From a2e1407da4ed4fb81fa4ec9c65bc2082f117d908 Mon Sep 17 00:00:00 2001
From: simonzhangsz
Date: Sun, 20 Aug 2023 16:31:33 +0800
Subject: [PATCH] sign
---
 config/etc/certs/omc_pri.key_pri.key.aes_en | Bin 0 -> 1680 bytes
 config/etc/certs/omc_pub.key_pub.key | 9 +++
 features/cm/software.go | 59 +++++++++++++++++---
 restagent/config/config.go | 11 ++--
 restagent/etc/restconf.yaml | 3 +
 5 files changed, 69 insertions(+), 13 deletions(-)
 create mode 100644 config/etc/certs/omc_pri.key_pri.key.aes_en
 create mode 100644 config/etc/certs/omc_pub.key_pub.key
diff --git a/config/etc/certs/omc_pri.key_pri.key.aes_en b/config/etc/certs/omc_pri.key_pri.key.aes_en new file mode 100644 index 0000000000000000000000000000000000000000..9ed848ec7bc94dba83898dce14c53ac5edb528ba GIT binary patch literal 1680 zcmV;B25O-qd=_Qt1KdzMNvT1Zb7G~+PeeYIUFBf3|qJUYn$M8{6Td;hAkt#Ff zEzF#6@mY<{9siY0D_$uo8DfMSeour*&|za`U-ar0`-7FyA?F8{wt$DhY8+-w-_&D} z#d&*`J^K|2m(|RH$$Xh42Vo;+wM)!tc!Z{hnGW&8B7jvVi8j|k?|wj|H_V~%E=4eS zD>IWW;X|Z806I>Eh6bkRVzSzQsSEMQP!yaB6Ve4JSFIb-hQ5X$QVO%kO=|P0}G3k9bN&| zx#lw->(|3=TxhpmqRVH`K4g*at3RanNN{&qT`9&7PipYP5}~s1#lvJ7dR?6!$9hh_ z9;54F>he2&N8yK^|NC_wPydC}ivpPn5CUZExKlEOoe_-Y@D^ZOjl3}+o$+rJ>&Vq4 z|Bf!)oRqaB1c`3~HQETriM(Q5Ak%3|;KIMhe|PtWiN!%w0{1qiJy!{Sjo zb4W3f5!u2Ij~=nZeiI@ACWEXEarotn-gCbLWP1yq_7scya{8%RK*pJPo%&c1<4$F= z$bb)mSz}wEBM$;k<`k2oQQ-~Y$Htvin+*JN1ApIK@m6-H?$eS^0>sSp4nMtRVWDof zmoter8xj7Owr{w(x5{Fj0jBLy4=kt|rV_uBM3l=%?vsC+mfRZl5-rUM^tEUd73GWw z3^6>0h}0FVtFWlR$St&(wIJx|pG$pxd8CXX009DqRI^MmO&QIW3uPD%1*L?a5JRPd z%Yh6N3D7APYXzg|HuU{1{%=0t1)V1}l9)WJl<#Lf3$IMEx>;c;Op|zJ<4t=V$Iw+) z)v9EQlGt->EnKO^aaXoTZS>8K4&c3>?e$Jf^ZI-bjmMtt>^)45Nd=;(`+5I(Y^jl- zPnNG|vIANvnojcdj?a+x)P&Qr-EBp&h$+`g!WtONv83?(;$yk`0L2Xr=D&xGo0bAqGA}bU^ zIfTM;Zv>VBI2e54sP@98h%tzi%;LDW+)&D^G+rwN1uGkatnp3ZT_gapo|NwH#3sBcZRwF4TrCbCJ&bxY?XSPMhh;$ zc?(%Az#a2UUcIaLz(?F2QMiF5vgHhdbp_{txtDb@dL+BmE}{_ERZFCB49j(W^xYdh z$}tGPpnY5%@2v5063&iLg0QwGV^FX{C1sOhhf#X0^+Pz{GCE76-Fwsu(q8;l#@YU_ ze+AR$@TkSfby27=R9_#`p+@Wc3F%?LZ%-)H{m5;YIiktdt%|qbxlDTgRt~CzO_?tf z!78CqEYMFko6U;=dzteBk2^ahqe@Ao1(e(}rXx~Xf%Nq2>Kncl ar?zZizb61*JnuG-KzqbaNJ-rZHD6xlO*}II literal 0 HcmV?d00001 diff --git a/config/etc/certs/omc_pub.key_pub.key b/config/etc/certs/omc_pub.key_pub.key new file mode 100644 index 00000000..8e7ecc5c --- /dev/null +++ b/config/etc/certs/omc_pub.key_pub.key 
@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw0BP+WJNddrEd9OskJ9A
+W6QFR4GrU/N82FOSzWlJQi2nHnPXA+0fADZ8B5sD011LmS1wznKl9922fw2S5Sz0
+dc2pCPNCZ4HhkDhlBUkZ07sIswIuoU40vjvQZJgjNHQGIoAADPjcxGWjHibkmioP
++7Y6Zvot80xZGXzZbdya8zXAEZFrVtYZsmbYt0Vh2cSUJlkpyqKf3JFrBYlR8bWr
+VH4Mf2pM1Z29ouW+UgNZ3/vL4JpTeLjYQs1not2HHYo5VgwX/20zGeNInCRIc/7H
+YHLkRa9YhfpN5TIkbynrBbKV5hx+lJ9iADqWR7Ug1OHx7zgfm1iz25VflDNls+Mp
+JwIDAQAB
+-----END PUBLIC KEY-----
diff --git a/features/cm/software.go b/features/cm/software.go
index 81ad080e..d8657399 100644
--- a/features/cm/software.go
+++ b/features/cm/software.go
@@ -1,6 +1,7 @@ package cm import ( + "bytes" "fmt" "net/http" "os"
@@ -22,6 +23,7 @@ const ( SoftwareStatusInactive = "Inactive" SoftwareStatusActive = "Active" DigestsSignOkString = "digests signatures OK" + SoftwareVerifiedOk = "Verified OK" ) var (
@@ -32,6 +34,23 @@ var ( CustomUriSoftwareNE = config.UriPrefix + "/systemManagement/{apiVersion}/{neType}/software/{version}/{neId}" ) +// 验证签名 +func verify_signature(public_key_name string, source_cms_file string, source_file string) bytes.Buffer { + cmd := exec.Command("/usr/local/omc/run/iv", "verify_signature", public_key_name, source_cms_file, source_file) + var out bytes.Buffer + cmd.Stdout = &out + cmd.Env = append(os.Environ(), + "FOO=duplicate_value", // 重复被忽略 + "FOO=actual_value", // 实际被使用 + ) + err := cmd.Run() + if err != nil { + log.Error(err) + } + + return out +} + func UploadSoftwareFile(w http.ResponseWriter, r *http.Request) { log.Debug("UploadSoftwareFile processing... ")
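Review bot: verify_signature swallows the verifier's exit status — the `err` from `cmd.Run()` is only logged and the caller receives stdout alone, so a missing or crashing `/usr/local/omc/run/iv` is indistinguishable from a bad signature, and stderr is discarded because `cmd.Stderr` is never set. The two `FOO=…` entries appended to `cmd.Env` are the sample from the os/exec documentation and do nothing useful here; without them `cmd.Env` can stay nil so the child simply inherits the environment. The verifier path is hard-coded while the same patch adds an `OMC.RunDir` setting that nothing reads, which presumably was meant to supply it — confirm. Go naming is MixedCaps (`verifySignature`), and returning `bytes.Buffer` by value copies the buffer; returning `(string, error)` and having the caller fail on a non-nil error keeps the check fail-closed with a usable diagnostic. The function is complete within the hunk; the rewrite below keeps the three path arguments and requires the call site in the later hunk to check the returned error.
```go
// verifySignature runs the external verifier on sourceFile using the CMS
// signature in sourceCMSFile and the public key at publicKeyName. It returns
// the verifier's trimmed stdout; err is non-nil if the verifier could not be
// run or exited non-zero (its stderr is included in the error for diagnosis).
func verifySignature(publicKeyName, sourceCMSFile, sourceFile string) (string, error) {
	cmd := exec.Command("/usr/local/omc/run/iv", "verify_signature", publicKeyName, sourceCMSFile, sourceFile)
	var stdout, stderr bytes.Buffer
	cmd.Stdout = &stdout
	cmd.Stderr = &stderr
	if err := cmd.Run(); err != nil {
		return "", fmt.Errorf("running signature verifier: %w; stderr: %s", err, strings.TrimSpace(stderr.String()))
	}
	return strings.TrimSpace(stdout.String()), nil
}
```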
@@ -77,7 +96,18 @@ func UploadSoftwareFile(w http.ResponseWriter, r *http.Request) { return } + filePrefix := fileName[:strings.Index(fileName, ".zip")] + filePath := fmt.Sprintf("%s/%s", softwarePath, fileName) + cmd := exec.Command("unzip", filePath) + cmd.Dir = softwarePath + out, err := cmd.CombinedOutput() + log.Debugf("Exec outpout:%s", string(out)) + if err != nil { + log.Error("Failed to unzip:", err) + services.ResponseInternalServerError500ProcessError(w, err) + return + } md5File, err := global.GetFileMD5Sum(filePath) if err != nil { log.Error("Faile to GetFileMD5Sum:", err) 
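Review bot: `fileName[:strings.Index(fileName, ".zip")]` panics with a slice-bounds error when the uploaded name contains no `.zip`, because `strings.Index` returns -1; the name has to be checked and the request rejected before slicing. The archive is also extracted into `softwarePath` before the signature check in the following hunk runs, so a rejected upload still leaves its extracted files on disk and can overwrite an existing `<prefix>.rpm`/`.cms` of the same name — extract into a temporary directory, or remove the extracted files when verification fails. If a same-named file already exists, `unzip` is likely to prompt for confirmation rather than fail, so the overwrite policy should be passed explicitly (`-o` or `-n`). `UploadSoftwareFile` starts and ends outside the hunk. The guard below replaces the `filePrefix` line; the rest of the hunk is unchanged (a client-error response would fit better than the 500 helper if the project provides one).
```go
if !strings.HasSuffix(fileName, ".zip") {
	err := fmt.Errorf("software file %q is not a .zip archive", fileName)
	log.Error(err)
	services.ResponseInternalServerError500ProcessError(w, err)
	return
}
filePrefix := strings.TrimSuffix(fileName, ".zip")
filePath := fmt.Sprintf("%s/%s", softwarePath, fileName)
// … unchanged: unzip command, CombinedOutput, error handling, MD5 …
```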
@@ -93,20 +123,31 @@ func UploadSoftwareFile(w http.ResponseWriter, r *http.Request) { } if config.GetYamlConfig().OMC.CheckSign { - cmd := exec.Command("rpm", "-K", filePath) - out, err := cmd.CombinedOutput() - log.Debugf("Exec outpout:%s", string(out)) - if err != nil { - log.Error("Failed to execute rpm:", err) - services.ResponseInternalServerError500ProcessError(w, err) - return - } - if !strings.Contains(string(out), DigestsSignOkString) { + rpmFileName := filePrefix + ".rpm" + rpmFilePath := softwarePath + "/" + rpmFileName + cmsFileName := rpmFileName + ".cms" + cmsFilePath := softwarePath + "/" + cmsFileName + result := verify_signature(config.GetYamlConfig().Auth.PublicKey, cmsFilePath, rpmFilePath) + if result.String() != SoftwareVerifiedOk { err = global.ErrCMNotMatchSignFile log.Error(err) services.ResponseInternalServerError500ProcessError(w, err) return } + // cmd := exec.Command("rpm", "-K", filePath) + // out, err := cmd.CombinedOutput() + // log.Debugf("Exec outpout:%s", string(out)) + // if err != nil { + // log.Error("Failed to execute rpm:", err) + // services.ResponseInternalServerError500ProcessError(w, err) + // return + // } + // if !strings.Contains(string(out), DigestsSignOkString) { + // err = global.ErrCMNotMatchSignFile + // log.Error(err) + // services.ResponseInternalServerError500ProcessError(w, err) + // return + // } } //neBackup := dborm.NeBackup{NeType: neType, NeId: neId, Md5Sum: md5Sum}
diff --git a/restagent/config/config.go b/restagent/config/config.go
index e26ddabe..a1191a28 100644
--- a/restagent/config/config.go
+++ b/restagent/config/config.go
@@ -60,6 +60,7 @@ type YamlConfig struct { CheckContentType bool `yaml:"checkContentType"` TestMode bool `yaml:"testMode"` RBACMode bool `yaml:"rbacMode"` + RunDir string `yaml:"runDir"` } `yaml:"omc"` Alarm struct {
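Review bot: `result.String() != SoftwareVerifiedOk` is an exact comparison against the verifier's raw stdout, so a trailing newline or any extra output makes every valid upload fail; compare `strings.TrimSpace(result.String()) != SoftwareVerifiedOk` (or a prefix check if the tool prints more than the verdict). Because verify_signature only logs its own error, a verifier that cannot start is reported to the client as `ErrCMNotMatchSignFile` — fail-closed, but the operational cause is hidden from the response, so the log line here should at least distinguish "verifier failed" from "signature rejected". The signature covers only `<prefix>.rpm`; if anything else extracted from the archive is used later in `UploadSoftwareFile`, it is unverified — that part of the function is outside the hunk. The superseded `rpm -K` block should be deleted rather than left commented out, and `DigestsSignOkString` then needs a check that it still has a reader.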
@@ -98,10 +99,12 @@ type YamlConfig struct { } `yaml:"ne"` Auth struct { - Crypt string `yaml:"crypt"` - Token bool `yaml:"token"` - Expires uint32 `yaml:"expires"` - Session string `yaml:"session"` + Crypt string `yaml:"crypt"` + Token bool `yaml:"token"` + Expires uint32 `yaml:"expires"` + Session string `yaml:"session"` + PublicKey string `yaml:"publicKey"` + PrivateKey string `yaml:"privateKey"` } `yaml:"auth"` Params struct {
diff --git a/restagent/etc/restconf.yaml b/restagent/etc/restconf.yaml
index 31c2a66d..1b312829 100644
--- a/restagent/etc/restconf.yaml
+++ b/restagent/etc/restconf.yaml
@@ -63,6 +63,7 @@ omc: checkContentType: false testMode: true rbacMode: true + runDir: # Alarm module setting # Forward interface:
@@ -91,6 +92,8 @@ auth: token: true expires: 1800 session: multiple + publicKey: /usr/local/omc/etc/certs/omc_pub.key + privateKey: /usr/local/omc/etc/certs/omc_pri.key # Parameter for limit number # rmuid_maxnum: the max number of rmUID, default: 50
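Review bot: Nothing in this patch reads the new `privateKey` setting, and the only private-key material it introduces is `config/etc/certs/omc_pri.key_pri.key.aes_en`, which by its name is an AES-encrypted private key now checked into the repository. Even encrypted, a private key in source control is a long-lived secret exposure: the passphrase and decryption procedure are not in the patch, and the configured path `/usr/local/omc/etc/certs/omc_pri.key` suggests it is decrypted to a plaintext file at deploy time. Keep the key file out of the tree (provision it through the deployment's secret store and list the path in `.gitignore`) and annotate the setting, e.g. `# privateKey is not read by restagent yet; the key file must never be committed` — signature verification in software.go needs only `publicKey`. `runDir:` in the preceding hunk is added without a value, so `OMC.RunDir` is the empty string while nothing in the patch reads it — confirm it is meant to replace the verifier path hard-coded in verify_signature.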