lian/encryptsql
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

merge

Browse Source
This commit is contained in:
blue-lemon0104
2026-04-07 15:45:41 +08:00
parent 0120fa9ce3
commit 46fa58f6f8
27 changed files with 527 additions and 2818 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
src/KMS/CMakeLists.txt
View File

@@ -2,20 +2,24 @@
cmake_minimum_required(VERSION 3.0)
# 设置KMS库项目
set(KMS_TARGET kms_lib)
set(KMS_TARGET kms)
# 收集KMS相关的源文件
file(GLOB_RECURSE KMS_Sources
"*.cpp"
"*.c"
CONFIGURE_DEPENDS
"*.cpp" "*.c"
)
# 移除不需要的文件(如果有的话)
# list(REMOVE_ITEM KMS_Sources "unwanted_file.cpp")
list(REMOVE_ITEM KMS_Sources "${CMAKE_CURRENT_SOURCE_DIR}/kms_core_huawei.cpp")
# 创建静态库
add_library(${KMS_TARGET} STATIC ${KMS_Sources})
# 查找必要的依赖包
find_package(jsoncpp REQUIRED)
find_package(OpenSSL REQUIRED)
# 设置包含目录
target_include_directories(${KMS_TARGET}
PUBLIC
@@ -29,9 +33,6 @@ target_include_directories(${KMS_TARGET}
${CMAKE_CURRENT_SOURCE_DIR}/../crypto # crypto目录
)
# 查找必要的依赖包
find_package(jsoncpp REQUIRED)
find_package(OpenSSL REQUIRED)
# 链接必要的库
target_link_libraries(${KMS_TARGET}
@@ -39,12 +40,11 @@ target_link_libraries(${KMS_TARGET}
${OPENSSL_LIBRARIES}
jsoncpp_lib
PRIVATE
# 如果需要其他内部库,可以在这里添加
)
# 设置编译选项
target_compile_options(${KMS_TARGET} PRIVATE
-std=c++11
-std=c++14
-fvisibility=hidden
-fPIC # 位置无关代码选项,应用于静态库链接到共享库
)
@@ -66,4 +66,26 @@ set(KMS_INCLUDE_DIRS
${CMAKE_CURRENT_SOURCE_DIR}/../../include/kms
PARENT_SCOPE)
message(STATUS "KMS library configured: ${KMS_TARGET}")
message(STATUS "KMS library configured: ${KMS_TARGET}")
# --------------------------------------
# kms_cli 工具
# 可执行文件
# add_executable(kms_cli
# main.cpp
# )
# target_include_directories(kms_cli
# PRIVATE
# ${CMAKE_CURRENT_SOURCE_DIR}/../../include
# ${CMAKE_CURRENT_SOURCE_DIR}
# )
# set(PQ_LIB /usr/local/postgresql/lib/libpq.so)
# target_link_libraries(kms_cli
# PRIVATE
# ${KMS_TARGET}
# ${PQ_LIB}
# )

1072
src/KMS/KeyManagementService.cpp.bk
View File

File diff suppressed because it is too large Load Diff

346
src/KMS/KeyManagementService.hpp.bk
View File

@@ -1,346 +0,0 @@
//
// Created by 曲晓阳 on 24-11-18.
//
#ifndef KMS_KEYMANAGEMENTSERVICE_HPP
#define KMS_KEYMANAGEMENTSERVICE_HPP
#pragma once
#include <string>
#include <vector>
#include <queue>
#include <iostream>
#include <ctime>
#include <fstream>
#include <random>
#include <openssl/aes.h>
#include <openssl/evp.h>
#include <openssl/hmac.h>
#include <openssl/sha.h>
#include <sstream>
#include <iomanip>
#include <algorithm>
//#include <libpq-fe.h>
#include "json.hpp"
#include <thread>
#include <chrono>
#include <mutex>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <map>
#define AES_BLOCK_SIZE 16
using json = nlohmann::json;
// 密钥类型
typedef enum {
KEY_TYPE_AES,
KEY_TYPE_ORE,
KEY_TYPE_SAHE,
KEY_TYPE_SMHE
} KeyType;
// 编码结构
typedef enum {
RAW
} KeyStruct;
// 加密算法
typedef enum {
SM4,
AES128
} AlgorithmType;
// CMK结构体
typedef struct {
std::uint32_t _key_id; //密钥id
std::string _user_name; //数据库用户名
std::string _cmk_data; //cmk数据
time_t _create_time; //创建时间
int _length; //密钥长度
KeyStruct _struct; //编码结构
AlgorithmType _alg; //加密算法
int _rotate_period; //轮换周期(天数)
bool _is_rotated; //是否被轮转
bool _is_primary_version; //是否是主版本
bool _auto_rotate; //自动轮转状态
} CMK;
// DEK数据库存储结构体
typedef struct {
std::string _user_name; //数据库用户名
std::string _table; //数据库表名
std::string _column; //数据库列名
KeyType _type; //密钥类型(必须有吗)
std::string _dek_cipher; //dek密文数据
bool _status; //是否启用(轮换)
time_t _create_time; //创建时间(必须自动轮换吗,这个可不可以只手动轮换,合同里没写要不只允许手动轮换)
int _rotate_time; //轮换周期(如果不是自动是不是可以没有)
int _length; //密钥长度(需要吗)
KeyStruct _struct; //编码结构(需要吗)
AlgorithmType _alg; //被加密算法(安全性)
} DEK;
// DEK缓存结构体存的东西越少越好
typedef struct {
std::string _user_name; //数据库用户名
std::string _table; //数据库表名
std::string _column; //数据库列名
KeyType _type; //密钥类型(必须有吗)
std::string _dek_plain; //dek明文数据
time_t _find_time; //缓存创建时间
int _cache_time; //缓存时间
int _length; //密钥长度(必须有吗)
KeyStruct _struct; //编码结构(必须有吗)
} DEK_CACHE;
//表信息(user -> db -> table -> col?)
typedef struct {
std::string user_name;
std::string db_name;
std::string table_name;
std::queue<std::string> col_name;
std::unordered_map<std::string, std::string> dek_store_tmp;
std::unordered_map<std::string, std::string> dek_store_tmp_for_update;
std::string dek_table_level_tmp;
std::string dek_table_level_for_update;
} DbInfo;
class KeyManagerS {
private:
json _data; //解析出的json数据
std::string _path; //cmk信息json文件位置
std::string _key_path; //加密cmk所用密钥的位置
std::string _cmk; //当前用户的cmk以sql为单位
DbInfo _info;
std::queue<std::string> _dek_only_for_ore;
std::map<std::string, std::string> _dek_tmp; //用于临时存储解密后DEK
std::string deriveKey(const std::string& master_key, const std::string& column_name);
std::vector<unsigned char> sha256(const std::string& input);
std::string generateSalt(const std::string& column_name);
bool createDerivedDek(std::string& dek, const std::string& column_name);
std::string _cmk_auto_rotate_status_path; //CMK自动轮转状态存储文件路径
//用于存储CMK自动轮转的进程 ID 和状态
std::map<std::string, pid_t> cmk_auto_rotate_pids;
std::map<std::string, bool> cmk_auto_rotate_status;
public:
KeyManagerS(const std::string &file_path, const std::string &key_path, const std::string &cmk_auto_rotate_status_path);
~KeyManagerS();
bool init();
std::vector<unsigned char> readBinaryFile(const std::string &path);
std::vector<unsigned char> xorBuffers(const std::vector<unsigned char> &a, const std::vector<unsigned char> &b);
std::vector<unsigned char> hmac_sha256(const std::vector<unsigned char> &key,
const std::vector<unsigned char> &message);
std::vector<unsigned char> getSystemIDHash16();
void getRootKey(unsigned char *key, size_t len);
bool setPath(const char *path);
bool setKeyPath(const char *key_path);
void setInfoUser(const std::string &user_name);
void setInfoDb(const std::string &db_name);
void setInfoTable(const std::string &table_name);
void setInfoCol(const std::string &col_name);
void setInfoDekTmp(const std::string &col_name, const std::string &dek_tmp);
void clearDek();
void clearDekForUpdate();
std::string getInfoUser();
std::string getInfoDb();
std::string getInfoTable();
std::string getInfoCol();
void getDekByCol(const std::string &col_name, std::string &dek_tmp);
bool createDek(std::string &col_dek, const std::string &column_name);
bool storeCmk(CMK &cmk, bool rotate);
bool save();
bool hasCmk(const std::string &user_name) const;
bool createCmk(const std::string &user_name, int rotate_period, CMK &new_cmk, KeyStruct ks = RAW,
AlgorithmType alg = AES128);
bool deleteCmk(const std::string &user_name);
bool getRandomCmk(std::string &_cmk_data, AlgorithmType alg, int &length);
bool getRandomDek(std::string &_dek_data);
void setCurrentCmk(std::string &cur_cmk);
void _rand(std::string &rand, int length_in_bytes);
//TODO在合适的地方加入加密和解密CMK
//加密CMK
bool encryptKey(std::string &ori_key);
bool encryptDek(std::string &ori_key, const std::string &cmk);
bool decryptDek(std::string &ori_key, const std::string &cmk);
//解密CMK
bool decryptKey(std::string &ori_key);
bool getCmkByUsername(const std::string &user_name, std::string &new_cmk);
std::string base64_encode(const unsigned char *data, size_t length);
std::string base64_decode(const std::string &encoded);
void setDekOnlyForOre(const std::string &dek);
void clearDekOnlyForOre();
char *getDekOnlyForOre();
void setDekTableLevel(const std::string &dek);
void getDekTableLevel(std::string &dek);
//手动轮转函数
bool rotateCmkNow(const std::string &user_name);
//加载CMK自动轮转状态
void loadAutoRotateStatus();
//保存CMK自动轮转状态
void saveAutoRotateStatus();
//CMK自动轮转进程函数
void autoRotateProcess(const std::string &user_name);
//CMK自动轮转命令处理
bool handleAutoRotateCmd(std::string *auto_rotate_action, const std::string &user_name);
//根据用户名获取CMK自动轮转状态
bool getCmkAutoRotateStatusByUsername(const std::string &user_name);
bool describeCmk(const std::string &user_name, json &result, bool decrypt);
void setDekTableLevelForUpdate(const std::string &dek);
void getDekTableLevelForUpdate(std::string &dek);
void setDekStoreTmpForUpdate(const std::string &col_name, const std::string &dek_tmp);
void getDekStoreTmpForUpdate(const std::string &col_name, std::string &dek_tmp);
std::string getCurrentCmk();
void getAllDekStoreTmpForUpdate(std::unordered_map<std::string, std::string> &column_deks);
bool isRotateCmd();
};
void cmk_mapperInit(const char *file_path, const char *key_path, const char *cmk_auto_rotate_status_path);
bool cmk_mapperHasCmk(const std::string &user_name);
bool cmk_mapperCreateCmk(const std::string &user_name, int rotate_period, CMK &new_cmk);
bool cmk_mapperDeleteCmk(const std::string &user_name);
bool cmk_mapperStoreCmk(CMK &cmk);
bool cmk_mapperGetCmkByUsername(const std::string &user_name, std::string &new_cmk);
void cmk_mapperSetCurrentCmk(std::string &cur_cmk);
void cmk_mapperSetInfoUser(const std::string &user_name);
void cmk_mapperSetInfoDb(const std::string &db_name);
void cmk_mapperSetInfoTable(const std::string &table_name);
void cmk_mapperSetInfoCol(const std::string &col_name);
void cmk_mapperSetInfoDekTmp(const std::string &col_name, const std::string &dek_tmp);
void cmk_mapperGetDekByCol(const std::string &col_name, std::string &dek_tmp);
void cmk_mapperClearDek();
void cmk_mapperClearDekForUpdate();
void cmk_mapperEncryptDek(std::string &ori_key, const std::string &cmk);
void cmk_mapperDecryptDek(std::string &ori_key, const std::string &cmk);
std::string cmk_mapperGetInfoUser();
std::string cmk_mapperGetInfoDb();
std::string cmk_mapperGetInfoTable();
std::string cmk_mapperGetInfoCol();
bool cmk_mapperCreateDek(std::string &col_dek, const std::string &column_name);
bool cmk_mapperNewConnectionTest();
void cmk_mapperSetDekOnlyForOre(const std::string &dek);
void cmk_mapperClearDekOnlyForOre();
char *cmk_mapperGetDekOnlyForOre();
void cmk_mapperSetDekTableLevel(const std::string &dek);
void cmk_mapperGetDekTableLevel(std::string &dek);
//(封装)手动轮转
bool cmk_mapperRotateCmkNow(const std::string &user_name);
//(封装)CMK自动轮转命令处理
bool cmk_mapperHandleAutoRotateCmd(std::string *auto_rotate_action, const std::string &user_name);
//(封装)根据用户名获取CMK自动轮转状态
bool cmk_mapperGetCmkAutoRotateStatusByUsername(const std::string &user_name);
bool cmk_mapperDescribeCmk(const std::string &user_name, json &result, bool decrypt);
void cmk_mapperSetDekTableLevelForUpdate(const std::string &dek);
void cmk_mapperGetDekTableLevelForUpdate(std::string &dek);
void cmk_mapperSetDekStoreTmpForUpdate(const std::string &col_name, const std::string &dek_tmp);
void cmk_mapperGetDekStoreTmpForUpdate(const std::string &col_name, std::string &dek_tmp);
std::string cmk_mapperGetCurrentCmk();
void cmk_mapperGetAllDekStoreTmpForUpdate(std::unordered_map<std::string, std::string> &column_deks);
bool cmk_mapperIsRotateCmd();
#endif //KMS_KEYMANAGEMENTSERVICE_HPP

1089
src/KMS/PGconnectForDEK.cpp.bk
View File

File diff suppressed because it is too large Load Diff

126
src/KMS/PGconnectForDEK.h.bk
View File

@@ -1,126 +0,0 @@
#ifndef CRYPTOKEY_SERVICE_H
#define CRYPTOKEY_SERVICE_H
#ifdef __cplusplus
extern "C"
{
#endif
#include "postgres.h" // 与 #include <iomanip> 冲突
//为了解决和libintl.h冲突的问题undef以下4个
#undef gettext
#undef dgettext
#undef ngettext
#undef dngettext
#include "utils/palloc.h"
#include "utils/memutils.h"
#include "nodes/nodes.h"
#include "nodes/parsenodes.h"
#include "nodes/value.h"
#include "base64.h"
#include <string.h>
#ifdef __cplusplus
}
#endif
#include "encryptsql/fieldmap.h"
#include "kms/KeyManagementService.hpp"
#include <assert.h>
#include <stdexcept>
#include <set>
#include <vector>
#include <string>
#include "libpq-fe.h" // 改为使用引号包含
#include "crypto/crypto.h"
#include "crypto/openssl.h"
#include "encryptsql.h"
// 因为缺头文件所以直接复制过来了,肯定有很多用不上的
#include <regex>
#include <iostream>
#include <unordered_set>
// 数据库连接信息
#define DB_CONNINFO "dbname=dekmaster user=dekmaster password=secure_password hostaddr=127.0.0.1 port=5432"
#define BACKUP_TABLE_NAME "dek_store_backup"
#define ORIGINAL_TABLE_NAME "dek_store"
// 定义轮换类型枚举
enum RotationType {
ROTATE_ALL, // 轮换表级和所有列级密钥
ROTATE_TABLE, // 只轮换表级密钥
ROTATE_COLUMNS // 只轮换指定列的密钥
};
// 轮换命令解析结果结构
struct RotateCommandResult {
bool valid; // 命令是否有效
RotationType type; // 轮换类型
std::string tableName; // 表名
std::string enc_tableName; // 加密表名
std::set<std::string> cols_set; // 命令涉及的列名列表 用于快速检索轮换命令中是否有这个列
std::unordered_set<std::string> enc_cols_set; // 需要更新的密钥的密文列名
std::unordered_map<std::string, std::string> col_map; // 明文列名 和 密文列名的映射
std::unordered_map<std::string, std::string> col_type; // 列的类型
std::string errorMessage; // 错误信息
};
RotateCommandResult parseRotateCommand(const std::string& command,const std::string &user_name,const std::string &db_name);
// test
void printRotateCommandResult(const RotateCommandResult& result);
void connectionDelete();
void connectionUpdateDek(RotateCommandResult &result);
void connectionUpdateDek_Init(RotateCommandResult &result);
void connectionUpdateDek_Update(RotateCommandResult& result);
void connectionUpdateDek_Final(RotateCommandResult& result);
void connectionInsertTest();
void connectionSelectTest();
void connectionSelect();
using json = nlohmann::json;
// 读取 JSON 文件
json read_json_from_file(const std::string& file_path);
// 获取表中所有列
std::vector<std::string> get_columns(const std::string& table_name, const json& j);
// 获取表中所有列
std::set<std::string> get_all_columns(const std::string& table_name, const json& j);
// 获取表中列的映射关系
std::unordered_map<std::string, std::string> get_column_mapping(const std::string& table_name, const json& j);
// 获取列的数据类型
std::string get_column_type(const std::string& table_name, const std::string& column_name, const json& j);
static int executeSQL(const char *sql, const char *errorMsg);
static int tableExists(const char *tableName);
int backupDekStore();
int deleteDekStoreBackup();
int restoreDekStore();
#endif // CRYPTOKEY_SERVICE_H

11
src/KMS/kms_core_local.cpp
View File

@@ -38,12 +38,11 @@ extern "C"
#include "encryptsql.h"
// 因为缺头文件所以直接复制过来了,肯定有很多用不上的
#include <regex>
#include <iostream>
#include <unordered_set>
#include "en_config.h"
#include "kms/kms_core_local.hpp"
#include "kms/kms_factory.hpp"
@@ -89,9 +88,9 @@ std::vector<unsigned char> LocalKmsCore::getSystemIDHash16() {
}
void LocalKmsCore::getRootKey(unsigned char *key, size_t len) {
auto A = readBinaryFile("/new_enc/kms_root/frag_a");
auto B = readBinaryFile("/new_enc/kms_root/frag_b");
auto C = readBinaryFile("/new_enc/kms_root/frag_c");
auto A = readBinaryFile(ROOT_KEY_GEN_PATH "/frag_a");
auto B = readBinaryFile(ROOT_KEY_GEN_PATH "/frag_b");
auto C = readBinaryFile(ROOT_KEY_GEN_PATH "/frag_c");
if (A.size() != B.size() || A.size() != C.size() || A.size() != 16)
throw std::runtime_error("All key fragments must be 16 bytes.");
@@ -655,6 +654,8 @@ bool LocalKmsCore::encryptData(std::string &ori_key) {
std::string base64_encrypted = base64_encode(reinterpret_cast<const unsigned char *>(encrypted.c_str()),
encrypted.size());
ori_key = base64_encrypted;
return true;
}
bool LocalKmsCore::decryptData(std::string &ori_key) {

2
src/KMS/kms_interface.cpp
View File

@@ -72,4 +72,4 @@ bool KMSInterface::decryptData(std::string& dek) {
bool KMSInterface::createDek(std::string &col_dek, const std::string &column_name){
return instance_ && instance_->createDek(col_dek, column_name);
}
}

198
src/KMS/main.cpp Normal file
View File

@@ -0,0 +1,198 @@
#include "kms/kms_interface.hpp"
#include "kms/kms_core_local.hpp"
#include "en_config.h"
#include <iostream>
#include <string>
#include <fstream>
#include <chrono>
#include <vector>
using namespace std;
// 默认数据库名
const string DEFAULT_DBNAME = "default_db";
void print_usage() {
cout << "Usage: KMS <command> <username> [args...] [--time]\n";
cout << "Commands:\n";
cout << " hasCmk <username>\n";
cout << " createCmk <username> <rotate_period>\n";
cout << " deleteCmk <username>\n";
cout << " describeCmk <username> [decrypt]\n";
cout << " rotateCmkNow <username>\n";
cout << " CMK_auto_rotate <username> on/off/status\n";
cout << " encryptData <username> <data>\n";
cout << " decryptData <username> <data>\n";
cout << " createDek <username> <column_name>\n";
}
bool init_and_get_instance(const string& username) {
LocalKmsCore::registerLocalKms();
LocalKmsConfig config(
CMK_FILE_PATH,
CMK_KEY_PATH,
CMK_ROTATE_STATUS_PATH,
username.c_str(),
DEFAULT_DBNAME.c_str()
);
if (!KMSInterface::initialize(config)) {
cerr << "ERROR: KMS initialization failed\n";
return false;
}
if (!KMSInterface::getInstance()) {
cerr << "ERROR: KMS instance not available\n";
return false;
}
return true;
}
int main(int argc, char* argv[]) {
if (argc < 3) {
print_usage();
return 1;
}
// ======== 解析参数,处理 --time =========
bool measure_time = false;
vector<string> args;
args.reserve(argc);
for (int i = 1; i < argc; ++i) {
if (string(argv[i]) == "--time") {
measure_time = true;
} else {
args.push_back(argv[i]); // 保留非 --time 参数
}
}
if (args.size() < 2) {
print_usage();
return 1;
}
string cmd = args[0];
string username = args[1];
if (cmd == "--help" || cmd == "-h") {
print_usage();
return 0;
}
// ======== 初始化 KMS =========
if (!init_and_get_instance(username)) {
return 1;
}
bool ok = false;
string result;
// ======== 计时开始 =========
auto start = std::chrono::high_resolution_clock::now();
// ========= KMS 命令处理 =========
if (cmd == "hasCmk") {
ok = KMSInterface::hasCmk(username);
cout << (ok ? "true" : "false") << "\n";
}
else if (cmd == "createCmk" && args.size() == 3) {
int rotate_period = stoi(args[2]);
ok = KMSInterface::createCmk(username, rotate_period);
cout << (ok ? "OK" : "ERROR") << "\n";
}
else if (cmd == "deleteCmk") {
ok = KMSInterface::deleteCmk(username);
cout << (ok ? "OK" : "ERROR") << "\n";
}
else if (cmd == "describeCmk") {
bool decrypt = (args.size() == 3 && args[2] == "decrypt");
ok = KMSInterface::describeCmk(username, result, decrypt);
cout << (ok ? result : "ERROR") << "\n";
}
else if (cmd == "rotateCmkNow") {
ok = KMSInterface::rotateCmkNow(username);
cout << (ok ? "OK" : "ERROR") << "\n";
}
else if (cmd == "CMK_auto_rotate" && args.size() == 3) {
string action = args[2];
ok = KMSInterface::handleAutoRotateCmd(&action, username);
cout << (ok ? action : "ERROR") << "\n";
}
else if (cmd == "encryptData" && args.size() == 3) {
string input = args[2];
ifstream infile(input);
if (infile.good()) {
string output_file = input + ".enc";
ofstream outfile(output_file);
string line;
while (getline(infile, line)) {
if (line.empty()) continue;
string line_result = line;
ok = KMSInterface::encryptData(line_result);
outfile << (ok ? line_result : "ERROR") << "\n";
}
cout << "Encrypted result written to: " << output_file << "\n";
} else {
string str_result = input;
ok = KMSInterface::encryptData(str_result);
cout << (ok ? str_result : "ERROR") << "\n";
}
}
else if (cmd == "decryptData" && args.size() == 3) {
string input = args[2];
ifstream infile(input);
if (infile.good()) {
string output_file = input + ".dec";
ofstream outfile(output_file);
string line;
while (getline(infile, line)) {
string line_result = line;
ok = KMSInterface::decryptData(line_result);
outfile << (ok ? line_result : "ERROR") << "\n";
}
cout << "Decryption results written to " << output_file << "\n";
} else {
string str_result = input;
ok = KMSInterface::decryptData(str_result);
cout << (ok ? str_result : "ERROR") << "\n";
}
}
else if (cmd == "createDek" && args.size() == 3) {
string input = args[2];
ifstream infile(input);
if (infile.good()) {
string output_file = input + ".dek";
ofstream outfile(output_file);
string line;
while (getline(infile, line)) {
if (line.empty()) continue;
string col_dek;
ok = KMSInterface::createDek(col_dek, line);
outfile << line << " : " << (ok ? col_dek : "ERROR") << "\n";
}
cout << "DEK creation results written to " << output_file << "\n";
} else {
string col_dek;
ok = KMSInterface::createDek(col_dek, input);
cout << (ok ? (input + " : " + col_dek) : "ERROR") << "\n";
}
}
else {
print_usage();
return 1;
}
// ======== 计时结束 =========
auto end = std::chrono::high_resolution_clock::now();
auto duration = chrono::duration_cast<chrono::microseconds>(end - start);
if (measure_time) {
cout << "[Time used]: " << duration.count() << " us\n";
}
return ok ? 0 : 1;
}

47
src/KMSAdapter/dek_interface.cpp
View File

@@ -9,12 +9,7 @@ RotateCommandResult parseRotateCommand(const std::string& command,const std::str
result.valid = false;
std::string current_cmk;
//得到当前用户的cmk
// cmk_mapperGetCmkByUsername(user_name, current_cmk);
//存储当前cmk
// cmk_mapperSetCurrentCmk(current_cmk);
// cmk_mapperSetInfoUser(user_name);
// cmk_mapperSetInfoDb(db_name);
DekInterface::setInfoUser(user_name);
DekInterface::setInfoDb(db_name);
@@ -147,9 +142,6 @@ void connectionDelete() {
// 构建删除查询
std::string query = "DELETE FROM dek_store WHERE ";
// query.append("username = '").append(cmk_mapperGetInfoUser()).append("' AND ")
// .append("db = '").append(cmk_mapperGetInfoDb()).append("' AND ")
// .append("t = '").append(cmk_mapperGetInfoTable()).append("'");
query.append("username = '").append(DekInterface::getInfoUser()).append("' AND ")
.append("db = '").append(DekInterface::getInfoDb()).append("' AND ")
.append("t = '").append(DekInterface::getInfoTable()).append("'");
@@ -273,8 +265,6 @@ void connectionUpdateDek_Init(RotateCommandResult &cmd) {
// 判断 如果是 NULL 则为表级密钥 && (轮换表级||轮换全部) -> 需要轮换表密钥
if (PQgetisnull(res1, i, 0)) { // 如果列名是NULL表示这是表级密钥
// 创建新密钥
// if (cmk_mapperCreateDek(dek_for_update, "")) { // 表级密钥使用空列名
// cmk_mapperDecryptDek(dek_for_update, cmk);
if (KMSInterface::createDek(dek_for_update, "")) { // 表级密钥使用空列名, 也可以DekAPI::getInfoTable())
KMSInterface::decryptData(dek_for_update);
} else {
@@ -282,10 +272,8 @@ void connectionUpdateDek_Init(RotateCommandResult &cmd) {
}
if(cmd.type == ROTATE_TABLE || cmd.type == ROTATE_ALL) {
// cmk_mapperSetDekTableLevelForUpdate(dek_for_update);
DekInterface::setDekTableLevelForUpdate(dek_for_update);
}else{
// cmk_mapperSetDekTableLevelForUpdate(dek);
DekInterface::setDekTableLevelForUpdate(dek);
}
}else{
@@ -294,8 +282,6 @@ void connectionUpdateDek_Init(RotateCommandResult &cmd) {
plain = plain.substr(0,plain.rfind('_'));
// 创建新密钥,使用加密后的列名
// if (cmk_mapperCreateDek(dek_for_update, col_name)) { // 使用加密后的列名
// cmk_mapperDecryptDek(dek_for_update, cmk);
if (KMSInterface::createDek(dek_for_update, col_name)) { // 使用加密后的列名
KMSInterface::decryptData(dek_for_update);
} else {
@@ -304,19 +290,15 @@ void connectionUpdateDek_Init(RotateCommandResult &cmd) {
if(cmd.type == ROTATE_TABLE){ // 轮换表级密钥
all_columns.erase(plain);
// cmk_mapperSetDekStoreTmpForUpdate(col_name, dek); // 这些列使用旧密钥
DekInterface::setDekColLevelForUpdate(col_name, dek);
} else if(cmd.type == ROTATE_ALL){ // 轮换所有密钥
cmd.enc_cols_set.insert(col_name); // 存储密文列名
// cmk_mapperSetDekStoreTmpForUpdate(col_name, dek_for_update); // dek_store中的所有密钥都要轮换
DekInterface::setDekColLevelForUpdate(col_name, dek_for_update);
} else if(cmd.type == ROTATE_COLUMNS){ // 轮换指定列密钥
if(cmd.cols_set.find(plain) != cmd.cols_set.end()){ // 判断dek_store中的列是否在命令中是的话用新密钥不是则用旧密钥
cmd.enc_cols_set.insert(col_name); // 存储密文列名
// cmk_mapperSetDekStoreTmpForUpdate(col_name,dek_for_update);
DekInterface::setDekColLevelForUpdate(col_name, dek_for_update);
}else{
// cmk_mapperSetDekStoreTmpForUpdate(col_name,dek);
DekInterface::setDekColLevelForUpdate(col_name, dek);
}
}
@@ -542,16 +524,13 @@ void connectionUpdateDek_Final(RotateCommandResult &cmd) {
// 获取待更新的表级密钥
std::string table_dek_for_update;
// cmk_mapperGetDekTableLevelForUpdate(table_dek_for_update);
DekInterface::getDekTableLevelForUpdate(table_dek_for_update);
// 获取CMK
// std::string cmk = cmk_mapperGetCurrentCmk();
// 如果有表级密钥需要更新
if (cmd.type != ROTATE_COLUMNS && !table_dek_for_update.empty()) {
// 加密表级密钥
// cmk_mapperEncryptDek(table_dek_for_update, cmk);
KMSInterface::encryptData(table_dek_for_update);
if (table_dek_for_update.empty()) {
fprintf(stderr, "Encrypt table DEK failed\n");
@@ -580,7 +559,6 @@ void connectionUpdateDek_Final(RotateCommandResult &cmd) {
if(!cmd.cols_set.empty() && cmd.type != ROTATE_TABLE){
// 获取所有待更新的列级密钥
std::unordered_map<std::string, std::string> column_deks;
// cmk_mapperGetAllDekStoreTmpForUpdate(column_deks);
DekInterface::getAllDekColLevelForUpdate(column_deks);
// 更新列级密钥
@@ -642,19 +620,9 @@ void connectionInsertTest() {
}
std::string table_dek;
// 获取CMK
// std::string cmk = cmk_mapperGetCurrentCmk();
// cmk_mapperGetCmkByUsername(cmk_mapperGetInfoUser(), cmk);
// if (cmk_mapperCreateDek(table_dek, "")) { // 表级密钥使用空列名
if (KMSInterface::createDek(table_dek, "")) { // 表级密钥使用空列名
// cmk_mapperEncryptDek(table_dek, cmk); // 加密表级密钥create里写了加密所以不需要
std::string query1 = "insert into dek_store values";
std::string tuple1 = "(";
// tuple1.append("'").append(cmk_mapperGetInfoUser()).append("',")
// .append("'").append(cmk_mapperGetInfoDb()).append("',")
// .append("'").append(cmk_mapperGetInfoTable()).append("',")
// .append("NULL,")
// .append("'").append(table_dek).append("')");
tuple1.append("'").append(DekInterface::getInfoUser()).append("',")
.append("'").append(DekInterface::getInfoDb()).append("',")
@@ -672,15 +640,8 @@ void connectionInsertTest() {
// 处理所有列密钥
while (!tmp1.empty()) {
std::string col_dek;
// if (cmk_mapperCreateDek(col_dek, tmp1)) { // 使用当前列名作为参数
if(KMSInterface::createDek(col_dek, tmp1)) {
// cmk_mapperEncryptDek(col_dek, cmk); // 加密列级密钥
std::string tuple_col = "(";
// tuple_col.append("'").append(cmk_mapperGetInfoUser()).append("',")
// .append("'").append(cmk_mapperGetInfoDb()).append("',")
// .append("'").append(cmk_mapperGetInfoTable()).append("',")
// .append("'").append(tmp1).append("',")
// .append("'").append(col_dek).append("')");
tuple_col.append("'").append(DekInterface::getInfoUser()).append("',")
.append("'").append(DekInterface::getInfoDb()).append("',")
.append("'").append(DekInterface::getInfoTable()).append("',")
@@ -768,23 +729,17 @@ void connectionSelect() {
int nrows = PQntuples(res1);
// 获取CMK
// std::string cmk = cmk_mapperGetCurrentCmk();
// cmk_mapperGetCmkByUsername(cmk_mapperGetInfoUser(), cmk);
for (int i = 0; i < nrows; i++) { // 遍历每一行
std::string col_name(PQgetvalue(res1, i, 0)); // 列名
std::string dek(PQgetvalue(res1, i, 1)); // 对应的密钥
// 解密密钥
// cmk_mapperDecryptDek(dek, cmk);
KMSInterface::decryptData(dek);
if (PQgetisnull(res1, i, 0)) { // 如果列名是NULL表示这是表级密钥
// cmk_mapperSetDekTableLevel(dek);
DekInterface::setDekTableLevel(dek);
// dek_for_decrypt = dek;
} else { // 否则是列级密钥
// cmk_mapperSetInfoDekTmp(col_name, dek);
DekInterface::setDekColLevel(col_name, dek);
}
}

3
src/crypto/cryptolib/libudf/decider/udfDispatch.cpp
View File

@@ -25,6 +25,7 @@ using namespace util;
#ifndef NDEBUG // DEBUG
#include <fstream>
#include "en_config.h"
extern "C"
{
@@ -36,7 +37,7 @@ class CalledCounter {
public:
CalledCounter() {
char buf[64];
sprintf(buf, "/etc/encryptsql/UDFcalled_by%d.count", (int) getpid());
sprintf(buf, ENCRYPTSQL_CONFIG_DIR "/UDFcalled_by%d.count", (int) getpid());
ofstream fout(buf);
fout.close();

100
src/encryptsql/encryptstmt.cpp
View File

@@ -40,7 +40,7 @@ extern "C"
#include "crypto/openssl.h"
#include "encryptsql.h"
#include "en_config.h"
#include "kms/kms_interface.hpp"
#include "kmsAdapter/dek_interface.hpp"
#include "KeyDistribution/non_enc_client/client_interface.h"
@@ -49,8 +49,8 @@ namespace {
bool SendDekViaTls(const std::string& dek_plain)
{
kd::client::ClientConfig cfg;
cfg.server_host = "127.0.0.1"; // 或者 "localhost"
cfg.server_port = "9443"; // 只要服务器宿主端监听同一个端口即可
cfg.server_host = DK_SERVER_HOST; // 或者 "localhost"
cfg.server_port = DK_SERVER_PORT; // 只要服务器宿主端监听同一个端口即可
cfg.dek.assign(dek_plain.begin(), dek_plain.end());
kd::client::ClientResult result;
@@ -65,14 +65,6 @@ bool SendDekViaTls(const std::string& dek_plain)
}
} // anonymous namespace
// 文件路径定义
#define MAP_FILE_PATH "/etc/encryptsql/map.json"
#define KMS_FILE_PATH "/new_enc/kms_test/output.json"
#define MAP_BACKUP_PATH "/etc/encryptsql/map.json.backup"
#define KMS_BACKUP_PATH "/new_enc/kms_test/output.json.backup"
extern thread_local std::string dek_for_decrypt;
static List *encryptValuesLists(List *valuesLists, List *cols, EncryptInfo *info);
@@ -1950,18 +1942,18 @@ cleanup:
* 开始事务
* 在事务开始时调用,为原文件和数据库表创建备份副本
*/
#ifdef USE_BACKUP_ENCRYPT
#ifdef ENCRYPTSQL_USE_RECOVERY
static void create_backup(bool is_transaction) {
int mapResult = 0, kmsResult = 0, dbResult = 0;
const char* map_path = MAP_FILE_PATH;
const char* map_path = MAP_JSON_PATH;
const char* map_backup;
if(is_transaction) map_backup = MAP_BACKUP_PATH".t";
else map_backup = MAP_BACKUP_PATH;
const char* kms_path = KMS_FILE_PATH;
if(is_transaction) map_backup = MAP_JSON_BACKUP_PATH".t";
else map_backup = MAP_JSON_BACKUP_PATH;
const char* kms_path = CMK_FILE_PATH;
const char* kms_backup;
if(is_transaction) kms_backup = KMS_BACKUP_PATH".t";
else kms_backup = KMS_BACKUP_PATH;
if(is_transaction) kms_backup = CMK_FILE_BACKUP_PATH".t";
else kms_backup = CMK_FILE_BACKUP_PATH;
char* msg;
// 备份映射文件
@@ -1977,7 +1969,7 @@ static void create_backup(bool is_transaction) {
}
#ifndef NDEBUG
std::cout << msg << std::endl;
// std::cout << msg << std::endl;
#endif
// 备份密钥文件
@@ -1993,21 +1985,21 @@ static void create_backup(bool is_transaction) {
}
#ifndef NDEBUG
std::cout << msg << std::endl;
// std::cout << msg << std::endl;
#endif
// 备份数据库表
// dbResult = backupDekStore();
dbResult = DekInterface::backupDekStore();
#ifndef NDEBUG
// 如果任一备份失败,记录错误但不阻止事务继续
if (mapResult != 0 || kmsResult != 0 || dbResult != 0) {
fprintf(stderr, "Warning: Some backups failed, transaction may not be fully recoverable\n");
} else {
printf("All backups completed successfully\n");
}
// // 如果任一备份失败,记录错误但不阻止事务继续
// if (mapResult != 0 || kmsResult != 0 || dbResult != 0) {
// fprintf(stderr, "Warning: Some backups failed, transaction may not be fully recoverable\n");
// } else {
// printf("All backups completed successfully\n");
// }
#endif
}
/**
@@ -2024,14 +2016,14 @@ void delete_backup(bool is_transaction) {
}
int mapResult = 0, kmsResult = 0, dbResult = 0;
const char* map_path = MAP_FILE_PATH;
const char* map_path = MAP_JSON_PATH;
const char* map_backup;
if(is_transaction) map_backup = MAP_BACKUP_PATH".t";
else map_backup = MAP_BACKUP_PATH;
const char* kms_path = KMS_FILE_PATH;
if(is_transaction) map_backup = MAP_JSON_BACKUP_PATH".t";
else map_backup = MAP_JSON_BACKUP_PATH;
const char* kms_path = CMK_FILE_PATH;
const char* kms_backup;
if(is_transaction) kms_backup = KMS_BACKUP_PATH".t";
else kms_backup = KMS_BACKUP_PATH;
if(is_transaction) kms_backup = CMK_FILE_BACKUP_PATH".t";
else kms_backup = CMK_FILE_BACKUP_PATH;
char* msg;
// 删除映射文件备份
@@ -2048,7 +2040,7 @@ void delete_backup(bool is_transaction) {
}
#ifndef NDEBUG
std::cout << msg << std::endl;
// std::cout << msg << std::endl;
#endif
// 删除密钥文件备份
@@ -2065,19 +2057,18 @@ void delete_backup(bool is_transaction) {
}
#ifndef NDEBUG
std::cout << msg << std::endl;
// std::cout << msg << std::endl;
#endif
// 删除数据库备份表
// dbResult = deleteDekStoreBackup();
dbResult = DekInterface::deleteDekStoreBackup();
#ifndef NDEBUG
if (mapResult == 0 && kmsResult == 0 && dbResult == 0) {
printf("Transaction committed successfully - all backups cleaned up\n");
} else {
fprintf(stderr, "Warning: Failed to clean up some backup files or database tables\n");
}
// if (mapResult == 0 && kmsResult == 0 && dbResult == 0) {
// printf("Transaction committed successfully - all backups cleaned up\n");
// } else {
// fprintf(stderr, "Warning: Failed to clean up some backup files or database tables\n");
// }
#endif
}
@@ -2089,14 +2080,14 @@ void delete_backup(bool is_transaction) {
void recovery_backup(bool is_transaction) {
int mapResult = 0, kmsResult = 0, dbResult = 0;
const char* map_path = MAP_FILE_PATH;
const char* map_path = MAP_JSON_PATH;
const char* map_backup;
if(is_transaction) map_backup = MAP_BACKUP_PATH".t";
else map_backup = MAP_BACKUP_PATH;
const char* kms_path = KMS_FILE_PATH;
if(is_transaction) map_backup = MAP_JSON_BACKUP_PATH".t";
else map_backup = MAP_JSON_BACKUP_PATH;
const char* kms_path = CMK_FILE_PATH;
const char* kms_backup;
if(is_transaction) kms_backup = KMS_BACKUP_PATH".t";
else kms_backup = KMS_BACKUP_PATH;
if(is_transaction) kms_backup = CMK_FILE_BACKUP_PATH".t";
else kms_backup = CMK_FILE_BACKUP_PATH;
char* msg;
// 恢复映射文件
@@ -2115,7 +2106,7 @@ void recovery_backup(bool is_transaction) {
msg = "No map backup file found for rollback\n";
}
#ifndef NDEBUG
std::cout << msg << std::endl;
// std::cout << msg << std::endl;
#endif
// 恢复密钥文件
@@ -2135,19 +2126,18 @@ void recovery_backup(bool is_transaction) {
}
#ifndef NDEBUG
std::cout << msg << std::endl;
// std::cout << msg << std::endl;
#endif
// 恢复数据库表
// dbResult = restoreDekStore();
dbResult = DekInterface::restoreDekStore();
#ifndef NDEBUG
if (mapResult == 0 && kmsResult == 0 && dbResult == 0) {
printf("Transaction rolled back successfully - all data restored\n");
} else {
fprintf(stderr, "Error: Failed to completely rollback transaction\n");
}
// if (mapResult == 0 && kmsResult == 0 && dbResult == 0) {
// printf("Transaction rolled back successfully - all data restored\n");
// } else {
// fprintf(stderr, "Error: Failed to completely rollback transaction\n");
// }
#endif
}

41
src/encryptsql/main.cpp
View File

@@ -39,17 +39,18 @@ extern "C"
// #include "kms/KeyManagementService.hpp"
// #include "kms/PGconnectForDEK.h"
#include "en_config.h"
#include "kms/kms_interface.hpp"
#include "kms/kms_core_local.hpp"
#include "kmsAdapter/dek_interface.hpp"
#ifndef MAPPERPATH
#define MAPPERPATH "/etc/encryptsql/map.json"
#endif
#define CMKFILEPATH "/new_enc/kms_test/output.json"
#define CMKKEYPATH "/new_enc/kms_test/domainkey"
// 持久化文件路径
#define CMK_AUTO_ROTATE_STATUS_PATH "/new_enc/kms_test/CMK_auto_rotate_status.json"
// #ifndef MAPPERPATH
// #define MAPPERPATH "/etc/encryptsql/map.json"
// #endif
// #define CMKFILEPATH "/new_enc/kms_test/output.json"
// #define CMKKEYPATH "/new_enc/kms_test/domainkey"
// // 持久化文件路径
// #define CMK_AUTO_ROTATE_STATUS_PATH "/new_enc/kms_test/CMK_auto_rotate_status.json"
extern void LogInfo(const char *fmt, ...);
@@ -223,21 +224,29 @@ encryptOneSql(const char *sql, char **err_msg, const char *user_name, const char
ALLOCSET_DEFAULT_INITSIZE,
ALLOCSET_DEFAULT_MAXSIZE);
//初始化映射表
mapperInit(MAPPERPATH);
mapperInit(MAP_JSON_PATH);
//注册kms
LocalKmsCore::registerLocalKms();
//初始化CMK
// cmk_mapperInit(CMKFILEPATH, CMKKEYPATH, CMK_AUTO_ROTATE_STATUS_PATH);
LocalKmsConfig config(CMKFILEPATH, CMKKEYPATH, CMK_AUTO_ROTATE_STATUS_PATH, user_name, db_name);
LocalKmsConfig config(CMK_FILE_PATH, CMK_KEY_PATH, CMK_ROTATE_STATUS_PATH, user_name, db_name);
KMSInterface::initialize(config);
#if 0
HuaweiKmsCore::registerHuaweiKms();
HuaweiKmsConfig hwConfig(
"HPUAI1XPW4U0CPJCSE7C", // AK
"qSOZjbqKxffaqFm3FG7KrqV4MtAKYgsAVACB0ZLs", // SK
"d8aadaf24bde4314bf2789fb87f4ad83", // projectId
"cn-north-4", // region
"", // endpoint (可选)
"my-app-key" // keyAlias (可选)
);
KMSInterface::initialize(hwConfig);
#endif
//初始化DEK
DekInterface::initialize(user_name, db_name);
// InitializeKeyDistribution(); // 启动 DEK 接收服务
// std::atexit(ShutdownKeyDistribution);
#ifdef USE_LRU
// HECache.setName("Client HE"); // for RandNum(id)

3
src/utils/LogBase.cpp
View File

@@ -1,5 +1,6 @@
#include "LogBase.h"
#include "config.h"
#include <iostream>
namespace util {
@@ -19,7 +20,7 @@ namespace util {
m_enabled[log::timer] = false;
int pid = getpid();
char logPath[64] = {0};
sprintf(logPath, "/etc/encryptsql/encryptsql.%d.log", pid);
sprintf(logPath, ENCRYPTSQL_CONFIG_DIR "/encryptsql.%d.log", pid);
this->appender = new log4cpp::FileAppender("fileAppender", logPath, false);
auto pLayout = new log4cpp::PatternLayout();

5
src/utils/TimeCounter.h
View File

@@ -2,6 +2,7 @@
#pragma once
#include "Timer.h"
#include "en_config.h"
#include <unordered_map>
#include <string>
@@ -115,8 +116,8 @@ public:
#endif
char path1[64] = {0};
char path2[64] = {0};
sprintf(path1, "/etc/encryptsql/counter_%d.log", pid);
sprintf(path2, "/etc/encryptsql/counter_%d.json", pid);
sprintf(path1, ENCRYPTSQL_CONFIG_DIR "/counter_%d.log", pid);
sprintf(path2, ENCRYPTSQL_CONFIG_DIR "/counter_%d.json", pid);
FILE *fp = fopen(path1, "w");
FILE *jsonFp = fopen(path2, "w");
if (!fp || !jsonFp) {

28
src/utils/en_config.h Normal file
View File

@@ -0,0 +1,28 @@
#ifndef ENCRYPTSQL_CONFIG_H
#define ENCRYPTSQL_CONFIG_H
// 安装路径(由 -DENCRYPTSQL_INSTALL_DIR=... 指定)
#define ENCRYPTSQL_INSTALL_DIR "/usr/local/postgresql"
#define ENCRYPTSQL_CONFIG_DIR "/etc/encryptsql"
#define DK_SERVER_HOST "127.0.0.1"
#define DK_SERVER_PORT "9443"
#define CREATEUDF_SQL_PATH ENCRYPTSQL_INSTALL_DIR "/createudf.sql"
#define MASK_FUNCS_SQL_PATH ENCRYPTSQL_INSTALL_DIR "/mask_funcs.sql"
#define MAP_JSON_PATH ENCRYPTSQL_CONFIG_DIR "/map.json"
#define MAP_JSON_BACKUP_PATH ENCRYPTSQL_CONFIG_DIR "/map.json.backup"
#define CMK_FILE_PATH ENCRYPTSQL_CONFIG_DIR "/output.json"
#define CMK_FILE_BACKUP_PATH ENCRYPTSQL_CONFIG_DIR "/output.json.backup"
#define CMK_KEY_PATH ENCRYPTSQL_CONFIG_DIR "/domainkey"
#define CMK_ROTATE_STATUS_PATH ENCRYPTSQL_CONFIG_DIR "/CMK_auto_rotate_status.json"
#define ROOT_KEY_GEN_PATH ENCRYPTSQL_CONFIG_DIR "/kms_root"
#define BACKUP_BIN_PATH ENCRYPTSQL_INSTALL_DIR "/bin/backup"
#define RESTORE_BIN_PATH ENCRYPTSQL_INSTALL_DIR "/bin/restore"
#endif /* ENCRYPTSQL_CONFIG_H */

7
src/utils/settings.h
View File

@@ -1,13 +1,16 @@
#pragma once
#include "en_config.h"
// 明文的数据类型, 依据不同的数据类型选择加密方案。
#define MAX_PLAIN_STRING_TYPE 4
#define NOEXIST "NNnoexistNN" // table or column not found in mapper
constexpr char CONFIG_PATH[] = "/etc/encryptsql/config.json";
// constexpr char CONFIG_PATH[] = "/etc/encryptsql/config.json";
constexpr char CONFIG_PATH[] = ENCRYPTSQL_CONFIG_DIR "/config.json";
constexpr double Float_Scale = 10000.0;
constexpr char ENCLAVE_FILENAME[] = "/etc/encryptsql/enclave.signed.so";
constexpr char ENCLAVE_FILENAME[] = ENCRYPTSQL_CONFIG_DIR "/enclave.signed.so";
// crypto.h things
#define DEFALUT_ENCRYPT_CIPHER CIPHER_AES // select target默认的加密列