Skip to content

Commit

Permalink
feat: 敏感信息存储支持国密 TencentBlueKing#2055
Browse files Browse the repository at this point in the history
升级SDK版本,支持非对称加密
  • Loading branch information
jsonwan committed Jul 15, 2023
1 parent 43c6944 commit a4c192f
Show file tree
Hide file tree
Showing 16 changed files with 154 additions and 52 deletions.
4 changes: 2 additions & 2 deletions src/backend/build.gradle
Original file line number Diff line number Diff line change
Expand Up @@ -130,7 +130,7 @@ ext {
set('jcommanderVersion', "1.71")
set('kubernetesJavaClientVersion', "11.0.4")
set('springCloudKubernetesVersion', "2.0.6")
set('gmJavaSDKVersion', "0.0.4")
set('cryptoJavaSDKVersion', "0.0.6")
if (System.getProperty("bkjobVersion")) {
set('bkjobVersion', System.getProperty("bkjobVersion"))
println "bkjobVersion:" + bkjobVersion
Expand Down Expand Up @@ -321,7 +321,7 @@ subprojects {
entry "hibernate-validator"
}
dependency "com.beust:jcommander:$jcommanderVersion"
dependency "com.tencent.bk.sdk:gm-java-sdk:$gmJavaSDKVersion"
dependency "com.tencent.bk.sdk:crypto-java-sdk:$cryptoJavaSDKVersion"
}
}
dependencies {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -30,9 +30,22 @@
import org.apache.commons.lang3.StringUtils;

import javax.crypto.Cipher;
import java.io.*;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.StringReader;
import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.PKCS8EncodedKeySpec;
Expand Down Expand Up @@ -140,15 +153,39 @@ public static boolean verify(PublicKey publicKey, String message,
}

public static String encrypt(String rawText, PublicKey publicKey) throws IOException, GeneralSecurityException {
return encrypt(rawText.getBytes(CHARSET_NAME), publicKey);
}

public static String encrypt(byte[] messageBytes,
PublicKey publicKey) throws GeneralSecurityException {
Cipher cipher = Cipher.getInstance(KEY_ALGORITHM);
cipher.init(Cipher.ENCRYPT_MODE, publicKey);
return Base64.encodeBase64String(cipher.doFinal(rawText.getBytes(CHARSET_NAME)));
return Base64.encodeBase64String(cipher.doFinal(messageBytes));
}

public static String decrypt(String cipherText,
public static byte[] encryptToBytes(byte[] messageBytes,
PublicKey publicKey) throws GeneralSecurityException {
Cipher cipher = Cipher.getInstance(KEY_ALGORITHM);
cipher.init(Cipher.ENCRYPT_MODE, publicKey);
return cipher.doFinal(messageBytes);
}

public static String decrypt(String cipherBase64Text,
PrivateKey privateKey) throws IOException, GeneralSecurityException {
return decrypt(Base64.decodeBase64(cipherBase64Text), privateKey);
}

public static String decrypt(byte[] cipherBytes,
PrivateKey privateKey) throws IOException, GeneralSecurityException {
Cipher cipher = Cipher.getInstance(KEY_ALGORITHM);
cipher.init(Cipher.DECRYPT_MODE, privateKey);
return new String(cipher.doFinal(cipherBytes), CHARSET_NAME);
}

public static byte[] decryptToBytes(byte[] cipherBytes,
PrivateKey privateKey) throws IOException, GeneralSecurityException {
Cipher cipher = Cipher.getInstance(KEY_ALGORITHM);
cipher.init(Cipher.DECRYPT_MODE, privateKey);
return new String(cipher.doFinal(Base64.decodeBase64(cipherText)), CHARSET_NAME);
return cipher.doFinal(cipherBytes);
}
}
2 changes: 1 addition & 1 deletion src/backend/commons/common/build.gradle
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,7 @@ dependencies {
implementation 'com.cronutils:cron-utils'
implementation 'commons-validator:commons-validator'
implementation 'org.springframework.cloud:spring-cloud-sleuth-instrumentation'
implementation 'com.tencent.bk.sdk:gm-java-sdk'
implementation 'com.tencent.bk.sdk:crypto-java-sdk'
compileOnly 'org.springframework:spring-web'
compileOnly 'org.projectlombok:lombok'
annotationProcessor 'org.projectlombok:lombok'
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -24,22 +24,30 @@

package com.tencent.bk.job.common.encrypt;

import com.tencent.bk.job.common.exception.CryptoException;
import com.tencent.bk.job.common.util.crypto.AESUtils;
import com.tencent.bk.sdk.gm.annotation.Cryptor;
import com.tencent.bk.sdk.gm.annotation.CryptorTypeEnum;
import com.tencent.bk.sdk.gm.cryptor.AbstractSymmetricCryptor;
import com.tencent.bk.sdk.crypto.annotation.Cryptor;
import com.tencent.bk.sdk.crypto.annotation.CryptorTypeEnum;
import com.tencent.bk.sdk.crypto.cryptor.AbstractSymmetricCryptor;
import org.slf4j.helpers.FormattingTuple;
import org.slf4j.helpers.MessageFormatter;

/**
* 使用AES/CBC/PKCS5Padding的加密实现
*/
@Cryptor(name = CryptorNames.AES, type = CryptorTypeEnum.SYMMETRIC)
@Cryptor(name = JobCryptorNames.AES, type = CryptorTypeEnum.SYMMETRIC)
public class AESCryptor extends AbstractSymmetricCryptor {
@Override
public byte[] encrypt(byte[] key, byte[] message) {
try {
return AESUtils.encrypt(message, key);
} catch (Exception e) {
throw new RuntimeException(e);
FormattingTuple msg = MessageFormatter.format(
"Fail to encrypt using AES, key.len={}, message.len={}",
key.length,
message.length
);
throw new CryptoException(msg.getMessage(), e);
}
}

Expand All @@ -48,7 +56,12 @@ public byte[] decrypt(byte[] key, byte[] encryptedMessage) {
try {
return AESUtils.decrypt(encryptedMessage, key);
} catch (Exception e) {
throw new RuntimeException(e);
FormattingTuple msg = MessageFormatter.format(
"Fail to decrypt using AES, key.len={}, encryptedMessage.len={}",
key.length,
encryptedMessage.length
);
throw new CryptoException(msg.getMessage(), e);
}
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@
package com.tencent.bk.job.common.encrypt;

import com.tencent.bk.job.common.util.json.JsonUtils;
import com.tencent.bk.sdk.crypto.cryptor.consts.CryptorNames;
import lombok.Getter;
import lombok.Setter;
import lombok.ToString;
Expand All @@ -49,7 +50,7 @@ public class EncryptConfig {

private String defaultSymmetricAlgorithm = CryptorNames.NONE;

private String defaultAsymmetricAlgorithm = CryptorNames.RSA;
private String defaultAsymmetricAlgorithm = JobCryptorNames.RSA;

/**
* 各个场景下使用的加密算法,不配置则使用默认算法
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -24,13 +24,9 @@

package com.tencent.bk.job.common.encrypt;

public class CryptorNames {
// 不加密
public static final String NONE = "None";
public class JobCryptorNames {
// 对称加密
public static final String AES = "AES";
public static final String SM4 = "SM4";
// 非对称加密
public static final String RSA = "RSA";
public static final String SM2 = "SM2";
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,70 @@
/*
* Tencent is pleased to support the open source community by making BK-JOB蓝鲸智云作业平台 available.
*
* Copyright (C) 2021 THL A29 Limited, a Tencent company. All rights reserved.
*
* BK-JOB蓝鲸智云作业平台 is licensed under the MIT License.
*
* License for BK-JOB蓝鲸智云作业平台:
* --------------------------------------------------------------------
* Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
* documentation files (the "Software"), to deal in the Software without restriction, including without limitation
* the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and
* to permit persons to whom the Software is furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all copies or substantial portions of
* the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO
* THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
* CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
* IN THE SOFTWARE.
*/

package com.tencent.bk.job.common.encrypt;

import com.tencent.bk.job.common.exception.CryptoException;
import com.tencent.bk.job.common.util.crypto.RSAUtils;
import com.tencent.bk.sdk.crypto.annotation.Cryptor;
import com.tencent.bk.sdk.crypto.annotation.CryptorTypeEnum;
import com.tencent.bk.sdk.crypto.cryptor.AbstractASymmetricCryptor;
import org.slf4j.helpers.FormattingTuple;
import org.slf4j.helpers.MessageFormatter;

import java.security.PrivateKey;
import java.security.PublicKey;

/**
* 使用RSA的加密实现
*/
@Cryptor(name = JobCryptorNames.RSA, type = CryptorTypeEnum.ASYMMETRIC)
public class RSACryptor extends AbstractASymmetricCryptor {
@Override
public byte[] encrypt(PublicKey publicKey, byte[] message) {
try {
return RSAUtils.encryptToBytes(message, publicKey);
} catch (Exception e) {
FormattingTuple msg = MessageFormatter.format(
"Fail to encrypt using RSA, publicKey.len={}, message.len={}",
publicKey.getEncoded().length,
message.length
);
throw new CryptoException(msg.getMessage(), e);
}
}

@Override
public byte[] decrypt(PrivateKey privateKey, byte[] encryptedMessage) {
try {
return RSAUtils.decryptToBytes(encryptedMessage, privateKey);
} catch (Exception e) {
FormattingTuple msg = MessageFormatter.format(
"Fail to decrypt using RSA, privateKey.len={}, encryptedMessage.len={}",
privateKey.getEncoded().length,
encryptedMessage.length
);
throw new CryptoException(msg.getMessage(), e);
}
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -24,8 +24,8 @@

package com.tencent.bk.job.common.encrypt;

import com.tencent.bk.sdk.gm.cryptor.SymmetricCryptor;
import com.tencent.bk.sdk.gm.cryptor.SymmetricCryptorFactory;
import com.tencent.bk.sdk.crypto.cryptor.SymmetricCryptor;
import com.tencent.bk.sdk.crypto.cryptor.SymmetricCryptorFactory;
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.lang3.StringUtils;
import org.springframework.beans.factory.annotation.Autowired;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -26,8 +26,8 @@

import com.tencent.bk.job.common.constant.TaskVariableTypeEnum;
import com.tencent.bk.job.common.encrypt.CryptoScenarioEnum;
import com.tencent.bk.job.common.encrypt.CryptorNames;
import com.tencent.bk.job.common.encrypt.SymmetricCryptoService;
import com.tencent.bk.sdk.crypto.cryptor.consts.CryptorNames;
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.lang3.StringUtils;
import org.springframework.beans.factory.annotation.Autowired;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -26,8 +26,8 @@

import com.tencent.bk.job.common.constant.AccountCategoryEnum;
import com.tencent.bk.job.common.encrypt.CryptoScenarioEnum;
import com.tencent.bk.job.common.encrypt.CryptorNames;
import com.tencent.bk.job.common.encrypt.SymmetricCryptoService;
import com.tencent.bk.sdk.crypto.cryptor.consts.CryptorNames;
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.lang3.StringUtils;
import org.springframework.beans.factory.annotation.Autowired;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -25,8 +25,8 @@
package com.tencent.bk.job.common.encrypt.scenario;

import com.tencent.bk.job.common.encrypt.CryptoScenarioEnum;
import com.tencent.bk.job.common.encrypt.CryptorNames;
import com.tencent.bk.job.common.encrypt.SymmetricCryptoService;
import com.tencent.bk.sdk.crypto.cryptor.consts.CryptorNames;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -22,34 +22,19 @@
* IN THE SOFTWARE.
*/

package com.tencent.bk.job.common.encrypt;
package com.tencent.bk.job.common.exception;


import com.tencent.bk.sdk.gm.annotation.Cryptor;
import com.tencent.bk.sdk.gm.cryptor.SymmetricCryptor;
import lombok.Getter;
import lombok.ToString;

/**
* 不做任何加密操作,直接返回明文的加密实现
* 加解密异常
*/
@Cryptor(name = CryptorNames.NONE)
public class NoneCryptor implements SymmetricCryptor {
@Override
public byte[] encrypt(byte[] key, byte[] message) {
return message;
}

@Override
public byte[] decrypt(byte[] key, byte[] encryptedMessage) {
return encryptedMessage;
}

@Override
public String encrypt(String key, String message) {
return message;
}
@Getter
@ToString
public class CryptoException extends RuntimeException {

@Override
public String decrypt(String key, String base64EncodedEncryptedMessage) {
return base64EncodedEncryptedMessage;
public CryptoException(String message, Throwable cause) {
super(message, cause);
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
com.tencent.bk.job.common.encrypt.RSACryptor
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
com.tencent.bk.job.common.encrypt.AESCryptor

This file was deleted.

Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,6 @@
package com.tencent.bk.job.crontab.dao.impl;

import com.tencent.bk.job.common.constant.TaskVariableTypeEnum;
import com.tencent.bk.job.common.encrypt.CryptorNames;
import com.tencent.bk.job.common.model.BaseSearchCondition;
import com.tencent.bk.job.common.model.PageData;
import com.tencent.bk.job.common.model.dto.UserRoleInfoDTO;
Expand All @@ -35,6 +34,7 @@
import com.tencent.bk.job.crontab.model.dto.CronJobInfoDTO;
import com.tencent.bk.job.crontab.model.dto.CronJobVariableDTO;
import com.tencent.bk.job.crontab.util.CronExpressionUtil;
import com.tencent.bk.sdk.crypto.cryptor.consts.CryptorNames;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
Expand Down

0 comments on commit a4c192f

Please sign in to comment.