|
|
|
|
|
|
|
|
from cryptography.hazmat.primitives.asymmetric import rsa, ed25519 |
|
|
from cryptography.hazmat.primitives import serialization, hashes |
|
|
from cryptography.hazmat.primitives.kdf.scrypt import Scrypt |
|
|
from cryptography.hazmat.primitives.ciphers.aead import AESGCM |
|
|
from cryptography.hazmat.backends import default_backend |
|
|
import os |
|
|
import base64 |
|
|
|
|
|
backend = default_backend() |
|
|
|
|
|
|
|
|
|
|
|
def generate_rsa_key_pair(key_size=2048): |
|
|
private_key = rsa.generate_private_key( |
|
|
public_exponent=65537, |
|
|
key_size=key_size, |
|
|
backend=backend |
|
|
) |
|
|
public_key = private_key.public_key() |
|
|
return private_key, public_key |
|
|
|
|
|
|
|
|
|
|
|
def generate_ed25519_key_pair(): |
|
|
private_key = ed25519.Ed25519PrivateKey.generate() |
|
|
public_key = private_key.public_key() |
|
|
return private_key, public_key |
|
|
|
|
|
|
|
|
|
|
|
def serialize_private_key(private_key, password: str = None): |
|
|
if password: |
|
|
encryption_algorithm = serialization.BestAvailableEncryption(password.encode()) |
|
|
else: |
|
|
encryption_algorithm = serialization.NoEncryption() |
|
|
|
|
|
return private_key.private_bytes( |
|
|
encoding=serialization.Encoding.PEM, |
|
|
format=serialization.PrivateFormat.PKCS8, |
|
|
encryption_algorithm=encryption_algorithm |
|
|
) |
|
|
|
|
|
def serialize_public_key(public_key): |
|
|
return public_key.public_bytes( |
|
|
encoding=serialization.Encoding.PEM, |
|
|
format=serialization.PublicFormat.SubjectPublicKeyInfo |
|
|
) |
|
|
|
|
|
def load_private_key(pem_data, password: str = None): |
|
|
return serialization.load_pem_private_key( |
|
|
pem_data, |
|
|
password=password.encode() if password else None, |
|
|
backend=backend |
|
|
) |
|
|
|
|
|
def load_public_key(pem_data): |
|
|
return serialization.load_pem_public_key( |
|
|
pem_data, |
|
|
backend=backend |
|
|
) |
|
|
|
|
|
def generate_keypair(method="rsa", password: bytes = None): |
|
|
""" |
|
|
Создаёт пару ключей (приватный, публичный) с заданным методом. |
|
|
method: "rsa" или "ed25519" |
|
|
password: если указан, приватный ключ будет зашифрован |
|
|
Возвращает (private_key_pem: bytes, public_key_pem: bytes) |
|
|
""" |
|
|
if method == "rsa": |
|
|
private_key = rsa.generate_private_key( |
|
|
public_exponent=65537, key_size=2048, backend=default_backend() |
|
|
) |
|
|
elif method == "ed25519": |
|
|
private_key = ed25519.Ed25519PrivateKey.generate() |
|
|
else: |
|
|
raise ValueError("Unsupported key generation method") |
|
|
|
|
|
encryption_algorithm = ( |
|
|
serialization.BestAvailableEncryption(password) |
|
|
if password |
|
|
else serialization.NoEncryption() |
|
|
) |
|
|
|
|
|
private_pem = private_key.private_bytes( |
|
|
encoding=serialization.Encoding.PEM, |
|
|
format=serialization.PrivateFormat.PKCS8, |
|
|
encryption_algorithm=encryption_algorithm, |
|
|
) |
|
|
|
|
|
public_pem = private_key.public_key().public_bytes( |
|
|
encoding=serialization.Encoding.PEM, |
|
|
format=serialization.PublicFormat.SubjectPublicKeyInfo, |
|
|
) |
|
|
|
|
|
return private_pem, public_pem |
|
|
|
|
|
|
|
|
|
|
|
def derive_key(password: str, salt: bytes = None): |
|
|
if not salt: |
|
|
salt = os.urandom(16) |
|
|
kdf = Scrypt( |
|
|
salt=salt, |
|
|
length=32, |
|
|
n=2**14, |
|
|
r=8, |
|
|
p=1, |
|
|
backend=backend |
|
|
) |
|
|
key = kdf.derive(password.encode()) |
|
|
return key, salt |
|
|
|
|
|
def encrypt_data(data: bytes, password: str): |
|
|
key, salt = derive_key(password) |
|
|
aesgcm = AESGCM(key) |
|
|
nonce = os.urandom(12) |
|
|
encrypted = aesgcm.encrypt(nonce, data, None) |
|
|
return { |
|
|
'ciphertext': base64.b64encode(encrypted).decode(), |
|
|
'salt': base64.b64encode(salt).decode(), |
|
|
'nonce': base64.b64encode(nonce).decode() |
|
|
} |
|
|
|
|
|
def decrypt_data(encrypted_data: dict, password: str): |
|
|
ciphertext = base64.b64decode(encrypted_data['ciphertext']) |
|
|
salt = base64.b64decode(encrypted_data['salt']) |
|
|
nonce = base64.b64decode(encrypted_data['nonce']) |
|
|
key, _ = derive_key(password, salt=salt) |
|
|
aesgcm = AESGCM(key) |
|
|
return aesgcm.decrypt(nonce, ciphertext, None) |
|
|
|
|
|
|
|
|
|
|
|
if __name__ == "__main__": |
|
|
priv, pub = generate_ed25519_key_pair() |
|
|
priv_pem = serialize_private_key(priv) |
|
|
pub_pem = serialize_public_key(pub) |
|
|
|
|
|
print("PRIVATE PEM:") |
|
|
print(priv_pem.decode()) |
|
|
print("PUBLIC PEM:") |
|
|
print(pub_pem.decode()) |
|
|
|
|
|
encrypted = encrypt_data(priv_pem, "secret-password") |
|
|
decrypted = decrypt_data(encrypted, "secret-password") |
|
|
assert decrypted == priv_pem |
|
|
print("✅ Encryption/decryption OK") |
|
|
|
