package encipher import ( "bytes" "crypto/aes" "crypto/cipher" "encoding/base64" "encoding/json" "strings" "time" "git.apinb.com/bsm-sdk/engine/env" "git.apinb.com/bsm-sdk/engine/exception" "git.apinb.com/bsm-sdk/engine/types" "git.apinb.com/bsm-sdk/engine/vars" ) var ( certBytes *types.CertFileBytes = nil JwtSecret []byte JwtSecretLen int ) func New(token string) { JwtSecret = []byte(token) JwtSecretLen = len(env.MeshEnv.JwtSecretKey) } func GenerateTokenAes(id uint, identity, client, role string, owner any, extend map[string]string) (string, error) { if (JwtSecretLen == 16 || JwtSecretLen == 24 || JwtSecretLen == 32) == false { return "", exception.ErrAuthSecret } expireTime := time.Now().Add(vars.JwtExpireDay) claims := types.JwtClaims{ ID: id, Identity: identity, Client: client, Extend: extend, Owner: owner, Role: role, ExpiresAt: expireTime.Unix(), } byte, err := json.Marshal(claims) if err != nil { return "", exception.ErrJsonEncode } token, err := AesEncryptCBC(byte) if err != nil { return "", err } return token, nil } func AesEncryptCBC(plan []byte) (string, error) { // 分组秘钥 // NewCipher该函数限制了输入k的长度必须为16, 24或者32 block, err := aes.NewCipher(JwtSecret) if err != nil { return "", exception.ErrAuthSecret } // 获取秘钥块的长度 blockSize := block.BlockSize() // 补全码 plan = PKCS7Padding(plan, blockSize) // 加密模式 blockMode := cipher.NewCBCEncrypter(block, JwtSecret[:blockSize]) // 创建数组 cryted := make([]byte, len(plan)) // 加密 blockMode.CryptBlocks(cryted, plan) return base64.StdEncoding.EncodeToString(cryted), nil } func AesDecryptCBC(cryted string) (b []byte, err error) { if (JwtSecretLen == 16 || JwtSecretLen == 24 || JwtSecretLen == 32) == false { return nil, exception.ErrAuthSecret } // 转成字节数组 crytedByte, err := base64.StdEncoding.DecodeString(cryted) if err != nil { return nil, exception.ErrBase64Decode } // 分组秘钥 block, err := aes.NewCipher(JwtSecret) if err != nil { return nil, exception.ErrAuthSecret } // 获取秘钥块的长度 blockSize := block.BlockSize() // 加密模式 blockMode := cipher.NewCBCDecrypter(block, JwtSecret[:blockSize]) // 创建数组 orig := make([]byte, len(crytedByte)) // 解密 blockMode.CryptBlocks(orig, crytedByte) // 去补全码 orig = PKCS7UnPadding(orig, blockSize) if orig == nil { return nil, exception.ErrAuthParseFail } return orig, nil } func PKCS7Padding(ciphertext []byte, blocksize int) []byte { padding := blocksize - len(ciphertext)%blocksize padtext := bytes.Repeat([]byte{byte(padding)}, padding) return append(ciphertext, padtext...) } // 去码 // bug:runtime error: slice bounds out of range [:-22] func PKCS7UnPadding(origData []byte, blocksize int) []byte { if blocksize <= 0 { return nil } if origData == nil || len(origData) == 0 { return nil } if len(origData)%blocksize != 0 { return nil } length := len(origData) unpadding := int(origData[length-1]) if length-unpadding <= 0 { return nil } return origData[:(length - unpadding)] } func ParseTokenAes(token string) (*types.JwtClaims, error) { token = strings.TrimSpace(token) data, err := AesDecryptCBC(token) if err != nil { return nil, err } var ac *types.JwtClaims err = json.Unmarshal(data, &ac) if err != nil { return nil, exception.ErrAuthParseFail } expireTime := time.Now().Unix() if expireTime > ac.ExpiresAt { return nil, exception.ErrAuthExpire } return ac, nil }