in agent/taskengine/signature/signature.go [91:158]
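// VerifyTaskSign checks task.Signature against the task's signed attributes.
//
// The signature string has the form "<signVer>#<keypairVer>#<base64 sig>".
// The two version numbers select a certificate: first from the certs_ cache
// (filled once from local storage by loadCertMp), otherwise fetched through
// updateCertsMp. The certificate's SignatureFields name the task attributes
// that are joined with "#" to rebuild the signed payload, and its Algorithm
// selects the verifier.
//
// It returns (true, nil) when the signature verifies, (false, nil) when it
// does not, and (false, err) when the signature cannot be parsed, the
// certificate cannot be resolved, the local instance id is unknown, or the
// algorithm is not supported.
func VerifyTaskSign(logger logrus.FieldLogger, task models.RunTaskInfo) (bool, error) {
	// Best-effort one-time load of the local certificate store. A failure is
	// only logged because a cache miss below is still served by updateCertsMp.
	loadCertsOnce.Do(func() {
		if err := loadCertMp(logger); err != nil {
			logger.WithError(err).Error("Load certs from local failed")
		} else {
			logger.Info("Load certs from local successd")
		}
	})

	signVer, keypairVer, signatureByte, err := parseTaskSignature(task.Signature)
	if err != nil {
		return false, err
	}

	c, err := resolveTaskCert(logger, signVer, keypairVer)
	if err != nil {
		return false, err
	}

	data, err := buildSignedPayload(logger, c, task)
	if err != nil {
		return false, err
	}

	switch c.Algorithm {
	case algorithm_sha256withrsa:
		return verifyWithSha256withrsa(c.PublicKeyRsa, data, signatureByte)
	case algorithm_sm3withsm2:
		return verifyWithSm3withsm2(c.PublicKeySm2, data, signatureByte)
	default:
		return false, ErrorUnknownSignAlgorithm
	}
}

// parseTaskSignature splits "<signVer>#<keypairVer>#<base64 signature>" into
// its parts. Any structural problem (wrong field count, empty field,
// non-numeric version) maps to ErrorUnknownSignatureFormat; a malformed
// base64 payload is reported with the decoder's own error.
func parseTaskSignature(sig string) (int, int, []byte, error) {
	fields := strings.SplitN(sig, "#", 3)
	if len(fields) != 3 || fields[0] == "" || fields[1] == "" || fields[2] == "" {
		return 0, 0, nil, ErrorUnknownSignatureFormat
	}
	signVer, err := strconv.Atoi(fields[0])
	if err != nil {
		return 0, 0, nil, ErrorUnknownSignatureFormat
	}
	keypairVer, err := strconv.Atoi(fields[1])
	if err != nil {
		return 0, 0, nil, ErrorUnknownSignatureFormat
	}
	raw, err := base64.StdEncoding.DecodeString(fields[2])
	if err != nil {
		return 0, 0, nil, err
	}
	return signVer, keypairVer, raw, nil
}

// resolveTaskCert returns the certificate for the "<signVer>-<keypairVer>"
// key, from the certs_ cache when present or via updateCertsMp otherwise.
// A cached value that is not a non-nil *Cert is treated as a cache miss
// instead of being dereferenced, and a nil result from updateCertsMp is
// reported as an error rather than left for the caller to panic on.
func resolveTaskCert(logger logrus.FieldLogger, signVer, keypairVer int) (*Cert, error) {
	key := fmt.Sprintf("%d-%d", signVer, keypairVer)
	if value, found := certs_.Load(key); found {
		if cached, isCert := value.(*Cert); isCert && cached != nil {
			return cached, nil
		}
		logger.Warnf("Cert cache entry %s is not a usable *Cert, refetching", key)
	}
	c, err := updateCertsMp(logger, key, signVer, keypairVer)
	if err != nil {
		return nil, err
	}
	if c == nil {
		return nil, fmt.Errorf("no cert available for %s", key)
	}
	return c, nil
}

// buildSignedPayload rebuilds the "#"-joined string that was signed, taking
// the attributes named by c.SignatureFields from the task (and the local
// instance id). It returns ErrorUnknownInstanceId when "instanceId" is
// required but the local instance id is not known.
func buildSignedPayload(logger logrus.FieldLogger, c *Cert, task models.RunTaskInfo) (string, error) {
	parts := make([]string, 0, len(c.SignatureFields))
	for _, field := range c.SignatureFields {
		switch field {
		case "userId":
			parts = append(parts, task.UserId)
		case "instanceId":
			instanceID := util.GetInstanceId()
			if instanceID == "unknown" {
				return "", ErrorUnknownInstanceId
			}
			parts = append(parts, instanceID)
		case "commandContent":
			parts = append(parts, task.Content)
		default:
			// A field this agent does not know cannot be reproduced, so the
			// payload will not match what was signed; say so instead of
			// dropping it silently and failing verification without a trace.
			logger.Warnf("Unsupported signature field %q ignored", field)
		}
	}
	data := strings.Join(parts, "#")
	// The payload embeds the full command content; keep it out of the
	// routine Info-level log stream.
	logger.Debug("dataList: ", data)
	return data, nil
}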