无法通过python3从AWS Secrets Manager正确访问GPG公钥/私钥

时间:2019-12-20 03:00:36

标签: json python-3.x gnupg aws-secrets-manager

我正在使用python-gnupg包创建GPG公钥和私钥。我存储在AWS Secrets Manager中的生成的私钥如下。

Key: private_key
value: -----BEGIN PGP PRIVATE KEY BLOCK-----
Version: GnuPG v2.0.22 (GNU/Linux)

lQO+BF37qDIBCADXq0iJVRYFb43+YU8Ts63hDgZl49ZNdnDVhd9H0JMXRHqtPqt9
bbFePPN47NRe6z6GsbPaPmDqEE9l3KjFnSZB/yCii+2wHZR0ij2g3ATbiAbOoQQy
I6bbUADmHtcfIJByoXVoDk489nUPt84Xyp1lHiBfCtUmq4w62Okq6InlRhxjxcEx
VvSXaCY8YnEXUAgNGpvcKHDejGS9V4djh7r7lgJ/Y+3Xb2eepOfiaCx2Cn8ZMI0q
7eWH0MmSeR4ueOLeb79ZKjpJraBfV91XplgHHiM18oECWWwsQCFiwi1GVOLpX6Fh
HIoUyaRAW2vZyFcNnO7iLbetie6fE884lfHxABEBAAH+AwMCO+Qoh7o3GWVga9f2
gHEeuGGH4KB3aspQZt/zwKpx7YlDB/uLd4q7JQt35nIH6pfYdMwgQt001CRhsGvX
QVKIkvipQvJZgCO8Nix7xYCukH0cI4TXD7S9BmRNMCPi74+Q1J3cDfKHCseynMNF
GzBeCDx6LW3CVfKKs0Mc2ecSl0c8gxaPDi3AfACRMefEAuVQyo82qJKjpI+O/Yik
z40C5OgK0XfetKstxcH4B0bx0o/PrUpYFM/gHHgFkbpVg5citcvFY4VcEkWryVcg
yF0qBPXP0OKBtCUU1ZGiCwRJy8iGd/dOOICcSCfMNy+jzzM3FSVzei69x7MYt3xu
IzCsmHpDvpdL7tiDDHgwajZeFFPTzf7Ic90K6TapQ3H59xPMxnL9K5o9rP1glRY0
8e4zYjYxg9A6Yl3K5zdqs+M1A3Os70HUlWZXZ4LQNcidPd1rhnPnm9eXkyV2ScXl
dE38aOA5pnrL0WZUM3/OLAToMP6h4rjw9WLqqgWlrl6yz9bhZrfRxlhZaEtNs1bi
pgrmPK/a5fK++BjMSuA94EkXTVNjKWNQBzcmrff27M1TMwN+34NWj3dk/a1gyflP
QZgK3MT+0GaMCcvy1EoZ87ffLQrWwFJOw5nT83yG7VBbuerSEk/tk30bxmYN6HzO
zvQgSjDiiH+ANXVupnzDjjBREmH6V1Hv+7Q0vrjKQHd3eYvKJpAWfFr9kO8DzKck
ZkSMj487SjlHbh33z1yupuwAtjyYQ5tN1adSlDa92t0Q08udnFDQtxXEnL6rw/Du
llEuCEVC9UYcNwwQGMsGXQBFFfj1389WHr0hkSOvyS1nPiIku5kNXDhSWq7/okTS
FwnCt+wbZa6TWbXjwKzHzu4LOarV1s8DnYHKNH6HHIqsVR2oJuIuqhyREAqjeP/T
3bQjQXV0b2dlbmVyYXRlZCBLZXkgPG1laHVsQHBoZWFhLm9yZz6JATkEEwECACMF
Al37qDICGy8HCwkIBwMCAQYVCAIJCgsEFgIDAQIeAQIXgAAKCRDO+i9CZ70SvqMn
CACCmdzqZW68j1E45XTHz3fvqdft6fXOyrlMuDdcH2y7Zrl5JS7PlCeHzIcsSMlH
wDYpCG8km7nwZsnWqKsOXFWq1nq/j7Kv5AzR7UmPzTw/1HFSVhIFA0ZZMHAnwp7Y
bcAT+ssvo4To9CjzRp/ZI1k26RFXPWuXETa41DBIVz13Ss4SIaf7UG9FQ55o+2BA
TP48yCQqktiWOoZ0rV1ALSFlE4Gs3UWHcYxxCABA0JB4+FuCRfB8QMreLwFb47wc
dIitbVl0mQx5IXCkqhJKqR62rRy25Put4xnPhXGtXqfoYDVYvYvlsl/FA35cX+Z1
QODnLq/jQ7ZPdaFC7cFqxztk
=RvGa
-----END PGP PRIVATE KEY BLOCK-----

Key: passphrase
Value: secret123

我要做的就是从AWS Secrets Manager中提取“密钥和值”对,然后导入密钥并随后解密文件。

众所周知,JSON不会在多行值中解释换行符,因此GPG import_keys无法导入私钥。如果我只是读取具有相同私钥的本地文件,则没有问题。请让我知道是否有解决此问题的方法?

try:
    secretkey = self.get_secret(secretName)
    if not secretkey:
        self.logger.error("Empty secret key")
        exit(0)

    newdict = json.loads(secretkey)**
    #  newdict = ast.literal_eval(secretkey)
    private_key = newdict['private_key']

    #  private_key = open('/home/ec2-user/GPG/test_private_key.asc').read()
    passphrase = newdict['passphrase']

    gpg = gnupg.GPG(gnupghome=gpgHomeDir)
    import_result = gpg.import_keys(private_key)

    count = import_result.count
    if count == 0:
        self.logger.error("Failed to import private key")
        sys.exit(1)

    dataPath = srcDir + "/" + self.dataSource

    for root, folders, files in os.walk(dataPath):
        if not files:
            self.logger.info("No files found so skipping .....")
            continue
        for filename in folders + files:
            fullpath = os.path.join(root,filename)
            self.logger.info("Fullpath = {0}".format(fullpath))
            out_file = "/tmp/" + filename
            with open(fullpath, "rb") as f:
                status = gpg.decrypt_file(f, passphrase=passphrase, output=out_file)
                if status.ok:
                    s3Prefix = root.replace(srcDir + '/', '')
                    s3ObjKey = s3Prefix + "/" + filename
                    s3InPath = "s3://" + self.inBucketName + "/" + s3Prefix + "/" + filename
                    with open(out_file, "rb") as fl:
                        self.s3Client.upload_fileobj(fl,
                                                     self.inBucketName,
                                                     s3ObjKey
                                                    )
except Exception as e:
    print(str(e))
    self.logger.error(str(e))
    sys.exit(1)

3 个答案:

答案 0 :(得分:1)

我必须使用base64格式存储PGP密钥,如下所示。

import base64
import gnupg

try:
    gpg = gnupg.PGP(gnupghome="/home/guest/GPG")
    input_data = gpg.gen_key_input(key_type='RSA',
                                   key_length=2048,
                                   name_email="guest@xyz.com"
                                   passphrase="pass123")
    key = gpg.gen_key(input_data)
    ascii_armored_public_key = gpg.export_keys(key.fingerprint, armor=True)
    ascii_armored_private_key = gpg.export_keys(key.fingerprint, True, armor=True)
    b64_encoded_private_key = base64.b64encode(ascii_armored_private_key.encode())

    binaryPrivKeyFile = "/tmp/b64encoded_private_key.asc"
    with open(binaryPrivKeyFile, 'wb') as bPrivFile:
        bPrivFile.write(b64_encoded_private_key)
except Exception as e:
    print(str(e))
    sys.exit(1)

现在,我们必须按如下所示将b64encoded_private_key.asc存储到AWS Secrets Manager。

$ aws secretsmanager create-secret --name私钥--secret-binary文件b://b64encoded_private_key.asc --region us-east-1

我们无法将密码短语存储在同一秘密中,因此我们必须为密码短语创建单独的秘密,如下所示。

$ aws secretsmanager create-secret --name passwd --secret-string'{“ passphrase”:“ pass123”}'--region us-east-1

注意:私钥的秘密类型为二进制,而密码短语的秘密类型为纯文本。

创建密钥后,我们可以使用AWS密钥管理器代码获取私钥和​​密码。 AWS Secrets Manager代码使用base64.b64decode(..)方法解码私钥。

答案 1 :(得分:0)

Secrets Manager不需要您以JSON格式存储数据,它可以存储arbitrary strings or binary data

您可以选择分解所有内容并将其存储在单独的秘密中,也可以使用支持XML等新行的数据格式。

答案 2 :(得分:0)

您将存储的私钥将不会带有特殊字符,例如'\ n','\ r'。 要解决此问题,请复制private_key的输出,该输出将具有特殊字符。

private_key =打开('/home/ec2-user/GPG/test_private_key.asc')。read() private_key

将此私钥放入您的秘密中,并使用get_secret()获取它

注意:您将在私钥中看到另一个“”,它将使用load_json来处理需要使用private_key.replace('\ n','\ n')

您的代码如下所示。

private_key = newdict ['private_key'] private_key = private_key.replace('\ n','\ n')

然后您将可以获取密钥。