npm - @tmsfe/tms-core - Versions diffs - 0.0.172 → 0.0.174 - Mend

@tmsfe/tms-core 0.0.172 → 0.0.174

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

package/package.json +1 -1
package/src/encrypt/encrypt-util.ts +586 -0
package/src/encrypt/index.ts +180 -0
package/src/encrypt/md5.js +2 -0
package/src/encrypt/nacl-util.min.js +2 -0
package/src/encrypt/nacl.min.js +2 -0
package/src/encrypt/traceUtils.js +24 -0
package/src/index.js +1 -2
package/src/md5.js +1 -1
package/src/report/helper.ts +1 -8
package/src/report/types.ts +0 -4
package/src/request.js +60 -175
package/src/runtime/login.ts +0 -2
package/src/aes.js +0 -84
package/src/encrypt.js +0 -327
package/src/jsencrypt.min.js +0 -2
package/src/traceUtils.js +0 -23

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@tmsfe/tms-core",
-  "version": "0.0.172",
+  "version": "0.0.174",
   "description": "tms运行时框架",
   "repository": {
     "type": "git",

package/src/encrypt/encrypt-util.ts ADDED Viewed

@@ -0,0 +1,586 @@
+/**
+ * 加密相关的原子工具能力
+ * 暴露出来的工具函数封装原则：不可以向外throw错误，返回执行结果统一格式：{ success: boolean, msg: string, res: any }
+ * https://iwiki.woa.com/p/4013041987#1.-RSA+AES-%E5%88%87%E6%8D%A2-Curve25519+XSalsa20%EF%BC%9A
+ */
+import md5 from './md5';
+/* eslint-disable @typescript-eslint/no-require-imports */
+const ecc = require('./nacl.min.js');
+const base64Util = require('./nacl-util.min.js');
+/* eslint-enable @typescript-eslint/no-require-imports */
+const logger = wx.getLogManager({});
+interface BaseResp<T> {
+  success: boolean,
+  msg: string,
+  res: T,
+}
+interface CryptoKeyInfo {
+  sharedByte: Uint8Array,
+  clientPublicKey: string,
+  serverPubId: string,
+}
+// 出行接口域名
+const SERVER_HOST_MAP = {
+  production: 'https://tim.map.qq.com',               // 出行服务正式环境域名
+  test: 'https://tim.sparta.html5.qq.com',            // 出行服务测试环境域名
+  development: 'https://tim.sparta.html5.qq.com/dev', // 出行服务开发环境域名
+  predist: 'https://tim.sparta.html5.qq.com/pre',     // 出行服务灰度环境域名
+  mock: 'http://localhost:8003',                      // 本地mock环境
+};
+// 基础工具
+const baseUtil = {
+  _isObject: (obj: any): boolean => Object.prototype.toString.call(obj) === '[object Object]',
+  // 统一格式化日志输出
+  _formatLog(args: any[]): any[] {
+    // 小程序日志管理器都只是精确到秒，我们补上毫秒方便分析
+    const time = new Date()
+      .toISOString()
+      .replace('T', ' ')
+      .substring(0, 19)
+      .replace(/-/g, '-')
+      .replace(/:/g, ':');
+    args.unshift(time);
+    return args;
+  },
+  logInfo: (...args) => {
+    args.unshift('request_encrypt_log');
+    const items = baseUtil._formatLog(args);
+    // console.log(...items);
+    logger.log(...items);
+  },
+  // Uint8Array转为url安全的base64编码
+  encUrl: (input: Uint8Array): string => {
+    let base64 = base64Util.encode(input);
+    base64 = base64
+      .replace(/\+/g, '-')
+      .replace(/\//g, '_')
+      .replace(/=+$/, '');
+    return base64;
+  },
+  // url安全的base64解码
+  decUrl: (input: string): Uint8Array => {
+    let base64 = input.replace(/-/g, '+').replace(/_/g, '/');
+    while (base64.length % 4) {
+      base64 += '=';
+    }
+    return base64Util.decode(base64);
+  },
+  // header格式化，将header的key转换为小写
+  formatHeader: (header): any => {
+    if (!header || !baseUtil._isObject(header)) {
+      return {};
+    }
+    const formatHeader = {};
+    Object.keys(header).forEach((key) => {
+      formatHeader[key.toLocaleLowerCase()] = header[key];
+    });
+    return formatHeader;
+  },
+  formatGetData: (params: any): string => {
+    if (!params || !baseUtil._isObject(params)) {
+      return '';
+    }
+    return Object.keys(params)
+      .map(key => `${encodeURIComponent(key)}=${encodeURIComponent(params[key])}`)
+      .join('&');
+  },
+  getSinanHost: (): string => {
+    if (wx.$_encryptEnvInfo) {
+      return SERVER_HOST_MAP[wx.$_encryptEnvInfo.envName];
+    }
+    return '';
+  },
+  getClientEncryptOpen: (): boolean => wx.$_encryptEnvInfo?.requestEncryptOpen,
+  BaseRespFac: class BaseRespFac<T> implements BaseResp<T> {
+    success: boolean;
+    msg: string;
+    res: T;
+    constructor(res: T, success?: boolean, msg?: string) {
+      this.success = success === undefined ? true : success;
+      this.msg = msg === undefined ? '' : msg;
+      this.res = res;
+    }
+  },
+};
+let composeParamsFunc = null; // 请求参数处理函数，加密初始化调用后之后会赋值
+// 加密工具
+const eccUtil = {
+  _refreshPromise: null,
+  _refreshPubKeyInfo: async (forceRefresh: boolean): Promise<boolean> => {
+    // 未完成初始化，则不支持秘钥刷新
+    if (!composeParamsFunc) {
+      return false;
+    }
+    if (!wx.$_publicKey || forceRefresh) {
+      // eslint-disable-next-line
+      eccUtil._refreshPromise = new Promise(async (resolve) => {
+        const url =  `${baseUtil.getSinanHost()}/basic/crypto/lastkey2`;
+        const data = await composeParamsFunc({});
+        wx.request({
+          url,
+          method: 'POST',
+          data,
+          enableHttp2: true,
+          success: () => {
+            resolve(true);
+          },
+          fail: () => {
+            resolve(false);
+          },
+        });
+      });
+    }
+    return eccUtil._refreshPromise;
+  },
+  // 解析resHeader详情，更新全局公钥信息
+  _updateGlobalPublicKeyInfo: (clear: boolean, resHeader?: {[key: string]: any}): BaseResp<boolean> => {
+    if (clear) {
+      wx.$_publicKey = null;
+      return;
+    }
+    const header = baseUtil.formatHeader(resHeader);
+    const {
+      'x-gateway-code': code,
+      'x-crypto-pub-id': pubId, 'x-crypto-pub-key': pubKey, 'x-crypto-pub-exp': pubExp, 'x-crypto-path': pathRule,
+    } = header;
+    const success = !code && pubId;  // login接口会出现接口成功，但是不返回publicKeyInfo的情况
+    wx.$_publicKey = success ? { pubId, pubKey, pubExp, pathRule } : null;
+    return new baseUtil.BaseRespFac(success);
+  },
+  _privateKeyInfo: null,
+  getPrivateKeyInfo: (forceUpdate = false): CryptoKeyInfo => {
+    if (!wx.$_publicKey) return null;
+    const serverPubInfo = wx.$_publicKey;
+    if (forceUpdate || !eccUtil._privateKeyInfo || eccUtil._privateKeyInfo.serverPubId !== serverPubInfo.pubId) {
+      const keyPair = ecc.box.keyPair();  // 生成客户端公钥私钥
+      eccUtil._privateKeyInfo = {
+        serverPubId: serverPubInfo.pubId,                       // 服务端公钥id
+        sharedByte: ecc.box.before(baseUtil.decUrl(serverPubInfo.pubKey), keyPair.secretKey),  // 共享秘钥
+        clientPublicKey: baseUtil.encUrl(keyPair.publicKey),    // base64 url safe 编码后的客户端公钥
+      };
+    }
+    return eccUtil._privateKeyInfo;
+  },
+  // 解析gwCode
+  /* eslint-disable complexity */
+  resolveGwCode: async (codeStr: string): Promise<{ retry: boolean, success: boolean }> => {
+    if (!codeStr) return { retry: false, success: true };
+    const code = parseInt(codeStr, 10);
+    switch (code) {
+      case 0:
+        return { retry: false, success: true };
+      case 11305:    // 公钥id无效
+      case 11306:  { // 公钥过期
+        // 1. 获取公钥
+        eccUtil._refreshPubKeyInfo(true).then((genPubSuccess) => {
+          genPubSuccess && eccUtil.getPrivateKeyInfo();   // 2. 生成私钥
+        });
+        return { retry: true, success: false };
+      }
+      case 11308:  { // 密钥对有问题
+        eccUtil.getPrivateKeyInfo(true);                   // 重新生成私钥
+        return { retry: true, success: false };
+      }
+      case 11300:  // 解密失败
+      case 11301:
+      case 11302:
+      case 11303:
+      case 11304:
+      case 11307:  // 加密未开启
+        return { retry: true, success: false };
+      case 11309:
+        return { retry: false, success: false };
+      default:     // 其他网关错误码
+        return { retry: false, success: true };
+    }
+  },
+  _getSignSharedByte: () => baseUtil.decUrl('mEufQpM1n5J8-OZZoJE7ucYMC2suTjfsHUq_6z5cyh8'),
+  // 计算客户端加密签名
+  getClientCryptoSign: (data = {}, header = {}, sharedByte): string => {
+    const obj = baseUtil.formatHeader(Object.assign({}, data, header));
+    // 1. 生成签名前的字符串
+    const str = Object.keys(obj).filter(item => obj[item])
+      .sort()
+      .reduce((pre, cur) => {
+        pre.push(`${cur}=${obj[cur]}`);
+        return pre;
+      }, [])
+      .join('&');
+    baseUtil.logInfo('---客户端签名---:before', str);
+    // 2. md5
+    const md5Str = md5(str);
+    const nonce = ecc.randomBytes(ecc.box.nonceLength);
+    const encrypted = ecc.box.after(md5Str, nonce, sharedByte);
+    const combined = new Uint8Array(nonce.length + encrypted.length);
+    combined.set(nonce);
+    combined.set(encrypted, nonce.length);
+    return baseUtil.encUrl(combined);
+  },
+  // 验证服务端加密签名
+  verifyServerCryptoSign: (traceId: string, resHeader = {}): { verified: boolean; msg: string; } => {
+    try {
+      const formatHeader = baseUtil.formatHeader(resHeader);
+      const signStr = formatHeader['x-crypto-sign'];
+      if (!signStr) {
+        return { verified: false, msg: '服务端无签名信息' };
+      }
+      const obj = {
+        'x-encrypt-key': formatHeader['x-encrypt-key'],
+        'x-encrypt-response': formatHeader['x-encrypt-response'],
+        'x-response-header-name': formatHeader['x-response-header-name'],
+        'x-encrypted-headers': formatHeader['x-encrypted-headers'],
+        'x-crypto-enable': formatHeader['x-crypto-enable'],
+        // 'content-type': formatHeader['content-type'],
+        'x-gateway-code': formatHeader['x-gateway-code'],
+        'x-crypto-pub-id': formatHeader['x-crypto-pub-id'],
+        'x-crypto-pub-key': formatHeader['x-crypto-pub-key'],
+        'x-crypto-pub-exp': formatHeader['x-crypto-pub-exp'],
+        'x-crypto-path': formatHeader['x-crypto-path'],
+        'x-trace-id': traceId,
+      };
+      const msg = baseUtil.decUrl(signStr);
+      const decrypted = ecc.sign.open(msg, eccUtil._getSignSharedByte());
+      const str = Object.keys(obj).filter(item => obj[item])
+        .sort()
+        .reduce((pre, cur) => {
+          pre.push(`${cur}=${obj[cur]}`);
+          return pre;
+        }, [])
+        .join('&');
+      const preHashArr = md5(str);
+      const verified = preHashArr.length === decrypted.length && preHashArr.every((v, i) => v === decrypted[i]);
+      return { verified, msg: `客户端验证签名before:${str}` };
+    } catch (e) {
+      return { verified: false, msg: e.message };
+    }
+  },
+  /* eslint-enable complexity */
+  execEncrypt: (input: string, ignoreNull = false): BaseResp<{
+    cryptoKeyInfo: CryptoKeyInfo,
+    encryptedContent: any } | null> => {
+    try {
+      const eccKeyInfo = eccUtil.getPrivateKeyInfo();
+      if (!eccKeyInfo) {
+        return new baseUtil.BaseRespFac(null, false, '加密失败：无加密秘钥信息');
+      }
+      const cryptoKeyInfo = Object.assign({}, eccKeyInfo);  // 因为这里的加密数据要在后续流程中复用，所以需要值拷贝
+      if (ignoreNull && (!input || input === '{}')) {       // 如果需要忽略空值
+        return new baseUtil.BaseRespFac({ cryptoKeyInfo, encryptedContent: '' });
+      }
+      const { sharedByte } = cryptoKeyInfo;
+      const nonce = ecc.randomBytes(ecc.box.nonceLength);
+      const encrypted = ecc.box.after(base64Util.decodeUTF8(input), nonce, sharedByte);
+      const combined = new Uint8Array(nonce.length + encrypted.length);
+      combined.set(nonce);
+      combined.set(encrypted, nonce.length);
+      const encryptedStr = baseUtil.encUrl(combined);
+      return new baseUtil.BaseRespFac({
+        cryptoKeyInfo,
+        encryptedContent: encryptedStr,
+      });
+    } catch (e) {
+      return new baseUtil.BaseRespFac(null, false, `execEncrypt失败：${JSON.stringify(e)}`);
+    }
+  },
+  execDecrypt: (msg: Uint8Array, cryptoKeyInfo: CryptoKeyInfo): BaseResp<string> => {
+    try {
+      const { sharedByte } = cryptoKeyInfo;
+      const nonce = msg.slice(0, ecc.box.nonceLength);
+      const encrypted = msg.slice(ecc.box.nonceLength);
+      const decrypted = ecc.box.open.after(encrypted, nonce, sharedByte);
+      const decryptedStr = base64Util.encodeUTF8(decrypted);
+      return new baseUtil.BaseRespFac(decryptedStr);
+    } catch (err) {
+      return new baseUtil.BaseRespFac('', false, `execDecrypt失败：${JSON.stringify(err)}`);;
+    }
+  },
+  checkCryptoOpen: (): boolean => !!eccUtil._privateKeyInfo,
+  closeCrypto: () => {
+    eccUtil._privateKeyInfo = null;
+    eccUtil._updateGlobalPublicKeyInfo(true);
+  },
+  openCrypto: async (): Promise<boolean> => {
+    const genPubSuccess = await eccUtil._refreshPubKeyInfo(false); // 1. 获取公钥
+    if (!genPubSuccess) return false;
+    eccUtil.getPrivateKeyInfo();                              // 2. 生成私钥
+    return true;
+  },
+};
+// 加密规则判断工具
+const cryptRuleUtil = {
+  // 远程加密服务是否开启
+  isServerOpen: (): boolean => !!wx.$_publicKey,
+  // 检查path是否符合下发的路由前缀
+  pathInEnablePrefix: (path: string): boolean => {
+    if (!wx.$_publicKey) {
+      return false;
+    }
+    const { pathRule } = wx.$_publicKey;
+    if (pathRule === '*') {
+      return true;
+    }
+    const prefixArr = pathRule.split(',').map(item => item.trim());
+    for (let i = 0, len = prefixArr.length; i < len; i++) {
+      if (path.indexOf(prefixArr[i]) > -1) {
+        return true;
+      }
+    }
+    return false;
+  },
+  // 判断是否是性能埋点上报接口
+  isPerformanceReport: (path: string, params: any): boolean => {
+    // 如果是日志上报接口，需要过滤性能日志，不需要加密
+    if (path.indexOf('basic/event/upload') > -1) {
+      if (params.batch?.length === 1 && params.batch[0]?.[31] === 'tms-performance-log') {
+        return true;
+      }
+      return false;
+    }
+    return false;
+  },
+  // 不参与加密的请求路径规则: { 允许的域名： 不需要加密的path }
+  _encryptPathRule: {
+    'tim.map.qq.com': ['^/user/login', '^/api/getClientConfigs', '^/basic/crypto/lastkey2'],
+    'tim.sparta.html5.qq.com': [
+      '^/user/login',
+      '^/cnabroad', '^~/ReChargeCard/', '^/gasolinerecharge/v2/', '^/gasolinerecharge/rechargecard/',
+      '^/tde', '^/basic/crypto/lastkey2',
+    ],
+  },
+  isHostValid: (url) => {
+    // 使用正则表达式解析URL
+    const urlPattern = /^(https?:\/\/)?([^/?#]+)([/?#].*)?$/;
+    const matches = url.match(urlPattern);
+    if (!matches) {
+      console.error('Invalid URL:', url);
+      return false; // 如果URL无效，默认返回false
+    }
+    const domain = matches[2];
+    const path = matches[3] || '/';
+    if (cryptRuleUtil._encryptPathRule[domain]) {
+      const pathRules = cryptRuleUtil._encryptPathRule[domain];
+      for (const rule of pathRules) {
+        const regex = new RegExp(rule);
+        if (regex.test(path)) {
+          return false; // 匹配到规则，不需要加密
+        }
+      }
+      return true;      // 此域名下，默认需要加密
+    }
+    return false; // 没有匹配到规则，不需要加密
+  },
+};
+// 初始化加密工具
+const init = (composeFunc: Function): BaseResp<null> => {
+  composeParamsFunc = (...args) => composeFunc(...args);            // 加密服务器公共参数
+  return new baseUtil.BaseRespFac(null);
+};
+// 判断是否满足加密规则
+const isCryptoRuleMath = (path: string, reqData: any): BaseResp<boolean> => {
+  if (!wx.$_encryptEnvInfo.requestEncryptOpen) {
+    return new baseUtil.BaseRespFac(false, false, '本地加密未开启');
+  }
+  // 如果服务端下发的加密开关关闭，不走加密
+  if (!cryptRuleUtil.isServerOpen()) {
+    return new baseUtil.BaseRespFac(false, false, '服务端加密未开启');
+  }
+  // 请求路由不满足服务端下发的加密规则，不走加密
+  if (!cryptRuleUtil.pathInEnablePrefix(path)) {
+    return new baseUtil.BaseRespFac(false, false, '未命中服务端加密规则');
+  }
+  // 请求接口是加密性能埋点上报接口，不加密
+  if (cryptRuleUtil.isPerformanceReport(path, reqData)) {
+    return new baseUtil.BaseRespFac(false, false, '性能埋点');
+  }
+  // 请求路由不走sinan网关，不加密
+  if (!cryptRuleUtil.isHostValid(path)) {
+    return new baseUtil.BaseRespFac(false, false, '非sinan网关加密接口');
+  }
+  return new baseUtil.BaseRespFac(true);;
+};
+// 请求加密
+const reqEncrypt = (method: string, data: any, header: {
+  [key: string]: any }, encryptedResponseHeaderName: string): BaseResp<{
+  cryptoKeyInfo: CryptoKeyInfo,
+  header: any,
+  data: any,
+} | null> => {
+  const reqHeader = baseUtil.formatHeader(header);
+  if (reqHeader.contentType) {
+    return new baseUtil.BaseRespFac(null, false, '户自定义了请求contentType');
+  }
+  let finalData = {};
+  // 1. 处理请求参数
+  if (method.toUpperCase() === 'GET') {
+    const searchParams = baseUtil.formatGetData(data);
+    if (!searchParams) {
+      return new baseUtil.BaseRespFac(null, false, `GET请求参数不满足加密的规则: ${JSON.stringify(data)}`);
+    }
+    const { success, msg, res } = eccUtil.execEncrypt(searchParams);
+    if (!success) {
+      return new baseUtil.BaseRespFac(null, false, `GET请求参数加密失败: ${msg}`);
+    }
+    finalData = { tmsec: res.encryptedContent };
+  } else {
+    const { success, msg, res } = eccUtil.execEncrypt(JSON.stringify(data));
+    if (!success) {
+      return new baseUtil.BaseRespFac(null, false, `${method}请求参数加密失败: ${msg}`);
+    }
+    finalData = res.encryptedContent;
+  }
+  // 2. 处理Headers
+  const { success, msg, res } = eccUtil.execEncrypt(JSON.stringify(header), true);
+  if (!success) {
+    return new baseUtil.BaseRespFac(null, false, `请求Header加密失败: ${msg}`);
+  }
+  const cryptoHeader = {
+    'X-Crypto-Mode': '2',  // ecc加密模式
+    'X-Encrypted-Headers': res.encryptedContent,
+    'X-Encrypt-Pub': res.cryptoKeyInfo.serverPubId,
+    'X-Encrypt-Key': res.cryptoKeyInfo.clientPublicKey,
+    'X-Encrypt-Response': '3',                 // 加密，二进制
+    'X-Response-Header-Name': encryptedResponseHeaderName,
+  };
+  const cryptoSign = eccUtil.getClientCryptoSign(baseUtil._isObject(finalData) ? finalData : {
+    body: finalData,
+  }, cryptoHeader, res.cryptoKeyInfo.sharedByte);
+  return new baseUtil.BaseRespFac({
+    cryptoKeyInfo: res.cryptoKeyInfo,
+    data: finalData,
+    header: {
+      ...cryptoHeader,
+      'Content-Type': 'text/plain',
+      'X-Crypto-Sign': cryptoSign,
+    },
+  });
+};
+// 解密请求结果
+const resDecrypt = async (requestTraceId: string, header, data, cryptoKeyInfo: CryptoKeyInfo): Promise<BaseResp<{
+  retry: boolean,  // 是否需要明文重试
+  header: any,
+  data: any,
+}>> => {
+  try {
+    const formatHeader = baseUtil.formatHeader(header);
+    const {
+      // 'x-encrypt-key': clientPublicKey,                    // base64 url safe编码后的客户端公钥
+      'x-encrypt-response': encryptResponseMode,              // 期望的响应加密模式 2: 加密、不压缩 3: 加密、二进制
+      'x-response-header-name': encryptedResponseHeaderName,  // 需要加密的响应Header: X-Header1,X-Header2
+      'x-encrypted-headers': encryptedHeaders,                // 加密后的Header信息
+      'x-gateway-code': gatewayCode,                          // 网关返回的错误码
+      'content-type': contentType,                            // 响应内容类型
+    } = formatHeader;
+    if (!encryptResponseMode || encryptResponseMode === '0') { // 不需要解密，直接返回
+      const dataStr = base64Util.encodeUTF8(new Uint8Array(data));
+      return new baseUtil.BaseRespFac({
+        header,
+        data: JSON.parse(dataStr),
+        retry: false,
+      });
+    }
+    const { retry, success: gwSuccess } = await eccUtil.resolveGwCode(gatewayCode);
+    if (!gwSuccess) {
+      // 网关加密流程出现问题，需要验证网关签名
+      const { verified, msg } = eccUtil.verifyServerCryptoSign(requestTraceId, header);
+      if (!verified) {
+        // 验证失败，表示请求被篡改
+        return new baseUtil.BaseRespFac({ header: null, data: null, retry: false }, false, `响应被篡改:${msg}`);
+      }
+      return new baseUtil.BaseRespFac({ header: null, data: null, retry }, false, `网关返回错误码: ${gatewayCode}`);
+    }
+    let decryptedHeaders = {};
+    if (encryptedResponseHeaderName) {                         // 解密响应Header
+      const { success, msg, res } = eccUtil.execDecrypt(baseUtil.decUrl(encryptedHeaders), cryptoKeyInfo);
+      if (!success) {
+        return new baseUtil.BaseRespFac({ header: null, data: null, retry: true }, false, `解密响应Header失败: ${msg}`);
+      }
+      decryptedHeaders = JSON.parse(res);
+    }
+    const needDecode = contentType.indexOf('text/plain') > -1;
+    const cipher = needDecode ? baseUtil.decUrl(data) : new Uint8Array(data);
+    const { success, msg, res } = eccUtil.execDecrypt(cipher, cryptoKeyInfo);
+    if (!success) {
+      return new baseUtil.BaseRespFac({ header: null, data: null, retry: true }, false, `解密响应Body失败: ${msg}`);
+    }
+    const decryptedBody = JSON.parse(res); // 解密响应Body
+    return new baseUtil.BaseRespFac({
+      retry: false,
+      header: {
+        ...header,
+        ...decryptedHeaders,
+      },
+      data: decryptedBody,
+    });
+  } catch (e) {
+    // 因为上面的逻辑有parse, 所以这里再加一个catch
+    return new baseUtil.BaseRespFac({ header: null, data: null, retry: true }, false, `解密响应Body失败: ${JSON.stringify(e)}`);
+  }
+};
+// 处理接下来的请求开关
+let dealEncryptionSwitching = false;
+const dealEncryptionSwitch = async (path: string, traceId: string, resHeader): Promise<string> => {
+  if ((!resHeader || dealEncryptionSwitching)) {
+    return '';
+  }
+  dealEncryptionSwitching = true;
+  const formatHeader = baseUtil.formatHeader(resHeader);
+  // 加密关闭或者`login接口和lastkey接口`，都需要先执行验签
+  const cryptoDisabled = formatHeader['x-crypto-enable'] === '0';
+  if ((eccUtil.checkCryptoOpen() && cryptoDisabled)) {
+    const { verified, msg } = eccUtil.verifyServerCryptoSign(traceId, formatHeader);
+    if (!verified) {
+      // 验签失败，表示响应被篡改
+      dealEncryptionSwitching = false;
+      return `验签失败: ${msg}`;
+    }
+  }
+  if (cryptoDisabled) {
+    eccUtil.closeCrypto();
+  } else if (formatHeader['x-crypto-enable'] === '1') {
+    await eccUtil.openCrypto();
+  } // 0是关闭，1是开启, 2是保持
+  dealEncryptionSwitching = false;
+  return '';
+};
+/**
+ * 处理非加密请求的响应
+ * @params path traceId resHeader reqData
+ * @returns 是否需要根据响应内容处理加密开关
+ */
+const dealRes = (path: string, traceId: string, resHeader, reqData): BaseResp<boolean> => {
+  const specialPath = [
+    `${baseUtil.getSinanHost()}/user/login`,
+    `${baseUtil.getSinanHost()}/basic/crypto/lastkey2`,
+  ].indexOf(path) > -1;
+  if (specialPath) {
+    const formatHeader = baseUtil.formatHeader(resHeader);
+    const { verified, msg } = eccUtil.verifyServerCryptoSign(traceId, formatHeader);
+    if (!verified) {
+      // 验签失败，表示响应被篡改
+      return new baseUtil.BaseRespFac(false, false, `验签失败: ${msg}`);
+    }
+    eccUtil._updateGlobalPublicKeyInfo(false, resHeader);
+  }
+  return new baseUtil.BaseRespFac(!cryptRuleUtil.isPerformanceReport(path, reqData));
+};
+const encryptUtil = {
+  init,                       // 初始化加密工具
+  isCryptoRuleMath,           // 请求是否符合加密规则
+  logInfo: baseUtil.logInfo,  // 本地日志打印
+  dealRes,                    // 处理不加密请求的响应
+  reqEncrypt,                 // 请求加密：header和data
+  resDecrypt,                 // 响应解密
+  dealEncryptionSwitch,       // 处理加密开关
+};
+export default encryptUtil;