An Overview of Key Formats

article/2024/4/19 22:56:17


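Introduction to key formats

Two encodings:

  • .der: DER format, encoded following ASN.1 syntax;

  • .pem: a key encoded in Base64;

# ASN.1 ------(serialization)------ DER ------(Base64 encoding)------ PEM

Common key file extensions:

  • .cer, .cert: Windows certificate; holds the public key, no private key;

  • .crt: Linux certificate; holds the public key, no private key;

  • .key: usually a private key

Other formats

  • .pfx, .p12: DER format; holds the public key and the encrypted private key; mainly used on Windows, and usable by browsers.
    openssl pkcs12 -info -nocerts -in keystore.p12
  • X.509 certificate
    openssl x509 -help
  • .csr: Certificate Signing Request. After the CSR file is submitted to a certificate authority, the CA signs it with the private key of its root certificate, which produces the certificate public-key file, that is, the certificate issued to the user.
  • .jks: Java keystore. Contains both certificates and private keys, and is usually password-protected. It can be converted from p12.
    keytool -v -list -keystore file.jks

Multiple levels of certificates can be imported into a single certificate file, forming one certificate that contains the complete certificate chain.

PyCryptodome supports the following asymmetric key formats: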

RSA public key:

  • X.509 certificate (binary or PEM format)
  • X.509 subjectPublicKeyInfo DER SEQUENCE (binary or PEM encoding)
  • PKCS#1 RSAPublicKey DER SEQUENCE (binary or PEM encoding)
  • An OpenSSH line (e.g. the content of ~/.ssh/id_ecdsa, ASCII)

RSA private key:

  • PKCS#1 RSAPrivateKey DER SEQUENCE (binary or PEM encoding)
  • PKCS#8 PrivateKeyInfo or EncryptedPrivateKeyInfo DER SEQUENCE (binary or PEM encoding)
  • OpenSSH (text format, introduced in OpenSSH 6.5)

DER

ASN.1 defines the following rule sets that govern how data structures that are being sent between computers are encoded and decoded.

  • Basic Encoding Rules (BER)
  • Canonical Encoding Rules (CER), subsets of BER
  • Distinguished Encoding Rules (DER), subsets of BER
  • Packed Encoding Rules (PER)

CER and DER were developed later as specialized subsets of BER.

PER was developed in response to criticisms about the amount of bandwidth required to transmit data using BER or its variants. PER provides a significant savings.

DER was created to satisfy the requirements of the X.509 specification for secure data transfer.

DER files usually have the extension ".der" or ".cer".

The specification of each public-key algorithm gives the DER format of its keys. For example, Appendix A of RFC 8017 (PKCS #1) gives this private key format:

RSAPrivateKey ::= SEQUENCE {
    version           Version,
    modulus           INTEGER,  -- n
    publicExponent    INTEGER,  -- e
    privateExponent   INTEGER,  -- d
    prime1            INTEGER,  -- p
    prime2            INTEGER,  -- q
    exponent1         INTEGER,  -- d mod (p-1)
    exponent2         INTEGER,  -- d mod (q-1)
    coefficient       INTEGER,  -- (inverse of q) mod p
    otherPrimeInfos   OtherPrimeInfos OPTIONAL
}

PyCryptodome source reference

\Crypto\PublicKey\RSA.py

from Crypto.Util.asn1 import DerSequence

#: `Object ID`_ for the RSA encryption algorithm. This OID often indicates
#: a generic RSA key, even when such key will be actually used for digital
#: signatures.
#:
#: .. _`Object ID`: http://www.alvestrand.no/objectid/1.2.840.113549.1.1.1.html
oid = "1.2.840.113549.1.1.1"

def export_key(self, format='PEM', passphrase=None, pkcs=1,
               protection=None, randfunc=None):
    # ...
    # DER format is always used, even in case of PEM, which simply
    # encodes it into BASE64.
    if self.has_private():
        binary_key = DerSequence([0,
                                  self.n,
                                  self.e,
                                  self.d,
                                  self.p,
                                  self.q,
                                  self.d % (self.p-1),
                                  self.d % (self.q-1),
                                  Integer(self.q).inverse(self.p)
                                  ]).encode()
        if pkcs == 1:
            key_type = 'RSA PRIVATE KEY'
            if format == 'DER' and passphrase:
                raise ValueError("PKCS#1 private key cannot be encrypted")
        else:  # PKCS#8
            from Crypto.IO import PKCS8
            if format == 'PEM' and protection is None:
                key_type = 'PRIVATE KEY'
                binary_key = PKCS8.wrap(binary_key, oid, None)
            else:
                key_type = 'ENCRYPTED PRIVATE KEY'
                if not protection:
                    protection = 'PBKDF2WithHMAC-SHA1AndDES-EDE3-CBC'
                binary_key = PKCS8.wrap(binary_key, oid,
                                        passphrase, protection)
                passphrase = None
    else:  # matches "if self.has_private():" above
        key_type = "PUBLIC KEY"
        binary_key = _create_subject_public_key_info(oid,
                                                     DerSequence([self.n,
                                                                  self.e]))
    if format == 'DER':
        return binary_key
    if format == 'PEM':
        from Crypto.IO import PEM
        pem_str = PEM.encode(binary_key, key_type, passphrase, randfunc)
        return tobytes(pem_str)

The export code above supports both PKCS#1 and PKCS#8 encapsulation. The source of the PKCS#8 wrapping is as follows:

if key_params is None:
    key_params = DerNull()

#
#   PrivateKeyInfo ::= SEQUENCE {
#       version                 Version,
#       privateKeyAlgorithm     PrivateKeyAlgorithmIdentifier,
#       privateKey              PrivateKey,
#       attributes              [0]  IMPLICIT Attributes OPTIONAL
#   }
#
pk_info = DerSequence([
    0,
    DerSequence([
        DerObjectId(key_oid),
        key_params
    ]),
    DerOctetString(private_key)
])
pk_info_der = pk_info.encode()

if passphrase is None:
    return pk_info_der

if not passphrase:
    raise ValueError("Empty passphrase")

# Encryption with PBES2
passphrase = tobytes(passphrase)
if protection is None:
    protection = 'PBKDF2WithHMAC-SHA1AndDES-EDE3-CBC'
return PBES2.encrypt(pk_info_der, passphrase,
                     protection, prot_params, randfunc)
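
To make the two layouts above concrete (the PKCS#1 RSAPrivateKey SEQUENCE and the PKCS#8 PrivateKeyInfo wrapper around it), here is a standard-library-only DER reader that tells them apart and rejects non-DER lengths and inconsistent CRT fields. It is an added example, not PyCryptodome code; the function names and the toy key are assumptions made for illustration.

```python
def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for one definite-length DER element."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits count length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        if n == 0 or length < 0x80 or buf[pos] == 0:
            raise ValueError("length not minimally encoded (BER, not DER)")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # split SEQUENCE content into (tag, value) pairs
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def parse_rsa_private(der):
    """Return (layout, fields) for PKCS#1 or unencrypted PKCS#8 input."""
    tag, body, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    items = children(body)
    if len(items) >= 3 and items[1][0] == 0x30:    # PKCS#8: AlgorithmIdentifier
        if items[1][1] != ALG_RSA or items[2][0] != 0x04:
            raise ValueError("not an rsaEncryption PrivateKeyInfo")
        return "PKCS#8", parse_rsa_private(items[2][1])[1]
    if len(items) < 9 or any(t != 0x02 for t, _ in items[:9]):
        raise ValueError("not a PKCS#1 RSAPrivateKey")
    names = ("version", "n", "e", "d", "p", "q", "dp", "dq", "qinv")
    k = {name: int.from_bytes(v, "big", signed=True) for name, (_, v) in zip(names, items)}
    if min(k["p"], k["q"]) < 2 or not (
            k["n"] == k["p"] * k["q"] and k["dp"] == k["d"] % (k["p"] - 1)
            and k["dq"] == k["d"] % (k["q"] - 1) and k["qinv"] * k["q"] % k["p"] == 1):
        raise ValueError("CRT fields do not match n, d, p, q")
    return "PKCS#1", k

def wrap_pkcs8(pkcs1):
    """Build PrivateKeyInfo around a PKCS#1 blob (short-form lengths only)."""
    tlv = lambda tag, body: bytes([tag, len(body)]) + body
    return tlv(0x30, b"\x02\x01\x00" + tlv(0x30, ALG_RSA) + tlv(0x04, pkcs1))

ALG_RSA = bytes.fromhex("06092a864886f70d0101010500")  # OID 1.2.840.113549.1.1.1 + NULL
# Constructed toy key (p=61, q=53, e=17, d=2753): for parsing only, never for real use.
TOY_PKCS1 = bytes.fromhex("301d02010002020ca102011102020ac102013d020135020135020131020126")
```
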

PEM

PEM: Privacy Enhanced Mail

The OpenSSL API documentation describes the private-key PEM format as follows.

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,3F17F5316E2BAC89

...base64 encoded data...
-----END RSA PRIVATE KEY-----

The line beginning with Proc-Type contains the version and the protection on the encapsulated data. The line beginning DEK-Info contains two comma separated values: the encryption algorithm name as used by EVP_get_cipherbyname() and an initialization vector used by the cipher encoded as a set of hexadecimal digits. After those two lines is the base64-encoded encrypted data.

The file extension is usually ".pem", ".cer", ".crt", or ".key".
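
Because the extension says little about what a PEM file holds, an audit has to read the BEGIN label and the Proc-Type/DEK-Info headers described above. The following added example (not OpenSSL or PyCryptodome code) classifies each PEM block as public material, an unencrypted private key, a legacy header-encrypted key, or a PKCS#8 encrypted key; the function name and the sample text are assumptions made for illustration.

```python
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def classify_pem(text):
    """Return one dict per PEM block: label, protection state, DER length."""
    results = []
    for label, inner in PEM_BLOCK.findall(text):
        headers, b64 = {}, []
        for line in inner.splitlines():
            if ":" in line and not b64:          # RFC 1421 header, e.g. Proc-Type
                name, _, value = line.partition(":")
                headers[name.strip()] = value.strip()
            elif line.strip():
                b64.append(line.strip())
        der_len = len(base64.b64decode("".join(b64), validate=True))
        if label == "ENCRYPTED PRIVATE KEY":
            state = "encrypted (PKCS#8)"
        elif headers.get("Proc-Type") == "4,ENCRYPTED":
            cipher, _, iv_hex = headers.get("DEK-Info", "").partition(",")
            state = f"encrypted (legacy PEM header, {cipher}, {len(iv_hex) // 2}-byte IV)"
        elif label.endswith("PRIVATE KEY"):
            state = "unencrypted private key"
        else:
            state = "public material"
        results.append({"label": label, "state": state, "der_len": der_len})
    return results

# Constructed sample: every body is 16 zero bytes, not real key material.
_BODY = base64.b64encode(bytes(16)).decode()
SAMPLE = "\n".join([
    "-----BEGIN RSA PRIVATE KEY-----",
    "Proc-Type: 4,ENCRYPTED",
    "DEK-Info: DES-EDE3-CBC,3F17F5316E2BAC89",
    "",
    _BODY,
    "-----END RSA PRIVATE KEY-----",
    "-----BEGIN PRIVATE KEY-----",
    _BODY,
    "-----END PRIVATE KEY-----",
    "-----BEGIN PUBLIC KEY-----",
    _BODY,
    "-----END PUBLIC KEY-----",
])

if __name__ == "__main__":
    for row in classify_pem(SAMPLE):
        print(row)
```
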

OpenSSL command-line operations

Environment: Ubuntu 20.04

On Windows the output contains garbled characters.

# Fetch baidu's certificate
openssl s_client -connect baidu.com:443  < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > baidu.crt
head -n 20 baidu.crt
openssl x509 -in baidu.crt -text -noout
# Convert to DER
openssl x509 -outform der -in baidu.crt -out baidu.der
# Extract the public key
openssl x509 -in baidu.crt -pubkey -noout > baidu.key
cat baidu.key
#-----BEGIN PUBLIC KEY-----
#MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAn67f1NLdKwi96kdzB+/W
#...

References

RSA — PyCryptodome 3.17.0 documentation

Distinguished Encoding Rules - Win32 apps | Microsoft Learn

PEM:

  • RFC 1421: Privacy Enhancement for Internet Electronic Mail: Part I: Message Encryption and Authentication Procedures (rfc-editor.org)

  • RFC 1422: Privacy Enhancement for Internet Electronic Mail: Part II: Certificate-Based Key Management (rfc-editor.org)

  • RFC 1423: Privacy Enhancement for Internet Electronic Mail: Part III: Algorithms, Modes, and Identifiers (rfc-editor.org)

  • RFC 1424: Privacy Enhancement for Internet Electronic Mail: Part IV: Key Certification and Related Services (rfc-editor.org)

/docs/man3.0/man1/openssl-s_client.html

