我有一个带有日志记录的Python脚本,现在我想使用pycrypto用AES加密日志。
import logging
import base64
from Crypto.Cipher import AES
aes = AES.new(cryptoKey)
logging.basicConfig(filename='example.log',level=logging.DEBUG) # file name, not custom file
logging.info('text')
base64.b64encode(aes.encrypt('#logging text#')),如何最好地实现呢?加密不仅仅是简单的数据转发。我建议编写自己的日志格式化程序并将其设置为根格式化程序——这样,无论您在应用程序中从哪里记录日志,即使是由您的代码不控制的部分,它也将始终通过一层加密。因此,可以尝试以下类似的内容:
import base64
import logging
from Crypto.Cipher import AES
from Crypto.Hash import SHA256
from Crypto import Random
class EncryptedLogFormatter(logging.Formatter):
# make sure that the `key` is a byte stream on Python 3.x
def __init__(self, key, fmt=None, datefmt=None):
self._key = SHA256.new(key).digest() # use SHA-256 for a proper-sized AES key
super(EncryptedLogFormatter, self).__init__(fmt=fmt, datefmt=datefmt)
def format(self, record):
message = record.msg # log message to encrypt, if any
if message: # no sense to encrypt empty log messages
# on Python 3.x encode first: message = message.encode("utf-8")
iv = Random.new().read(AES.block_size) # we'll be using CBC so generate an IV
cipher = AES.new(self._key, AES.MODE_CBC, iv)
# AES demands all blocks to be of `AES.block_size` so we have to pad the message
# you can use any padding you prefer, I think PKCS#7 is the best option
padding = AES.block_size - len(message) % AES.block_size
# pad the message...
message += chr(padding) * padding # Python 3.x: bytes([padding]) * padding
message_enc = iv + cipher.encrypt(message) # add iv and encrypt
# finally, replace our plain-text message with base64 encoded encrypted one
record.msg = base64.b64encode(message_enc).decode("latin-1")
# you can do more here, even print out your own string but we'll just
# pass it to the default formatter now that the message is encrypted
# so that it can respect other formatting options.
return super(EncryptedLogFormatter, self).format(record)
然后您可以在任何可以更改日志格式的地方使用它, 即:
import sys
import logging
# lets get the root logger
root = logging.getLogger()
root.handlers = [] # blank out the existing handlers
# create a new handler, file handler instead of stdout is perfectly fine
handler = logging.StreamHandler(stream=sys.stdout)
# now lets get to business
handler.setFormatter(EncryptedLogFormatter("Whatever key/pass you'd like to use",
"[%(levelname)s] %(message)s"))
# lets add it to the root logger so it gets called by the rest of the app automatically
root.addHandler(handler)
# And lets see what happens:
logging.warn("Sensitive stuff, hide me!")
# [WARNING] NDKeIav5G5DtbaSPB4Y/DR3+GZ9IwmXKzVTua1tTuDZ7uMwxBAKTXgIi0lam2dOQ
# YMMV, the IV is random so every block will be different every time
当然,您可以对日志记录(logging.LogRecord)中的级别、时间戳以及几乎任何内容进行加密,并输出您喜欢的任何格式。当需要读取日志时,只需进行相反操作-在这个答案中有一个示例。
更新:根据要求,以下是如何执行“反向”操作(即解密已加密的日志)的说明。首先,让我们创建一些用于测试的日志条目(继续之前的内容):
root.setLevel(logging.DEBUG) # let's make sure we support all levels
logging.warn("Lorem ipsum dolor sit amet.")
logging.info("Consectetur adipiscing elit.")
logging.debug("Sed do eiusmod tempor.")
假设格式保持不变([%(levelname)s] %(message)s),这将生成一个类似于以下日志的内容(当然,由于随机IV的存在,它将始终是不同的):
[WARNING] LQMLkbx3YF7ra3e5ZLRj3p1mi2dwCOJe/GMfo2Xg8BBSZMDmZO75rrgoiy/6kqjf [INFO] D+ehnsq1kWQi61AsLOBkqglXla7jgc2myPFaCGcfCRe6drk9ZmNl+M3UkKPWkDiU [DEBUG] +rHEHkM2YHJCkIL+YwWI4FNqg6AOXfaBLRyhZpk8/fQxrXLWxcGoGxh9A2vO+7bq
要为这样的日志(文件)创建一个读取器,我们需要了解格式,以便区分加密和非加密数据。在这种情况下,分离各个部分很容易 - 每个日志条目都在新行上,级别未加密,实际加密数据总是与实际日志级别之间用空格隔开。因此,要将所有这些组合起来,我们可以构建一些类似于以下的东西:
import base64
from Crypto.Cipher import AES
from Crypto.Hash import SHA256
# make sure that the `key` is a byte stream on Python 3.x
def log_decryptor(key, stream): # assume the stream can be iterated line-by-line
key = SHA256.new(key).digest() # same derivation as in the EncryptedLogFormatter
for line in stream:
if not line.strip(): # empty line...
continue # ignore it!
level, stream = line.split(None, 1) # split on log level and log data
message_enc = base64.b64decode(stream.encode("latin-1")) # decode the stream
iv = message_enc[:AES.block_size] # grab the IV from the beginning
# decrypt the stream
message = AES.new(key, AES.MODE_CBC, iv).decrypt(message_enc[AES.block_size:])
padding = ord(message[-1]) # get the padding value; Python 3.x: message[-1]
if message[-padding:] != chr(padding) * padding: # verify the padding
# on Python 3.x: bytes([padding]) * padding
raise ValueError("Invalid padding encountered.")
# Python 3.x: decode the message: message[:-padding].decode("utf-8")
yield "{} {}".format(level, message[:-padding]) # yield the decrypted value
然后您可以像使用常规生成器一样使用它来解密日志,例如:
logs = ["[WARNING] LQMLkbx3YF7ra3e5ZLRj3p1mi2dwCOJe/GMfo2Xg8BBSZMDmZO75rrgoiy/6kqjf",
"[INFO] D+ehnsq1kWQi61AsLOBkqglXla7jgc2myPFaCGcfCRe6drk9ZmNl+M3UkKPWkDiU",
"[DEBUG] +rHEHkM2YHJCkIL+YwWI4FNqg6AOXfaBLRyhZpk8/fQxrXLWxcGoGxh9A2vO+7bq"]
for line in log_decryptor("Whatever key/pass you'd like to use", logs):
print(line)
# [WARNING] Lorem ipsum dolor sit amet.
# [INFO] Consectetur adipiscing elit.
# [DEBUG] Sed do eiusmod tempor.
如果你已将日志设置为流式记录到文件中,那么你可以直接解密该文件,如下所示:
with open("path/to/encrypted.log", "r") as f:
for line in log_decryptor("Whatever key/pass you'd like to use", f):
print(line) # or write to a 'decrypted.log' for a more persistent solution
setFormatter在Python3中不存在,有没有替代方法? - Masoud Rahimilogging.Handler.setFormatter(),基本结构没有改变。我刚刚双重检查了一下,它可以正常工作。你遇到了什么样的错误? - zwerEncryptedLogFormatter中的消息必须进行编码。 - Masoud Rahimi
\n也可能出现在单个日志消息的密文中间。 - Artjom B.