sign

2023-08-20 16:31:33 +08:00
parent e4fe101e4d
commit a2e1407da4
5 changed files with 69 additions and 13 deletions
--- a/config/etc/certs/omc_pri.key_pri.key.aes_en
+++ b/config/etc/certs/omc_pri.key_pri.key.aes_en
--- a/config/etc/certs/omc_pub.key_pub.key
+++ b/config/etc/certs/omc_pub.key_pub.key
@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw0BP+WJNddrEd9OskJ9A
+W6QFR4GrU/N82FOSzWlJQi2nHnPXA+0fADZ8B5sD011LmS1wznKl9922fw2S5Sz0
+dc2pCPNCZ4HhkDhlBUkZ07sIswIuoU40vjvQZJgjNHQGIoAADPjcxGWjHibkmioP
+7Y6Zvot80xZGXzZbdya8zXAEZFrVtYZsmbYt0Vh2cSUJlkpyqKf3JFrBYlR8bWr
+VH4Mf2pM1Z29ouW+UgNZ3/vL4JpTeLjYQs1not2HHYo5VgwX/20zGeNInCRIc/7H
+YHLkRa9YhfpN5TIkbynrBbKV5hx+lJ9iADqWR7Ug1OHx7zgfm1iz25VflDNls+Mp
+JwIDAQAB
+-----END PUBLIC KEY-----
--- a/features/cm/software.go
+++ b/features/cm/software.go
@@ -1,6 +1,7 @@
 package cm

 import (
+	"bytes"
 	"fmt"
 	"net/http"
 	"os"
@@ -22,6 +23,7 @@ const (
 	SoftwareStatusInactive = "Inactive"
 	SoftwareStatusActive   = "Active"
 	DigestsSignOkString    = "digests signatures OK"
+	SoftwareVerifiedOk     = "Verified OK"
 )

 var (
@@ -32,6 +34,23 @@ var (
 	CustomUriSoftwareNE = config.UriPrefix + "/systemManagement/{apiVersion}/{neType}/software/{version}/{neId}"
 )

+// 验证签名
+func verify_signature(public_key_name string, source_cms_file string, source_file string) bytes.Buffer {
+	cmd := exec.Command("/usr/local/omc/run/iv", "verify_signature", public_key_name, source_cms_file, source_file)
+	var out bytes.Buffer
+	cmd.Stdout = &out
+	cmd.Env = append(os.Environ(),
+		"FOO=duplicate_value", // 重复被忽略
+		"FOO=actual_value",    // 实际被使用
+	)
+	err := cmd.Run()
+	if err != nil {
+		log.Error(err)
+	}
+
+	return out
+}
+
 func UploadSoftwareFile(w http.ResponseWriter, r *http.Request) {
 	log.Debug("UploadSoftwareFile processing... ")

@@ -77,7 +96,18 @@ func UploadSoftwareFile(w http.ResponseWriter, r *http.Request) {
 		return
 	}

+	filePrefix := fileName[:strings.Index(fileName, ".zip")]
+
 	filePath := fmt.Sprintf("%s/%s", softwarePath, fileName)
+	cmd := exec.Command("unzip", filePath)
+	cmd.Dir = softwarePath
+	out, err := cmd.CombinedOutput()
+	log.Debugf("Exec outpout:%s", string(out))
+	if err != nil {
+		log.Error("Failed to unzip:", err)
+		services.ResponseInternalServerError500ProcessError(w, err)
+		return
+	}
 	md5File, err := global.GetFileMD5Sum(filePath)
 	if err != nil {
 		log.Error("Faile to GetFileMD5Sum:", err)
@@ -93,20 +123,31 @@ func UploadSoftwareFile(w http.ResponseWriter, r *http.Request) {
 	}

 	if config.GetYamlConfig().OMC.CheckSign {
-		cmd := exec.Command("rpm", "-K", filePath)
-		out, err := cmd.CombinedOutput()
-		log.Debugf("Exec outpout:%s", string(out))
-		if err != nil {
-			log.Error("Failed to execute rpm:", err)
-			services.ResponseInternalServerError500ProcessError(w, err)
-			return
-		}
-		if !strings.Contains(string(out), DigestsSignOkString) {
+		rpmFileName := filePrefix + ".rpm"
+		rpmFilePath := softwarePath + "/" + rpmFileName
+		cmsFileName := rpmFileName + ".cms"
+		cmsFilePath := softwarePath + "/" + cmsFileName
+		result := verify_signature(config.GetYamlConfig().Auth.PublicKey, cmsFilePath, rpmFilePath)
+		if result.String() != SoftwareVerifiedOk {
 			err = global.ErrCMNotMatchSignFile
 			log.Error(err)
 			services.ResponseInternalServerError500ProcessError(w, err)
 			return
 		}
+		// cmd := exec.Command("rpm", "-K", filePath)
+		// out, err := cmd.CombinedOutput()
+		// log.Debugf("Exec outpout:%s", string(out))
+		// if err != nil {
+		// 	log.Error("Failed to execute rpm:", err)
+		// 	services.ResponseInternalServerError500ProcessError(w, err)
+		// 	return
+		// }
+		// if !strings.Contains(string(out), DigestsSignOkString) {
+		// 	err = global.ErrCMNotMatchSignFile
+		// 	log.Error(err)
+		// 	services.ResponseInternalServerError500ProcessError(w, err)
+		// 	return
+		// }
 	}

 	//neBackup := dborm.NeBackup{NeType: neType, NeId: neId, Md5Sum: md5Sum}
--- a/restagent/config/config.go
+++ b/restagent/config/config.go
@@ -60,6 +60,7 @@ type YamlConfig struct {
 		CheckContentType bool   `yaml:"checkContentType"`
 		TestMode         bool   `yaml:"testMode"`
 		RBACMode         bool   `yaml:"rbacMode"`
+		RunDir           string `yaml:"runDir"`
 	} `yaml:"omc"`

 	Alarm struct {
@@ -98,10 +99,12 @@ type YamlConfig struct {
 	} `yaml:"ne"`

 	Auth struct {
-		Crypt   string `yaml:"crypt"`
-		Token   bool   `yaml:"token"`
-		Expires uint32 `yaml:"expires"`
-		Session string `yaml:"session"`
+		Crypt      string `yaml:"crypt"`
+		Token      bool   `yaml:"token"`
+		Expires    uint32 `yaml:"expires"`
+		Session    string `yaml:"session"`
+		PublicKey  string `yaml:"publicKey"`
+		PrivateKey string `yaml:"privateKey"`
 	} `yaml:"auth"`

 	Params struct {
--- a/restagent/etc/restconf.yaml
+++ b/restagent/etc/restconf.yaml
@@ -63,6 +63,7 @@ omc:
  checkContentType: false
  testMode: true
  rbacMode: true
+  runDir: 

 # Alarm module setting
 # Forward interface:
@@ -91,6 +92,8 @@ auth:
  token: true
  expires: 1800
  session: multiple
+  publicKey: /usr/local/omc/etc/certs/omc_pub.key
+  privateKey: /usr/local/omc/etc/certs/omc_pri.key

 # Parameter for limit number 
 # rmuid_maxnum: the max number of rmUID, default: 50