CN113760294A - Application software encryption deployment method and system - Google Patents

Application software encryption deployment method and system Download PDF

Info

Publication number
CN113760294A
CN113760294A CN202110673404.7A CN202110673404A CN113760294A CN 113760294 A CN113760294 A CN 113760294A CN 202110673404 A CN202110673404 A CN 202110673404A CN 113760294 A CN113760294 A CN 113760294A
Authority
CN
China
Prior art keywords
application software
software package
source code
obfuscated
application
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110673404.7A
Other languages
Chinese (zh)
Inventor
段彦杰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Jingdong Century Trading Co Ltd
Beijing Wodong Tianjun Information Technology Co Ltd
Original Assignee
Beijing Jingdong Century Trading Co Ltd
Beijing Wodong Tianjun Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Jingdong Century Trading Co Ltd, Beijing Wodong Tianjun Information Technology Co Ltd filed Critical Beijing Jingdong Century Trading Co Ltd
Priority to CN202110673404.7A priority Critical patent/CN113760294A/en
Publication of CN113760294A publication Critical patent/CN113760294A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00Arrangements for software engineering
    • G06F8/40Transformation of program code
    • G06F8/41Compilation
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/36Preventing errors by testing or debugging software
    • G06F11/3668Software testing
    • G06F11/3672Test management
    • G06F11/3684Test management for test design, e.g. generating new test cases
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
    • G06F21/12Protecting executable software
    • G06F21/14Protecting executable software against software analysis or reverse engineering, e.g. by obfuscation
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00Arrangements for software engineering
    • G06F8/70Software maintenance or management
    • G06F8/72Code refactoring
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3006Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters
    • H04L9/302Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters involving the integer factorization problem, e.g. RSA or quadratic sieve [QS] schemes

Abstract

The application provides an application software encryption deployment method and system. The method comprises the following steps: the server may build a data warehouse using the git tool. After the programmer finishes writing the source code, the source code can be uploaded by logging in the git tool. The server may obtain obfuscated configuration information from the configuration center. After the server obtains the obfuscated configuration information, the server may obfuscate the source code using the obfuscated configuration information to obtain an obfuscated code. After the server obtains the obfuscated code, the obfuscated code may be compiled and packaged by using maven to obtain an application software package. After the server obtains the application software package, a docker tool is used for generating a mirror image container of the application software package. The mirror container may include an application server and a dynamic library in addition to the application software package. The method improves the safety of the application software package and avoids the problem of source code leakage caused by reverse analysis of the application software package.

Description

Application software encryption deployment method and system
Technical Field
The present application relates to the field of computers, and in particular, to a method and a system for encryption and deployment of application software.
Background
In the software industry, some customers may require application software to be deployed to the customer's internal server or private cloud. When the application software is JAVA application software, the program code of the JAVA application software deployed on the internal server of the client or on the private cloud is usually easy to be reversely parsed to obtain the source code. Further, problems such as code leakage are likely to occur.
To address this problem, the prior art typically implements obfuscation of the source code using a JAVA obfuscator. Currently, commonly used JAVA obfuscators include prosuard, alatori, Obfuscate4e, and the like. Programmers can use short nonsense names to rename already existing classes, fields, methods, and properties, thereby implementing obfuscation of the source code. The programmer may package and upload the obfuscated source code. Reverse parsing of the obfuscated source code will not result in the correct source code.
However, the JAVA obfuscator typically requires the source code to be obfuscated locally and manually before being uploaded by a programmer. The source code confusion mode has the problems of low automation degree, inconvenient operation and the like.
Disclosure of Invention
The application provides an application software encryption deployment method and system, which are used for solving the problems of low automation degree, inconvenient operation and the like caused by the fact that source codes need to be manually confused in the prior art.
In a first aspect, the present application provides an application software encryption deployment method, including:
acquiring a source code to be obfuscated;
obfuscating the source code according to the configuration information to obtain an obfuscated code, wherein the obfuscated code has the same logic content as the source code, and is used for preventing the source code from being leaked after the application software package is reversely analyzed;
packaging the obfuscated codes to obtain an application software package, wherein the application software package comprises a first file, a summary file and the obfuscated codes, and the first file comprises a class filing file or a Web application program;
and generating a mirror image container according to the application software package, wherein the mirror image container comprises the application software package, an application server and a dynamic library, and the application server is used for operating the application software package in the mirror image container.
Optionally, the obfuscating the source code according to the configuration information to obtain an obfuscated code includes at least one of:
replacing target words in classes, functions or fields in the source code with preset words;
replacing target words in classes, functions or fields in the source code with random characters;
and replacing target words in classes, functions or fields in the source code with a random permutation combination of preset characters, wherein the preset characters comprise a plurality of similar characters.
Optionally, the method further comprises:
generating a key pair according to a preset encryption rule, wherein the key pair comprises a public key and a private key;
and encrypting the first file according to the private key to obtain a first ciphertext.
Optionally, before obfuscating the source code according to the configuration information, the method further includes:
acquiring user information, wherein the user information comprises client information for uploading the source code and account information logged in the client;
and judging whether the source code needs to be confused or not according to the user information and the first white list.
Optionally, when the application server is operated in the image container, the method further includes:
judging whether an interface of the application server is legal or not according to the IP address of the application server and a second white list;
calling a verification interface of the dynamic library to verify whether the application software package is legal or not;
and when the interface of the application server and the application software package are both legal, executing the application software package in the mirror image container through the application server.
Optionally, the invoking a verification interface of the dynamic library to verify whether the application software package is legal further includes:
acquiring a public key, a first ciphertext, a first file and a summary file;
verifying whether the first file is correct or not according to the public key and the first ciphertext;
judging whether the class in the application software package is the latest version or not according to the abstract file;
and when the first file is correct and the classes in the application software package are all the latest versions, determining that the application software package is legal.
In a second aspect, the present application provides an application software encryption deployment system, including:
the data warehouse is used for acquiring and storing source codes;
the confusion service module is used for confusing the source codes in the data warehouse to obtain confusion codes;
the packaging service module is used for packaging the obfuscated code to obtain an application software package;
the mirror image service module is used for generating a mirror image container of the application software package, the mirror image container also comprises an application server and a dynamic library, and the application software package is started and executed in the mirror image container through the application server.
Optionally, the obfuscation service module further includes: the system comprises a configuration center, a background service module, a front-end service module and a database;
the configuration center is used for configuring confusion rules;
the background service module is used for obfuscating the source code according to the obfuscating rule to obtain an obfuscated code;
the front-end service module is used for visualizing the confusion process;
the database is used for storing the source code, the obfuscated code and the version information.
In a third aspect, the present application provides a computer-readable storage medium, where a computer program is stored in the computer-readable storage medium, and when at least one processor of the application software encryption deployment system executes the computer program, the application software encryption deployment system executes the application software encryption deployment method in any one of the possible designs of the first aspect and the first aspect.
In a fourth aspect, the present application provides a computer program product, where the computer program product includes a computer program, and when the computer program is executed by at least one processor of the application software encryption deployment system, the application software encryption deployment system executes the application software encryption deployment method in any one of the possible designs of the first aspect and the first aspect.
According to the application software encryption deployment method and system, the server can use the git tool to establish the data warehouse. After the programmer finishes writing the source code, the source code can be uploaded by logging in the git tool. The server may obtain obfuscated configuration information from the configuration center. After the server obtains the obfuscated configuration information, the server may obfuscate the source code using the obfuscated configuration information to obtain an obfuscated code. After the server obtains the obfuscated code, the obfuscated code may be compiled and packaged by using maven to obtain an application software package. After the server obtains the application software package, a docker tool is used for generating a mirror image container of the application software package. Besides the application software package, the mirror image container can also comprise means of an application server and a dynamic library, so that the safety of the application software package is improved, and the effect of avoiding the source code leakage problem caused by reverse analysis of the application software package is achieved.
Drawings
In order to more clearly illustrate the technical solutions in the present application or the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without inventive exercise.
Fig. 1 is a schematic view of a scenario of encryption deployment of application software according to an embodiment of the present application;
fig. 2 is a flowchart of an application encryption deployment method according to an embodiment of the present application;
fig. 3 is a flowchart of another application encryption deployment method according to an embodiment of the present application;
fig. 4 is a flowchart of another encryption deployment method for application software according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of encryption deployment of application software according to an embodiment of the present application.
Detailed Description
To make the purpose, technical solutions and advantages of the present application clearer, the technical solutions in the present application will be clearly and completely described below with reference to the drawings in the present application, and it is obvious that the described embodiments are some, but not all embodiments of the present application. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The terms "first," "second," "third," "fourth," and the like in the description and in the claims of the present application and in the above-described drawings are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the application described herein are, for example, capable of operation in sequences other than those illustrated or otherwise described herein.
Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
In the toB market of the software industry, hardware cost in the software deployment process is greatly reduced for customers by the introduction of SAAS service. The SAAS facilitator is a third party other than the software facilitator and the enterprise customer. The software service provider can complete a series of operations such as deployment, debugging, maintenance, upgrading and the like of application software by using a network infrastructure of the SAAS platform and a software and hardware operation platform. The client can realize the calling of the application software through an interface or an interactive interface provided by the software service provider. In this process, the source code of the application software is held in the hands of the software facilitator.
However, for some customers, the application software must be deployed separately on the customer's internal server or on a private cloud. At this time, after the software service provider deploys the application software on the customer's internal server or private cloud, the software service provider loses monitoring of the source code of the application software. The client can analyze the application software through the reverse attack to obtain the source code of the application software. In particular to application software written by using JAVA language, and a file obtained by compiling the JAVA application software is a byte code file. The byte code file is easier to reversely analyze out a source code compared with a binary file generated by compiling languages such as C/C + +, and the like.
Therefore, for JAVA application software, if not protected, code leakage and security problems caused by modification by malicious persons are easily caused.
In the prior art, a JAVA obfuscator is generally used to implement obfuscation of source codes for this problem. Currently, commonly used JAVA obfuscators include prosuard, alatori, Obfuscate4e, and the like. In the following, ProGuard is taken as an example, which can delete useless classes, fields, methods and properties, can delete useless comments, and can rename already existing classes, fields, methods and properties with a short meaningless name. The programmer may use the ProGuard to obfuscate the source code locally to obtain obfuscated code. After the obfuscation is completed, the programmer can upload the obfuscated code, and then packaging and using the obfuscated code are achieved. However, proguard requires that the program be obfuscated locally. The obfuscation mode does not have complete code version management, so that the code version of a class cannot be determined easily after multiple persons upload the code version. In addition, in the obfuscating mode, each obfuscating of the source code requires manual obfuscating operation by a programmer, so that automatic obfuscating operation cannot be performed, and the obfuscating mode has the problems of inconvenient operation and low automation degree.
In order to solve the problems, the application provides an application software encryption deployment method. The programmer may upload source code to the git repository. And the obfuscation server acquires the source code from the git warehouse and obfuscates the source code according to preset configuration information to obtain an obfuscated code. The obfuscated code is the source code after replacing target words in classes, functions or fields in the source code with other character strings. And the packaging server acquires the obfuscated code, and compiles and packages the obfuscated code by using a maven tool to obtain the application software package. The mirror server generates a mirror container for the application software package. The mirror server also includes an application server tomcat. The application software package may be run in the mirror container via the tomcat implementation. According to the method and the system, the confusion server is arranged in the pipeline process of jenkins, so that the automatic process has a source code confusion function, and automatic confusion is realized.
The technical solution of the present application will be described in detail below with specific examples. The following several specific embodiments may be combined with each other, and details of the same or similar concepts or processes may not be repeated in some embodiments.
Fig. 1 shows a scene schematic diagram of encryption deployment of application software according to an embodiment of the present application. A schematic flow chart of Continuous Integration (CI) is shown. The CI process mainly adopts pipeline of jenkins to carry out process layout. The flow after arrangement mainly comprises 4 nodes. The workflow framework of Pipeline connects the 4 nodes in series to realize the process of encryption deployment of the application software. In this process, the workflow framework first calls the git tool to get the source code. The git tool may be a data warehouse built for an item. The source code data for the project will be stored in the data repository. When the programmer uploads source code to the data warehouse of the git tool, a second node in the workflow framework is triggered. The source code in the data store is sent to the node of the obfuscation service. At the obfuscation service node, the source code is obfuscated using an obfuscation service. Meanwhile, the node of the obfuscation service records the code versions before and after obfuscation and persists. The obfuscation service may include four parts, namely a Web service, a background service, a configuration center and a database. When the source code completes obfuscation at the obfuscation service node, the obfuscated code is sent to the packaging node. The packing node includes a maven tool. The obfuscated code is compiled and packaged by the maven tool. Finally, the packaged application software package is sent to the mirror node. The mirror image node uses docker to generate a mirror image container, and the packaged application software package, the customized tomcat and the so dynamic library are all injected into the mirror image container. Finally, the mirror container is deployed into the K8S cluster and a Continuous Delivery (CD) is implemented. Wherein the so file in the so dynamic library is a binary file. The so file will take over the decryption and verification work during the use of the application software.
In the present application, an electronic device is used as an execution subject, and the application software encryption deployment method according to the following embodiments is executed. In particular, the execution body may be composed of one or more servers. In the following embodiments shown in fig. 2 to 4, the application software encryption deployment method will be described in detail by taking a server as an example.
Fig. 2 shows a flowchart of an application encryption deployment method according to an embodiment of the present application. On the basis of the embodiment shown in fig. 1, as shown in fig. 2, with a server as an execution subject, the method of this embodiment may include the following steps:
and S101, acquiring a source code to be obfuscated.
In this embodiment, the server may use the git tool to build the data warehouse. The data repository may be run in the server. The programmer may complete the writing of the source code in the respective client. After the programmer finishes writing the source code, the source code can be uploaded by logging in the git tool. Where each programmer may have a git account number. When the programmer uploads the source code, the client of the programmer can also upload the terminal information and git account information of the programmer. Or after the programmers finish writing the source codes in respective clients, the programmers can log in jenkins accounts to upload the source codes. One or more programmers may have a jenkins account. When a programmer logs in the pipeline of jenkins by using the jenkins account, a source code can be uploaded in the process node of the pipeline. A git tool may be included in the process node to build a data warehouse.
In one example, the server may also obtain version information for the source code. The version information is used to indicate an updated version of the source code.
S102, the source code is obfuscated according to the configuration information to obtain an obfuscated code, the obfuscated code has the same logic content as the source code, and the obfuscated code is used for preventing the source code from being leaked after the application software package is reversely analyzed.
In this embodiment, the server may obtain obfuscated configuration information from the configuration center. The configuration center may be a visualization interface. The programmer can realize the setting of the configuration information by setting the configuration rule in the configuration center. Wherein, the basic setting can contain replacement rules of classes, functions and variables. For example, replacing a portion of the characters therein, etc. Wherein, the confusion difficulty can be divided into three grades according to the recognizability after the confusion.
In one example, the server may replace a target word in a class, function, or field in the source code with a preset word. This way of word replacement is a low difficulty confusion.
In another example, the server may replace the target word in a class, function, or field in the source code with a random character. This alternative to random characters is a confusion of medium difficulty. When the source code is confused by a difficult confusion mode in use, the source code cannot read meaning even if reversely analyzed. The obfuscation mode can better protect the security of the source code and avoid code leakage.
In another example, the server may replace a target word in a class, a function, or a field in the source code with a random permutation combination of preset characters, where the preset characters include a plurality of similar characters. This alternative to randomly arranged combinations is subject to high difficulty confusion. The preset characters can be characters with high similarity such as 'O', 'O', and '0', and the characters are fuzzy and not easy to distinguish. After the high-difficulty confusion mode is used for confusion, the source code cannot distinguish characters even if the source code is reversely analyzed. The confusion mode can increase the understanding difficulty to the greatest extent, can well protect the security of the source code and avoid code leakage.
After the server obtains the obfuscated configuration information, the server may obfuscate the source code using the obfuscated configuration information to obtain an obfuscated code. The obfuscated code has the same logical content as the source code. The logical content may include functional logic, interactive logic, and the like. And the application software package packed by using the confusion code cannot correctly interpret the meaning even if the application software package is reversely analyzed.
S103, packaging the obfuscated codes to obtain an application software package, wherein the application software package comprises a first file, a summary file and the obfuscated codes, and the first file comprises a class archive file or a Web application program.
In this embodiment, after the server obtains the obfuscated code, the obfuscated code may be compiled and packaged by using maven to obtain the application software package. The application software package may include a first file, a digest file, and obfuscated code. The first file comprises an archive file (jar package) or a Web application program (war package) of the class. The use of the jar or war package is determined by the item in which the source code is located. The summary file includes summary information of the obfuscated class file. The summary information includes a class name and version information of the class. The obfuscated code is compiled obfuscated code.
In one example, the digest file is obtained by performing digest calculation on each class file by using a digest algorithm. The digest algorithm may be configured in a configuration file. Meanwhile, in order to avoid tampering of the digest algorithm during running, the server may also encrypt the digest algorithm using the MD5 algorithm. The MD5 algorithm is used for ensuring the safe generation of the summary file, thereby improving the effectiveness of the summary file.
And S104, generating a mirror image container according to the application software package, wherein the mirror image container comprises the application software package, an application server and a dynamic library, and the application server is used for running the application software package in the mirror image container.
In this embodiment, after acquiring the application software package, the server generates a mirror image container of the application software package by using a docker tool. The mirror container may include an application server and a dynamic library in addition to the application software package. Where the application server is a customized tomcat. The tomcat is used to run the application package. The customized tomcat has a customized LifecycleListener interface. When tomcat starts, the lifecycllistener interface will start its listener, entering observer mode. Wherein, the dynamic library is a so dynamic library. Because the internal memory address of the so dynamic library is random when the so dynamic library is loaded, the safety of the application software package can be greatly improved, and the source code is prevented from being reversely analyzed.
According to the application software encryption deployment method, a data warehouse is established by using a git tool; logging in the git tool to upload a source code; obtaining obfuscated configuration information from a configuration center; obfuscating the source code by using the obfuscation configuration information to obtain an obfuscated code; compiling and packaging the obfuscated code by using maven to obtain an application software package; and generating a mirror container of the application software package by using a docker tool, wherein the mirror container comprises the application and the dynamic library besides the application software package. In the application, the source code is obfuscated in the source code management process by adding the obfuscating step to the pipeline process of jenkins, so that the safety of the application software package is improved, and the problem of source code leakage caused by reverse analysis of the application software package is avoided.
Fig. 3 shows a flowchart of an application encryption deployment method according to an embodiment of the present application. On the basis of the embodiments shown in fig. 1 and fig. 2, as shown in fig. 3, in order to execute the main body, the method of the present embodiment may include the following steps:
s201, obtaining a source code to be obfuscated.
Step S201 is similar to the step S101 in the embodiment of fig. 2, and this embodiment is not described herein again.
S202, user information is obtained, wherein the user information comprises client information of uploading source codes and account information logged in the client.
In this embodiment, the programmer may upload the source code to the server through an application program of its client. When the server acquires the source code uploaded by the client, the server can also acquire user information. The user information may include client information and account information that the user logs in an application of the client.
In one example, the application of the client may be bound to the client. That is, when a programmer uploads source code using the client, the server may determine its corresponding programmer from the client information. The method can bind the authority with the client, and irrelevant personnel can not log in the data warehouse through other clients to acquire relevant information of the project.
In another example, the programmer needs to log in the application program of the client, and then upload the source code. The server can determine the programmer corresponding to the source code according to the account information logged in the application program of the client. The method can bind the authority with the programmer, and irrelevant personnel cannot log in the data warehouse by using the account number of the irrelevant personnel to acquire the relevant information of the project.
In yet another example, a programmer may log in to the client using the jenkins account. The jenkins account number may be commonly held by one or more programmers. When a programmer needs to upload a source code on a client side of the programmer, the programmer needs to log in the application program by using the jenkins account, and then uploading of the source code is achieved. The server may obtain client information and account information of the client. According to the method, the permission and the jenkins account can be bound, and irrelevant personnel cannot know the jenkins account, so that the possibility that irrelevant personnel log in the data warehouse and acquire relevant information of a project is avoided.
S203, judging whether the source code needs to be mixed up or not according to the user information and the first white list.
In this embodiment, the server may include a first white list. The first white list comprises client information and/or account information. And the server judges whether the client information and/or the account information in the user information are in the first white list. When the user information is in the first white list, the server determines that the source code needs to be obfuscated. When the user information is not in the first whitelist, the server determines that the source code does not need to be obfuscated.
In the above process, the server realizes authentication and certification through the first white list. That is, when the user information is in the first white list, the authentication is successful. Otherwise, authentication fails. The use of the authentication in the pipeline process can prevent people unrelated to the project from acquiring the related information of the project. Meanwhile, the use of the authentication can manage the authority of a programmer, and can effectively avoid misoperation in the production process of the project.
S204, the source code is obfuscated according to the configuration information to obtain an obfuscated code, the obfuscated code has the same logic content as the source code, and the obfuscated code is used for preventing the source code from being leaked after the application software package is reversely analyzed.
S205, packaging the obfuscated codes to obtain an application software package, wherein the application software package comprises a first file, a summary file and the obfuscated codes, and the first file comprises a class archive file or a Web application program.
Steps S204 and S205 are similar to steps S102 and S103 in the embodiment of fig. 2, and are not described again in this embodiment.
S206, generating a key pair according to a preset encryption rule, wherein the key pair comprises a public key and a private key.
In this embodiment, the server may generate a key pair according to a preset encryption rule. The preset encryption rules may be configured in a configuration center of the server. The default preset encryption algorithm may be RSA1024 asymmetric encryption algorithm. The key pair may include a private key and a public key. The RSA algorithm key length is selected as a result of balance between security and program performance, and the longer the key length is, the better the security is, and the longer the time required for encryption and decryption is. RSA1024 refers to a public key and a private key each having 1024 bits (128 bytes). The length of the content which can be encrypted once by a1024 bit key is 117 bytes.
After the server generates the key pair, the public key therein will be saved in the dynamic library of the mirror container of S208. When decryption is needed, the mirror container decrypts the first ciphertext through the dynamic library by using the public key.
S207, encrypting the first file according to the private key to obtain a first ciphertext.
In this embodiment, after acquiring the key pair, the server encrypts the first file using a private key therein. Wherein, the first file comprises a jar package or a war package of the application software. And the server encrypts the jar packet or the war packet by using a private key to obtain a first ciphertext. The first ciphertext may be stored in the mirrored container generated in S208.
And S208, generating a mirror image container according to the application software package, wherein the mirror image container comprises the application software package, an application server and a dynamic library, and the application server is used for running the application software package in the mirror image container.
Step S208 is similar to the step S104 in the embodiment of fig. 2, and details of this embodiment are not repeated here.
According to the application software encryption deployment method, the server obtains the source code to be obfuscated. When the server acquires the source code uploaded by the client, the server can also acquire user information. The user information may include client information and account information that the user logs in an application of the client. The first white list may be included in the server. And the server judges whether the client information and/or the account information in the user information are/is in the first white list, so that authentication is realized. And the server obfuscates the source code according to the configuration information to obtain an obfuscated code. And the server packs the obfuscated codes to obtain the application software package. The server may generate a key pair according to a preset encryption rule. And after obtaining the key pair, the server encrypts the first file by using a private key in the key pair. And the server generates a mirror image container according to the application software package. In the application, the safety management of the confusion process is realized through authentication and encryption, and the safety of the pipeline process is improved.
On the basis of the above embodiments, the present embodiment can also save the source code, the obfuscated code, and the version information after obfuscating the source code, so as to implement version management of the obfuscated code. According to the application software encryption deployment method, the source code, the obfuscated code and the version information are obtained and stored, so that the historical information of each version can be retrieved, and version management of the source code and the obfuscated code is achieved.
Fig. 4 shows a flowchart of an application encryption deployment method according to an embodiment of the present application. On the basis of the embodiments shown in fig. 1 to fig. 3, as shown in fig. 4, after a server generates a mirror container and deploys the mirror container to a K8S cluster, taking a certain server in the K8S cluster as an execution subject, a running process of the application software package in the mirror container may include the following steps:
s301, judging whether the interface of the application server is legal or not according to the IP address of the application server and the second white list.
In this embodiment, the application server is a Web application server in the image container. The application server may be tomcat. The tomcat is used to run the application software package in the mirror container. The tomcat has a custom lifecyclylistener interface. When tomcat starts, tomcat may call JAVA Native Interface (JNI) of the dynamic library for authentication.
And after the authentication process is started, the dynamic library acquires a pre-stored second white list. The second whitelist includes one or more IP addresses. The customized tomcat is configured with a fixed IP address. The dynamic library may obtain the IP address of the tomcat. The dynamic library compares the IP address to IP addresses in the second whitelist. When the IP address is within the second whitelist range, the dynamic library determines that tomcat is a legitimate application server. Otherwise, the dynamic library determines that the application server is not legitimate. At this point, the dynamic library may end the launch of the next tomcat. The use of the authentication process can effectively prevent the application software package in the mirror image container from running in other tomcat after being extracted, thereby reducing the possibility of reverse analysis.
In one example, a third white list may also be stored in the dynamic library. The third white list includes one or more mirrored container identifications. When the application server is started, the dynamic library may obtain the mirror container identification of the mirror container. The dynamic library compares the mirrored container identification with mirrored container identifications in a third white list. When the application server runs in the mirror container allowed by the third white list, the authentication is successful. Otherwise, the authentication fails. When authentication fails, the dynamic library may end the start of the tomcat. The use of the authentication process can effectively avoid the application software package in the mirror image container from being used in other environments after being copied. The authentication process may also effectively avoid the mirror container from being unreasonably duplicated.
S302, calling a verification interface of the dynamic library to verify whether the application software package is legal or not.
In this embodiment, the dynamic library may also call a verification interface to verify information in the application software package, thereby ensuring the security of the information of the application software package.
In one example, the verification process specifically includes:
step 1, obtaining a public key, a first ciphertext, a first file and a summary file.
In this step, the dynamic library may obtain the public key, the first ciphertext, the first file, and the digest file from the mirror image container or the dynamic library.
And 2, verifying whether the first file is correct or not according to the public key and the first ciphertext.
In this step, the dynamic library encrypts the first file by using the public key to obtain a second ciphertext. The dynamic library compares the first ciphertext with the second ciphertext. And when the first ciphertext is consistent with the second ciphertext, the dynamic library determines that the first file is a correct first file. Otherwise the dynamic library determines that the first file is in error.
And 3, judging whether the class in the application software package is the latest version or not according to the summary file.
In this step, after the dynamic library acquires the summary file, the class file in the summary file is verified. The dynamic library determines whether each class file is the latest version of the class file. And when each class file in the summary file is the latest version, the dynamic library determines that the application software package is the latest version of the application software package. Otherwise, the dynamic library determines that the application package is not the latest version of the application package.
And 4, when the first file is correct and the classes in the application software package are all the latest versions, determining that the application software package is legal.
In this step, when the dynamic library determines that the first file is the correct first file and the application software package is the latest application software package, the dynamic library determines that the application software package is the valid application software package. When the application package is an illegal application package, the dynamic library may end the start of the tomcat.
And S303, when the interface of the application server and the application software package are legal, executing the application software package in the mirror image container.
In this embodiment, when it is determined that both the interface of the application server and the application software package are valid after the dynamic library is determined, the application server loads the class file in the dynamic library and executes the application software package.
According to the application software encryption deployment method, the application server is the Web application server in the mirror image container. The application server may be tomcat. When tomcat starts, tomcat may call JNI of the dynamic library for authentication. When the IP address is within the second whitelist range, the dynamic library determines that tomcat is a legitimate application server. Otherwise, the dynamic library determines that the application server is not legitimate. The dynamic library may also validate information in the application software package. And when the interface of the application server and the application software package are determined to be legal after the dynamic library is judged, the application server loads the class file in the dynamic library and executes the application software package. According to the application, the application software package is further improved in safety by performing authentication and verification when the application server runs, the application software package can be effectively prevented from being replaced, and meanwhile, the application software package can be effectively prevented from running in an unsafe environment.
Fig. 5 shows a schematic structural diagram of an application software encryption deployment system according to an embodiment of the present application, and as shown in fig. 5, an application software encryption deployment system 10 according to this embodiment is used to implement an operation corresponding to an electronic device in any one of the method embodiments described above, where the application software encryption deployment system 10 according to this embodiment includes: a data warehouse 11, an obfuscation service module 12, a packaging service module 13, and a mirroring service module 14.
The data warehouse 11 is used for acquiring and storing source codes. The data warehouse may be running in a first server. And the programmer logs in the data warehouse at the client to realize the uploading of the source code.
The obfuscation service module 12 is configured to obfuscate the source code in the data warehouse to obtain an obfuscated code.
In one example, the obfuscation service module 12 may specifically include a configuration center 121, a back-end service module 122, a front-end service module 123, and a database 124.
The configuration center 121 is used for configuring the obfuscation rule. The configuration center may include a front-end interface. The programmer may select or enter obfuscation rules through the front-end interface. The configuration center can also be used for configuring a digest algorithm and a preset encryption algorithm.
The background service module is used for obfuscating the source code according to the obfuscation rule to obtain an obfuscated code. The background service module may also be used for authentication.
The front-end service module is used for visualizing the confusion process. For example, visualization configures obfuscation rules, presents information before and after obfuscation of different versions of code, compares code before and after obfuscation, and so on.
Wherein the database is used for storing the source code, the obfuscated code and the version information. The database may also compute a summary file using a summarization algorithm for each obfuscated code. The database may also hold public and private keys of the RSA1024 algorithm that randomly generates jar or war packets.
The packaging service module is used for packaging the obfuscated codes to obtain the application software package. The packaging server module mainly uses a maven tool to realize the packaging of the obfuscated code.
The mirror image service module is used for generating a mirror image container of the application software package, the mirror image container also comprises an application server and a dynamic library, and the application software package is started and executed in the mirror image container through the application server. The mirror service module mainly uses docker to realize the generation of the mirror container.
In this embodiment, the modules may be physically separated, for example, installed at different positions of one device, or installed on different devices, or distributed on multiple network units, or distributed on multiple processors. Alternatively, the modules may be integrated, for example, installed in the same device, or integrated into a set of codes. The respective modules may exist in the form of hardware, or may also exist in the form of software, or may also be implemented in the form of software plus hardware.
The present application also provides a computer-readable storage medium. When the respective modules are integrated together in the form of software functional modules, the respective functional modules may be stored in the computer-readable storage medium. The software functional modules include computer programs for enabling a computer device (which may be a personal computer, a server, or a network device) or a processor to execute part of the steps of the methods according to the embodiments of the present application.
The computer-readable storage medium may be a computer storage medium or a communication medium. Communication media includes any medium that facilitates transfer of a computer program from one place to another. Computer storage media may be any available media that can be accessed by a general purpose or special purpose computer. For example, a computer readable storage medium is coupled to the processor such that the processor can read information from, and write information to, the computer readable storage medium. Of course, the computer readable storage medium may also be integral to the processor. The processor and the computer-readable storage medium may reside in an Application Specific Integrated Circuit (ASIC). Additionally, the ASIC may reside in user equipment. Of course, the processor and the computer-readable storage medium may also reside as discrete components in a communication device.
In particular, the computer-readable storage medium may be implemented by any type of volatile or non-volatile Memory device or combination thereof, such as Static Random-Access Memory (SRAM), Electrically-Erasable Programmable Read-Only Memory (EEPROM), Erasable Programmable Read-Only Memory (EPROM), Programmable Read-Only Memory (PROM), Read-Only Memory (ROM), magnetic Memory, flash Memory, magnetic disk, or optical disk. A storage media may be any available media that can be accessed by a general purpose or special purpose computer.
The present application also provides a computer program product comprising a computer program stored in a computer readable storage medium. The computer program can be read by at least one processor of the device from a computer-readable storage medium, and execution of the computer program by the at least one processor causes the device to implement the methods provided by the various embodiments described above.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, a division of modules is merely a division of logical functions, and an actual implementation may have another division, for example, a plurality of modules may be combined or may be integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or modules, and may be in an electrical, mechanical or other form.
It should be understood that, although the respective steps in the flowcharts in the above-described embodiments are sequentially shown as indicated by arrows, the steps are not necessarily performed sequentially as indicated by the arrows. The steps are not performed in the exact order shown and may be performed in other orders unless explicitly stated herein. Moreover, at least some of the steps in the figures may include multiple sub-steps or multiple stages that are not necessarily performed at the same time, but may be performed at different times, in different orders, and may be performed alternately or at least partially with respect to other steps or sub-steps of other steps.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solutions of the present application, and not to limit the same. Although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: it is also possible to modify the solutions described in the previous embodiments or to substitute some or all of them with equivalents. And the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present application.

Claims (10)

1. An application software encryption deployment method, characterized in that the method comprises:
acquiring a source code to be obfuscated;
obfuscating the source code according to the configuration information to obtain an obfuscated code, wherein the obfuscated code has the same logic content as the source code, and is used for preventing the source code from being leaked after the application software package is reversely analyzed;
packaging the obfuscated codes to obtain an application software package, wherein the application software package comprises a first file, a summary file and the obfuscated codes, and the first file comprises a class filing file or a Web application program;
and generating a mirror image container according to the application software package, wherein the mirror image container comprises the application software package, an application server and a dynamic library, and the application server is used for operating the application software package in the mirror image container.
2. The encryption deployment method for application software according to claim 1, wherein the obfuscating the source code according to the configuration information to obtain an obfuscated code includes at least one of:
replacing target words in classes, functions or fields in the source code with preset words;
replacing target words in classes, functions or fields in the source code with random characters;
and replacing target words in classes, functions or fields in the source code with a random permutation combination of preset characters, wherein the preset characters comprise a plurality of similar characters.
3. The application software encryption deployment method according to claim 1 or 2, further comprising:
generating a key pair according to a preset encryption rule, wherein the key pair comprises a public key and a private key;
and encrypting the first file according to the private key to obtain a first ciphertext.
4. The encryption deployment method for application software according to claim 1 or 2, wherein before obfuscating the source code according to the configuration information, the method further comprises:
acquiring user information, wherein the user information comprises client information for uploading the source code and account information logged in the client;
and judging whether the source code needs to be confused or not according to the user information and the first white list.
5. The application software encryption deployment method according to any one of claim 3, wherein when the application server is running in the mirror container, the method further comprises:
judging whether an interface of the application server is legal or not according to the IP address of the application server and a second white list;
calling a verification interface of the dynamic library to verify whether the application software package is legal or not;
and when the interface of the application server and the application software package are both legal, executing the application software package in the mirror image container through the application server.
6. The method for encrypted deployment of application software according to claim 5, wherein the invoking the verification interface of the dynamic library to verify whether the application software package is legitimate further comprises:
acquiring a public key, a first ciphertext, a first file and a summary file;
verifying whether the first file is correct or not according to the public key and the first ciphertext;
judging whether the class in the application software package is the latest version or not according to the abstract file;
and when the first file is correct and the classes in the application software package are all the latest versions, determining that the application software package is legal.
7. An application software encryption deployment system, the system comprising: the system comprises a data warehouse, an obfuscation service module, a packaging service module and a mirror image service module;
the data warehouse is used for acquiring and storing source codes;
the confusion service module is used for confusing the source codes in the data warehouse to obtain confusion codes;
the packaging service module is used for packaging the obfuscated code to obtain an application software package;
the mirror image service module is used for generating a mirror image container of the application software package, the mirror image container also comprises an application server and a dynamic library, and the application software package is started and executed in the mirror image container through the application server.
8. The application software encryption deployment system of claim 7 wherein the obfuscation service module further comprises: the system comprises a configuration center, a background service module, a front-end service module and a database;
the configuration center is used for configuring confusion rules;
the background service module is used for obfuscating the source code according to the obfuscating rule to obtain an obfuscated code;
the front-end service module is used for visualizing the confusion process;
the database is used for storing the source code, the obfuscated code and the version information.
9. A computer-readable storage medium, in which a computer program is stored, which, when being executed by a processor, is adapted to implement the application software encryption deployment method according to any one of claims 1 to 6.
10. A computer program product, characterized in that it comprises a computer program which, when executed by a processor, implements the application software cryptographic deployment method of any one of claims 1 to 6.
CN202110673404.7A 2021-06-17 2021-06-17 Application software encryption deployment method and system Pending CN113760294A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110673404.7A CN113760294A (en) 2021-06-17 2021-06-17 Application software encryption deployment method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110673404.7A CN113760294A (en) 2021-06-17 2021-06-17 Application software encryption deployment method and system

Publications (1)

Publication Number Publication Date
CN113760294A true CN113760294A (en) 2021-12-07

Family

ID=78787459

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110673404.7A Pending CN113760294A (en) 2021-06-17 2021-06-17 Application software encryption deployment method and system

Country Status (1)

Country Link
CN (1) CN113760294A (en)

Similar Documents

Publication Publication Date Title
CN110968844B (en) Software authorization method in off-line state, server and readable storage medium
KR101265099B1 (en) A Method For Software Security Treatment And A Storage Medium
KR102433011B1 (en) Method of apk file protection, apk file protection system performing the same, and storage medium storing the same
CN108363580A (en) Application program installation method, device, computer equipment and storage medium
CN103530535A (en) Shell adding and removing method for Android platform application program protection
US10482221B2 (en) Protecting a computer program against reverse engineering
CN113010856A (en) Dynamic asymmetric encryption and decryption JavaScript code obfuscation method and system
US20110271350A1 (en) method for protecting software
CN109992987B (en) Script file protection method and device based on Nginx and terminal equipment
CN111639306A (en) Offline software authorization method, device, equipment and storage medium
CN106326691B (en) Encryption and decryption function realization method and device and server
CN110826031A (en) Encryption method, device, computer equipment and storage medium
KR20160020294A (en) Method and system for providing application security service based on cloud
CN110210188A (en) Code encryption method, apparatus, equipment and storage medium under Spring frame
CN114547558A (en) Authorization method, authorization control method and device, equipment and medium
JP4664055B2 (en) Program dividing device, program executing device, program dividing method, and program executing method
CN107257282B (en) Code full-package encryption method based on RC4 algorithm
Catuogno et al. Secure dependency enforcement in package management systems
CN109784072B (en) Security file management method and system
CN113515726B (en) Method and device for preventing enterprise product authorization file from leaking
CN114547653B (en) Encryption method, decryption method, device, equipment and medium for development environment
CN113760294A (en) Application software encryption deployment method and system
CN115391750A (en) Algorithm authorization method and device, electronic equipment and storage medium
KR101907846B1 (en) Apparatus, method for encryption using dependency integrity check of androids and other similar systems
CN112817615A (en) File processing method, device, system and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination