diff --git a/Bookworm-OneClick-Mac.sh b/Bookworm-OneClick-Mac.sh
index 06edcce..6a55d13 100644
--- a/Bookworm-OneClick-Mac.sh
+++ b/Bookworm-OneClick-Mac.sh
@@ -239,16 +239,29 @@ $k=$v"
 success "凭证已缓存至今日 23:59 (下次免密)" || true
 }
+ # 解密工具: 优先 node crypto-helper.js (BWENC1 格式), 回退 openssl
+ CRYPTO_HELPER="$BOOT_DIR/crypto-helper.js"
+ _do_decrypt() {
+ local pass="$1" enc="$2"
+ if command -v node &>/dev/null && [ -f "$CRYPTO_HELPER" ]; then
+ node "$CRYPTO_HELPER" decrypt "$pass" "$enc" 2>/dev/null
+ elif [ -n "$OPENSSL_CMD" ]; then
+ $OPENSSL_CMD enc -aes-256-cbc -d -pbkdf2 -iter 600000 -in "$enc" -pass pass:"$pass" 2>/dev/null
+ else
+ return 1
+ fi
+ }
+
 # 解密凭证 (先查缓存)
 SECRETS_ENC="$BOOT_DIR/secrets.enc"
 if _kc_load 2>/dev/null; then
 : # 缓存命中
- elif [ -f "$SECRETS_ENC" ] && [ -n "$OPENSSL_CMD" ]; then
+ elif [ -f "$SECRETS_ENC" ]; then
 echo ""
 for attempt in 1 2 3; do
 read -rs -p " 输入主密码解密凭证 (第 $attempt/3 次): " PASSWORD
 echo ""
- DECRYPTED=$($OPENSSL_CMD enc -aes-256-cbc -d -pbkdf2 -iter 600000 -in "$SECRETS_ENC" -pass pass:"$PASSWORD" 2>/dev/null) || true
+ DECRYPTED=$(_do_decrypt "$PASSWORD" "$SECRETS_ENC") || true
 PASSWORD=""
 if [ -n "$DECRYPTED" ]; then
 while IFS= read -r line; do
diff --git a/Bookworm-Setup.sh b/Bookworm-Setup.sh
index 58a735a..15c347e 100644
--- a/Bookworm-Setup.sh
+++ b/Bookworm-Setup.sh
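Review bot: `_do_decrypt` puts the master password on a child process's command line in both branches — `node "$CRYPTO_HELPER" decrypt "$pass" "$enc"` and `-pass pass:"$pass"` — so for the duration of the decryption it is visible in local process listings, and the later `PASSWORD=""` cannot undo that exposure. For the openssl branch the fix is to feed it on stdin, `printf '%s' "$pass" | $OPENSSL_CMD enc -aes-256-cbc -d -pbkdf2 -iter 600000 -in "$enc" -pass stdin 2>/dev/null`; the node helper would need an equivalent stdin or environment input, which this commit does not add. The same argv pattern appears in `_decrypt_secrets` in the Bookworm-Setup.sh hunk and in the `& node $cryptoHelper decrypt $password $SecretsEnc` line of the second auto-setup.ps1 hunk. The openssl exposure pre-dates this change, but now that both paths go through one helper it is the natural place to close it.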
@@ -261,16 +261,29 @@ $k=$v"
 warn "Keychain 缓存失败 (不影响使用)"
 }
+# 解密工具: 优先 node crypto-helper.js (BWENC1 格式), 回退 openssl
+CRYPTO_HELPER="$BOOT_DIR/crypto-helper.js"
+_decrypt_secrets() {
+ local pass="$1" enc="$2"
+ if command -v node &>/dev/null && [ -f "$CRYPTO_HELPER" ]; then
+ node "$CRYPTO_HELPER" decrypt "$pass" "$enc" 2>/dev/null
+ elif [ -n "$OPENSSL_CMD" ]; then
+ $OPENSSL_CMD enc -aes-256-cbc -d -pbkdf2 -iter 600000 -in "$enc" -pass pass:"$pass" 2>/dev/null
+ else
+ return 1
+ fi
+}
+
 # 先尝试缓存
 if load_cached_secrets 2>/dev/null; then
 : # 缓存加载成功
-elif [ -f "$SECRETS_ENC" ] && [ -n "$OPENSSL_CMD" ]; then
+elif [ -f "$SECRETS_ENC" ]; then
 DECRYPTED=""
 for attempt in 1 2 3; do
 echo ""
 read -rs -p " 输入主密码解密凭证 (第 $attempt/3 次): " PASSWORD
 echo ""
- DECRYPTED=$($OPENSSL_CMD enc -aes-256-cbc -d -pbkdf2 -iter 600000 -in "$SECRETS_ENC" -pass pass:"$PASSWORD" 2>/dev/null) || true
+ DECRYPTED=$(_decrypt_secrets "$PASSWORD" "$SECRETS_ENC") || true
 PASSWORD=""
 if [ -n "$DECRYPTED" ]; then
 while IFS= read -r line; do
diff --git a/auto-setup.ps1 b/auto-setup.ps1
index d71b255..6256448 100644
--- a/auto-setup.ps1
+++ b/auto-setup.ps1
@@ -531,7 +531,12 @@ if (Get-CachedSecrets) {
 $secretsDecrypted = $true
 }
 # 再解密
-elseif ((Test-Path $SecretsEnc) -and $opensslCmd) {
+$cryptoHelper = Join-Path $ScriptDir "crypto-helper.js"
+$useNode = (Test-Cmd "node") -and (Test-Path $cryptoHelper)
+if (-not $useNode -and -not $opensslCmd) {
+ Log-Fail "无解密工具 (需要 Node.js 或 OpenSSL)"
+}
+elseif (Test-Path $SecretsEnc) {
 for ($attempt = 1; $attempt -le 3; $attempt++) {
 $password = Show-PasswordDialog "输入主密码解密凭证`n(非 Gitea 密码, 区分大小写)" $attempt 3
 if (-not $password) {
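Review bot: `_decrypt_secrets` discards the helper's stderr and returns whatever node writes to stdout, and the call site then treats any non-empty `$DECRYPTED` as success (`|| true` followed by `if [ -n "$DECRYPTED" ]`), while the PowerShell version of the same step also requires exit code 0 and rejects output containing `WRONG_PASSWORD|WRONG_FORMAT|bad decrypt|bad magic`. If the helper ever emits those markers on stdout, which the ps1 check suggests it may, a wrong password would be parsed here as `k=v` lines instead of counting as a failed attempt; checking the status at the call site, e.g. `if DECRYPTED=$(_decrypt_secrets "$PASSWORD" "$SECRETS_ENC") && [ -n "$DECRYPTED" ]; then`, would make the two platforms agree. Separately, node is chosen whenever it is installed, so a legacy `Salted__` file on a machine with node never reaches the openssl branch unless the helper also handles that format (the ps1 comment calls it openssl-only); selecting by the file's magic bytes rather than by tool presence would be more robust. Both remarks apply unchanged to `_do_decrypt` in the Bookworm-OneClick-Mac.sh hunk.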
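Review bot: The new `$cryptoHelper`/`$useNode` assignments sever the `if (Get-CachedSecrets) { ... }` chain that the removed `elseif` belonged to: `elseif (Test-Path $SecretsEnc)` now attaches to the new `if (-not $useNode -and -not $opensslCmd)` statement, so after a successful cache load the script still prompts for the master password whenever `secrets.enc` exists, and the `Log-Fail` branch is reached even when there is no `secrets.enc` to decrypt (what `Log-Fail` does on that path is not visible here). Computing the two variables before `if (Get-CachedSecrets)` (above this hunk) and writing the tool check as `elseif (-not $useNode -and -not $opensslCmd) {` restores the original control flow; alternatively guard both new conditions with `-not $secretsDecrypted`. The `for` loop opened at the end of the hunk closes in the next one.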
@@ -540,10 +545,18 @@ elseif ((Test-Path $SecretsEnc) -and $opensslCmd) {
 }
 try {
- $decrypted = & $opensslCmd enc -aes-256-cbc -d -pbkdf2 -iter 600000 -in $SecretsEnc -pass "pass:$password" 2>$null
+ if ($useNode) {
+ # Node.js crypto-helper (BWENC1 格式, 跨平台一致)
+ $decrypted = & node $cryptoHelper decrypt $password $SecretsEnc 2>&1
+ $decExit = $LASTEXITCODE
+ } else {
+ # OpenSSL 回退 (仅支持 Salted__ 格式)
+ $decrypted = & $opensslCmd enc -aes-256-cbc -d -pbkdf2 -iter 600000 -in $SecretsEnc -pass "pass:$password" 2>$null
+ $decExit = $LASTEXITCODE
+ }
 $password = $null # 立即清零
- if ($decrypted) {
+ if ($decExit -eq 0 -and $decrypted -and $decrypted -notmatch 'WRONG_PASSWORD|WRONG_FORMAT|bad decrypt|bad magic') {
 $count = 0
 foreach ($line in $decrypted -split "`n") {
 $line = $line.Trim()
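Review bot: The added `$decrypted -notmatch '...'` test does not do what the condition reads as when `$decrypted` holds several lines: PowerShell comparison operators with an array on the left return the filtered elements, not a boolean, so the clause is true as soon as one line lacks a marker. On the node branch `2>&1` also merges stderr into `$decrypted` (as error records rather than plain strings), and anything the helper prints there is then handed to the `k=v` parser; on the openssl branch `bad decrypt`/`bad magic` are stderr diagnostics that `2>$null` already discards, so those alternatives can never match. Since `$decExit` is now checked, the simpler deterministic form is `$decrypted = & node $cryptoHelper decrypt $password $SecretsEnc 2>$null` and `if ($decExit -eq 0 -and $decrypted) {`; if the marker strings are wanted for diagnostics, test `($decrypted -join "`n") -notmatch ...` instead. The `try` opened at the top of the hunk is closed outside it.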