From b0acd62ccccd4a489329d7fb5807fede4827a73b Mon Sep 17 00:00:00 2001
From: Hatter Jiang
Date: Fri, 16 Apr 2021 01:25:12 +0800
Subject: [PATCH] feat now can use

---
 .../tools/tinyencrypt/TinyEncryptMain.java | 5 ++-
 .../encrypt/EncryptedFileUtil.java | 4 ++-
 .../encrypt/TinyEncryptMetaUtil.java | 35 +++++++++++++++----
 3 files changed, 33 insertions(+), 11 deletions(-)

diff --git a/src/main/java/me/hatter/tools/tinyencrypt/TinyEncryptMain.java b/src/main/java/me/hatter/tools/tinyencrypt/TinyEncryptMain.java
index 72c82c9..9652d50 100644
--- a/src/main/java/me/hatter/tools/tinyencrypt/TinyEncryptMain.java
+++ b/src/main/java/me/hatter/tools/tinyencrypt/TinyEncryptMain.java
@@ -12,7 +12,6 @@ import me.hatter.tools.commons.security.key.PKType;
 import me.hatter.tools.commons.string.StringUtil;
 import me.hatter.tools.tinyencrypt.config.TinyEncryptConfig;
 import me.hatter.tools.tinyencrypt.encrypt.EncryptedFileUtil;
-import me.hatter.tools.tinyencrypt.encrypt.TinyEncryptMetaUtil;
 import me.hatter.tools.tinyencrypt.util.BCUtil;
 import picocli.CommandLine;
 
@@ -25,7 +24,7 @@ public class TinyEncryptMain {
 
     static {
         BCUtil.init();
-//        LogConfig.initMuteInfoMode();
+        LogConfig.initMuteInfoMode();
         log = LogTools.getLogTool(TinyEncryptMain.class);
     }
 
@@ -109,7 +108,7 @@ public class TinyEncryptMain {
                 if (tinyEncryptArgs.encrypt) {
                     EncryptedFileUtil.encryptFile(config, tinyEncryptArgs.key, f, tinyEncryptArgs.comment);
                 } else {
-                    EncryptedFileUtil.decryptFile(f);
+                    EncryptedFileUtil.decryptFile(config, f);
                 }
                 index++;
             }
diff --git a/src/main/java/me/hatter/tools/tinyencrypt/encrypt/EncryptedFileUtil.java b/src/main/java/me/hatter/tools/tinyencrypt/encrypt/EncryptedFileUtil.java
index 536d160..06f6df1 100644
--- a/src/main/java/me/hatter/tools/tinyencrypt/encrypt/EncryptedFileUtil.java
+++ b/src/main/java/me/hatter/tools/tinyencrypt/encrypt/EncryptedFileUtil.java
@@ -21,7 +21,7 @@ public class EncryptedFileUtil {
         BCUtil.init();
     }
 
-    public static void decryptFile(File file) {
+    public static void decryptFile(TinyEncryptConfig config, File file) {
         File decFile = getDecryptFile(file);
         if (decFile == null) {
             log.warn("File is not tinyenc file, skip: " + decFile);
@@ -35,6 +35,8 @@ public class EncryptedFileUtil {
         try (FileInputStream fis = new FileInputStream(file)) {
             Tlv tlv = TlvUtil.readTlv(fis);
             TinyEncryptMeta meta = tlv.getValueAsBytes().asJSONObject(TinyEncryptMeta.class);
+            byte[] dataKey = TinyEncryptMetaUtil.decryptDataKey(config, meta);
+            meta.setDataKey(dataKey);
             try (FileOutputStream fos = new FileOutputStream(decFile)) {
                 try (OutputStream newOs = getDecryptOutputStream(fos, meta)) {
                     IOUtil.copy(fis, newOs, new CopyRollCounter() {
diff --git a/src/main/java/me/hatter/tools/tinyencrypt/encrypt/TinyEncryptMetaUtil.java b/src/main/java/me/hatter/tools/tinyencrypt/encrypt/TinyEncryptMetaUtil.java
index 6ef610a..8572710 100644
--- a/src/main/java/me/hatter/tools/tinyencrypt/encrypt/TinyEncryptMetaUtil.java
+++ b/src/main/java/me/hatter/tools/tinyencrypt/encrypt/TinyEncryptMetaUtil.java
@@ -8,17 +8,12 @@ import me.hatter.tools.commons.log.LogTool;
 import me.hatter.tools.commons.log.LogTools;
 import me.hatter.tools.commons.network.HttpRequest;
 import me.hatter.tools.commons.os.OSUtil;
-import me.hatter.tools.commons.security.key.KeyPairTool;
 import me.hatter.tools.commons.security.key.KeyUtil;
-import me.hatter.tools.commons.security.key.PKType;
-import me.hatter.tools.commons.security.pem.PEMUtil;
 import me.hatter.tools.commons.security.random.RandomTool;
-import me.hatter.tools.commons.security.rsa.PrivateKeyParseTool;
 import me.hatter.tools.commons.security.sign.Signatures;
 import me.hatter.tools.tinyencrypt.config.TinyEncryptConfig;
 import me.hatter.tools.tinyencrypt.config.TinyEncryptConstant;
 
-import java.security.KeyPair;
 import java.security.PrivateKey;
 import java.security.PublicKey;
 import java.util.ArrayList;
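Review bot: The warning in the `decFile == null` branch prints `decFile`, which is known to be null at that point, so the skip message never names the file that was actually skipped; it should log the input instead: `log.warn("File is not tinyenc file, skip: " + file);`. This is a context line rather than new code, but the hunk already touches decryptFile's signature, so it is the natural place to correct it. decryptFile's body continues past the hunk.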
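Review bot: The plaintext data key returned by `decryptDataKey` is stored into `meta`, the same bean that `TinyEncryptMetaUtil.toString` serializes to JSON, so any later logging or serialization of `meta` would expose the key in clear. Only `getDecryptOutputStream(fos, meta)` appears to consume it here; consider passing `dataKey` to that call directly (or clearing the field afterwards) and zeroing the array with `Arrays.fill(dataKey, (byte) 0)` once the stream is built — the rest of decryptFile is outside the hunk, so confirm nothing after it reads `meta` again. A KMS failure now also aborts the batch with a JumpOutException carrying no file context; rethrowing with the file name (if JumpOutException has a cause constructor, which is not visible here) would tell the operator which file stopped the run.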
@@ -28,6 +23,7 @@ import java.util.List;
 public class TinyEncryptMetaUtil {
     private static final LogTool log = LogTools.getLogTool(TinyEncryptMetaUtil.class);
     private static final String KMS_GET_DATA_KEY = "https://hatter.ink/kms/get_data_key.json";
+    private static final String KMS_DECRYPT_DATA_KEY = "https://hatter.ink/kms/decrypt_data_key_with_sign.json";
 
     public static String toString(TinyEncryptMeta tinyEncryptMeta) {
         return JSON.toJSONString(tinyEncryptMeta);
@@ -37,6 +33,31 @@ public class TinyEncryptMetaUtil {
         return JSON.parseObject(meta, TinyEncryptMeta.class);
     }
 
+    public static byte[] decryptDataKey(TinyEncryptConfig config, TinyEncryptMeta meta) {
+        PrivateKey privateKey = KeyUtil.parsePrivateKeyPEM(config.getLocalPrivateKeyPem());
+        String envelop = meta.getEnvelop();
+
+        String timestamp = String.valueOf(System.currentTimeMillis());
+        String toBeSigned = envelop + "|" + timestamp;
+        Bytes sign = Signatures.sha256(privateKey).sign(toBeSigned);
+
+        List keyValues = new ArrayList<>();
+        keyValues.add(new HttpRequest.KeyValue("envelop", envelop));
+        keyValues.add(new HttpRequest.KeyValue("timestamp", timestamp));
+        keyValues.add(new HttpRequest.KeyValue("signature", sign.asBase64()));
+        log.info("Decrypt data key ...");
+        Bytes response = HttpRequest.fromUrl(KMS_DECRYPT_DATA_KEY).post(keyValues);
+        JSONObject responseObject = response.asJSON();
+        if (responseObject.getIntValue("status") != 200) {
+            throw new JumpOutException("Get data key from kms error, status: "
+                    + responseObject.getIntValue("status")
+                    + ", detail: " + responseObject
+            );
+        }
+        JSONObject responseData = responseObject.getJSONObject("data");
+        return Base64.getDecoder().decode(responseData.getString("dataKey"));
+    }
+
     public static TinyEncryptMeta create(TinyEncryptConfig config, String comment) {
         PublicKey publicKey = KeyUtil.parsePublicKeyPEM(config.getLocalPublicKeyPem());
         PrivateKey privateKey = KeyUtil.parsePrivateKeyPEM(config.getLocalPrivateKeyPem());
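Review bot: The response handling in the new `decryptDataKey` trusts the KMS payload shape: `responseObject.getJSONObject("data")` can be null and `getString("dataKey")` can be null, and either becomes a NullPointerException out of `Base64.getDecoder().decode(...)` instead of a diagnosable error; add `if (responseData == null || responseData.getString("dataKey") == null) { throw new JumpOutException("Decrypt data key from kms error, missing data.dataKey: " + responseObject); }` before the decode. The message on the status check was copied from `create` and still says "Get data key from kms error"; it should read "Decrypt data key from kms error" so a log reader can tell the two KMS calls apart (the status/data block is identical to the one in `create` and could become one private helper). `List keyValues` reads as a raw type here — if that is the real source and not a rendering artifact, it should be `List<HttpRequest.KeyValue>` to match the generic `ArrayList<>()` on the right. `Base64` also needs `java.util.Base64` in scope; the import hunk above does not add it, so it must already be imported in the lines between `java.util.ArrayList` and `java.util.List` that this diff does not show.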
@@ -51,13 +72,13 @@ public class TinyEncryptMetaUtil {
         keyValues.add(new HttpRequest.KeyValue("timestamp", timestamp));
         keyValues.add(new HttpRequest.KeyValue("dataKeyPublicKey", KeyUtil.serializePublicKeyToPEM(publicKey)));
         keyValues.add(new HttpRequest.KeyValue("dataKeyRequestSign", sign.asBase64()));
-        log.info("Get data key from kms, key name: " + name);
+        log.info("Get data key from kms, key name: " + name + " ...");
         Bytes response = HttpRequest.fromUrl(KMS_GET_DATA_KEY).post(keyValues);
         JSONObject responseObject = response.asJSON();
         if (responseObject.getIntValue("status") != 200) {
             throw new JumpOutException("Get data key from kms error, status: "
                     + responseObject.getIntValue("status")
-                    + "detail: " + responseObject
+                    + ", detail: " + responseObject
             );
         }
         JSONObject responseData = responseObject.getJSONObject("data");