chore: 证书支持jks格式

packages/plugins/plugin-cert/src/plugin/cert-plugin/acme.ts

@@ -30,7 +30,7 @@ export type CertInfo = {
   ic?: string;
   pfx?: string;
   der?: string;
-  p12?: string;
+  jks?: string;
 };
 export type SSLProvider = "letsencrypt" | "google" | "zerossl";
 export type PrivateKeyType = "rsa_1024" | "rsa_2048" | "rsa_3072" | "rsa_4096" | "ec_256" | "ec_384" | "ec_521";

packages/plugins/plugin-cert/src/plugin/cert-plugin/base.ts

@@ -55,7 +55,7 @@ export abstract class CertApplyBasePlugin extends AbstractTaskPlugin {
     },
     required: false,
     order: 100,
-    helper: "PFX、P12格式证书是否需要加密",
+    helper: "PFX、jks格式证书是否加密；jks必须设置密码，不传则默认123456",
   })
   pfxPassword!: string;
 
@@ -150,7 +150,7 @@ export abstract class CertApplyBasePlugin extends AbstractTaskPlugin {
     }
     this._result.pipelinePrivateVars.cert = cert;
 
-    if (cert.pfx == null || cert.der == null || cert.p12 == null) {
+    if (cert.pfx == null || cert.der == null || cert.jks == null) {
       try {
         const converter = new CertConverter({ logger: this.logger });
         const res = await converter.convert({
@@ -160,16 +160,19 @@ export abstract class CertApplyBasePlugin extends AbstractTaskPlugin {
         if (res.pfxPath) {
           const pfxBuffer = fs.readFileSync(res.pfxPath);
           cert.pfx = pfxBuffer.toString("base64");
+          fs.unlinkSync(res.pfxPath);
         }
 
         if (res.derPath) {
           const derBuffer = fs.readFileSync(res.derPath);
           cert.der = derBuffer.toString("base64");
+          fs.unlinkSync(res.derPath);
         }
 
-        if (res.p12Path) {
-          const p12Buffer = fs.readFileSync(res.p12Path);
-          cert.p12 = p12Buffer.toString("base64");
+        if (res.jksPath) {
+          const jksBuffer = fs.readFileSync(res.jksPath);
+          cert.jks = jksBuffer.toString("base64");
+          fs.unlinkSync(res.jksPath);
         }
 
         this.logger.info("转换证书格式成功");
@@ -202,8 +205,8 @@ export abstract class CertApplyBasePlugin extends AbstractTaskPlugin {
     if (cert.der) {
       zip.file("cert.der", Buffer.from(cert.der, "base64"));
     }
-    if (cert.p12) {
-      zip.file("cert.p12", Buffer.from(cert.p12, "base64"));
+    if (cert.jks) {
+      zip.file("cert.jks", Buffer.from(cert.jks, "base64"));
     }
     const content = await zip.generateAsync({ type: "nodebuffer" });
     this.saveFile(filename, content);

packages/plugins/plugin-cert/src/plugin/cert-plugin/cert-reader.ts

@@ -13,6 +13,7 @@ export type CertReaderHandleContext = {
   tmpPfxPath?: string;
   tmpDerPath?: string;
   tmpIcPath?: string;
+  tmpJksPath?: string;
 };
 export type CertReaderHandle = (ctx: CertReaderHandleContext) => Promise<void>;
 export type HandleOpts = { logger: ILogger; handle: CertReaderHandle };
@@ -72,14 +73,14 @@ export class CertReader {
     return domains;
   }
 
-  saveToFile(type: "crt" | "key" | "pfx" | "der" | "ic", filepath?: string) {
+  saveToFile(type: "crt" | "key" | "pfx" | "der" | "ic" | "jks", filepath?: string) {
     if (!this.cert[type]) {
       return;
     }
 
     if (filepath == null) {
       //写入临时目录
-      filepath = path.join(os.tmpdir(), "/certd/tmp/", Math.floor(Math.random() * 1000000) + "", `cert.${type}`);
+      filepath = path.join(os.tmpdir(), "/certd/tmp/", Math.floor(Math.random() * 1000000) + `_cert.${type}`);
     }
 
     const dir = path.dirname(filepath);
@@ -103,6 +104,7 @@ export class CertReader {
     const tmpIcPath = this.saveToFile("ic");
     logger.info("本地文件写入成功");
     const tmpDerPath = this.saveToFile("der");
+    const tmpJksPath = this.saveToFile("jks");
     try {
       return await opts.handle({
         reader: this,
@@ -111,6 +113,7 @@ export class CertReader {
         tmpPfxPath: tmpPfxPath,
         tmpDerPath: tmpDerPath,
         tmpIcPath: tmpIcPath,
+        tmpJksPath: tmpJksPath,
       });
     } catch (err) {
       throw err;
@@ -127,6 +130,7 @@ export class CertReader {
       removeFile(tmpPfxPath);
       removeFile(tmpDerPath);
       removeFile(tmpIcPath);
+      removeFile(tmpJksPath);
     }
   }
 

packages/plugins/plugin-cert/src/plugin/cert-plugin/convert.ts

@@ -17,12 +17,12 @@ export class CertConverter {
   async convert(opts: { cert: CertInfo; pfxPassword: string }): Promise<{
     pfxPath: string;
     derPath: string;
-    p12Path: string;
+    jksPath: string;
   }> {
     const certReader = new CertReader(opts.cert);
     let pfxPath: string;
     let derPath: string;
-    let p12Path: string;
+    let jksPath: string;
     const handle = async (ctx: CertReaderHandleContext) => {
       // 调用openssl 转pfx
       pfxPath = await this.convertPfx(ctx, opts.pfxPassword);
@@ -30,7 +30,7 @@ export class CertConverter {
       // 转der
       derPath = await this.convertDer(ctx);
 
-      p12Path = await this.convertP12(ctx, opts.pfxPassword);
+      jksPath = await this.convertJks(ctx, pfxPath, opts.pfxPassword);
     };
 
     await certReader.readCertFile({ logger: this.logger, handle });
@@ -38,11 +38,12 @@ export class CertConverter {
     return {
       pfxPath,
       derPath,
-      p12Path,
+      jksPath,
     };
   }
 
   async exec(cmd: string) {
+    process.env.LANG = "zh_CN.GBK";
     await sp.spawn({
       cmd: cmd,
       logger: this.logger,
@@ -52,7 +53,7 @@ export class CertConverter {
   private async convertPfx(opts: CertReaderHandleContext, pfxPassword: string) {
     const { tmpCrtPath, tmpKeyPath } = opts;
 
-    const pfxPath = path.join(os.tmpdir(), "/certd/tmp/", Math.floor(Math.random() * 1000000) + "", "cert.pfx");
+    const pfxPath = path.join(os.tmpdir(), "/certd/tmp/", Math.floor(Math.random() * 1000000) + "_cert.pfx");
 
     const dir = path.dirname(pfxPath);
     if (!fs.existsSync(dir)) {
@@ -75,7 +76,7 @@ export class CertConverter {
 
   private async convertDer(opts: CertReaderHandleContext) {
     const { tmpCrtPath } = opts;
-    const derPath = path.join(os.tmpdir(), "/certd/tmp/", Math.floor(Math.random() * 1000000) + "", `cert.der`);
+    const derPath = path.join(os.tmpdir(), "/certd/tmp/", Math.floor(Math.random() * 1000000) + `_cert.der`);
 
     const dir = path.dirname(derPath);
     if (!fs.existsSync(dir)) {
@@ -94,21 +95,28 @@ export class CertConverter {
     // this.saveFile(filename, fileBuffer);
   }
 
-  async convertP12(opts: CertReaderHandleContext, pfxPassword: string) {
-    const { tmpCrtPath, tmpKeyPath } = opts;
-    const p12Path = path.join(os.tmpdir(), "/certd/tmp/", Math.floor(Math.random() * 1000000) + "", `cert.p12`);
-
-    const dir = path.dirname(p12Path);
-    if (!fs.existsSync(dir)) {
-      fs.mkdirSync(dir, { recursive: true });
-    }
+  async convertJks(opts: CertReaderHandleContext, pfxPath: string, pfxPassword = "") {
+    const jksPassword = pfxPassword || "123456";
     try {
-      let passwordArg = "-passout pass:";
-      if (pfxPassword) {
-        passwordArg = `-password pass:${pfxPassword}`;
+      const randomStr = Math.floor(Math.random() * 1000000) + "";
+
+      // const p12Path = path.join(os.tmpdir(), "/certd/tmp/", randomStr + `_cert.p12`);
+      // const { tmpCrtPath, tmpKeyPath } = opts;
+      // let passwordArg = "-passout pass:";
+      // if (pfxPassword) {
+      //   passwordArg = `-password pass:${pfxPassword}`;
+      // }
+      // await this.exec(`openssl pkcs12 -export -in ${tmpCrtPath} -inkey ${tmpKeyPath} -out ${p12Path} -name certd ${passwordArg}`);
+
+      const jksPath = path.join(os.tmpdir(), "/certd/tmp/", randomStr + `_cert.jks`);
+      const dir = path.dirname(jksPath);
+      if (!fs.existsSync(dir)) {
+        fs.mkdirSync(dir, { recursive: true });
       }
-      await this.exec(`openssl pkcs12 -export -in ${tmpCrtPath} -inkey ${tmpKeyPath} -out ${p12Path} -name certd ${passwordArg}`);
-      return p12Path;
+      await this.exec(
+        `keytool -importkeystore -srckeystore ${pfxPath} -srcstoretype PKCS12 -srcstorepass "${pfxPassword}" -destkeystore ${jksPath} -deststoretype PKCS12 -deststorepass "${jksPassword}" `
+      );
+      return jksPath;
     } catch (e) {
       this.logger.error("转换jks失败", e);
       return;