sign

2023-08-20 16:31:33 +08:00
parent e4fe101e4d
commit a2e1407da4
5 changed files with 69 additions and 13 deletions
--- a/config/etc/certs/omc_pri.key_pri.key.aes_en
+++ b/config/etc/certs/omc_pri.key_pri.key.aes_en
--- a/config/etc/certs/omc_pub.key_pub.key
+++ b/config/etc/certs/omc_pub.key_pub.key
@@ -0,0 +1,9 @@
 -----BEGIN PUBLIC KEY-----
 MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw0BP+WJNddrEd9OskJ9A
 W6QFR4GrU/N82FOSzWlJQi2nHnPXA+0fADZ8B5sD011LmS1wznKl9922fw2S5Sz0
 dc2pCPNCZ4HhkDhlBUkZ07sIswIuoU40vjvQZJgjNHQGIoAADPjcxGWjHibkmioP
 +7Y6Zvot80xZGXzZbdya8zXAEZFrVtYZsmbYt0Vh2cSUJlkpyqKf3JFrBYlR8bWr
 VH4Mf2pM1Z29ouW+UgNZ3/vL4JpTeLjYQs1not2HHYo5VgwX/20zGeNInCRIc/7H
 YHLkRa9YhfpN5TIkbynrBbKV5hx+lJ9iADqWR7Ug1OHx7zgfm1iz25VflDNls+Mp
 JwIDAQAB
 -----END PUBLIC KEY-----
--- a/features/cm/software.go
+++ b/features/cm/software.go
@@ -1,6 +1,7 @@
 package cm
 import (
 	"bytes"
 	"fmt"
 	"net/http"
 	"os"
@@ -22,6 +23,7 @@ const (
 	SoftwareStatusInactive = "Inactive"
 	SoftwareStatusActive   = "Active"
 	DigestsSignOkString    = "digests signatures OK"
 	SoftwareVerifiedOk     = "Verified OK"
 )
 var (
@@ -32,6 +34,23 @@ var (
 	CustomUriSoftwareNE = config.UriPrefix + "/systemManagement/{apiVersion}/{neType}/software/{version}/{neId}"
 )
 // 验证签名
 func verify_signature(public_key_name string, source_cms_file string, source_file string) bytes.Buffer {
 	cmd := exec.Command("/usr/local/omc/run/iv", "verify_signature", public_key_name, source_cms_file, source_file)
 	var out bytes.Buffer
 	cmd.Stdout = &out
 	cmd.Env = append(os.Environ(),
 		"FOO=duplicate_value", // 重复被忽略
 		"FOO=actual_value",    // 实际被使用
 	)
 	err := cmd.Run()
 	if err != nil {
 		log.Error(err)
 	}
 	return out
 }
 func UploadSoftwareFile(w http.ResponseWriter, r *http.Request) {
 	log.Debug("UploadSoftwareFile processing... ")
@@ -77,7 +96,18 @@ func UploadSoftwareFile(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	filePrefix := fileName[:strings.Index(fileName, ".zip")]
 	filePath := fmt.Sprintf("%s/%s", softwarePath, fileName)
 	cmd := exec.Command("unzip", filePath)
 	cmd.Dir = softwarePath
 	out, err := cmd.CombinedOutput()
 	log.Debugf("Exec outpout:%s", string(out))
 	if err != nil {
 		log.Error("Failed to unzip:", err)
 		services.ResponseInternalServerError500ProcessError(w, err)
 		return
 	}
 	md5File, err := global.GetFileMD5Sum(filePath)
 	if err != nil {
 		log.Error("Faile to GetFileMD5Sum:", err)
@@ -93,20 +123,31 @@ func UploadSoftwareFile(w http.ResponseWriter, r *http.Request) {
 	}
 	if config.GetYamlConfig().OMC.CheckSign {
-		cmd := exec.Command("rpm", "-K", filePath)
+		rpmFileName := filePrefix + ".rpm"
-		out, err := cmd.CombinedOutput()
+		rpmFilePath := softwarePath + "/" + rpmFileName
-		log.Debugf("Exec outpout:%s", string(out))
+		cmsFileName := rpmFileName + ".cms"
-		if err != nil {
+		cmsFilePath := softwarePath + "/" + cmsFileName
-			log.Error("Failed to execute rpm:", err)
+		result := verify_signature(config.GetYamlConfig().Auth.PublicKey, cmsFilePath, rpmFilePath)
-			services.ResponseInternalServerError500ProcessError(w, err)
+		if result.String() != SoftwareVerifiedOk {
 			return
 		}
 		if !strings.Contains(string(out), DigestsSignOkString) {
 			err = global.ErrCMNotMatchSignFile
 			log.Error(err)
 			services.ResponseInternalServerError500ProcessError(w, err)
 			return
 		}
 		// cmd := exec.Command("rpm", "-K", filePath)
 		// out, err := cmd.CombinedOutput()
 		// log.Debugf("Exec outpout:%s", string(out))
 		// if err != nil {
 		// 	log.Error("Failed to execute rpm:", err)
 		// 	services.ResponseInternalServerError500ProcessError(w, err)
 		// 	return
 		// }
 		// if !strings.Contains(string(out), DigestsSignOkString) {
 		// 	err = global.ErrCMNotMatchSignFile
 		// 	log.Error(err)
 		// 	services.ResponseInternalServerError500ProcessError(w, err)
 		// 	return
 		// }
 	}
 	//neBackup := dborm.NeBackup{NeType: neType, NeId: neId, Md5Sum: md5Sum}
--- a/restagent/config/config.go
+++ b/restagent/config/config.go
@@ -60,6 +60,7 @@ type YamlConfig struct {
 		CheckContentType bool   `yaml:"checkContentType"`
 		TestMode         bool   `yaml:"testMode"`
 		RBACMode         bool   `yaml:"rbacMode"`
 		RunDir           string `yaml:"runDir"`
 	} `yaml:"omc"`
 	Alarm struct {
@@ -98,10 +99,12 @@ type YamlConfig struct {
 	} `yaml:"ne"`
 	Auth struct {
-		Crypt   string `yaml:"crypt"`
+		Crypt      string `yaml:"crypt"`
-		Token   bool   `yaml:"token"`
+		Token      bool   `yaml:"token"`
-		Expires uint32 `yaml:"expires"`
+		Expires    uint32 `yaml:"expires"`
-		Session string `yaml:"session"`
+		Session    string `yaml:"session"`
 		PublicKey  string `yaml:"publicKey"`
 		PrivateKey string `yaml:"privateKey"`
 	} `yaml:"auth"`
 	Params struct {
--- a/restagent/etc/restconf.yaml
+++ b/restagent/etc/restconf.yaml
@@ -63,6 +63,7 @@ omc:
  checkContentType: false
  testMode: true
  rbacMode: true
  runDir: 
 # Alarm module setting
 # Forward interface:
@@ -91,6 +92,8 @@ auth:
  token: true
  expires: 1800
  session: multiple
  publicKey: /usr/local/omc/etc/certs/omc_pub.key
  privateKey: /usr/local/omc/etc/certs/omc_pri.key
 # Parameter for limit number 
 # rmuid_maxnum: the max number of rmUID, default: 50