perf: 证书支持旧版RSA，pkcs1

2024-09-23 14:32:57 +08:00 · 2024-09-23 14:32:57 +08:00 · 3d9c3ecb3e
parent f9ff9191a1
commit 3d9c3ecb3e
5 changed files with 29 additions and 12 deletions
--- a/packages/core/acme-client/src/crypto/index.js
+++ b/packages/core/acme-client/src/crypto/index.js
@ -67,11 +67,11 @@ function getKeyInfo(keyPem) {
 * ```
 */

-async function createPrivateRsaKey(modulusLength = 2048) {
+async function createPrivateRsaKey(modulusLength = 2048, encodingType = 'pkcs8') {
    const pair = await generateKeyPair('rsa', {
        modulusLength,
        privateKeyEncoding: {
-            type: 'pkcs8',
+            type: encodingType,
            format: 'pem',
        },
    });
@ -106,11 +106,11 @@ exports.createPrivateKey = createPrivateRsaKey;
 * ```
 */

-exports.createPrivateEcdsaKey = async (namedCurve = 'P-256') => {
+exports.createPrivateEcdsaKey = async (namedCurve = 'P-256', encodingType = 'pkcs8') => {
    const pair = await generateKeyPair('ec', {
        namedCurve,
        privateKeyEncoding: {
-            type: 'pkcs8',
+            type: encodingType,
            format: 'pem',
        },
    });
@ -201,6 +201,9 @@ async function getWebCryptoKeyPair(keyPem) {
    }

    /* Decode PEM and import into CryptoKeyPair */
+    if (encodingType === 'pkcs1') {
+        encodingType = 'pkcs8';
+    }
    const privateKeyDec = x509.PemConverter.decodeFirst(keyPem.toString());
    const privateKey = await crypto.webcrypto.subtle.importKey('pkcs8', privateKeyDec, sigalg, true, ['sign']);
    const publicKey = await crypto.webcrypto.subtle.importKey('jwk', jwk, sigalg, true, ['verify']);
--- a/packages/core/acme-client/src/index.js
+++ b/packages/core/acme-client/src/index.js
@ -32,7 +32,7 @@ exports.directory = {
 */

 exports.crypto = require('./crypto');
-// exports.forge = require('./crypto/forge');
+exports.forge = require('./crypto/forge');

 /**
 * Axios
--- a/packages/core/acme-client/types/index.d.ts
+++ b/packages/core/acme-client/types/index.d.ts
@ -155,16 +155,16 @@ export interface EcdsaPublicJwk {
 }

 export interface CryptoInterface {
-    createPrivateKey(keySize?: number): Promise<PrivateKeyBuffer>;
-    createPrivateRsaKey(keySize?: number): Promise<PrivateKeyBuffer>;
-    createPrivateEcdsaKey(namedCurve?: 'P-256' | 'P-384' | 'P-521'): Promise<PrivateKeyBuffer>;
+    createPrivateKey(keySize?: number,encodingType?:string): Promise<PrivateKeyBuffer>;
+    createPrivateRsaKey(keySize?: number,encodingType?:string): Promise<PrivateKeyBuffer>;
+    createPrivateEcdsaKey(namedCurve?: 'P-256' | 'P-384' | 'P-521',encodingType?:string): Promise<PrivateKeyBuffer>;
    getPublicKey(keyPem: PrivateKeyBuffer | PrivateKeyString | PublicKeyBuffer | PublicKeyString): PublicKeyBuffer;
    getJwk(keyPem: PrivateKeyBuffer | PrivateKeyString | PublicKeyBuffer | PublicKeyString): RsaPublicJwk | EcdsaPublicJwk;
    splitPemChain(chainPem: CertificateBuffer | CertificateString): string[];
    getPemBodyAsB64u(pem: CertificateBuffer | CertificateString): string;
    readCsrDomains(csrPem: CsrBuffer | CsrString): CertificateDomains;
    readCertificateInfo(certPem: CertificateBuffer | CertificateString): CertificateInfo;
-    createCsr(data: CsrOptions, keyPem?: PrivateKeyBuffer | PrivateKeyString): Promise<[PrivateKeyBuffer, CsrBuffer]>;
+    createCsr(data: CsrOptions, keyPem?: PrivateKeyBuffer | PrivateKeyString,encodingType?:string): Promise<[PrivateKeyBuffer, CsrBuffer]>;
    createAlpnCertificate(authz: Authorization, keyAuthorization: string, keyPem?: PrivateKeyBuffer | PrivateKeyString): Promise<[PrivateKeyBuffer, CertificateBuffer]>;
    isAlpnCertificateAuthorizationValid(certPem: CertificateBuffer | CertificateString, keyAuthorization: string): boolean;
 }
--- a/packages/plugins/plugin-cert/src/plugin/cert-plugin/acme.ts
+++ b/packages/plugins/plugin-cert/src/plugin/cert-plugin/acme.ts
@ -244,13 +244,25 @@ export class AcmeService {
    if (privateKeyArr.length > 1) {
      size = parseInt(privateKeyArr[1]);
    }
+
+    let encodingType = "pkcs8";
+    if (privateKeyArr.length > 2) {
+      encodingType = privateKeyArr[2];
+    }
+
    if (type == "ec") {
      const name: any = "P-" + size;
-      privateKey = await acme.crypto.createPrivateEcdsaKey(name);
+      privateKey = await acme.crypto.createPrivateEcdsaKey(name, encodingType);
    } else {
-      privateKey = await acme.crypto.createPrivateRsaKey(size);
+      privateKey = await acme.crypto.createPrivateRsaKey(size, encodingType);
    }
-    const [key, csr] = await acme.crypto.createCsr(
+
+    let createCsr: any = acme.crypto.createCsr;
+    if (encodingType === "pkcs1") {
+      //兼容老版本
+      createCsr = acme.forge.createCsr;
+    }
+    const [key, csr] = await createCsr(
      {
        commonName,
        ...csrInfo,
@ -258,6 +270,7 @@ export class AcmeService {
      },
      privateKey
    );
+
    if (dnsProvider == null) {
      throw new Error("dnsProvider 不能为空");
    }
--- a/packages/plugins/plugin-cert/src/plugin/cert-plugin/index.ts
+++ b/packages/plugins/plugin-cert/src/plugin/cert-plugin/index.ts
@ -74,6 +74,7 @@ export class CertApplyPlugin extends CertApplyBasePlugin {
        { value: "rsa_2048", label: "RSA 2048" },
        { value: "rsa_3072", label: "RSA 3072" },
        { value: "rsa_4096", label: "RSA 4096" },
+        { value: "rsa_2048_pkcs1", label: "RSA 2048 pkcs1 (旧版)" },
        { value: "ec_256", label: "EC 256" },
        { value: "ec_384", label: "EC 384" },
        // { value: "ec_521", label: "EC 521" },