dify/api/libs/rsa.py

import hashlib
import os
from typing import Union

from Crypto.Cipher import AES
from Crypto.PublicKey import RSA
from Crypto.Random import get_random_bytes

from extensions.ext_redis import redis_client
from extensions.ext_storage import storage
from libs import gmpy2_pkcs10aep_cipher


def generate_key_pair(tenant_id: str) -> str:
    private_key = RSA.generate(2048)
    public_key = private_key.publickey()

    pem_private = private_key.export_key()
    pem_public = public_key.export_key()

    filepath = os.path.join("privkeys", tenant_id, "private.pem")

    storage.save(filepath, pem_private)

    return pem_public.decode()


prefix_hybrid = b"HYBRID:"


def encrypt(text: str, public_key: Union[str, bytes]) -> bytes:
    if isinstance(public_key, str):
        public_key = public_key.encode()

    aes_key = get_random_bytes(16)
    cipher_aes = AES.new(aes_key, AES.MODE_EAX)

    ciphertext, tag = cipher_aes.encrypt_and_digest(text.encode())

    rsa_key = RSA.import_key(public_key)
    cipher_rsa = gmpy2_pkcs10aep_cipher.new(rsa_key)

    enc_aes_key: bytes = cipher_rsa.encrypt(aes_key)

    encrypted_data = enc_aes_key + cipher_aes.nonce + tag + ciphertext

    return prefix_hybrid + encrypted_data


def get_decrypt_decoding(tenant_id: str) -> tuple[RSA.RsaKey, object]:
    filepath = os.path.join("privkeys", tenant_id, "private.pem")

    cache_key = f"tenant_privkey:{hashlib.sha3_256(filepath.encode()).hexdigest()}"
    private_key = redis_client.get(cache_key)
    if not private_key:
        try:
            private_key = storage.load(filepath)
        except FileNotFoundError:
            raise PrivkeyNotFoundError(f"Private key not found, tenant_id: {tenant_id}")

        redis_client.setex(cache_key, 120, private_key)

    rsa_key = RSA.import_key(private_key)
    cipher_rsa = gmpy2_pkcs10aep_cipher.new(rsa_key)

    return rsa_key, cipher_rsa


def decrypt_token_with_decoding(encrypted_text: bytes, rsa_key: RSA.RsaKey, cipher_rsa) -> str:
    if encrypted_text.startswith(prefix_hybrid):
        encrypted_text = encrypted_text[len(prefix_hybrid) :]

        enc_aes_key = encrypted_text[: rsa_key.size_in_bytes()]
        nonce = encrypted_text[rsa_key.size_in_bytes() : rsa_key.size_in_bytes() + 16]
        tag = encrypted_text[rsa_key.size_in_bytes() + 16 : rsa_key.size_in_bytes() + 32]
        ciphertext = encrypted_text[rsa_key.size_in_bytes() + 32 :]

        aes_key = cipher_rsa.decrypt(enc_aes_key)

        cipher_aes = AES.new(aes_key, AES.MODE_EAX, nonce=nonce)
        decrypted_text = cipher_aes.decrypt_and_verify(ciphertext, tag)
    else:
        decrypted_text = cipher_rsa.decrypt(encrypted_text)

    return decrypted_text.decode()


def decrypt(encrypted_text: bytes, tenant_id: str) -> str:
    rsa_key, cipher_rsa = get_decrypt_decoding(tenant_id)

    return decrypt_token_with_decoding(encrypted_text=encrypted_text, rsa_key=rsa_key, cipher_rsa=cipher_rsa)


class PrivkeyNotFoundError(Exception):
    pass
Initial commit 2023-05-15 08:51:32 +08:00			`import hashlib`
fix: private.pem keyPath error in windows (#22814) Co-authored-by: songkunling <songkunling@cabrtech.com> 2025-07-23 23:29:46 +08:00			`import os`
refactor: Fix some type error (#22594) Signed-off-by: -LAN- <laipz8200@outlook.com> 2025-07-18 09:26:29 +08:00			`from typing import Union`
Initial commit 2023-05-15 08:51:32 +08:00
refine: faster rsa implement (#2182) 2024-01-24 20:22:01 +08:00			`from Crypto.Cipher import AES`
Initial commit 2023-05-15 08:51:32 +08:00			`from Crypto.PublicKey import RSA`
feat: server multi models support (#799) 2023-08-12 00:57:00 +08:00			`from Crypto.Random import get_random_bytes`
enhancement: introduce Ruff for Python linter for reordering and removing unused imports with automated pre-commit and sytle check (#2366) 2024-02-06 13:21:13 +08:00
Initial commit 2023-05-15 08:51:32 +08:00			`from extensions.ext_redis import redis_client`
			`from extensions.ext_storage import storage`
chore: refurish python code by applying Pylint linter rules (#8322) 2024-09-13 22:42:08 +08:00			`from libs import gmpy2_pkcs10aep_cipher`
Initial commit 2023-05-15 08:51:32 +08:00

refactor: Fix some type error (#22594) Signed-off-by: -LAN- <laipz8200@outlook.com> 2025-07-18 09:26:29 +08:00			`def generate_key_pair(tenant_id: str) -> str:`
Initial commit 2023-05-15 08:51:32 +08:00			`private_key = RSA.generate(2048)`
			`public_key = private_key.publickey()`

			`pem_private = private_key.export_key()`
			`pem_public = public_key.export_key()`

fix: private.pem keyPath error in windows (#22814) Co-authored-by: songkunling <songkunling@cabrtech.com> 2025-07-23 23:29:46 +08:00			`filepath = os.path.join("privkeys", tenant_id, "private.pem")`
Initial commit 2023-05-15 08:51:32 +08:00
			`storage.save(filepath, pem_private)`

			`return pem_public.decode()`


feat: server multi models support (#799) 2023-08-12 00:57:00 +08:00			`prefix_hybrid = b"HYBRID:"`


refactor: Fix some type error (#22594) Signed-off-by: -LAN- <laipz8200@outlook.com> 2025-07-18 09:26:29 +08:00			`def encrypt(text: str, public_key: Union[str, bytes]) -> bytes:`
Initial commit 2023-05-15 08:51:32 +08:00			`if isinstance(public_key, str):`
			`public_key = public_key.encode()`

feat: server multi models support (#799) 2023-08-12 00:57:00 +08:00			`aes_key = get_random_bytes(16)`
			`cipher_aes = AES.new(aes_key, AES.MODE_EAX)`

			`ciphertext, tag = cipher_aes.encrypt_and_digest(text.encode())`

Initial commit 2023-05-15 08:51:32 +08:00			`rsa_key = RSA.import_key(public_key)`
refine: faster rsa implement (#2182) 2024-01-24 20:22:01 +08:00			`cipher_rsa = gmpy2_pkcs10aep_cipher.new(rsa_key)`
feat: server multi models support (#799) 2023-08-12 00:57:00 +08:00
refactor: Fix some type error (#22594) Signed-off-by: -LAN- <laipz8200@outlook.com> 2025-07-18 09:26:29 +08:00			`enc_aes_key: bytes = cipher_rsa.encrypt(aes_key)`
feat: server multi models support (#799) 2023-08-12 00:57:00 +08:00
			`encrypted_data = enc_aes_key + cipher_aes.nonce + tag + ciphertext`

			`return prefix_hybrid + encrypted_data`
Initial commit 2023-05-15 08:51:32 +08:00

refactor: Fix some type error (#22594) Signed-off-by: -LAN- <laipz8200@outlook.com> 2025-07-18 09:26:29 +08:00			`def get_decrypt_decoding(tenant_id: str) -> tuple[RSA.RsaKey, object]:`
fix: private.pem keyPath error in windows (#22814) Co-authored-by: songkunling <songkunling@cabrtech.com> 2025-07-23 23:29:46 +08:00			`filepath = os.path.join("privkeys", tenant_id, "private.pem")`
Initial commit 2023-05-15 08:51:32 +08:00
make logging not use f-str, change others to f-str (#22882) 2025-07-25 11:32:48 +09:00			`cache_key = f"tenant_privkey:{hashlib.sha3_256(filepath.encode()).hexdigest()}"`
Initial commit 2023-05-15 08:51:32 +08:00			`private_key = redis_client.get(cache_key)`
			`if not private_key:`
			`try:`
			`private_key = storage.load(filepath)`
			`except FileNotFoundError:`
make logging not use f-str, change others to f-str (#22882) 2025-07-25 11:32:48 +09:00			`raise PrivkeyNotFoundError(f"Private key not found, tenant_id: {tenant_id}")`
Initial commit 2023-05-15 08:51:32 +08:00
			`redis_client.setex(cache_key, 120, private_key)`

			`rsa_key = RSA.import_key(private_key)`
refine: faster rsa implement (#2182) 2024-01-24 20:22:01 +08:00			`cipher_rsa = gmpy2_pkcs10aep_cipher.new(rsa_key)`
feat: server multi models support (#799) 2023-08-12 00:57:00 +08:00
Model Runtime (#1858) Co-authored-by: StyleZhang <jasonapring2015@outlook.com> Co-authored-by: Garfield Dai <dai.hai@foxmail.com> Co-authored-by: chenhe <guchenhe@gmail.com> Co-authored-by: jyong <jyong@dify.ai> Co-authored-by: Joel <iamjoel007@gmail.com> Co-authored-by: Yeuoly <admin@srmxy.cn> 2024-01-02 23:42:00 +08:00			`return rsa_key, cipher_rsa`


refactor: Fix some type error (#22594) Signed-off-by: -LAN- <laipz8200@outlook.com> 2025-07-18 09:26:29 +08:00			`def decrypt_token_with_decoding(encrypted_text: bytes, rsa_key: RSA.RsaKey, cipher_rsa) -> str:`
feat: server multi models support (#799) 2023-08-12 00:57:00 +08:00			`if encrypted_text.startswith(prefix_hybrid):`
chore(api/libs): Apply ruff format. (#7301) 2024-08-15 17:53:12 +08:00			`encrypted_text = encrypted_text[len(prefix_hybrid) :]`
feat: server multi models support (#799) 2023-08-12 00:57:00 +08:00
chore(api/libs): Apply ruff format. (#7301) 2024-08-15 17:53:12 +08:00			`enc_aes_key = encrypted_text[: rsa_key.size_in_bytes()]`
			`nonce = encrypted_text[rsa_key.size_in_bytes() : rsa_key.size_in_bytes() + 16]`
			`tag = encrypted_text[rsa_key.size_in_bytes() + 16 : rsa_key.size_in_bytes() + 32]`
			`ciphertext = encrypted_text[rsa_key.size_in_bytes() + 32 :]`
feat: server multi models support (#799) 2023-08-12 00:57:00 +08:00
			`aes_key = cipher_rsa.decrypt(enc_aes_key)`

			`cipher_aes = AES.new(aes_key, AES.MODE_EAX, nonce=nonce)`
			`decrypted_text = cipher_aes.decrypt_and_verify(ciphertext, tag)`
			`else:`
			`decrypted_text = cipher_rsa.decrypt(encrypted_text)`

Initial commit 2023-05-15 08:51:32 +08:00			`return decrypted_text.decode()`


refactor: Fix some type error (#22594) Signed-off-by: -LAN- <laipz8200@outlook.com> 2025-07-18 09:26:29 +08:00			`def decrypt(encrypted_text: bytes, tenant_id: str) -> str:`
Model Runtime (#1858) Co-authored-by: StyleZhang <jasonapring2015@outlook.com> Co-authored-by: Garfield Dai <dai.hai@foxmail.com> Co-authored-by: chenhe <guchenhe@gmail.com> Co-authored-by: jyong <jyong@dify.ai> Co-authored-by: Joel <iamjoel007@gmail.com> Co-authored-by: Yeuoly <admin@srmxy.cn> 2024-01-02 23:42:00 +08:00			`rsa_key, cipher_rsa = get_decrypt_decoding(tenant_id)`

refactor: Fix some type error (#22594) Signed-off-by: -LAN- <laipz8200@outlook.com> 2025-07-18 09:26:29 +08:00			`return decrypt_token_with_decoding(encrypted_text=encrypted_text, rsa_key=rsa_key, cipher_rsa=cipher_rsa)`
Model Runtime (#1858) Co-authored-by: StyleZhang <jasonapring2015@outlook.com> Co-authored-by: Garfield Dai <dai.hai@foxmail.com> Co-authored-by: chenhe <guchenhe@gmail.com> Co-authored-by: jyong <jyong@dify.ai> Co-authored-by: Joel <iamjoel007@gmail.com> Co-authored-by: Yeuoly <admin@srmxy.cn> 2024-01-02 23:42:00 +08:00

Initial commit 2023-05-15 08:51:32 +08:00			`class PrivkeyNotFoundError(Exception):`
			`pass`