1:RSA 加密 .pem .csr .crt .der .p12文件的区别 base64
Posted zyzmlc
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了1:RSA 加密 .pem .csr .crt .der .p12文件的区别 base64相关的知识,希望对你有一定的参考价值。
RSA
一:使用rsa加密解密,签名,认证
1:生成RSA私钥,base64编码的二进制数据。
openssl genrsa -out private.pem 1024
生成一个1024位的私钥
2:从private.pem 私钥中提取公钥,输出
openssl rsa -in private.pem -pubout -out public.pem
3:查看文件内容
cat private.pem
cat public.pem
pem文件中都是base64编码的二进制数据。
4:将私钥转化成明文
将私钥转化成明文
openssl rsa -in private.pem -text -out private.txt
5: 通过公钥rsa加密message.txt
openssl rsautl -encrypt -in message.txt -inkey public.pem -pubin -out enc.txt
6:通过私钥解密enc.txt
openssl rsautl -decrypt -in enc.txt -inkey private.pem -out dec.txt
7:使用私钥签名
openssl rsautl -sign -in message.txt -inkey private.pem -out enc.bin
8:xxd查看二进制文件,
9:使用公钥认证
openssl rsautl -verify -in enc.bin -inkey public.pem -pubin -out decode.txt
二:使用openssl生成证书
1:从代码中不会使用直接使用pem,会从pem中提取证书。
openssl req -new -key private.pem -out rsacert.csr
csr文件不是证书,是请求证书文件。
2: 给请求文件 从 pem文件中 提取证书,.crt 这个证书还是base64编码的,这个crt文件也不是直接使用的。
签名一个证书一年5千元。
openssl x509 -req -days 3650 -in rsacert.csr -signkey private.pem -out -rsacert.crt
3:生成der文件. 这个der文件主要包含公钥。最后通过这个来生成一个p12是这个der对应的私钥文件。
openssl x509 -outform der -in rsacert.crt -out rsacert.der
4:通过crt文件通提取私钥P12文件,公钥也是从crt中提取出来的
openssl pkcs12 -export -out p.p12 -inkey private.pem -in rsacert.crt
三:证书的关系
1:der 文件是公钥
.p12 是私钥文件
这两个是二进制文件
2:他们是从crt文件中提取出来的,crt文件是从pem文件中提取出来的。
crt和pem中有公钥和私钥他们是base64编码的文件。
四:base64编解码,所有的base64都是对二进制数据操作的。
A-Z 26个大写
a-z 26个小写
0-9 10个字母
/ + =(不足6位的用等号补充)
等号只会出现在最后面,
对于二进制数据不便于查看或者表示,所以用base64来编码查看。
1:base64编码
base64 zk.png -o zk.txt
2:base64解码
base64 zk.txt -o zk.png -D
五:rsa加密的代码
rsa加密的是二进制数据。
1:加密
rsa加密的是二进制数据
加密后的数据用base64来表示。表示结果是字符串
2:解密
解密的是二进制数据。
3:填充模式
不填充
pkcs加密数据是随机的。
代码
1:RSA加密代码
#import <Foundation/Foundation.h> @interface RSACryptor : NSObject + (instancetype)sharedRSACryptor; /** * 生成密钥对 * * @param keySize 密钥尺寸,可选数值(512/1024/2048) */ - (void)generateKeyPair:(NSUInteger)keySize; /** * 加载公钥 * * @param publicKeyPath 公钥路径 * @code # 生成证书 $ openssl genrsa -out ca.key 1024 # 创建证书请求 $ openssl req -new -key ca.key -out rsacert.csr # 生成证书并签名 $ openssl x509 -req -days 3650 -in rsacert.csr -signkey ca.key -out rsacert.crt # 转换格式 $ openssl x509 -outform der -in rsacert.crt -out rsacert.der @endcode */ - (void)loadPublicKey:(NSString *)publicKeyPath; /** * 加载私钥 * * @param privateKeyPath p12文件路径 * @param password p12文件密码 * @code openssl pkcs12 -export -out p.p12 -inkey ca.key -in rsacert.crt @endcode */ - (void)loadPrivateKey:(NSString *)privateKeyPath password:(NSString *)password; /** * 加密数据 * * @param plainData 明文数据 * * @return 密文数据 */ - (NSData *)encryptData:(NSData *)plainData; /** * 解密数据 * * @param cipherData 密文数据 * * @return 明文数据 */ - (NSData *)decryptData:(NSData *)cipherData; @end
#import "RSACryptor.h" // 填充模式 #define kTypeOfWrapPadding kSecPaddingPKCS1 // 公钥/私钥标签 #define kPublicKeyTag "com.zk.publickey" #define kPrivateKeyTag "com.zk.privatekey" static const uint8_t publicKeyIdentifier[] = kPublicKeyTag; static const uint8_t privateKeyIdentifier[] = kPrivateKeyTag; @interface RSACryptor() { SecKeyRef publicKeyRef; // 公钥引用 SecKeyRef privateKeyRef; // 私钥引用 } @property (nonatomic, retain) NSData *publicTag; // 公钥标签 @property (nonatomic, retain) NSData *privateTag; // 私钥标签 @end @implementation RSACryptor + (instancetype)sharedRSACryptor { static id instance; static dispatch_once_t onceToken; dispatch_once(&onceToken, ^{ instance = [[self alloc] init]; }); return instance; } - (instancetype)init { self = [super init]; if (self) { // 查询密钥的标签 _privateTag = [[NSData alloc] initWithBytes:privateKeyIdentifier length:sizeof(privateKeyIdentifier)]; _publicTag = [[NSData alloc] initWithBytes:publicKeyIdentifier length:sizeof(publicKeyIdentifier)]; } return self; } #pragma mark - 加密 & 解密数据 - (NSData *)encryptData:(NSData *)plainData { OSStatus sanityCheck = noErr; size_t cipherBufferSize = 0; size_t keyBufferSize = 0; NSAssert(plainData != nil, @"明文数据为空"); NSAssert(publicKeyRef != nil, @"公钥为空"); NSData *cipher = nil; uint8_t *cipherBuffer = NULL; // 计算缓冲区大小 cipherBufferSize = SecKeyGetBlockSize(publicKeyRef); keyBufferSize = [plainData length]; if (kTypeOfWrapPadding == kSecPaddingNone) { NSAssert(keyBufferSize <= cipherBufferSize, @"加密内容太大"); } else { NSAssert(keyBufferSize <= (cipherBufferSize - 11), @"加密内容太大"); } // 分配缓冲区 cipherBuffer = malloc(cipherBufferSize * sizeof(uint8_t)); memset((void *)cipherBuffer, 0x0, cipherBufferSize); // 使用公钥加密 sanityCheck = SecKeyEncrypt(publicKeyRef, kTypeOfWrapPadding, (const uint8_t *)[plainData bytes], keyBufferSize, cipherBuffer, &cipherBufferSize ); NSAssert(sanityCheck == noErr, @"加密错误,OSStatus == %d", sanityCheck); // 生成密文数据 cipher = [NSData dataWithBytes:(const void *)cipherBuffer length:(NSUInteger)cipherBufferSize]; if (cipherBuffer) free(cipherBuffer); return cipher; } - (NSData *)decryptData:(NSData *)cipherData { OSStatus sanityCheck = noErr; size_t cipherBufferSize = 0; size_t keyBufferSize = 0; NSData *key = nil; uint8_t *keyBuffer = NULL; SecKeyRef privateKey = NULL; privateKey = [self getPrivateKeyRef]; NSAssert(privateKey != NULL, @"私钥不存在"); // 计算缓冲区大小 cipherBufferSize = SecKeyGetBlockSize(privateKey); keyBufferSize = [cipherData length]; NSAssert(keyBufferSize <= cipherBufferSize, @"解密内容太大"); // 分配缓冲区 keyBuffer = malloc(keyBufferSize * sizeof(uint8_t)); memset((void *)keyBuffer, 0x0, keyBufferSize); // 使用私钥解密 sanityCheck = SecKeyDecrypt(privateKey, kTypeOfWrapPadding, (const uint8_t *)[cipherData bytes], cipherBufferSize, keyBuffer, &keyBufferSize ); NSAssert1(sanityCheck == noErr, @"解密错误,OSStatus == %d", sanityCheck); // 生成明文数据 key = [NSData dataWithBytes:(const void *)keyBuffer length:(NSUInteger)keyBufferSize]; if (keyBuffer) free(keyBuffer); return key; } #pragma mark - 密钥处理 /** * 生成密钥对 */ - (void)generateKeyPair:(NSUInteger)keySize { OSStatus sanityCheck = noErr; publicKeyRef = NULL; privateKeyRef = NULL; NSAssert1((keySize == 512 || keySize == 1024 || keySize == 2048), @"密钥尺寸无效 %tu", keySize); // 删除当前密钥对 [self deleteAsymmetricKeys]; // 容器字典 NSMutableDictionary *privateKeyAttr = [[NSMutableDictionary alloc] init]; NSMutableDictionary *publicKeyAttr = [[NSMutableDictionary alloc] init]; NSMutableDictionary *keyPairAttr = [[NSMutableDictionary alloc] init]; // 设置密钥对的顶级字典 [keyPairAttr setObject:(__bridge id)kSecAttrKeyTypeRSA forKey:(__bridge id)kSecAttrKeyType]; [keyPairAttr setObject:[NSNumber numberWithUnsignedInteger:keySize] forKey:(__bridge id)kSecAttrKeySizeInBits]; // 设置私钥字典 [privateKeyAttr setObject:[NSNumber numberWithBool:YES] forKey:(__bridge id)kSecAttrIsPermanent]; [privateKeyAttr setObject:_privateTag forKey:(__bridge id)kSecAttrApplicationTag]; // 设置公钥字典 [publicKeyAttr setObject:[NSNumber numberWithBool:YES] forKey:(__bridge id)kSecAttrIsPermanent]; [publicKeyAttr setObject:_publicTag forKey:(__bridge id)kSecAttrApplicationTag]; // 设置顶级字典属性 [keyPairAttr setObject:privateKeyAttr forKey:(__bridge id)kSecPrivateKeyAttrs]; [keyPairAttr setObject:publicKeyAttr forKey:(__bridge id)kSecPublicKeyAttrs]; // SecKeyGeneratePair 返回密钥对引用 sanityCheck = SecKeyGeneratePair((__bridge CFDictionaryRef)keyPairAttr, &publicKeyRef, &privateKeyRef); NSAssert((sanityCheck == noErr && publicKeyRef != NULL && privateKeyRef != NULL), @"生成密钥对失败"); } /** * 加载公钥 */ - (void)loadPublicKey:(NSString *)publicKeyPath { NSAssert(publicKeyPath.length != 0, @"公钥路径为空"); // 删除当前公钥 if (publicKeyRef) CFRelease(publicKeyRef); // 从一个 DER 表示的证书创建一个证书对象 NSData *certificateData = [NSData dataWithContentsOfFile:publicKeyPath]; SecCertificateRef certificateRef = SecCertificateCreateWithData(kCFAllocatorDefault, (__bridge CFDataRef)certificateData); NSAssert(certificateRef != NULL, @"公钥文件错误"); // 返回一个默认 X509 策略的公钥对象,使用之后需要调用 CFRelease 释放 SecPolicyRef policyRef = SecPolicyCreateBasicX509(); // 包含信任管理信息的结构体 SecTrustRef trustRef; // 基于证书和策略创建一个信任管理对象 OSStatus status = SecTrustCreateWithCertificates(certificateRef, policyRef, &trustRef); NSAssert(status == errSecSuccess, @"创建信任管理对象失败"); // 信任结果 SecTrustResultType trustResult; // 评估指定证书和策略的信任管理是否有效 status = SecTrustEvaluate(trustRef, &trustResult); NSAssert(status == errSecSuccess, @"信任评估失败"); // 评估之后返回公钥子证书 publicKeyRef = SecTrustCopyPublicKey(trustRef); NSAssert(publicKeyRef != NULL, @"公钥创建失败"); if (certificateRef) CFRelease(certificateRef); if (policyRef) CFRelease(policyRef); if (trustRef) CFRelease(trustRef); } /** * 加载私钥 */ - (void)loadPrivateKey:(NSString *)privateKeyPath password:(NSString *)password { NSAssert(privateKeyPath.length != 0, @"私钥路径为空"); // 删除当前私钥 if (privateKeyRef) CFRelease(privateKeyRef); NSData *PKCS12Data = [NSData dataWithContentsOfFile:privateKeyPath]; CFDataRef inPKCS12Data = (__bridge CFDataRef)PKCS12Data; CFStringRef passwordRef = (__bridge CFStringRef)password; // 从 PKCS #12 证书中提取标示和证书 SecIdentityRef myIdentity = NULL; SecTrustRef myTrust = NULL; const void *keys[] = {kSecImportExportPassphrase}; const void *values[] = {passwordRef}; CFDictionaryRef optionsDictionary = CFDictionaryCreate(NULL, keys, values, 1, NULL, NULL); CFArrayRef items = CFArrayCreate(NULL, 0, 0, NULL); // 返回 PKCS #12 格式数据中的标示和证书 OSStatus status = SecPKCS12Import(inPKCS12Data, optionsDictionary, &items); if (status == noErr) { CFDictionaryRef myIdentityAndTrust = CFArrayGetValueAtIndex(items, 0); myIdentity = (SecIdentityRef)CFDictionaryGetValue(myIdentityAndTrust, kSecImportItemIdentity); myTrust = (SecTrustRef)CFDictionaryGetValue(myIdentityAndTrust, kSecImportItemTrust); } if (optionsDictionary) { CFRelease(optionsDictionary); } NSAssert(status == noErr, @"提取身份和信任失败"); SecTrustResultType trustResult; // 评估指定证书和策略的信任管理是否有效 status = SecTrustEvaluate(myTrust, &trustResult); NSAssert(status == errSecSuccess, @"信任评估失败"); // 提取私钥 status = SecIdentityCopyPrivateKey(myIdentity, &privateKeyRef); NSAssert(status == errSecSuccess, @"私钥创建失败"); } /** * 删除非对称密钥 */ - (void)deleteAsymmetricKeys { OSStatus sanityCheck = noErr; NSMutableDictionary *queryPublicKey = [[NSMutableDictionary alloc] init]; NSMutableDictionary *queryPrivateKey = [[NSMutableDictionary alloc] init]; // 设置公钥查询字典 [queryPublicKey setObject:(__bridge id)kSecClassKey forKey:(__bridge id)kSecClass]; [queryPublicKey setObject:_publicTag forKey:(__bridge id)kSecAttrApplicationTag]; [queryPublicKey setObject:(__bridge id)kSecAttrKeyTypeRSA forKey:(__bridge id)kSecAttrKeyType]; // 设置私钥查询字典 [queryPrivateKey setObject:(__bridge id)kSecClassKey forKey:(__bridge id)kSecClass]; [queryPrivateKey setObject:_privateTag forKey:(__bridge id)kSecAttrApplicationTag]; [queryPrivateKey setObject:(__bridge id)kSecAttrKeyTypeRSA forKey:(__bridge id)kSecAttrKeyType]; // 删除私钥 sanityCheck = SecItemDelete((__bridge CFDictionaryRef)queryPrivateKey); NSAssert1((sanityCheck == noErr || sanityCheck == errSecItemNotFound), @"删除私钥错误,OSStatus == %d", sanityCheck); // 删除公钥 sanityCheck = SecItemDelete((__bridge CFDictionaryRef)queryPublicKey); NSAssert1((sanityCheck == noErr || sanityCheck == errSecItemNotFound), @"删除公钥错误,OSStatus == %d", sanityCheck); if (publicKeyRef) CFRelease(publicKeyRef); if (privateKeyRef) CFRelease(privateKeyRef); } /** * 获得私钥引用 */ - (SecKeyRef)getPrivateKeyRef { OSStatus sanityCheck = noErr; SecKeyRef privateKeyReference = NULL; if (privateKeyRef == NULL) { NSMutableDictionary * queryPrivateKey = [[NSMutableDictionary alloc] init]; // 设置私钥查询字典 [queryPrivateKey setObject:(__bridge id)kSecClassKey forKey:(__bridge id)kSecClass]; [queryPrivateKey setObject:_privateTag forKey:(__bridge id)kSecAttrApplicationTag]; [queryPrivateKey setObject:(__bridge id)kSecAttrKeyTypeRSA forKey:(__bridge id)kSecAttrKeyType]; [queryPrivateKey setObject:[NSNumber numberWithBool:YES] forKey:(__bridge id)kSecReturnRef]; // 获得密钥 sanityCheck = SecItemCopyMatching((__bridge CFDictionaryRef)queryPrivateKey, (CFTypeRef *)&privateKeyReference); if (sanityCheck != noErr) { privateKeyReference = NULL; } } else { privateKeyReference = privateKeyRef; } return privateKeyReference; } @end
使用
- (void)viewDidLoad { [super viewDidLoad]; //1.加载公钥 [[RSACryptor sharedRSACryptor] loadPublicKey:[[NSBundle mainBundle] pathForResource:@"rsacert.der" ofType:nil]]; //2.加载私钥 [[RSACryptor sharedRSACryptor] loadPrivateKey: [[NSBundle mainBundle] pathForResource:@"p.p12" ofType:nil] password:@"123456"]; } static void my_encrypt(){ NSData * result = [[RSACryptor sharedRSACryptor] encryptData:[@"hello" dataUsingEncoding:NSUTF8StringEncoding]]; //base64编码 NSString * base64 = [result base64EncodedStringWithOptions:0]; NSLog(@"加密之后:%@ ",base64); //解密 NSData * dcStr = [[RSACryptor sharedRSACryptor] decryptData:result]; NSLog(@"%@",[[NSString alloc] initWithData:dcStr encoding:NSUTF8StringEncoding]); } -(void)touchesBegan:(NSSet<UITouch *> *)touches withEvent:(UIEvent *)event { my_encrypt(); }
六:base64代码、
base64编码(对二进制数据进行base64编码)
这个是ios7之后出现的。
// 对一个二进制数据进行编码,文件会变大! 原有文件的4/3 , 多了1/3 // 不便于查看的二进制数据,用base64进行表示。 //给一个字符 编码 -(NSString *)base64Endcode:(NSString *)str{ NSData * data = [str dataUsingEncoding:NSUTF8StringEncoding]; // 对二进制数据进行base64编码 return [data base64EncodedStringWithOptions:0]; } //给一个编码我对其进行解密 -(NSString *)base64Decode:(NSString *)str{ NSData * data = [[NSData alloc] initWithBase64EncodedString:str options:0]; // 对已经编码的二进制数据进行解码 return [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding]; } -(void)touchesBegan:(NSSet<UITouch *> *)touches withEvent:(UIEvent *)event { NSLog(@"%@",[self base64Endcode:@"A"]); NSLog(@"解码%@",[self base64Decode:@"QQ=="]); }
以上是关于1:RSA 加密 .pem .csr .crt .der .p12文件的区别 base64的主要内容,如果未能解决你的问题,请参考以下文章
OpenSSL使用2(SSL,X.509,PEM,DER,CRT,CER,KEY,CSR,P12概念说明)(转)
那些证书相关的玩意儿(SSL,X.509,PEM,DER,CRT,CER,KEY,CSR,P12等)
How to convert .crt to .pem [duplicate]证书转化