blue-lemon0104
2026-04-07 15:45:41 +08:00
parent 0120fa9ce3
commit 46fa58f6f8
27 changed files with 527 additions and 2818 deletions


@@ -93,22 +93,18 @@ set(LIBRARY_OUTPUT_PATH ${PROJECT_BINARY_DIR}/lib)
set(CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS}" ) set(CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS}" )
message(${CMAKE_MODULE_PATH}) message(${CMAKE_MODULE_PATH})
file(GLOB_RECURSE Cpp_Files RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "src/encryptsql/*.cpp" ) file(GLOB_RECURSE Cpp_Files RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "src/encryptsql/*.cpp" )
file(GLOB_RECURSE C_Files RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "src/encryptsql/*.c") file(GLOB_RECURSE C_Files RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "src/encryptsql/*.c")
# file(GLOB_RECURSE KMS_Cpp_Files RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "src/KMS/*.cpp")
file(GLOB_RECURSE DEK_Cpp_Files RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "src/KMSAdapter/*.cpp") file(GLOB_RECURSE DEK_Cpp_Files RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "src/KMSAdapter/*.cpp")
add_subdirectory(src/KMS) add_subdirectory(src/KMS)
# file(GLOB_RECURSE UtilsFiles RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "src/utils/*.cpp")
#set(Files "${Cpp_Files};${C_Files};src/utils/cryptoUtils.cpp;src/utils/cryptoCaller.cpp;src/utils/utils.cpp;src/utils/base64.c;src/utils/opensslUtils.cpp"
# src/KMS/KeyManagementService.cpp
# src/KMS/json.hpp)
# set(Files "${Cpp_Files};${C_Files};${KMS_Cpp_Files};${DEK_Cpp_Files};src/utils/cryptoUtils.cpp;src/utils/cryptoCaller.cpp;src/utils/utils.cpp;src/utils/base64.c;src/utils/opensslUtils.cpp")
set(Files "${Cpp_Files};${C_Files};${DEK_Cpp_Files};src/utils/cryptoUtils.cpp;src/utils/cryptoCaller.cpp;src/utils/utils.cpp;src/utils/base64.c;src/utils/opensslUtils.cpp") set(Files "${Cpp_Files};${C_Files};${DEK_Cpp_Files};src/utils/cryptoUtils.cpp;src/utils/cryptoCaller.cpp;src/utils/utils.cpp;src/utils/base64.c;src/utils/opensslUtils.cpp")
list(REMOVE_ITEM Files "src/crypto/symmetria_2/symmetria_2/Interface_c.c") list(REMOVE_ITEM Files "src/crypto/symmetria_2/symmetria_2/Interface_c.c")
@@ -177,11 +173,6 @@ filter_regex(EXCLUDE "Interface_c" Files ${Files})
filter_regex(EXCLUDE "symmetria" Files ${Files}) filter_regex(EXCLUDE "symmetria" Files ${Files})
# message(STATUS ${SOURCES})
# find_package(PkgConfig REQUIRED)
# pkg_search_module(OPENSSL REQUIRED openssl)
# pkg_search_module(GMP REQUIRED gmp)
find_package(jsoncpp REQUIRED) find_package(jsoncpp REQUIRED)
find_package(GMP REQUIRED) find_package(GMP REQUIRED)
find_package(LOG4CPP REQUIRED) find_package(LOG4CPP REQUIRED)
@@ -206,8 +197,10 @@ set(jsoncpp_LIBRARY jsoncpp_lib)
set(jsoncpp_STATIC_LIBRARY jsoncpp_lib_static) set(jsoncpp_STATIC_LIBRARY jsoncpp_lib_static)
SET(CryptoLib src/crypto/cryptolib) SET(CryptoLib src/crypto/cryptolib)
set(PG_LIB_PATH "/usr/local/postgresql/lib") # TODO UPDATE
set(PG_INCLUDE_PATH "/usr/local/postgresql/include") set(PG_INSTALL_DIR "/usr/local/postgresql" CACHE PATH "PostgreSQL install dir")
set(PG_LIB_PATH "${PG_INSTALL_DIR}/lib")
set(PG_INCLUDE_PATH "${PG_INSTALL_DIR}/include")
include_directories(src/utils ${OPENSSL_INCLUDE_DIR} ${GMP_INCLUDE_DIR} ${CryptoLib}/symmetria ${jsoncpp_INCLUDE} ${PG_INCLUDE_PATH}) include_directories(src/utils ${OPENSSL_INCLUDE_DIR} ${GMP_INCLUDE_DIR} ${CryptoLib}/symmetria ${jsoncpp_INCLUDE} ${PG_INCLUDE_PATH})
@@ -216,7 +209,6 @@ SET(SYM_Lib symmetria)
SET(HE_Lib he) SET(HE_Lib he)
SET(ORE_Lib ore) SET(ORE_Lib ore)
add_subdirectory(${CryptoLib}) add_subdirectory(${CryptoLib})
# add_subdirectory(src/Server)
add_subdirectory(src/KeyDistribution) add_subdirectory(src/KeyDistribution)
if(${CMAKE_BUILD_TYPE} EQUAL "Debug") if(${CMAKE_BUILD_TYPE} EQUAL "Debug")
@@ -224,15 +216,29 @@ if(${CMAKE_BUILD_TYPE} EQUAL "Debug")
endif() endif()
# add_subdirectory(tests) # add_subdirectory(tests)
add_library(${TARGET} SHARED ${Files}) add_library(${TARGET} SHARED ${Files})
# target_link_libraries(${TARGET} ${OPENSSL_LIBRARIES} ${jsoncpp_LIBRARY} ${KMS_LIBRARY} -L${PG_LIB_PATH}) target_link_libraries(${TARGET}
target_link_libraries(${TARGET} ${OPENSSL_LIBRARIES} ${jsoncpp_LIBRARY} ${KMS_LIBRARY} -L${PG_LIB_PATH} keydistribution_client tls_server_host) ${OPENSSL_LIBRARIES}
${jsoncpp_LIBRARY}
${KMS_LIBRARY}
-L${PG_LIB_PATH}
keydistribution_client tls_server_host)
if(NO_ENCRYPTSQL_USE_RECOVERY)
target_compile_definitions(your_target PRIVATE NO_ENCRYPTSQL_USE_RECOVERY)
endif()
# TODO UPDATE
target_link_libraries(encryptsql target_link_libraries(encryptsql
/new_enc/postgresql-14.2/src/port/libpgport.a /new_enc/postgresql-14.2/src/port/libpgport.a
/new_enc/postgresql-14.2/src/common/libpgcommon.a /new_enc/postgresql-14.2/src/common/libpgcommon.a
) )
target_link_libraries(${TARGET} -Wl,--no-as-needed /usr/local/lib/libgmssl.so -Wl,--as-needed) target_link_libraries(${TARGET} -Wl,--no-as-needed /usr/local/lib/libgmssl.so -Wl,--as-needed)
target_link_libraries(${TARGET} ${SYM_Lib}) target_link_libraries(${TARGET} ${SYM_Lib})
target_include_directories(${TARGET} PRIVATE include pg_include ${KMS_INCLUDE_DIRS} src)
target_include_directories(${TARGET} PRIVATE
include
pg_include
${KMS_INCLUDE_DIRS} src)
# if(${USE_SGX}) # if(${USE_SGX})
# add_custom_target( genKey ALL # add_custom_target( genKey ALL
@@ -248,4 +254,34 @@ add_executable(restore src/bkup/restore.cpp)
# 链接 stdc++fsGCC 8/9 必需) # 链接 stdc++fsGCC 8/9 必需)
target_link_libraries(backup stdc++fs) target_link_libraries(backup stdc++fs)
target_link_libraries(restore stdc++fs) target_link_libraries(restore stdc++fs)
set(ENCRYPTSQL_INSTALL_DIR "/usr/local/postgresql" CACHE PATH "PostgreSQL install prefix (e.g., /usr/local/postgresql)")
set(ENCRYPTSQL_CONFIG_DIR "/etc/encryptsql" CACHE PATH "Directory for encryptsql config files (e.g., map.json)")
set(DK_SERVER_HOST "127.0.0.1" CACHE STRING "DK server host")
set(DK_SERVER_PORT "9443" CACHE STRING "DK server port")
if(NOT ENCRYPTSQL_INSTALL_DIR)
message(FATAL_ERROR "ENCRYPTSQL_INSTALL_DIR must be specified via -DENCRYPTSQL_INSTALL_DIR=...")
endif()
configure_file(en_config.h.in ../include/en_config.h @ONLY)
configure_file(en_config.h.in ../src/utils/en_config.h @ONLY)
target_include_directories(${TARGET} PRIVATE ${CMAKE_CURRENT_BINARY_DIR})
install(FILES
createudf.sql
mask_funcs.sql
DESTINATION ${ENCRYPTSQL_INSTALL_DIR}
PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ)
install(FILES
config.json
map.json
DESTINATION ${ENCRYPTSQL_CONFIG_DIR}
PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ)
install(TARGETS backup restore
RUNTIME DESTINATION ${ENCRYPTSQL_INSTALL_DIR}/bin)
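Review bot: `target_compile_definitions(your_target PRIVATE NO_ENCRYPTSQL_USE_RECOVERY)` names a target that is not created anywhere in the visible lines, so configuring with `-DNO_ENCRYPTSQL_USE_RECOVERY=ON` will presumably stop with an unknown-target error; it should read `target_compile_definitions(${TARGET} PRIVATE NO_ENCRYPTSQL_USE_RECOVERY)`. The two `configure_file(en_config.h.in ../include/en_config.h @ONLY)` and `../src/utils/en_config.h` calls use a relative output, which CMake resolves against the current binary directory, so with the documented `build/` layout they write generated headers into the source tree, and a copy with baked-in defaults is committed as `include/en_config.h`. Generating once with `configure_file(en_config.h.in ${CMAKE_CURRENT_BINARY_DIR}/en_config.h @ONLY)` (that directory is already added to the include path on the next line) keeps the `-D` values and the compiled-in key and config paths from drifting apart. `PG_INSTALL_DIR` and `ENCRYPTSQL_INSTALL_DIR` are two cache entries with the same default and meaning, and the `/new_enc/postgresql-14.2/...` and `/usr/local/lib/libgmssl.so` link inputs remain hard-coded absolute paths.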


@@ -53,6 +53,7 @@ install: all
$(INSTALL_DATA) build/lib/libencryptsql.so '$(DESTDIR)$(libdir)' $(INSTALL_DATA) build/lib/libencryptsql.so '$(DESTDIR)$(libdir)'
$(INSTALL_DATA) build/lib/libudf.so '$(DESTDIR)$(libdir)' $(INSTALL_DATA) build/lib/libudf.so '$(DESTDIR)$(libdir)'
cp build/lib/enclave.signed.so /etc/encryptsql/ cp build/lib/enclave.signed.so /etc/encryptsql/
# cp src/encryptsql/enclave.signed.so /etc/encryptsql/
# ./config no-autoalginit no-autoerrinit no-comp no-ct no-dso no-ec no-ec2m no-engine no-err no-gost no-pic no-pinshared no-posix-io no-psk no-rdrand no-shared no-sock no-sse2 no-stdio CFLAGS="-nostdinc" CXXFLAGS="-nostdinc++" LDFLAGS="-Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles" # ./config no-autoalginit no-autoerrinit no-comp no-ct no-dso no-ec no-ec2m no-engine no-err no-gost no-pic no-pinshared no-posix-io no-psk no-rdrand no-shared no-sock no-sse2 no-stdio CFLAGS="-nostdinc" CXXFLAGS="-nostdinc++" LDFLAGS="-Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles"

28
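--- a/en_config.h.in
+++ b/en_config.h.in
@@ -0,0 +1,28 @@
+#ifndef ENCRYPTSQL_CONFIG_H
+#define ENCRYPTSQL_CONFIG_H
+// 安装路径(由 -DENCRYPTSQL_INSTALL_DIR=... 指定)
+#define ENCRYPTSQL_INSTALL_DIR "@ENCRYPTSQL_INSTALL_DIR@"
+#define ENCRYPTSQL_CONFIG_DIR "@ENCRYPTSQL_CONFIG_DIR@"
+#define DK_SERVER_HOST "@DK_SERVER_HOST@"
+#define DK_SERVER_PORT "@DK_SERVER_PORT@"
+#define CREATEUDF_SQL_PATH ENCRYPTSQL_INSTALL_DIR "/createudf.sql"
+#define MASK_FUNCS_SQL_PATH ENCRYPTSQL_INSTALL_DIR "/mask_funcs.sql"
+#define MAP_JSON_PATH ENCRYPTSQL_CONFIG_DIR "/map.json"
+#define MAP_JSON_BACKUP_PATH ENCRYPTSQL_CONFIG_DIR "/map.json.backup"
+#define CMK_FILE_PATH ENCRYPTSQL_CONFIG_DIR "/output.json"
+#define CMK_FILE_BACKUP_PATH ENCRYPTSQL_CONFIG_DIR "/output.json.backup"
+#define CMK_KEY_PATH ENCRYPTSQL_CONFIG_DIR "/domainkey"
+#define CMK_ROTATE_STATUS_PATH ENCRYPTSQL_CONFIG_DIR "/CMK_auto_rotate_status.json"
+#define ROOT_KEY_GEN_PATH ENCRYPTSQL_CONFIG_DIR "/kms_root"
+#define BACKUP_BIN_PATH ENCRYPTSQL_INSTALL_DIR "/bin/backup"
+#define RESTORE_BIN_PATH ENCRYPTSQL_INSTALL_DIR "/bin/restore"
+#endif /* ENCRYPTSQL_CONFIG_H */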
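Review bot: `CMK_KEY_PATH` and `ROOT_KEY_GEN_PATH` put the domain key and the root-key fragment directory under `ENCRYPTSQL_CONFIG_DIR`, next to `map.json`, which the build instructions in this commit set to mode 777; nothing in the template tells a packager that this directory holds key material. I would add a comment above those two defines, e.g. `/* key material: keep this directory owned by the database service user, no group/world access */`, and document the remaining macros, since the only existing comment covers the install path. The configured values are substituted into string literals verbatim, so a path containing `"` or `\` yields a header that fails to compile or resolves to a different path; that constraint is worth stating in the template as well. `DK_SERVER_PORT` is emitted as a string, so each consumer has to parse and range-check it.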

Binary file not shown.

28
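--- a/include/en_config.h
+++ b/include/en_config.h
@@ -0,0 +1,28 @@
+#ifndef ENCRYPTSQL_CONFIG_H
+#define ENCRYPTSQL_CONFIG_H
+// 安装路径(由 -DENCRYPTSQL_INSTALL_DIR=... 指定)
+#define ENCRYPTSQL_INSTALL_DIR "/usr/local/postgresql"
+#define ENCRYPTSQL_CONFIG_DIR "/etc/encryptsql"
+#define DK_SERVER_HOST "127.0.0.1"
+#define DK_SERVER_PORT "9443"
+#define CREATEUDF_SQL_PATH ENCRYPTSQL_INSTALL_DIR "/createudf.sql"
+#define MASK_FUNCS_SQL_PATH ENCRYPTSQL_INSTALL_DIR "/mask_funcs.sql"
+#define MAP_JSON_PATH ENCRYPTSQL_CONFIG_DIR "/map.json"
+#define MAP_JSON_BACKUP_PATH ENCRYPTSQL_CONFIG_DIR "/map.json.backup"
+#define CMK_FILE_PATH ENCRYPTSQL_CONFIG_DIR "/output.json"
+#define CMK_FILE_BACKUP_PATH ENCRYPTSQL_CONFIG_DIR "/output.json.backup"
+#define CMK_KEY_PATH ENCRYPTSQL_CONFIG_DIR "/domainkey"
+#define CMK_ROTATE_STATUS_PATH ENCRYPTSQL_CONFIG_DIR "/CMK_auto_rotate_status.json"
+#define ROOT_KEY_GEN_PATH ENCRYPTSQL_CONFIG_DIR "/kms_root"
+#define BACKUP_BIN_PATH ENCRYPTSQL_INSTALL_DIR "/bin/backup"
+#define RESTORE_BIN_PATH ENCRYPTSQL_INSTALL_DIR "/bin/restore"
+#endif /* ENCRYPTSQL_CONFIG_H */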


@@ -1,4 +1,4 @@
#ifndef I_KMS_CORE_HPP #ifndef IKMS_CORE_HPP
#define IKMS_CORE_HPP #define IKMS_CORE_HPP
#include "kms_common.hpp" #include "kms_common.hpp"
@@ -11,7 +11,7 @@ public:
virtual ~IKmsCore() = default; virtual ~IKmsCore() = default;
/** /**
* @brief 自定义初始化逻辑 * @brief 自定义初始化逻辑,不需要手动调用,会在单例第一次被创建时自动调用
* local解析json, 随后LoadCmkByUsername * local解析json, 随后LoadCmkByUsername
* tencent或许可以是从配置文件中读取参数 * tencent或许可以是从配置文件中读取参数
*/ */


@@ -5,7 +5,7 @@
#include <string> #include <string>
#include <queue> #include <queue>
#include <unordered_map> #include <unordered_map>
#include <openssl/crypto.h>
#define AES_BLOCK_SIZE 16 #define AES_BLOCK_SIZE 16
@@ -105,19 +105,45 @@ public:
std::string getType() const override { return "local"; } std::string getType() const override { return "local"; }
}; };
// Tencent KMS 配置 // Huawei KMS 配置
class TencentKmsConfig : public IKmsConfig { class HuaweiKmsConfig : public IKmsConfig {
public: public:
std::string access_key; // 必需参数
std::string secret_key; std::string accessKey;
std::string secretKey;
std::string projectId;
std::string region; std::string region;
std::string endpoint;
// ... 自定义
TencentKmsConfig(const std::string& ak, const std::string& sk, const std::string& r) // 可选参数
: access_key(ak), secret_key(sk), region(r) {} std::string endpoint = "";
std::string keyAlias = "default-key";
std::string getType() const override { return "tencent"; } // 实现 getType() 方法
std::string getType() const override {
return "huawei";
}
// 有参构造函数
HuaweiKmsConfig(const std::string& ak, const std::string& sk,
const std::string& pid, const std::string& reg,
const std::string& ep = "", const std::string& alias = "")
: accessKey(ak), secretKey(sk), projectId(pid),
region(reg), endpoint(ep), keyAlias(alias) {}
// 安全清除敏感信息
void ClearSensitiveData() {
OverwriteString(accessKey);
OverwriteString(secretKey);
}
private:
void OverwriteString(std::string& str) {
if (!str.empty()) {
// 使用OpenSSL安全清除内存
OPENSSL_cleanse(&str[0], str.size());
str.clear();
}
}
}; };
#endif // KMS_COMMON_HPP #endif // KMS_COMMON_HPP
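Review bot: `ClearSensitiveData()` only runs when a caller remembers to invoke it, so an `HuaweiKmsConfig` that goes out of scope or is copied leaves `accessKey` and `secretKey` behind in freed memory; a destructor such as `~HuaweiKmsConfig() { ClearSensitiveData(); }` would make the wipe unconditional (add `override` if `IKmsConfig` declares a virtual destructor, which is not visible here). `OverwriteString` cleanses `str.size()` bytes, which misses earlier, longer contents still inside `capacity()`, and the constructor takes the keys by const reference, so the caller's own copies are untouched; both limits deserve a comment on the method so it is not read as a full guarantee. The two credential fields are public, so any code holding the config can copy them out before the wipe. Separately, the in-class default `keyAlias = "default-key"` is never used, because the only constructor always runs `keyAlias(alias)` with a default of `""`; `const std::string& alias = "default-key"` would match the stated intent.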


@@ -48,7 +48,6 @@ private:
std::map<std::string, pid_t> cmk_auto_rotate_pids; // 自动轮转进程 ID std::map<std::string, pid_t> cmk_auto_rotate_pids; // 自动轮转进程 ID
std::map<std::string, bool> cmk_auto_rotate_status; // 自动轮转状态 std::map<std::string, bool> cmk_auto_rotate_status; // 自动轮转状态
std::vector<unsigned char> readBinaryFile(const std::string& path); std::vector<unsigned char> readBinaryFile(const std::string& path);
std::vector<unsigned char> xorBuffers(const std::vector<unsigned char>& a, const std::vector<unsigned char>& b); std::vector<unsigned char> xorBuffers(const std::vector<unsigned char>& a, const std::vector<unsigned char>& b);
std::vector<unsigned char> hmac_sha256(const std::vector<unsigned char>& key, const std::vector<unsigned char>& message); std::vector<unsigned char> hmac_sha256(const std::vector<unsigned char>& key, const std::vector<unsigned char>& message);


@@ -76,14 +76,18 @@ sudo cp config.json /etc/encryptsql/
ln -s ../../../include db_include ln -s ../../../include db_include
rm -rf build rm -rf build
mkdir build mkdir build && cd build
cd build cmake .. \
cmake .. -DENCRYPTSQL_INSTALL_DIR=/usr/local/postgresql \
-DENCRYPTSQL_CONFIG_DIR=/etc/encryptsql \
-DDK_SERVER_HOST=127.0.0.1 \
-DDK_SERVER_PORT=9443
sudo make -j `nproc` sudo make -j `nproc`
cd ../../../../../ cd ../../../../../
sudo touch src/interfaces/libpq/encryptsql/build/lib/enclave.signed.so cmake --build src/interfaces/libpq/encryptsql/build --target enclave.signed.so -j"$(nproc)"
sudo make install cp /etc/encryptsql/enclave.signed.so src/interfaces/libpq/encryptsql/build/lib/enclave.signed.so
make install
sudo rm /usr/local/postgresql/lib/libudf.so sudo rm /usr/local/postgresql/lib/libudf.so
sudo cp src/interfaces/libpq/encryptsql/build/lib/libudf.so /usr/local/postgresql/lib sudo cp src/interfaces/libpq/encryptsql/build/lib/libudf.so /usr/local/postgresql/lib
@@ -99,15 +103,16 @@ sudo cp src/interfaces/libpq/encryptsql/build/bin/backup /usr/local/postgresql/b
sudo cp src/interfaces/libpq/encryptsql/build/bin/restore /usr/local/postgresql/bin/ sudo cp src/interfaces/libpq/encryptsql/build/bin/restore /usr/local/postgresql/bin/
# 创建cmk存储路径 # 创建cmk存储路径
sudo mkdir -p /new_enc/kms_test sudo mkdir -p /etc/encryptsql/kms_test
sudo cp src/interfaces/libpq/encryptsql/src/KMS/domainkey /new_enc/kms_test/ sudo cp src/interfaces/libpq/encryptsql/src/KMS/domainkey /etc/encryptsql/kms_test/
cd /etc/encryptsql cd /etc/encryptsql
sudo chmod 777 map.json sudo chmod 777 map.json
# 创建kms_root根密钥相关文件 # 创建kms_root根密钥相关文件
sudo mkdir -p /new_enc/kms_root sudo mkdir -p /etc/encryptsql/kms_root
cd /new_enc/kms_root
cd /etc/encryptsql/kms_root
sudo head -c 16 /dev/urandom > frag_a sudo head -c 16 /dev/urandom > frag_a
sudo head -c 16 /dev/urandom > frag_b sudo head -c 16 /dev/urandom > frag_b
sudo head -c 16 /dev/urandom > frag_c sudo head -c 16 /dev/urandom > frag_c
@@ -135,6 +140,14 @@ source ~/.bashrc
initdb initdb
vim /usr/local/postgresql/data/postgresql.conf
# vim 打开后,将下面内容加入到尾部
shared_preload_libraries = 'keydist_receiver'
keydist.listen_host = '127.0.0.1'
keydist.listen_port = '9443'
keydist.enclave_signed_path = '/new_enc/postgresql-14.2/src/interfaces/libpq/encryptsql/build/bin/tls_server_enclave.signed'
pg_ctl start pg_ctl start
su root su root


@@ -1,9 +1,11 @@
rm /usr/local/postgresql/lib/libudf.so mkdir -p /usr/local/postgresql/lib
cd /new_enc/postgresql-14.2/src/interfaces/libpq/encryptsql cd /new_enc/postgresql-14.2/src/interfaces/libpq/encryptsql
make clean make clean
mkdir build && cd build && cmake .. mkdir build && cd build
cmake .. -DENCRYPTSQL_INSTALL_DIR=/usr/local/postgresql
make -j `nproc` make -j `nproc`
cp /new_enc/postgresql-14.2/src/interfaces/libpq/encryptsql/build/lib/libudf.so /usr/local/postgresql/lib rm -f /usr/local/postgresql/lib/libudf.so
rm /usr/local/postgresql/lib/libencryptsql.so cp /new_enc/postgresql-14.2/src/interfaces/libpq/encryptsql/build/lib/libudf.so /usr/local/postgresql/lib/
cp /new_enc/postgresql-14.2/src/interfaces/libpq/encryptsql/build/lib/libencryptsql.so /usr/local/postgresql/lib rm -f /usr/local/postgresql/lib/libencryptsql.so
cp /new_enc/postgresql-14.2/src/interfaces/libpq/encryptsql/build/lib/libencryptsql.so /usr/local/postgresql/lib/
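Review bot: The script never stops on error, and `mkdir build && cd build` fails as a unit when `build/` already exists (nothing visible shows `make clean` removing it), after which `cmake ..` and `make` run from the wrong directory and the `rm -f` lines still delete the installed `libudf.so` and `libencryptsql.so` before the `cp` from a stale or missing build. Starting the script with `set -e` and using `mkdir -p build && cd build` stops at the first failure and leaves the installed libraries in place. Only `-DENCRYPTSQL_INSTALL_DIR` is passed here, so the config directory and the DK server host and port silently fall back to the CMake defaults rather than the values shown in the build instructions.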


@@ -2350,7 +2350,7 @@ PQexecStart(PGconn *conn)
return true; return true;
} }
extern void decryptResult(int, int, void *, void **); extern void decryptResult(int, int, void *, void **);
#ifdef USE_BACKUP_ENCRYPT #ifdef ENCRYPTSQL_USE_RECOVERY
extern void delete_backup(bool is_transaction); extern void delete_backup(bool is_transaction);
#endif #endif
/* /*
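Review bot: The guard is now `#ifdef ENCRYPTSQL_USE_RECOVERY`, but the only related definition visible in this commit is the CMake option that adds `NO_ENCRYPTSQL_USE_RECOVERY` (negative form, and attached to a different target), so unless the libpq build defines `ENCRYPTSQL_USE_RECOVERY` somewhere outside this page, the `delete_backup` declaration and presumably its call sites under the same guard are compiled out. I would pick one macro name and polarity for both build systems and add a comment at this guard naming where it is set, e.g. `/* defined by the encryptsql build unless recovery is disabled */`. The surrounding function bodies lie outside the hunk, so the call sites could not be checked here.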


@@ -2,20 +2,24 @@
cmake_minimum_required(VERSION 3.0) cmake_minimum_required(VERSION 3.0)
# 设置KMS库项目 # 设置KMS库项目
set(KMS_TARGET kms_lib) set(KMS_TARGET kms)
# 收集KMS相关的源文件 # 收集KMS相关的源文件
file(GLOB_RECURSE KMS_Sources file(GLOB_RECURSE KMS_Sources
"*.cpp" CONFIGURE_DEPENDS
"*.c" "*.cpp" "*.c"
) )
# 移除不需要的文件(如果有的话) # 移除不需要的文件(如果有的话)
# list(REMOVE_ITEM KMS_Sources "unwanted_file.cpp") list(REMOVE_ITEM KMS_Sources "${CMAKE_CURRENT_SOURCE_DIR}/kms_core_huawei.cpp")
# 创建静态库 # 创建静态库
add_library(${KMS_TARGET} STATIC ${KMS_Sources}) add_library(${KMS_TARGET} STATIC ${KMS_Sources})
# 查找必要的依赖包
find_package(jsoncpp REQUIRED)
find_package(OpenSSL REQUIRED)
# 设置包含目录 # 设置包含目录
target_include_directories(${KMS_TARGET} target_include_directories(${KMS_TARGET}
PUBLIC PUBLIC
@@ -29,9 +33,6 @@ target_include_directories(${KMS_TARGET}
${CMAKE_CURRENT_SOURCE_DIR}/../crypto # crypto目录 ${CMAKE_CURRENT_SOURCE_DIR}/../crypto # crypto目录
) )
# 查找必要的依赖包
find_package(jsoncpp REQUIRED)
find_package(OpenSSL REQUIRED)
# 链接必要的库 # 链接必要的库
target_link_libraries(${KMS_TARGET} target_link_libraries(${KMS_TARGET}
@@ -39,12 +40,11 @@ target_link_libraries(${KMS_TARGET}
${OPENSSL_LIBRARIES} ${OPENSSL_LIBRARIES}
jsoncpp_lib jsoncpp_lib
PRIVATE PRIVATE
# 如果需要其他内部库,可以在这里添加
) )
# 设置编译选项 # 设置编译选项
target_compile_options(${KMS_TARGET} PRIVATE target_compile_options(${KMS_TARGET} PRIVATE
-std=c++11 -std=c++14
-fvisibility=hidden -fvisibility=hidden
-fPIC # 位置无关代码选项,应用于静态库链接到共享库 -fPIC # 位置无关代码选项,应用于静态库链接到共享库
) )
@@ -66,4 +66,26 @@ set(KMS_INCLUDE_DIRS
${CMAKE_CURRENT_SOURCE_DIR}/../../include/kms ${CMAKE_CURRENT_SOURCE_DIR}/../../include/kms
PARENT_SCOPE) PARENT_SCOPE)
message(STATUS "KMS library configured: ${KMS_TARGET}") message(STATUS "KMS library configured: ${KMS_TARGET}")
# --------------------------------------
# kms_cli 工具
# 可执行文件
# add_executable(kms_cli
# main.cpp
# )
# target_include_directories(kms_cli
# PRIVATE
# ${CMAKE_CURRENT_SOURCE_DIR}/../../include
# ${CMAKE_CURRENT_SOURCE_DIR}
# )
# set(PQ_LIB /usr/local/postgresql/lib/libpq.so)
# target_link_libraries(kms_cli
# PRIVATE
# ${KMS_TARGET}
# ${PQ_LIB}
# )
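Review bot: The recursive glob over `*.cpp` now also matches the `main.cpp` this commit adds under `src/KMS/` (assuming this is that directory's CMakeLists), so the CLI's `main()` is compiled into the static `kms` library while the `kms_cli` target that should own it stays commented out. Exclude it the same way as the Huawei source, `list(REMOVE_ITEM KMS_Sources "${CMAKE_CURRENT_SOURCE_DIR}/main.cpp")`, or list the library sources explicitly. `CONFIGURE_DEPENDS` needs CMake 3.12, while the file still declares `cmake_minimum_required(VERSION 3.0)`, so older versions will treat the keyword as one more glob pattern; raising the minimum would also allow `target_compile_features(${KMS_TARGET} PUBLIC cxx_std_14)` in place of the raw `-std=c++14` option. The now-empty `PRIVATE` keyword in `target_link_libraries` can be dropped.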

File diff suppressed because it is too large Load Diff


@@ -1,346 +0,0 @@
//
// Created by 曲晓阳 on 24-11-18.
//
#ifndef KMS_KEYMANAGEMENTSERVICE_HPP
#define KMS_KEYMANAGEMENTSERVICE_HPP
#pragma once
#include <string>
#include <vector>
#include <queue>
#include <iostream>
#include <ctime>
#include <fstream>
#include <random>
#include <openssl/aes.h>
#include <openssl/evp.h>
#include <openssl/hmac.h>
#include <openssl/sha.h>
#include <sstream>
#include <iomanip>
#include <algorithm>
//#include <libpq-fe.h>
#include "json.hpp"
#include <thread>
#include <chrono>
#include <mutex>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <map>
#define AES_BLOCK_SIZE 16
using json = nlohmann::json;
// 密钥类型
typedef enum {
KEY_TYPE_AES,
KEY_TYPE_ORE,
KEY_TYPE_SAHE,
KEY_TYPE_SMHE
} KeyType;
// 编码结构
typedef enum {
RAW
} KeyStruct;
// 加密算法
typedef enum {
SM4,
AES128
} AlgorithmType;
// CMK结构体
typedef struct {
std::uint32_t _key_id; //密钥id
std::string _user_name; //数据库用户名
std::string _cmk_data; //cmk数据
time_t _create_time; //创建时间
int _length; //密钥长度
KeyStruct _struct; //编码结构
AlgorithmType _alg; //加密算法
int _rotate_period; //轮换周期(天数)
bool _is_rotated; //是否被轮转
bool _is_primary_version; //是否是主版本
bool _auto_rotate; //自动轮转状态
} CMK;
// DEK数据库存储结构体
typedef struct {
std::string _user_name; //数据库用户名
std::string _table; //数据库表名
std::string _column; //数据库列名
KeyType _type; //密钥类型(必须有吗)
std::string _dek_cipher; //dek密文数据
bool _status; //是否启用(轮换)
time_t _create_time; //创建时间(必须自动轮换吗,这个可不可以只手动轮换,合同里没写要不只允许手动轮换)
int _rotate_time; //轮换周期(如果不是自动是不是可以没有)
int _length; //密钥长度(需要吗)
KeyStruct _struct; //编码结构(需要吗)
AlgorithmType _alg; //被加密算法(安全性)
} DEK;
// DEK缓存结构体存的东西越少越好
typedef struct {
std::string _user_name; //数据库用户名
std::string _table; //数据库表名
std::string _column; //数据库列名
KeyType _type; //密钥类型(必须有吗)
std::string _dek_plain; //dek明文数据
time_t _find_time; //缓存创建时间
int _cache_time; //缓存时间
int _length; //密钥长度(必须有吗)
KeyStruct _struct; //编码结构(必须有吗)
} DEK_CACHE;
//表信息(user -> db -> table -> col?)
typedef struct {
std::string user_name;
std::string db_name;
std::string table_name;
std::queue<std::string> col_name;
std::unordered_map<std::string, std::string> dek_store_tmp;
std::unordered_map<std::string, std::string> dek_store_tmp_for_update;
std::string dek_table_level_tmp;
std::string dek_table_level_for_update;
} DbInfo;
class KeyManagerS {
private:
json _data; //解析出的json数据
std::string _path; //cmk信息json文件位置
std::string _key_path; //加密cmk所用密钥的位置
std::string _cmk; //当前用户的cmk以sql为单位
DbInfo _info;
std::queue<std::string> _dek_only_for_ore;
std::map<std::string, std::string> _dek_tmp; //用于临时存储解密后DEK
std::string deriveKey(const std::string& master_key, const std::string& column_name);
std::vector<unsigned char> sha256(const std::string& input);
std::string generateSalt(const std::string& column_name);
bool createDerivedDek(std::string& dek, const std::string& column_name);
std::string _cmk_auto_rotate_status_path; //CMK自动轮转状态存储文件路径
//用于存储CMK自动轮转的进程 ID 和状态
std::map<std::string, pid_t> cmk_auto_rotate_pids;
std::map<std::string, bool> cmk_auto_rotate_status;
public:
KeyManagerS(const std::string &file_path, const std::string &key_path, const std::string &cmk_auto_rotate_status_path);
~KeyManagerS();
bool init();
std::vector<unsigned char> readBinaryFile(const std::string &path);
std::vector<unsigned char> xorBuffers(const std::vector<unsigned char> &a, const std::vector<unsigned char> &b);
std::vector<unsigned char> hmac_sha256(const std::vector<unsigned char> &key,
const std::vector<unsigned char> &message);
std::vector<unsigned char> getSystemIDHash16();
void getRootKey(unsigned char *key, size_t len);
bool setPath(const char *path);
bool setKeyPath(const char *key_path);
void setInfoUser(const std::string &user_name);
void setInfoDb(const std::string &db_name);
void setInfoTable(const std::string &table_name);
void setInfoCol(const std::string &col_name);
void setInfoDekTmp(const std::string &col_name, const std::string &dek_tmp);
void clearDek();
void clearDekForUpdate();
std::string getInfoUser();
std::string getInfoDb();
std::string getInfoTable();
std::string getInfoCol();
void getDekByCol(const std::string &col_name, std::string &dek_tmp);
bool createDek(std::string &col_dek, const std::string &column_name);
bool storeCmk(CMK &cmk, bool rotate);
bool save();
bool hasCmk(const std::string &user_name) const;
bool createCmk(const std::string &user_name, int rotate_period, CMK &new_cmk, KeyStruct ks = RAW,
AlgorithmType alg = AES128);
bool deleteCmk(const std::string &user_name);
bool getRandomCmk(std::string &_cmk_data, AlgorithmType alg, int &length);
bool getRandomDek(std::string &_dek_data);
void setCurrentCmk(std::string &cur_cmk);
void _rand(std::string &rand, int length_in_bytes);
//TODO在合适的地方加入加密和解密CMK
//加密CMK
bool encryptKey(std::string &ori_key);
bool encryptDek(std::string &ori_key, const std::string &cmk);
bool decryptDek(std::string &ori_key, const std::string &cmk);
//解密CMK
bool decryptKey(std::string &ori_key);
bool getCmkByUsername(const std::string &user_name, std::string &new_cmk);
std::string base64_encode(const unsigned char *data, size_t length);
std::string base64_decode(const std::string &encoded);
void setDekOnlyForOre(const std::string &dek);
void clearDekOnlyForOre();
char *getDekOnlyForOre();
void setDekTableLevel(const std::string &dek);
void getDekTableLevel(std::string &dek);
//手动轮转函数
bool rotateCmkNow(const std::string &user_name);
//加载CMK自动轮转状态
void loadAutoRotateStatus();
//保存CMK自动轮转状态
void saveAutoRotateStatus();
//CMK自动轮转进程函数
void autoRotateProcess(const std::string &user_name);
//CMK自动轮转命令处理
bool handleAutoRotateCmd(std::string *auto_rotate_action, const std::string &user_name);
//根据用户名获取CMK自动轮转状态
bool getCmkAutoRotateStatusByUsername(const std::string &user_name);
bool describeCmk(const std::string &user_name, json &result, bool decrypt);
void setDekTableLevelForUpdate(const std::string &dek);
void getDekTableLevelForUpdate(std::string &dek);
void setDekStoreTmpForUpdate(const std::string &col_name, const std::string &dek_tmp);
void getDekStoreTmpForUpdate(const std::string &col_name, std::string &dek_tmp);
std::string getCurrentCmk();
void getAllDekStoreTmpForUpdate(std::unordered_map<std::string, std::string> &column_deks);
bool isRotateCmd();
};
void cmk_mapperInit(const char *file_path, const char *key_path, const char *cmk_auto_rotate_status_path);
bool cmk_mapperHasCmk(const std::string &user_name);
bool cmk_mapperCreateCmk(const std::string &user_name, int rotate_period, CMK &new_cmk);
bool cmk_mapperDeleteCmk(const std::string &user_name);
bool cmk_mapperStoreCmk(CMK &cmk);
bool cmk_mapperGetCmkByUsername(const std::string &user_name, std::string &new_cmk);
void cmk_mapperSetCurrentCmk(std::string &cur_cmk);
void cmk_mapperSetInfoUser(const std::string &user_name);
void cmk_mapperSetInfoDb(const std::string &db_name);
void cmk_mapperSetInfoTable(const std::string &table_name);
void cmk_mapperSetInfoCol(const std::string &col_name);
void cmk_mapperSetInfoDekTmp(const std::string &col_name, const std::string &dek_tmp);
void cmk_mapperGetDekByCol(const std::string &col_name, std::string &dek_tmp);
void cmk_mapperClearDek();
void cmk_mapperClearDekForUpdate();
void cmk_mapperEncryptDek(std::string &ori_key, const std::string &cmk);
void cmk_mapperDecryptDek(std::string &ori_key, const std::string &cmk);
std::string cmk_mapperGetInfoUser();
std::string cmk_mapperGetInfoDb();
std::string cmk_mapperGetInfoTable();
std::string cmk_mapperGetInfoCol();
bool cmk_mapperCreateDek(std::string &col_dek, const std::string &column_name);
bool cmk_mapperNewConnectionTest();
void cmk_mapperSetDekOnlyForOre(const std::string &dek);
void cmk_mapperClearDekOnlyForOre();
char *cmk_mapperGetDekOnlyForOre();
void cmk_mapperSetDekTableLevel(const std::string &dek);
void cmk_mapperGetDekTableLevel(std::string &dek);
//(封装)手动轮转
bool cmk_mapperRotateCmkNow(const std::string &user_name);
//(封装)CMK自动轮转命令处理
bool cmk_mapperHandleAutoRotateCmd(std::string *auto_rotate_action, const std::string &user_name);
//(封装)根据用户名获取CMK自动轮转状态
bool cmk_mapperGetCmkAutoRotateStatusByUsername(const std::string &user_name);
bool cmk_mapperDescribeCmk(const std::string &user_name, json &result, bool decrypt);
void cmk_mapperSetDekTableLevelForUpdate(const std::string &dek);
void cmk_mapperGetDekTableLevelForUpdate(std::string &dek);
void cmk_mapperSetDekStoreTmpForUpdate(const std::string &col_name, const std::string &dek_tmp);
void cmk_mapperGetDekStoreTmpForUpdate(const std::string &col_name, std::string &dek_tmp);
std::string cmk_mapperGetCurrentCmk();
void cmk_mapperGetAllDekStoreTmpForUpdate(std::unordered_map<std::string, std::string> &column_deks);
bool cmk_mapperIsRotateCmd();
#endif //KMS_KEYMANAGEMENTSERVICE_HPP

File diff suppressed because it is too large Load Diff


@@ -1,126 +0,0 @@
#ifndef CRYPTOKEY_SERVICE_H
#define CRYPTOKEY_SERVICE_H
#ifdef __cplusplus
extern "C"
{
#endif
#include "postgres.h" // 与 #include <iomanip> 冲突
//为了解决和libintl.h冲突的问题undef以下4个
#undef gettext
#undef dgettext
#undef ngettext
#undef dngettext
#include "utils/palloc.h"
#include "utils/memutils.h"
#include "nodes/nodes.h"
#include "nodes/parsenodes.h"
#include "nodes/value.h"
#include "base64.h"
#include <string.h>
#ifdef __cplusplus
}
#endif
#include "encryptsql/fieldmap.h"
#include "kms/KeyManagementService.hpp"
#include <assert.h>
#include <stdexcept>
#include <set>
#include <vector>
#include <string>
#include "libpq-fe.h" // 改为使用引号包含
#include "crypto/crypto.h"
#include "crypto/openssl.h"
#include "encryptsql.h"
// 因为缺头文件所以直接复制过来了,肯定有很多用不上的
#include <regex>
#include <iostream>
#include <unordered_set>
// 数据库连接信息
#define DB_CONNINFO "dbname=dekmaster user=dekmaster password=secure_password hostaddr=127.0.0.1 port=5432"
#define BACKUP_TABLE_NAME "dek_store_backup"
#define ORIGINAL_TABLE_NAME "dek_store"
// 定义轮换类型枚举
enum RotationType {
ROTATE_ALL, // 轮换表级和所有列级密钥
ROTATE_TABLE, // 只轮换表级密钥
ROTATE_COLUMNS // 只轮换指定列的密钥
};
// 轮换命令解析结果结构
struct RotateCommandResult {
bool valid; // 命令是否有效
RotationType type; // 轮换类型
std::string tableName; // 表名
std::string enc_tableName; // 加密表名
std::set<std::string> cols_set; // 命令涉及的列名列表 用于快速检索轮换命令中是否有这个列
std::unordered_set<std::string> enc_cols_set; // 需要更新的密钥的密文列名
std::unordered_map<std::string, std::string> col_map; // 明文列名 和 密文列名的映射
std::unordered_map<std::string, std::string> col_type; // 列的类型
std::string errorMessage; // 错误信息
};
RotateCommandResult parseRotateCommand(const std::string& command,const std::string &user_name,const std::string &db_name);
// test
void printRotateCommandResult(const RotateCommandResult& result);
void connectionDelete();
void connectionUpdateDek(RotateCommandResult &result);
void connectionUpdateDek_Init(RotateCommandResult &result);
void connectionUpdateDek_Update(RotateCommandResult& result);
void connectionUpdateDek_Final(RotateCommandResult& result);
void connectionInsertTest();
void connectionSelectTest();
void connectionSelect();
using json = nlohmann::json;
// 读取 JSON 文件
json read_json_from_file(const std::string& file_path);
// 获取表中所有列
std::vector<std::string> get_columns(const std::string& table_name, const json& j);
// 获取表中所有列
std::set<std::string> get_all_columns(const std::string& table_name, const json& j);
// 获取表中列的映射关系
std::unordered_map<std::string, std::string> get_column_mapping(const std::string& table_name, const json& j);
// 获取列的数据类型
std::string get_column_type(const std::string& table_name, const std::string& column_name, const json& j);
static int executeSQL(const char *sql, const char *errorMsg);
static int tableExists(const char *tableName);
int backupDekStore();
int deleteDekStoreBackup();
int restoreDekStore();
#endif // CRYPTOKEY_SERVICE_H


@@ -38,12 +38,11 @@ extern "C"
#include "encryptsql.h" #include "encryptsql.h"
// 因为缺头文件所以直接复制过来了,肯定有很多用不上的
#include <regex> #include <regex>
#include <iostream> #include <iostream>
#include <unordered_set> #include <unordered_set>
#include "en_config.h"
#include "kms/kms_core_local.hpp" #include "kms/kms_core_local.hpp"
#include "kms/kms_factory.hpp" #include "kms/kms_factory.hpp"
@@ -89,9 +88,9 @@ std::vector<unsigned char> LocalKmsCore::getSystemIDHash16() {
} }
void LocalKmsCore::getRootKey(unsigned char *key, size_t len) { void LocalKmsCore::getRootKey(unsigned char *key, size_t len) {
auto A = readBinaryFile("/new_enc/kms_root/frag_a"); auto A = readBinaryFile(ROOT_KEY_GEN_PATH "/frag_a");
auto B = readBinaryFile("/new_enc/kms_root/frag_b"); auto B = readBinaryFile(ROOT_KEY_GEN_PATH "/frag_b");
auto C = readBinaryFile("/new_enc/kms_root/frag_c"); auto C = readBinaryFile(ROOT_KEY_GEN_PATH "/frag_c");
if (A.size() != B.size() || A.size() != C.size() || A.size() != 16) if (A.size() != B.size() || A.size() != C.size() || A.size() != 16)
throw std::runtime_error("All key fragments must be 16 bytes."); throw std::runtime_error("All key fragments must be 16 bytes.");
@@ -655,6 +654,8 @@ bool LocalKmsCore::encryptData(std::string &ori_key) {
std::string base64_encrypted = base64_encode(reinterpret_cast<const unsigned char *>(encrypted.c_str()), std::string base64_encrypted = base64_encode(reinterpret_cast<const unsigned char *>(encrypted.c_str()),
encrypted.size()); encrypted.size());
ori_key = base64_encrypted; ori_key = base64_encrypted;
return true;
} }
bool LocalKmsCore::decryptData(std::string &ori_key) { bool LocalKmsCore::decryptData(std::string &ori_key) {
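Review bot: The three root-key fragments in `getRootKey` are now read from `ROOT_KEY_GEN_PATH`, which this commit defines under `ENCRYPTSQL_CONFIG_DIR`, the same directory the process writes its per-PID log and counter files into. Nothing visible in this hunk verifies the owner or mode of the fragment files before they are combined, so the root key inherits whatever permissions that shared, process-writable directory has. Either verify owner-only access before reading, or keep the root-key directory as its own setting that is not derived from the config directory. The size check also hard-codes 16 while the function takes `len`; unless the unseen part of the body already does it, add `if (len < 16) throw std::runtime_error("root key buffer too small");` before the fragments are written into `key`. The body of `getRootKey` continues outside the hunk.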


@@ -72,4 +72,4 @@ bool KMSInterface::decryptData(std::string& dek) {
bool KMSInterface::createDek(std::string &col_dek, const std::string &column_name){ bool KMSInterface::createDek(std::string &col_dek, const std::string &column_name){
return instance_ && instance_->createDek(col_dek, column_name); return instance_ && instance_->createDek(col_dek, column_name);
} }

198
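--- /dev/null
+++ b/src/KMS/main.cpp
@@ -0,0 +1,198 @@
+#include "kms/kms_interface.hpp"
+#include "kms/kms_core_local.hpp"
+#include "en_config.h"
+#include <iostream>
+#include <string>
+#include <fstream>
+#include <chrono>
+#include <vector>
+using namespace std;
+// 默认数据库名
+const string DEFAULT_DBNAME = "default_db";
+void print_usage() {
+cout << "Usage: KMS <command> <username> [args...] [--time]\n";
+cout << "Commands:\n";
+cout << " hasCmk <username>\n";
+cout << " createCmk <username> <rotate_period>\n";
+cout << " deleteCmk <username>\n";
+cout << " describeCmk <username> [decrypt]\n";
+cout << " rotateCmkNow <username>\n";
+cout << " CMK_auto_rotate <username> on/off/status\n";
+cout << " encryptData <username> <data>\n";
+cout << " decryptData <username> <data>\n";
+cout << " createDek <username> <column_name>\n";
+}
+bool init_and_get_instance(const string& username) {
+LocalKmsCore::registerLocalKms();
+LocalKmsConfig config(
+CMK_FILE_PATH,
+CMK_KEY_PATH,
+CMK_ROTATE_STATUS_PATH,
+username.c_str(),
+DEFAULT_DBNAME.c_str()
+);
+if (!KMSInterface::initialize(config)) {
+cerr << "ERROR: KMS initialization failed\n";
+return false;
+}
+if (!KMSInterface::getInstance()) {
+cerr << "ERROR: KMS instance not available\n";
+return false;
+}
+return true;
+}
+int main(int argc, char* argv[]) {
+if (argc < 3) {
+print_usage();
+return 1;
+}
+// ======== 解析参数,处理 --time =========
+bool measure_time = false;
+vector<string> args;
+args.reserve(argc);
+for (int i = 1; i < argc; ++i) {
+if (string(argv[i]) == "--time") {
+measure_time = true;
+} else {
+args.push_back(argv[i]); // 保留非 --time 参数
+}
+}
+if (args.size() < 2) {
+print_usage();
+return 1;
+}
+string cmd = args[0];
+string username = args[1];
+if (cmd == "--help" || cmd == "-h") {
+print_usage();
+return 0;
+}
+// ======== 初始化 KMS =========
+if (!init_and_get_instance(username)) {
+return 1;
+}
+bool ok = false;
+string result;
+// ======== 计时开始 =========
+auto start = std::chrono::high_resolution_clock::now();
+// ========= KMS 命令处理 =========
+if (cmd == "hasCmk") {
+ok = KMSInterface::hasCmk(username);
+cout << (ok ? "true" : "false") << "\n";
+}
+else if (cmd == "createCmk" && args.size() == 3) {
+int rotate_period = stoi(args[2]);
+ok = KMSInterface::createCmk(username, rotate_period);
+cout << (ok ? "OK" : "ERROR") << "\n";
+}
+else if (cmd == "deleteCmk") {
+ok = KMSInterface::deleteCmk(username);
+cout << (ok ? "OK" : "ERROR") << "\n";
+}
+else if (cmd == "describeCmk") {
+bool decrypt = (args.size() == 3 && args[2] == "decrypt");
+ok = KMSInterface::describeCmk(username, result, decrypt);
+cout << (ok ? result : "ERROR") << "\n";
+}
+else if (cmd == "rotateCmkNow") {
+ok = KMSInterface::rotateCmkNow(username);
+cout << (ok ? "OK" : "ERROR") << "\n";
+}
+else if (cmd == "CMK_auto_rotate" && args.size() == 3) {
+string action = args[2];
+ok = KMSInterface::handleAutoRotateCmd(&action, username);
+cout << (ok ? action : "ERROR") << "\n";
+}
+else if (cmd == "encryptData" && args.size() == 3) {
+string input = args[2];
+ifstream infile(input);
+if (infile.good()) {
+string output_file = input + ".enc";
+ofstream outfile(output_file);
+string line;
+while (getline(infile, line)) {
+if (line.empty()) continue;
+string line_result = line;
+ok = KMSInterface::encryptData(line_result);
+outfile << (ok ? line_result : "ERROR") << "\n";
+}
+cout << "Encrypted result written to: " << output_file << "\n";
+} else {
+string str_result = input;
+ok = KMSInterface::encryptData(str_result);
+cout << (ok ? str_result : "ERROR") << "\n";
+}
+}
+else if (cmd == "decryptData" && args.size() == 3) {
+string input = args[2];
+ifstream infile(input);
+if (infile.good()) {
+string output_file = input + ".dec";
+ofstream outfile(output_file);
+string line;
+while (getline(infile, line)) {
+string line_result = line;
+ok = KMSInterface::decryptData(line_result);
+outfile << (ok ? line_result : "ERROR") << "\n";
+}
+cout << "Decryption results written to " << output_file << "\n";
+} else {
+string str_result = input;
+ok = KMSInterface::decryptData(str_result);
+cout << (ok ? str_result : "ERROR") << "\n";
+}
+}
+else if (cmd == "createDek" && args.size() == 3) {
+string input = args[2];
+ifstream infile(input);
+if (infile.good()) {
+string output_file = input + ".dek";
+ofstream outfile(output_file);
+string line;
+while (getline(infile, line)) {
+if (line.empty()) continue;
+string col_dek;
+ok = KMSInterface::createDek(col_dek, line);
+outfile << line << " : " << (ok ? col_dek : "ERROR") << "\n";
+}
+cout << "DEK creation results written to " << output_file << "\n";
+} else {
+string col_dek;
+ok = KMSInterface::createDek(col_dek, input);
+cout << (ok ? (input + " : " + col_dek) : "ERROR") << "\n";
+}
+}
+else {
+print_usage();
+return 1;
+}
+// ======== 计时结束 =========
+auto end = std::chrono::high_resolution_clock::now();
+auto duration = chrono::duration_cast<chrono::microseconds>(end - start);
+if (measure_time) {
+cout << "[Time used]: " << duration.count() << " us\n";
+}
+return ok ? 0 : 1;
+}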
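Review bot: In the file-mode branches of `encryptData`, `decryptData` and `createDek`, `ok` is overwritten on every line, so the exit status reports only the last line. A run that wrote `ERROR` for earlier records still exits 0. The `ofstream` is never checked either, and on open failure the tool still prints "written to". The `.dec` and `.dek` outputs hold decrypted data and DEKs, presumably created with default permissions, so a caller relying on the exit code can end up with a partial or missing sensitive file and no signal. Track a per-run flag and fail on open, as sketched for `decryptData` below; the other two branches need the same change. Separately, `stoi(args[2])` in `createCmk` throws on non-numeric input and is not caught, so a bad `rotate_period` aborts the process instead of printing usage.

```cpp
else if (cmd == "decryptData" && args.size() == 3) {
    string input = args[2];
    ifstream infile(input);
    if (infile.good()) {
        string output_file = input + ".dec";
        ofstream outfile(output_file);
        if (!outfile) {
            cerr << "ERROR: cannot open " << output_file << "\n";
            return 1;
        }
        bool all_ok = true;
        string line;
        while (getline(infile, line)) {
            string line_result = line;
            bool line_ok = KMSInterface::decryptData(line_result);
            all_ok = all_ok && line_ok;
            outfile << (line_ok ? line_result : "ERROR") << "\n";
        }
        ok = all_ok;
        // … unchanged: "Decryption results written to" message …
    }
    // … unchanged: single-value branch …
}
```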


@@ -9,12 +9,7 @@ RotateCommandResult parseRotateCommand(const std::string& command,const std::str
result.valid = false; result.valid = false;
std::string current_cmk; std::string current_cmk;
//得到当前用户的cmk
// cmk_mapperGetCmkByUsername(user_name, current_cmk);
//存储当前cmk
// cmk_mapperSetCurrentCmk(current_cmk);
// cmk_mapperSetInfoUser(user_name);
// cmk_mapperSetInfoDb(db_name);
DekInterface::setInfoUser(user_name); DekInterface::setInfoUser(user_name);
DekInterface::setInfoDb(db_name); DekInterface::setInfoDb(db_name);
@@ -147,9 +142,6 @@ void connectionDelete() {
// 构建删除查询 // 构建删除查询
std::string query = "DELETE FROM dek_store WHERE "; std::string query = "DELETE FROM dek_store WHERE ";
// query.append("username = '").append(cmk_mapperGetInfoUser()).append("' AND ")
// .append("db = '").append(cmk_mapperGetInfoDb()).append("' AND ")
// .append("t = '").append(cmk_mapperGetInfoTable()).append("'");
query.append("username = '").append(DekInterface::getInfoUser()).append("' AND ") query.append("username = '").append(DekInterface::getInfoUser()).append("' AND ")
.append("db = '").append(DekInterface::getInfoDb()).append("' AND ") .append("db = '").append(DekInterface::getInfoDb()).append("' AND ")
.append("t = '").append(DekInterface::getInfoTable()).append("'"); .append("t = '").append(DekInterface::getInfoTable()).append("'");
@@ -273,8 +265,6 @@ void connectionUpdateDek_Init(RotateCommandResult &cmd) {
// 判断 如果是 NULL 则为表级密钥 && (轮换表级||轮换全部) -> 需要轮换表密钥 // 判断 如果是 NULL 则为表级密钥 && (轮换表级||轮换全部) -> 需要轮换表密钥
if (PQgetisnull(res1, i, 0)) { // 如果列名是NULL表示这是表级密钥 if (PQgetisnull(res1, i, 0)) { // 如果列名是NULL表示这是表级密钥
// 创建新密钥 // 创建新密钥
// if (cmk_mapperCreateDek(dek_for_update, "")) { // 表级密钥使用空列名
// cmk_mapperDecryptDek(dek_for_update, cmk);
if (KMSInterface::createDek(dek_for_update, "")) { // 表级密钥使用空列名, 也可以DekAPI::getInfoTable()) if (KMSInterface::createDek(dek_for_update, "")) { // 表级密钥使用空列名, 也可以DekAPI::getInfoTable())
KMSInterface::decryptData(dek_for_update); KMSInterface::decryptData(dek_for_update);
} else { } else {
@@ -282,10 +272,8 @@ void connectionUpdateDek_Init(RotateCommandResult &cmd) {
} }
if(cmd.type == ROTATE_TABLE || cmd.type == ROTATE_ALL) { if(cmd.type == ROTATE_TABLE || cmd.type == ROTATE_ALL) {
// cmk_mapperSetDekTableLevelForUpdate(dek_for_update);
DekInterface::setDekTableLevelForUpdate(dek_for_update); DekInterface::setDekTableLevelForUpdate(dek_for_update);
}else{ }else{
// cmk_mapperSetDekTableLevelForUpdate(dek);
DekInterface::setDekTableLevelForUpdate(dek); DekInterface::setDekTableLevelForUpdate(dek);
} }
}else{ }else{
@@ -294,8 +282,6 @@ void connectionUpdateDek_Init(RotateCommandResult &cmd) {
plain = plain.substr(0,plain.rfind('_')); plain = plain.substr(0,plain.rfind('_'));
// 创建新密钥,使用加密后的列名 // 创建新密钥,使用加密后的列名
// if (cmk_mapperCreateDek(dek_for_update, col_name)) { // 使用加密后的列名
// cmk_mapperDecryptDek(dek_for_update, cmk);
if (KMSInterface::createDek(dek_for_update, col_name)) { // 使用加密后的列名 if (KMSInterface::createDek(dek_for_update, col_name)) { // 使用加密后的列名
KMSInterface::decryptData(dek_for_update); KMSInterface::decryptData(dek_for_update);
} else { } else {
@@ -304,19 +290,15 @@ void connectionUpdateDek_Init(RotateCommandResult &cmd) {
if(cmd.type == ROTATE_TABLE){ // 轮换表级密钥 if(cmd.type == ROTATE_TABLE){ // 轮换表级密钥
all_columns.erase(plain); all_columns.erase(plain);
// cmk_mapperSetDekStoreTmpForUpdate(col_name, dek); // 这些列使用旧密钥
DekInterface::setDekColLevelForUpdate(col_name, dek); DekInterface::setDekColLevelForUpdate(col_name, dek);
} else if(cmd.type == ROTATE_ALL){ // 轮换所有密钥 } else if(cmd.type == ROTATE_ALL){ // 轮换所有密钥
cmd.enc_cols_set.insert(col_name); // 存储密文列名 cmd.enc_cols_set.insert(col_name); // 存储密文列名
// cmk_mapperSetDekStoreTmpForUpdate(col_name, dek_for_update); // dek_store中的所有密钥都要轮换
DekInterface::setDekColLevelForUpdate(col_name, dek_for_update); DekInterface::setDekColLevelForUpdate(col_name, dek_for_update);
} else if(cmd.type == ROTATE_COLUMNS){ // 轮换指定列密钥 } else if(cmd.type == ROTATE_COLUMNS){ // 轮换指定列密钥
if(cmd.cols_set.find(plain) != cmd.cols_set.end()){ // 判断dek_store中的列是否在命令中是的话用新密钥不是则用旧密钥 if(cmd.cols_set.find(plain) != cmd.cols_set.end()){ // 判断dek_store中的列是否在命令中是的话用新密钥不是则用旧密钥
cmd.enc_cols_set.insert(col_name); // 存储密文列名 cmd.enc_cols_set.insert(col_name); // 存储密文列名
// cmk_mapperSetDekStoreTmpForUpdate(col_name,dek_for_update);
DekInterface::setDekColLevelForUpdate(col_name, dek_for_update); DekInterface::setDekColLevelForUpdate(col_name, dek_for_update);
}else{ }else{
// cmk_mapperSetDekStoreTmpForUpdate(col_name,dek);
DekInterface::setDekColLevelForUpdate(col_name, dek); DekInterface::setDekColLevelForUpdate(col_name, dek);
} }
} }
@@ -542,16 +524,13 @@ void connectionUpdateDek_Final(RotateCommandResult &cmd) {
// 获取待更新的表级密钥 // 获取待更新的表级密钥
std::string table_dek_for_update; std::string table_dek_for_update;
// cmk_mapperGetDekTableLevelForUpdate(table_dek_for_update);
DekInterface::getDekTableLevelForUpdate(table_dek_for_update); DekInterface::getDekTableLevelForUpdate(table_dek_for_update);
// 获取CMK // 获取CMK
// std::string cmk = cmk_mapperGetCurrentCmk();
// 如果有表级密钥需要更新 // 如果有表级密钥需要更新
if (cmd.type != ROTATE_COLUMNS && !table_dek_for_update.empty()) { if (cmd.type != ROTATE_COLUMNS && !table_dek_for_update.empty()) {
// 加密表级密钥 // 加密表级密钥
// cmk_mapperEncryptDek(table_dek_for_update, cmk);
KMSInterface::encryptData(table_dek_for_update); KMSInterface::encryptData(table_dek_for_update);
if (table_dek_for_update.empty()) { if (table_dek_for_update.empty()) {
fprintf(stderr, "Encrypt table DEK failed\n"); fprintf(stderr, "Encrypt table DEK failed\n");
@@ -580,7 +559,6 @@ void connectionUpdateDek_Final(RotateCommandResult &cmd) {
if(!cmd.cols_set.empty() && cmd.type != ROTATE_TABLE){ if(!cmd.cols_set.empty() && cmd.type != ROTATE_TABLE){
// 获取所有待更新的列级密钥 // 获取所有待更新的列级密钥
std::unordered_map<std::string, std::string> column_deks; std::unordered_map<std::string, std::string> column_deks;
// cmk_mapperGetAllDekStoreTmpForUpdate(column_deks);
DekInterface::getAllDekColLevelForUpdate(column_deks); DekInterface::getAllDekColLevelForUpdate(column_deks);
// 更新列级密钥 // 更新列级密钥
@@ -642,19 +620,9 @@ void connectionInsertTest() {
} }
std::string table_dek; std::string table_dek;
// 获取CMK
// std::string cmk = cmk_mapperGetCurrentCmk();
// cmk_mapperGetCmkByUsername(cmk_mapperGetInfoUser(), cmk);
// if (cmk_mapperCreateDek(table_dek, "")) { // 表级密钥使用空列名
if (KMSInterface::createDek(table_dek, "")) { // 表级密钥使用空列名 if (KMSInterface::createDek(table_dek, "")) { // 表级密钥使用空列名
// cmk_mapperEncryptDek(table_dek, cmk); // 加密表级密钥create里写了加密所以不需要
std::string query1 = "insert into dek_store values"; std::string query1 = "insert into dek_store values";
std::string tuple1 = "("; std::string tuple1 = "(";
// tuple1.append("'").append(cmk_mapperGetInfoUser()).append("',")
// .append("'").append(cmk_mapperGetInfoDb()).append("',")
// .append("'").append(cmk_mapperGetInfoTable()).append("',")
// .append("NULL,")
// .append("'").append(table_dek).append("')");
tuple1.append("'").append(DekInterface::getInfoUser()).append("',") tuple1.append("'").append(DekInterface::getInfoUser()).append("',")
.append("'").append(DekInterface::getInfoDb()).append("',") .append("'").append(DekInterface::getInfoDb()).append("',")
@@ -672,15 +640,8 @@ void connectionInsertTest() {
// 处理所有列密钥 // 处理所有列密钥
while (!tmp1.empty()) { while (!tmp1.empty()) {
std::string col_dek; std::string col_dek;
// if (cmk_mapperCreateDek(col_dek, tmp1)) { // 使用当前列名作为参数
if(KMSInterface::createDek(col_dek, tmp1)) { if(KMSInterface::createDek(col_dek, tmp1)) {
// cmk_mapperEncryptDek(col_dek, cmk); // 加密列级密钥
std::string tuple_col = "("; std::string tuple_col = "(";
// tuple_col.append("'").append(cmk_mapperGetInfoUser()).append("',")
// .append("'").append(cmk_mapperGetInfoDb()).append("',")
// .append("'").append(cmk_mapperGetInfoTable()).append("',")
// .append("'").append(tmp1).append("',")
// .append("'").append(col_dek).append("')");
tuple_col.append("'").append(DekInterface::getInfoUser()).append("',") tuple_col.append("'").append(DekInterface::getInfoUser()).append("',")
.append("'").append(DekInterface::getInfoDb()).append("',") .append("'").append(DekInterface::getInfoDb()).append("',")
.append("'").append(DekInterface::getInfoTable()).append("',") .append("'").append(DekInterface::getInfoTable()).append("',")
@@ -768,23 +729,17 @@ void connectionSelect() {
int nrows = PQntuples(res1); int nrows = PQntuples(res1);
// 获取CMK // 获取CMK
// std::string cmk = cmk_mapperGetCurrentCmk();
// cmk_mapperGetCmkByUsername(cmk_mapperGetInfoUser(), cmk);
for (int i = 0; i < nrows; i++) { // 遍历每一行 for (int i = 0; i < nrows; i++) { // 遍历每一行
std::string col_name(PQgetvalue(res1, i, 0)); // 列名 std::string col_name(PQgetvalue(res1, i, 0)); // 列名
std::string dek(PQgetvalue(res1, i, 1)); // 对应的密钥 std::string dek(PQgetvalue(res1, i, 1)); // 对应的密钥
// 解密密钥 // 解密密钥
// cmk_mapperDecryptDek(dek, cmk);
KMSInterface::decryptData(dek); KMSInterface::decryptData(dek);
if (PQgetisnull(res1, i, 0)) { // 如果列名是NULL表示这是表级密钥 if (PQgetisnull(res1, i, 0)) { // 如果列名是NULL表示这是表级密钥
// cmk_mapperSetDekTableLevel(dek);
DekInterface::setDekTableLevel(dek); DekInterface::setDekTableLevel(dek);
// dek_for_decrypt = dek;
} else { // 否则是列级密钥 } else { // 否则是列级密钥
// cmk_mapperSetInfoDekTmp(col_name, dek);
DekInterface::setDekColLevel(col_name, dek); DekInterface::setDekColLevel(col_name, dek);
} }
} }


@@ -25,6 +25,7 @@ using namespace util;
#ifndef NDEBUG // DEBUG #ifndef NDEBUG // DEBUG
#include <fstream> #include <fstream>
#include "en_config.h"
extern "C" extern "C"
{ {
@@ -36,7 +37,7 @@ class CalledCounter {
public: public:
CalledCounter() { CalledCounter() {
char buf[64]; char buf[64];
sprintf(buf, "/etc/encryptsql/UDFcalled_by%d.count", (int) getpid()); sprintf(buf, ENCRYPTSQL_CONFIG_DIR "/UDFcalled_by%d.count", (int) getpid());
ofstream fout(buf); ofstream fout(buf);
fout.close(); fout.close();
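Review bot: The path prefix in the `CalledCounter` constructor is now the `ENCRYPTSQL_CONFIG_DIR` macro, but it is still formatted with an unbounded `sprintf` into `char buf[64]`. The literal `/etc/encryptsql` fits, but a longer build-time directory overflows the stack buffer. Bound the write and handle truncation: `int n = snprintf(buf, sizeof(buf), ENCRYPTSQL_CONFIG_DIR "/UDFcalled_by%d.count", (int) getpid());` followed by `if (n < 0 || (size_t) n >= sizeof(buf)) return;`. The same pattern appears in the two later sections that build `logPath[64]` and `path1[64]`/`path2[64]` from the same macro. The constructor body continues outside the hunk.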


@@ -40,7 +40,7 @@ extern "C"
#include "crypto/openssl.h" #include "crypto/openssl.h"
#include "encryptsql.h" #include "encryptsql.h"
#include "en_config.h"
#include "kms/kms_interface.hpp" #include "kms/kms_interface.hpp"
#include "kmsAdapter/dek_interface.hpp" #include "kmsAdapter/dek_interface.hpp"
#include "KeyDistribution/non_enc_client/client_interface.h" #include "KeyDistribution/non_enc_client/client_interface.h"
@@ -49,8 +49,8 @@ namespace {
bool SendDekViaTls(const std::string& dek_plain) bool SendDekViaTls(const std::string& dek_plain)
{ {
kd::client::ClientConfig cfg; kd::client::ClientConfig cfg;
cfg.server_host = "127.0.0.1"; // 或者 "localhost" cfg.server_host = DK_SERVER_HOST; // 或者 "localhost"
cfg.server_port = "9443"; // 只要服务器宿主端监听同一个端口即可 cfg.server_port = DK_SERVER_PORT; // 只要服务器宿主端监听同一个端口即可
cfg.dek.assign(dek_plain.begin(), dek_plain.end()); cfg.dek.assign(dek_plain.begin(), dek_plain.end());
kd::client::ClientResult result; kd::client::ClientResult result;
@@ -65,14 +65,6 @@ bool SendDekViaTls(const std::string& dek_plain)
} }
} // anonymous namespace } // anonymous namespace
// 文件路径定义
#define MAP_FILE_PATH "/etc/encryptsql/map.json"
#define KMS_FILE_PATH "/new_enc/kms_test/output.json"
#define MAP_BACKUP_PATH "/etc/encryptsql/map.json.backup"
#define KMS_BACKUP_PATH "/new_enc/kms_test/output.json.backup"
extern thread_local std::string dek_for_decrypt; extern thread_local std::string dek_for_decrypt;
static List *encryptValuesLists(List *valuesLists, List *cols, EncryptInfo *info); static List *encryptValuesLists(List *valuesLists, List *cols, EncryptInfo *info);
@@ -1950,18 +1942,18 @@ cleanup:
* 开始事务 * 开始事务
* 在事务开始时调用,为原文件和数据库表创建备份副本 * 在事务开始时调用,为原文件和数据库表创建备份副本
*/ */
#ifdef USE_BACKUP_ENCRYPT #ifdef ENCRYPTSQL_USE_RECOVERY
static void create_backup(bool is_transaction) { static void create_backup(bool is_transaction) {
int mapResult = 0, kmsResult = 0, dbResult = 0; int mapResult = 0, kmsResult = 0, dbResult = 0;
const char* map_path = MAP_FILE_PATH; const char* map_path = MAP_JSON_PATH;
const char* map_backup; const char* map_backup;
if(is_transaction) map_backup = MAP_BACKUP_PATH".t"; if(is_transaction) map_backup = MAP_JSON_BACKUP_PATH".t";
else map_backup = MAP_BACKUP_PATH; else map_backup = MAP_JSON_BACKUP_PATH;
const char* kms_path = KMS_FILE_PATH; const char* kms_path = CMK_FILE_PATH;
const char* kms_backup; const char* kms_backup;
if(is_transaction) kms_backup = KMS_BACKUP_PATH".t"; if(is_transaction) kms_backup = CMK_FILE_BACKUP_PATH".t";
else kms_backup = KMS_BACKUP_PATH; else kms_backup = CMK_FILE_BACKUP_PATH;
char* msg; char* msg;
// 备份映射文件 // 备份映射文件
@@ -1977,7 +1969,7 @@ static void create_backup(bool is_transaction) {
} }
#ifndef NDEBUG #ifndef NDEBUG
std::cout << msg << std::endl; // std::cout << msg << std::endl;
#endif #endif
// 备份密钥文件 // 备份密钥文件
@@ -1993,21 +1985,21 @@ static void create_backup(bool is_transaction) {
} }
#ifndef NDEBUG #ifndef NDEBUG
std::cout << msg << std::endl; // std::cout << msg << std::endl;
#endif #endif
// 备份数据库表 // 备份数据库表
// dbResult = backupDekStore();
dbResult = DekInterface::backupDekStore(); dbResult = DekInterface::backupDekStore();
#ifndef NDEBUG #ifndef NDEBUG
// 如果任一备份失败,记录错误但不阻止事务继续 // // 如果任一备份失败,记录错误但不阻止事务继续
if (mapResult != 0 || kmsResult != 0 || dbResult != 0) { // if (mapResult != 0 || kmsResult != 0 || dbResult != 0) {
fprintf(stderr, "Warning: Some backups failed, transaction may not be fully recoverable\n"); // fprintf(stderr, "Warning: Some backups failed, transaction may not be fully recoverable\n");
} else { // } else {
printf("All backups completed successfully\n"); // printf("All backups completed successfully\n");
} // }
#endif #endif
} }
/** /**
@@ -2024,14 +2016,14 @@ void delete_backup(bool is_transaction) {
} }
int mapResult = 0, kmsResult = 0, dbResult = 0; int mapResult = 0, kmsResult = 0, dbResult = 0;
const char* map_path = MAP_FILE_PATH; const char* map_path = MAP_JSON_PATH;
const char* map_backup; const char* map_backup;
if(is_transaction) map_backup = MAP_BACKUP_PATH".t"; if(is_transaction) map_backup = MAP_JSON_BACKUP_PATH".t";
else map_backup = MAP_BACKUP_PATH; else map_backup = MAP_JSON_BACKUP_PATH;
const char* kms_path = KMS_FILE_PATH; const char* kms_path = CMK_FILE_PATH;
const char* kms_backup; const char* kms_backup;
if(is_transaction) kms_backup = KMS_BACKUP_PATH".t"; if(is_transaction) kms_backup = CMK_FILE_BACKUP_PATH".t";
else kms_backup = KMS_BACKUP_PATH; else kms_backup = CMK_FILE_BACKUP_PATH;
char* msg; char* msg;
// 删除映射文件备份 // 删除映射文件备份
@@ -2048,7 +2040,7 @@ void delete_backup(bool is_transaction) {
} }
#ifndef NDEBUG #ifndef NDEBUG
std::cout << msg << std::endl; // std::cout << msg << std::endl;
#endif #endif
// 删除密钥文件备份 // 删除密钥文件备份
@@ -2065,19 +2057,18 @@ void delete_backup(bool is_transaction) {
} }
#ifndef NDEBUG #ifndef NDEBUG
std::cout << msg << std::endl; // std::cout << msg << std::endl;
#endif #endif
// 删除数据库备份表 // 删除数据库备份表
// dbResult = deleteDekStoreBackup();
dbResult = DekInterface::deleteDekStoreBackup(); dbResult = DekInterface::deleteDekStoreBackup();
#ifndef NDEBUG #ifndef NDEBUG
if (mapResult == 0 && kmsResult == 0 && dbResult == 0) { // if (mapResult == 0 && kmsResult == 0 && dbResult == 0) {
printf("Transaction committed successfully - all backups cleaned up\n"); // printf("Transaction committed successfully - all backups cleaned up\n");
} else { // } else {
fprintf(stderr, "Warning: Failed to clean up some backup files or database tables\n"); // fprintf(stderr, "Warning: Failed to clean up some backup files or database tables\n");
} // }
#endif #endif
} }
@@ -2089,14 +2080,14 @@ void delete_backup(bool is_transaction) {
void recovery_backup(bool is_transaction) { void recovery_backup(bool is_transaction) {
int mapResult = 0, kmsResult = 0, dbResult = 0; int mapResult = 0, kmsResult = 0, dbResult = 0;
const char* map_path = MAP_FILE_PATH; const char* map_path = MAP_JSON_PATH;
const char* map_backup; const char* map_backup;
if(is_transaction) map_backup = MAP_BACKUP_PATH".t"; if(is_transaction) map_backup = MAP_JSON_BACKUP_PATH".t";
else map_backup = MAP_BACKUP_PATH; else map_backup = MAP_JSON_BACKUP_PATH;
const char* kms_path = KMS_FILE_PATH; const char* kms_path = CMK_FILE_PATH;
const char* kms_backup; const char* kms_backup;
if(is_transaction) kms_backup = KMS_BACKUP_PATH".t"; if(is_transaction) kms_backup = CMK_FILE_BACKUP_PATH".t";
else kms_backup = KMS_BACKUP_PATH; else kms_backup = CMK_FILE_BACKUP_PATH;
char* msg; char* msg;
// 恢复映射文件 // 恢复映射文件
@@ -2115,7 +2106,7 @@ void recovery_backup(bool is_transaction) {
msg = "No map backup file found for rollback\n"; msg = "No map backup file found for rollback\n";
} }
#ifndef NDEBUG #ifndef NDEBUG
std::cout << msg << std::endl; // std::cout << msg << std::endl;
#endif #endif
// 恢复密钥文件 // 恢复密钥文件
@@ -2135,19 +2126,18 @@ void recovery_backup(bool is_transaction) {
} }
#ifndef NDEBUG #ifndef NDEBUG
std::cout << msg << std::endl; // std::cout << msg << std::endl;
#endif #endif
// 恢复数据库表 // 恢复数据库表
// dbResult = restoreDekStore();
dbResult = DekInterface::restoreDekStore(); dbResult = DekInterface::restoreDekStore();
#ifndef NDEBUG #ifndef NDEBUG
if (mapResult == 0 && kmsResult == 0 && dbResult == 0) { // if (mapResult == 0 && kmsResult == 0 && dbResult == 0) {
printf("Transaction rolled back successfully - all data restored\n"); // printf("Transaction rolled back successfully - all data restored\n");
} else { // } else {
fprintf(stderr, "Error: Failed to completely rollback transaction\n"); // fprintf(stderr, "Error: Failed to completely rollback transaction\n");
} // }
#endif #endif
} }
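Review bot: In `create_backup`, `delete_backup` and `recovery_backup` the commit comments out every check of `mapResult`, `kmsResult` and `dbResult`, so a failed backup or rollback of the map file, the CMK file or `dek_store` is now silent in every build. Before this change a debug build at least printed a warning; now the three results and `msg` are computed and then discarded. For key material, a rollback that restored only some of these stores leaves keys and data inconsistent, and the operator should be told. Keep the failure branch and move it outside `#ifndef NDEBUG`, for example `if (mapResult != 0 || kmsResult != 0 || dbResult != 0) fprintf(stderr, "Error: Failed to completely rollback transaction\n");` in `recovery_backup`, with the matching warning in the other two. All three functions start or end outside the visible hunks.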


@@ -39,17 +39,18 @@ extern "C"
// #include "kms/KeyManagementService.hpp" // #include "kms/KeyManagementService.hpp"
// #include "kms/PGconnectForDEK.h" // #include "kms/PGconnectForDEK.h"
#include "en_config.h"
#include "kms/kms_interface.hpp" #include "kms/kms_interface.hpp"
#include "kms/kms_core_local.hpp" #include "kms/kms_core_local.hpp"
#include "kmsAdapter/dek_interface.hpp" #include "kmsAdapter/dek_interface.hpp"
#ifndef MAPPERPATH // #ifndef MAPPERPATH
#define MAPPERPATH "/etc/encryptsql/map.json" // #define MAPPERPATH "/etc/encryptsql/map.json"
#endif // #endif
#define CMKFILEPATH "/new_enc/kms_test/output.json" // #define CMKFILEPATH "/new_enc/kms_test/output.json"
#define CMKKEYPATH "/new_enc/kms_test/domainkey" // #define CMKKEYPATH "/new_enc/kms_test/domainkey"
// 持久化文件路径 // // 持久化文件路径
#define CMK_AUTO_ROTATE_STATUS_PATH "/new_enc/kms_test/CMK_auto_rotate_status.json" // #define CMK_AUTO_ROTATE_STATUS_PATH "/new_enc/kms_test/CMK_auto_rotate_status.json"
extern void LogInfo(const char *fmt, ...); extern void LogInfo(const char *fmt, ...);
@@ -223,21 +224,29 @@ encryptOneSql(const char *sql, char **err_msg, const char *user_name, const char
ALLOCSET_DEFAULT_INITSIZE, ALLOCSET_DEFAULT_INITSIZE,
ALLOCSET_DEFAULT_MAXSIZE); ALLOCSET_DEFAULT_MAXSIZE);
//初始化映射表 //初始化映射表
mapperInit(MAPPERPATH); mapperInit(MAP_JSON_PATH);
//注册kms //注册kms
LocalKmsCore::registerLocalKms(); LocalKmsCore::registerLocalKms();
LocalKmsConfig config(CMK_FILE_PATH, CMK_KEY_PATH, CMK_ROTATE_STATUS_PATH, user_name, db_name);
//初始化CMK
// cmk_mapperInit(CMKFILEPATH, CMKKEYPATH, CMK_AUTO_ROTATE_STATUS_PATH);
LocalKmsConfig config(CMKFILEPATH, CMKKEYPATH, CMK_AUTO_ROTATE_STATUS_PATH, user_name, db_name);
KMSInterface::initialize(config); KMSInterface::initialize(config);
#if 0
HuaweiKmsCore::registerHuaweiKms();
HuaweiKmsConfig hwConfig(
"HPUAI1XPW4U0CPJCSE7C", // AK
"qSOZjbqKxffaqFm3FG7KrqV4MtAKYgsAVACB0ZLs", // SK
"d8aadaf24bde4314bf2789fb87f4ad83", // projectId
"cn-north-4", // region
"", // endpoint (可选)
"my-app-key" // keyAlias (可选)
);
KMSInterface::initialize(hwConfig);
#endif
//初始化DEK //初始化DEK
DekInterface::initialize(user_name, db_name); DekInterface::initialize(user_name, db_name);
// InitializeKeyDistribution(); // 启动 DEK 接收服务
// std::atexit(ShutdownKeyDistribution);
#ifdef USE_LRU #ifdef USE_LRU
// HECache.setName("Client HE"); // for RandNum(id) // HECache.setName("Client HE"); // for RandNum(id)
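Review bot: The `#if 0` block in `encryptOneSql`, which appears to be added here, passes what look like a real access key, secret key and project id to `HuaweiKmsConfig` as string literals. Disabling the block does not keep them out of the repository or its history. Treat the key pair as exposed and rotate it, and replace the literals with placeholders such as `"<HUAWEI_KMS_AK>", // AK: load from the environment or a secret store, never commit`, doing the same for the SK and project id. Separately, the return value of `KMSInterface::initialize(config)` is ignored here, while the new `main.cpp` checks it. The function continues outside the hunk.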


@@ -1,5 +1,6 @@
#include "LogBase.h" #include "LogBase.h"
#include "config.h" #include "config.h"
#include <iostream> #include <iostream>
namespace util { namespace util {
@@ -19,7 +20,7 @@ namespace util {
m_enabled[log::timer] = false; m_enabled[log::timer] = false;
int pid = getpid(); int pid = getpid();
char logPath[64] = {0}; char logPath[64] = {0};
sprintf(logPath, "/etc/encryptsql/encryptsql.%d.log", pid); sprintf(logPath, ENCRYPTSQL_CONFIG_DIR "/encryptsql.%d.log", pid);
this->appender = new log4cpp::FileAppender("fileAppender", logPath, false); this->appender = new log4cpp::FileAppender("fileAppender", logPath, false);
auto pLayout = new log4cpp::PatternLayout(); auto pLayout = new log4cpp::PatternLayout();


@@ -2,6 +2,7 @@
#pragma once #pragma once
#include "Timer.h" #include "Timer.h"
#include "en_config.h"
#include <unordered_map> #include <unordered_map>
#include <string> #include <string>
@@ -115,8 +116,8 @@ public:
#endif #endif
char path1[64] = {0}; char path1[64] = {0};
char path2[64] = {0}; char path2[64] = {0};
sprintf(path1, "/etc/encryptsql/counter_%d.log", pid); sprintf(path1, ENCRYPTSQL_CONFIG_DIR "/counter_%d.log", pid);
sprintf(path2, "/etc/encryptsql/counter_%d.json", pid); sprintf(path2, ENCRYPTSQL_CONFIG_DIR "/counter_%d.json", pid);
FILE *fp = fopen(path1, "w"); FILE *fp = fopen(path1, "w");
FILE *jsonFp = fopen(path2, "w"); FILE *jsonFp = fopen(path2, "w");
if (!fp || !jsonFp) { if (!fp || !jsonFp) {

28
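--- /dev/null
+++ b/src/utils/en_config.h
@@ -0,0 +1,28 @@
+#ifndef ENCRYPTSQL_CONFIG_H
+#define ENCRYPTSQL_CONFIG_H
+// 安装路径(由 -DENCRYPTSQL_INSTALL_DIR=... 指定)
+#define ENCRYPTSQL_INSTALL_DIR "/usr/local/postgresql"
+#define ENCRYPTSQL_CONFIG_DIR "/etc/encryptsql"
+#define DK_SERVER_HOST "127.0.0.1"
+#define DK_SERVER_PORT "9443"
+#define CREATEUDF_SQL_PATH ENCRYPTSQL_INSTALL_DIR "/createudf.sql"
+#define MASK_FUNCS_SQL_PATH ENCRYPTSQL_INSTALL_DIR "/mask_funcs.sql"
+#define MAP_JSON_PATH ENCRYPTSQL_CONFIG_DIR "/map.json"
+#define MAP_JSON_BACKUP_PATH ENCRYPTSQL_CONFIG_DIR "/map.json.backup"
+#define CMK_FILE_PATH ENCRYPTSQL_CONFIG_DIR "/output.json"
+#define CMK_FILE_BACKUP_PATH ENCRYPTSQL_CONFIG_DIR "/output.json.backup"
+#define CMK_KEY_PATH ENCRYPTSQL_CONFIG_DIR "/domainkey"
+#define CMK_ROTATE_STATUS_PATH ENCRYPTSQL_CONFIG_DIR "/CMK_auto_rotate_status.json"
+#define ROOT_KEY_GEN_PATH ENCRYPTSQL_CONFIG_DIR "/kms_root"
+#define BACKUP_BIN_PATH ENCRYPTSQL_INSTALL_DIR "/bin/backup"
+#define RESTORE_BIN_PATH ENCRYPTSQL_INSTALL_DIR "/bin/restore"
+#endif /* ENCRYPTSQL_CONFIG_H */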
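Review bot: The header comment says the install path is supplied with `-DENCRYPTSQL_INSTALL_DIR=...`, but both directory macros are defined unconditionally, so a command-line definition is redefined here rather than honoured. Guard each default, e.g. `#ifndef ENCRYPTSQL_INSTALL_DIR` / `#define ENCRYPTSQL_INSTALL_DIR "/usr/local/postgresql"` / `#endif`, and do the same for `ENCRYPTSQL_CONFIG_DIR`. The header also places `CMK_FILE_PATH`, `CMK_KEY_PATH` and `ROOT_KEY_GEN_PATH` under the config directory, which other files in this commit use for logs and counters. A comment stating the expected ownership and mode of that directory would help, as would a separate macro for the key directory.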


@@ -1,13 +1,16 @@
#pragma once #pragma once
#include "en_config.h"
// 明文的数据类型, 依据不同的数据类型选择加密方案。 // 明文的数据类型, 依据不同的数据类型选择加密方案。
#define MAX_PLAIN_STRING_TYPE 4 #define MAX_PLAIN_STRING_TYPE 4
#define NOEXIST "NNnoexistNN" // table or column not found in mapper #define NOEXIST "NNnoexistNN" // table or column not found in mapper
constexpr char CONFIG_PATH[] = "/etc/encryptsql/config.json"; // constexpr char CONFIG_PATH[] = "/etc/encryptsql/config.json";
constexpr char CONFIG_PATH[] = ENCRYPTSQL_CONFIG_DIR "/config.json";
constexpr double Float_Scale = 10000.0; constexpr double Float_Scale = 10000.0;
constexpr char ENCLAVE_FILENAME[] = "/etc/encryptsql/enclave.signed.so"; constexpr char ENCLAVE_FILENAME[] = ENCRYPTSQL_CONFIG_DIR "/enclave.signed.so";
// crypto.h things // crypto.h things
#define DEFALUT_ENCRYPT_CIPHER CIPHER_AES // select target默认的加密列 #define DEFALUT_ENCRYPT_CIPHER CIPHER_AES // select target默认的加密列