refactor(plugin): 简化插件签名验证机制

- 移除远程密钥撤销检查功能
- 移除远程公钥列表拉取和缓存机制
- 将官方公钥改为客户端内置固定值
- 简化 GetPublicKeyByID 接口实现
- 移除相关的安全配置初始化代码
- 将插件仓库URL配置改为可配置化设置

pkg/plugin/sign/official.go

@@ -2,217 +2,30 @@ package sign
 
 import (
 	"crypto/ed25519"
-	"encoding/json"
-	"fmt"
-	"io"
-	"log"
-	"net/http"
 	"sync"
-	"time"
 )
 
-// KeyEntry 密钥条目
-type KeyEntry struct {
-	ID        string    `json:"id"`
-	PublicKey string    `json:"public_key"`
-	ValidFrom time.Time `json:"valid_from"`
-	RevokedAt time.Time `json:"revoked_at,omitempty"`
-}
-
-// 官方公钥列表（支持密钥轮换）
-var officialKeys = []KeyEntry{
-	{
-		ID:        "official-v1",
-		PublicKey: "0A0xRthj0wgPg8X8GJZ6/EnNpAUw5v7O//XLty+P5Yw=",
-		ValidFrom: time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC),
-	},
-	// 添加新密钥时，在此处追加
-}
+// 官方固定公钥（客户端内置）
+const OfficialPublicKeyBase64 = "0A0xRthj0wgPg8X8GJZ6/EnNpAUw5v7O//XLty+P5Yw="
 
 var (
-	keyCache     map[string]ed25519.PublicKey
-	keyCacheOnce sync.Once
-	keyMu        sync.RWMutex
-	remoteKeys   []KeyEntry
+	officialPubKey     ed25519.PublicKey
+	officialPubKeyOnce sync.Once
+	officialPubKeyErr  error
 )
 
-// KeyListConfig 远程公钥列表配置
-type KeyListConfig struct {
-	RemoteURL      string
-	FetchInterval  time.Duration
-	RequestTimeout time.Duration
+// initOfficialKey 初始化官方公钥
+func initOfficialKey() {
+	officialPubKey, officialPubKeyErr = DecodePublicKey(OfficialPublicKeyBase64)
 }
 
-var keyListConfig = KeyListConfig{
-	RemoteURL:      "",
-	FetchInterval:  24 * time.Hour,
-	RequestTimeout: 10 * time.Second,
-}
-
-// SetKeyListConfig 设置远程公钥列表配置
-func SetKeyListConfig(cfg KeyListConfig) {
-	keyMu.Lock()
-	defer keyMu.Unlock()
-	keyListConfig = cfg
-}
-
-// initKeyCache 初始化密钥缓存
-func initKeyCache() {
-	keyCache = make(map[string]ed25519.PublicKey)
-	for _, entry := range officialKeys {
-		if pub, err := DecodePublicKey(entry.PublicKey); err == nil {
-			keyCache[entry.ID] = pub
-		}
-	}
-}
-
-// GetOfficialPublicKey 获取默认官方公钥（兼容旧接口）
+// GetOfficialPublicKey 获取官方公钥
 func GetOfficialPublicKey() (ed25519.PublicKey, error) {
-	return GetPublicKeyByID("official-v1")
+	officialPubKeyOnce.Do(initOfficialKey)
+	return officialPubKey, officialPubKeyErr
 }
 
-// GetPublicKeyByID 根据 ID 获取公钥
+// GetPublicKeyByID 根据 ID 获取公钥（兼容旧接口，忽略 keyID）
 func GetPublicKeyByID(keyID string) (ed25519.PublicKey, error) {
-	keyCacheOnce.Do(initKeyCache)
-
-	keyMu.RLock()
-	pub, ok := keyCache[keyID]
-	keyMu.RUnlock()
-
-	if !ok {
-		return nil, fmt.Errorf("unknown key ID: %s", keyID)
-	}
-	return pub, nil
-}
-
-// IsKeyRevoked 检查密钥是否已吊销
-func IsKeyRevoked(keyID string) bool {
-	// 先检查内置密钥
-	for _, entry := range officialKeys {
-		if entry.ID == keyID {
-			return !entry.RevokedAt.IsZero()
-		}
-	}
-	// 再检查远程密钥
-	keyMu.RLock()
-	defer keyMu.RUnlock()
-	for _, entry := range remoteKeys {
-		if entry.ID == keyID {
-			return !entry.RevokedAt.IsZero()
-		}
-	}
-	return true // 未知密钥视为已吊销
-}
-
-// GetKeyEntry 获取密钥条目
-func GetKeyEntry(keyID string) *KeyEntry {
-	for i := range officialKeys {
-		if officialKeys[i].ID == keyID {
-			return &officialKeys[i]
-		}
-	}
-	keyMu.RLock()
-	defer keyMu.RUnlock()
-	for i := range remoteKeys {
-		if remoteKeys[i].ID == keyID {
-			return &remoteKeys[i]
-		}
-	}
-	return nil
-}
-
-// KeyList 远程公钥列表结构
-type KeyList struct {
-	Version   int        `json:"version"`
-	UpdatedAt int64      `json:"updated_at"`
-	Keys      []KeyEntry `json:"keys"`
-	Signature string     `json:"signature"`
-}
-
-// FetchRemoteKeyList 从远程拉取公钥列表
-func FetchRemoteKeyList() error {
-	keyMu.RLock()
-	cfg := keyListConfig
-	keyMu.RUnlock()
-
-	if cfg.RemoteURL == "" {
-		return nil
-	}
-
-	client := &http.Client{Timeout: cfg.RequestTimeout}
-	resp, err := client.Get(cfg.RemoteURL)
-	if err != nil {
-		return fmt.Errorf("fetch key list: %w", err)
-	}
-	defer resp.Body.Close()
-
-	if resp.StatusCode != http.StatusOK {
-		return fmt.Errorf("fetch key list: status %d", resp.StatusCode)
-	}
-
-	body, err := io.ReadAll(resp.Body)
-	if err != nil {
-		return fmt.Errorf("read key list: %w", err)
-	}
-
-	var list KeyList
-	if err := json.Unmarshal(body, &list); err != nil {
-		return fmt.Errorf("parse key list: %w", err)
-	}
-
-	// 验证签名（使用内置公钥验证）
-	if err := verifyKeyListSignature(&list); err != nil {
-		return fmt.Errorf("verify key list: %w", err)
-	}
-
-	return updateKeyCache(&list)
-}
-
-// verifyKeyListSignature 验证公钥列表签名
-func verifyKeyListSignature(list *KeyList) error {
-	if list.Signature == "" {
-		return fmt.Errorf("missing signature")
-	}
-
-	// 使用内置公钥验证（必须用内置密钥签名）
-	pubKey, err := GetOfficialPublicKey()
-	if err != nil {
-		return err
-	}
-
-	signData := struct {
-		Version   int        `json:"version"`
-		UpdatedAt int64      `json:"updated_at"`
-		Keys      []KeyEntry `json:"keys"`
-	}{
-		Version:   list.Version,
-		UpdatedAt: list.UpdatedAt,
-		Keys:      list.Keys,
-	}
-
-	data, err := json.Marshal(signData)
-	if err != nil {
-		return err
-	}
-
-	return VerifyBase64(pubKey, data, list.Signature)
-}
-
-// updateKeyCache 更新公钥缓存
-func updateKeyCache(list *KeyList) error {
-	keyMu.Lock()
-	defer keyMu.Unlock()
-
-	// 保存远程密钥列表
-	remoteKeys = list.Keys
-
-	// 更新缓存
-	for _, entry := range list.Keys {
-		if pub, err := DecodePublicKey(entry.PublicKey); err == nil {
-			keyCache[entry.ID] = pub
-		}
-	}
-
-	log.Printf("[KeyList] Updated with %d keys", len(list.Keys))
-	return nil
+	return GetOfficialPublicKey()
 }

pkg/plugin/sign/revocation.go

@@ -1,242 +0,0 @@
-package sign
-
-import (
-	"encoding/json"
-	"fmt"
-	"io"
-	"log"
-	"net/http"
-	"sync"
-	"time"
-)
-
-// RevocationEntry 撤销条目
-type RevocationEntry struct {
-	PluginName string `json:"plugin_name"`        // 插件名称
-	Version    string `json:"version,omitempty"`  // 特定版本（空表示所有版本）
-	Reason     string `json:"reason"`             // 撤销原因
-	RevokedAt  int64  `json:"revoked_at"`         // 撤销时间戳
-}
-
-// RevocationList 撤销列表
-type RevocationList struct {
-	Version   int               `json:"version"`    // 列表版本
-	UpdatedAt int64             `json:"updated_at"` // 更新时间
-	Entries   []RevocationEntry `json:"entries"`    // 撤销条目
-	Signature string            `json:"signature"`  // 列表签名
-}
-
-// 内置撤销列表（编译时确定，作为 fallback）
-var builtinRevocations = []RevocationEntry{
-	// 示例：{PluginName: "malicious-plugin", Reason: "security vulnerability"}
-}
-
-var (
-	revocationCache     map[string][]RevocationEntry // pluginName -> entries
-	revocationCacheOnce sync.Once
-	revocationMu        sync.RWMutex
-	currentListVersion  int
-	lastFetchTime       time.Time
-)
-
-// RevocationConfig 远程撤销列表配置
-type RevocationConfig struct {
-	RemoteURL       string        // 远程撤销列表 URL
-	FetchInterval   time.Duration // 拉取间隔
-	RequestTimeout  time.Duration // 请求超时
-	VerifySignature bool          // 是否验证签名
-}
-
-var defaultRevocationConfig = RevocationConfig{
-	RemoteURL:       "", // 默认为空，不启用远程拉取
-	FetchInterval:   1 * time.Hour,
-	RequestTimeout:  10 * time.Second,
-	VerifySignature: true,
-}
-
-var revocationConfig = defaultRevocationConfig
-
-// SetRevocationConfig 设置远程撤销列表配置
-func SetRevocationConfig(cfg RevocationConfig) {
-	revocationMu.Lock()
-	defer revocationMu.Unlock()
-	revocationConfig = cfg
-}
-
-// GetRevocationConfig 获取当前配置
-func GetRevocationConfig() RevocationConfig {
-	revocationMu.RLock()
-	defer revocationMu.RUnlock()
-	return revocationConfig
-}
-
-// initRevocationCache 初始化撤销缓存
-func initRevocationCache() {
-	revocationCache = make(map[string][]RevocationEntry)
-	for _, entry := range builtinRevocations {
-		revocationCache[entry.PluginName] = append(
-			revocationCache[entry.PluginName], entry)
-	}
-}
-
-// IsPluginRevoked 检查插件是否被撤销
-func IsPluginRevoked(name, version string) (bool, string) {
-	revocationCacheOnce.Do(initRevocationCache)
-
-	revocationMu.RLock()
-	defer revocationMu.RUnlock()
-
-	entries, ok := revocationCache[name]
-	if !ok {
-		return false, ""
-	}
-
-	for _, entry := range entries {
-		// 空版本表示所有版本都被撤销
-		if entry.Version == "" || entry.Version == version {
-			return true, entry.Reason
-		}
-	}
-	return false, ""
-}
-
-// FetchRemoteRevocationList 从远程拉取撤销列表
-func FetchRemoteRevocationList() error {
-	cfg := GetRevocationConfig()
-	if cfg.RemoteURL == "" {
-		return nil // 未配置远程 URL，跳过
-	}
-
-	// 检查是否需要刷新
-	revocationMu.RLock()
-	if time.Since(lastFetchTime) < cfg.FetchInterval {
-		revocationMu.RUnlock()
-		return nil
-	}
-	revocationMu.RUnlock()
-
-	// 发起 HTTP 请求
-	client := &http.Client{Timeout: cfg.RequestTimeout}
-	resp, err := client.Get(cfg.RemoteURL)
-	if err != nil {
-		return fmt.Errorf("fetch revocation list: %w", err)
-	}
-	defer resp.Body.Close()
-
-	if resp.StatusCode != http.StatusOK {
-		return fmt.Errorf("fetch revocation list: status %d", resp.StatusCode)
-	}
-
-	body, err := io.ReadAll(resp.Body)
-	if err != nil {
-		return fmt.Errorf("read revocation list: %w", err)
-	}
-
-	var list RevocationList
-	if err := json.Unmarshal(body, &list); err != nil {
-		return fmt.Errorf("parse revocation list: %w", err)
-	}
-
-	// 验证签名
-	if cfg.VerifySignature {
-		if err := verifyRevocationListSignature(&list); err != nil {
-			return fmt.Errorf("verify revocation list: %w", err)
-		}
-	}
-
-	// 更新缓存
-	return updateRevocationCache(&list)
-}
-
-// verifyRevocationListSignature 验证撤销列表签名
-func verifyRevocationListSignature(list *RevocationList) error {
-	if list.Signature == "" {
-		return fmt.Errorf("missing signature")
-	}
-
-	// 获取官方公钥
-	pubKey, err := GetOfficialPublicKey()
-	if err != nil {
-		return fmt.Errorf("get public key: %w", err)
-	}
-
-	// 构造待签名数据（不含签名字段）
-	signData := struct {
-		Version   int               `json:"version"`
-		UpdatedAt int64             `json:"updated_at"`
-		Entries   []RevocationEntry `json:"entries"`
-	}{
-		Version:   list.Version,
-		UpdatedAt: list.UpdatedAt,
-		Entries:   list.Entries,
-	}
-
-	data, err := json.Marshal(signData)
-	if err != nil {
-		return fmt.Errorf("marshal sign data: %w", err)
-	}
-
-	return VerifyBase64(pubKey, data, list.Signature)
-}
-
-// updateRevocationCache 更新撤销缓存
-func updateRevocationCache(list *RevocationList) error {
-	revocationMu.Lock()
-	defer revocationMu.Unlock()
-
-	// 检查版本号，防止回滚攻击
-	if list.Version < currentListVersion {
-		return fmt.Errorf("revocation list version rollback: %d < %d", list.Version, currentListVersion)
-	}
-
-	// 重建缓存：先加载内置列表，再合并远程列表
-	newCache := make(map[string][]RevocationEntry)
-	for _, entry := range builtinRevocations {
-		newCache[entry.PluginName] = append(newCache[entry.PluginName], entry)
-	}
-	for _, entry := range list.Entries {
-		newCache[entry.PluginName] = append(newCache[entry.PluginName], entry)
-	}
-
-	revocationCache = newCache
-	currentListVersion = list.Version
-	lastFetchTime = time.Now()
-
-	log.Printf("[Revocation] Updated to version %d with %d entries", list.Version, len(list.Entries))
-	return nil
-}
-
-// StartRevocationRefresher 启动后台刷新协程
-func StartRevocationRefresher(stopCh <-chan struct{}) {
-	cfg := GetRevocationConfig()
-	if cfg.RemoteURL == "" {
-		return
-	}
-
-	// 立即执行一次
-	if err := FetchRemoteRevocationList(); err != nil {
-		log.Printf("[Revocation] Initial fetch failed: %v", err)
-	}
-
-	ticker := time.NewTicker(cfg.FetchInterval)
-	defer ticker.Stop()
-
-	for {
-		select {
-		case <-ticker.C:
-			if err := FetchRemoteRevocationList(); err != nil {
-				log.Printf("[Revocation] Refresh failed: %v", err)
-			}
-		case <-stopCh:
-			log.Printf("[Revocation] Refresher stopped")
-			return
-		}
-	}
-}
-
-// GetRevocationListVersion 获取当前撤销列表版本
-func GetRevocationListVersion() int {
-	revocationMu.RLock()
-	defer revocationMu.RUnlock()
-	return currentListVersion
-}