首次提交

paste/security/cryp_rsa.py

@@ -0,0 +1,59 @@
+import base64
+
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives.asymmetric import padding, rsa
+
+
+def generate_rsa_keypair():
+    """
+    生成RSA密钥对，并返回公钥的PEM格式字符串。
+
+    此函数生成一个2048位的RSA密钥对，使用65537作为公钥指数。
+    仅返回公钥部分的PEM编码字符串，私钥不返回以确保安全性。
+
+    返回:
+        str: 公钥的PEM格式字符串，包含-----BEGIN PUBLIC KEY-----和-----END PUBLIC KEY-----头尾。
+
+    示例:
+        -----BEGIN PUBLIC KEY-----
+        MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...
+        -----END PUBLIC KEY-----
+
+    注意:
+        - 私钥在此函数中生成但未返回，应由调用方安全存储。
+        - 不建议在生产环境中直接使用此函数生成密钥，应使用更安全的密钥管理服务。
+    """
+    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
+    public_key = private_key.public_key()
+
+    # 获取公钥的 PEM 格式
+    public_pem = public_key.public_bytes(
+        encoding=serialization.Encoding.PEM,
+        format=serialization.PublicFormat.SubjectPublicKeyInfo
+    ).decode('utf-8')
+
+    return public_pem
+
+
+def rsa_encrypt_pkcs1_v1_5(public_key_pem, plaintext):
+    """
+    使用 PKCS#1 v1.5 填充对字符串进行 RSA 加密。
+
+    :param public_key_pem: 公钥的 PEM 格式字符串
+    :param plaintext: 要加密的明文字符串
+    :return: Base64 编码的加密后字节串
+    """
+    # 加载公钥
+    public_key = serialization.load_pem_public_key(public_key_pem.encode())
+
+    # 将字符串编码为字节
+    plaintext_bytes = plaintext.encode('utf-8')
+
+    # 使用 PKCS#1 v1.5 填充进行加密
+    ciphertext = public_key.encrypt(
+        plaintext_bytes,
+        padding.PKCS1v15()
+    )
+
+    # 返回 Base64 编码的加密结果
+    return base64.b64encode(ciphertext).decode('utf-8')

paste/security/shash.py

@@ -0,0 +1,106 @@
+import hashlib
+import hmac
+import secrets
+from typing import Tuple
+
+SALT_CHARS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
+"""
+加盐字符。
+"""
+
+DEFAULT_PBKDF2_ITERATIONS = 260000
+"""
+加密迭代数。
+"""
+
+
+def gen_salt(length: int) -> str:
+    """
+    Generate a random string of SALT_CHARS with specified ``length``.
+    """
+    if length <= 0:
+        raise ValueError("Salt length must be positive")
+
+    return "".join(secrets.choice(SALT_CHARS) for _ in range(length))
+
+
+def _hash_internal(method: str, salt: str, password: str) -> Tuple[str, str]:
+    """
+    Internal password hash helper. Supports plaintext without salt, unsalted and salted passwords.
+    In case salted passwords are used hmac is used.
+    """
+    if method == "plain":
+        return password, method
+
+    salt = salt.encode("utf-8")
+    password = password.encode("utf-8")
+
+    if method.startswith("pbkdf2:"):
+        if not salt:
+            raise ValueError("Salt is required for PBKDF2")
+
+        args = method[7:].split(":")
+
+        if len(args) not in (1, 2):
+            raise ValueError("Invalid number of arguments for PBKDF2")
+
+        method = args.pop(0)
+        iterations = int(args[0] or 0) if args else DEFAULT_PBKDF2_ITERATIONS
+        return (
+            hashlib.pbkdf2_hmac(method, password, salt, iterations).hex(),
+            f"pbkdf2:{method}:{iterations}",
+        )
+
+    if salt:
+        return hmac.new(salt, password, method).hexdigest(), method
+
+    return hashlib.new(method, password).hexdigest(), method
+
+
+def generate_password_hash(pwd: str, method: str = "pbkdf2:sha256", salt_length: int = 16) -> str:
+    """
+    Hash a password with the given method and salt with a string of
+    the given length. The format of the string returned includes the method
+    that was used so that :func:`check_password_hash` can check the hash.
+
+    The format for the hashed string looks like this::
+
+        method$salt$hash
+
+    This method can **not** generate unsalted passwords but it is possible
+    to set param method='plain' in order to enforce plaintext passwords.
+    If a salt is used, hmac is used internally to salt the password.
+
+    If PBKDF2 is wanted it can be enabled by setting the method to
+    ``pbkdf2:method:iterations`` where iterations is optional::
+
+        pbkdf2:sha256:80000$salt$hash
+        pbkdf2:sha256$salt$hash
+
+    :param pwd: the password to hash
+    :param method: the hash method to use (one that hashlib supports). Can
+                   optionally be in the format ``pbkdf2:method:iterations``
+                   to enable PBKDF2
+    :param salt_length: the length of the salt in letters
+    """
+    salt = gen_salt(salt_length) if method != "plain" else ""
+    h, actual_method = _hash_internal(method, salt, pwd)
+    return f"{actual_method}${salt}${h}"
+
+
+def check_password_hash(pwd_hash: str, password: str) -> bool:
+    """
+    Check a password against a given salted and hashed password value.
+    In order to support unsalted legacy passwords this method supports
+    plain text passwords, md5 and sha1 hashes (both salted and unsalted).
+
+    Returns `True` if the password matched, `False` otherwise
+    :param pwd_hash: a hashed string like returned by
+                   :func:`generate_password_hash`
+    :param password: the plaintext password to compare against the hash
+    """
+    if pwd_hash.count("$") < 2:
+        return False
+
+    method, salt, hash_val = pwd_hash.split("$", 2)
+    return hmac.compare_digest(_hash_internal(method, salt, password)[0], hash_val)

paste/security/token.py

@@ -0,0 +1,89 @@
+import base64
+import datetime
+import uuid
+from typing import Optional
+
+import jwt
+
+SECRET_KEY = 'IrOYFjXtQPuofoXEpsR+2VsvjnaCWkPzvfmym1qNmcI='
+"""
+自定义密钥，生成方法见 generate_secret_key() 函数。该密钥应当在应用程序服务器启动时更新，并使用动态生成的密钥。
+"""
+
+PRIVATE_ISS = 'hǎi_tén_education_technology_co_ltd'
+"""
+签发者签名。
+"""
+
+
+def generate_secret_key():
+    """
+    生成如 IrOYFjXtQPuofoXEpsR+2VsvjnaCWkPzvfmym1qNmcI= 的随机串。
+    """
+    return base64.b64encode(uuid.uuid4().bytes + uuid.uuid4().bytes).decode()
+
+
+def reset_secret_key():
+    """
+    重置加密密钥。
+
+    :return: 加密密钥
+    """
+    global SECRET_KEY
+    SECRET_KEY = generate_secret_key()
+    return SECRET_KEY
+
+
+def get_secret_key():
+    """
+    取得加密密钥。
+
+    :return: 加密密钥
+    """
+    global SECRET_KEY
+    return SECRET_KEY
+
+
+def encode_token(exp: Optional[datetime.datetime] = None, **kwargs):
+    """
+    对用户信息加密生成令牌。
+
+    :param exp: 过期时间，不传默认 7 天过期
+    :param kwargs: 要加入到数据部分的参数
+    :return: 加密后的 token 内容
+    """
+    try:
+        iat = datetime.datetime.now(datetime.timezone.utc)
+        exp = exp if exp else iat + datetime.timedelta(days=7)
+        # 即 JWT 三部分中的载荷部分
+        # 过期时间最后是和 UTC 作比较，所以设置的时候使用 datetime.datetime.now()
+        payload = {
+            'iss': PRIVATE_ISS,     # 签发者
+            'iat': iat,             # 签发时间
+            'exp': exp,             # 过期时间，这里设置7天
+            'params': {}            # 参数，存放用户自定义数据
+        }
+
+        payload['params'].update(kwargs)
+
+        # 开始进行加密，返回字符串，传入例如密钥，指定加密算法
+        # encode 返回的是 bytes，需要 decode() 得到 str,不转换的话，在封装json的时候报错
+        auth_token = jwt.encode(payload, SECRET_KEY, algorithm='HS256')
+        if isinstance(auth_token, bytes):
+            auth_token = auth_token.decode()
+        return auth_token
+    except Exception as e:
+        raise e
+
+
+def decode_token(auth_token: str):
+    """
+    解码 token 并从中提取用户信息，进行验证。
+
+    :param auth_token: 令牌
+    """
+    # 如果需要关闭过期时间的验证，可以在 options 中使用 verify_exp
+    # jwt.decode(auth_token, secret_key, issuer=private_iss, algorithms=['HS256'], options={'verify_exp': False})
+    # 传入了密钥和算法，和加密是对应的，因此密钥一定不要泄露
+    token_payload = jwt.decode(auth_token, SECRET_KEY, issuer=PRIVATE_ISS, algorithms=['HS256'])
+    return token_payload