refactor: 重构trustlog-sdk目录结构到trustlog/go-trustlog

- 将所有trustlog-sdk文件移动到trustlog/go-trustlog/目录 - 更新README中所有import路径从trustlog-sdk改为go-trustlog - 更新cookiecutter配置文件中的项目名称 - 更新根目录.lefthook.yml以引用新位置的配置 - 添加go.sum文件到版本控制 - 删除过时的示例文件这次重构与trustlog-server保持一致的目录结构，为未来支持多语言SDK（Python、Java等）预留空间。
2025-12-22 13:37:57 +08:00
commit d313449c5c
87 changed files with 20622 additions and 0 deletions
--- a/api/model/envelope_debug_test.go
+++ b/api/model/envelope_debug_test.go
@@ -0,0 +1,215 @@
+package model_test
+
+import (
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"go.yandata.net/iod/iod/trustlog-sdk/api/model"
+)
+
+// TestSignVerifyDataConsistency 详细测试加签和验签的数据一致性.
+func TestSignVerifyDataConsistency(t *testing.T) {
+	t.Parallel()
+
+	// 生成SM2密钥对
+	keyPair, err := model.GenerateSM2KeyPair()
+	require.NoError(t, err)
+
+	// 序列化为DER格式
+	privateKeyDER, err := model.MarshalSM2PrivateDER(keyPair.Private)
+	require.NoError(t, err)
+
+	publicKeyDER, err := model.MarshalSM2PublicDER(keyPair.Public)
+	require.NoError(t, err)
+
+	// 创建签名器
+	signer := model.NewSM2Signer(privateKeyDER, publicKeyDER)
+
+	// 测试数据1
+	testData1 := []byte("test data for signing")
+
+	// 测试数据2（不同数据）
+	testData2 := []byte("different test data")
+
+	// 1. 对testData1签名
+	signature1, err := signer.Sign(testData1)
+	require.NoError(t, err)
+	require.NotNil(t, signature1)
+
+	// 2. 用testData1验证signature1 - 应该成功
+	valid, err := signer.Verify(testData1, signature1)
+	require.NoError(t, err)
+	assert.True(t, valid, "使用相同数据验证应该成功")
+
+	// 3. 用testData2验证signature1 - 应该失败
+	valid, err = signer.Verify(testData2, signature1)
+	require.Error(t, err, "使用不同数据验证应该失败")
+	assert.Contains(t, err.Error(), "signature verification failed")
+	assert.False(t, valid)
+
+	// 4. 对testData2签名
+	signature2, err := signer.Sign(testData2)
+	require.NoError(t, err)
+	require.NotNil(t, signature2)
+
+	// 5. 用testData2验证signature2 - 应该成功
+	valid, err = signer.Verify(testData2, signature2)
+	require.NoError(t, err)
+	assert.True(t, valid, "使用相同数据验证应该成功")
+
+	// 6. 用testData1验证signature2 - 应该失败
+	valid, err = signer.Verify(testData1, signature2)
+	require.Error(t, err, "使用不同数据验证应该失败")
+	assert.Contains(t, err.Error(), "signature verification failed")
+	assert.False(t, valid)
+
+	t.Logf("测试完成：签名和验证逻辑正常")
+}
+
+// TestEnvelopeBodyTampering 测试修改envelope body后验签应该失败.
+func TestEnvelopeBodyTampering(t *testing.T) {
+	t.Parallel()
+
+	// 生成SM2密钥对
+	keyPair, err := model.GenerateSM2KeyPair()
+	require.NoError(t, err)
+
+	// 序列化为DER格式
+	privateKeyDER, err := model.MarshalSM2PrivateDER(keyPair.Private)
+	require.NoError(t, err)
+
+	publicKeyDER, err := model.MarshalSM2PublicDER(keyPair.Public)
+	require.NoError(t, err)
+
+	// 创建签名配置
+	signConfig := model.NewSM2EnvelopeConfig(privateKeyDER, publicKeyDER)
+	verifyConfig := model.NewSM2VerifyConfig(publicKeyDER)
+
+	// 创建测试Operation
+	op := &model.Operation{
+		OpID:         "op-test-002",
+		Timestamp:    time.Now(),
+		OpSource:     model.OpSourceIRP,
+		OpType:       model.OpTypeOCCreateHandle,
+		DoPrefix:     "test",
+		DoRepository: "repo",
+		Doid:         "test/repo/456",
+		ProducerID:   "producer-2",
+		OpActor:      "actor-2",
+	}
+
+	err = op.CheckAndInit()
+	require.NoError(t, err)
+
+	// 1. 加签：序列化为Envelope
+	envelopeData, err := model.MarshalOperation(op, signConfig)
+	require.NoError(t, err)
+	require.NotNil(t, envelopeData)
+
+	// 2. 验签：验证原始Envelope - 应该成功
+	verifiedEnv, err := model.VerifyEnvelopeWithConfig(envelopeData, verifyConfig)
+	require.NoError(t, err)
+	require.NotNil(t, verifiedEnv)
+
+	// 3. 反序列化获取原始body
+	originalEnv, err := model.UnmarshalEnvelope(envelopeData)
+	require.NoError(t, err)
+	originalBody := originalEnv.Body
+	originalSignature := originalEnv.Signature
+
+	t.Logf("原始body长度: %d", len(originalBody))
+	t.Logf("原始签名长度: %d", len(originalSignature))
+
+	// 4. 创建修改后的body（完全不同的数据）
+	modifiedBody := []byte("completely different body content")
+	require.NotEqual(t, originalBody, modifiedBody, "修改后的body应该不同")
+
+	// 5. 创建修改后的envelope（使用原始签名但修改body）
+	modifiedEnv := &model.Envelope{
+		ProducerID: originalEnv.ProducerID,
+		Signature:  originalSignature, // 使用原始签名
+		Body:       modifiedBody,      // 使用修改后的body
+	}
+	modifiedData, err := model.MarshalEnvelope(modifiedEnv)
+	require.NoError(t, err)
+
+	// 6. 验签修改后的envelope - 应该失败
+	_, err = model.VerifyEnvelopeWithConfig(modifiedData, verifyConfig)
+	require.Error(t, err, "修改body后验签应该失败")
+	assert.Contains(t, err.Error(), "signature verification failed")
+
+	t.Logf("测试完成：修改body后验签正确失败")
+}
+
+// TestEnvelopeSignatureTampering 测试修改envelope signature后验签应该失败.
+func TestEnvelopeSignatureTampering(t *testing.T) {
+	t.Parallel()
+
+	// 生成SM2密钥对
+	keyPair, err := model.GenerateSM2KeyPair()
+	require.NoError(t, err)
+
+	// 序列化为DER格式
+	privateKeyDER, err := model.MarshalSM2PrivateDER(keyPair.Private)
+	require.NoError(t, err)
+
+	publicKeyDER, err := model.MarshalSM2PublicDER(keyPair.Public)
+	require.NoError(t, err)
+
+	// 创建签名配置
+	signConfig := model.NewSM2EnvelopeConfig(privateKeyDER, publicKeyDER)
+	verifyConfig := model.NewSM2VerifyConfig(publicKeyDER)
+
+	// 创建测试Operation
+	op := &model.Operation{
+		OpID:         "op-test-003",
+		Timestamp:    time.Now(),
+		OpSource:     model.OpSourceIRP,
+		OpType:       model.OpTypeOCCreateHandle,
+		DoPrefix:     "test",
+		DoRepository: "repo",
+		Doid:         "test/repo/789",
+		ProducerID:   "producer-3",
+		OpActor:      "actor-3",
+	}
+
+	err = op.CheckAndInit()
+	require.NoError(t, err)
+
+	// 1. 加签：序列化为Envelope
+	envelopeData, err := model.MarshalOperation(op, signConfig)
+	require.NoError(t, err)
+
+	// 2. 反序列化获取原始signature
+	originalEnv, err := model.UnmarshalEnvelope(envelopeData)
+	require.NoError(t, err)
+	originalSignature := originalEnv.Signature
+
+	// 3. 创建修改后的signature（完全不同的数据）
+	modifiedSignature := make([]byte, len(originalSignature))
+	copy(modifiedSignature, originalSignature)
+	// 修改最后一个字节
+	if len(modifiedSignature) > 0 {
+		modifiedSignature[len(modifiedSignature)-1] ^= 0xFF
+	}
+	require.NotEqual(t, originalSignature, modifiedSignature, "修改后的signature应该不同")
+
+	// 4. 创建修改后的envelope（使用原始body但修改signature）
+	modifiedEnv := &model.Envelope{
+		ProducerID: originalEnv.ProducerID,
+		Signature:  modifiedSignature, // 使用修改后的signature
+		Body:       originalEnv.Body,  // 使用原始body
+	}
+	modifiedData, err := model.MarshalEnvelope(modifiedEnv)
+	require.NoError(t, err)
+
+	// 5. 验签修改后的envelope - 应该失败
+	_, err = model.VerifyEnvelopeWithConfig(modifiedData, verifyConfig)
+	require.Error(t, err, "修改signature后验签应该失败")
+	assert.Contains(t, err.Error(), "signature verification failed")
+
+	t.Logf("测试完成：修改signature后验签正确失败")
+}