feat: 【破坏性更新】插件改为metadata加载模式，plugin-cert、plugin-lib包部分代码转移到certd-server中，影响自定义插件，需要修改相关import引用

ssh、aliyun、tencent、qiniu、oss等 access和client需要转移import
2026-04-22 10:57:25 +08:00 · 2025-12-31 17:01:37 +08:00
parent 9c26598831
commit a3fb24993d
312 changed files with 14321 additions and 597 deletions
@@ -0,0 +1,256 @@
+import fs from "fs";
+import os from "os";
+import path from "path";
+import { CertificateInfo, crypto } from "@certd/acme-client";
+import { ILogger } from "@certd/basic";
+import dayjs from "dayjs";
+import { uniq } from "lodash-es";
+
+export type CertInfo = {
+  crt: string; //fullchain证书
+  key: string; //私钥
+  csr: string; //csr
+  oc?: string; //仅证书，非fullchain证书
+  ic?: string; //中间证书
+  pfx?: string;
+  der?: string;
+  jks?: string;
+  one?: string;
+  p7b?: string;
+};
+
+export type CertReaderHandleContext = {
+  reader: CertReader;
+  tmpCrtPath: string;
+  tmpKeyPath: string;
+  tmpOcPath?: string;
+  tmpPfxPath?: string;
+  tmpDerPath?: string;
+  tmpIcPath?: string;
+  tmpJksPath?: string;
+  tmpOnePath?: string;
+  tmpP7bPath?: string;
+};
+export type CertReaderHandle = (ctx: CertReaderHandleContext) => Promise<void>;
+export type HandleOpts = { logger: ILogger; handle: CertReaderHandle };
+
+const formats = {
+  pem: ["crt", "key", "ic"],
+  one: ["one"],
+  pfx: ["pfx"],
+  der: ["der"],
+  jks: ["jks"],
+  p7b: ["p7b", "key"],
+};
+export class CertReader {
+  cert: CertInfo;
+
+  detail: CertificateInfo;
+  //毫秒时间戳
+  effective: number;
+  //毫秒时间戳
+  expires: number;
+  constructor(certInfo: CertInfo) {
+    this.cert = certInfo;
+
+    if (!certInfo.ic) {
+      this.cert.ic = this.getIc();
+    }
+
+    if (!certInfo.oc) {
+      this.cert.oc = this.getOc();
+    }
+
+    if (!certInfo.one) {
+      this.cert.one = this.cert.crt + "\n" + this.cert.key;
+    }
+
+    try {
+      const { detail, effective, expires } = this.getCrtDetail(this.cert.crt);
+      this.detail = detail;
+      this.effective = effective.getTime();
+      this.expires = expires.getTime();
+    } catch (e) {
+      throw new Error("证书解析失败:" + e.message);
+    }
+  }
+
+  getIc() {
+    //中间证书ic， 就是crt的第一个 -----END CERTIFICATE----- 之后的内容
+    const endStr = "-----END CERTIFICATE-----";
+    const firstBlockEndIndex = this.cert.crt.indexOf(endStr);
+
+    const start = firstBlockEndIndex + endStr.length + 1;
+    if (this.cert.crt.length <= start) {
+      return "";
+    }
+    const ic = this.cert.crt.substring(start);
+    if (ic == null) {
+      return "";
+    }
+    return ic?.trim();
+  }
+
+  getOc() {
+    //原始证书 就是crt的第一个 -----END CERTIFICATE----- 之前的内容
+    const endStr = "-----END CERTIFICATE-----";
+    const arr = this.cert.crt.split(endStr);
+    return arr[0] + endStr;
+  }
+
+  toCertInfo(format?: string): CertInfo {
+    if (!format) {
+      return this.cert;
+    }
+
+    const formatArr = formats[format];
+    const res: any = {};
+    formatArr.forEach((key: string) => {
+      res[key] = this.cert[key];
+    });
+    return res;
+  }
+
+  getCrtDetail(crt: string = this.cert.crt) {
+    return CertReader.readCertDetail(crt);
+  }
+
+  static readCertDetail(crt: string) {
+    const detail = crypto.readCertificateInfo(crt.toString());
+    const effective = detail.notBefore;
+    const expires = detail.notAfter;
+    return { detail, effective, expires };
+  }
+
+  getAllDomains() {
+    const { detail } = this.getCrtDetail();
+    const domains = [];
+    if (detail.domains?.commonName) {
+      domains.push(detail.domains.commonName);
+    }
+    domains.push(...detail.domains.altNames);
+    //去重
+    return uniq(domains);
+  }
+
+  getAltNames() {
+    const { detail } = this.getCrtDetail();
+    return detail.domains.altNames;
+  }
+
+  static getMainDomain(crt: string) {
+    const { detail } = CertReader.readCertDetail(crt);
+    return CertReader.getMainDomainFromDetail(detail);
+  }
+
+  getMainDomain() {
+    const { detail } = this.getCrtDetail();
+    return CertReader.getMainDomainFromDetail(detail);
+  }
+
+  static getMainDomainFromDetail(detail: CertificateInfo) {
+    let domain = detail?.domains?.commonName;
+    if (domain == null) {
+      domain = detail?.domains?.altNames?.[0];
+    }
+    if (domain == null) {
+      domain = "unknown";
+    }
+    return domain;
+  }
+
+  saveToFile(type: "crt" | "key" | "pfx" | "der" | "oc" | "one" | "ic" | "jks" | "p7b", filepath?: string) {
+    if (!this.cert[type]) {
+      return;
+    }
+
+    if (filepath == null) {
+      //写入临时目录
+      filepath = path.join(os.tmpdir(), "/certd/tmp/", Math.floor(Math.random() * 1000000) + `_cert.${type}`);
+    }
+
+    const dir = path.dirname(filepath);
+    if (!fs.existsSync(dir)) {
+      fs.mkdirSync(dir, { recursive: true });
+    }
+    if (type === "crt" || type === "key" || type === "ic" || type === "oc" || type === "one" || type === "p7b") {
+      fs.writeFileSync(filepath, this.cert[type]);
+    } else {
+      fs.writeFileSync(filepath, Buffer.from(this.cert[type], "base64"));
+    }
+    return filepath;
+  }
+
+  async readCertFile(opts: HandleOpts) {
+    const logger = opts.logger;
+    logger.info("将证书写入本地缓存文件");
+    const tmpCrtPath = this.saveToFile("crt");
+    const tmpKeyPath = this.saveToFile("key");
+    const tmpPfxPath = this.saveToFile("pfx");
+    const tmpIcPath = this.saveToFile("ic");
+    const tmpOcPath = this.saveToFile("oc");
+    const tmpDerPath = this.saveToFile("der");
+    const tmpJksPath = this.saveToFile("jks");
+    const tmpOnePath = this.saveToFile("one");
+    const tmpP7bPath = this.saveToFile("p7b");
+    logger.info("本地文件写入成功");
+    try {
+      return await opts.handle({
+        reader: this,
+        tmpCrtPath,
+        tmpKeyPath,
+        tmpPfxPath,
+        tmpDerPath,
+        tmpIcPath,
+        tmpJksPath,
+        tmpOcPath,
+        tmpP7bPath,
+        tmpOnePath,
+      });
+    } catch (err) {
+      logger.error("处理失败", err);
+      throw err;
+    } finally {
+      //删除临时文件
+      logger.info("清理临时文件");
+      function removeFile(filepath?: string) {
+        if (filepath) {
+          fs.unlinkSync(filepath);
+        }
+      }
+      removeFile(tmpCrtPath);
+      removeFile(tmpKeyPath);
+      removeFile(tmpPfxPath);
+      removeFile(tmpOcPath);
+      removeFile(tmpDerPath);
+      removeFile(tmpIcPath);
+      removeFile(tmpJksPath);
+      removeFile(tmpOnePath);
+      removeFile(tmpP7bPath);
+    }
+  }
+
+  buildCertFileName(suffix: string, applyTime: any, prefix = "cert") {
+    let domain = this.getMainDomain();
+    domain = domain.replaceAll(".", "_").replaceAll("*", "_");
+    const timeStr = dayjs(applyTime).format("YYYYMMDDHHmmss");
+    return `${prefix}_${domain}_${timeStr}.${suffix}`;
+  }
+
+  buildCertName(prefix: string = "") {
+    let domain = this.getMainDomain();
+    domain = domain.replaceAll(".", "_").replaceAll("*", "_");
+    return `${prefix}_${domain}_${dayjs().format("YYYYMMDDHHmmssSSS")}`;
+  }
+
+  static appendTimeSuffix(name?: string) {
+    if (name == null) {
+      name = "certd";
+    }
+    return name + "_" + dayjs().format("YYYYMMDDHHmmssSSS");
+  }
+
+  static buildCertName(cert: any) {
+    return new CertReader(cert).buildCertName();
+  }
+}
@@ -0,0 +1,2 @@
+export const CertApplyPluginNames = [":cert:"];
+export const EVENT_CERT_APPLY_SUCCESS = "CertApply.success";
@@ -0,0 +1,147 @@
+import { ILogger, sp } from "@certd/basic";
+import type { CertInfo } from "./cert-reader.js";
+import { CertReader, CertReaderHandleContext } from "./cert-reader.js";
+import path from "path";
+import os from "os";
+import fs from "fs";
+
+export class CertConverter {
+  logger: ILogger;
+
+  constructor(opts: { logger: ILogger }) {
+    this.logger = opts.logger;
+  }
+  async convert(opts: { cert: CertInfo; pfxPassword: string; pfxArgs: string }): Promise<{
+    pfx: string;
+    der: string;
+    jks: string;
+    p7b: string;
+  }> {
+    const certReader = new CertReader(opts.cert);
+    let pfx: string;
+    let der: string;
+    let jks: string;
+    let p7b: string;
+    const handle = async (ctx: CertReaderHandleContext) => {
+      // 调用openssl 转pfx
+      pfx = await this.convertPfx(ctx, opts.pfxPassword, opts.pfxArgs);
+
+      // 转der
+      der = await this.convertDer(ctx);
+
+      jks = await this.convertJks(ctx, opts.pfxPassword);
+
+      p7b = await this.convertP7b(ctx);
+    };
+
+    await certReader.readCertFile({ logger: this.logger, handle });
+
+    return {
+      pfx,
+      der,
+      jks,
+      p7b,
+    };
+  }
+
+  async exec(cmd: string) {
+    process.env.LANG = "zh_CN.GBK";
+    await sp.spawn({
+      cmd: cmd,
+      logger: this.logger,
+    });
+  }
+
+  private async convertPfx(opts: CertReaderHandleContext, pfxPassword: string, pfxArgs: string) {
+    const { tmpCrtPath, tmpKeyPath } = opts;
+
+    const pfxPath = path.join(os.tmpdir(), "/certd/tmp/", Math.floor(Math.random() * 1000000) + "_cert.pfx");
+
+    const dir = path.dirname(pfxPath);
+    if (!fs.existsSync(dir)) {
+      fs.mkdirSync(dir, { recursive: true });
+    }
+
+    let passwordArg = "-passout pass:";
+    if (pfxPassword) {
+      passwordArg = `-password pass:${pfxPassword}`;
+    }
+    // 兼容server 2016，旧版本不能用sha256
+    const oldPfxCmd = `openssl pkcs12 ${pfxArgs} -export -out ${pfxPath} -inkey ${tmpKeyPath} -in ${tmpCrtPath} ${passwordArg}`;
+    // const newPfx = `openssl pkcs12 -export -out ${pfxPath} -inkey ${tmpKeyPath} -in ${tmpCrtPath} ${passwordArg}`;
+    await this.exec(oldPfxCmd);
+    const fileBuffer = fs.readFileSync(pfxPath);
+    const pfxCert = fileBuffer.toString("base64");
+    fs.unlinkSync(pfxPath);
+    return pfxCert;
+
+    //
+    // const applyTime = new Date().getTime();
+    // const filename = reader.buildCertFileName("pfx", applyTime);
+    // this.saveFile(filename, fileBuffer);
+  }
+
+  private async convertDer(opts: CertReaderHandleContext) {
+    const { tmpCrtPath } = opts;
+    const derPath = path.join(os.tmpdir(), "/certd/tmp/", Math.floor(Math.random() * 1000000) + `_cert.der`);
+
+    const dir = path.dirname(derPath);
+    if (!fs.existsSync(dir)) {
+      fs.mkdirSync(dir, { recursive: true });
+    }
+
+    await this.exec(`openssl x509 -outform der -in ${tmpCrtPath} -out ${derPath}`);
+    const fileBuffer = fs.readFileSync(derPath);
+    const derCert = fileBuffer.toString("base64");
+    fs.unlinkSync(derPath);
+    return derCert;
+  }
+
+  async convertP7b(opts: CertReaderHandleContext) {
+    const { tmpCrtPath } = opts;
+    const p7bPath = path.join(os.tmpdir(), "/certd/tmp/", Math.floor(Math.random() * 1000000) + `_cert.p7b`);
+    const dir = path.dirname(p7bPath);
+    if (!fs.existsSync(dir)) {
+      fs.mkdirSync(dir, { recursive: true });
+    }
+    //openssl crl2pkcs7 -nocrl \
+    //     -certfile your_domain.crt \
+    //     -certfile intermediate.crt \
+    //     -out chain.p7b
+    await this.exec(`openssl crl2pkcs7 -nocrl -certfile ${tmpCrtPath} -out ${p7bPath}`);
+    const fileBuffer = fs.readFileSync(p7bPath);
+    const p7bCert = fileBuffer.toString();
+    fs.unlinkSync(p7bPath);
+    return p7bCert;
+  }
+  async convertJks(opts: CertReaderHandleContext, pfxPassword = "") {
+    const jksPassword = pfxPassword || "123456";
+    try {
+      const randomStr = Math.floor(Math.random() * 1000000) + "";
+
+      const p12Path = path.join(os.tmpdir(), "/certd/tmp/", randomStr + `_cert.p12`);
+      const { tmpCrtPath, tmpKeyPath } = opts;
+      let passwordArg = "-passout pass:";
+      if (jksPassword) {
+        passwordArg = `-password pass:${jksPassword}`;
+      }
+      await this.exec(`openssl pkcs12 -export -in ${tmpCrtPath} -inkey ${tmpKeyPath} -out ${p12Path} -name certd ${passwordArg}`);
+
+      const jksPath = path.join(os.tmpdir(), "/certd/tmp/", randomStr + `_cert.jks`);
+      const dir = path.dirname(jksPath);
+      if (!fs.existsSync(dir)) {
+        fs.mkdirSync(dir, { recursive: true });
+      }
+      await this.exec(`keytool -importkeystore -srckeystore ${p12Path} -srcstoretype PKCS12 -srcstorepass "${jksPassword}" -destkeystore ${jksPath} -deststoretype PKCS12 -deststorepass "${jksPassword}" `);
+      fs.unlinkSync(p12Path);
+
+      const fileBuffer = fs.readFileSync(jksPath);
+      const certBase64 = fileBuffer.toString("base64");
+      fs.unlinkSync(jksPath);
+      return certBase64;
+    } catch (e) {
+      this.logger.error("转换jks失败", e);
+      return;
+    }
+  }
+}
@@ -0,0 +1,97 @@
+import { HttpClient, ILogger, utils } from "@certd/basic";
+import { IAccess, IServiceGetter, Registrable } from "@certd/pipeline";
+
+export type DnsProviderDefine = Registrable & {
+  accessType: string;
+  icon?: string;
+};
+
+export type CreateRecordOptions = {
+  domain: string;
+  fullRecord: string;
+  hostRecord: string;
+  type: string;
+  value: any;
+};
+export type RemoveRecordOptions<T> = {
+  recordReq: CreateRecordOptions;
+  // 本次创建的dns解析记录，实际上就是createRecord接口的返回值
+  recordRes: T;
+};
+
+export type DnsProviderContext = {
+  access: IAccess;
+  logger: ILogger;
+  http: HttpClient;
+  utils: typeof utils;
+  domainParser: IDomainParser;
+  serviceGetter: IServiceGetter;
+};
+
+export interface IDnsProvider<T = any> {
+  onInstance(): Promise<void>;
+
+  /**
+   * 中文转英文
+   * @param domain
+   */
+  punyCodeEncode(domain: string): string;
+
+  /**
+   * 转中文域名
+   * @param domain
+   */
+  punyCodeDecode(domain: string): string;
+
+  createRecord(options: CreateRecordOptions): Promise<T>;
+
+  removeRecord(options: RemoveRecordOptions<T>): Promise<void>;
+
+  setCtx(ctx: DnsProviderContext): void;
+
+  //中文域名是否需要punycode转码，如果返回True，则使用punycode来添加解析记录，否则使用中文域名添加解析记录
+  usePunyCode(): boolean;
+}
+
+export interface ISubDomainsGetter {
+  getSubDomains(): Promise<string[]>;
+}
+
+export interface IDomainParser {
+  parse(fullDomain: string): Promise<string>;
+}
+
+export type DnsVerifier = {
+  // dns直接校验
+  dnsProviderType?: string;
+  dnsProviderAccessId?: number;
+};
+
+export type CnameVerifier = {
+  hostRecord: string;
+  domain: string;
+  recordValue: string;
+};
+
+export type HttpVerifier = {
+  // http校验
+  httpUploaderType: string;
+  httpUploaderAccess: number;
+  httpUploadRootDir: string;
+};
+export type DomainVerifier = {
+  domain: string;
+  mainDomain: string;
+  type: string;
+  dns?: DnsVerifier;
+  cname?: CnameVerifier;
+  http?: HttpVerifier;
+};
+
+export type DomainVerifiers = {
+  [key: string]: DomainVerifier;
+};
+
+export interface IDomainVerifierGetter {
+  getVerifiers(domains: string[]): Promise<DomainVerifiers>;
+}
@@ -0,0 +1,62 @@
+import { CreateRecordOptions, DnsProviderContext, DnsProviderDefine, IDnsProvider, RemoveRecordOptions } from "./api.js";
+import { dnsProviderRegistry } from "./registry.js";
+import { HttpClient, ILogger } from "@certd/basic";
+import punycode from "punycode.js";
+export abstract class AbstractDnsProvider<T = any> implements IDnsProvider<T> {
+  ctx!: DnsProviderContext;
+  http!: HttpClient;
+  logger!: ILogger;
+
+  usePunyCode(): boolean {
+    //是否使用punycode来添加解析记录
+    //默认都使用原始中文域名来添加
+    return false;
+  }
+
+  /**
+   * 中文转英文
+   * @param domain
+   */
+  punyCodeEncode(domain: string) {
+    return punycode.toASCII(domain);
+  }
+
+  /**
+   * 转中文域名
+   * @param domain
+   */
+  punyCodeDecode(domain: string) {
+    return punycode.toUnicode(domain);
+  }
+
+  setCtx(ctx: DnsProviderContext) {
+    this.ctx = ctx;
+    this.logger = ctx.logger;
+    this.http = ctx.http;
+  }
+
+  async parseDomain(fullDomain: string) {
+    return await this.ctx.domainParser.parse(fullDomain);
+  }
+
+  abstract createRecord(options: CreateRecordOptions): Promise<T>;
+
+  abstract onInstance(): Promise<void>;
+
+  abstract removeRecord(options: RemoveRecordOptions<T>): Promise<void>;
+}
+
+export async function createDnsProvider(opts: { dnsProviderType: string; context: DnsProviderContext }): Promise<IDnsProvider> {
+  const { dnsProviderType, context } = opts;
+  const dnsProviderPlugin = dnsProviderRegistry.get(dnsProviderType);
+  const DnsProviderClass = await dnsProviderPlugin.target();
+  const dnsProviderDefine = dnsProviderPlugin.define as DnsProviderDefine;
+  if (dnsProviderDefine.deprecated) {
+    context.logger.warn(dnsProviderDefine.deprecated);
+  }
+  // @ts-ignore
+  const dnsProvider: IDnsProvider = new DnsProviderClass();
+  dnsProvider.setCtx(context);
+  await dnsProvider.onInstance();
+  return dnsProvider;
+}
@@ -0,0 +1,26 @@
+import { dnsProviderRegistry } from "./registry.js";
+import { DnsProviderDefine } from "./api.js";
+import { Decorator } from "@certd/pipeline";
+import * as _ from "lodash-es";
+
+// 提供一个唯一 key
+export const DNS_PROVIDER_CLASS_KEY = "pipeline:dns-provider";
+
+export function IsDnsProvider(define: DnsProviderDefine): ClassDecorator {
+  return (target: any) => {
+    if (process.env.certd_plugin_loadmode === "metadata") {
+      return;
+    }
+    target = Decorator.target(target);
+
+    Reflect.defineMetadata(DNS_PROVIDER_CLASS_KEY, define, target);
+
+    target.define = define;
+    dnsProviderRegistry.register(define.name, {
+      define,
+      target: async () => {
+        return target;
+      },
+    });
+  };
+}
@@ -0,0 +1,71 @@
+import { IDomainParser, ISubDomainsGetter } from "./api";
+//@ts-ignore
+import psl from "psl";
+import { ILogger, utils, logger as globalLogger } from "@certd/basic";
+import { resolveDomainBySoaRecord } from "@certd/acme-client";
+
+export class DomainParser implements IDomainParser {
+  subDomainsGetter: ISubDomainsGetter;
+  logger: ILogger;
+  constructor(subDomainsGetter: ISubDomainsGetter, logger?: ILogger) {
+    this.subDomainsGetter = subDomainsGetter;
+    this.logger = logger || globalLogger;
+  }
+
+  parseDomainByPsl(fullDomain: string) {
+    const parsed = psl.parse(fullDomain) as psl.ParsedDomain;
+    if (parsed.error) {
+      throw new Error(`解析${fullDomain}域名失败:` + JSON.stringify(parsed.error));
+    }
+    return parsed.domain as string;
+  }
+
+  async parse(fullDomain: string) {
+    //如果是ip
+    if (utils.domain.isIp(fullDomain)) {
+      return fullDomain;
+    }
+
+    this.logger.info(`查找主域名:${fullDomain}`);
+    const cacheKey = `domain_parse:${fullDomain}`;
+    const value = utils.cache.get(cacheKey);
+    if (value) {
+      this.logger.info(`从缓存获取到主域名:${fullDomain}->${value}`);
+      return value;
+    }
+
+    const subDomains = await this.subDomainsGetter.getSubDomains();
+    if (subDomains && subDomains.length > 0) {
+      const fullDomainDot = "." + fullDomain;
+      for (const subDomain of subDomains) {
+        if (fullDomainDot.endsWith("." + subDomain)) {
+          //找到子域名托管
+          utils.cache.set(cacheKey, subDomain, {
+            ttl: 60 * 1000,
+          });
+          this.logger.info(`获取到子域名托管域名:${fullDomain}->${subDomain}`);
+          return subDomain;
+        }
+      }
+    }
+
+    const res = this.parseDomainByPsl(fullDomain);
+    this.logger.info(`从psl获取主域名:${fullDomain}->${res}`);
+
+    let soaManDomain = null;
+    try {
+      const mainDomain = await resolveDomainBySoaRecord(fullDomain);
+      if (mainDomain) {
+        this.logger.info(`从SOA获取到主域名:${fullDomain}->${mainDomain}`);
+        soaManDomain = mainDomain;
+      }
+    } catch (e) {
+      this.logger.error("从SOA获取主域名失败", e.message);
+    }
+    if (soaManDomain && soaManDomain !== res) {
+      this.logger.warn(`SOA获取的主域名（${soaManDomain}）和psl获取的主域名(${res})不一致，请确认是否有设置子域名托管`);
+    }
+
+    return res;
+  }
+}
@@ -0,0 +1,5 @@
+export * from "./api.js";
+export * from "./registry.js";
+export * from "./decorator.js";
+export * from "./base.js";
+export * from "./domain-parser.js";
@@ -0,0 +1,3 @@
+import { createRegistry } from "@certd/pipeline";
+
+export const dnsProviderRegistry = createRegistry("dnsProvider");
@@ -0,0 +1,4 @@
+export * from "./convert.js";
+export * from "./cert-reader.js";
+export * from "./consts.js";
+export * from "./dns-provider/index.js";