liuyu/nofx
1
0
Fork 0
mirror of https://github.com/NoFxAiOS/nofx.git synced 2026-06-06 05:51:19 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
f1f24ad1fa5e732b13f4f76445addfccdd57d897
nofx/api/crypto_handler.go
ZhouYongyou feeaa14050 feat(security): add end-to-end encryption for sensitive data 
## Summary
Add comprehensive encryption system to protect private keys and API secrets.
## Core Components
- `crypto/encryption.go`: RSA-4096 + AES-256-GCM encryption manager
- `crypto/secure_storage.go`: Database encryption layer + audit logs
- `crypto/aliyun_kms.go`: Optional Aliyun KMS integration
- `api/crypto_handler.go`: Encryption API endpoints
- `web/src/lib/crypto.ts`: Frontend two-stage encryption
- `scripts/migrate_encryption.go`: Data migration tool
- `deploy_encryption.sh`: One-click deployment
## Security Architecture
```
Frontend: Two-stage input + clipboard obfuscation
    ↓
Transport: RSA-4096 + AES-256-GCM hybrid encryption
    ↓
Storage: Database encryption + audit logs
```
## Features
 Zero breaking changes (backward compatible)
 Automatic migration of existing data
 <25ms overhead per operation
 Complete audit trail
 Optional cloud KMS support
## Migration
```bash
./deploy_encryption.sh  # 5 minutes, zero downtime
```
## Testing
```bash
go test ./crypto -v
```
Related-To: security-enhancement
2025-11-06 23:55:33 +08:00

128 lines
3.2 KiB
Go
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

package api
import (
"encoding/json"
"log"
"net/http"
"nofx/crypto"
)
// CryptoHandler 加密 API 處理器
type CryptoHandler struct {
em *crypto.EncryptionManager
ss *crypto.SecureStorage
}
// NewCryptoHandler 創建加密處理器
func NewCryptoHandler(ss *crypto.SecureStorage) (*CryptoHandler, error) {
em, err := crypto.GetEncryptionManager()
if err != nil {
return nil, err
}
return &CryptoHandler{
em: em,
ss: ss,
}, nil
}
// ==================== 公鑰端點 ====================
// HandleGetPublicKey 獲取伺服器公鑰
func (h *CryptoHandler) HandleGetPublicKey(w http.ResponseWriter, r *http.Request) {
if r.Method != http.MethodGet {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
return
}
publicKey := h.em.GetPublicKeyPEM()
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(map[string]string{
"public_key": publicKey,
"algorithm": "RSA-OAEP-4096",
})
}
// ==================== 加密數據解密端點 ====================
// HandleDecryptPrivateKey 解密客戶端傳送的加密私鑰
func (h *CryptoHandler) HandleDecryptPrivateKey(w http.ResponseWriter, r *http.Request) {
if r.Method != http.MethodPost {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
return
}
var req struct {
EncryptedKey string `json:"encrypted_key"`
}
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
http.Error(w, "Invalid request", http.StatusBadRequest)
return
}
// 解密
decrypted, err := h.em.DecryptWithPrivateKey(req.EncryptedKey)
if err != nil {
log.Printf("❌ 解密失敗: %v", err)
http.Error(w, "Decryption failed", http.StatusInternalServerError)
return
}
// 驗證私鑰格式
if !isValidPrivateKey(decrypted) {
http.Error(w, "Invalid private key format", http.StatusBadRequest)
return
}
// ⚠️ 注意:實際生產中,這裡不應該直接返回明文私鑰
// 應該立即使用主密鑰加密後存入數據庫,然後返回成功狀態
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(map[string]string{
"status": "success",
"message": "私鑰已成功解密並驗證",
})
}
// ==================== 審計日誌查詢端點 ====================
// HandleGetAuditLogs 查詢審計日誌
func (h *CryptoHandler) HandleGetAuditLogs(w http.ResponseWriter, r *http.Request) {
if r.Method != http.MethodGet {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
return
}
// 從請求中獲取用戶 ID應該從 JWT token 中提取)
userID := r.Header.Get("X-User-ID")
if userID == "" {
http.Error(w, "Unauthorized", http.StatusUnauthorized)
return
}
logs, err := h.ss.GetAuditLogs(userID, 100)
if err != nil {
http.Error(w, "Failed to fetch audit logs", http.StatusInternalServerError)
return
}
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(map[string]interface{}{
"logs": logs,
"count": len(logs),
})
}
// ==================== 工具函數 ====================
// isValidPrivateKey 驗證私鑰格式
func isValidPrivateKey(key string) bool {
// EVM 私鑰: 64 位十六進制 (可選 0x 前綴)
if len(key) == 64 || (len(key) == 66 && key[:2] == "0x") {
return true
}
// TODO: 添加其他鏈的驗證
return false
}
Reference in New Issue View Git Blame Copy Permalink