Open Secure Systems Library

Detailed description of the oll-securesystemslib Python project



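A library that provides cryptographic and general-purpose routines for Secure Systems Lab projects at NYU. The routines are general enough to be usable by other projects.

Overview

securesystemslib supports public-key and general-purpose cryptography, such as ECDSA, Ed25519, RSA, SHA256, SHA512, etc. Most cryptographic operations are performed by the cryptography and PyNaCl libraries, but verification of Ed25519 signatures can be done in pure Python.

The cryptography library is used to generate keys and signatures with the ECDSA and RSA algorithms, and to perform general-purpose cryptography, such as encrypting keys. The PyNaCl library is used to generate Ed25519 keys and signatures. PyNaCl is a Python binding to the Networking and Cryptography Library. For key storage, RSA keys may be stored in PEM or JSON format, and Ed25519 keys in JSON format. Generating, importing, and loading cryptographic key files can be done with functions available in securesystemslib.

Installation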

$ pip install securesystemslib

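The default installation only supports Ed25519 keys and signatures (in pure Python). Support for RSA, ECDSA, and Ed25519 through the cryptography and PyNaCl libraries is available by installing the crypto and pynacl extras: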

$ pip install securesystemslib[crypto]
$ pip install securesystemslib[pynacl]

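Create RSA Keys

Note: In the instructions below, lines that start with >>> denote commands that should be entered by the reader, # begins a comment, and text without a prepended symbol is the output of a command.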

>>> from securesystemslib.interface import *

# The following function creates an RSA key pair, where the private key is
# saved to "rsa_key1" and the public key to "rsa_key1.pub" (both saved to
# the current working directory).  A full directory path may be specified
# instead of saving keys to the current working directory.  If specified
# directories do not exist, they will be created.
>>> generate_and_write_rsa_keypair("rsa_key1", bits=2048, password="password")

# If the key length is unspecified, it defaults to 3072 bits. A length of
# less than 2048 bits raises an exception. A password may be supplied as an
# argument, otherwise a user prompt is presented.  If the password is an
# empty string, the private key is saved unencrypted.
>>> generate_and_write_rsa_keypair("rsa_key2")
Enter a password for the RSA key:
Confirm:

The following four key files should now exist:

  1. rsa_key1
  2. rsa_key1.pub
  3. rsa_key2
  4. rsa_key2.pub
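
The comments above note that an empty password leaves the private key unencrypted on disk. The following check is an added example, not part of securesystemslib: it classifies PEM text by its standard armor and header lines and lists files that hold a plaintext private key. The function names and the sample strings are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Standard PEM armor line, e.g. "-----BEGIN RSA PRIVATE KEY-----".
_BEGIN = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")


def classify_pem(text):
    """Return 'public', 'private-encrypted', 'private-plaintext' or 'not-pem'."""
    match = _BEGIN.search(text)
    if match is None:
        return "not-pem"
    label = match.group(1)
    if label.endswith("PUBLIC KEY"):
        return "public"
    if label == "ENCRYPTED PRIVATE KEY":
        # PKCS#8 encrypted container.
        return "private-encrypted"
    if label.endswith("PRIVATE KEY"):
        # Traditional OpenSSL PEM marks encryption in an RFC 1421 header
        # directly below the BEGIN line.
        body = text[match.end():]
        if re.match(r"\s*Proc-Type:\s*4,\s*ENCRYPTED", body):
            return "private-encrypted"
        return "private-plaintext"
    return "not-pem"


def find_plaintext_private_keys(directory):
    """List files under `directory` that hold an unencrypted PEM private key."""
    findings = []
    for path in sorted(Path(directory).rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(encoding="ascii", errors="ignore")
        except OSError:
            continue
        if classify_pem(text) == "private-plaintext":
            findings.append(str(path))
    return findings


# Constructed samples: armor lines only, the bodies are placeholders, not keys.
SAMPLE_PLAINTEXT = "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                    "DEK-Info: AES-256-CBC,00\n\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_PUBLIC = "-----BEGIN PUBLIC KEY-----\nPLACEHOLDER\n-----END PUBLIC KEY-----\n"
```

Files in the OpenSSH private key format record encryption inside the encoded body, so this header check reports them as plaintext and they need a separate look.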

Import RSA Keys

# Continuing from the previous section . . .

# Import an existing public key.
>>> public_rsa_key1 = import_rsa_publickey_from_file("rsa_key1.pub")

# Import an existing private key.  If your private key is encrypted,
# which it should be, you either have to pass a 'password' or enter one
# on the prompt.
>>> private_rsa_key1 = import_rsa_privatekey_from_file("rsa_key1", password="some passphrase")
# OR:
>>> private_rsa_key1 = import_rsa_privatekey_from_file("rsa_key1", prompt=True)
Enter a password for the encrypted RSA key:

import_rsa_privatekey_from_file() raises a securesystemslib.exceptions.CryptoError if the key or password is invalid:

securesystemslib.exceptions.CryptoError: RSA (public, private) tuple cannot
be generated from the encrypted PEM string: Bad decrypt. Incorrect password?

Note: The specific message provided by the exception might differ depending on which cryptography library is used.

Create and Import Ed25519 Keys

# Continuing from the previous section . . .

# Generate and write an Ed25519 key pair.  The private key is saved
# encrypted.  A 'password' argument may be supplied, otherwise a prompt is
# presented.
>>> generate_and_write_ed25519_keypair('ed25519_key')
Enter a password for the Ed25519 key:
Confirm:

# Import the Ed25519 public key just created . . .
>>> public_ed25519_key = import_ed25519_publickey_from_file('ed25519_key.pub')

# and its corresponding private key.
>>> private_ed25519_key = import_ed25519_privatekey_from_file('ed25519_key')
Enter a password for the encrypted Ed25519 key:

Create and Import ECDSA Keys

# continuing from the previous sections . . .

>>> generate_and_write_ecdsa_keypair('ecdsa_key')
Enter a password for the ECDSA key:
Confirm:

>>> public_ecdsa_key = import_ecdsa_publickey_from_file('ecdsa_key.pub')
>>> private_ecdsa_key = import_ecdsa_privatekey_from_file('ecdsa_key')
Enter a password for the encrypted ECDSA key:

Generate ECDSA, Ed25519, and RSA Signatures

Note: Users may also access the crypto functions directly to perform cryptographic operations.

>>> from securesystemslib.keys import *

>>> data = 'The quick brown fox jumps over the lazy dog'
>>> ed25519_key = generate_ed25519_key()
>>> signature = create_signature(ed25519_key, data)
>>> rsa_key = generate_rsa_key(2048)
>>> signature = create_signature(rsa_key, data)
>>> ecdsa_key = generate_ecdsa_key()
>>> signature = create_signature(ecdsa_key, data)

Verify ECDSA, Ed25519, and RSA Signatures

# Continuing from the previous sections . . .

>>> data = 'The quick brown fox jumps over the lazy dog'
>>> ed25519_key = generate_ed25519_key()
>>> signature = create_signature(ed25519_key, data)
>>> verify_signature(ed25519_key, signature, data)
True
>>> verify_signature(ed25519_key, signature, 'bad_data')
False
>>> rsa_key = generate_rsa_key()
>>> signature = create_signature(rsa_key, data)
>>> verify_signature(rsa_key, signature, data)
True
>>> ecdsa_key = generate_ecdsa_key()
>>> signature = create_signature(ecdsa_key, data)
>>> verify_signature(ecdsa_key, signature, data)
True

Miscellaneous Functions

create_rsa_encrypted_pem()

# Continuing from the previous sections . . .

>>> rsa_key = generate_rsa_key()
>>> private = rsa_key['keyval']['private']
>>> passphrase = 'secret'
>>> encrypted_pem = create_rsa_encrypted_pem(private, passphrase)

import_rsakey_from_public_pem()

>>> rsa_key = generate_rsa_key()
>>> public = rsa_key['keyval']['public']
>>> rsa_key2 = import_rsakey_from_public_pem(public)

import_rsakey_from_pem()

>>> rsa_key = generate_rsa_key()
>>> public = rsa_key['keyval']['public']
>>> private = rsa_key['keyval']['private']
>>> rsa_key2 = import_rsakey_from_pem(public)
>>> rsa_key3 = import_rsakey_from_pem(private)

extract_pem()

>>> rsa_key = generate_rsa_key()
>>> private_pem = extract_pem(rsa_key['keyval']['private'], private_pem=True)
>>> public_pem = extract_pem(rsa_key['keyval']['public'], private_pem=False)

encrypt_key()

>>> ed25519_key = generate_ed25519_key()
>>> password = 'secret'
>>> encrypted_key = encrypt_key(ed25519_key, password)

decrypt_key()

>>> ed25519_key = generate_ed25519_key()
>>> password = 'secret'
>>> encrypted_key = encrypt_key(ed25519_key, password)
>>> decrypted_key = decrypt_key(encrypted_key.encode('utf-8'), password)
>>> decrypted_key == ed25519_key
True

is_pem_public()

>>> rsa_key = generate_rsa_key()
>>> public = rsa_key['keyval']['public']
>>> private = rsa_key['keyval']['private']
>>> is_pem_public(public)
True
>>> is_pem_public(private)
False

is_pem_private()

>>> rsa_key = generate_rsa_key()
>>> private = rsa_key['keyval']['private']
>>> public = rsa_key['keyval']['public']
>>> is_pem_private(private)
True
>>> is_pem_private(public)
False

import_ecdsakey_from_private_pem()

>>> ecdsa_key = generate_ecdsa_key()
>>> private_pem = ecdsa_key['keyval']['private']
>>> ecdsa_key2 = import_ecdsakey_from_private_pem(private_pem)

import_ecdsakey_from_public_pem()

>>> ecdsa_key = generate_ecdsa_key()
>>> public = ecdsa_key['keyval']['public']
>>> ecdsa_key2 = import_ecdsakey_from_public_pem(public)

import_ecdsakey_from_pem()

>>> ecdsa_key = generate_ecdsa_key()
>>> private_pem = ecdsa_key['keyval']['private']
>>> ecdsa_key2 = import_ecdsakey_from_pem(private_pem)
>>> public_pem = ecdsa_key['keyval']['public']
>>> ecdsa_key2 = import_ecdsakey_from_pem(public_pem)
