# cryptography使用

### cryptography简介

cryptography模块主要分为两类:
1. 高层次的加密配方，也就是我们只用关心如何使用它提供的api，并不用关心具体加密过程等细节，这也是我们经常使用的。
2. 低层次的加密原语，如果对密码学不是很了解的话，使用加密原语构造自己的加密算法是很危险的。

本片文章介绍高层次的对称加密api和低层次非对称的公钥私钥以及证书

### RSA简介

RSA公钥加密算法是1977年由罗纳德·李维斯特（Ron Rivest）、阿迪·萨莫尔（Adi Shamir）和伦纳德·阿德曼（Leonard Adleman）一起提出的。RSA就是他们三人姓氏开头字母拼在一起组成的。
RSA是目前最有影响力的公钥加密算法，它能够抵抗到目前为止已知的绝大多数密码攻击，RSA算法基于一个十分简单的数论事实：将两个大质数相乘十分容易，但是想要对其乘积进行因式分解却极其困难，因此可以将乘积公开作为加密密钥。

RSA算法的原理，目前网络上有许多优秀的文章，特别推荐阅读阮一峰老师的文章：

* [RSA算法原理1](http://www.ruanyifeng.com/blog/2013/06/rsa_algorithm_part_one.html)
* [RSA算法原理2](http://www.ruanyifeng.com/blog/2013/07/rsa_algorithm_part_two.html)


### RSA加密和解密

In [7]:
import os
import base64
import hashlib
import netifaces
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding
from cryptography.hazmat.primitives import serialization


class LicenceModel(object):

    def __init__(self):
        super(LicenceModel, self).__init__()
        self.trial_days = 30
        self.device_count = 50
    
    def crypto_password(self, pwd):
        md_5 = hashlib.md5()
        md_5.update(pwd.encode('utf8'))
        md5_pwd = md_5.hexdigest()
        sha1 = hashlib.sha1()
        sha1.update(md5_pwd.encode('utf8'))
        sha1_pwd = sha1.hexdigest()
        return sha1_pwd
    
    def get_device_info(self):
        names = netifaces.interfaces()
        names.sort()
        info = ''
        for name in names:
            mac_list = netifaces.ifaddresses(name)[netifaces.AF_LINK]
            for mac in mac_list:
                address = mac.get('addr')
                if address:
                    info += address
        print('device info: {}'.format(info))
        return info
    
    def get_device_series(self):
        device_series = None
        device_info =self.get_device_info()
        if device_info:
            device_series = self.crypto_password(device_info)
        print('device series: {}'.format(device_series))
        return device_series
    
    def get_message(self):
        device_serise = self.get_device_series()
        message = 'serise:{},amount:{},days:{}'.format(device_serise, self.device_count, self.trial_days)
        print('message: {}'.format(message))
        return message

    def encrypt_licence_file(self):
        message = self.get_message()
        message = message.encode(encoding='utf-8')
        public_key = self.load_publice_key()
        # 公钥加密生成licence文件
        ciphertext = public_key.encrypt(message,
            padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA1()),
            algorithm=hashes.SHA1(), label=None))
        # 生成的密文最好base64加密,主要是不显示出乱码符号
        ciphertext = base64.b64encode(ciphertext)
        with open(os.path.join('licence'), 'wb') as f:
            f.write(ciphertext)
        print('生成licence:\n')
        print(ciphertext)

    def decrypt_licence_file(self, licence=None):
        with open('licence', 'rb') as f:
            licence = f.read()
        ciphertext = base64.b64decode(licence)
        private_key = self.load_private_key(password='use_password')
        plaintext = private_key.decrypt(ciphertext, padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA1()),
                                        algorithm=hashes.SHA1(), label=None))
        print(plaintext)
        return plaintext

    def genarator_RSA_keys(self):
        private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048, backend=default_backend())
        public_key = private_key.public_key()
        self.serialize_private_key(private_key, password='use_password')
        self.serialize_public_key(public_key)

    def serialize_private_key(self, private_key, password=None):
        # 强烈建议对私钥进行序列化的时候用自己的密钥进行加密，这样不会将私钥完全暴露,
        # pem文件不止包含私钥，还包括一些有关私钥的重要信息
        if password:
            encryption_algorithm = serialization.BestAvailableEncryption(password.encode())
        else:
            # 不加密
            encryption_algorithm = encryption_algorithm=serialization.NoEncryption()

        pem = private_key.private_bytes(encoding=serialization.Encoding.PEM,
            format=serialization.PrivateFormat.PKCS8, encryption_algorithm=encryption_algorithm)
        print('生成秘钥:\n')
        with open('private_key.pem', 'wb') as f:
            for line in pem.splitlines():
                f.write(line+b'\n')
                print(line)
        print('\n')

    def serialize_public_key(self, public_key):
        pem = public_key.public_bytes(encoding=serialization.Encoding.PEM,
            format=serialization.PublicFormat.SubjectPublicKeyInfo)
        print('生成公钥:\n')
        with open('public_key.pem', 'wb') as f:
            for line in pem.splitlines():
                f.write(line+b'\n')
                print(line)
        print('\n')

    def load_private_key(self, password=None):
        with open("private_key.pem", "rb") as key_file:
            if password:
                private_key = serialization.load_pem_private_key(key_file.read(), password=password.encode(), backend=default_backend())
            else:
                private_key = serialization.load_pem_private_key(key_file.read(), backend=default_backend())
            return private_key
            

    def load_publice_key(self):
        with open("public_key.pem", "rb") as key_file:
            public_key = serialization.load_pem_public_key(
                key_file.read(), backend=default_backend())
            return public_key

licence = LicenceModel()

licence.genarator_RSA_keys()

licence.encrypt_licence_file()

licence.decrypt_licence_file()

生成秘钥:

b'-----BEGIN ENCRYPTED PRIVATE KEY-----'
b'MIIFLTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQIqUKqAhQDFEMCAggA'
b'MAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBC4JTP9fjXwZKZvGtAh2pMUBIIE'
b'0KesVBfk5OIRiRJ0nGRAvLlnBNmKRrsvRYYdC7ltTgNe56LSfyyEqmGkmmYVOxSc'
b'MnEISOvpgSqC/j2PK20iUxvPV/jgj1ubbhjpio0zw79NreSXW1r6VI//y40dERhn'
b'xAkgjo8HjAr7mhoD24DcCxBY1nonV5oaViE9jGxmai6xxJMY54Q0ROymZ/WvD242'
b'cJIwp2SelceQ/krgM8RNiwm6b+Qi5zSU26qRSJVoztlJq9XeNm9co3ExEXoT4erp'
b'cG4qaxUQBreTn1luSYR0bQaASyZwU0iE7li59/iQXrF0hVL2gnpA2me6qqQQyzIr'
b'6R9EG4uX9dpflu52/f8b69AkmYkcSyjC4TDNlOAFcu7cQv2YLTTYWeVa4w9chRE6'
b'vBWqzsmQgFd4z/EOq0nC4yevu4Jw5ei9bpNdaJmMJBBjH/eV1UYsshwF1eo6XlGZ'
b'YZIhQbVgoaasLbVuHkCwLp17NLdzFLA1ylrbzsmJak734t0r5zdoMP48wd7rtCJ1'
b'X2E5Mn86Svjv3U5KIE/VFzfmtefbfhKQSzP9S7yIlqNSxwQoL+zfnK4wYNv+XvAO'
b'IxGtxhjx4HU1yLP4j99BxFWVA1iDphS5y19ERppb3yHhxtkwiM4A/Ijj1SuG/S5S'
b'Vyg3GvIXH1BZErz4lZhgZ45Gj9dOWcNflsireHEZGmkKkfnLAuGy+QtaB0dpXUO5'
b'9yVmi+8teArqk7VnewF7oKD5D8apYV6g4hrLmIsdmno4QsHXDgm5Gg8m+K/KbwWu'


b'serise:5b319e9455c55d212839a46e7d8df6b4c9fe79d4,amount:50,days:30'

### 使用DSA签名加密

DSA签名方案，Digital Signature Algorithm,  DSA是ElGamal签名方案的变种，被美国NIST作为DSS(DigitalSignature Standard)。其安全性依赖于离散对数难题.

In [20]:
import os
import base64
import hashlib
import netifaces
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.asymmetric import dsa
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import utils


class LicenceModel(object):

    def __init__(self):
        super(LicenceModel, self).__init__()
        self.trial_days = 30
        self.device_count = 50
        self.key = b'abcdefgh'  # 密钥 8位或16位,必须为bytes

    def crypto_password(self, pwd):
        md_5 = hashlib.md5()
        md_5.update(pwd.encode('utf8'))
        md5_pwd = md_5.hexdigest()
        sha1 = hashlib.sha1()
        sha1.update(md5_pwd.encode('utf8'))
        sha1_pwd = sha1.hexdigest()
        return sha1_pwd
    
    def get_device_info(self):
        names = netifaces.interfaces()
        names.sort()
        info = ''
        for name in names:
            mac_list = netifaces.ifaddresses(name)[netifaces.AF_LINK]
            for mac in mac_list:
                address = mac.get('addr')
                if address:
                    info += address
        print('device info: {}'.format(info))
        return info
    
    def get_device_series(self):
        device_series = None
        device_info =self.get_device_info()
        if device_info:
            device_series = self.crypto_password(device_info)
        print('device series: {}'.format(device_series))
        return device_series
    
    def get_message(self):
        device_serise = self.get_device_series()
        message = 'serise:{},amount:{},days:{}'.format(device_serise, self.device_count, self.trial_days)
        print('message: {}'.format(message))
        return message

    def genarator_DSA_keys(self):     
        private_key = dsa.generate_private_key(key_size=2048, backend=default_backend())
        public_key = private_key.public_key()
        self.serialize_private_key(private_key, password='use_password')
        self.serialize_public_key(public_key)

    def serialize_private_key(self, private_key, password=None):
        # 强烈建议对私钥进行序列化的时候用自己的密钥进行加密，这样不会将私钥完全暴露,
        # pem文件不止包含私钥，还包括一些有关私钥的重要信息
        if password:
            encryption_algorithm = serialization.BestAvailableEncryption(password.encode())
        else:
            # 不加密
            encryption_algorithm = encryption_algorithm=serialization.NoEncryption()

        pem = private_key.private_bytes(encoding=serialization.Encoding.PEM,
            format=serialization.PrivateFormat.PKCS8, encryption_algorithm=encryption_algorithm)
        print('生成秘钥:\n')
        with open('private_key.pem', 'wb') as f:
            for line in pem.splitlines():
                f.write(line+b'\n')
                print(line)
        print('\n')

    def serialize_public_key(self, public_key):
        pem = public_key.public_bytes(encoding=serialization.Encoding.PEM,
            format=serialization.PublicFormat.SubjectPublicKeyInfo)
        print('生成公钥:\n')
        with open('public_key.pem', 'wb') as f:
            for line in pem.splitlines():
                f.write(line+b'\n')
                print(line)
        print('\n')
        
    def load_private_key(self, password=None):
        with open("private_key.pem", "rb") as key_file:
            if password:
                private_key = serialization.load_pem_private_key(key_file.read(), password=password.encode(), backend=default_backend())
            else:
                private_key = serialization.load_pem_private_key(key_file.read(), backend=default_backend())
            return private_key
            

    def load_publice_key(self):
        with open("public_key.pem", "rb") as key_file:
            public_key = serialization.load_pem_public_key(
                key_file.read(), backend=default_backend())
            return public_key


    def signature_with_dsa(self, message):
        private_key = self.load_private_key(password='use_password')
        signature = private_key.sign(message, hashes.SHA256())
        signature = base64.b64encode(signature)
        with open('signature', 'wb') as f:
            f.write(signature)
        print(signature)

    def verify_signature(self, message):
        status = False
        public_key = self.load_publice_key()
        with open('signature', 'rb') as f:
            signature = f.read()
        signature = base64.b64decode(signature)
        try:
            public_key.verify(signature, message, hashes.SHA256())
            status = True
        except Exception  as e:
            print(e)
        print(status)
        return status


license = LicenceModel()

license.genarator_DSA_keys()

message = license.get_message()

message = message.encode()

license.signature_with_dsa(message)

license.verify_signature(message)

生成秘钥:

b'-----BEGIN ENCRYPTED PRIVATE KEY-----'
b'MIICzTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQIbJl2aZ8lD78CAggA'
b'MAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBBaPEvr8wDWrLfOK4eQYnCJBIIC'
b'cC+7A3AlMvVqM4lnfT6+IaqSA22QOX3xA1QWBe1hlZx4um024YEMzINL7GikZBFS'
b'rWgXCTDuD8ndkmMh3AAEW+Dj7d2/VBTX6ScDx4EC6kllA1FyAeImPdXZydArh41Z'
b'WjzSrFrD05E4UjD7Eai++hp9OiALXQuDB5iFuWASocyhhyUdTOxBG6DCvsIlNIna'
b'qAKNcL6C0g6BMkUdlTguZL82a6DWtjdSrkZrL7f6tJ5mlPg9DPm4KzEQebgovH58'
b'4XR9ruioONybBhQKZWUPe7jumwAwwPzbvrUAcRRhO0pWRl475X/OYVIyDu5NvfGu'
b'7ePEZCGFY7/d9rJzvW7kwnZHFO4wvoVUaxu+lR7nQkzlSXLiznNqIlmXbpTbfftM'
b'6O8neHx8ILHki0Qsz4j5QZrj7xfNC76x5F1MizgEKqrFHQNA1x9i7TwiaBbR5mBH'
b'kkYseg9qgzqOxLPJ/C9AJf30EXYfAq7ogOlf/lTs3sjHCgLr6cZQ+f7o/R/qQOpM'
b'PsjWZzB+GPc0zzJVwyAIgFn/G62c0tIWNBhnMzymSXaFNt54xcKTRXRe3VmE44AD'
b'M9Y7AHjlFxq/aGRQoCbES8WS1E77R0+SiNIkHvNN6BdfECQEky/R1Wm8SvpNiCgB'
b'lwiEr8mWRmt9n6/Es9CTURDGjiNSVyudJSdsxf1P/qtb+VnejeJ5k00dDZ9r5xw7'
b'hIEKNwVDPKgrDsAw88jmGN/xmLK+9i9uT1mq2XPofNlQtbjchheEtIQ2H83X7oe9'


True

### DES加密(对称加密)

DES对称加密,只有一把密匙,公用一把密匙

In [11]:
# crypto==1.4.1
import os
import base64
import hashlib
import netifaces
from Crypto.Cipher import DES

class LicenceModel(object):

    def __init__(self):
        super(LicenceModel, self).__init__()
        self.trial_days = 30
        self.device_count = 50
#         self.key = b'abcdefgh'  # 密钥 8位或16位,必须为bytes

    def crypto_password(self, pwd):
        md_5 = hashlib.md5()
        md_5.update(pwd.encode('utf8'))
        md5_pwd = md_5.hexdigest()
        sha1 = hashlib.sha1()
        sha1.update(md5_pwd.encode('utf8'))
        sha1_pwd = sha1.hexdigest()
        return sha1_pwd
    
    def get_device_info(self):
        names = netifaces.interfaces()
        names.sort()
        info = ''
        for name in names:
            mac_list = netifaces.ifaddresses(name)[netifaces.AF_LINK]
            for mac in mac_list:
                address = mac.get('addr')
                if address:
                    info += address
        print('device info: {}'.format(info))
        return info
    
    def get_device_series(self):
        device_series = None
        device_info =self.get_device_info()
        if device_info:
            device_series = self.crypto_password(device_info)
        print('device series: {}'.format(device_series))
        return device_series
    
    def get_message(self):
        device_serise = self.get_device_series()
        message = 'serise:{},amount:{},days:{}'.format(device_serise, self.device_count, self.trial_days)
        print('message: {}'.format(message))
        return message

    def pad(SELF, text):
        """
        # 加密函数，如果text不是8的倍数【加密文本text必须为8的倍数！】，那就补足为8的倍数
        :param text:
        :return:
        """
        while len(text) % 8 != 0:
            text += ' '
        return text

    def encrpyt_message(self, key, message):
        # 创建一个DES实例
        des = DES.new(key, DES.MODE_ECB)
        padded_text = self.pad(message)
        # 加密
        encrypted_text = des.encrypt(padded_text.encode('utf-8'))
        print(encrypted_text)
        return encrypted_text

    def decrypto_message(self, key, encrypted_text):
        des = DES.new(key, DES.MODE_ECB)
        # rstrip(' ')返回从字符串末尾删除所有字符串的字符串(默认空白字符)的副本
        plain_text = des.decrypt(encrypted_text).decode().rstrip(' ')  # 解密
        print(plain_text)

# 密钥 8位或16位,必须为bytes
key = 'abcdefgh'.encode()  
license = LicenceModel()
message = license.get_message()
encrypted_text = license.encrpyt_message(key, message)
license.decrypto_message(key, encrypted_text)

device info: 00:50:56:c0:00:0800:50:56:c0:00:0150:9a:4c:22:09:3800:15:5d:8f:8e:71
device series: 5b319e9455c55d212839a46e7d8df6b4c9fe79d4
message: serise:5b319e9455c55d212839a46e7d8df6b4c9fe79d4,amount:50,days:30
b"\x05b\x1fn\xf2\x94\xbf\xecx\xd9!uerZ\xefG\x08\xbbN\xf8\x17sc\x14b<L\xfe\x88\xd3\xb4\xa3\r\xf7W\xbfn\x08[E1Cg'\x9aqw\xd28\x1d\x1aX\xa3\xf8\x81{\x84\x8d\x12\xf0m\x06wv\xeb)!\xbe\xfd\xde\xd8"
serise:5b319e9455c55d212839a46e7d8df6b4c9fe79d4,amount:50,days:30
