
REPORT-72595 FR源码中存在加密密钥硬编码,建议放到配置文件中

security/10.0
Lanlan 2 years ago
parent
commit
6a0820c9e8
  1. 22
      designer-base/src/main/java/com/fr/design/login/utils/DesignerLoginUtils.java
  2. 1
      designer-base/src/main/resources/com/fr/design/config/default

22
designer-base/src/main/java/com/fr/design/login/utils/DesignerLoginUtils.java

@ -9,12 +9,16 @@ import com.fr.general.http.HttpToolbox;
import com.fr.general.log.MessageFormatter;
import com.fr.json.JSONObject;
import com.fr.log.FineLoggerFactory;
import com.fr.security.encryption.storage.keys.DefaultKeys;
import com.fr.stable.StringUtils;
import com.fr.third.org.bouncycastle.util.encoders.Hex;
import java.awt.Window;
import java.io.IOException;
import java.io.InputStream;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
@ -28,8 +32,6 @@ public class DesignerLoginUtils {
private static final String PRODUCT_FINEREPORT = "product-finereport";
private static final String KEY = "i7hP48WAcuTrmxfN";
public static Map<String, String> renderMap() {
Map<String, String> map4Tpl = new HashMap<>();
map4Tpl.put("language", GeneralContext.getLocale().toString());
@ -85,8 +87,11 @@ public class DesignerLoginUtils {
jo.put("uid", manager.getDesignerLoginUid());
jo.put("username", manager.getDesignerLoginUsername());
jo.put("source", PRODUCT_FINEREPORT);
Properties properties = read("/default");
byte[] iv = randomIv();
return new String(Hex.encode(iv)) + encrypt(jo.toString(), KEY.getBytes(), iv);
return new String(Hex.encode(iv)) + encrypt(jo.toString(), properties.getProperty("Fine-Designer_Login").getBytes(), iv);
}
private static byte[] randomIv() {
@ -105,4 +110,15 @@ public class DesignerLoginUtils {
byte[] resultBytes = cipher.doFinal(content.getBytes());
return new String(Hex.encode(resultBytes));
}
private static Properties read(String fileName) {
fileName = "com/fr/design/config" + fileName;
Properties properties = new Properties();
try (InputStream inputStream = DefaultKeys.class.getClassLoader().getResourceAsStream(fileName)){
properties.load(inputStream);
} catch (IOException e) {
FineLoggerFactory.getLogger().error(e.getMessage(), e);
}
return properties;
}
}
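Review bot: The new `return` line calls `properties.getProperty("Fine-Designer_Login").getBytes()` with no null check, while `read()` can fail before it returns a usable `Properties`. `getResourceAsStream` returns null when the resource is not found, so `properties.load(inputStream)` throws a NullPointerException that `catch (IOException e)` does not cover; if the property itself is absent, the NPE comes from the lookup instead. Fail with a clear message in `read()`, e.g. `if (inputStream == null) { throw new IllegalStateException("missing resource: " + fileName); }`, and check the property value before use. `getBytes()` without a charset uses the platform default on Java versions before 18, so `getBytes(StandardCharsets.UTF_8)` would keep the key bytes identical on every machine. The method containing the `return` line starts outside the hunk.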

1
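--- a/designer-base/src/main/resources/com/fr/design/config/default
+++ b/designer-base/src/main/resources/com/fr/design/config/default
@@ -0,0 +1 @@
+Fine-Designer_Login=i7hP48WAcuTrmxfN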
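Review bot: The value committed here appears to be the same string as the `KEY` constant shown in `DesignerLoginUtils`. Because the file lives under `src/main/resources`, it presumably still ships inside the designer artifact, where anyone who unpacks it can read it. Moving the key out of the `.java` file addresses the wording of the finding but not the exposure, and the value is already in the repository history, so it should be treated as known and replaced. Consider loading the key from a location supplied at deployment time, outside the packaged resources, and committing only a placeholder such as `Fine-Designer_Login=<set at deployment>`.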