In general, the current SaaS service provides the current SDK or API docking service that involves an authentication and data encryption issue. It is generally common practice to configure the use of asymmetric encryption to solve this problem, you hold the public key of the SaaS company, the SaaS company holds your public key, you can do encryption and signature verification.
Let's look at two ways to generate key pair under Linux or Mac:
Using OpenSSL to generate a 2048bit-length key pair, we first generate a. PEM-formatted private key:
OpenSSL genrsa-out Private_key.pem 2048
This private key is then generated in the. Pem format for the public key:
OpenSSL RSA- in Private_key.pem-pubout-out Public_key.pem
The generated format is in pkcs#1.5 format and can be directly read by the following similar statements directly to RSA. Publickey.load_pkcs1_openssl_pem () is more convenient for Python's RSA libraries.
We can also use Ssh-keygen to generate:
" [email protected] "
The last-c parameter is to add a comment to the key's public key. -t specifies the algorithm,-b specifies the length. This generation method allows you to enter a password that encrypts the generated private_key.
The president starts like this:
-----BEGIN RSA PRIVATE KEY-----Proc-type:4, Encrypteddek-info:des-cbc,84e01d31c0a59d1f
If you want to use this key to decrypt the signature and turn it into the key in the form above. Need to use:
OpenSSL RSA- in <encrypted key filename> -out < desired output file name>
You can remove the password and get the private key. Then use this private key to generate a public key, the same as the above operation is possible. Using the public key to generate a pair directly should not work, and the format is not pkcs#1.5.
The following is the introduction of the encryption and decryption and signature verification:
Before that, there was a concept that was very easy to confuse. Is the same use of asymmetric encryption principle of data encryption and data signing.
Encryption and signing are not the same thing at all.
Encryption uses the public key to encrypt the data, and when you use a 1024bit RSA public key, you can only encrypt up to 117byte of data at a time, if the amount of data exceeds this number, it may involve the problem of segmented encryption of data. And now the RSA 1024bit length of the key has been proven not safe enough, should try to use the 2048bit length of the key. 2048bit-length keys can encrypt 245byte-length data at once. This calculation method is 2048BIT/8 = 256byte-11byte = 245byte Long data. is the key length minus 11byte get the maximum amount of time you can encrypt how long data. If the error is exceeded, many platforms require that the data be encrypted with the public key, which may involve the issue of segmented encryption.
The tag is to sign the string that needs to be signed with your private key. And the other side needs to take the public key you gave to verify that the data is not issued by you, you need to use the public key to check the data. If successful, you're the one.
The following shows the process of using Python to fragment encrypt data, where we assume that we use a 1024bit public key for encryption:
defRsa_encrypt (Biz_content, Public_key): _p=RSA. Publickey.load_pkcs1_openssl_pem (public_key) biz_content= Biz_content.encode ('Utf-8') #1024bit KeyDefault_encrypt_length = 117len_content=Len (biz_content)ifLen_content <default_encrypt_length:returnBase64.b64encode (Rsa.encrypt (biz_content, _p)) offset=0 Params_lst= [] whileLen_content-offset >0:ifLen_content-offset >default_encrypt_length:params_lst.append (Rsa.encrypt (Biz_content[offset:offset+Default_encrypt_length], _p))Else: Params_lst.append (Rsa.encrypt (biz_content[offset:], _p)) offset+=default_encrypt_length Target="'. Join (PARAMS_LST)returnBase64.b64encode (target)
Finally, it is necessary to use the Base64 algorithm to transfer the binary into a string conveniently into the required parameters. Decryption can use this method of the RSA library
Rsa.decrypt (data, Private_key)
After the fragment is decrypted, the data is pieced together.
The following continues to show the process of adding a signature to the data:
def rsa_signature (data, Private_key): = RSA. Privatekey._load_pkcs1_pem (Private_key) 'SHA-1') return Base64.b64encode (signature)
Check using:
def rsa_verify (signature, message, Public_key): = RSA. Publickey.load_pkcs1_openssl_pem (public_key) = Base64.b64decode (signature) return rsa.verify (message, signature, _pub)
Above
Reference:
https://stuvel.eu/python-rsa-doc/usage.html#signing-and-verification Python-rsa 3.4.2 Documentation
Https://support.citrix.com/article/CTX122930#Decrypting%20the%20Private%20Key%20from%20the%20Command%20Line% 20Interface How to Decrypt a RSA Private Key Using OpenSSL on NetScaler
1190000009396950?_ea=2278883 Python's RSA encryption and PBE encryption
Https://stackoverflow.com/questions/1011572/convert-pem-key-to-ssh-rsa-format convert PEM key to SSH-RSA format
Python RSA public key generation RSA public key encryption (segmented encryption) private key plus sign in combat