feat: 敏感信息存储支持国密 TencentBlueKing#2055

升级SDK版本，支持非对称加密

src/backend/build.gradle

@@ -130,7 +130,7 @@ ext {
     set('jcommanderVersion', "1.71")
     set('kubernetesJavaClientVersion', "11.0.4")
     set('springCloudKubernetesVersion', "2.0.6")
-    set('gmJavaSDKVersion', "0.0.4")
+    set('cryptoJavaSDKVersion', "0.0.6")
     if (System.getProperty("bkjobVersion")) {
         set('bkjobVersion', System.getProperty("bkjobVersion"))
         println "bkjobVersion:" + bkjobVersion
@@ -321,7 +321,7 @@ subprojects {
                 entry "hibernate-validator"
             }
             dependency "com.beust:jcommander:$jcommanderVersion"
-            dependency "com.tencent.bk.sdk:gm-java-sdk:$gmJavaSDKVersion"
+            dependency "com.tencent.bk.sdk:crypto-java-sdk:$cryptoJavaSDKVersion"
         }
     }
     dependencies {

src/backend/commons/common-utils/src/main/java/com/tencent/bk/job/common/util/crypto/RSAUtils.java

@@ -30,9 +30,22 @@
 import org.apache.commons.lang3.StringUtils;
 
 import javax.crypto.Cipher;
-import java.io.*;
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.io.StringReader;
+import java.io.UnsupportedEncodingException;
 import java.nio.charset.StandardCharsets;
-import java.security.*;
+import java.security.GeneralSecurityException;
+import java.security.InvalidKeyException;
+import java.security.KeyFactory;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.security.Signature;
+import java.security.SignatureException;
 import java.security.interfaces.RSAPrivateKey;
 import java.security.interfaces.RSAPublicKey;
 import java.security.spec.PKCS8EncodedKeySpec;
@@ -140,15 +153,39 @@ public static boolean verify(PublicKey publicKey, String message,
     }
 
     public static String encrypt(String rawText, PublicKey publicKey) throws IOException, GeneralSecurityException {
+        return encrypt(rawText.getBytes(CHARSET_NAME), publicKey);
+    }
+
+    public static String encrypt(byte[] messageBytes,
+                                 PublicKey publicKey) throws GeneralSecurityException {
         Cipher cipher = Cipher.getInstance(KEY_ALGORITHM);
         cipher.init(Cipher.ENCRYPT_MODE, publicKey);
-        return Base64.encodeBase64String(cipher.doFinal(rawText.getBytes(CHARSET_NAME)));
+        return Base64.encodeBase64String(cipher.doFinal(messageBytes));
     }
 
-    public static String decrypt(String cipherText,
+    public static byte[] encryptToBytes(byte[] messageBytes,
+                                        PublicKey publicKey) throws GeneralSecurityException {
+        Cipher cipher = Cipher.getInstance(KEY_ALGORITHM);
+        cipher.init(Cipher.ENCRYPT_MODE, publicKey);
+        return cipher.doFinal(messageBytes);
+    }
+
+    public static String decrypt(String cipherBase64Text,
                                  PrivateKey privateKey) throws IOException, GeneralSecurityException {
+        return decrypt(Base64.decodeBase64(cipherBase64Text), privateKey);
+    }
+
+    public static String decrypt(byte[] cipherBytes,
+                                 PrivateKey privateKey) throws IOException, GeneralSecurityException {
+        Cipher cipher = Cipher.getInstance(KEY_ALGORITHM);
+        cipher.init(Cipher.DECRYPT_MODE, privateKey);
+        return new String(cipher.doFinal(cipherBytes), CHARSET_NAME);
+    }
+
+    public static byte[] decryptToBytes(byte[] cipherBytes,
+                                        PrivateKey privateKey) throws IOException, GeneralSecurityException {
         Cipher cipher = Cipher.getInstance(KEY_ALGORITHM);
         cipher.init(Cipher.DECRYPT_MODE, privateKey);
-        return new String(cipher.doFinal(Base64.decodeBase64(cipherText)), CHARSET_NAME);
+        return cipher.doFinal(cipherBytes);
     }
 }

src/backend/commons/common/build.gradle

@@ -45,7 +45,7 @@ dependencies {
     implementation 'com.cronutils:cron-utils'
     implementation 'commons-validator:commons-validator'
     implementation 'org.springframework.cloud:spring-cloud-sleuth-instrumentation'
-    implementation 'com.tencent.bk.sdk:gm-java-sdk'
+    implementation 'com.tencent.bk.sdk:crypto-java-sdk'
     compileOnly 'org.springframework:spring-web'
     compileOnly 'org.projectlombok:lombok'
     annotationProcessor 'org.projectlombok:lombok'

src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/AESCryptor.java

@@ -24,22 +24,30 @@
 
 package com.tencent.bk.job.common.encrypt;
 
+import com.tencent.bk.job.common.exception.CryptoException;
 import com.tencent.bk.job.common.util.crypto.AESUtils;
-import com.tencent.bk.sdk.gm.annotation.Cryptor;
-import com.tencent.bk.sdk.gm.annotation.CryptorTypeEnum;
-import com.tencent.bk.sdk.gm.cryptor.AbstractSymmetricCryptor;
+import com.tencent.bk.sdk.crypto.annotation.Cryptor;
+import com.tencent.bk.sdk.crypto.annotation.CryptorTypeEnum;
+import com.tencent.bk.sdk.crypto.cryptor.AbstractSymmetricCryptor;
+import org.slf4j.helpers.FormattingTuple;
+import org.slf4j.helpers.MessageFormatter;
 
 /**
  * 使用AES/CBC/PKCS5Padding的加密实现
  */
-@Cryptor(name = CryptorNames.AES, type = CryptorTypeEnum.SYMMETRIC)
+@Cryptor(name = JobCryptorNames.AES, type = CryptorTypeEnum.SYMMETRIC)
 public class AESCryptor extends AbstractSymmetricCryptor {
     @Override
     public byte[] encrypt(byte[] key, byte[] message) {
         try {
             return AESUtils.encrypt(message, key);
         } catch (Exception e) {
-            throw new RuntimeException(e);
+            FormattingTuple msg = MessageFormatter.format(
+                "Fail to encrypt using AES, key.len={}, message.len={}",
+                key.length,
+                message.length
+            );
+            throw new CryptoException(msg.getMessage(), e);
         }
     }
 
@@ -48,7 +56,12 @@ public byte[] decrypt(byte[] key, byte[] encryptedMessage) {
         try {
             return AESUtils.decrypt(encryptedMessage, key);
         } catch (Exception e) {
-            throw new RuntimeException(e);
+            FormattingTuple msg = MessageFormatter.format(
+                "Fail to decrypt using AES, key.len={}, encryptedMessage.len={}",
+                key.length,
+                encryptedMessage.length
+            );
+            throw new CryptoException(msg.getMessage(), e);
         }
     }
 }

src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/EncryptConfig.java

@@ -25,6 +25,7 @@
 package com.tencent.bk.job.common.encrypt;
 
 import com.tencent.bk.job.common.util.json.JsonUtils;
+import com.tencent.bk.sdk.crypto.cryptor.consts.CryptorNames;
 import lombok.Getter;
 import lombok.Setter;
 import lombok.ToString;
@@ -49,7 +50,7 @@ public class EncryptConfig {
 
     private String defaultSymmetricAlgorithm = CryptorNames.NONE;
 
-    private String defaultAsymmetricAlgorithm = CryptorNames.RSA;
+    private String defaultAsymmetricAlgorithm = JobCryptorNames.RSA;
 
     /**
      * 各个场景下使用的加密算法，不配置则使用默认算法

src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/CryptorNames.java → src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/JobCryptorNames.java

@@ -24,13 +24,9 @@
 
 package com.tencent.bk.job.common.encrypt;
 
-public class CryptorNames {
-    // 不加密
-    public static final String NONE = "None";
+public class JobCryptorNames {
     // 对称加密
     public static final String AES = "AES";
-    public static final String SM4 = "SM4";
     // 非对称加密
     public static final String RSA = "RSA";
-    public static final String SM2 = "SM2";
 }

src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/RSACryptor.java

@@ -0,0 +1,70 @@
+/*
+ * Tencent is pleased to support the open source community by making BK-JOB蓝鲸智云作业平台 available.
+ *
+ * Copyright (C) 2021 THL A29 Limited, a Tencent company.  All rights reserved.
+ *
+ * BK-JOB蓝鲸智云作业平台 is licensed under the MIT License.
+ *
+ * License for BK-JOB蓝鲸智云作业平台:
+ * --------------------------------------------------------------------
+ * Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+ * documentation files (the "Software"), to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and
+ * to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all copies or substantial portions of
+ * the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO
+ * THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
+ * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+ * IN THE SOFTWARE.
+ */
+
+package com.tencent.bk.job.common.encrypt;
+
+import com.tencent.bk.job.common.exception.CryptoException;
+import com.tencent.bk.job.common.util.crypto.RSAUtils;
+import com.tencent.bk.sdk.crypto.annotation.Cryptor;
+import com.tencent.bk.sdk.crypto.annotation.CryptorTypeEnum;
+import com.tencent.bk.sdk.crypto.cryptor.AbstractASymmetricCryptor;
+import org.slf4j.helpers.FormattingTuple;
+import org.slf4j.helpers.MessageFormatter;
+
+import java.security.PrivateKey;
+import java.security.PublicKey;
+
+/**
+ * 使用RSA的加密实现
+ */
+@Cryptor(name = JobCryptorNames.RSA, type = CryptorTypeEnum.ASYMMETRIC)
+public class RSACryptor extends AbstractASymmetricCryptor {
+    @Override
+    public byte[] encrypt(PublicKey publicKey, byte[] message) {
+        try {
+            return RSAUtils.encryptToBytes(message, publicKey);
+        } catch (Exception e) {
+            FormattingTuple msg = MessageFormatter.format(
+                "Fail to encrypt using RSA, publicKey.len={}, message.len={}",
+                publicKey.getEncoded().length,
+                message.length
+            );
+            throw new CryptoException(msg.getMessage(), e);
+        }
+    }
+
+    @Override
+    public byte[] decrypt(PrivateKey privateKey, byte[] encryptedMessage) {
+        try {
+            return RSAUtils.decryptToBytes(encryptedMessage, privateKey);
+        } catch (Exception e) {
+            FormattingTuple msg = MessageFormatter.format(
+                "Fail to decrypt using RSA, privateKey.len={}, encryptedMessage.len={}",
+                privateKey.getEncoded().length,
+                encryptedMessage.length
+            );
+            throw new CryptoException(msg.getMessage(), e);
+        }
+    }
+}

src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/SymmetricCryptoService.java

@@ -24,8 +24,8 @@
 
 package com.tencent.bk.job.common.encrypt;
 
-import com.tencent.bk.sdk.gm.cryptor.SymmetricCryptor;
-import com.tencent.bk.sdk.gm.cryptor.SymmetricCryptorFactory;
+import com.tencent.bk.sdk.crypto.cryptor.SymmetricCryptor;
+import com.tencent.bk.sdk.crypto.cryptor.SymmetricCryptorFactory;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;

src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/scenario/CipherVariableService.java

@@ -26,8 +26,8 @@
 
 import com.tencent.bk.job.common.constant.TaskVariableTypeEnum;
 import com.tencent.bk.job.common.encrypt.CryptoScenarioEnum;
-import com.tencent.bk.job.common.encrypt.CryptorNames;
 import com.tencent.bk.job.common.encrypt.SymmetricCryptoService;
+import com.tencent.bk.sdk.crypto.cryptor.consts.CryptorNames;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;

src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/scenario/DbPasswordService.java

@@ -26,8 +26,8 @@
 
 import com.tencent.bk.job.common.constant.AccountCategoryEnum;
 import com.tencent.bk.job.common.encrypt.CryptoScenarioEnum;
-import com.tencent.bk.job.common.encrypt.CryptorNames;
 import com.tencent.bk.job.common.encrypt.SymmetricCryptoService;
+import com.tencent.bk.sdk.crypto.cryptor.consts.CryptorNames;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;

src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/scenario/SensitiveParamService.java

@@ -25,8 +25,8 @@
 package com.tencent.bk.job.common.encrypt.scenario;
 
 import com.tencent.bk.job.common.encrypt.CryptoScenarioEnum;
-import com.tencent.bk.job.common.encrypt.CryptorNames;
 import com.tencent.bk.job.common.encrypt.SymmetricCryptoService;
+import com.tencent.bk.sdk.crypto.cryptor.consts.CryptorNames;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;

src/backend/commons/common/src/main/java/com/tencent/bk/job/common/encrypt/NoneCryptor.java → src/backend/commons/common/src/main/java/com/tencent/bk/job/common/exception/CryptoException.java

@@ -22,34 +22,19 @@
  * IN THE SOFTWARE.
  */
 
-package com.tencent.bk.job.common.encrypt;
+package com.tencent.bk.job.common.exception;
 
-
-import com.tencent.bk.sdk.gm.annotation.Cryptor;
-import com.tencent.bk.sdk.gm.cryptor.SymmetricCryptor;
+import lombok.Getter;
+import lombok.ToString;
 
 /**
- * 不做任何加密操作，直接返回明文的加密实现
+ * 加解密异常
  */
-@Cryptor(name = CryptorNames.NONE)
-public class NoneCryptor implements SymmetricCryptor {
-    @Override
-    public byte[] encrypt(byte[] key, byte[] message) {
-        return message;
-    }
-
-    @Override
-    public byte[] decrypt(byte[] key, byte[] encryptedMessage) {
-        return encryptedMessage;
-    }
-
-    @Override
-    public String encrypt(String key, String message) {
-        return message;
-    }
+@Getter
+@ToString
+public class CryptoException extends RuntimeException {
 
-    @Override
-    public String decrypt(String key, String base64EncodedEncryptedMessage) {
-        return base64EncodedEncryptedMessage;
+    public CryptoException(String message, Throwable cause) {
+        super(message, cause);
     }
 }

src/backend/commons/common/src/main/resources/META-INF/services/com.tencent.bk.sdk.crypto.cryptor.ASymmetricCryptor

@@ -0,0 +1 @@
+com.tencent.bk.job.common.encrypt.RSACryptor

src/backend/commons/common/src/main/resources/META-INF/services/com.tencent.bk.sdk.crypto.cryptor.SymmetricCryptor

@@ -0,0 +1 @@
+com.tencent.bk.job.common.encrypt.AESCryptor

src/backend/job-crontab/boot-job-crontab/src/test/java/com/tencent/bk/job/crontab/dao/impl/CronJobDAOImplIntegrationTest.java

@@ -25,7 +25,6 @@
 package com.tencent.bk.job.crontab.dao.impl;
 
 import com.tencent.bk.job.common.constant.TaskVariableTypeEnum;
-import com.tencent.bk.job.common.encrypt.CryptorNames;
 import com.tencent.bk.job.common.model.BaseSearchCondition;
 import com.tencent.bk.job.common.model.PageData;
 import com.tencent.bk.job.common.model.dto.UserRoleInfoDTO;
@@ -35,6 +34,7 @@
 import com.tencent.bk.job.crontab.model.dto.CronJobInfoDTO;
 import com.tencent.bk.job.crontab.model.dto.CronJobVariableDTO;
 import com.tencent.bk.job.crontab.util.CronExpressionUtil;
+import com.tencent.bk.sdk.crypto.cryptor.consts.CryptorNames;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;