| |
|
|
| from cryptography.hazmat.primitives.asymmetric import rsa, ed25519 |
| from cryptography.hazmat.primitives import serialization, hashes |
| from cryptography.hazmat.primitives.kdf.scrypt import Scrypt |
| from cryptography.hazmat.primitives.ciphers.aead import AESGCM |
| from cryptography.hazmat.backends import default_backend |
| import os |
| import base64 |
|
|
| backend = default_backend() |
|
|
| |
|
|
| def generate_rsa_key_pair(key_size=2048): |
| private_key = rsa.generate_private_key( |
| public_exponent=65537, |
| key_size=key_size, |
| backend=backend |
| ) |
| public_key = private_key.public_key() |
| return private_key, public_key |
|
|
| |
|
|
| def generate_ed25519_key_pair(): |
| private_key = ed25519.Ed25519PrivateKey.generate() |
| public_key = private_key.public_key() |
| return private_key, public_key |
|
|
| |
|
|
| def serialize_private_key(private_key, password: str = None): |
| if password: |
| encryption_algorithm = serialization.BestAvailableEncryption(password.encode()) |
| else: |
| encryption_algorithm = serialization.NoEncryption() |
| |
| return private_key.private_bytes( |
| encoding=serialization.Encoding.PEM, |
| format=serialization.PrivateFormat.PKCS8, |
| encryption_algorithm=encryption_algorithm |
| ) |
|
|
| def serialize_public_key(public_key): |
| return public_key.public_bytes( |
| encoding=serialization.Encoding.PEM, |
| format=serialization.PublicFormat.SubjectPublicKeyInfo |
| ) |
|
|
| def load_private_key(pem_data, password: str = None): |
| return serialization.load_pem_private_key( |
| pem_data, |
| password=password.encode() if password else None, |
| backend=backend |
| ) |
|
|
| def load_public_key(pem_data): |
| return serialization.load_pem_public_key( |
| pem_data, |
| backend=backend |
| ) |
|
|
| def generate_keypair(method="rsa", password: bytes = None): |
| """ |
| Создаёт пару ключей (приватный, публичный) с заданным методом. |
| method: "rsa" или "ed25519" |
| password: если указан, приватный ключ будет зашифрован |
| Возвращает (private_key_pem: bytes, public_key_pem: bytes) |
| """ |
| if method == "rsa": |
| private_key = rsa.generate_private_key( |
| public_exponent=65537, key_size=2048, backend=default_backend() |
| ) |
| elif method == "ed25519": |
| private_key = ed25519.Ed25519PrivateKey.generate() |
| else: |
| raise ValueError("Unsupported key generation method") |
|
|
| encryption_algorithm = ( |
| serialization.BestAvailableEncryption(password) |
| if password |
| else serialization.NoEncryption() |
| ) |
|
|
| private_pem = private_key.private_bytes( |
| encoding=serialization.Encoding.PEM, |
| format=serialization.PrivateFormat.PKCS8, |
| encryption_algorithm=encryption_algorithm, |
| ) |
|
|
| public_pem = private_key.public_key().public_bytes( |
| encoding=serialization.Encoding.PEM, |
| format=serialization.PublicFormat.SubjectPublicKeyInfo, |
| ) |
|
|
| return private_pem, public_pem |
|
|
| |
|
|
| def derive_key(password: str, salt: bytes = None): |
| if not salt: |
| salt = os.urandom(16) |
| kdf = Scrypt( |
| salt=salt, |
| length=32, |
| n=2**14, |
| r=8, |
| p=1, |
| backend=backend |
| ) |
| key = kdf.derive(password.encode()) |
| return key, salt |
|
|
| def encrypt_data(data: bytes, password: str): |
| key, salt = derive_key(password) |
| aesgcm = AESGCM(key) |
| nonce = os.urandom(12) |
| encrypted = aesgcm.encrypt(nonce, data, None) |
| return { |
| 'ciphertext': base64.b64encode(encrypted).decode(), |
| 'salt': base64.b64encode(salt).decode(), |
| 'nonce': base64.b64encode(nonce).decode() |
| } |
|
|
| def decrypt_data(encrypted_data: dict, password: str): |
| ciphertext = base64.b64decode(encrypted_data['ciphertext']) |
| salt = base64.b64decode(encrypted_data['salt']) |
| nonce = base64.b64decode(encrypted_data['nonce']) |
| key, _ = derive_key(password, salt=salt) |
| aesgcm = AESGCM(key) |
| return aesgcm.decrypt(nonce, ciphertext, None) |
|
|
| |
|
|
| if __name__ == "__main__": |
| priv, pub = generate_ed25519_key_pair() |
| priv_pem = serialize_private_key(priv) |
| pub_pem = serialize_public_key(pub) |
|
|
| print("PRIVATE PEM:") |
| print(priv_pem.decode()) |
| print("PUBLIC PEM:") |
| print(pub_pem.decode()) |
|
|
| encrypted = encrypt_data(priv_pem, "secret-password") |
| decrypted = decrypt_data(encrypted, "secret-password") |
| assert decrypted == priv_pem |
| print("✅ Encryption/decryption OK") |
|
|
