Python的cryptography库介绍

? ? ? Python的cryptography是密码库，源码地址为：https://github.com/pyca/cryptography，最新发布版本为41.0.7,license为Apache 2.0/BSD 3，它支持在Windows、Linux、macOS上使用。如果通过源码编译，需要依赖OpenSSL。Python版本需要为3.7+.

? ? ? 通过pip安装,执行：

pip install cryptography

? ? ? 以下是对称加密AES测试code:

? ? ? 关于OpenSSL AES GCM的介绍可以参考：https://blog.csdn.net/fengbingchun/article/details/106113185

import os
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

def aes_gcm_encrypt(plain_text, key, iv, aad):
    # Construct an AES-GCM Cipher object with the given key and iv
    encryptor = Cipher(algorithms.AES(key), modes.GCM(iv),).encryptor()

    # associated_data will be authenticated but not encrypted, it must also be passed in on decryption
    encryptor.authenticate_additional_data(aad)

    # Encrypt the plaintext and get the associated ciphertext. GCM does not require padding
    cipher_text = encryptor.update(plain_text) + encryptor.finalize()

    return (cipher_text, encryptor.tag)

def aes_gcm_decrypt(cipher_test, key, iv, aad, tag):
    # Construct a Cipher object, with the key, iv, and additionally the GCM tag used for authenticating the message
    decryptor = Cipher(algorithms.AES(key), modes.GCM(iv, tag),).decryptor()

    # We put associated_data back in or the tag will fail to verify when we finalize the decryptor
    decryptor.authenticate_additional_data(aad)

    # Decryption gets us the authenticated plaintext. If the tag does not match an InvalidTag exception will be raised
    return decryptor.update(cipher_test) + decryptor.finalize()

if __name__ == "__main__":
    # reference: https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/
    plain_test = b"https://github.com/fengbingchun"
    key = os.urandom(32) # bytes, secret key: either 128, 192, or 256 bits long
    iv = os.urandom(12) # bytes, initialisation vector
    aad = os.urandom(16) # authenticated encryption with additional data
    print("key: {}\niv: {}\naad: {}\n".format(key, iv, aad))

    cipher_text, tag = aes_gcm_encrypt(plain_test, key, iv, aad)
    print("cipher text: {}\ntag: {}\n".format(cipher_text, tag))

    plain_test2 = aes_gcm_decrypt(cipher_text, key, iv, aad, tag)
    print("before encryption, plaintext:{}\nafter  decryption, plaintext:{}".format(plain_test, plain_test2))

    if plain_test != plain_test2:
        print("Error: the decrypted content does not match the original plaintext")
        raise

    print("test finish")

? ? ? 执行结果如下图所示：

? ? ? 以下是非对称加密RSA测试code:
? ? ? 关于OpenSSL RSA的介绍可以参考：https://blog.csdn.net/fengbingchun/article/details/43638013

? ? ? 通过openssl执行文件生成rsa公钥-私钥对文件rsa_private.pem，密钥对长度为3072，执行如下命令：

openssl.exe genrsa -out rsa_private.pem 3072

from cryptography.hazmat.primitives.asymmetric import rsa, padding
from cryptography.hazmat.primitives import serialization, hashes

def rsa_public_key_encrypt(plain_text, public_key):
    return public_key.encrypt(
        plain_text,
        padding.OAEP(
            mgf=padding.MGF1(algorithm=hashes.SHA256()),
            algorithm=hashes.SHA256(),
            label=None
        )
    )

def rsa_private_key_decrypt(cipher_test, private_key):
    return private_key.decrypt(
        cipher_test,
        padding.OAEP(
            mgf=padding.MGF1(algorithm=hashes.SHA256()),
            algorithm=hashes.SHA256(),
            label=None
        )
    )

if __name__ == "__main__":
    # reference: https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/
    plain_test = b"https://blog.csdn.net/fengbingchun/"

    with open("test_data/rsa_private.pem", "rb") as key_file:
        private_key = serialization.load_pem_private_key(key_file.read(), password=None,)

    pem = private_key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.TraditionalOpenSSL,
        encryption_algorithm=serialization.NoEncryption()
    )
    #print("private key: {}\n".format(pem.splitlines()))

    public_key = private_key.public_key()
    pem = public_key.public_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PublicFormat.SubjectPublicKeyInfo
    )
    #print("public key: {}\n".format(pem.splitlines()))

    cipher_text = rsa_public_key_encrypt(plain_test, public_key)
    print("cipher text:{}\n".format(cipher_text))

    plain_test2 = rsa_private_key_decrypt(cipher_text, private_key)
    print("before encryption, plaintext:{}\nafter  decryption, plaintext:{}".format(plain_test, plain_test2))

    if plain_test != plain_test2:
        print("Error: the decrypted content does not match the original plaintext")
        raise

    print("test finish")

? ? ? 执行结果如下图所示：

? ? ? GitHub：https://github.com/fengbingchun/Python_Test