha256 = requireFileHash('vulnerabilities.json')
|
||||
const weakPasswordsSha256 = requireFileHash('weakPasswords.json')
|
||||
const reportHtmlSha256 = requireFileHash('漏洞评估报告.html')
|
||||
|
||||
// Compute device signature
|
||||
// signPayload = taskId + inspectionId + assetsSha256 + vulnerabilitiesSha256 + weakPasswordsSha256 + reportHtmlSha256
|
||||
// (plain concatenation, no separators, fixed order — matching Kotlin reference)
|
||||
const ikm = config.licenceId + config.fingerprint
|
||||
const signingKey = hkdfSha256(ikm, 'AUTH_V3_SALT', 'device_report_signature')
|
||||
|
||||
const signPayload = `${summaryPayload.taskId}${checkId}${assetsSha256}${vulnerabilitiesSha256}${weakPasswordsSha256}${reportHtmlSha256}`
|
||||
const deviceSignature = hmacSha256Base64(signingKey, signPayload)
|
||||
|
||||
// Build final summary.json with flat structure (matching Kotlin reference)
|
||||
const finalSummary = {
|
||||
orgId: toLosslessNumber(String(orgId)),
|
||||
checkId: toLosslessNumber(checkId),
|
||||
taskId: summaryPayload.taskId,
|
||||
licence: config.licenceId,
|
||||
fingerprint: config.fingerprint,
|
||||
deviceSignature,
|
||||
summary: summaryPayload.summary ?? '',
|
||||
}
|
||||
const summaryJson = losslessStringify(finalSummary)
|
||||
if (!summaryJson) {
|
||||
throw new ORPCError('INTERNAL_SERVER_ERROR', {
|
||||
message: 'Failed to serialize summary.json',
|
||||
})
|
||||
}
|
||||
const summaryBytes = Buffer.from(summaryJson, 'utf-8')
|
||||
|
||||
// Build manifest.json (fixed file list, matching Kotlin reference)
|
||||
const manifestFiles: Record<string, string> = {
|
||||
'summary.json': sha256Hex(summaryBytes),
|
||||
'assets.json': assetsSha256,
|
||||
'vulnerabilities.json': vulnerabilitiesSha256,
|
||||
'weakPasswords.json': weakPasswordsSha256,
|
||||
'漏洞评估报告.html': reportHtmlSha256,
|
||||
}
|
||||
|
||||
const manifestBytes = Buffer.from(JSON.stringify({ files: manifestFiles }, null, 2), 'utf-8')
|
||||
const signatureAsc = await pgpSignDetached(manifestBytes, config.pgpPrivateKey)
|
||||
|
||||
// Pack signed ZIP
|
||||
const signedZip = new JSZip()
|
||||
signedZip.file('summary.json', summaryBytes)
|
||||
for (const item of zipFiles) {
|
||||
if (item.name !== 'summary.json') {
|
||||
signedZip.file(item.name, item.bytes)
|
||||
}
|
||||
}
|
||||
signedZip.file('META-INF/manifest.json', manifestBytes)
|
||||
signedZip.file('META-INF/signature.asc', signatureAsc)
|
||||
|
||||
const signedZipBytes = await signedZip.generateAsync({
|
||||
type: 'uint8array',
|
||||
compression: 'DEFLATE',
|
||||
compressionOptions: { level: 9 },
|
||||
})
|
||||
|
||||
return new File([Buffer.from(signedZipBytes)], input.outputFileName ?? 'signed-report.zip', {
|
||||
type: 'application/zip',
|
||||
})
|
||||
})
|
||||
@@ -1,8 +1,6 @@
|
||||
import { os } from '../server'
|
||||
import * as config from './config.router'
|
||||
import * as crypto from './crypto.router'
|
||||
import * as todo from './todo.router'
|
||||
|
||||
export const router = os.router({
|
||||
config,
|
||||
crypto,
|
||||
todo,
|
||||
})
|
||||
|
||||
40
apps/server/src/server/api/routers/todo.router.ts
Normal file
40
apps/server/src/server/api/routers/todo.router.ts
Normal file
@@ -0,0 +1,40 @@
|
||||
import { ORPCError } from '@orpc/server'
|
||||
import { eq } from 'drizzle-orm'
|
||||
import { todoTable } from '@/server/db/schema'
|
||||
import { db } from '../middlewares'
|
||||
import { os } from '../server'
|
||||
|
||||
export const list = os.todo.list.use(db).handler(async ({ context }) => {
|
||||
const todos = await context.db.query.todoTable.findMany({
|
||||
orderBy: { createdAt: 'desc' },
|
||||
})
|
||||
return todos
|
||||
})
|
||||
|
||||
export const create = os.todo.create.use(db).handler(async ({ context, input }) => {
|
||||
const [newTodo] = await context.db.insert(todoTable).values(input).returning()
|
||||
|
||||
if (!newTodo) {
|
||||
throw new ORPCError('INTERNAL_SERVER_ERROR', { message: 'Failed to create todo' })
|
||||
}
|
||||
|
||||
return newTodo
|
||||
})
|
||||
|
||||
export const update = os.todo.update.use(db).handler(async ({ context, input }) => {
|
||||
const [updatedTodo] = await context.db.update(todoTable).set(input.data).where(eq(todoTable.id, input.id)).returning()
|
||||
|
||||
if (!updatedTodo) {
|
||||
throw new ORPCError('NOT_FOUND')
|
||||
}
|
||||
|
||||
return updatedTodo
|
||||
})
|
||||
|
||||
export const remove = os.todo.remove.use(db).handler(async ({ context, input }) => {
|
||||
const [deleted] = await context.db.delete(todoTable).where(eq(todoTable.id, input.id)).returning({ id: todoTable.id })
|
||||
|
||||
if (!deleted) {
|
||||
throw new ORPCError('NOT_FOUND')
|
||||
}
|
||||
})
|
||||
@@ -1,28 +1,47 @@
|
||||
import { integer, text } from 'drizzle-orm/sqlite-core'
|
||||
import { sql } from 'drizzle-orm'
|
||||
import { timestamp, uuid } from 'drizzle-orm/pg-core'
|
||||
import { v7 as uuidv7 } from 'uuid'
|
||||
|
||||
export const pk = (name = 'id') =>
|
||||
text(name)
|
||||
// id
|
||||
|
||||
const id = (name: string) => uuid(name)
|
||||
export const pk = (name: string, strategy?: 'native' | 'extension') => {
|
||||
switch (strategy) {
|
||||
// PG 18+
|
||||
case 'native':
|
||||
return id(name).primaryKey().default(sql`uuidv7()`)
|
||||
|
||||
// PG 13+ with extension
|
||||
case 'extension':
|
||||
return id(name).primaryKey().default(sql`uuid_generate_v7()`)
|
||||
|
||||
// Any PG version
|
||||
default:
|
||||
return id(name)
|
||||
.primaryKey()
|
||||
.$defaultFn(() => uuidv7())
|
||||
}
|
||||
}
|
||||
|
||||
export const createdAt = (name = 'created_at') =>
|
||||
integer(name, { mode: 'timestamp_ms' })
|
||||
.notNull()
|
||||
.$defaultFn(() => new Date())
|
||||
// timestamp
|
||||
|
||||
export const createdAt = (name = 'created_at') => timestamp(name, { withTimezone: true }).notNull().defaultNow()
|
||||
|
||||
export const updatedAt = (name = 'updated_at') =>
|
||||
integer(name, { mode: 'timestamp_ms' })
|
||||
timestamp(name, { withTimezone: true })
|
||||
.notNull()
|
||||
.$defaultFn(() => new Date())
|
||||
.defaultNow()
|
||||
.$onUpdateFn(() => new Date())
|
||||
|
||||
// generated fields
|
||||
|
||||
export const generatedFields = {
|
||||
id: pk('id'),
|
||||
createdAt: createdAt('created_at'),
|
||||
updatedAt: updatedAt('updated_at'),
|
||||
}
|
||||
|
||||
// Helper to create omit keys from generatedFields
|
||||
const createGeneratedFieldKeys = <T extends Record<string, unknown>>(fields: T): Record<keyof T, true> => {
|
||||
return Object.keys(fields).reduce(
|
||||
(acc, key) => {
|
||||
|
||||
@@ -1,14 +1,12 @@
|
||||
import { Database } from 'bun:sqlite'
|
||||
import { drizzle } from 'drizzle-orm/bun-sqlite'
|
||||
import { drizzle } from 'drizzle-orm/postgres-js'
|
||||
import { env } from '@/env'
|
||||
import { relations } from '@/server/db/relations'
|
||||
|
||||
export const createDB = () => {
|
||||
const sqlite = new Database(env.DATABASE_PATH)
|
||||
sqlite.exec('PRAGMA journal_mode = WAL')
|
||||
sqlite.exec('PRAGMA foreign_keys = ON')
|
||||
return drizzle({ client: sqlite, relations })
|
||||
}
|
||||
export const createDB = () =>
|
||||
drizzle({
|
||||
connection: env.DATABASE_URL,
|
||||
relations,
|
||||
})
|
||||
|
||||
export type DB = ReturnType<typeof createDB>
|
||||
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
import { defineRelations } from 'drizzle-orm'
|
||||
import * as schema from './schema'
|
||||
|
||||
export const relations = defineRelations(schema, () => ({}))
|
||||
export const relations = defineRelations(schema, (_r) => ({}))
|
||||
|
||||
@@ -1 +1 @@
|
||||
export * from './ux-config'
|
||||
export * from './todo'
|
||||
|
||||
8
apps/server/src/server/db/schema/todo.ts
Normal file
8
apps/server/src/server/db/schema/todo.ts
Normal file
@@ -0,0 +1,8 @@
|
||||
import { boolean, pgTable, text } from 'drizzle-orm/pg-core'
|
||||
import { generatedFields } from '../fields'
|
||||
|
||||
export const todoTable = pgTable('todo', {
|
||||
...generatedFields,
|
||||
title: text('title').notNull(),
|
||||
completed: boolean('completed').notNull().default(false),
|
||||
})
|
||||
@@ -1,14 +0,0 @@
|
||||
import { sqliteTable, text } from 'drizzle-orm/sqlite-core'
|
||||
import { generatedFields } from '../fields'
|
||||
|
||||
export const uxConfigTable = sqliteTable('ux_config', {
|
||||
...generatedFields,
|
||||
singletonKey: text('singleton_key').notNull().unique().default('default'),
|
||||
licencePayload: text('licence_payload'),
|
||||
licenceSignature: text('licence_signature'),
|
||||
licenceId: text('licence_id'),
|
||||
licenceExpireTime: text('licence_expire_time'),
|
||||
fingerprint: text('fingerprint').notNull(),
|
||||
platformPublicKey: text('platform_public_key'),
|
||||
pgpPrivateKey: text('pgp_private_key'),
|
||||
})
|
||||
@@ -1,10 +0,0 @@
|
||||
import { sha256Hex } from '@furtherverse/crypto'
|
||||
import { system } from 'systeminformation'
|
||||
|
||||
export const computeDeviceFingerprint = async (): Promise<string> => {
|
||||
const { uuid, serial, model, manufacturer } = await system()
|
||||
const source = [uuid, serial, model, manufacturer].join('|')
|
||||
const hash = sha256Hex(source)
|
||||
|
||||
return hash
|
||||
}
|
||||
@@ -1,32 +0,0 @@
|
||||
import { describe, expect, it } from 'bun:test'
|
||||
import { constants, createSign, generateKeyPairSync } from 'node:crypto'
|
||||
import { decodeLicencePayload, isLicenceExpired, verifyAndDecodeLicenceEnvelope } from './licence'
|
||||
|
||||
describe('licence helpers', () => {
|
||||
it('verifies payload signatures and decodes payload JSON', () => {
|
||||
const { privateKey, publicKey } = generateKeyPairSync('rsa', { modulusLength: 2048 })
|
||||
const payloadJson = JSON.stringify({ licence_id: 'LIC-20260319-0025', expire_time: '2027-03-19' })
|
||||
const payload = Buffer.from(payloadJson, 'utf-8').toString('base64')
|
||||
|
||||
const signer = createSign('RSA-SHA256')
|
||||
signer.update(Buffer.from(payload, 'utf-8'))
|
||||
signer.end()
|
||||
|
||||
const signature = signer.sign({ key: privateKey, padding: constants.RSA_PKCS1_PADDING }).toString('base64')
|
||||
const publicKeyBase64 = publicKey.export({ format: 'der', type: 'spki' }).toString('base64')
|
||||
|
||||
expect(verifyAndDecodeLicenceEnvelope({ payload, signature }, publicKeyBase64)).toEqual({
|
||||
licence_id: 'LIC-20260319-0025',
|
||||
expire_time: '2027-03-19',
|
||||
})
|
||||
})
|
||||
|
||||
it('treats expire_time as valid through the end of the UTC day', () => {
|
||||
expect(isLicenceExpired('2027-03-19', new Date('2027-03-19T23:59:59.999Z'))).toBe(false)
|
||||
expect(isLicenceExpired('2027-03-19', new Date('2027-03-20T00:00:00.000Z'))).toBe(true)
|
||||
})
|
||||
|
||||
it('rejects malformed payloads', () => {
|
||||
expect(() => decodeLicencePayload('not-base64')).toThrow('payload must be valid Base64')
|
||||
})
|
||||
})
|
||||
@@ -1,94 +0,0 @@
|
||||
import { rsaVerifySignature } from '@furtherverse/crypto'
|
||||
import { z } from 'zod'
|
||||
|
||||
const BASE64_PATTERN = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/
|
||||
const DATE_PATTERN = /^(\d{4})-(\d{2})-(\d{2})$/
|
||||
|
||||
export const licenceEnvelopeSchema = z.object({
|
||||
payload: z.string().min(1).max(8192).describe('Base64 编码的 licence payload 原文'),
|
||||
signature: z.string().min(1).max(8192).describe('对 payload 字符串 UTF-8 字节做 SHA256withRSA 后得到的 Base64 签名'),
|
||||
})
|
||||
|
||||
export const licencePayloadSchema = z
|
||||
.object({
|
||||
licence_id: z.string().min(1).describe('验签通过后的 licence 标识'),
|
||||
expire_time: z
|
||||
.string()
|
||||
.regex(DATE_PATTERN, 'expire_time must use YYYY-MM-DD')
|
||||
.describe('授权到期日,格式为 YYYY-MM-DD(按 UTC 自然日末尾失效)'),
|
||||
})
|
||||
.loose()
|
||||
|
||||
export type LicenceEnvelope = z.infer<typeof licenceEnvelopeSchema>
|
||||
export type LicencePayload = z.infer<typeof licencePayloadSchema>
|
||||
|
||||
const decodeBase64 = (value: string, fieldName: string): Buffer => {
|
||||
if (!BASE64_PATTERN.test(value)) {
|
||||
throw new Error(`${fieldName} must be valid Base64`)
|
||||
}
|
||||
|
||||
return Buffer.from(value, 'base64')
|
||||
}
|
||||
|
||||
const parseUtcDate = (value: string): Date => {
|
||||
const match = DATE_PATTERN.exec(value)
|
||||
if (!match) {
|
||||
throw new Error('expire_time must use YYYY-MM-DD')
|
||||
}
|
||||
|
||||
const [, yearText, monthText, dayText] = match
|
||||
const year = Number(yearText)
|
||||
const month = Number(monthText)
|
||||
const day = Number(dayText)
|
||||
const parsed = new Date(Date.UTC(year, month - 1, day))
|
||||
|
||||
if (
|
||||
Number.isNaN(parsed.getTime()) ||
|
||||
parsed.getUTCFullYear() !== year ||
|
||||
parsed.getUTCMonth() !== month - 1 ||
|
||||
parsed.getUTCDate() !== day
|
||||
) {
|
||||
throw new Error('expire_time is not a valid calendar date')
|
||||
}
|
||||
|
||||
return parsed
|
||||
}
|
||||
|
||||
export const isLicenceExpired = (expireTime: string, now = new Date()): boolean => {
|
||||
const expireDate = parseUtcDate(expireTime)
|
||||
const expiresAt = Date.UTC(expireDate.getUTCFullYear(), expireDate.getUTCMonth(), expireDate.getUTCDate() + 1)
|
||||
|
||||
return now.getTime() >= expiresAt
|
||||
}
|
||||
|
||||
export const decodeLicencePayload = (payloadBase64: string): LicencePayload => {
|
||||
const decodedJson = decodeBase64(payloadBase64, 'payload').toString('utf-8')
|
||||
|
||||
let rawPayload: unknown
|
||||
try {
|
||||
rawPayload = JSON.parse(decodedJson)
|
||||
} catch {
|
||||
throw new Error('payload must decode to valid JSON')
|
||||
}
|
||||
|
||||
const parsedPayload = licencePayloadSchema.safeParse(rawPayload)
|
||||
if (!parsedPayload.success) {
|
||||
throw new Error(z.prettifyError(parsedPayload.error))
|
||||
}
|
||||
|
||||
return parsedPayload.data
|
||||
}
|
||||
|
||||
export const verifyLicenceEnvelopeSignature = (envelope: LicenceEnvelope, publicKeyBase64: string): void => {
|
||||
const signatureBytes = decodeBase64(envelope.signature, 'signature')
|
||||
const isValid = rsaVerifySignature(Buffer.from(envelope.payload, 'utf-8'), signatureBytes, publicKeyBase64)
|
||||
|
||||
if (!isValid) {
|
||||
throw new Error('licence signature is invalid')
|
||||
}
|
||||
}
|
||||
|
||||
export const verifyAndDecodeLicenceEnvelope = (envelope: LicenceEnvelope, publicKeyBase64: string): LicencePayload => {
|
||||
verifyLicenceEnvelopeSignature(envelope, publicKeyBase64)
|
||||
return decodeLicencePayload(envelope.payload)
|
||||
}
|
||||
@@ -1,96 +0,0 @@
|
||||
import type { JSZipObject } from 'jszip'
|
||||
import JSZip from 'jszip'
|
||||
|
||||
export class ZipValidationError extends Error {
|
||||
override name = 'ZipValidationError'
|
||||
}
|
||||
|
||||
export interface ZipFileItem {
|
||||
name: string
|
||||
bytes: Uint8Array
|
||||
}
|
||||
|
||||
export interface SafeZipOptions {
|
||||
maxRawBytes?: number
|
||||
maxEntries?: number
|
||||
maxSingleFileBytes?: number
|
||||
maxTotalUncompressedBytes?: number
|
||||
}
|
||||
|
||||
const DEFAULTS = {
|
||||
maxRawBytes: 50 * 1024 * 1024,
|
||||
maxEntries: 64,
|
||||
maxSingleFileBytes: 20 * 1024 * 1024,
|
||||
maxTotalUncompressedBytes: 60 * 1024 * 1024,
|
||||
} satisfies Required<SafeZipOptions>
|
||||
|
||||
const normalizePath = (name: string): string => name.replaceAll('\\', '/')
|
||||
|
||||
const isUnsafePath = (name: string): boolean => {
|
||||
const normalized = normalizePath(name)
|
||||
const segments = normalized.split('/')
|
||||
|
||||
return (
|
||||
normalized.startsWith('/') ||
|
||||
normalized.includes('\0') ||
|
||||
segments.some((segment) => segment === '..' || segment.trim().length === 0)
|
||||
)
|
||||
}
|
||||
|
||||
export const extractSafeZipFiles = async (
|
||||
rawBytes: Uint8Array | Buffer,
|
||||
options?: SafeZipOptions,
|
||||
): Promise<ZipFileItem[]> => {
|
||||
const opts = { ...DEFAULTS, ...options }
|
||||
|
||||
if (rawBytes.byteLength === 0 || rawBytes.byteLength > opts.maxRawBytes) {
|
||||
throw new ZipValidationError('ZIP is empty or exceeds max size limit')
|
||||
}
|
||||
|
||||
const zip = await JSZip.loadAsync(rawBytes, { checkCRC32: true }).catch(() => {
|
||||
throw new ZipValidationError('Not a valid ZIP file')
|
||||
})
|
||||
|
||||
const entries = Object.values(zip.files) as JSZipObject[]
|
||||
if (entries.length > opts.maxEntries) {
|
||||
throw new ZipValidationError(`ZIP contains too many entries: ${entries.length}`)
|
||||
}
|
||||
|
||||
let totalUncompressedBytes = 0
|
||||
const files: ZipFileItem[] = []
|
||||
const seen = new Set<string>()
|
||||
|
||||
for (const entry of entries) {
|
||||
if (entry.dir) {
|
||||
continue
|
||||
}
|
||||
|
||||
if (isUnsafePath(entry.name)) {
|
||||
throw new ZipValidationError(`ZIP contains unsafe entry path: ${entry.name}`)
|
||||
}
|
||||
|
||||
const normalizedName = normalizePath(entry.name)
|
||||
if (seen.has(normalizedName)) {
|
||||
throw new ZipValidationError(`ZIP contains duplicate entry: ${normalizedName}`)
|
||||
}
|
||||
seen.add(normalizedName)
|
||||
|
||||
const content = await entry.async('uint8array')
|
||||
if (content.byteLength > opts.maxSingleFileBytes) {
|
||||
throw new ZipValidationError(`ZIP entry too large: ${normalizedName}`)
|
||||
}
|
||||
|
||||
totalUncompressedBytes += content.byteLength
|
||||
if (totalUncompressedBytes > opts.maxTotalUncompressedBytes) {
|
||||
throw new ZipValidationError('ZIP total uncompressed content exceeds max size limit')
|
||||
}
|
||||
|
||||
files.push({ name: normalizedName, bytes: content })
|
||||
}
|
||||
|
||||
if (files.length === 0) {
|
||||
throw new ZipValidationError('ZIP has no file entries')
|
||||
}
|
||||
|
||||
return files
|
||||
}
|
||||
@@ -1,99 +0,0 @@
|
||||
import { eq } from 'drizzle-orm'
|
||||
import type { DB } from '@/server/db'
|
||||
import { uxConfigTable } from '@/server/db/schema'
|
||||
import { computeDeviceFingerprint } from './device-fingerprint'
|
||||
|
||||
const UX_CONFIG_KEY = 'default'
|
||||
|
||||
export const getUxConfig = async (db: DB) => {
|
||||
return await db.query.uxConfigTable.findFirst({
|
||||
where: { singletonKey: UX_CONFIG_KEY },
|
||||
})
|
||||
}
|
||||
|
||||
export const ensureUxConfig = async (db: DB) => {
|
||||
const fingerprint = await computeDeviceFingerprint()
|
||||
const existing = await getUxConfig(db)
|
||||
|
||||
if (existing) {
|
||||
if (existing.fingerprint !== fingerprint) {
|
||||
const rows = await db
|
||||
.update(uxConfigTable)
|
||||
.set({ fingerprint })
|
||||
.where(eq(uxConfigTable.id, existing.id))
|
||||
.returning()
|
||||
return rows[0] as (typeof rows)[number]
|
||||
}
|
||||
return existing
|
||||
}
|
||||
|
||||
const rows = await db
|
||||
.insert(uxConfigTable)
|
||||
.values({
|
||||
singletonKey: UX_CONFIG_KEY,
|
||||
fingerprint,
|
||||
licencePayload: null,
|
||||
licenceSignature: null,
|
||||
licenceId: null,
|
||||
licenceExpireTime: null,
|
||||
})
|
||||
.returning()
|
||||
|
||||
return rows[0] as (typeof rows)[number]
|
||||
}
|
||||
|
||||
export const setUxLicence = async (
|
||||
db: DB,
|
||||
licence: {
|
||||
payload: string
|
||||
signature: string
|
||||
licenceId: string
|
||||
expireTime: string
|
||||
},
|
||||
) => {
|
||||
const config = await ensureUxConfig(db)
|
||||
|
||||
const rows = await db
|
||||
.update(uxConfigTable)
|
||||
.set({
|
||||
licencePayload: licence.payload,
|
||||
licenceSignature: licence.signature,
|
||||
licenceId: licence.licenceId,
|
||||
licenceExpireTime: licence.expireTime,
|
||||
})
|
||||
.where(eq(uxConfigTable.id, config.id))
|
||||
.returning()
|
||||
|
||||
return rows[0] as (typeof rows)[number]
|
||||
}
|
||||
|
||||
export const setUxPgpPrivateKey = async (db: DB, pgpPrivateKey: string) => {
|
||||
const config = await ensureUxConfig(db)
|
||||
|
||||
const rows = await db.update(uxConfigTable).set({ pgpPrivateKey }).where(eq(uxConfigTable.id, config.id)).returning()
|
||||
|
||||
return rows[0] as (typeof rows)[number]
|
||||
}
|
||||
|
||||
export const setUxPlatformPublicKey = async (db: DB, platformPublicKey: string) => {
|
||||
const config = await ensureUxConfig(db)
|
||||
const shouldClearLicence = config.platformPublicKey !== platformPublicKey
|
||||
|
||||
const rows = await db
|
||||
.update(uxConfigTable)
|
||||
.set({
|
||||
platformPublicKey,
|
||||
...(shouldClearLicence
|
||||
? {
|
||||
licencePayload: null,
|
||||
licenceSignature: null,
|
||||
licenceId: null,
|
||||
licenceExpireTime: null,
|
||||
}
|
||||
: {}),
|
||||
})
|
||||
.where(eq(uxConfigTable.id, config.id))
|
||||
.returning()
|
||||
|
||||
return rows[0] as (typeof rows)[number]
|
||||
}
|
||||
@@ -4,14 +4,12 @@ import { tanstackStart } from '@tanstack/react-start/plugin/vite'
|
||||
import react from '@vitejs/plugin-react'
|
||||
import { nitro } from 'nitro/vite'
|
||||
import { defineConfig } from 'vite'
|
||||
import tsconfigPaths from 'vite-tsconfig-paths'
|
||||
|
||||
export default defineConfig({
|
||||
clearScreen: false,
|
||||
plugins: [
|
||||
tanstackDevtools(),
|
||||
tailwindcss(),
|
||||
tsconfigPaths(),
|
||||
tanstackStart(),
|
||||
react({
|
||||
babel: {
|
||||
@@ -23,6 +21,9 @@ export default defineConfig({
|
||||
serveStatic: 'inline',
|
||||
}),
|
||||
],
|
||||
resolve: {
|
||||
tsconfigPaths: true,
|
||||
},
|
||||
server: {
|
||||
port: 3000,
|
||||
strictPort: true,
|
||||
|
||||
@@ -1,432 +0,0 @@
|
||||
package top.tangyh.lamp.filing.controller.compress
|
||||
|
||||
import com.fasterxml.jackson.databind.ObjectMapper
|
||||
import io.swagger.annotations.Api
|
||||
import io.swagger.annotations.ApiOperation
|
||||
import io.swagger.annotations.ApiParam
|
||||
import org.springframework.validation.annotation.Validated
|
||||
import org.springframework.web.bind.annotation.*
|
||||
import top.tangyh.basic.annotation.log.WebLog
|
||||
import top.tangyh.basic.base.R
|
||||
import top.tangyh.lamp.filing.dto.management.UploadInspectionFileV2Request
|
||||
import top.tangyh.lamp.filing.utils.AesGcmUtil
|
||||
import top.tangyh.lamp.filing.utils.HkdfUtil
|
||||
import top.tangyh.lamp.filing.utils.PgpSignatureUtil
|
||||
import java.util.*
|
||||
|
||||
/**
|
||||
* 加密测试工具类
|
||||
*
|
||||
* 用于生成加密后的 encrypted 数据,测试 uploadInspectionFileV2Encrypted 接口
|
||||
*
|
||||
* 使用说明:
|
||||
* 1. 调用 /compression/test/generateEncrypted 接口
|
||||
* 2. 传入 licence、fingerprint、taskId 和明文数据
|
||||
* 3. 获取加密后的 Base64 字符串
|
||||
* 4. 使用返回的 encrypted 数据测试 uploadInspectionFileV2Encrypted 接口
|
||||
*/
|
||||
@Validated
|
||||
@RestController
|
||||
@RequestMapping("/compression/test")
|
||||
@Api(value = "EncryptionTest", tags = ["加密测试工具"])
|
||||
class EncryptionTestController {
|
||||
|
||||
private val objectMapper = ObjectMapper()
|
||||
|
||||
companion object {
|
||||
private const val DEFAULT_PGP_PRIVATE_KEY = """-----BEGIN PGP PRIVATE KEY BLOCK-----
|
||||
|
||||
lFgEaSZqXBYJKwYBBAHaRw8BAQdARzZ5JXreuTeTgMFwYcw0Ju7aCWmXuUMmQyff
|
||||
5vmN8RQAAP4nli0R/MTNtgx9+g5ZPyAj8XSAnjHaW9u2UJQxYhMIYw8XtBZpdHRj
|
||||
PGl0dGNAaXR0Yy5zaC5jbj6IkwQTFgoAOxYhBG8IkI1kmkNpEu8iuqWu91t6SEzN
|
||||
BQJpJmpcAhsDBQsJCAcCAiICBhUKCQgLAgQWAgMBAh4HAheAAAoJEKWu91t6SEzN
|
||||
dSQBAPM5llVG0X6SBa4YM90Iqyb2jWvlNjstoF8jjPVny1CiAP4hIOUvb686oSA0
|
||||
OrS3AuICi7X/r+JnSo1Z7pngUA3VC5xdBGkmalwSCisGAQQBl1UBBQEBB0BouQlG
|
||||
hIL0bq7EbaB55s+ygLVFOfhjFA8E4fwFBFJGVAMBCAcAAP98ZXRGgzld1XUa5ZGx
|
||||
cTE+1qGZY4E4BVIeqkVxdg5tqA64iHgEGBYKACAWIQRvCJCNZJpDaRLvIrqlrvdb
|
||||
ekhMzQUCaSZqXAIbDAAKCRClrvdbekhMzcaSAQDB/4pvDuc7SploQg1fBYobFm5P
|
||||
vxguByr8I+PrYWKKOQEAnaeXT4ipi1nICXFiigztsIl2xTth3D77XG6pZUU/Zw8=
|
||||
=/k1H
|
||||
-----END PGP PRIVATE KEY BLOCK-----"""
|
||||
|
||||
private const val DEFAULT_PGP_PASSPHRASE = ""
|
||||
}
|
||||
|
||||
/**
|
||||
* 生成加密数据请求 DTO
|
||||
*/
|
||||
data class GenerateEncryptedRequest(
|
||||
@ApiParam(value = "授权码", required = true)
|
||||
val licence: String,
|
||||
|
||||
@ApiParam(value = "硬件指纹", required = true)
|
||||
val fingerprint: String,
|
||||
|
||||
@ApiParam(value = "任务ID", required = true)
|
||||
val taskId: String,
|
||||
|
||||
@ApiParam(value = "企业ID", required = true)
|
||||
val enterpriseId: Long,
|
||||
|
||||
@ApiParam(value = "检查ID", required = true)
|
||||
val inspectionId: Long,
|
||||
|
||||
@ApiParam(value = "摘要信息", required = true)
|
||||
val summary: String
|
||||
)
|
||||
|
||||
/**
|
||||
* 生成加密数据响应 DTO
|
||||
*/
|
||||
data class GenerateEncryptedResponse(
|
||||
val encrypted: String,
|
||||
val requestBody: UploadInspectionFileV2Request,
|
||||
val plaintext: String,
|
||||
val keyDerivationInfo: KeyDerivationInfo
|
||||
)
|
||||
|
||||
/**
|
||||
* 密钥派生信息
|
||||
*/
|
||||
data class KeyDerivationInfo(
|
||||
val ikm: String,
|
||||
val salt: String,
|
||||
val info: String,
|
||||
val keyLength: Int,
|
||||
val keyHex: String
|
||||
)
|
||||
|
||||
/**
|
||||
* 生成加密数据
|
||||
*
|
||||
* 模拟工具箱端的加密逻辑:
|
||||
* 1. 使用 HKDF-SHA256 派生 AES 密钥
|
||||
* - ikm = licence + fingerprint
|
||||
* - salt = taskId
|
||||
* - info = "inspection_report_encryption"
|
||||
* - length = 32 bytes
|
||||
*
|
||||
* 2. 使用 AES-256-GCM 加密数据
|
||||
* - 格式:IV (12字节) + Ciphertext + Tag (16字节)
|
||||
* - Base64 编码返回
|
||||
*
|
||||
* @param request 生成加密数据请求
|
||||
* @return 加密后的数据和完整的请求体
|
||||
*/
|
||||
@ApiOperation(value = "生成加密数据", notes = "生成加密后的 encrypted 数据,用于测试 uploadInspectionFileV2Encrypted 接口")
|
||||
@PostMapping("/generateEncrypted")
|
||||
@WebLog(value = "'生成加密数据:'", request = false)
|
||||
fun generateEncrypted(
|
||||
@RequestBody request: GenerateEncryptedRequest
|
||||
): R<GenerateEncryptedResponse> {
|
||||
return try {
|
||||
// 1. 组装明文数据(JSON格式)
|
||||
val timestamp = System.currentTimeMillis()
|
||||
val plaintextMap = mapOf(
|
||||
"enterpriseId" to request.enterpriseId.toString(),
|
||||
"inspectionId" to request.inspectionId.toString(),
|
||||
"summary" to request.summary,
|
||||
"timestamp" to timestamp
|
||||
)
|
||||
val plaintext = objectMapper.writeValueAsString(plaintextMap)
|
||||
|
||||
// 2. 使用 HKDF-SHA256 派生 AES 密钥
|
||||
// ikm = licence + fingerprint
|
||||
// salt = taskId(工具箱从二维码获取,平台从请求获取)
|
||||
// info = "inspection_report_encryption"(固定值)
|
||||
// length = 32 bytes
|
||||
val ikm = "${request.licence}${request.fingerprint}"
|
||||
val salt = request.taskId.toString()
|
||||
val info = "inspection_report_encryption"
|
||||
val keyLength = 32
|
||||
|
||||
val aesKey = HkdfUtil.deriveKey(ikm, salt, info, keyLength)
|
||||
|
||||
// 3. 使用 AES-256-GCM 加密数据
|
||||
val encrypted = AesGcmUtil.encrypt(plaintext, aesKey)
|
||||
|
||||
// 4. 组装完整的请求体(appid 需要前端自己赋值)
|
||||
val requestBody = UploadInspectionFileV2Request().apply {
|
||||
this.appid = "test-appid" // 测试用的 appid,实际使用时前端会赋值
|
||||
this.taskId = request.taskId
|
||||
this.encrypted = encrypted
|
||||
}
|
||||
|
||||
// 5. 返回加密数据和密钥派生信息
|
||||
val response = GenerateEncryptedResponse(
|
||||
encrypted = encrypted,
|
||||
requestBody = requestBody,
|
||||
plaintext = plaintext,
|
||||
keyDerivationInfo = KeyDerivationInfo(
|
||||
ikm = ikm,
|
||||
salt = salt,
|
||||
info = info,
|
||||
keyLength = keyLength,
|
||||
keyHex = aesKey.joinToString("") { "%02x".format(it) }
|
||||
)
|
||||
)
|
||||
|
||||
R.success(response, "加密数据生成成功")
|
||||
} catch (e: Exception) {
|
||||
R.fail("生成加密数据失败: ${e.message}")
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* 快速生成测试数据(使用默认值)
|
||||
*
|
||||
* @return 加密后的数据和完整的请求体
|
||||
*/
|
||||
@ApiOperation(value = "快速生成测试数据", notes = "使用默认值快速生成加密数据,用于快速测试")
|
||||
@GetMapping("/generateTestData")
|
||||
@WebLog(value = "'快速生成测试数据:'", request = false)
|
||||
fun generateTestData(): R<GenerateEncryptedResponse> {
|
||||
return try {
|
||||
// 使用默认测试数据
|
||||
val request = GenerateEncryptedRequest(
|
||||
licence = "TEST-LICENCE-001",
|
||||
fingerprint = "TEST-FINGERPRINT-001",
|
||||
taskId = "TASK-20260115-4875",
|
||||
enterpriseId = 1173040813421105152L,
|
||||
inspectionId = 702286470691215417L,
|
||||
summary = "测试摘要信息"
|
||||
)
|
||||
|
||||
generateEncrypted(request).data?.let {
|
||||
R.success(it, "测试数据生成成功")
|
||||
} ?: R.fail("生成测试数据失败")
|
||||
} catch (e: Exception) {
|
||||
R.fail("生成测试数据失败: ${e.message}")
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* 验证加密数据(解密测试)
|
||||
*
|
||||
* 用于验证生成的加密数据是否能正确解密
|
||||
*
|
||||
* @param encrypted 加密后的 Base64 字符串
|
||||
* @param licence 授权码
|
||||
* @param fingerprint 硬件指纹
|
||||
* @param taskId 任务ID
|
||||
* @return 解密后的明文数据
|
||||
*/
|
||||
@ApiOperation(value = "验证加密数据", notes = "解密加密数据,验证加密是否正确")
|
||||
@PostMapping("/verifyEncrypted")
|
||||
@WebLog(value = "'验证加密数据:'", request = false)
|
||||
fun verifyEncrypted(
|
||||
@ApiParam(value = "加密后的 Base64 字符串", required = true)
|
||||
@RequestParam encrypted: String,
|
||||
|
||||
@ApiParam(value = "授权码", required = true)
|
||||
@RequestParam licence: String,
|
||||
|
||||
@ApiParam(value = "硬件指纹", required = true)
|
||||
@RequestParam fingerprint: String,
|
||||
|
||||
@ApiParam(value = "任务ID", required = true)
|
||||
@RequestParam taskId: String
|
||||
): R<Map<String, Any>> {
|
||||
return try {
|
||||
// 1. 使用相同的密钥派生规则派生密钥
|
||||
val ikm = "$licence$fingerprint"
|
||||
val salt = taskId.toString()
|
||||
val info = "inspection_report_encryption"
|
||||
val aesKey = HkdfUtil.deriveKey(ikm, salt, info, 32)
|
||||
|
||||
// 2. 解密数据
|
||||
val decrypted = AesGcmUtil.decrypt(encrypted, aesKey)
|
||||
|
||||
// 3. 解析 JSON
|
||||
@Suppress("UNCHECKED_CAST")
|
||||
val dataMap = objectMapper.readValue(decrypted, Map::class.java) as Map<String, Any>
|
||||
|
||||
R.success(dataMap, "解密成功")
|
||||
} catch (e: Exception) {
|
||||
R.fail("解密失败: ${e.message}")
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* 生成加密报告 ZIP 文件请求 DTO
|
||||
*/
|
||||
data class GenerateEncryptedZipRequest(
|
||||
@ApiParam(value = "授权码", required = true)
|
||||
val licence: String,
|
||||
|
||||
@ApiParam(value = "硬件指纹", required = true)
|
||||
val fingerprint: String,
|
||||
|
||||
@ApiParam(value = "任务ID", required = true)
|
||||
val taskId: String,
|
||||
|
||||
@ApiParam(value = "企业ID", required = true)
|
||||
val enterpriseId: Long,
|
||||
|
||||
@ApiParam(value = "检查ID", required = true)
|
||||
val inspectionId: Long,
|
||||
|
||||
@ApiParam(value = "摘要信息", required = true)
|
||||
val summary: String,
|
||||
|
||||
@ApiParam(value = "资产信息 JSON", required = true)
|
||||
val assetsJson: String,
|
||||
|
||||
@ApiParam(value = "漏洞信息 JSON", required = true)
|
||||
val vulnerabilitiesJson: String,
|
||||
|
||||
@ApiParam(value = "弱密码信息 JSON", required = true)
|
||||
val weakPasswordsJson: String,
|
||||
|
||||
@ApiParam(value = "漏洞评估报告 HTML", required = true)
|
||||
val reportHtml: String,
|
||||
|
||||
@ApiParam(value = "PGP 私钥(可选,不提供则跳过 PGP 签名)", required = false)
|
||||
val pgpPrivateKey: String? = null,
|
||||
|
||||
@ApiParam(value = "PGP 私钥密码(可选)", required = false)
|
||||
val pgpPassphrase: String? = null
|
||||
)
|
||||
|
||||
/**
|
||||
* 生成加密报告 ZIP 文件
|
||||
*
|
||||
* 按照文档《工具箱端-报告加密与签名生成指南.md》生成加密报告 ZIP 文件
|
||||
*
|
||||
* @param request 生成请求
|
||||
* @return ZIP 文件(二进制流)
|
||||
*/
|
||||
@ApiOperation(value = "生成加密报告 ZIP", notes = "生成带设备签名的加密报告 ZIP 文件,可被 uploadInspectionFileV2 接口解密")
|
||||
@PostMapping("/generateEncryptedZip")
|
||||
@WebLog(value = "'生成加密报告 ZIP:'", request = false)
|
||||
fun generateEncryptedZip(
|
||||
@RequestBody request: GenerateEncryptedZipRequest,
|
||||
response: javax.servlet.http.HttpServletResponse
|
||||
) {
|
||||
try {
|
||||
// 1. 准备文件内容
|
||||
val assetsContent = request.assetsJson.toByteArray(Charsets.UTF_8)
|
||||
val vulnerabilitiesContent = request.vulnerabilitiesJson.toByteArray(Charsets.UTF_8)
|
||||
val weakPasswordsContent = request.weakPasswordsJson.toByteArray(Charsets.UTF_8)
|
||||
val reportHtmlContent = request.reportHtml.toByteArray(Charsets.UTF_8)
|
||||
|
||||
// 2. 生成设备签名
|
||||
// 2.1 密钥派生
|
||||
val ikm = "${request.licence}${request.fingerprint}"
|
||||
val salt = "AUTH_V3_SALT"
|
||||
val info = "device_report_signature"
|
||||
val derivedKey = HkdfUtil.deriveKey(ikm, salt, info, 32)
|
||||
|
||||
// 2.2 计算文件 SHA256
|
||||
fun sha256Hex(content: ByteArray): String {
|
||||
val digest = java.security.MessageDigest.getInstance("SHA-256")
|
||||
return digest.digest(content).joinToString("") { "%02x".format(it) }
|
||||
}
|
||||
|
||||
val assetsSha256 = sha256Hex(assetsContent)
|
||||
val vulnerabilitiesSha256 = sha256Hex(vulnerabilitiesContent)
|
||||
val weakPasswordsSha256 = sha256Hex(weakPasswordsContent)
|
||||
val reportHtmlSha256 = sha256Hex(reportHtmlContent)
|
||||
|
||||
// 2.3 组装签名数据(严格顺序)
|
||||
val signPayload = buildString {
|
||||
append(request.taskId)
|
||||
append(request.inspectionId)
|
||||
append(assetsSha256)
|
||||
append(vulnerabilitiesSha256)
|
||||
append(weakPasswordsSha256)
|
||||
append(reportHtmlSha256)
|
||||
}
|
||||
|
||||
// 2.4 计算 HMAC-SHA256
|
||||
val mac = javax.crypto.Mac.getInstance("HmacSHA256")
|
||||
val secretKey = javax.crypto.spec.SecretKeySpec(derivedKey, "HmacSHA256")
|
||||
mac.init(secretKey)
|
||||
val signatureBytes = mac.doFinal(signPayload.toByteArray(Charsets.UTF_8))
|
||||
val deviceSignature = Base64.getEncoder().encodeToString(signatureBytes)
|
||||
|
||||
// 2.5 生成 summary.json
|
||||
val summaryMap = mapOf(
|
||||
"orgId" to request.enterpriseId,
|
||||
"checkId" to request.inspectionId,
|
||||
"taskId" to request.taskId,
|
||||
"licence" to request.licence,
|
||||
"fingerprint" to request.fingerprint,
|
||||
"deviceSignature" to deviceSignature,
|
||||
"summary" to request.summary
|
||||
)
|
||||
val summaryContent = objectMapper.writeValueAsString(summaryMap).toByteArray(Charsets.UTF_8)
|
||||
|
||||
// 3. 生成 manifest.json
|
||||
val filesHashes = mapOf(
|
||||
"summary.json" to sha256Hex(summaryContent),
|
||||
"assets.json" to assetsSha256,
|
||||
"vulnerabilities.json" to vulnerabilitiesSha256,
|
||||
"weakPasswords.json" to weakPasswordsSha256,
|
||||
"漏洞评估报告.html" to reportHtmlSha256
|
||||
)
|
||||
val manifest = mapOf("files" to filesHashes)
|
||||
val manifestContent = objectMapper.writeValueAsString(manifest).toByteArray(Charsets.UTF_8)
|
||||
|
||||
// 4. 生成 signature.asc
|
||||
val privateKey = request.pgpPrivateKey?.takeIf { it.isNotBlank() } ?: DEFAULT_PGP_PRIVATE_KEY
|
||||
val passphrase = request.pgpPassphrase ?: DEFAULT_PGP_PASSPHRASE
|
||||
|
||||
val signatureAsc = try {
|
||||
PgpSignatureUtil.generateDetachedSignature(
|
||||
manifestContent,
|
||||
privateKey,
|
||||
passphrase
|
||||
)
|
||||
} catch (e: Exception) {
|
||||
throw RuntimeException("生成 PGP 签名失败: ${e.message}", e)
|
||||
}
|
||||
|
||||
// 5. 打包 ZIP 文件到内存
|
||||
val baos = java.io.ByteArrayOutputStream()
|
||||
java.util.zip.ZipOutputStream(baos).use { zipOut ->
|
||||
zipOut.putNextEntry(java.util.zip.ZipEntry("summary.json"))
|
||||
zipOut.write(summaryContent)
|
||||
zipOut.closeEntry()
|
||||
|
||||
zipOut.putNextEntry(java.util.zip.ZipEntry("assets.json"))
|
||||
zipOut.write(assetsContent)
|
||||
zipOut.closeEntry()
|
||||
|
||||
zipOut.putNextEntry(java.util.zip.ZipEntry("vulnerabilities.json"))
|
||||
zipOut.write(vulnerabilitiesContent)
|
||||
zipOut.closeEntry()
|
||||
|
||||
zipOut.putNextEntry(java.util.zip.ZipEntry("weakPasswords.json"))
|
||||
zipOut.write(weakPasswordsContent)
|
||||
zipOut.closeEntry()
|
||||
|
||||
zipOut.putNextEntry(java.util.zip.ZipEntry("漏洞评估报告.html"))
|
||||
zipOut.write(reportHtmlContent)
|
||||
zipOut.closeEntry()
|
||||
|
||||
zipOut.putNextEntry(java.util.zip.ZipEntry("META-INF/manifest.json"))
|
||||
zipOut.write(manifestContent)
|
||||
zipOut.closeEntry()
|
||||
|
||||
zipOut.putNextEntry(java.util.zip.ZipEntry("META-INF/signature.asc"))
|
||||
zipOut.write(signatureAsc)
|
||||
zipOut.closeEntry()
|
||||
}
|
||||
|
||||
val zipBytes = baos.toByteArray()
|
||||
|
||||
// 6. 设置响应头并输出
|
||||
response.contentType = "application/octet-stream"
|
||||
response.setHeader("Content-Disposition", "attachment; filename=\"report_${request.taskId}.zip\"")
|
||||
response.setHeader("Content-Length", zipBytes.size.toString())
|
||||
response.outputStream.write(zipBytes)
|
||||
response.outputStream.flush()
|
||||
} catch (e: Exception) {
|
||||
response.reset()
|
||||
response.contentType = "application/json; charset=UTF-8"
|
||||
response.writer.write("{\"code\": 500, \"msg\": \"生成 ZIP 文件失败: ${e.message}\"}")
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
46
package.json
46
package.json
@@ -22,28 +22,28 @@
|
||||
"typecheck": "turbo run typecheck"
|
||||
},
|
||||
"devDependencies": {
|
||||
"@biomejs/biome": "^2.4.7",
|
||||
"turbo": "^2.8.17",
|
||||
"@biomejs/biome": "^2.4.8",
|
||||
"turbo": "^2.8.20",
|
||||
"typescript": "^5.9.3"
|
||||
},
|
||||
"catalog": {
|
||||
"@orpc/client": "^1.13.7",
|
||||
"@orpc/contract": "^1.13.7",
|
||||
"@orpc/openapi": "^1.13.7",
|
||||
"@orpc/server": "^1.13.7",
|
||||
"@orpc/tanstack-query": "^1.13.7",
|
||||
"@orpc/zod": "^1.13.7",
|
||||
"@orpc/client": "^1.13.9",
|
||||
"@orpc/contract": "^1.13.9",
|
||||
"@orpc/openapi": "^1.13.9",
|
||||
"@orpc/server": "^1.13.9",
|
||||
"@orpc/tanstack-query": "^1.13.9",
|
||||
"@orpc/zod": "^1.13.9",
|
||||
"@t3-oss/env-core": "^0.13.10",
|
||||
"@tailwindcss/vite": "^4.2.1",
|
||||
"@tailwindcss/vite": "^4.2.2",
|
||||
"@tanstack/devtools-vite": "^0.5.5",
|
||||
"@tanstack/react-devtools": "^0.9.13",
|
||||
"@tanstack/react-query": "^5.90.21",
|
||||
"@tanstack/react-query-devtools": "^5.91.3",
|
||||
"@tanstack/react-router": "^1.167.3",
|
||||
"@tanstack/react-router-devtools": "^1.166.9",
|
||||
"@tanstack/react-router-ssr-query": "^1.166.9",
|
||||
"@tanstack/react-start": "^1.166.14",
|
||||
"@types/bun": "^1.3.10",
|
||||
"@tanstack/react-query": "^5.94.4",
|
||||
"@tanstack/react-query-devtools": "^5.94.4",
|
||||
"@tanstack/react-router": "^1.168.1",
|
||||
"@tanstack/react-router-devtools": "^1.166.10",
|
||||
"@tanstack/react-router-ssr-query": "^1.166.10",
|
||||
"@tanstack/react-start": "^1.167.2",
|
||||
"@types/bun": "^1.3.11",
|
||||
"@types/node": "^24.12.0",
|
||||
"@vitejs/plugin-react": "^5.2.0",
|
||||
"babel-plugin-react-compiler": "^1.0.0",
|
||||
@@ -52,19 +52,15 @@
|
||||
"electron": "^34.0.0",
|
||||
"electron-builder": "^26.8.1",
|
||||
"electron-vite": "^5.0.0",
|
||||
"jszip": "^3.10.1",
|
||||
"lossless-json": "^4.3.0",
|
||||
"motion": "^12.36.0",
|
||||
"nitro": "npm:nitro-nightly@3.0.1-20260315-195328-c31268c6",
|
||||
"openpgp": "^6.0.1",
|
||||
"motion": "^12.38.0",
|
||||
"nitro": "npm:nitro-nightly@3.0.1-20260320-182900-2218d454",
|
||||
"postgres": "^3.4.8",
|
||||
"react": "^19.2.4",
|
||||
"react-dom": "^19.2.4",
|
||||
"tailwindcss": "^4.2.1",
|
||||
"tailwindcss": "^4.2.2",
|
||||
"tree-kill": "^1.2.2",
|
||||
"uuid": "^13.0.0",
|
||||
"vite": "^8.0.0",
|
||||
"vite-tsconfig-paths": "^6.1.1",
|
||||
"systeminformation": "^5.31.4",
|
||||
"vite": "^8.0.1",
|
||||
"zod": "^4.3.6"
|
||||
},
|
||||
"overrides": {
|
||||
|
||||
@@ -1,18 +0,0 @@
|
||||
{
|
||||
"name": "@furtherverse/crypto",
|
||||
"version": "1.0.0",
|
||||
"private": true,
|
||||
"type": "module",
|
||||
"exports": {
|
||||
".": "./src/index.ts"
|
||||
},
|
||||
"dependencies": {
|
||||
"node-forge": "^1.3.3",
|
||||
"openpgp": "catalog:"
|
||||
},
|
||||
"devDependencies": {
|
||||
"@furtherverse/tsconfig": "workspace:*",
|
||||
"@types/bun": "catalog:",
|
||||
"@types/node-forge": "^1.3.14"
|
||||
}
|
||||
}
|
||||
@@ -1,53 +0,0 @@
|
||||
import { createCipheriv, createDecipheriv, randomBytes } from 'node:crypto'
|
||||
|
||||
const GCM_IV_LENGTH = 12 // 96 bits
|
||||
const GCM_TAG_LENGTH = 16 // 128 bits
|
||||
const ALGORITHM = 'aes-256-gcm'
|
||||
|
||||
/**
|
||||
* AES-256-GCM encrypt.
|
||||
*
|
||||
* Output format (before Base64): [IV (12 bytes)] + [ciphertext] + [auth tag (16 bytes)]
|
||||
*
|
||||
* @param plaintext - UTF-8 string to encrypt
|
||||
* @param key - 32-byte AES key
|
||||
* @returns Base64-encoded encrypted data
|
||||
*/
|
||||
export const aesGcmEncrypt = (plaintext: string, key: Buffer): string => {
|
||||
const iv = randomBytes(GCM_IV_LENGTH)
|
||||
const cipher = createCipheriv(ALGORITHM, key, iv, { authTagLength: GCM_TAG_LENGTH })
|
||||
|
||||
const encrypted = Buffer.concat([cipher.update(plaintext, 'utf-8'), cipher.final()])
|
||||
const tag = cipher.getAuthTag()
|
||||
|
||||
// Layout: IV + ciphertext + tag
|
||||
const combined = Buffer.concat([iv, encrypted, tag])
|
||||
return combined.toString('base64')
|
||||
}
|
||||
|
||||
/**
|
||||
* AES-256-GCM decrypt.
|
||||
*
|
||||
* Input format (after Base64 decode): [IV (12 bytes)] + [ciphertext] + [auth tag (16 bytes)]
|
||||
*
|
||||
* @param encryptedBase64 - Base64-encoded encrypted data
|
||||
* @param key - 32-byte AES key
|
||||
* @returns Decrypted UTF-8 string
|
||||
*/
|
||||
export const aesGcmDecrypt = (encryptedBase64: string, key: Buffer): string => {
|
||||
const data = Buffer.from(encryptedBase64, 'base64')
|
||||
|
||||
if (data.length < GCM_IV_LENGTH + GCM_TAG_LENGTH) {
|
||||
throw new Error('Encrypted data too short: must contain IV + tag at minimum')
|
||||
}
|
||||
|
||||
const iv = data.subarray(0, GCM_IV_LENGTH)
|
||||
const tag = data.subarray(data.length - GCM_TAG_LENGTH)
|
||||
const ciphertext = data.subarray(GCM_IV_LENGTH, data.length - GCM_TAG_LENGTH)
|
||||
|
||||
const decipher = createDecipheriv(ALGORITHM, key, iv, { authTagLength: GCM_TAG_LENGTH })
|
||||
decipher.setAuthTag(tag)
|
||||
|
||||
const decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()])
|
||||
return decrypted.toString('utf-8')
|
||||
}
|
||||
@@ -1,15 +0,0 @@
|
||||
import { createHash } from 'node:crypto'
|
||||
|
||||
/**
|
||||
* Compute SHA-256 hash and return raw Buffer.
|
||||
*/
|
||||
export const sha256 = (data: string | Buffer): Buffer => {
|
||||
return createHash('sha256').update(data).digest()
|
||||
}
|
||||
|
||||
/**
|
||||
* Compute SHA-256 hash and return lowercase hex string.
|
||||
*/
|
||||
export const sha256Hex = (data: string | Buffer): string => {
|
||||
return createHash('sha256').update(data).digest('hex')
|
||||
}
|
||||
@@ -1,15 +0,0 @@
|
||||
import { hkdfSync } from 'node:crypto'
|
||||
|
||||
/**
|
||||
* Derive a key using HKDF-SHA256.
|
||||
*
|
||||
* @param ikm - Input keying material (string, will be UTF-8 encoded)
|
||||
* @param salt - Salt value (string, will be UTF-8 encoded)
|
||||
* @param info - Info/context string (will be UTF-8 encoded)
|
||||
* @param length - Output key length in bytes (default: 32 for AES-256)
|
||||
* @returns Derived key as Buffer
|
||||
*/
|
||||
export const hkdfSha256 = (ikm: string, salt: string, info: string, length = 32): Buffer => {
|
||||
const derived = hkdfSync('sha256', ikm, salt, info, length)
|
||||
return Buffer.from(derived)
|
||||
}
|
||||
@@ -1,23 +0,0 @@
|
||||
import { createHmac } from 'node:crypto'
|
||||
|
||||
/**
|
||||
* Compute HMAC-SHA256 and return Base64-encoded signature.
|
||||
*
|
||||
* @param key - HMAC key (Buffer)
|
||||
* @param data - Data to sign (UTF-8 string)
|
||||
* @returns Base64-encoded HMAC-SHA256 signature
|
||||
*/
|
||||
export const hmacSha256Base64 = (key: Buffer, data: string): string => {
|
||||
return createHmac('sha256', key).update(data, 'utf-8').digest('base64')
|
||||
}
|
||||
|
||||
/**
|
||||
* Compute HMAC-SHA256 and return raw Buffer.
|
||||
*
|
||||
* @param key - HMAC key (Buffer)
|
||||
* @param data - Data to sign (UTF-8 string)
|
||||
* @returns HMAC-SHA256 digest as Buffer
|
||||
*/
|
||||
export const hmacSha256 = (key: Buffer, data: string): Buffer => {
|
||||
return createHmac('sha256', key).update(data, 'utf-8').digest()
|
||||
}
|
||||
@@ -1,7 +0,0 @@
|
||||
export { aesGcmDecrypt, aesGcmEncrypt } from './aes-gcm'
|
||||
export { sha256, sha256Hex } from './hash'
|
||||
export { hkdfSha256 } from './hkdf'
|
||||
export { hmacSha256, hmacSha256Base64 } from './hmac'
|
||||
export { generatePgpKeyPair, pgpSignDetached, pgpVerifyDetached, validatePgpPrivateKey } from './pgp'
|
||||
export { rsaOaepEncrypt } from './rsa-oaep'
|
||||
export { rsaVerifySignature, validateRsaPublicKey } from './rsa-signature'
|
||||
@@ -1,79 +0,0 @@
|
||||
import * as openpgp from 'openpgp'
|
||||
|
||||
/**
|
||||
* Generate an OpenPGP RSA key pair.
|
||||
*
|
||||
* @param name - User name for the key
|
||||
* @param email - User email for the key
|
||||
* @returns ASCII-armored private and public keys
|
||||
*/
|
||||
export const generatePgpKeyPair = async (
|
||||
name: string,
|
||||
email: string,
|
||||
): Promise<{ privateKey: string; publicKey: string }> => {
|
||||
const { privateKey, publicKey } = await openpgp.generateKey({
|
||||
type: 'rsa',
|
||||
rsaBits: 2048,
|
||||
userIDs: [{ name, email }],
|
||||
format: 'armored',
|
||||
})
|
||||
|
||||
return { privateKey, publicKey }
|
||||
}
|
||||
|
||||
/**
|
||||
* Create a detached OpenPGP signature for the given data.
|
||||
*
|
||||
* @param data - Raw data to sign (Buffer or Uint8Array)
|
||||
* @param armoredPrivateKey - ASCII-armored private key
|
||||
* @returns ASCII-armored detached signature (signature.asc content)
|
||||
*/
|
||||
export const validatePgpPrivateKey = async (armoredKey: string): Promise<void> => {
|
||||
await openpgp.readPrivateKey({ armoredKey })
|
||||
}
|
||||
|
||||
export const pgpSignDetached = async (data: Uint8Array, armoredPrivateKey: string): Promise<string> => {
|
||||
const privateKey = await openpgp.readPrivateKey({ armoredKey: armoredPrivateKey })
|
||||
const message = await openpgp.createMessage({ binary: data })
|
||||
|
||||
const signature = await openpgp.sign({
|
||||
message,
|
||||
signingKeys: privateKey,
|
||||
detached: true,
|
||||
format: 'armored',
|
||||
})
|
||||
|
||||
return signature as string
|
||||
}
|
||||
|
||||
/**
|
||||
* Verify a detached OpenPGP signature.
|
||||
*
|
||||
* @param data - Original data (Buffer or Uint8Array)
|
||||
* @param armoredSignature - ASCII-armored detached signature
|
||||
* @param armoredPublicKey - ASCII-armored public key
|
||||
* @returns true if signature is valid
|
||||
*/
|
||||
export const pgpVerifyDetached = async (
|
||||
data: Uint8Array,
|
||||
armoredSignature: string,
|
||||
armoredPublicKey: string,
|
||||
): Promise<boolean> => {
|
||||
const publicKey = await openpgp.readKey({ armoredKey: armoredPublicKey })
|
||||
const signature = await openpgp.readSignature({ armoredSignature })
|
||||
const message = await openpgp.createMessage({ binary: data })
|
||||
|
||||
const verificationResult = await openpgp.verify({
|
||||
message,
|
||||
signature,
|
||||
verificationKeys: publicKey,
|
||||
})
|
||||
|
||||
const { verified } = verificationResult.signatures[0]!
|
||||
try {
|
||||
await verified
|
||||
return true
|
||||
} catch {
|
||||
return false
|
||||
}
|
||||
}
|
||||
@@ -1,32 +0,0 @@
|
||||
import forge from 'node-forge'
|
||||
|
||||
/**
|
||||
* RSA-OAEP encrypt with platform public key.
|
||||
*
|
||||
* Matches Java's {@code Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding")}
|
||||
* with **default SunJCE parameters**:
|
||||
*
|
||||
* | Parameter | Value |
|
||||
* |-----------|--------|
|
||||
* | OAEP hash | SHA-256|
|
||||
* | MGF1 hash | SHA-1 |
|
||||
*
|
||||
* Node.js `crypto.publicEncrypt({ oaepHash })` ties both hashes together,
|
||||
* so we use `node-forge` which allows independent configuration.
|
||||
*
|
||||
* @param plaintext - UTF-8 string to encrypt
|
||||
* @param publicKeyBase64 - Platform RSA public key (X.509 / SPKI DER, Base64)
|
||||
* @returns Base64-encoded ciphertext
|
||||
*/
|
||||
export const rsaOaepEncrypt = (plaintext: string, publicKeyBase64: string): string => {
|
||||
const derBytes = forge.util.decode64(publicKeyBase64)
|
||||
const asn1 = forge.asn1.fromDer(derBytes)
|
||||
const publicKey = forge.pki.publicKeyFromAsn1(asn1) as forge.pki.rsa.PublicKey
|
||||
|
||||
const encrypted = publicKey.encrypt(plaintext, 'RSA-OAEP', {
|
||||
md: forge.md.sha256.create(),
|
||||
mgf1: { md: forge.md.sha1.create() },
|
||||
})
|
||||
|
||||
return forge.util.encode64(encrypted)
|
||||
}
|
||||
@@ -1,24 +0,0 @@
|
||||
import { describe, expect, it } from 'bun:test'
|
||||
import { constants, createSign, generateKeyPairSync } from 'node:crypto'
|
||||
import { rsaVerifySignature, validateRsaPublicKey } from './rsa-signature'
|
||||
|
||||
describe('rsaVerifySignature', () => {
|
||||
it('verifies SHA256withRSA signatures over raw payload bytes', () => {
|
||||
const { privateKey, publicKey } = generateKeyPairSync('rsa', { modulusLength: 2048 })
|
||||
const payload = Buffer.from('eyJsaWNlbmNlX2lkIjoiTElDLTAwMSIsImV4cGlyZV90aW1lIjoiMjAyNy0wMy0xOSJ9', 'utf-8')
|
||||
|
||||
const signer = createSign('RSA-SHA256')
|
||||
signer.update(payload)
|
||||
signer.end()
|
||||
|
||||
const signature = signer.sign({ key: privateKey, padding: constants.RSA_PKCS1_PADDING })
|
||||
const publicKeyBase64 = publicKey.export({ format: 'der', type: 'spki' }).toString('base64')
|
||||
|
||||
expect(rsaVerifySignature(payload, signature, publicKeyBase64)).toBe(true)
|
||||
expect(rsaVerifySignature(Buffer.from(`${payload}x`, 'utf-8'), signature, publicKeyBase64)).toBe(false)
|
||||
})
|
||||
|
||||
it('rejects malformed SPKI public keys', () => {
|
||||
expect(() => validateRsaPublicKey('not-a-public-key')).toThrow()
|
||||
})
|
||||
})
|
||||
@@ -1,19 +0,0 @@
|
||||
import { constants, createPublicKey, verify } from 'node:crypto'
|
||||
|
||||
const createSpkiPublicKey = (publicKeyBase64: string) => {
|
||||
return createPublicKey({
|
||||
key: Buffer.from(publicKeyBase64, 'base64'),
|
||||
format: 'der',
|
||||
type: 'spki',
|
||||
})
|
||||
}
|
||||
|
||||
export const validateRsaPublicKey = (publicKeyBase64: string): void => {
|
||||
createSpkiPublicKey(publicKeyBase64)
|
||||
}
|
||||
|
||||
export const rsaVerifySignature = (data: Uint8Array, signature: Uint8Array, publicKeyBase64: string): boolean => {
|
||||
const publicKey = createSpkiPublicKey(publicKeyBase64)
|
||||
|
||||
return verify('RSA-SHA256', data, { key: publicKey, padding: constants.RSA_PKCS1_PADDING }, signature)
|
||||
}
|
||||
@@ -1,7 +0,0 @@
|
||||
{
|
||||
"extends": "@furtherverse/tsconfig/bun.json",
|
||||
"compilerOptions": {
|
||||
"rootDir": "src"
|
||||
},
|
||||
"include": ["src"]
|
||||
}
|
||||
Reference in New Issue
Block a user