Go與Nginx(lua-resty-string)跨語言加解密

需求

用戶登錄後，go服務端把身份、IP信息等加密放到cookie中。Nginx（基於openresty構建）lua解密，比較訪問的IP與cookie中記錄的IP是否一致，不一致則進行攔截。
以下采用CBC模式實現，跨語言的AES加解密，關鍵還是使用一致的模式、填充和向量。

Nginx lua AES加解密

環境構建：openresty docker
依賴：lua-resty-string
lua-resty-string中調用的是openssl的庫，所以加的padding用的是openssl默認的PKCS7填充方式

-- user_decrypt.lua
local user_decrypt = {}

local aes = require "resty.aes"

user_decrypt.aesCoder = nil

local function isCoderOk()
    return user_decrypt.aesCoder
end

-- 初始化加密器
function user_decrypt.initCoder(key, iv)
    if isCoderOk() then
        return
    end
    -- 當前使用AES256， 若修改爲128，使用aes.cipher(128,"cbc"), key修改爲16位
    user_decrypt.aesCoder = aes:new(key, nil, aes.cipher(256,"cbc"), {iv=iv, method=nil})
    if not isCoderOk() then
        ngx.log(ngx.ERR, "init encryption coder failed...")
    end
end

function user_decrypt.encrypt(msg)
    if not isCoderOk() then
        ngx.log(ngx.ERR, "encrypt failed, coder are nil")
    end

    -- aes encrypt
    local encrypted = user_decrypt.aesCoder:encrypt(msg)
    local encryptedBase64 = ngx.encode_base64(encrypted)
    ngx.log(ngx.INFO, "encrypted msg base64: ", encryptedBase64)
    return encryptedBase64
end

function user_decrypt.decrypt(msgEncrypted)
    if not isCoderOk() then
        ngx.log(ngx.ERR, "decrypt failed, coders are nil")
        return nil
    end

    -- 解密
    local msg = user_decrypt.aesCoder:decrypt(ngx.decode_base64(msgEncrypted))
    ngx.log(ngx.INFO, "msg: ", msg)

    return msg
end

return user_decrypt

-- user_access.lua
-- call user decrypt
local key = "" -- 32位或16位
local iv = "" -- 16位
local userDecrypt = require("user_decrypt")
userDecrypt.initCoder(key, iv)

-- 解密cookie
local origin = "username|ip"
local userCookie = userDecrypt.encrypt(origin)

ngx.log(ngx.INFO, "userCookie decrypt:", userDecrypt.decrypt(userCookie))

Golang對應的加解密

與nginx加解密時使用一樣的key和iv即可。

package aes

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
)

// CBCEncryptWithPKCS7 CBC模式PKCS7填充AES加密
func CBCEncryptWithPKCS7(encodeStr, key, iv string) (cryptedStr string, err error) {
    if len(encodeStr) == 0 || len(key) == 0 || len(iv) == 0 {
        return
    }
	// 根據key 生成密文
	block, err := aes.NewCipher([]byte(key))
	if err != nil {
		return
	}

	// padding
	blockSize := block.BlockSize()

	// blockSize必須等於len(iv)
	if blockSize != len(iv) {
		err = errors.New("IV length must equal block size")
		return
	}
	encodeBytes := []byte(encodeStr)
	encodeBytes = pKCS7Padding(encodeBytes, blockSize)

	// 加密
	blockMode := cipher.NewCBCEncrypter(block, []byte(iv))
	crypted := make([]byte, len(encodeBytes))
	blockMode.CryptBlocks(crypted, encodeBytes)

	// base64編碼
	cryptedStr = base64.StdEncoding.EncodeToString(crypted)
	return
}

func pKCS7Padding(cipherText []byte, blockSize int) []byte {
	padding := blockSize - len(cipherText)%blockSize
	// 填充
	padText := bytes.Repeat([]byte{byte(padding)}, padding)
	return append(cipherText, padText...)
}

// CBCDecryptWithPKCS7 CBC模式PKCS7填充AES解密
func CBCDecryptWithPKCS7(decodeStr, key, iv string) (origDataStr string, err error) {
    if len(decodeStr) == 0 || len(key) == 0 || len(iv) == 0 {
        return
    }
	// 先解密base64
	decodeBytes, err := base64.StdEncoding.DecodeString(decodeStr)
	if err != nil {
		return
	}

	block, err := aes.NewCipher([]byte(key))
	if err != nil {
		return
	}

	// blockSize必須等於len(iv)
	if block.BlockSize() != len(iv) {
		err = errors.New("IV length must equal block size")
		return
	}
	blockMode := cipher.NewCBCDecrypter(block, []byte(iv))
	origData := make([]byte, len(decodeBytes))
	blockMode.CryptBlocks(origData, decodeBytes)
	origData = pKCS7UnPadding(origData)

	origDataStr = string(origData)
	return
}

func pKCS7UnPadding(origData []byte) []byte {
	length := len(origData)
	unPadding := int(origData[length-1])
	return origData[:(length - unPadding)]
}

參考：
python與nginx aes加解密對接
客戶端與服務端數據加密傳輸方案
pycrypto 和 lua-resty-rsa 進行跨語言的RSA加密解密