feat(api): api sensitive data encryption

Author: GZTimeWalker

src/GZCTF.Test/SignatureTest.cs

@@ -166,4 +166,28 @@ public void SHA512WithRSATest()
         output.WriteLine(verified ? "Signature verified" : "Signature not verified");
         Assert.True(verified);
     }
+
+    [Fact]
+    public void TestEncryptData()
+    {
+        SecureRandom sr = new();
+        X25519KeyPairGenerator kpg = new();
+        kpg.Init(new X25519KeyGenerationParameters(sr));
+
+        AsymmetricCipherKeyPair kp = kpg.GenerateKeyPair();
+        var privateKey = (X25519PrivateKeyParameters)kp.Private;
+        var publicKey = (X25519PublicKeyParameters)kp.Public;
+
+        output.WriteLine("私钥：");
+        output.WriteLine(Base64.ToBase64String(privateKey.GetEncoded()));
+        output.WriteLine("公钥：");
+        output.WriteLine(Base64.ToBase64String(publicKey.GetEncoded()));
+
+        const string data = "Hello, GZCTF!";
+        var encryptedData = CryptoUtils.EncryptData(Encoding.UTF8.GetBytes(data), publicKey);
+        output.WriteLine($"加密数据：\n{Base64.ToBase64String(encryptedData)}");
+        var decryptedData = CryptoUtils.DecryptData(encryptedData, privateKey);
+        output.WriteLine($"解密数据：\n{Encoding.UTF8.GetString(decryptedData)}");
+        Assert.Equal(data, Encoding.UTF8.GetString(decryptedData));
+    }
 }

src/GZCTF.sln

@@ -6,7 +6,6 @@ MinimumVisualStudioVersion = 10.0.40219.1
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{D270C86C-F293-4A9C-97C7-2A10404E8283}"
 	ProjectSection(SolutionItems) = preProject
 		Directory.Packages.props = Directory.Packages.props
-		Dockerfile = Dockerfile
 	EndProjectSection
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "GZCTF", "GZCTF\GZCTF.csproj", "{9AAEFC0F-73F3-44F0-B8AC-140640792603}"

src/GZCTF/ClientApp/src/Api.ts

@@ -364,6 +364,8 @@ export interface GlobalConfig {
   footerInfo?: string | null;
   /** Custom theme color */
   customTheme?: string | null;
+  /** Use asymmetric encryption for API requests */
+  apiEncryption?: boolean;
   /** Platform logo hash */
   logoHash?: string | null;
   /** Platform favicon hash */
@@ -1785,6 +1787,8 @@ export interface ClientConfig {
   footerInfo?: string | null;
   /** Custom theme color */
   customTheme?: string | null;
+  /** The public key used for API requests */
+  apiPublicKey?: string | null;
   /** Platform logo URL */
   logoUrl?: string | null;
   /** Container port mapping type */

src/GZCTF/ClientApp/src/components/GameChallengeModal.tsx

@@ -7,7 +7,9 @@ import React, { FC, useEffect, useState } from 'react'
 import { useTranslation } from 'react-i18next'
 import { ChallengeModal } from '@Components/ChallengeModal'
 import { showErrorNotification } from '@Utils/ApiHelper'
+import { encryptApiData } from '@Utils/Crypto'
 import { ChallengeCategoryItemProps } from '@Utils/Shared'
+import { useConfig } from '@Hooks/useConfig'
 import api, { AnswerResult, ChallengeType, SubmissionType } from '@Api'
 
 interface GameChallengeModalProps extends ModalProps {
@@ -28,6 +30,7 @@ export const GameChallengeModal: FC<GameChallengeModalProps> = (props) => {
     refreshInterval: 120 * 1000,
   })
 
+  const { config } = useConfig()
   const { t } = useTranslation()
 
   const wrongFlagHints = t('challenge.content.wrong_flag_hints', {
@@ -137,7 +140,7 @@ export const GameChallengeModal: FC<GameChallengeModalProps> = (props) => {
 
     try {
       const res = await api.game.gameSubmit(gameId, challengeId, {
-        flag,
+        flag: await encryptApiData(flag.trim(), config.apiPublicKey),
       })
       setSubmitId(res.data)
       notifications.clean()

src/GZCTF/ClientApp/src/components/PasswordChangeModal.tsx

@@ -8,6 +8,8 @@ import { useTranslation } from 'react-i18next'
 import { useNavigate } from 'react-router'
 import { StrengthPasswordInput } from '@Components/StrengthPasswordInput'
 import { showErrorNotification } from '@Utils/ApiHelper'
+import { encryptApiData } from '@Utils/Crypto'
+import { useConfig } from '@Hooks/useConfig'
 import api from '@Api'
 
 export const PasswordChangeModal: FC<ModalProps> = (props) => {
@@ -18,6 +20,7 @@ export const PasswordChangeModal: FC<ModalProps> = (props) => {
   const navigate = useNavigate()
 
   const { t } = useTranslation()
+  const { config } = useConfig()
 
   const onChangePwd = async () => {
     if (!pwd || !retypedPwd) {
@@ -30,8 +33,8 @@ export const PasswordChangeModal: FC<ModalProps> = (props) => {
     } else if (pwd === retypedPwd) {
       try {
         await api.account.accountChangePassword({
-          old: oldPwd,
-          new: pwd,
+          old: await encryptApiData(oldPwd, config.apiPublicKey),
+          new: await encryptApiData(pwd, config.apiPublicKey),
         })
         showNotification({
           color: 'teal',

src/GZCTF/ClientApp/src/locales/en-US/admin.json

@@ -90,6 +90,10 @@
           "description": "All dynamic attachments will be downloaded under this filename",
           "label": "Global Attachment Name"
         },
+        "blood_bonus": {
+          "description": "Enable blood bonus for this challenge",
+          "label": "Blood Bonus"
+        },
         "bonus": {
           "description": "The Triple Blood Bonus refers to the additional points awarded when a challenge is solved by the first three teams. Each team can receive a scoring bonus based on the current points of the challenge. The bonus will be added to the team's score in the form of a fixed percentage.",
           "first_blood": "First Blood Reward (%)",
@@ -106,10 +110,6 @@
         "description": "Description",
         "difficulty": "Difficulty Factor",
         "disable": "Are you sure you want to disable challenge {{name}}?",
-        "blood_bonus": {
-          "description": "Enable blood bonus for this challenge",
-          "label": "Blood Bonus"
-        },
         "empty": {
           "description": "Click the top right to create the first challenge",
           "title": "Ouch! This game has no challenge yet."
@@ -296,6 +296,10 @@
         "title": "Container Policy"
       },
       "platform": {
+        "api_encryption": {
+          "description": "Encrypt sensitive data in some APIs",
+          "label": "Enable API Encryption"
+        },
         "color": {
           "description": "Custom color for the platform",
           "label": "Platform Color"

src/GZCTF/ClientApp/src/locales/zh-CN/admin.json

@@ -90,6 +90,10 @@
           "description": "所有动态附件均会以此文件名下载",
           "label": "全局附件名"
         },
+        "blood_bonus": {
+          "description": "启用题目的三血加分",
+          "label": "三血奖励"
+        },
         "bonus": {
           "description": "三血奖励加成是指当一个题目被前三个队伍解出时，每个队伍可以得到的分值奖励。三血的奖励基于题目的当前分值，并以一个固定百分比的形式累加至该队伍的得分中。",
           "first_blood": "一血奖励 (%)",
@@ -106,10 +110,6 @@
         "description": "题目描述",
         "difficulty": "难度系数",
         "disable": "你确定要禁用题目 {{name}} 吗？",
-        "blood_bonus": {
-          "description": "启用题目的三血加分",
-          "label": "三血奖励"
-        },
         "empty": {
           "description": "点击右上角创建第一个题目",
           "title": "Ouch! 这个比赛还没有题目"
@@ -296,6 +296,10 @@
         "title": "容器策略"
       },
       "platform": {
+        "api_encryption": {
+          "description": "加密部分敏感数据，如用户密码、flag",
+          "label": "启用 API 数据加密"
+        },
         "color": {
           "description": "自定义平台颜色，用于生成主题色盘",
           "label": "平台颜色"

src/GZCTF/ClientApp/src/pages/account/Login.tsx

@@ -8,6 +8,8 @@ import { useTranslation } from 'react-i18next'
 import { Link, useNavigate, useSearchParams } from 'react-router'
 import { AccountView } from '@Components/AccountView'
 import { Captcha, useCaptchaRef } from '@Components/Captcha'
+import { encryptApiData } from '@Utils/Crypto'
+import { useConfig } from '@Hooks/useConfig'
 import { usePageTitle } from '@Hooks/usePageTitle'
 import { useUser } from '@Hooks/useUser'
 import api from '@Api'
@@ -24,6 +26,7 @@ const Login: FC = () => {
 
   const { captchaRef, getToken, cleanUp } = useCaptchaRef()
   const { user, mutate } = useUser()
+  const { config } = useConfig()
 
   const { t } = useTranslation()
 
@@ -78,7 +81,7 @@ const Login: FC = () => {
     try {
       await api.account.accountLogIn({
         userName: uname,
-        password: pwd,
+        password: await encryptApiData(pwd, config.apiPublicKey),
         challenge: token,
       })
 

src/GZCTF/ClientApp/src/pages/account/Register.tsx

@@ -9,6 +9,8 @@ import { Link, useNavigate } from 'react-router'
 import { AccountView } from '@Components/AccountView'
 import { Captcha, useCaptchaRef } from '@Components/Captcha'
 import { StrengthPasswordInput } from '@Components/StrengthPasswordInput'
+import { encryptApiData } from '@Utils/Crypto'
+import { useConfig } from '@Hooks/useConfig'
 import { usePageTitle } from '@Hooks/usePageTitle'
 import api, { RegisterStatus } from '@Api'
 import misc from '@Styles/Misc.module.css'
@@ -19,6 +21,7 @@ const Register: FC = () => {
   const [uname, setUname] = useInputState('')
   const [email, setEmail] = useInputState('')
   const [disabled, setDisabled] = useState(false)
+  const { config } = useConfig()
 
   const navigate = useNavigate()
   const { captchaRef, getToken, cleanUp } = useCaptchaRef()
@@ -90,7 +93,7 @@ const Register: FC = () => {
     try {
       const res = await api.account.accountRegister({
         userName: uname,
-        password: pwd,
+        password: await encryptApiData(pwd, config.apiPublicKey),
         email: email,
         challenge: token,
       })

src/GZCTF/ClientApp/src/pages/account/Reset.tsx

@@ -9,6 +9,8 @@ import { useLocation, useNavigate } from 'react-router'
 import { AccountView } from '@Components/AccountView'
 import { StrengthPasswordInput } from '@Components/StrengthPasswordInput'
 import { showErrorNotification } from '@Utils/ApiHelper'
+import { encryptApiData } from '@Utils/Crypto'
+import { useConfig } from '@Hooks/useConfig'
 import { usePageTitle } from '@Hooks/usePageTitle'
 import api from '@Api'
 
@@ -23,6 +25,7 @@ const Reset: FC = () => {
   const [disabled, setDisabled] = useState(false)
 
   const { t } = useTranslation()
+  const { config } = useConfig()
 
   usePageTitle(t('account.title.reset'))
 
@@ -52,7 +55,7 @@ const Reset: FC = () => {
       await api.account.accountPasswordReset({
         rToken: token,
         email: email,
-        password: pwd,
+        password: await encryptApiData(pwd, config.apiPublicKey),
       })
       showNotification({
         color: 'teal',

src/GZCTF/ClientApp/src/pages/admin/Settings.tsx

@@ -129,7 +129,7 @@ const Configs: FC = () => {
         <Stack gap="sm">
           <Title order={2}>{t('admin.content.settings.platform.title')}</Title>
           <Divider />
-          <Grid columns={4}>
+          <Grid columns={4} align="center">
             <Grid.Col span={1}>
               <TextInput
                 label={t('admin.content.settings.platform.name.label')}
@@ -200,7 +200,6 @@ const Configs: FC = () => {
                 }}
               />
             </Grid.Col>
-
             <Grid.Col span={1}>
               <ColorInput
                 label={t('admin.content.settings.platform.color.label')}
@@ -225,7 +224,7 @@ const Configs: FC = () => {
                 }}
               />
             </Grid.Col>
-            <Grid.Col span={4}>
+            <Grid.Col span={3}>
               <TextInput
                 label={t('admin.content.settings.platform.footer.label')}
                 description={t('admin.content.settings.platform.footer.description')}
@@ -237,6 +236,22 @@ const Configs: FC = () => {
                 }}
               />
             </Grid.Col>
+            <Grid.Col span={1} className={misc.alignCenter}>
+              <Switch
+                checked={globalConfig?.apiEncryption ?? false}
+                disabled={disabled}
+                label={SwitchLabel(
+                  t('admin.content.settings.platform.api_encryption.label'),
+                  t('admin.content.settings.platform.api_encryption.description')
+                )}
+                onChange={(e) =>
+                  setGlobalConfig({
+                    ...globalConfig,
+                    apiEncryption: e.currentTarget.checked,
+                  })
+                }
+              />
+            </Grid.Col>
           </Grid>
         </Stack>
         <Stack gap="sm">

src/GZCTF/ClientApp/src/utils/Crypto.ts

@@ -0,0 +1,86 @@
+function base64ToUint8Array(base64: string): Uint8Array {
+  const binaryString = atob(base64)
+  const len = binaryString.length
+  const bytes = new Uint8Array(len)
+  for (let i = 0; i < len; i++) {
+    bytes[i] = binaryString.charCodeAt(i)
+  }
+  return bytes
+}
+
+function uint8ArrayToBase64(bytes: Uint8Array): string {
+  let binary = ''
+  const len = bytes.byteLength
+  for (let i = 0; i < len; i++) {
+    binary += String.fromCharCode(bytes[i])
+  }
+  return btoa(binary)
+}
+
+async function encryptData(plainTextBytes: Uint8Array, recipientPublicKeyBase64: string): Promise<Uint8Array> {
+  if (!plainTextBytes || plainTextBytes.length === 0) {
+    throw new Error('Data to encrypt cannot be empty.')
+  }
+  if (!recipientPublicKeyBase64) {
+    throw new Error('Recipient public key cannot be empty.')
+  }
+
+  const recipientPublicKeyBytes = base64ToUint8Array(recipientPublicKeyBase64)
+  if (recipientPublicKeyBytes.length !== 32) {
+    throw new Error('Invalid X25519 public key length.')
+  }
+
+  const recipientPublicKeyCryptoKey = await crypto.subtle.importKey('raw', recipientPublicKeyBytes, 'X25519', true, [])
+
+  const ephemeralKeyPair = (await crypto.subtle.generateKey('X25519', true, ['deriveBits'])) as CryptoKeyPair
+
+  const ephemeralPublicKeyBytes = new Uint8Array(await crypto.subtle.exportKey('raw', ephemeralKeyPair.publicKey!))
+
+  const sharedSecret = new Uint8Array(
+    await crypto.subtle.deriveBits(
+      { name: 'X25519', public: recipientPublicKeyCryptoKey },
+      ephemeralKeyPair.privateKey!,
+      256
+    )
+  )
+
+  const aesKeyBytes = new Uint8Array(await crypto.subtle.digest('SHA-256', sharedSecret))
+
+  const aesKeyCryptoKey = await crypto.subtle.importKey('raw', aesKeyBytes, { name: 'AES-GCM', length: 256 }, false, [
+    'encrypt',
+  ])
+
+  const nonce = crypto.getRandomValues(new Uint8Array(12))
+
+  const ciphertextArrayBuffer = await crypto.subtle.encrypt(
+    { name: 'AES-GCM', iv: nonce, tagLength: 128 },
+    aesKeyCryptoKey,
+    plainTextBytes
+  )
+  const ciphertextBytes = new Uint8Array(ciphertextArrayBuffer)
+
+  const result = new Uint8Array(ephemeralPublicKeyBytes.length + nonce.length + ciphertextBytes.length)
+  result.set(ephemeralPublicKeyBytes, 0)
+  result.set(nonce, ephemeralPublicKeyBytes.length)
+  result.set(ciphertextBytes, ephemeralPublicKeyBytes.length + nonce.length)
+
+  return result
+}
+
+function isWebCryptoAvailable(): boolean {
+  return typeof crypto !== 'undefined' && typeof crypto.subtle !== 'undefined'
+}
+
+export async function encryptApiData(plainText: string, publicKey?: string | null): Promise<string> {
+  if (!publicKey) {
+    return plainText
+  }
+
+  if (!isWebCryptoAvailable()) {
+    throw new Error('Web Crypto API is not available in this environment.')
+  }
+
+  const plainTextBytes = new TextEncoder().encode(plainText)
+  const encryptedBytes = await encryptData(plainTextBytes, publicKey)
+  return uint8ArrayToBase64(encryptedBytes)
+}