package encipher
import (
"bytes"
"crypto/aes"
"crypto/cipher"
"encoding/base64"
"encoding/json"
"strings"
"time"
"git.apinb.com/bsm-sdk/core/env"
"git.apinb.com/bsm-sdk/core/errcode"
"git.apinb.com/bsm-sdk/core/types"
"git.apinb.com/bsm-sdk/core/vars"
)
var (
certBytes *types.CertFileBytes = nil
JwtSecret []byte
JwtSecretLen int
)
func New(secret string) {
JwtSecret = []byte(secret)
JwtSecretLen = len(env.Runtime.JwtSecretKey)
}
func GenerateTokenAes(id uint, identity, client, role string, owner any, extend map[string]string) (string, error) {
if !(JwtSecretLen == 16 || JwtSecretLen == 24 || JwtSecretLen == 32) {
return "", errcode.ErrJWTSecretKey
}
expireTime := time.Now().Add(vars.JwtExpireDay)
claims := types.JwtClaims{
ID: id,
Identity: identity,
Client: client,
Extend: extend,
Owner: owner,
Role: role,
ExpiresAt: expireTime.Unix(),
}
byte, err := json.Marshal(claims)
if err != nil {
return "", errcode.ErrJWTJsonEncode
}
token, err := AesEncryptCBC(byte)
if err != nil {
return "", err
}
return token, nil
}
func AesEncryptCBC(plan []byte) (string, error) {
// 分组秘钥
// NewCipher该函数限制了输入k的长度必须为16, 24或者32
block, err := aes.NewCipher(JwtSecret)
if err != nil {
return "", errcode.ErrJWTSecretKey
}
// 获取秘钥块的长度
blockSize := block.BlockSize()
// 补全码
plan = PKCS7Padding(plan, blockSize)
// 加密模式
blockMode := cipher.NewCBCEncrypter(block, JwtSecret[:blockSize])
// 创建数组
cryted := make([]byte, len(plan))
// 加密
blockMode.CryptBlocks(cryted, plan)
return base64.StdEncoding.EncodeToString(cryted), nil
}
func AesDecryptCBC(cryted string) (b []byte, err error) {
if (JwtSecretLen == 16 || JwtSecretLen == 24 || JwtSecretLen == 32) == false {
return nil, errcode.ErrJWTSecretKey
}
// 转成字节数组
crytedByte, err := base64.StdEncoding.DecodeString(cryted)
if err != nil {
return nil, errcode.ErrJWTBase64Decode
}
// 分组秘钥
block, err := aes.NewCipher(JwtSecret)
if err != nil {
return nil, errcode.ErrJWTSecretKey
}
// 获取秘钥块的长度
blockSize := block.BlockSize()
// 加密模式
blockMode := cipher.NewCBCDecrypter(block, JwtSecret[:blockSize])
// 创建数组
orig := make([]byte, len(crytedByte))
// 解密
blockMode.CryptBlocks(orig, crytedByte)
// 去补全码
orig = PKCS7UnPadding(orig, blockSize)
if orig == nil {
return nil, errcode.ErrJWTAuthParseFail
}
return orig, nil
}
func PKCS7Padding(ciphertext []byte, blocksize int) []byte {
padding := blocksize - len(ciphertext)%blocksize
padtext := bytes.Repeat([]byte{byte(padding)}, padding)
return append(ciphertext, padtext...)
}
// 去码
// bug:runtime error: slice bounds out of range [:-22]
func PKCS7UnPadding(origData []byte, blocksize int) []byte {
if blocksize <= 0 {
return nil
}
if origData == nil || len(origData) == 0 {
return nil
}
if len(origData)%blocksize != 0 {
return nil
}
length := len(origData)
unpadding := int(origData[length-1])
if length-unpadding <= 0 {
return nil
}
return origData[:(length - unpadding)]
}
func ParseTokenAes(token string) (*types.JwtClaims, error) {
token = strings.TrimSpace(token)
data, err := AesDecryptCBC(token)
if err != nil {
return nil, err
}
var ac *types.JwtClaims
err = json.Unmarshal(data, &ac)
if err != nil {
return nil, errcode.ErrJWTAuthParseFail
}
expireTime := time.Now().Unix()
if expireTime > ac.ExpiresAt {
return nil, errcode.ErrJWTAuthExpire
}
return ac, nil
}