Meh*_*hul 3 json gnupg python-3.x aws-secrets-manager
I am using the python-gnupg package to create GPG public and private keys. I store the generated private key in AWS Secrets Manager as shown below.
Key: private_key
value: -----BEGIN PGP PRIVATE KEY BLOCK-----
Version: GnuPG v2.0.22 (GNU/Linux)
-----END PGP PRIVATE KEY BLOCK-----
Key: passphrase
Value: secret123
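What I want to do is pull the key and value pairs from AWS Secrets Manager, import the key, and then decrypt files.
As we all know, JSON does not interpret the newline characters in multi-line values, so GPG import_keys fails to import the private key. If I just read a local file containing the same private key, it works fine. Please let me know if there is any workaround for this problem.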
```python
import json
import os
import sys

import gnupg

# Body of a method on the author's class (uses self.logger, self.s3Client, ...).
try:
    secretkey = self.get_secret(secretName)
    if not secretkey:
        self.logger.error("Empty secret key")
        sys.exit(1)
    newdict = json.loads(secretkey)
    # newdict = ast.literal_eval(secretkey)
    private_key = newdict['private_key']
    # private_key = open('/home/ec2-user/GPG/test_private_key.asc').read()
    passphrase = newdict['passphrase']
    gpg = gnupg.GPG(gnupghome=gpgHomeDir)
    import_result = gpg.import_keys(private_key)
    count = import_result.count
    if count == 0:
        self.logger.error("Failed to import private key")
        sys.exit(1)
    dataPath = srcDir + "/" + self.dataSource
    for root, folders, files in os.walk(dataPath):
        if not files:
            self.logger.info("No files found so skipping .....")
            continue
        # Only regular files can be opened and decrypted, so skip the folder names.
        for filename in files:
            fullpath = os.path.join(root, filename)
            self.logger.info("Fullpath = {0}".format(fullpath))
            out_file = "/tmp/" + filename
            with open(fullpath, "rb") as f:
                status = gpg.decrypt_file(f, passphrase=passphrase, output=out_file)
            if status.ok:
                s3Prefix = root.replace(srcDir + '/', '')
                s3ObjKey = s3Prefix + "/" + filename
                s3InPath = "s3://" + self.inBucketName + "/" + s3Prefix + "/" + filename
                with open(out_file, "rb") as fl:
                    self.s3Client.upload_fileobj(fl,
                                                 self.inBucketName,
                                                 s3ObjKey)
except Exception as e:
    print(str(e))
    self.logger.error(str(e))
    sys.exit(1)
```
I had to store the PGP key in base64 format, as shown below.
```python
import base64
import sys

import gnupg

try:
    gpg = gnupg.GPG(gnupghome="/home/guest/GPG")
    input_data = gpg.gen_key_input(key_type='RSA',
                                   key_length=2048,
                                   name_email="guest@xyz.com",
                                   passphrase="pass123")
    key = gpg.gen_key(input_data)
    ascii_armored_public_key = gpg.export_keys(key.fingerprint, armor=True)
    # Second positional argument (secret=True) exports the private key.
    # With GnuPG >= 2.1, python-gnupg also needs the passphrase passed here.
    ascii_armored_private_key = gpg.export_keys(key.fingerprint, True, armor=True)
    # Base64-encode the armored text so its line breaks survive storage.
    b64_encoded_private_key = base64.b64encode(ascii_armored_private_key.encode())
    binaryPrivKeyFile = "/tmp/b64encoded_private_key.asc"
    with open(binaryPrivKeyFile, 'wb') as bPrivFile:
        bPrivFile.write(b64_encoded_private_key)
except Exception as e:
    print(str(e))
    sys.exit(1)
```
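Now we have to store b64encoded_private_key.asc in AWS Secrets Manager as shown below.

```
$ aws secretsmanager create-secret --name private-key --secret-binary fileb://b64encoded_private_key.asc --region us-east-1
```

We cannot store the passphrase in the same secret, so we have to create a separate secret for the passphrase, as shown below.

```
$ aws secretsmanager create-secret --name passwd --secret-string '{"passphrase" : "pass123"}' --region us-east-1
```

Note: the secret type of the private key is binary, while the secret type of the passphrase is plaintext.

Once the secrets are created, we can use the AWS Secrets Manager code to get the private key and passphrase. The AWS Secrets Manager code uses the base64.b64decode(..) method to decode the private key.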
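The retrieval side, as an added example that is not part of the original answer: it recovers the armored key from a response dict shaped like boto3's `get_secret_value` output (`SecretBinary` or `SecretString`) and checks that the armor line breaks survived storage before the key reaches `import_keys`. The function names, the `field` parameter and the sample key block are constructed placeholders, and no AWS call is made.

```python
import base64
import json

BEGIN = "-----BEGIN PGP PRIVATE KEY BLOCK-----"
END = "-----END PGP PRIVATE KEY BLOCK-----"

# Constructed placeholder, NOT a real key: only the armor line structure matters.
SAMPLE_ARMOR = (
    BEGIN + "\n"
    "Version: GnuPG v2.0.22 (GNU/Linux)\n"
    "\n"
    "Q09OU1RSVUNURUQtUExBQ0VIT0xERVI=\n"
    "=AAAA\n"
    + END + "\n"
)


def armor_intact(text):
    """True if header and footer sit on their own lines and the blank
    separator line between armor headers and body is still present."""
    lines = text.strip().splitlines()
    return len(lines) >= 3 and lines[0] == BEGIN and lines[-1] == END and "" in lines


def key_from_secret(response, field="private_key"):
    """Return the armored key from a get_secret_value-shaped dict (assumed shape)."""
    if "SecretBinary" in response:
        # Layout from the answer: the binary secret holds base64 of the armored key.
        raw = base64.b64decode(response["SecretBinary"], validate=True)
        text = raw.decode("ascii")
    else:
        # JSON layout: line breaks survive only if stored as escaped \n sequences.
        text = json.loads(response["SecretString"])[field]
    if not armor_intact(text):
        raise ValueError("armored key lost its line breaks in storage")
    return text


# Constructed responses: base64 binary, JSON with escaped newlines, and a
# value whose newlines were flattened to spaces before it was stored.
binary_resp = {"SecretBinary": base64.b64encode(SAMPLE_ARMOR.encode())}
json_resp = {"SecretString": json.dumps({"private_key": SAMPLE_ARMOR})}
flattened_resp = {
    "SecretString": json.dumps({"private_key": SAMPLE_ARMOR.replace("\n", " ")})
}
```

The text returned by `key_from_secret` is what gets passed to `gpg.import_keys(...)`; a `ValueError` here points at how the secret was stored rather than at GnuPG.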