ocdp v1

backend/internal/pkg/crypto/crypto.go

@@ -0,0 +1,128 @@
+package crypto
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/rand"
+	"crypto/sha256"
+	"encoding/base64"
+	"errors"
+	"io"
+)
+
+// Encryptor 加密器接口
+type Encryptor interface {
+	Encrypt(plaintext string) (string, error)
+	Decrypt(ciphertext string) (string, error)
+}
+
+// AESEncryptor AES 加密器
+type AESEncryptor struct {
+	key []byte
+}
+
+// NewAESEncryptor 创建 AES 加密器
+// key: 加密密钥（会自动派生为32字节密钥）
+func NewAESEncryptor(key string) *AESEncryptor {
+	// 使用 SHA256 派生固定长度的密钥
+	hash := sha256.Sum256([]byte(key))
+	return &AESEncryptor{
+		key: hash[:],
+	}
+}
+
+// Encrypt 加密字符串
+// 返回 Base64 编码的密文
+func (e *AESEncryptor) Encrypt(plaintext string) (string, error) {
+	if plaintext == "" {
+		return "", nil
+	}
+
+	block, err := aes.NewCipher(e.key)
+	if err != nil {
+		return "", err
+	}
+
+	// 创建 GCM 模式
+	gcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return "", err
+	}
+
+	// 生成随机 nonce
+	nonce := make([]byte, gcm.NonceSize())
+	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
+		return "", err
+	}
+
+	// 加密（nonce 会自动附加到密文前面）
+	ciphertext := gcm.Seal(nonce, nonce, []byte(plaintext), nil)
+
+	// Base64 编码
+	return base64.StdEncoding.EncodeToString(ciphertext), nil
+}
+
+// Decrypt 解密字符串
+// 输入为 Base64 编码的密文
+func (e *AESEncryptor) Decrypt(ciphertext string) (string, error) {
+	if ciphertext == "" {
+		return "", nil
+	}
+
+	// Base64 解码
+	data, err := base64.StdEncoding.DecodeString(ciphertext)
+	if err != nil {
+		return "", err
+	}
+
+	block, err := aes.NewCipher(e.key)
+	if err != nil {
+		return "", err
+	}
+
+	gcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return "", err
+	}
+
+	nonceSize := gcm.NonceSize()
+	if len(data) < nonceSize {
+		return "", errors.New("ciphertext too short")
+	}
+
+	// 提取 nonce 和实际密文
+	nonce, cipherBytes := data[:nonceSize], data[nonceSize:]
+
+	// 解密
+	plaintext, err := gcm.Open(nil, nonce, cipherBytes, nil)
+	if err != nil {
+		return "", err
+	}
+
+	return string(plaintext), nil
+}
+
+// MaskSensitiveData 脱敏显示敏感数据
+// 如果数据为空或已加密标记，返回掩码
+func MaskSensitiveData(data string) string {
+	if data == "" {
+		return ""
+	}
+	return "••••••••" // 统一返回8个点，不泄露长度信息
+}
+
+// IsEncrypted 检查字符串是否已加密
+// 简单检查：加密后的数据是 Base64 格式且长度较长
+func IsEncrypted(data string) bool {
+	if data == "" {
+		return false
+	}
+	// 加密后的数据至少有 nonce(12) + tag(16) + 内容，Base64后会更长
+	if len(data) < 40 {
+		return false
+	}
+	// 尝试 Base64 解码
+	_, err := base64.StdEncoding.DecodeString(data)
+	return err == nil
+}
+

backend/internal/pkg/crypto/crypto_test.go

@@ -0,0 +1,124 @@
+package crypto
+
+import (
+	"testing"
+)
+
+func TestAESEncryptor(t *testing.T) {
+	encryptor := NewAESEncryptor("test-secret-key")
+
+	tests := []struct {
+		name      string
+		plaintext string
+	}{
+		{"simple password", "password123"},
+		{"harbor password", "BWGDIP@ssw0rd1401#"},
+		{"empty string", ""},
+		{"long certificate", "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJkekNDQVIyZ0F3SUJBZ0lCQURBS0JnZ3Foa2pP"},
+		{"unicode", "密码123!@#"},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// 测试加密
+			encrypted, err := encryptor.Encrypt(tt.plaintext)
+			if err != nil {
+				t.Fatalf("Encrypt failed: %v", err)
+			}
+
+			// 空字符串应该返回空
+			if tt.plaintext == "" {
+				if encrypted != "" {
+					t.Errorf("Expected empty encrypted string, got %s", encrypted)
+				}
+				return
+			}
+
+			// 加密后应该不同
+			if encrypted == tt.plaintext {
+				t.Errorf("Encrypted text should differ from plaintext")
+			}
+
+			// 测试解密
+			decrypted, err := encryptor.Decrypt(encrypted)
+			if err != nil {
+				t.Fatalf("Decrypt failed: %v", err)
+			}
+
+			// 解密后应该相同
+			if decrypted != tt.plaintext {
+				t.Errorf("Decrypted text mismatch: got %s, want %s", decrypted, tt.plaintext)
+			}
+		})
+	}
+}
+
+func TestMaskSensitiveData(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		expected string
+	}{
+		{"normal password", "password123", "••••••••"},
+		{"empty string", "", ""},
+		{"long string", "very-long-password-with-many-characters", "••••••••"},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := MaskSensitiveData(tt.input)
+			if result != tt.expected {
+				t.Errorf("MaskSensitiveData(%s) = %s, want %s", tt.input, result, tt.expected)
+			}
+		})
+	}
+}
+
+func TestIsEncrypted(t *testing.T) {
+	encryptor := NewAESEncryptor("test-key")
+
+	plaintext := "password123"
+	encrypted, _ := encryptor.Encrypt(plaintext)
+
+	tests := []struct {
+		name     string
+		input    string
+		expected bool
+	}{
+		{"encrypted data", encrypted, true},
+		{"plaintext", "password123", false},
+		{"empty string", "", false},
+		{"short string", "abc", false},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := IsEncrypted(tt.input)
+			if result != tt.expected {
+				t.Errorf("IsEncrypted(%s) = %v, want %v", tt.input, result, tt.expected)
+			}
+		})
+	}
+}
+
+func TestEncryptionConsistency(t *testing.T) {
+	encryptor := NewAESEncryptor("consistent-key")
+	plaintext := "test-password"
+
+	// 多次加密同一内容，结果应该不同（因为使用随机 nonce）
+	encrypted1, _ := encryptor.Encrypt(plaintext)
+	encrypted2, _ := encryptor.Encrypt(plaintext)
+
+	if encrypted1 == encrypted2 {
+		t.Error("Multiple encryptions of same plaintext should produce different ciphertexts")
+	}
+
+	// 但解密结果应该相同
+	decrypted1, _ := encryptor.Decrypt(encrypted1)
+	decrypted2, _ := encryptor.Decrypt(encrypted2)
+
+	if decrypted1 != plaintext || decrypted2 != plaintext {
+		t.Error("Decryption should produce original plaintext")
+	}
+}
+