How do I use Public Key Encryption with the AWS Encryption SDK in Python?


I'm a bit lost on this, so I was wondering if anyone can help.

Does anyone know how to use public key encryption/decryption with RSA keys in PEM format?

I can get it to work if I use the private key in both directions, and I can get the public key to encrypt, but I don't know how to structure the script to make it work if I want to encrypt with the public key and decrypt with the private key. I saw there is an example in the Java-based version of the SDK, but I couldn't even work it out from that.

Can anyone point me in the right direction?

Some sample code for my encryption process using the public key:

    import os
    import aws_encryption_sdk
    from aws_encryption_sdk.internal.crypto import WrappingKey
    from aws_encryption_sdk.key_providers.raw import RawMasterKeyProvider
    from aws_encryption_sdk.identifiers import WrappingAlgorithm, EncryptionKeyType


    class StaticPublicMasterKeyProvider(RawMasterKeyProvider):
        # Raw master key provider that only ever hands out the public key,
        # so it can wrap (encrypt) data keys but never unwrap (decrypt) them.
        provider_id = 'static-public'

        def __init__(self, **kwargs):
            self._public_keys = {}

        def _get_raw_key(self, key_id):
            # Load the PEM-encoded RSA public key from disk for every key ID requested.
            with open("public_key.pem", "rb") as key_file:
                public_key = key_file.read()
            self._public_keys[key_id] = public_key

            return WrappingKey(
                wrapping_algorithm=WrappingAlgorithm.RSA_OAEP_SHA512_MGF1,
                wrapping_key=public_key,
                wrapping_key_type=EncryptionKeyType.PUBLIC
            )


    if __name__ == '__main__':
        source_file = r'myfile.jpg'
        source_file_enc = source_file + '.encrypt'

        # A random key ID; the provider returns the same public key for any ID.
        public_key_id = os.urandom(8)
        master_key_provider = StaticPublicMasterKeyProvider()
        master_key_provider.add_master_key(public_key_id)

        # Stream the file through the encryptor and write the ciphertext next to it.
        with open(source_file, 'rb') as sf, open(source_file_enc, 'wb') as sfe:
            with aws_encryption_sdk.stream(
                mode='e',
                source=sf,
                key_provider=master_key_provider
            ) as encryptor:
                for chunk in encryptor:
                    sfe.write(chunk)

I looked at the Python examples on AWS, and they use the private key in both directions.

Any help would be greatly appreciated.

Edit: documentation links:

AWS Encryption SDK Developers Guide

Python example generating RSA Key but using private key

Java example using RSA Public key

Note: both examples use multiple key providers, but still include RSA keys.

OK, I finally got the example I needed. For the current context, the current example only lives in a feature branch on GitHub (be careful in future, as this link may break. You may need to search in master to find the example you need):

https://github.com/aws/aws-encryption-sdk-python/blob/keyring/examples/src/master_key_provider/multi/aws_kms_with_escrow.py

Its content can be described as follows (taken directly from the example above):

    from aws_encryption_sdk.identifiers import EncryptionKeyType, WrappingAlgorithm
    from aws_encryption_sdk.internal.crypto.wrapping_keys import WrappingKey
    from aws_encryption_sdk.key_providers.raw import RawMasterKey

    # public_key_pem / private_key_pem are the PEM-encoded RSA keys as bytes,
    # read from your .pem files (or generated) before this point.

    # Create the encrypt master key that only has access to the public key.
    escrow_encrypt_master_key = RawMasterKey(
        # The provider ID and key ID are defined by you
        # and are used by the raw RSA master key
        # to determine whether it should attempt to decrypt
        # an encrypted data key.
        provider_id="some managed raw keys",  # provider ID corresponds to key namespace for keyrings
        key_id=b"my RSA wrapping key",  # key ID corresponds to key name for keyrings
        wrapping_key=WrappingKey(
            wrapping_key=public_key_pem,
            wrapping_key_type=EncryptionKeyType.PUBLIC,
            # The wrapping algorithm tells the raw RSA master key
            # how to use your wrapping key to encrypt data keys.
            #
            # We recommend using RSA_OAEP_SHA256_MGF1.
            # You should not use RSA_PKCS1 unless you require it for backwards compatibility.
            wrapping_algorithm=WrappingAlgorithm.RSA_OAEP_SHA256_MGF1,
        ),
    )

    # Create the decrypt master key that has access to the private key.
    escrow_decrypt_master_key = RawMasterKey(
        # The key namespace and key name MUST match the encrypt master key.
        provider_id="some managed raw keys",  # provider ID corresponds to key namespace for keyrings
        key_id=b"my RSA wrapping key",  # key ID corresponds to key name for keyrings
        wrapping_key=WrappingKey(
            wrapping_key=private_key_pem,
            wrapping_key_type=EncryptionKeyType.PRIVATE,
            # The wrapping algorithm MUST match the encrypt master key.
            wrapping_algorithm=WrappingAlgorithm.RSA_OAEP_SHA256_MGF1,
        ),
    )

If needed, escrow_encrypt_master_key can be added to a keyring to provide multiple keys to encrypt your payload.

I hope this helps someone in the future.

Thanks