From 495165a9303de909153006c9b04c9e85a3f80707 Mon Sep 17 00:00:00 2001
From: zyj <2660555181@qq.com>
Date: Tue, 8 Jul 2025 09:30:32 +0800
Subject: [PATCH] =?UTF-8?q?=E6=9C=BA=E5=99=A8=E7=AE=A1=E7=90=86=E5=AF=86?= =?UTF-8?q?=E9=92=A5=E3=80=81=E5=AF=86=E9=92=A5=E5=AF=86=E7=A0=81=EF=BC=8C?= =?UTF-8?q?=E5=8A=A0=E5=AF=86/=E8=A7=A3=E5=AF=86?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../component/WebSocketConnection.java | 4 +-
 .../module/machine/dal/model/Keypair.java | 26 +++++
 .../service/impl/SecretKeyServiceImpl.java | 5 +
 .../module/machine/utils/CryptogramUtil.java | 109 ++++++++++++++++++
 4 files changed, 143 insertions(+), 1 deletion(-)
 create mode 100644 modules/module-ci-machine/src/main/java/cd/casic/module/machine/dal/model/Keypair.java
 create mode 100644 modules/module-ci-machine/src/main/java/cd/casic/module/machine/utils/CryptogramUtil.java
diff --git a/modules/module-ci-machine/src/main/java/cd/casic/module/machine/component/WebSocketConnection.java b/modules/module-ci-machine/src/main/java/cd/casic/module/machine/component/WebSocketConnection.java
index 16b4d7c2..cc8a63da 100644
--- a/modules/module-ci-machine/src/main/java/cd/casic/module/machine/component/WebSocketConnection.java
+++ b/modules/module-ci-machine/src/main/java/cd/casic/module/machine/component/WebSocketConnection.java
@@ -6,6 +6,7 @@ import cd.casic.module.machine.enums.AuthenticationType;
 import cd.casic.module.machine.enums.ConnectionStatus;
 import cd.casic.module.machine.enums.SSHChanelType;
 import cd.casic.module.machine.service.SecretKeyService;
+import cd.casic.module.machine.utils.CryptogramUtil;
 import com.jcraft.jsch.Channel;
 import com.jcraft.jsch.ChannelExec;
 import com.jcraft.jsch.JSch;
@@ -164,7 +165,8 @@ public class WebSocketConnection {
 if (machineInfo.getSecretKeyId() == null) {
 throw exception(SECRET_KEY_NULL);
 }
- String pubKeyContent = secretKeyService.getPublicKeyContent(machineInfo.getSecretKeyId());
+ //公钥解密
+ String pubKeyContent = CryptogramUtil.doDecrypt(secretKeyService.getPublicKeyContent(machineInfo.getSecretKeyId()));
 // 验证秘钥格式
 if (!pubKeyContent.startsWith("-----BEGIN")) {
 log.error("无效的密钥格式{}", pubKeyContent);
diff --git a/modules/module-ci-machine/src/main/java/cd/casic/module/machine/dal/model/Keypair.java b/modules/module-ci-machine/src/main/java/cd/casic/module/machine/dal/model/Keypair.java
new file mode 100644
index 00000000..3a58737a
--- /dev/null
+++ b/modules/module-ci-machine/src/main/java/cd/casic/module/machine/dal/model/Keypair.java
@@ -0,0 +1,26 @@
+package cd.casic.module.machine.dal.model;
+
+/**
+ * 基于SM2的秘钥对
+ * (本项目中配置的,自己使用可根据自己的需求进行更换)
+ *
+ */
+public class Keypair {
+
+ /**
+ * 公钥
+ */
+ public static String PUBLIC_KEY = "04298364ec840088475eae92a591e01284d1abefcda348b47eb324bb521bb03b0b2a5bc393f6b71dabb8f15c99a0050818b56b23f31743b93df9cf8948f15ddb54";
+
+ /**
+ * 私钥
+ */
+ public static String PRIVATE_KEY = "3037723d47292171677ec8bd7dc9af696c7472bc5f251b2cec07e65fdef22e25";
+
+ /**
+ * SM4的对称秘钥(生产环境需要改成自己使用的)
+ * 16 进制字符串,要求为 128 比特
+ */
+ public static String KEY = "0123456789abcdeffedcba9876543210";
+
+}
diff --git a/modules/module-ci-machine/src/main/java/cd/casic/module/machine/service/impl/SecretKeyServiceImpl.java b/modules/module-ci-machine/src/main/java/cd/casic/module/machine/service/impl/SecretKeyServiceImpl.java
index c20e31ba..f7eaf377 100644
--- a/modules/module-ci-machine/src/main/java/cd/casic/module/machine/service/impl/SecretKeyServiceImpl.java
+++ b/modules/module-ci-machine/src/main/java/cd/casic/module/machine/service/impl/SecretKeyServiceImpl.java
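Review bot: The `log.error("无效的密钥格式{}", pubKeyContent)` line three lines below the changed one now prints the decrypted key material in full, which undoes the at-rest encryption this commit introduces whenever the format check fails; log the identifier instead, `log.error("无效的密钥格式, secretKeyId={}", machineInfo.getSecretKeyId());`. Because `doDecrypt` (in `CryptogramUtil`) returns its input unchanged when decryption yields an empty string, a record written before this commit in plaintext, or encrypted under a different key, presumably either throws inside `Sm4.decrypt` or reaches the `-----BEGIN` check as an opaque string, so a failed decrypt is indistinguishable here from a malformed key — I do not see a migration for existing rows in this patch, so please confirm how they are handled. The enclosing method starts before and ends after the hunk.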
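Review bot: `PUBLIC_KEY`, `PRIVATE_KEY` and `KEY` are compiled into `Keypair` as literal strings, so the SM2 private key and the SM4 key that now protects every stored password and key are available to anyone with the source tree or the built jar, and cannot be rotated without a rebuild. The `@author yubaoshan` tags on the companion `CryptogramUtil` suggest these values were copied from a public sample project, in which case they are not secret at all — confirm before any deployment. Read the values from externalised configuration (environment variable, Spring property or a secrets manager) and fail fast at startup when they are absent, and make the fields `final` so nothing can reassign them at runtime, e.g. `public static final String KEY = Objects.requireNonNull(System.getenv("SM4_KEY"), "SM4_KEY");` (variable name illustrative). The comment on `KEY` already says production must supply its own value; refusing the sample value at startup is the way to enforce that.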
@@ -8,6 +8,7 @@ import cd.casic.module.machine.dal.dataobject.SecretKeyDO;
 import cd.casic.module.machine.dal.mysql.SecretKeyMapper;
 import cd.casic.module.machine.service.MachineInfoService;
 import cd.casic.module.machine.service.SecretKeyService;
+import cd.casic.module.machine.utils.CryptogramUtil;
 import com.google.common.annotations.VisibleForTesting;
 import jakarta.annotation.Resource;
 import org.springframework.stereotype.Service;
@@ -50,6 +51,10 @@ public class SecretKeyServiceImpl implements SecretKeyService {
 public Long createSecretKey(SecretKeyVO secretKeyVO) {
 validateSecretKeyAdd(secretKeyVO);
 SecretKeyDO secretKeyDO = BeanUtils.toBean(secretKeyVO, SecretKeyDO.class);
+ //密码加密
+ secretKeyDO.setPassword(CryptogramUtil.doEncrypt(secretKeyVO.getPassword()));
+ //公钥加密
+ secretKeyDO.setPublicKey(CryptogramUtil.doEncrypt(secretKeyVO.getPublic_key()));
 secretKeyMapper.insert(secretKeyDO);
 return secretKeyDO.getId();
 }
diff --git a/modules/module-ci-machine/src/main/java/cd/casic/module/machine/utils/CryptogramUtil.java b/modules/module-ci-machine/src/main/java/cd/casic/module/machine/utils/CryptogramUtil.java
new file mode 100644
index 00000000..ca99dac7
--- /dev/null
+++ b/modules/module-ci-machine/src/main/java/cd/casic/module/machine/utils/CryptogramUtil.java
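Review bot: Only the create path is covered — `createSecretKey` now encrypts `password` and `public_key`, but any update path of this service and every row inserted before this commit still hold plaintext, and any reader of these columns that was not switched to `CryptogramUtil.doDecrypt` (only `WebSocketConnection`'s public-key read changes in this patch) will now receive SM4 ciphertext; I cannot see an update method or a migration from this hunk, so please confirm both. `doEncrypt` is also called unconditionally: if `password` is optional for key-based authentication, `Sm4.encrypt(null, …)` is reached, so guard it, `secretKeyDO.setPassword(secretKeyVO.getPassword() == null ? null : CryptogramUtil.doEncrypt(secretKeyVO.getPassword()));`, and likewise for the public key. A short comment above the two `set*` calls noting that they must stay after `BeanUtils.toBean`, which has already copied the plaintext into `secretKeyDO`, would keep a future reorder from silently storing plaintext. The method is wholly inside the hunk; the class continues outside it.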
@@ -0,0 +1,109 @@
+package cd.casic.module.machine.utils;
+
+import cd.casic.module.machine.dal.model.Keypair;
+import cn.hutool.log.Log;
+import com.antherd.smcrypto.sm2.Sm2;
+import com.antherd.smcrypto.sm3.Sm3;
+import com.antherd.smcrypto.sm4.Sm4;
+import com.antherd.smcrypto.sm4.Sm4Options;
+
+public class CryptogramUtil {
+
+ private static final Log log = Log.get();
+
+ /**
+ * 加密方法(Sm2 的专门针对前后端分离,非对称秘钥对的方式,暴露出去的公钥,对传输过程中的密码加个密)
+ *
+ * @author yubaoshan
+ * @param str 待加密数据
+ * @return 加密后的密文
+ */
+ public static String doSm2Encrypt (String str) {
+ return Sm2.doEncrypt(str, Keypair.PUBLIC_KEY);
+ }
+
+ /**
+ * 解密方法
+ * 如果采用加密机的方法,用try catch 捕捉异常,返回原文值即可
+ *
+ * @author yubaoshan
+ * @param str 密文
+ * @return 解密后的明文
+ */
+ public static String doSm2Decrypt (String str) {
+ // 解密
+ return Sm2.doDecrypt(str, Keypair.PRIVATE_KEY);
+ }
+
+ /**
+ * 加密方法
+ *
+ * @author yubaoshan
+ * @param str 待加密数据
+ * @return 加密后的密文
+ */
+ public static String doEncrypt (String str) {
+ // SM4 加密 cbc模式
+ Sm4Options sm4Options4 = new Sm4Options();
+ sm4Options4.setMode("cbc");
+ sm4Options4.setIv("fedcba98765432100123456789abcdef");
+ return Sm4.encrypt(str, Keypair.KEY, sm4Options4);
+ }
+
+ /**
+ * 解密方法
+ * 如果采用加密机的方法,用try catch 捕捉异常,返回原文值即可
+ *
+ * @author yubaoshan
+ * @param str 密文
+ * @return 解密后的明文
+ */
+ public static String doDecrypt (String str) {
+ // 解密,cbc 模式,输出 utf8 字符串
+ Sm4Options sm4Options8 = new Sm4Options();
+ sm4Options8.setMode("cbc");
+ sm4Options8.setIv("fedcba98765432100123456789abcdef");
+ String docString = Sm4.decrypt(str, Keypair.KEY, sm4Options8);
+ if (docString.isEmpty()) {
+ log.warn(">>> 字段解密失败,返回原文值:{}", str);
+ return str;
+ } else {
+ return docString;
+ }
+ }
+
+ /**
+ * 纯签名
+ *
+ * @author yubaoshan
+ * @param str 待签名数据
+ * @return 签名结果
+ */
+ public static String doSignature (String str) {
+ return Sm2.doSignature(str, Keypair.PRIVATE_KEY);
+ }
+
+ /**
+ * 验证签名结果
+ *
+ * @author yubaoshan
+ * @param originalStr 签名原文数据
+ * @param str 签名结果
+ * @return 是否通过
+ */
+ public static boolean doVerifySignature (String originalStr, String str) {
+ return Sm2.doVerifySignature(originalStr, str, Keypair.PUBLIC_KEY);
+ }
+
+ /**
+ * 通过杂凑算法取得hash值,用于做数据完整性保护
+ *
+ * @author yubaoshan
+ * @param str 字符串
+ * @return hash 值
+ */
+ public static String doHashValue (String str) {
+ return Sm3.sm3(str);
+ }
+
+}
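Review bot: `doEncrypt` and `doDecrypt` run SM4-CBC with the constant IV `fedcba98765432100123456789abcdef`, so two records holding the same password or key produce byte-identical ciphertext that can be matched in the database without the key; the IV should be fresh per call and stored in front of the ciphertext, as sketched below (needs `java.security.SecureRandom` and `java.util.HexFormat`, assumes `Sm4Options.setIv` accepts the same hex form the hunk already passes, and values already written with the fixed IV would need a one-off re-encryption). `doDecrypt` also returns its input unchanged whenever the result is empty and logs that input at warn level, so a wrong key or a corrupted row is indistinguishable to callers from a correct plaintext — now that the result feeds SSH authentication in `WebSocketConnection`, throwing is the safer contract, and `docString.isEmpty()` needs a null guard if `Sm4.decrypt` can return `null` on failure, which I cannot verify from the hunk. The SM2 and SM4 keys are read from string constants in `Keypair`; sourcing them from configuration would allow rotation without a rebuild. Finally, the `@author yubaoshan` tags and the `sm4Options4`/`sm4Options8` names indicate the file was copied from another project, and the Javadoc on `doSm2Decrypt`/`doDecrypt` ("如果采用加密机的方法…") describes that project's conventions rather than what this code does; it should be rewritten to state the actual contract, including the new IV-prefix format.
```java
    // … unchanged: package, imports, log field, doSm2Encrypt, doSm2Decrypt …

    private static final SecureRandom RNG = new SecureRandom();

    public static String doEncrypt (String str) {
        // fresh 128-bit IV per call; written in front of the ciphertext so doDecrypt can recover it
        byte[] iv = new byte[16];
        RNG.nextBytes(iv);
        String ivHex = HexFormat.of().formatHex(iv);
        Sm4Options sm4Options4 = new Sm4Options();
        sm4Options4.setMode("cbc");
        sm4Options4.setIv(ivHex);
        return ivHex + Sm4.encrypt(str, Keypair.KEY, sm4Options4);
    }

    public static String doDecrypt (String str) {
        if (str == null || str.length() < 32) {
            throw new IllegalArgumentException("ciphertext too short to carry an IV");
        }
        // first 32 hex chars are the IV written by doEncrypt
        Sm4Options sm4Options8 = new Sm4Options();
        sm4Options8.setMode("cbc");
        sm4Options8.setIv(str.substring(0, 32));
        String docString = Sm4.decrypt(str.substring(32), Keypair.KEY, sm4Options8);
        if (docString == null || docString.isEmpty()) {
            // do not fall back to the ciphertext: callers use the result as key material
            throw new IllegalStateException("SM4 decryption failed");
        }
        return docString;
    }

    // … unchanged: doSignature, doVerifySignature, doHashValue …
```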