原文链接:http://joelinoff.com/blog/?p=885
这里的示例显示了如何使用python以与openssl aes-256-cbc完全兼容的方式加密和解密数据。它是基于我在本网站上发布的C ++ Cipher类中所做的工作。它适用于python-2.7和python-3.x。
关键思想是基于openssl生成密钥和iv密码的数据以及它使用的“Salted__”前缀的方式。
因为我也掌握openssl的内部细节,所以先留着,等以后要是遇到需要了,在研究
使用方法
代码:
#!/usr/bin/env python'''Implement openssl compatible AES-256 CBC mode encryption/decryption.This module provides encrypt() and decrypt() functions that are compatiblewith the openssl algorithms.This is basically a python encoding of my C++ work on the Cipher classusing the Crypto.Cipher.AES class.URL: http://projects.joelinoff.com/cipher-1.1/doxydocs/html/'''# LICENSE## MIT Open Source## Copyright (c) 2014 Joe Linoff## Permission is hereby granted, free of charge, to any person# obtaining a copy of this software and associated documentation files# (the "Software"), to deal in the Software without restriction,# including without limitation the rights to use, copy, modify, merge,# publish, distribute, sublicense, and/or sell copies of the Software,# and to permit persons to whom the Software is furnished to do so,# subject to the following conditions:## The above copyright notice and this permission notice shall be# included in all copies or substantial portions of the Software.## THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE# SOFTWARE.import argparseimport base64import osimport reimport hashlibimport inspectimport sysfrom getpass import getpassfrom Crypto.Cipher import AESVERSION='1.2'# ================================================================# debug# ================================================================def _debug(msg, lev=1): ''' Print a debug message with some context. ''' sys.stderr.write('DEBUG:{} ofp {}\n'.format(inspect.stack()[lev][2], msg))# ================================================================# get_key_and_iv# ================================================================def get_key_and_iv(password, salt, klen=32, ilen=16, msgdgst='md5'): ''' Derive the key and the IV from the given password and salt. This is a niftier implementation than my direct transliteration of the C++ code although I modified to support different digests. CITATION: http://stackoverflow.com/questions/13907841/implement-openssl-aes-encryption-in-python @param password The password to use as the seed. @param salt The salt. @param klen The key length. @param ilen The initialization vector length. @param msgdgst The message digest algorithm to use. ''' # equivalent to: # from hashlib import as mdf # from hashlib import md5 as mdf # from hashlib import sha512 as mdf mdf = getattr(__import__('hashlib', fromlist=[msgdgst]), msgdgst) password = password.encode('ascii', 'ignore') # convert to ASCII try: maxlen = klen + ilen keyiv = mdf(password + salt).digest() tmp = [keyiv] while len(tmp) < maxlen: tmp.append( mdf(tmp[-1] + password + salt).digest() ) keyiv += tmp[-1] # append the last byte key = keyiv[:klen] iv = keyiv[klen:klen+ilen] return key, iv except UnicodeDecodeError: return None, None# ================================================================# encrypt# ================================================================def encrypt(password, plaintext, chunkit=True, msgdgst='md5'): ''' Encrypt the plaintext using the password using an openssl compatible encryption algorithm. It is the same as creating a file with plaintext contents and running openssl like this: $ cat plaintext <div></div> $ openssl enc -e -aes-256-cbc -base64 -salt \\ -pass pass:<password> -n plaintext @param password The password. @param plaintext The plaintext to encrypt. @param chunkit Flag that tells encrypt to split the ciphertext into 64 character (MIME encoded) lines. This does not affect the decrypt operation. @param msgdgst The message digest algorithm. ''' salt = os.urandom(8) key, iv = get_key_and_iv(password, salt, msgdgst=msgdgst) if key is None: return None # PKCS#7 padding padding_len = 16 - (len(plaintext) % 16) if isinstance(plaintext, str): padded_plaintext = plaintext + (chr(padding_len) * padding_len) else: # assume bytes padded_plaintext = plaintext + (bytearray([padding_len] * padding_len)) # Encrypt cipher = AES.new(key, AES.MODE_CBC, iv) ciphertext = cipher.encrypt(padded_plaintext) # Make openssl compatible. # I first discovered this when I wrote the C++ Cipher class. # CITATION: http://projects.joelinoff.com/cipher-1.1/doxydocs/html/ openssl_ciphertext = b'Salted__' + salt + ciphertext b64 = base64.b64encode(openssl_ciphertext) if not chunkit: return b64 LINELEN = 64 chunk = lambda s: b'\n'.join(s[i:min(i+LINELEN, len(s))] for i in range(0, len(s), LINELEN)) return chunk(b64)# ================================================================# decrypt# ================================================================def decrypt(password, ciphertext, msgdgst='md5'): ''' Decrypt the ciphertext using the password using an openssl compatible decryption algorithm. It is the same as creating a file with ciphertext contents and running openssl like this: $ cat ciphertext # ENCRYPTED <ciphertext> $ egrep -v '^#|^$' | \\ openssl enc -d -aes-256-cbc -base64 -salt -pass pass:<password> -in ciphertext @param password The password. @param ciphertext The ciphertext to decrypt. @param msgdgst The message digest algorithm. @returns the decrypted data. ''' # unfilter -- ignore blank lines and comments if isinstance(ciphertext, str): filtered = '' nl = '\n' re1 = r'^\s*$' re2 = r'^\s*#' else: filtered = b'' nl = b'\n' re1 = b'^\\s*$' re2 = b'^\\s*#' for line in ciphertext.split(nl): line = line.strip() if re.search(re1,line) or re.search(re2, line): continue filtered += line + nl # Base64 decode raw = base64.b64decode(filtered) assert(raw[:8] == b'Salted__' ) salt = raw[8:16] # get the salt # Now create the key and iv. key, iv = get_key_and_iv(password, salt, msgdgst=msgdgst) if key is None: return None # The original ciphertext ciphertext = raw[16:] # Decrypt cipher = AES.new(key, AES.MODE_CBC, iv) padded_plaintext = cipher.decrypt(ciphertext) if isinstance(padded_plaintext, str): padding_len = ord(padded_plaintext[-1]) else: padding_len = padded_plaintext[-1] plaintext = padded_plaintext[:-padding_len] return plaintext# include the code above ...# ================================================================# _open_ios# ================================================================def _open_ios(args): ''' Open the IO files. ''' ifp = sys.stdin ofp = sys.stdout if args.input is not None: try: ifp = open(args.input, 'rb') except IOError: print('ERROR: cannot read file: {}'.format(args.input)) sys.exit(1) if args.output is not None: try: ofp = open(args.output, 'wb') except IOError: print('ERROR: cannot write file: {}'.format(args.output)) sys.exit(1) return ifp, ofp# ================================================================# _close_ios# ================================================================def _close_ios(ifp, ofp): ''' Close the IO files if necessary. ''' if ifp != sys.stdin: ifp.close() if ofp != sys.stdout: ofp.close()# ================================================================# _write# ================================================================def _write(ofp, out, newline=False): ''' Write out the data in the correct format. ''' if ofp == sys.stdout and isinstance(out, bytes): out = out.decode('utf-8', 'ignored') ofp.write(out) if newline: ofp.write('\n') elif isinstance(out, str): ofp.write(out) if newline: ofp.write('\n') else: # assume bytes ofp.write(out) if newline: ofp.write(b'\n') # ================================================================# _write# ================================================================def _read(ifp): ''' Read the data in the correct format. ''' return ifp.read()# ================================================================# _runenc# ================================================================def _runenc(args): ''' Encrypt data. ''' if args.passphrase is None: while True: passphrase = getpass('Passphrase: ') tmp = getpass('Re-enter passphrase: ') if passphrase == tmp: break print('') print('Passphrases do not match, please try again.') else: passphrase = args.passphrase ifp, ofp = _open_ios(args) text = _read(ifp) out = encrypt(passphrase, text, msgdgst=args.msgdgst) _write(ofp, out, True) _close_ios(ifp, ofp)# ================================================================# _rundec# ================================================================def _rundec(args): ''' Decrypt data. ''' if args.passphrase is None: passphrase = getpass('Passphrase: ') else: passphrase = args.passphrase ifp, ofp = _open_ios(args) text = _read(ifp) out = decrypt(passphrase, text, msgdgst=args.msgdgst) _write(ofp, out, False) _close_ios(ifp, ofp)# ================================================================# _runtest# ================================================================def _runtest(args): ''' Run a series of iteration where each iteration generates a random password from 8-32 characters and random text from 20 to 256 characters. The encrypts and decrypts the random data. It then compares the results to make sure that everything works correctly. The test output looks like this: $ crypt 2000 2000 of 2000 100.00% 15 139 2000 0 $ # ^ ^ ^ ^ ^ ^ $ # | | | | | +-- num failed $ # | | | | +---------- num passed $ # | | | +-------------- size of text for a test $ # | | +----------------- size of passphrase for a test $ # | +-------------------------- percent completed $ # +------------------------------- total # #+------------------------------------ current test @param args The args parse arguments. ''' import string import random from random import randint # Encrypt/decrypt N random sets of plaintext and passwords. num = args.test ofp = sys.stdout if args.output is not None: try: ofp = open(args.output, 'w') except IOError: print('ERROR: can open file for writing: {}'.format(args.output)) sys.exit(1) chset = string.printable passed = 0 failed = [] maxlen = len(str(num)) for i in range(num): ran1 = randint(8,32) password = ''.join(random.choice(chset) for x in range(ran1)) ran2 = randint(20, 256) plaintext = ''.join(random.choice(chset) for x in range(ran2)) ciphertext = encrypt(password, plaintext, msgdgst=args.msgdgst) verification = decrypt(password, ciphertext, msgdgst=args.msgdgst) if plaintext != verification: failed.append( [password, plaintext] ) else: passed += 1 output = '%*d of %d %6.2f%% %3d %3d %*d %*d %s' % (maxlen,i+1, num, 100*(i+1)/num, len(password), len(plaintext), maxlen, passed, maxlen, len(failed), args.msgdgst) if args.output is None: ofp.write('\b'*80) ofp.write(output) ofp.flush() else: ofp.write(output+'\n') ofp.write('\n') if len(failed): for i in range(len(failed)): ofp.write('%3d %2d %-34s %3d %s\n' % (i, len(failed[i][0]), '"'+failed[i][0]+'"', len(failed[i][1]), '"'+failed[i][1]+'"')) ofp.write('\n') if args.output is not None: ofp.close()# ================================================================# _cli_opts# ================================================================def _cli_opts(): ''' Parse command line options. @returns the arguments ''' mepath = os.path.abspath(sys.argv[0]).encode('utf-8') mebase = os.path.basename(mepath) description = ''' Implements encryption/decryption that is compatible with openssl AES-256 CBC mode. You can use it as follows: EXAMPLE 1: {0} -> {0} (MD5) $ # Encrypt and decrypt using {0}. $ echo 'Lorem ipsum dolor sit amet' | \\ {0} -e -p secret | \\ {0} -d -p secret Lorem ipsum dolor sit amet EXAMPLE 2: {0} -> openssl (MD5) $ # Encrypt using {0} and decrypt using openssl. $ echo 'Lorem ipsum dolor sit amet' | \\ {0} -e -p secret | \\ openssl enc -d -aes-256-cbc -md md5 -base64 -salt -pass pass:secret Lorem ipsum dolor sit amet EXAMPLE 3: openssl -> {0} (MD5) $ # Encrypt using openssl and decrypt using {0} $ echo 'Lorem ipsum dolor sit amet' | \\ openssl enc -e -aes-256-cbc -md md5 -base64 -salt -pass pass:secret {0} -d -p secret Lorem ipsum dolor sit amet EXAMPLE 4: openssl -> openssl (MD5) $ # Encrypt and decrypt using openssl $ echo 'Lorem ipsum dolor sit amet' | \\ openssl enc -e -aes-256-cbc -md md5 -base64 -salt -pass pass:secret openssl enc -d -aes-256-cbc -md md5 -base64 -salt -pass pass:secret Lorem ipsum dolor sit amet EXAMPLE 5: {0} -> {0} (SHA512) $ # Encrypt and decrypt using {0}. $ echo 'Lorem ipsum dolor sit amet' | \\ {0} -e -m sha512 -p secret | \\ {0} -d -m sha512 -p secret Lorem ipsum dolor sit amet EXAMPLE 6: {0} -> openssl (SHA512) $ # Encrypt using {0} and decrypt using openssl. $ echo 'Lorem ipsum dolor sit amet' | \\ {0} -e -m sha512 -p secret | \\ openssl enc -d -aes-256-cbc -md sha1=512 -base64 -salt -pass pass:secret Lorem ipsum dolor sit amet EXAMPLE 7: $ # Run internal tests. $ {0} -t 2000 2000 of 2000 100.00%% 21 104 2000 0 md5 $ # ^ ^ ^ ^ ^ ^ ^ $ # | | | | | | +- message digest $ # | | | | | +--- num failed $ # | | | | +----------- num passed $ # | | | +--------------- size of text for a test $ # | | +------------------ size of passphrase for a test $ # | +--------------------------- percent completed $ # +-------------------------------- total # #+------------------------------------- current test'''.format(mebase.decode('ascii', 'ignore')) parser = argparse.ArgumentParser(prog=mebase, formatter_class=argparse.RawDescriptionHelpFormatter, description=description, ) group = parser.add_mutually_exclusive_group(required=True) group.add_argument('-d', '--decrypt', action='store_true', help='decryption mode') group.add_argument('-e', '--encrypt', action='store_true', help='encryption mode') parser.add_argument('-i', '--input', action='store', help='input file, default is stdin') parser.add_argument('-m', '--msgdgst', action='store', default='md5', help='message digest (md5, sha, sha1, sha256, sha512), default is md5') parser.add_argument('-o', '--output', action='store', help='output file, default is stdout') parser.add_argument('-p', '--passphrase', action='store', help='passphrase for encrypt/decrypt operations') group.add_argument('-t', '--test', action='store', default=-1, type=int, help='test mode (TEST is an integer)') parser.add_argument('-v', '--verbose', action='count', help='the level of verbosity') parser.add_argument('-V', '--version', action='version', version='%(prog)s '+VERSION) args = parser.parse_args() return args# ================================================================# main# ================================================================def main(): args = _cli_opts() if args.test > 0: if args.input is not None: print('WARNING: input argument will be ignored.') if args.passphrase is not None: print('WARNING: passphrase argument will be ignored.') _runtest(args) elif args.encrypt: _runenc(args) elif args.decrypt: _rundec(args)# ================================================================# MAIN# ================================================================if __name__ == "__main__": main()<div></div> </plaintext><div></div> </mdi></pre> <div></div> </div> <div></div> <span class="cnblogs_code_collapse">View Code</span> <div></div> </div> <div></div> <p> </p> <div></div> </div> <div></div> <p>转载于:https://www.cnblogs.com/renfanzi/p/7358578.html</p><div></div> </body><div></div></html></div>
</div>
<div class="more-title">
你可能感兴趣的文章
</div>
<a class="new-title" href="http://klwsv.baihongyu.com/">
<div class="item-more" data-scroll-reveal>
<div class="find-title">Find Backpacker Jobs in Australia</div>
<div class="find">查看>></div>
</div>
</a><a class="new-title" href="http://ulwsv.baihongyu.com/">
<div class="item-more" data-scroll-reveal>
<div class="find-title">面试题:return和finally执行</div>
<div class="find">查看>></div>
</div>
</a><a class="new-title" href="http://ylwsv.baihongyu.com/">
<div class="item-more" data-scroll-reveal>
<div class="find-title">Heroku第三方服务接入指南(二)</div>
<div class="find">查看>></div>
</div>
</a><a class="new-title" href="http://jlwsv.baihongyu.com/">
<div class="item-more" data-scroll-reveal>
<div class="find-title">MSRA专访摘要</div>
<div class="find">查看>></div>
</div>
</a><a class="new-title" href="http://nlwsv.baihongyu.com/">
<div class="item-more" data-scroll-reveal>
<div class="find-title">团队作业4</div>
<div class="find">查看>></div>
</div>
</a><a class="new-title" href="http://glwsv.baihongyu.com/">
<div class="item-more" data-scroll-reveal>
<div class="find-title">第四次团队作业--选题</div>
<div class="find">查看>></div>
</div>
</a><a class="new-title" href="http://wmwsv.baihongyu.com/">
<div class="item-more" data-scroll-reveal>
<div class="find-title">记录专用</div>
<div class="find">查看>></div>
</div>
</a><a class="new-title" href="http://zmwsv.baihongyu.com/">
<div class="item-more" data-scroll-reveal>
<div class="find-title">一句实现jquery导航栏</div>
<div class="find">查看>></div>
</div>
</a><a class="new-title" href="http://jmwsv.baihongyu.com/">
<div class="item-more" data-scroll-reveal>
<div class="find-title">条形码生成包 BarCodeToHTML.cs(以颜色为背景的完整版)(下载的完整版)</div>
<div class="find">查看>></div>
</div>
</a><a class="new-title" href="http://nmwsv.baihongyu.com/">
<div class="item-more" data-scroll-reveal>
<div class="find-title">数据库事务的四大特性以及事务的隔离级别</div>
<div class="find">查看>></div>
</div>
</a><a class="new-title" href="http://imwsv.baihongyu.com/">
<div class="item-more" data-scroll-reveal>
<div class="find-title">电脑屏幕保护眼睛</div>
<div class="find">查看>></div>
</div>
</a><a class="new-title" href="http://smwsv.baihongyu.com/">
<div class="item-more" data-scroll-reveal>
<div class="find-title">有用的东西</div>
<div class="find">查看>></div>
</div>
</a><a class="new-title" href="http://pmwsv.baihongyu.com/">
<div class="item-more" data-scroll-reveal>
<div class="find-title">如何开启VMware串口</div>
<div class="find">查看>></div>
</div>
</a><a class="new-title" href="http://vmwsv.baihongyu.com/">
<div class="item-more" data-scroll-reveal>
<div class="find-title">数据库</div>
<div class="find">查看>></div>
</div>
</a><a class="new-title" href="http://tmwsv.baihongyu.com/">
<div class="item-more" data-scroll-reveal>
<div class="find-title">常见Struts、Hibernate、Spring、J2EE、ibatis、Oracle等开发框架架构图及其简介</div>
<div class="find">查看>></div>
</div>
</a><a class="new-title" href="http://xmwsv.baihongyu.com/">
<div class="item-more" data-scroll-reveal>
<div class="find-title">Java为何大行其道</div>
<div class="find">查看>></div>
</div>
</a><a class="new-title" href="http://lmwsv.baihongyu.com/">
<div class="item-more" data-scroll-reveal>
<div class="find-title">CFileDialog的使用方法简单介绍</div>
<div class="find">查看>></div>
</div>
</a><a class="new-title" href="http://mmwsv.baihongyu.com/">
<div class="item-more" data-scroll-reveal>
<div class="find-title">send,recv,sendto,recvfrom</div>
<div class="find">查看>></div>
</div>
</a><a class="new-title" href="http://qmwsv.baihongyu.com/">
<div class="item-more" data-scroll-reveal>
<div class="find-title">C#开发问题汇总</div>
<div class="find">查看>></div>
</div>
</a><a class="new-title" href="http://hmwsv.baihongyu.com/">
<div class="item-more" data-scroll-reveal>
<div class="find-title">Kettle</div>
<div class="find">查看>></div>
</div>
</a>
</div>
</div>
<div class="footer">
<div>
<div class="footer-main">
<div class="blog-name">喝酒易醉,品茶养心,人生如梦,品茶悟道,何以解忧?唯有杜康!-- 愿君每日到此一游!</div>
<div class="copyright">
当前时间: <span>2024-11-21 02:35:45</span>
当前IP: <span>18.118.10.36</span>
联系邮箱:javaeecc@qq.com
Copyright © 2020 - 2022 baihongyu.com
<a style="color: #FFFFFF;" href="https://beian.miit.gov.cn" target="_blank">京ICP备2021015314号-2</a>
</div>
</div>
<a href="http://gpt.css8.cn" target="_blank">
<div class="gpt-main-left">
强烈建议你试试无所不能的CHAT-GPT,快点击我
</div>
</a>
<a href="http://gpt.css8.cn" target="_blank">
<div class="gpt-main-right">
强烈建议你试试无所不能的CHAT-GPT,快点击我
</div>
</a>
</div>
</div>
<div>
<script src="/baihongyu/js/jquery-1.8.2.js"></script>
<script src="/baihongyu/js/scrollReveal.js"></script>
<script charset="UTF-8" id="LA_COLLECT" src="//sdk.51.la/js-sdk-pro.min.js"></script>
<script>LA.init({id: "JeQUgUJ4FtcgrGgk",ck: "JeQUgUJ4FtcgrGgk"})</script>
<script>
window.scrollReveal = new scrollReveal({
enter: 'left',
move: '80px',
over: '0.1s',
reset: true,
init: false
});
scrollReveal.init();
</script>
</div>
</body>
</html>