Go与Nginx(lua-resty-string)跨语言加解密
需求
用户登录后,go服务端把身份、IP信息等加密放到cookie中。Nginx(基于openresty构建)lua解密,比较访问的IP与cookie中记录的IP是否一致,不一致则进行拦截。
以下采用CBC模式实现,跨语言的AES加解密,关键还是使用一致的模式、填充和向量。
Nginx lua AES加解密
环境构建:openresty docker
依赖:lua-resty-string
lua-resty-string中调用的是openssl的库,所以加的padding用的是openssl默认的PKCS7填充方式
-- user_decrypt.lua
local user_decrypt = {}
local aes = require "resty.aes"
user_decrypt.aesCoder = nil
local function isCoderOk()
return user_decrypt.aesCoder
end
-- 初始化加密器
function user_decrypt.initCoder(key, iv)
if isCoderOk() then
return
end
-- 当前使用AES256, 若修改为128,使用aes.cipher(128,"cbc"), key修改为16位
user_decrypt.aesCoder = aes:new(key, nil, aes.cipher(256,"cbc"), {iv=iv, method=nil})
if not isCoderOk() then
ngx.log(ngx.ERR, "init encryption coder failed...")
end
end
function user_decrypt.encrypt(msg)
if not isCoderOk() then
ngx.log(ngx.ERR, "encrypt failed, coder are nil")
end
-- aes encrypt
local encrypted = user_decrypt.aesCoder:encrypt(msg)
local encryptedBase64 = ngx.encode_base64(encrypted)
ngx.log(ngx.INFO, "encrypted msg base64: ", encryptedBase64)
return encryptedBase64
end
function user_decrypt.decrypt(msgEncrypted)
if not isCoderOk() then
ngx.log(ngx.ERR, "decrypt failed, coders are nil")
return nil
end
-- 解密
local msg = user_decrypt.aesCoder:decrypt(ngx.decode_base64(msgEncrypted))
ngx.log(ngx.INFO, "msg: ", msg)
return msg
end
return user_decrypt
-- user_access.lua
-- call user decrypt
local key = "" -- 32位或16位
local iv = "" -- 16位
local userDecrypt = require("user_decrypt")
userDecrypt.initCoder(key, iv)
-- 解密cookie
local origin = "username|ip"
local userCookie = userDecrypt.encrypt(origin)
ngx.log(ngx.INFO, "userCookie decrypt:", userDecrypt.decrypt(userCookie))
Golang对应的加解密
与nginx加解密时使用一样的key和iv即可。
package aes
import (
"bytes"
"crypto/aes"
"crypto/cipher"
"encoding/base64"
"errors"
)
// CBCEncryptWithPKCS7 CBC模式PKCS7填充AES加密
func CBCEncryptWithPKCS7(encodeStr, key, iv string) (cryptedStr string, err error) {
if len(encodeStr) == 0 || len(key) == 0 || len(iv) == 0 {
return
}
// 根据key 生成密文
block, err := aes.NewCipher([]byte(key))
if err != nil {
return
}
// padding
blockSize := block.BlockSize()
// blockSize必须等于len(iv)
if blockSize != len(iv) {
err = errors.New("IV length must equal block size")
return
}
encodeBytes := []byte(encodeStr)
encodeBytes = pKCS7Padding(encodeBytes, blockSize)
// 加密
blockMode := cipher.NewCBCEncrypter(block, []byte(iv))
crypted := make([]byte, len(encodeBytes))
blockMode.CryptBlocks(crypted, encodeBytes)
// base64编码
cryptedStr = base64.StdEncoding.EncodeToString(crypted)
return
}
func pKCS7Padding(cipherText []byte, blockSize int) []byte {
padding := blockSize - len(cipherText)%blockSize
// 填充
padText := bytes.Repeat([]byte{byte(padding)}, padding)
return append(cipherText, padText...)
}
// CBCDecryptWithPKCS7 CBC模式PKCS7填充AES解密
func CBCDecryptWithPKCS7(decodeStr, key, iv string) (origDataStr string, err error) {
if len(decodeStr) == 0 || len(key) == 0 || len(iv) == 0 {
return
}
// 先解密base64
decodeBytes, err := base64.StdEncoding.DecodeString(decodeStr)
if err != nil {
return
}
block, err := aes.NewCipher([]byte(key))
if err != nil {
return
}
// blockSize必须等于len(iv)
if block.BlockSize() != len(iv) {
err = errors.New("IV length must equal block size")
return
}
blockMode := cipher.NewCBCDecrypter(block, []byte(iv))
origData := make([]byte, len(decodeBytes))
blockMode.CryptBlocks(origData, decodeBytes)
origData = pKCS7UnPadding(origData)
origDataStr = string(origData)
return
}
func pKCS7UnPadding(origData []byte) []byte {
length := len(origData)
unPadding := int(origData[length-1])
return origData[:(length - unPadding)]
}
参考:
python与nginx aes加解密对接
客户端与服务端数据加密传输方案
pycrypto 和 lua-resty-rsa 进行跨语言的RSA加密解密