flik/GoTunnel
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

refactor(plugin): 简化插件签名验证机制
Some checks failed
Build Multi-Platform Binaries / build-frontend (push) Failing after 13m34s
Details
Build Multi-Platform Binaries / build-binaries (amd64, darwin, server, false) (push) Has been cancelled
Details
Build Multi-Platform Binaries / build-binaries (amd64, linux, client, true) (push) Has been cancelled
Details
Build Multi-Platform Binaries / build-binaries (amd64, linux, server, true) (push) Has been cancelled
Details
Build Multi-Platform Binaries / build-binaries (amd64, windows, client, true) (push) Has been cancelled
Details
Build Multi-Platform Binaries / build-binaries (amd64, windows, server, true) (push) Has been cancelled
Details
Build Multi-Platform Binaries / build-binaries (arm, 7, linux, client, true) (push) Has been cancelled
Details
Build Multi-Platform Binaries / build-binaries (arm, 7, linux, server, true) (push) Has been cancelled
Details
Build Multi-Platform Binaries / build-binaries (arm64, darwin, server, false) (push) Has been cancelled
Details
Build Multi-Platform Binaries / build-binaries (arm64, linux, client, true) (push) Has been cancelled
Details
Build Multi-Platform Binaries / build-binaries (arm64, linux, server, true) (push) Has been cancelled
Details
Build Multi-Platform Binaries / build-binaries (arm64, windows, server, false) (push) Has been cancelled
Details

Browse Source 
- 移除远程密钥撤销检查功能
- 移除远程公钥列表拉取和缓存机制
- 将官方公钥改为客户端内置固定值
- 简化 GetPublicKeyByID 接口实现
- 移除相关的安全配置初始化代码
- 将插件仓库URL配置改为可配置化设置
This commit is contained in:
Flik
2025-12-31 21:29:16 +08:00
parent 42e11e0aca
commit 07c8f18761
7 changed files with 25 additions and 546 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
cmd/server/main.go
View File

@@ -59,9 +59,6 @@ func main() {
log.Printf("[Server] TLS enabled")
}
// 初始化安全配置(撤销列表和公钥列表)
initSecurityConfig()
// 初始化插件系统
registry := plugin.NewRegistry()
if err := registry.RegisterAllServer(builtin.GetServerPlugins()); err != nil {
@@ -167,16 +164,6 @@ func verifyPluginSignature(name, source, signature string) error {
return fmt.Errorf("decode signature: %w", err)
}
// 检查插件是否被撤销
if revoked, reason := sign.IsPluginRevoked(name, signed.Payload.Version); revoked {
return fmt.Errorf("plugin revoked: %s", reason)
}
// 检查密钥是否已吊销
if sign.IsKeyRevoked(signed.Payload.KeyID) {
return fmt.Errorf("signing key revoked: %s", signed.Payload.KeyID)
}
// 获取公钥
pubKey, err := sign.GetPublicKeyByID(signed.Payload.KeyID)
if err != nil {
@@ -191,32 +178,3 @@ func verifyPluginSignature(name, source, signature string) error {
// 验证签名
return sign.VerifyPlugin(pubKey, signed, source)
}
// initSecurityConfig 初始化安全配置
func initSecurityConfig() {
// 配置撤销列表
sign.SetRevocationConfig(sign.RevocationConfig{
RemoteURL: config.OfficialRevocationURL,
FetchInterval: 1 * time.Hour,
RequestTimeout: 10 * time.Second,
VerifySignature: true,
})
// 配置公钥列表
sign.SetKeyListConfig(sign.KeyListConfig{
RemoteURL: config.OfficialKeyListURL,
FetchInterval: 24 * time.Hour,
RequestTimeout: 10 * time.Second,
})
// 启动后台刷新
stopCh := make(chan struct{})
go sign.StartRevocationRefresher(stopCh)
// 立即拉取一次公钥列表
if err := sign.FetchRemoteKeyList(); err != nil {
log.Printf("[Security] Fetch key list failed: %v", err)
}
log.Printf("[Security] Initialized with remote revocation and key list")
}