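// 实现示例

/**
 * Metadata that accompanies one signature on a release artifact.
 * `created` and `expires` are compared against `now` after the leeway is
 * multiplied by 1000, so they are expected to be millisecond timestamps
 * (for example `Date.now()`) - confirm against the producer.
 */
type Sig = { alg: 'RS256' | 'ES256'; kid: string; b64: string; created: number; expires: number };

/** Release policy: the key ids and algorithms that are accepted, and how many signers are required. */
type Policy = { allowKids: Set<string>; allowAlgs: Set<string>; threshold: number };

/**
 * Shape check for a standard-alphabet base64 string.
 *
 * Padding (`=`) is accepted only as a suffix of at most two characters, so
 * inputs such as `"===="` or `"a=b"` are rejected. This is a format check
 * only: nothing is decoded and nothing is verified.
 */
function b64(s: string): boolean {
  return /^[A-Za-z0-9+/]+={0,2}$/.test(s);
}

/**
 * Reports whether `now` lies inside `[created, expires]`, widened on both
 * sides by `leewaySec` seconds of clock-skew tolerance.
 *
 * @returns `false` when any argument is not a finite number or when the
 *          window is empty or inverted (`expires <= created`).
 */
function within(created: number, expires: number, now: number, leewaySec: number): boolean {
  // Fail closed on NaN/Infinity: an infinite `expires` would otherwise never expire.
  if (![created, expires, now, leewaySec].every((v) => Number.isFinite(v))) return false;
  if (expires <= created) return false;
  const leewayMs = leewaySec * 1000;
  return now + leewayMs >= created && now - leewayMs <= expires;
}

/**
 * Policy pre-check for a single signature: allowed algorithm, allowed key id,
 * base64-shaped payload, and a validity window that contains `now` (60 s leeway).
 *
 * NOTE: this does NOT verify the signature cryptographically. The signature
 * bytes still have to be verified over the artifact with the public key bound
 * to `kid`, by the caller or a later step, before the signer is trusted.
 */
function validSig(s: Sig, p: Policy, now: number): boolean {
  // `alg` is only a compile-time type; the allow-list lookup is the runtime check.
  return (
    p.allowAlgs.has(s.alg) &&
    p.allowKids.has(s.kid) &&
    b64(s.b64) &&
    within(s.created, s.expires, now, 60)
  );
}

/**
 * Decides whether enough independent signers passed the policy pre-check.
 *
 * Signatures are counted per distinct `kid`, so submitting the same key's
 * signature several times cannot satisfy an N-of-M threshold on its own.
 * A threshold below 1 (or NaN) is treated as a misconfiguration and fails
 * closed instead of approving an unsigned artifact.
 */
function meetThreshold(sigs: Sig[], p: Policy, now: number): boolean {
  if (!(p.threshold >= 1)) return false;
  const signers = new Set<string>();
  for (const s of sigs) {
    if (validSig(s, p, now)) signers.add(s.kid);
  }
  return signers.size >= p.threshold;
}

// 审计与发布治理
// 审计签名算法与kid、时间窗口与阈值;不合规阻断。轮换策略与白名单变更需审批与归档。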
