pkcs12

Posted janly


Public Key Infrastructure (PKI) provides the means to establish trust by binding public keys and identities, thus giving reasonable assurance that we’re communicating securely with who we think we are. PKI is important to using public key cryptography effectively, and is essential to understanding and using the SSL protocol.

Using public key cryptography, we can be sure that encrypted data can be decrypted only with the corresponding private key. If we combine this with a message digest algorithm to compute a signature, we can be sure that the data has not been tampered with. What’s missing is some means of ensuring that the party we’re communicating with is actually who they say they are. In other words, trust has not been established. This is where PKI fits in.

 

https://www.golinuxcloud.com/tutorial-pki-certificates-authority-ocsp/#:~:text=PFX%2FP12%20The%20Personal%20Information%20Exchange%20%28PFX%29%20format%2C%20also,PFX%20formatted%20files%20have%20an%20extension%20of.pfx%20or.p12.

 

Certificate Formats

There are different certificate formats because of the way the information is stored in the certificate. The following identifies common file formats for certificates:

  • DER/CER   Distinguished Encoding Rules (DER) and Canonical Encoding Rules (CER) are binary file formats used to store information in the certificate file. DER-formatted files can have a .der or a .cer file extension.
  • PEM   Privacy-enhanced Electronic Mail (PEM) is an ASCII file format that can have a file extension of .pem, .crt, .cer, or .key. PEM files are very common and start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.
  • PFX/P12   The Personal Information Exchange (PFX) format, also known as the P12 or PKCS#12 format, is a binary file format that is common with Microsoft environments for importing and exporting certificates. PFX formatted files have an extension of .pfx or .p12.
  • P7B   The P7B format, also known as PKCS#7, is another ASCII file format used to store certificate information. If you open the ASCII file, you will see that it begins with the text -----BEGIN PKCS7----- and ends with -----END PKCS7-----. P7B files can have an extension of .p7b or .p7c.

 

 

Certificate Revocation Lists

Once a certificate has been issued, it is generally put into production, where it will be distributed to many clients. If an attacker compromises the associated private key, he now has the ability to use the certificate even though it doesn’t belong to him. Assuming the proper owner is aware of the compromise, a new certificate with a new key pair should be obtained and put into use. In this situation there are two certificates for the same entity—both are technically valid, but one should not be trusted. The compromised certificate will eventually expire, but in the meantime, how will the world at large know not to trust it?

The answer lies in something called a certificate revocation list (CRL). A CRL contains a list of all of the revoked certificates a CA has issued that have yet to expire. When a certificate is revoked, the CA declares that the certificate should no longer be trusted.
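A client that relies on a CRL has to do more than look up a serial number: the list must be signed by the issuing CA and must not be stale. The following Go program is an added example, not part of the original post; isRevoked and sampleCRL are hypothetical names, and the CA, the CRL and serial number 42 are constructed sample data.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// isRevoked trusts a CRL only if the CA signed it and it is not stale.
func isRevoked(crlDER []byte, ca *x509.Certificate, serial *big.Int, now time.Time) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return false, err
	}
	if now.After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL is past its NextUpdate")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// sampleCRL builds a constructed CA and a CRL that revokes serial 42.
func sampleCRL(now time.Time) (*x509.Certificate, []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	ca, _ := x509.ParseCertificate(caDER) // parsing fills in the generated SubjectKeyId
	crlDER, _ := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(42), RevocationTime: now}}}, ca, key)
	return ca, crlDER
}

func main() {
	ca, crl := sampleCRL(time.Now())
	fmt.Println(isRevoked(crl, ca, big.NewInt(42), time.Now()))
}
```

An error from isRevoked means the list itself cannot be trusted, which is a different outcome from "not revoked" and should not be treated as one.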

 

Online Certificate Status Protocol

The Online Certificate Status Protocol (OCSP), formally specified in RFC 2560, is a relatively new addition to PKI. Its primary aim is to address some of the distribution problems that have traditionally plagued CRLs.

Using OCSP, an application makes a connection to an OCSP responder and requests the status of a certificate by passing the certificate’s serial number. The responder replies “good,” “revoked,” or “unknown.” A “good” response indicates that the certificate is valid, so far as the responder knows. This does not necessarily mean that the certificate was ever issued, just that it hasn’t been revoked. A “revoked” response indicates that the certificate has been issued and that it has indeed been revoked. An “unknown” response indicates that the responder doesn’t know anything about the certificate. A typical reason for this response could be that the certificate was issued by a CA that is unknown to the responder.

 

 

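package main

import (
	"fmt"
	"os"

	"golang.org/x/crypto/pkcs12"
)

func main() {
	// Path and password of the PKCS#12 keystore to decode.
	clientStore := "/Users/jalyzhang/Documents/test/src/github.com/ultramesh/flato-msp-cert/z/client.keystore"
	clientpwd := "client"
	data, err := os.ReadFile(clientStore)
	if err != nil {
		panic(err)
	}
	// Decode returns the private key and the certificate held in the keystore.
	priv, cert, err := pkcs12.Decode(data, clientpwd)
	if err != nil {
		panic(err)
	}
	fmt.Println(priv)
	fmt.Println(cert)
}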

 

 

 

// pfxPdu is the top-level PFX structure of a PKCS#12 file.
type pfxPdu struct {
	Version  int
	AuthSafe contentInfo
	MacData  macData `asn1:"optional"`
}

// contentInfo wraps typed content identified by an OID.
type contentInfo struct {
	ContentType asn1.ObjectIdentifier
	Content     asn1.RawValue `asn1:"tag:0,explicit,optional"`
}

// macData carries the password-based MAC over the AuthSafe content.
type macData struct {
	Mac        digestInfo
	MacSalt    []byte
	Iterations int `asn1:"optional,default:1"`
}

// digestInfo holds the digest algorithm and the digest value.
type digestInfo struct {
	Algorithm pkix.AlgorithmIdentifier
	Digest    []byte
}

// encryptedData is content encrypted under a password-derived key.
type encryptedData struct {
	Version              int
	EncryptedContentInfo encryptedContentInfo
}

type encryptedContentInfo struct {
	ContentType                asn1.ObjectIdentifier
	ContentEncryptionAlgorithm pkix.AlgorithmIdentifier
	EncryptedContent           []byte `asn1:"tag:0,optional"`
}

// safeBag is one entry in the store, with optional attributes.
type safeBag struct {
	Id         asn1.ObjectIdentifier
	Value      asn1.RawValue     `asn1:"tag:0,explicit"`
	Attributes []pkcs12Attribute `asn1:"set,optional"`
}

type pkcs12Attribute struct {
	Id    asn1.ObjectIdentifier
	Value asn1.RawValue `asn1:"set"`
}

// certBag holds one certificate; Id names the certificate type.
type certBag struct {
	Id   asn1.ObjectIdentifier
	Data []byte `asn1:"tag:0,explicit"`
}

// encryptedPrivateKeyInfo is a private key encrypted under the password.
type encryptedPrivateKeyInfo struct {
	AlgorithmIdentifier pkix.AlgorithmIdentifier
	EncryptedData       []byte
}
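The outer PFX envelope is not encrypted, so the MAC parameters of a keystore can be audited without its password. The following Go program is an added example, not code from the original post or from golang.org/x/crypto/pkcs12: it reuses the pfxPdu, macData and digestInfo layouts above (keeping AuthSafe opaque) and uses only the standard library; macParams, samplePFX and the sample bytes are constructed for illustration.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

// Outer PKCS#12 envelope as above; AuthSafe stays opaque, only the MAC is read.
type pfxPdu struct {
	Version  int
	AuthSafe asn1.RawValue
	MacData  macData `asn1:"optional"`
}
type macData struct {
	Mac        digestInfo
	MacSalt    []byte
	Iterations int `asn1:"optional,default:1"`
}
type digestInfo struct {
	Algorithm pkix.AlgorithmIdentifier
	Digest    []byte
}

// macParams returns the MAC digest OID and the effective iteration count.
func macParams(der []byte) (string, int, error) {
	var pfx pfxPdu
	if rest, err := asn1.Unmarshal(der, &pfx); err != nil {
		return "", 0, err
	} else if len(rest) != 0 || pfx.Version != 3 {
		return "", 0, fmt.Errorf("not a single version 3 PFX")
	}
	if len(pfx.MacData.Mac.Algorithm.Algorithm) == 0 {
		return "", 0, fmt.Errorf("no MacData: integrity is unprotected")
	}
	return pfx.MacData.Mac.Algorithm.Algorithm.String(), pfx.MacData.Iterations, nil
}

// samplePFX builds a constructed envelope; iter 0 omits MacData, iter 1 is the omitted default.
func samplePFX(iter int) []byte {
	p := pfxPdu{Version: 3, AuthSafe: asn1.RawValue{Tag: asn1.TagSequence, IsCompound: true, Bytes: []byte{0x05, 0x00}}}
	if iter > 0 {
		sha1 := pkix.AlgorithmIdentifier{Algorithm: asn1.ObjectIdentifier{1, 3, 14, 3, 2, 26}}
		p.MacData = macData{digestInfo{sha1, make([]byte, 20)}, []byte("saltsalt"), iter}
	}
	der, _ := asn1.Marshal(p)
	return der
}

func main() { fmt.Println(macParams(samplePFX(1))) }
```

A file that leaves out the iterations field is processed with a count of 1, as the default in macData states. Go's encoding/asn1 accepts DER only, so a BER-encoded keystore is reported as a parse error.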
