refactor(core): 前端自动生成AES密钥，通过RSA加密传输

苏青安 · 苏青安 · commit 44a54bdf530d · 2025-08-28T15:25:36.000+08:00
BREAKING CHANGE: 逻辑变更，增强安全性，不对过去进行兼容，因此版本号提升到2.0.0
diff --git a/src/Contracts/DecryptorInterface.php b/src/Contracts/DecryptorInterface.php
@@ -9,8 +9,8 @@ interface DecryptorInterface
      *
      * @param string $data 加密字符串
      * 
-     * @return array 解密后的数组
+     * @return array|string 解密后的数组或字符串
      * @throws \Hejunjie\EncryptedRequest\Exceptions\DecryptionException
      */
-    public function decrypt(string $data): array;
+    public function decrypt(string $data): array|string;
 }
diff --git a/src/Drivers/RsaDecryptor.php b/src/Drivers/RsaDecryptor.php
@@ -0,0 +1,78 @@
+<?php
+
+namespace Hejunjie\EncryptedRequest\Drivers;
+
+use Hejunjie\EncryptedRequest\Contracts\DecryptorInterface;
+use Hejunjie\EncryptedRequest\Exceptions\DecryptionException;
+
+class RsaDecryptor implements DecryptorInterface
+{
+    private mixed $privateKey;
+
+    /**
+     * 构造方法
+     *
+     * @param string $private_key 私钥字符串（包含 -----BEGIN PRIVATE KEY-----）
+     */
+    public function __construct(string $private_key)
+    {
+        $this->privateKey = @openssl_pkey_get_private($private_key);
+        if ($this->privateKey === false) {
+            $errs = [];
+            while ($err = openssl_error_string()) {
+                $errs[] = $err;
+            }
+            $msg = 'Failed to load private key';
+            if (!empty($errs)) {
+                $msg .= ': ' . implode(' | ', $errs);
+            }
+            throw new DecryptionException($msg);
+        }
+    }
+
+    /**
+     * 解密方法
+     *
+     * @param string $data 加密数据
+     * 
+     * @return string 解密后的字符串
+     * @throws DecryptionException
+     */
+    public function decrypt(string $data): string
+    {
+        try {
+            // Base64 解码
+            $ciphertext = base64_decode($data, true);
+            if ($ciphertext === false) {
+                throw new DecryptionException('enc_payload is not valid base64');
+            }
+            // 检查 OpenSSL 扩展是否可用
+            if (!function_exists('openssl_pkey_get_private')) {
+                throw new DecryptionException('OpenSSL extension is not available in PHP');
+            }
+            // 尝试解密
+            $decrypted = '';
+            $success = @openssl_private_decrypt($ciphertext, $decrypted, $this->privateKey, OPENSSL_PKCS1_OAEP_PADDING);
+            if ($success === false) {
+                $errs = [];
+                while ($err = openssl_error_string()) {
+                    $errs[] = $err;
+                }
+                $msg = 'RSA decryption failed';
+                if (!empty($errs)) {
+                    $msg .= ': ' . implode(' | ', $errs);
+                } else {
+                    $msg .= '. No OpenSSL errors captured.';
+                }
+                throw new DecryptionException($msg);
+            }
+            // 额外校验：解密结果不能为空
+            if ($decrypted === '' || $decrypted === null) {
+                throw new DecryptionException('RSA decryption returned empty string');
+            }
+            return $decrypted;
+        } catch (\Throwable $e) {
+            throw new DecryptionException($e->getMessage(), $e->getCode(), $e);
+        }
+    }
+}
diff --git a/src/EncryptedRequestHandler.php b/src/EncryptedRequestHandler.php
@@ -2,25 +2,23 @@
 
 namespace Hejunjie\EncryptedRequest;
 
-use Hejunjie\EncryptedRequest\Contracts\DecryptorInterface;
 use Hejunjie\EncryptedRequest\Config\EnvConfigLoader;
 use Hejunjie\EncryptedRequest\Drivers\AesDecryptor;
+use Hejunjie\EncryptedRequest\Drivers\RsaDecryptor;
 use Hejunjie\EncryptedRequest\Exceptions\DecryptionException;
 use Hejunjie\EncryptedRequest\Exceptions\SignatureException;
 use Hejunjie\EncryptedRequest\Exceptions\TimestampException;
 
 class EncryptedRequestHandler
 {
     private array $config;
-    private DecryptorInterface $decryptor;
 
     /**
      * 构造方法
      *
-     * @param DecryptorInterface $decryptor 解密器
      * @param array|string|null $config 配置数组或.env路径
      */
-    public function __construct(string|DecryptorInterface $decryptorDriver = 'aes', array|string $config = '')
+    public function __construct(array|string $config = '')
     {
         if (is_array($config)) {
             $loader = new EnvConfigLoader($config);
@@ -30,23 +28,9 @@ public function __construct(string|DecryptorInterface $decryptorDriver = 'aes',
             $loader = new EnvConfigLoader();
         }
         $this->config = [
-            'key' => $loader->get('APP_KEY'),
-            'default_timestamp_diff' => $loader->get('DEFAULT_TIMESTAMP_DIFF', 60)
+            'default_timestamp_diff' => $loader->get('DEFAULT_TIMESTAMP_DIFF', 60),
+            'rsa_private_key' => $loader->get('RSA_PRIVATE_KEY', '')
         ];
-        // 判断是字符串还是实例
-        if ($decryptorDriver instanceof DecryptorInterface) {
-            $this->decryptor = $decryptorDriver;
-        } elseif (is_string($decryptorDriver)) {
-            switch (strtolower($decryptorDriver)) {
-                case 'aes':
-                    $this->decryptor = new AesDecryptor($loader->get('AES_KEY'), $loader->get('AES_IV'));
-                    break;
-                default:
-                    throw new DecryptionException("Unsupported decryptor driver: {$decryptorDriver}");
-            }
-        } else {
-            throw new DecryptionException("Invalid decryptor provided");
-        }
     }
 
     /**
@@ -61,24 +45,30 @@ public function __construct(string|DecryptorInterface $decryptorDriver = 'aes',
      * @throws TimestampException 请求时间错误
      * @throws DecryptionException 数据解密错误
      */
-    public function handle(string $en_data, int $timestamp, string $sign): array
+    public function handle(string $en_data, string $enc_payload, int $timestamp, string $sign): array
     {
-        // 1. 签名验证
         if (!isset($timestamp, $sign, $en_data)) {
             throw new SignatureException("Missing required parameters");
         }
-        $expectedSign = md5($this->config['key'] . $timestamp);
-        if ($expectedSign !== $sign) {
-            throw new SignatureException("Invalid signature");
-        }
-        // 2. 时间戳验证
+        // 1. 时间戳验证
         $timestampDiff = $this->config['default_timestamp_diff'];
         $now = time();
         if (abs($now - $timestamp) > $timestampDiff) {
             throw new TimestampException("Timestamp difference too large");
         }
-        // 3. 解密数据
-        $decrypted = $this->decryptor->decrypt($en_data);
+        // 2. 获取签名数据
+        $rsa = new RsaDecryptor($this->config['rsa_private_key']);
+        $enc_payload = $rsa->decrypt($enc_payload);
+        // 3. 签名验证
+        $expectedSign = md5(md5($enc_payload) . $timestamp);
+        if ($expectedSign !== $sign) {
+            throw new SignatureException("Invalid signature");
+        }
+        // 4. 解密数据
+        $aesKeyBase64 = substr($enc_payload, 0, 24);
+        $aesIvBase64  = substr($enc_payload, -24);
+        $aes = new AesDecryptor(base64_decode($aesKeyBase64), base64_decode($aesIvBase64));
+        $decrypted = $aes->decrypt($en_data);
         return $decrypted;
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -9,8 +9,8 @@ interface DecryptorInterface`
`9`	`9`	`*`
`10`	`10`	`* @param string $data 加密字符串`
`11`	`11`	`*`
`12`		`- * @return array 解密后的数组`
	`12`	`+ * @return array\|string 解密后的数组或字符串`
`13`	`13`	`* @throws \Hejunjie\EncryptedRequest\Exceptions\DecryptionException`
`14`	`14`	`*/`
`15`		`- public function decrypt(string $data): array;`
	`15`	`+ public function decrypt(string $data): array\|string;`
`16`	`16`	`}`