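Library that provides cryptographic and general-purpose routines for Secure Systems Lab projects at NYU
Detailed description of the securesystemslib Python project
A library that provides cryptographic and general-purpose functions for Secure Systems Lab projects at NYU. The routines are general enough to be usable by other projects.
Overview
SecureSystemsLib supports public-key and general-purpose cryptography, such as ECDSA, Ed25519, RSA, SHA256, SHA512, etc. Most of the cryptographic operations are performed by the cryptography and PyNaCl libraries, but verification of Ed25519 signatures can be done in pure Python.
The cryptography library is used to generate keys and signatures with the ECDSA and RSA algorithms, and to perform general-purpose cryptography such as encrypting keys. The PyNaCl library is used to generate Ed25519 keys and signatures. PyNaCl is a Python binding to the Networking and Cryptography Library. For key storage, RSA keys may be stored in PEM or JSON format, and Ed25519 keys in JSON format. Generating, importing, and loading cryptographic key files can be done with functions available in SecureSystemsLib.
Installation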
$ pip install securesystemslib
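The default installation only supports Ed25519 keys and signatures (in pure Python). Support for RSA, ECDSA, and Ed25519 via the cryptography and PyNaCl libraries is available by installing the crypto and pynacl extras: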
$ pip install securesystemslib[crypto]
$ pip install securesystemslib[pynacl]
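Create RSA keys
Note: In the instructions below, lines that start with >>> denote commands that should be entered by the reader, # begins a comment, and text without a prepended symbol is the output of a command.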
>>> from securesystemslib.interface import *
# The following function creates an RSA key pair, where the private key is
# saved to "rsa_key1" and the public key to "rsa_key1.pub" (both saved to
# the current working directory). A full directory path may be specified
# instead of saving keys to the current working directory. If specified
# directories do not exist, they will be created.
>>> generate_and_write_rsa_keypair("rsa_key1", bits=2048, password="password")
# If the key length is unspecified, it defaults to 3072 bits. A length of
# less than 2048 bits raises an exception. A password may be supplied as an
# argument, otherwise a user prompt is presented. If the password is an
# empty string, the private key is saved unencrypted.
>>> generate_and_write_rsa_keypair("rsa_key2")
Enter a password for the RSA key:
Confirm:
The following four key files should now exist:
- rsa_key1
- rsa_key1.pub
- rsa_key2
- rsa_key2.pub
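Because an empty password makes the private key land on disk unencrypted, it is worth checking key files after generation. The following is an added example, not part of securesystemslib: it classifies PEM text by its armor label and header lines using only the standard library. It assumes the RSA keys are stored as PEM (it does not apply to JSON key files); the names "rsa_key_nopass" and "pkcs8_key" and all sample contents are constructed.

```python
import re

# One PEM block: BEGIN line, body, END line carrying the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)
# Traditional OpenSSL PEM marks encryption with an RFC 1421 header line.
PROC_TYPE = re.compile(r"^Proc-Type:\s*4,ENCRYPTED\s*$", re.MULTILINE)


def classify_pem(text):
    """Return 'public', 'private-encrypted', 'private-unencrypted' or 'unknown'."""
    match = PEM_BLOCK.search(text)
    if match is None:
        return "unknown"
    label, body = match.groups()
    if label.endswith("PUBLIC KEY"):
        return "public"
    if label == "ENCRYPTED PRIVATE KEY":  # PKCS#8 EncryptedPrivateKeyInfo
        return "private-encrypted"
    if label.endswith("PRIVATE KEY"):
        return "private-encrypted" if PROC_TYPE.search(body) else "private-unencrypted"
    return "unknown"


def find_unencrypted_private_keys(files):
    """files maps a file name to its text; return the names that need attention."""
    return sorted(name for name, text in files.items()
                  if classify_pem(text) == "private-unencrypted")


# Constructed sample contents: the base64 bodies are placeholders, not real keys.
# "rsa_key_nopass" is a hypothetical file written with password="".
BODY = "Q09OU1RSVUNURUQ=\n"
SAMPLES = {
    "rsa_key1": ("-----BEGIN RSA PRIVATE KEY-----\n"
                 "Proc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                 + BODY + "-----END RSA PRIVATE KEY-----\n"),
    "rsa_key1.pub": "-----BEGIN PUBLIC KEY-----\n" + BODY + "-----END PUBLIC KEY-----\n",
    "rsa_key_nopass": ("-----BEGIN RSA PRIVATE KEY-----\n" + BODY
                       + "-----END RSA PRIVATE KEY-----\n"),
    "pkcs8_key": ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + BODY
                  + "-----END ENCRYPTED PRIVATE KEY-----\n"),
}

if __name__ == "__main__":
    for name in find_unencrypted_private_keys(SAMPLES):
        print("unencrypted private key:", name)
```

To audit real files, build the mapping from the key directory's file contents and treat every returned name as a key to regenerate with a password.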
Import RSA keys
# Continuing from the previous section . . .
# Import an existing public key.
>>> public_rsa_key1 = import_rsa_publickey_from_file("rsa_key1.pub")
# Import an existing private key. If your private key is encrypted,
# which it should be, you either have to pass a 'password' or enter one
# on the prompt.
>>> private_rsa_key1 = import_rsa_privatekey_from_file("rsa_key1", password="some passphrase")
# OR:
>>> private_rsa_key1 = import_rsa_privatekey_from_file("rsa_key1", prompt=True)
Enter a password for the encrypted RSA key:
import_rsa_privatekey_from_file() raises a securesystemslib.exceptions.CryptoError if the key / password is invalid:
securesystemslib.exceptions.CryptoError: RSA (public, private) tuple cannot be generated from the encrypted PEM string: Bad decrypt. Incorrect password?
Note: The specific message provided by the exception might differ depending on which cryptography library is used.
Create and import Ed25519 keys
# Continuing from the previous section . . .
# Generate and write an Ed25519 key pair. The private key is saved
# encrypted. A 'password' argument may be supplied, otherwise a prompt is
# presented.
>>> generate_and_write_ed25519_keypair('ed25519_key')
Enter a password for the Ed25519 key:
Confirm:
# Import the Ed25519 public key just created . . .
>>> public_ed25519_key = import_ed25519_publickey_from_file('ed25519_key.pub')
# and its corresponding private key.
>>> private_ed25519_key = import_ed25519_privatekey_from_file('ed25519_key')
Enter a password for the encrypted Ed25519 key:
Create and import ECDSA keys
# Continuing from the previous sections . . .
>>> generate_and_write_ecdsa_keypair('ecdsa_key')
Enter a password for the ECDSA key:
Confirm:
>>> public_ecdsa_key = import_ecdsa_publickey_from_file('ecdsa_key.pub')
>>> private_ecdsa_key = import_ecdsa_privatekey_from_file('ecdsa_key')
Enter a password for the encrypted ECDSA key:
Generate ECDSA, Ed25519, and RSA signatures
Note: Users may also access the crypto functions directly to perform cryptographic operations.
>>> from securesystemslib.keys import *
>>> data = 'The quick brown fox jumps over the lazy dog'
>>> ed25519_key = generate_ed25519_key()
>>> signature = create_signature(ed25519_key, data)
>>> rsa_key = generate_rsa_key(2048)
>>> signature = create_signature(rsa_key, data)
>>> ecdsa_key = generate_ecdsa_key()
>>> signature = create_signature(ecdsa_key, data)
Verify ECDSA, Ed25519, and RSA signatures
# Continuing from the previous sections . . .
>>> data = 'The quick brown fox jumps over the lazy dog'
>>> ed25519_key = generate_ed25519_key()
>>> signature = create_signature(ed25519_key, data)
>>> verify_signature(ed25519_key, signature, data)
True
>>> verify_signature(ed25519_key, signature, 'bad_data')
False
>>> rsa_key = generate_rsa_key()
>>> signature = create_signature(rsa_key, data)
>>> verify_signature(rsa_key, signature, data)
True
>>> ecdsa_key = generate_ecdsa_key()
>>> signature = create_signature(ecdsa_key, data)
>>> verify_signature(ecdsa_key, signature, data)
True
Miscellaneous functions
create_rsa_encrypted_pem()
# Continuing from the previous sections . . .
>>> rsa_key = generate_rsa_key()
>>> private = rsa_key['keyval']['private']
>>> passphrase = 'secret'
>>> encrypted_pem = create_rsa_encrypted_pem(private, passphrase)
import_rsakey_from_public_pem()
>>> rsa_key = generate_rsa_key()
>>> public = rsa_key['keyval']['public']
>>> rsa_key2 = import_rsakey_from_public_pem(public)
import_rsakey_from_pem()
>>> rsa_key = generate_rsa_key()
>>> public = rsa_key['keyval']['public']
>>> private = rsa_key['keyval']['private']
>>> rsa_key2 = import_rsakey_from_pem(public)
>>> rsa_key3 = import_rsakey_from_pem(private)
extract_pem()
>>> rsa_key = generate_rsa_key()
>>> private_pem = extract_pem(rsa_key['keyval']['private'], private_pem=True)
>>> public_pem = extract_pem(rsa_key['keyval']['public'], private_pem=False)
encrypt_key()
>>> ed25519_key = generate_ed25519_key()
>>> password = 'secret'
>>> encrypted_key = encrypt_key(ed25519_key, password)
decrypt_key()
>>> ed25519_key = generate_ed25519_key()
>>> password = 'secret'
>>> encrypted_key = encrypt_key(ed25519_key, password)
>>> decrypted_key = decrypt_key(encrypted_key.encode('utf-8'), password)
>>> decrypted_key == ed25519_key
True
is_pem_public()
>>> rsa_key = generate_rsa_key()
>>> public = rsa_key['keyval']['public']
>>> private = rsa_key['keyval']['private']
>>> is_pem_public(public)
True
>>> is_pem_public(private)
False
is_pem_private()
>>> rsa_key = generate_rsa_key()
>>> private = rsa_key['keyval']['private']
>>> public = rsa_key['keyval']['public']
>>> is_pem_private(private)
True
>>> is_pem_private(public)
False
import_ecdsakey_from_private_pem()
>>> ecdsa_key = generate_ecdsa_key()
>>> private_pem = ecdsa_key['keyval']['private']
>>> ecdsa_key2 = import_ecdsakey_from_private_pem(private_pem)
import_ecdsakey_from_public_pem()
>>> ecdsa_key = generate_ecdsa_key()
>>> public = ecdsa_key['keyval']['public']
>>> ecdsa_key2 = import_ecdsakey_from_public_pem(public)
import_ecdsakey_from_pem()
>>> ecdsa_key = generate_ecdsa_key()
>>> private_pem = ecdsa_key['keyval']['private']
>>> ecdsa_key2 = import_ecdsakey_from_pem(private_pem)
>>> public_pem = ecdsa_key['keyval']['public']
>>> ecdsa_key2 = import_ecdsakey_from_pem(public_pem)