152 lines
3.4 KiB
Go
152 lines
3.4 KiB
Go
package encipher
|
|
|
|
import (
|
|
"bytes"
|
|
"crypto/aes"
|
|
"crypto/cipher"
|
|
"encoding/base64"
|
|
"encoding/json"
|
|
"errors"
|
|
"strings"
|
|
"time"
|
|
|
|
"git.apinb.com/bsm-sdk/engine/env"
|
|
"git.apinb.com/bsm-sdk/engine/exception"
|
|
"git.apinb.com/bsm-sdk/engine/types"
|
|
"git.apinb.com/bsm-sdk/engine/vars"
|
|
)
|
|
|
|
var (
|
|
certBytes *types.CertFileBytes = nil
|
|
JwtSecret []byte
|
|
JwtSecretLen int
|
|
)
|
|
|
|
func New() {
|
|
JwtSecret = []byte(env.MeshEnv.JwtSecretKey)
|
|
JwtSecretLen = len(env.MeshEnv.JwtSecretKey)
|
|
}
|
|
|
|
func GenerateTokenAes(id uint, identity, client, role string, extend map[string]string) (string, error) {
|
|
if (JwtSecretLen == 16 || JwtSecretLen == 24 || JwtSecretLen == 32) == false {
|
|
return "", errors.New("JwtSecret lenght must 16/24/32.")
|
|
}
|
|
expireTime := time.Now().Add(vars.JwtExpireDay)
|
|
claims := types.JwtClaims{
|
|
ID: id,
|
|
Identity: identity,
|
|
Extend: extend,
|
|
Client: client,
|
|
Role: role,
|
|
ExpiresAt: expireTime.Unix(),
|
|
}
|
|
|
|
byte, err := json.Marshal(claims)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
|
|
token, err := AesEncryptCBC(byte)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
return token, nil
|
|
}
|
|
|
|
func AesEncryptCBC(plan []byte) (string, error) {
|
|
|
|
// 分组秘钥
|
|
// NewCipher该函数限制了输入k的长度必须为16, 24或者32
|
|
block, _ := aes.NewCipher(JwtSecret)
|
|
// 获取秘钥块的长度
|
|
blockSize := block.BlockSize()
|
|
// 补全码
|
|
plan = PKCS7Padding(plan, blockSize)
|
|
// 加密模式
|
|
blockMode := cipher.NewCBCEncrypter(block, JwtSecret[:blockSize])
|
|
// 创建数组
|
|
cryted := make([]byte, len(plan))
|
|
// 加密
|
|
blockMode.CryptBlocks(cryted, plan)
|
|
return base64.StdEncoding.EncodeToString(cryted), nil
|
|
}
|
|
|
|
func AesDecryptCBC(cryted string) (b []byte, err error) {
|
|
if (JwtSecretLen == 16 || JwtSecretLen == 24 || JwtSecretLen == 32) == false {
|
|
return b, errors.New("JwtSecret lenght must 16/24/32.")
|
|
}
|
|
// 转成字节数组
|
|
crytedByte, err := base64.StdEncoding.DecodeString(cryted)
|
|
if err != nil {
|
|
return
|
|
}
|
|
// 分组秘钥
|
|
block, err := aes.NewCipher(JwtSecret)
|
|
if err != nil {
|
|
return
|
|
}
|
|
// 获取秘钥块的长度
|
|
blockSize := block.BlockSize()
|
|
// 加密模式
|
|
blockMode := cipher.NewCBCDecrypter(block, JwtSecret[:blockSize])
|
|
// 创建数组
|
|
orig := make([]byte, len(crytedByte))
|
|
// 解密
|
|
blockMode.CryptBlocks(orig, crytedByte)
|
|
// 去补全码
|
|
orig = PKCS7UnPadding(orig, blockSize)
|
|
if orig == nil {
|
|
return nil, exception.ErrAuthParseFail
|
|
}
|
|
return orig, nil
|
|
}
|
|
|
|
func PKCS7Padding(ciphertext []byte, blocksize int) []byte {
|
|
padding := blocksize - len(ciphertext)%blocksize
|
|
padtext := bytes.Repeat([]byte{byte(padding)}, padding)
|
|
return append(ciphertext, padtext...)
|
|
}
|
|
|
|
// 去码
|
|
// bug:runtime error: slice bounds out of range [:-22]
|
|
func PKCS7UnPadding(origData []byte, blocksize int) []byte {
|
|
if blocksize <= 0 {
|
|
return nil
|
|
}
|
|
if origData == nil || len(origData) == 0 {
|
|
return nil
|
|
}
|
|
if len(origData)%blocksize != 0 {
|
|
return nil
|
|
}
|
|
|
|
length := len(origData)
|
|
unpadding := int(origData[length-1])
|
|
|
|
if length-unpadding <= 0 {
|
|
return nil
|
|
}
|
|
return origData[:(length - unpadding)]
|
|
}
|
|
|
|
func ParseTokenAes(token string) (*types.JwtClaims, error) {
|
|
token = strings.TrimSpace(token)
|
|
data, err := AesDecryptCBC(token)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
var ac *types.JwtClaims
|
|
err = json.Unmarshal(data, &ac)
|
|
if err != nil {
|
|
return nil, exception.ErrAuthParseFail
|
|
}
|
|
|
|
expireTime := time.Now().Unix()
|
|
if expireTime > ac.ExpiresAt {
|
|
return nil, exception.ErrAuthExpire
|
|
}
|
|
|
|
return ac, nil
|
|
}
|