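What are .pem and .pk8 files? (repost)
Original article: http://blog.csdn.net/lewif/article/details/49177653
When signing an Android APK you need two files, one with the extension .pem and one with the extension .pk8. My first reaction was: what are these, English abbreviations? Linux does not rely on file extensions to tell file types apart anyway, so what exactly are they?
First, cryptography has two concepts, PKCS and X.509. As I understand it, both are something like a set of protocols or standards. What is a standard? Take a person's name: a Chinese name starts with the family name, followed by the given name, as in Zhang San. A standard exists so that everyone follows it, which produces something that is easy to manage, easy to understand and known to everybody.
Background:
In cryptography, the key used for symmetric encryption is called the secret key, while the two keys used for asymmetric encryption are called the private key and the public key.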
PKCS
PKCS stands for Public-Key Cryptography Standards, that is, public-key cryptography standards in the plural: a lot of standards ^_^. Wikipedia explains it as follows:
In cryptography, PKCS is a group of public-key cryptography standards devised and published by RSA Security Inc, starting in the early 1990s. The company published the standards to promote the use of the cryptography techniques to which they had patents, such as the RSA algorithm, the Schnorr signature algorithm and several others. Though not industry standards (because the company retained control over them), some of the standards in recent years have begun to move into the "standards-track" processes of relevant standards organizations such as the IETF and the PKIX working-group.
In other words, PKCS is a set of public-key cryptography standards published by one company. The aim was to encourage people to use the technologies the company held patents on, such as the RSA algorithm. Because these patents are owned by RSA Security, the standards did not become industry standards, but in recent years they have started to enter the standards track of the IETF and PKIX.
The PKCS standards are named with a # followed by a number. For example:
PKCS #1: RSA Cryptography Standard
| PKCS #1 | RSA Cryptography Standard | See RFC 3447. Defines the mathematical properties and format of RSA public and private keys (ASN.1-encoded in clear-text), and the basic algorithms and encoding/padding schemes for performing RSA encryption, decryption, and producing and verifying signatures. |
| PKCS #5 | Password-based Encryption Standard | See RFC 2898 and PBKDF2. |
| PKCS #7 | Cryptographic Message Syntax Standard | See RFC 2315. Used to sign and/or encrypt messages under a PKI. Used also for certificate dissemination (for instance as a response to a PKCS#10 message). Formed the basis for S/MIME, which is as of 2010 based on RFC 5652, an updated Cryptographic Message Syntax Standard (CMS). Often used for single sign-on. |
| PKCS #8 | Private-Key Information Syntax Standard | See RFC 5958. Used to carry private certificate keypairs (encrypted or unencrypted). |
| PKCS #12 | Personal Information Exchange Syntax Standard | See RFC 7292. Defines a file format commonly used to store private keys with accompanying public key certificates, protected with a password-based symmetric key. PFX is a predecessor to PKCS #12. This container format can contain multiple embedded objects, such as multiple certificates. Usually protected/encrypted with a password. Usable as a format for the Java key store and to establish client authentication certificates in Mozilla Firefox. Usable by Apache Tomcat. |
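Among these:
PKCS #5 defines the password-based encryption standard;
PKCS #8 defines the standard syntax for storing private key information and is used to hold private keys. PKCS #8 comes in two forms, encrypted and unencrypted.
For a private key, the unencrypted PKCS #8 form is: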
PrivateKeyInfo ::= SEQUENCE {
    version Version,
    -- algorithm and private key
    privateKeyAlgorithm PrivateKeyAlgorithmIdentifier,
    privateKey PrivateKey,
    attributes [0] IMPLICIT Attributes OPTIONAL }
Version ::= INTEGER
PrivateKeyAlgorithmIdentifier ::= AlgorithmIdentifier
PrivateKey ::= OCTET STRING
Attributes ::= SET OF Attribute
The corresponding encrypted form is:
EncryptedPrivateKeyInfo ::= SEQUENCE {
    -- encryption algorithm and the encrypted private key
    encryptionAlgorithm EncryptionAlgorithmIdentifier,
    encryptedData EncryptedData }
EncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
EncryptedData ::= OCTET STRING
PKCS #7 and #12 are covered in the next section.
X.509
Wikipedia explains X.509 as follows:
In cryptography, X.509 is an ITU-T standard for a public key infrastructure (PKI) and Privilege Management Infrastructure (PMI). X.509 specifies, amongst other things, standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm.
X.509 is an ITU-T standard used in PKI and PMI. The X.509 standard mainly covers the standard format of digital certificates, certificate revocation lists, attribute certificates, a certification path validation algorithm and so on.
X.509 was initially issued on July 3, 1988 and was begun in association with the X.500 standard. It assumes a strict hierarchical system of certificate authorities (CAs) for issuing the certificates. This contrasts with web of trust models, like PGP, where anyone (not just special CAs) may sign and thus attest to the validity of others' key certificates. Version 3 of X.509 includes the flexibility to support other topologies like bridges and meshes.[1] It can be used in a peer-to-peer, OpenPGP-like web of trust, but was rarely used that way as of 2004. The X.500 system has only ever been implemented by sovereign nations for state identity information sharing treaty fulfillment purposes, and the IETF's Public-Key Infrastructure (X.509), or PKIX, working group has adapted the standard to the more flexible organization of the Internet. In fact, the term X.509 certificate usually refers to the IETF's PKIX Certificate and CRL Profile of the X.509 v3 certificate standard, as specified in RFC 5280, commonly referred to as PKIX for Public Key Infrastructure (X.509).
The passage above shows that, in order to issue certificates, X.509 defines a strict hierarchical system, rather like a pyramid, with authority running from high to low. What we usually call an X.509 certificate means the IETF's PKIX Certificate and CRL Profile of the X.509 v3 certificate standard.
In the X.509 system, a certification authority issues a certificate binding a public key to a particular distinguished name in the X.500 tradition, or to an alternative name such as an e-mail address or a DNS entry.
In the X.509 standard, a CA (certificate authority) can issue a certificate to a user. The certificate binds the user's public key to an X.500-style distinguished name (the CA mainly uses the distinguished name to tell different users apart).
Below are the common filename extensions for X.509 certificates, as summarized on Wikipedia:
.pem – (Privacy-enhanced Electronic Mail) Base64 encoded DER certificate, enclosed between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"
.cer, .crt, .der – usually in binary DER form, but Base64-encoded certificates are common too (see .pem above)
.p7b, .p7c – PKCS#7 SignedData structure without data, just certificate(s) or CRL(s)
.p12 – PKCS#12, may contain certificate(s) (public) and private keys (password protected)
.pfx – PFX, predecessor of PKCS#12 (usually contains data in PKCS#12 format, e.g., with PFX files generated in IIS)
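- .pem
Privacy Enhanced Mail (PEM), is a 1993 IETF proposal for securing email using public-key cryptography,
It was originally a protocol for securing email with public-key encryption.
The main legacy of PEM is the .pem file format, which is still in common use for storing keys and X.509 certificates.
Today the only part of the PEM protocol still in use is the .pem file format. Files in this format store keys and X.509 certificates; note that both certificates and keys can be stored.
Nowadays .pem generally denotes a Base64-encoded DER certificate. We do not need to worry about these encodings; as I understand it, they are just a format for packing bytes. If you open such a certificate, its content sits between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----", as shown below: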
-----BEGIN CERTIFICATE-----
MIIEczCCA1ugAwIBAgIBADANBgkqhkiG9w0BAQQFAD..AkGA1UEBhMCR0Ix
EzARBgNVBAgTClNvbWUtU3RhdGUxFDASBgNVBAoTC0..0EgTHRkMTcwNQYD
VQQLEy5DbGFzcyAxIFB1YmxpYyBQcmltYXJ5IENlcn..XRpb24gQXV0aG9y
aXR5MRQwEgYDVQQDEwtCZXN0IENBIEx0ZDAeFw0wMD..TUwMTZaFw0wMTAy
MDQxOTUwMTZaMIGHMQswCQYDVQQGEwJHQjETMBEGA1..29tZS1TdGF0ZTEU
MBIGA1UEChMLQmVzdCBDQSBMdGQxNzA1BgNVBAsTLk..DEgUHVibGljIFBy
aW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFD..AMTC0Jlc3QgQ0Eg
THRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCg..Tz2mr7SZiAMfQyu
vBjM9OiJjRazXBZ1BjP5CE/Wm/Rr500PRK+Lh9x5eJ../ANBE0sTK0ZsDGM
ak2m1g7oruI3dY3VHqIxFTz0Ta1d+NAjwnLe4nOb7/..k05ShhBrJGBKKxb
8n104o/5p8HAsZPdzbFMIyNjJzBM2o5y5A13wiLitE..fyYkQzaxCw0Awzl
kVHiIyCuaF4wj571pSzkv6sv+4IDMbT/XpCo8L6wTa..sh+etLD6FtTjYbb
rvZ8RQM1tlKdoMHg2qxraAV++HNBYmNWs0duEdjUbJ..XI9TtnS4o1Ckj7P
OfljiQIDAQABo4HnMIHkMB0GA1UdDgQWBBQ8urMCRL..5AkIp9NJHJw5TCB
tAYDVR0jBIGsMIGpgBQ8urMCRLYYMHUKU5AkIp9NJH..aSBijCBhzELMAkG
A1UEBhMCR0IxEzARBgNVBAgTClNvbWUtU3RhdGUxFD..AoTC0Jlc3QgQ0Eg
THRkMTcwNQYDVQQLEy5DbGFzcyAxIFB1YmxpYyBQcm..ENlcnRpZmljYXRp
b24gQXV0aG9yaXR5MRQwEgYDVQQDEwtCZXN0IENBIE..DAMBgNVHRMEBTAD
AQH/MA0GCSqGSIb3DQEBBAUAA4IBAQC1uYBcsSncwA..DCsQer772C2ucpX
xQUE/C0pWWm6gDkwd5D0DSMDJRqV/weoZ4wC6B73f5..bLhGYHaXJeSD6Kr
XcoOwLdSaGmJYslLKZB3ZIDEp0wYTGhgteb6JFiTtn..sf2xdrYfPCiIB7g
BMAV7Gzdc4VspS6ljrAhbiiawdBiQlQmsBeFz9JkF4..b3l8BoGN+qMa56Y
It8una2gY4l2O//on88r5IWJlm1L0oA8e4fR2yrBHX..adsGeFKkyNrwGi/
7vQMfXdGsRrXNGRGnX+vWDZ3/zWI0joDtCkNnqEpVn..HoX
-----END CERTIFICATE-----
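- .cer, .crt, .der
Typical .cer, .crt and .der certificates seem to be similar to .pem, with roughly the same encoding;
- .p7b, .p7c
As for .p7b and .p7c files: as noted above, PKCS #7 is normally used to sign or encrypt data, and digitally signed data needs a digital certificate to verify the signature (because the certificate contains the public key). A .p7b file is in fact a SignedData structure (the data structure holding the material needed for a signature) that contains certificates or CRLs but not the data to be signed. For example, you send a signed email to Zhang San and Li Si and send your personal certificate along with it; in that case you can package the certificate in PKCS #7 format;
- .pfx
For .pfx files: PKCS #12 is a standard format mainly intended for transporting, backing up and restoring digital certificates and their associated public or private keys in a public-key cryptosystem. PKCS #12 is an export format, normally used to export a digital certificate together with its private key, because exporting a user's private key by a less secure method creates a security risk. PKCS #12 is used to export digital certificates to other computers, to removable media for backup, or to smart cards to enable smart-card authentication schemes.
PKCS #12 is the "Personal Information Exchange Syntax". It can package an X.509 certificate together with the private key that belongs to it, for exchange. On Windows, for instance, you can export a certificate from IE along with its private key and set a password to protect it. The resulting .pfx file is packaged in PKCS #12 format. PKCS #12 is of course not limited to this use; it can package and exchange any information. You could use PKCS #12 to exchange private data with Zhang San and Li Si, including X.509 certificates and private keys.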
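What .pem and .pk8 files are
- .pem
From the analysis above it is clear that, when Android signs an APK, the .pem file is an X.509 digital certificate that contains the user's public key and other information. As noted above, though, this file format can store not only digital certificates but also various keys.
- .pk8
Files with the .pk8 extension were not mentioned above; they should correspond to PKCS #8 and are used to store the private key.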
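As an added illustration (not part of the original post), the Python sketch below tells the structures described above apart by their outer DER layout: PrivateKeyInfo, EncryptedPrivateKeyInfo and an X.509 Certificate, in PEM or raw DER form. The names read_tlv, classify and der, and the SAMPLE_* blobs, are constructed for this example; the samples are skeletons with dummy bytes, not real keys or certificates.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def read_tlv(buf, pos=0):
    """Read one DER tag-length-value; return (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long form: low 7 bits count the length bytes
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:                                 # short form: the byte is the length
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def classify(data):
    """Name the container (PEM or DER) and the outer ASN.1 structure of a blob."""
    m = PEM_RE.search(data.decode("latin-1"))
    encoding = "PEM" if m else "DER"
    if m:                                 # PEM is Base64 of the DER between the markers
        data = base64.b64decode(m.group(2))
    tag, body, _ = read_tlv(data)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    tags, pos = [], 0
    while pos < len(body):                # collect the tags of the top-level fields
        t, _, pos = read_tlv(body, pos)
        tags.append(t)
    kind = "unknown"
    if tags[:3] == [0x02, 0x30, 0x04]:    # version, algorithm, OCTET STRING
        kind = "PKCS#8 PrivateKeyInfo (unencrypted)"
    elif tags == [0x30, 0x04]:            # algorithm, OCTET STRING
        kind = "PKCS#8 EncryptedPrivateKeyInfo"
    elif tags == [0x30, 0x30, 0x03]:      # tbsCertificate, algorithm, BIT STRING
        kind = "X.509 Certificate"
    return f"{encoding}: {kind}"

# Constructed skeleton samples with dummy bytes (not real keys or certificates).
def der(tag, value):
    return bytes([tag, len(value)]) + value   # short-form lengths only
ALG = bytes.fromhex("06092a864886f70d0101010500")     # rsaEncryption OID + NULL
SAMPLE_PK8 = der(0x30, der(0x02, b"\x00") + der(0x30, ALG) + der(0x04, bytes(16)))
SAMPLE_ENC = der(0x30, der(0x30, ALG) + der(0x04, bytes(16)))
SAMPLE_CERT = der(0x30, der(0x30, b"") + der(0x30, ALG) + der(0x03, b"\x00"))
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(SAMPLE_CERT)
```

A signing key that classifies as an unencrypted PrivateKeyInfo is usable by anyone who can read the file, so such a file needs strict file permissions or storage in the encrypted form.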