Python has a certificate encryption and decryption implementation method

Source: Internet
Author: User
Tags sha1
This paper describes the implementation method of encryption and decryption of Python with certificates. Share to everyone for your reference. The implementation method is as follows:

Recently in Python to do the encryption and decryption work, at the same time add a secret string can be solved in PHP, online also found some reliable information, just have time I summed up the python in the encryption and decryption of this piece of code, in the future may still be used. Compared to PHP, Python has a large number of encryption and decryption components, namely:

Python-crypto-This component is a basic component, and the function used is relatively complex.
Ezpycrypto-relatively simple, but he made the public private key can not be compatible with other programs Sslcrypto-Ezpycrypto is the same author developed, more efficient than ezpycrypto. But not as compatible with other programs.
Pyopenssl-seems to be used on HTTPS communication, and I can not find the use of encryption and decryption.
M2crypto-finally let me find, but it has a big drawback, it is the bottom of the SWIG with OpenSSL handover.
Installing the Swig program in Windows is very difficult.

I chose to use the M2crypto, the public key and the private key certificate generation has two ways, one uses the RSA generation, the other is the X509 generation. I would like to share these two types of encryption and decryption code for your reference, but when reproduced or use, please specify the source.

I. Certificate generated by RSA Standard mode

1. Encrypt the decryption, encrypt the signature, verify the encrypted signature
Copy the Code code as follows:

#encoding: UTF8
Import OS
Import M2crypto
#随机数生成器 (1024-bit random)
M2Crypto.Rand.rand_seed (Os.urandom (1024))
#生成一个1024位公钥与私密钥证书
Geekso = M2Crypto.RSA.gen_key (1024, 65537)
Geekso.save_key (' Jb51.net-private.pem ', None)
Geekso.save_pub_key (' Jb51.net-public.pem ')
#使用公钥证书加密开始
Writersa = M2Crypto.RSA.load_pub_key (' Jb51.net-public.pem ')
ciphertext = Writersa.public_encrypt ("This is a secret message that can only be decrypted with the private key", M2Crypto.RSA.pkcs1_oaep_padding)
Print "The encrypted string is:"
Print Ciphertext.encode (' base64 ')
#对加密串进行签名
Msgdigest = M2Crypto.EVP.MessageDigest (' SHA1 ')
Msgdigest.update (ciphertext)
#提示, you can also use a private key to sign
#WriteRSA = M2Crypto.RSA.load_key (' Jb51.net-private.pem ')
#Signature = Writersa.sign_rsassa_pss (Msgdigest.digest ())
Signature = Geekso.sign_rsassa_pss (Msgdigest.digest ())
Print "The signed string is:"
Print Signature.encode (' base64 ')
#使用私钥证书解密开始
Readrsa = M2Crypto.RSA.load_key (' Jb51.net-private.pem ')
Try
plaintext = Readrsa.private_decrypt (ciphertext, M2Crypto.RSA.pkcs1_oaep_padding)
Except
Print "Decryption Error"
plaintext = ""
If plaintext:
Print "The decrypted string is:"
Print plaintext
# Verify the signature of the encrypted string
Msgdigest = M2Crypto.EVP.MessageDigest (' SHA1 ')
Msgdigest.update (ciphertext)
#提示, if you signed it with a private key, verify it with the public key.
#VerifyRSA = M2Crypto.RSA.load_pub_key (' Alice-public.pem ')
#VerifyRSA. VERIFY_RSASSA_PSS (Msgdigest.digest (), Signature)
If GEEKSO.VERIFY_RSASSA_PSS (Msgdigest.digest (), Signature) = = 1:
Print "signed correctly"
Else
Print "Signature is incorrect"

2. String to generate signature, verify signature
Copy the Code code as follows:

#用私钥签名
SIGNEVP = M2Crypto.EVP.load_key (' Jb51.net-private.pem ')
Signevp.sign_init ()
Signevp.sign_update (' signature string from this guest (http://www.jb51.net) ')
Stringsignature = Signevp.sign_final ()
Print "Signature string is:"
Print Stringsignature.encode (' base64 ')
#用公钥验证签名
PubKey = M2Crypto.RSA.load_pub_key (' Jb51.net-public.pem ')
VERIFYEVP = M2Crypto.EVP.PKey ()
Verifyevp.assign_rsa (PubKey)
Verifyevp.verify_init ()
Verifyevp.verify_update (' signature string from this guest (http://www.jb51.net) ')
If verifyevp.verify_final (stringsignature) = = 1:
Print "string was successfully validated. "
Else
Print "String validation failed!"

3. Add a password to the certificate

The advantage of adding a password to a certificate is that even if the certificate is taken, no password is used.
Copy the Code code as follows:

def passphrase (v):
Return ' 4567890 '


When generating the certificate, use the
Copy CodeThe code is as follows:

Geekso.save_key (' Jb51.net-private.pem ', callback=passphrase)


When using certificates
Copy CodeThe code is as follows:

Readrsa = Rsa.load_key (' Jb51.net-private.pem ', passphrase)


Second, the X509 standard way to generate certificates

1. Generate certificate, public key file, private key file
Copy the Code code as follows:

Import time
From M2crypto import X509, EVP, RSA, ASN1
Def issuer_name ():
"""
The name of the certificate issuer (the distinguished name).
Parameters:
None
Return:
The issuer of the X509 standard, obj.
"""
Issuer = X509. X509_name ()
Issuer. C = "CN" # Country name
Issuer. CN = "*.jb51.net" # Common name
Issuer. ST = "Hunan Changsha"
Issuer. L = "Hunan Changsha"
Issuer. O = "GEEKSO Company Ltd."
Issuer. OU = "GEEKSO Company Ltd."
Issuer. Email = "123456@qq.com"
return issuer
def make_request (Bits, CN):
"""
Creates a request for a X509 standard.
Parameters:
BITS = number of certificate bits
CN = Certificate Name
Return:
Returns X509 request with private key (EVP).
"""
RSA = Rsa.gen_key (Bits, 65537, None)
PK = EVP. PKey ()
Pk.assign_rsa (RSA)
req = X509. Request ()
Req.set_pubkey (PK)
Name = Req.get_subject ()
Name. C = "US"
Name. CN = CN
Req.sign (PK, ' sha256 ')
return req, PK
def make_certificate_valid_time (cert, days):
"""
The certificate is valid for a few days from the current time.
Parameters:
Cert = Certificate obj
Day = number of days the certificate expires
Return:
None
"""
t = Long (Time.time ()) # Gets the current time
Time_now = ASN1. Asn1_utctime ()
Time_now.set_time (t)
Time_exp = ASN1. Asn1_utctime ()
Time_exp.set_time (t + days * 24 * 60 * 60)
Cert.set_not_before (Time_now)
Cert.set_not_after (TIME_EXP)
def make_certificate (bits):
"""
Create a certificate
Parameters:
bits = number of digits with a fast pass
Return:
Certificate, private key (EVP) and public key key (EVP).
"""
Req, pk = make_request (bits, "localhost")
PUK = Req.get_pubkey ()
Cert = X509. X509 ()
Cert.set_serial_number (1) # Certificate Order example number
Cert.set_version (1) # Version of the certificate
Cert.set_issuer (Issuer_name ()) # Issuer Information
Cert.set_subject (Issuer_name ()) # Topic information
Cert.set_pubkey (PUK)
Make_certificate_valid_time (cert, 365) # Expiration time of the certificate
Cert.sign (PK, ' sha256 ')
Return cert, PK, PUK
# Start creating
Cert, PK, puk= make_certificate (1024)
Cert.save_pem (' Jb51.net-cret.pem ')
Pk.save_key (' Jb51.net-private.pem ', cipher = None, callback = Lambda:none)
Puk.get_rsa (). Save_pub_key (' Jb51.net-public.pem ')

2. Use certificate encryption, private key file decryption
Copy the Code code as follows:

def geekso_encrypt_with_certificate (Message, Cert_loc):
"""
The CERT certificate is encrypted and can be decrypted with the private key file.
Parameters:
Message = string to encrypt
Cert_loc = cert Certificate path
Return:
Encrypt string or exception string
"""
Cert = X509.load_cert (Cert_loc)
PUK = Cert.get_pubkey (). Get_rsa () # Get RSA for encryption
Message = Base64.b64encode (message)
Try
encrypted = Puk.public_encrypt (message, rsa.pkcs1_padding)
Except RSA. Rsaerror as E:
Return "ERROR encrypting" + e.message
return encrypted
encrypted = Geekso_encrypt_with_certificate (' www.jb51.net ', ' Jb51.net-cret.pem ')
print ' Encrypt string ', encrypted
def geekso_decrypt_with_private_key (Message, Pk_loc):
"""
Cryptographic string generated by the private key decryption certificate
Parameters:
Message = encrypted string
Pk_loc = Private Key Path
Return:
Decrypting a string or exception string
"""
PK = Rsa.load_key (pk_loc) # load RSA for decryption
Try
decrypted = pk.private_decrypt (message, rsa.pkcs1_padding)
decrypted = Base64.b64decode (decrypted)
Except RSA. Rsaerror as E:
Return "ERROR decrypting" + e.message
Return decrypted
print ' decryption string ', Geekso_decrypt_with_private_key (encrypted, ' JB51.NET-PRIVATE.PEM ')

3. Encryption with private key, certificate decryption
Copy the Code code as follows:

def geekso_encrypt_with_private_key (Message,pk_loc):
"""
Private key encryption
Parameters:
Message = encrypted string
Pk_loc = Private Key Path
Return:
Encrypt string or exception string
"""
Readrsa = Rsa.load_key (Pk_loc);
Message = Base64.b64encode (message)
Try
encrypted = Readrsa.private_encrypt (message,rsa.pkcs1_padding)
Except RSA. Rsaerror as E:
Return "ERROR encrypting" + e.message
return encrypted
encrypted = Geekso_encrypt_with_private_key (' www.jb51.net ', ' Jb51.net-private.pem ')
Print encrypted
def geekso_decrypt_with_certificate (Message, Cert_loc):
"""
Cert Certificate decryption.
Parameters:
message = the string to decrypt
Cert_loc = cert Certificate path
Return:
The decrypted string or exception string
"""
Cert = X509.load_cert (Cert_loc)
PUK = Cert.get_pubkey (). Get_rsa ()
Try
Decrypting = puk.public_decrypt (message, rsa.pkcs1_padding)
Decrypting = Base64.b64decode (decrypting)
Except RSA. Rsaerror as E:
Return "ERROR decrypting" + e.message
Return decrypting
Decrypting = geekso_decrypt_with_certificate (encrypted, ' JB51.NET-CRET.PEM ')
Print decrypting

4. Signing with a private key, certificate authentication
Copy the Code code as follows:

def geekso_sign_with_private_key (message, pk_loc, base64 = True):
"""
Private key Signature
Parameters:
Message = string to be signed
Pk_loc = Private Key Path
Base64 = True (bease64 processing) False (16 binary processing)
Return:
String or exception string after signature
"""
PK = Evp.load_key (Pk_loc)
Pk.sign_init ()
Try
Pk.sign_update (Message)
Signature = Pk.sign_final ()
Except EVP. Evperror as E:
Return "ERROR signature" + E.message
Return Signature.encode (' base64 ') if Base64 is True else Signature.encode (' hex ')
Signature = Geekso_sign_with_private_key (' www.jb51.net ', ' Jb51.net-private.pem ')
Print signature
def geekso_verifysign_with_certificate (message, signature, cert_loc, base64 = True):
"""
Certificate validation Signature
Parameters:
Message = The string that was originally signed
Signature = string after signature
Cert_loc = Certificate Path file
Base64 = True (bease64 processing) False (16 binary processing)
Return:
Success or failure string or exception string
"""
Signature = Signature.decode (' base64 ') if Base64 is True else Signature.decode (' hex ')
Cert = X509.load_cert (Cert_loc)
PUK = Cert.get_pubkey (). Get_rsa ()
Try
VERIFYEVP = EVP. PKey ()
Verifyevp.assign_rsa (PUK)
Verifyevp.verify_init ()
Verifyevp.verify_update (Message)
Verifysign = verifyevp.verify_final (signature)
if verifysign = = 1:
Return ' success '
else:
Return ' failed '
Except EVP. Evperror as E:
Return "ERROR Verify sign" + e.message

Print geekso_verifysign_with_certificate (' www.jb51.net ', signature, ' Jb51.net-cret.pem ')

Hopefully this article will help you with Python programming.

  • Related Article

    Contact Us

    The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

    If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

    A Free Trial That Lets You Build Big!

    Start building with 50+ products and up to 12 months usage for Elastic Compute Service

    • Sales Support

      1 on 1 presale consultation

    • After-Sales Support

      24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.