一、文件編碼

PEM (Privacy Enhancement Message)，定義見

結構組成 == {header} body {tail}

示例

-----BEGIN PUBLIC KEY-----

MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDMYfnvWtC8Id5bPKae5yXSxQTt

+Zpul6AnnZWfI2TtIarvjHBFUtXRo96y7hoL4VWOPKGCsRqMFDkrbeUjRrx8iL91

4/srnyf6sh9c8Zk04xEOpK1ypvBz+Ks4uZObtjnnitf0NBGdjMKxveTq+VE7BWUI

yQjtQ8mbDOsiLLvh7wIDAQAB

-----END PUBLIC KEY-----

DER (Distinguished Encoding Rules) , 定義見

編碼方式 == DER uses a pattern of type-length-value triplets

二、公鑰標準

PKCS (Public Key Cryptography Standards)，定義見

常見PKCS標準

三、RSA 密鑰

RSA 公鑰編碼

PublicKey-PKCS#1-PEM

-----BEGIN RSA PUBLIC KEY-----

BASE64 ENCODED DATA

-----END RSA PUBLIC KEY-----

PublicKey-PKCS#1-DER

RSAPublicKey ::= SEQUENCE {

modulus INTEGER, -- n

publicExponent INTEGER -- e

}

PublicKey-PKCS#8-PEM

-----BEGIN PUBLIC KEY-----

BASE64 ENCODED DATA

-----END PUBLIC KEY-----

PublicKey-PKCS#8-DER

PublicKeyInfo ::= SEQUENCE {

algorithm AlgorithmIdentifier,

PublicKey BIT STRING

}

AlgorithmIdentifier ::= SEQUENCE {

algorithm OBJECT IDENTIFIER,

parameters ANY DEFINED BY algorithm OPTIONAL

}

對于RSA公鑰來說，OID就是(1.2.840.113549.1.1.1)

RSA 私鑰編碼

PrivateKey-PKCS#1-PEM

-----BEGIN RSA PRIVATE KEY-----

BASE64 ENCODED DATA

-----END RSA PRIVATE KEY-----

PrivateKey-PKCS#1-DER

RSAPrivateKey ::= SEQUENCE {

version Version,

modulus INTEGER, -- n

publicExponent INTEGER, -- e

privateExponent INTEGER, -- d

prime1 INTEGER, -- p

prime2 INTEGER, -- q

exponent1 INTEGER, -- d mod (p-1)

exponent2 INTEGER, -- d mod (q-1)

coefficient INTEGER, -- (inverse of q) mod p

otherPrimeInfos OtherPrimeInfos OPTIONAL

}

PrivateKey-PKCS#8-PEM

-----BEGIN PRIVATE KEY-----

BASE64 ENCODED DATA

-----END PRIVATE KEY-----

PrivateKey-PKCS#8-DER

PrivateKeyInfo ::= SEQUENCE {

version Version,

algorithm AlgorithmIdentifier,

PrivateKey OCTET STRING

}

AlgorithmIdentifier ::= SEQUENCE {

algorithm OBJECT IDENTIFIER,

parameters ANY DEFINED BY algorithm OPTIONAL

}

私鑰文件可采用加密方式存儲，加密后的格式：

EncryptedPrivateKey-PKCS#8-PEM

-----BEGIN ENCRYPTED PRIVATE KEY-----

BASE64 ENCODED DATA

-----END ENCRYPTED PRIVATE KEY-----

Encrypted-PrivateKey-PKCS#8-DER

EncryptedPrivateKeyInfo ::= SEQUENCE {

encryptionAlgorithm EncryptionAlgorithmIdentifier,

encryptedData EncryptedData

}

EncryptionAlgorithmIdentifier ::= AlgorithmIdentifier

EncryptedData ::= OCTET STRING

四、證書

X.509 證書，

證書結構

Certificate

Version Number

Serial Number

Signature Algorithm ID

Issuer Name

Validity period

Not Before

Not After

Subject name

Subject Public Key Info

Public Key Algorithm

Subject Public Key

Issuer Unique Identifier (optional)

Subject Unique Identifier (optional)

Extensions (optional)

...

Certificate Signature Algorithm

Certificate Signature

主要字段

擴展字段

??樣例-維基百科證書

Certificate:

Data:

Version: 3 (0x2)

Serial Number:

10:e6:fc:62:b7:41:8a:d5:00:5e:45:b6

Signature Algorithm: sha256WithRSAEncryption

Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2

Validity

Not Before: Nov 21 08:00:00 2016 GMT

Not After : Nov 22 07:59:59 2017 GMT

Subject: C=US, ST=California, L=San Francisco, O=Wikimedia Foundation, Inc., CN=*.wikipedia.org

Subject Public Key Info:

Public Key Algorithm: id-ecPublicKey

Public-Key: (256 bit)

pub:

04:c9:22:69:31:8a:d6:6c:ea:da:c3:7f:2c:ac:a5:

af:c0:02:ea:81:cb:65:b9:fd:0c:6d:46:5b:c9:1e:

ed:b2:ac:2a:1b:4a:ec:80:7b:e7:1a:51:e0:df:f7:

c7:4a:20:7b:91:4b:20:07:21:ce:cf:68:65:8c:c6:

9d:3b:ef:d5:c1

ASN1 OID: prime256v1

X509v3 extensions:

X509v3 Key Usage: critical

Digital Signature, Key Agreement

Authority Information Access:

CA Issuers - URI:http://secure.globalsign.com/cacert/gsorganizationvalsha2g2r1.crt

OCSP - URI:http://ocsp2.globalsign.com/gsorganizationvalsha2g2

X509v3 Certificate Policies:

Policy: 1.3.6.1.4.1.4146.1.20

CPS: https://www.globalsign.com/repository/

Policy: 2.23.140.1.2.2

X509v3 Basic Constraints:

CA:FALSE

X509v3 CRL Distribution Points:

Full Name:

URI:http://crl.globalsign.com/gs/gsorganizationvalsha2g2.crl

X509v3 Subject Alternative Name:

DNS:*.wikipedia.org, DNS:*.m.mediawiki.org, DNS:*.m.wikibooks.org, DNS:*.m.wikidata.org, DNS:*.m.wikimedia.org, DNS:*.m.wikimediafoundation.org, DNS:*.m.wikinews.org, DNS:*.m.wikipedia.org, DNS:*.m.wikiquote.org, DNS:*.m.wikisource.org, DNS:*.m.wikiversity.org, DNS:*.m.wikivoyage.org, DNS:*.m.wiktionary.org, DNS:*.mediawiki.org, DNS:*.planet.wikimedia.org, DNS:*.wikibooks.org, DNS:*.wikidata.org, DNS:*.wikimedia.org, DNS:*.wikimediafoundation.org, DNS:*.wikinews.org, DNS:*.wikiquote.org, DNS:*.wikisource.org, DNS:*.wikiversity.org, DNS:*.wikivoyage.org, DNS:*.wiktionary.org, DNS:*.wmfusercontent.org, DNS:*.zero.wikipedia.org, DNS:mediawiki.org, DNS:w.wiki, DNS:wikibooks.org, DNS:wikidata.org, DNS:wikimedia.org, DNS:wikimediafoundation.org, DNS:wikinews.org, DNS:wikiquote.org, DNS:wikisource.org, DNS:wikiversity.org, DNS:wikivoyage.org, DNS:wiktionary.org, DNS:wmfusercontent.org, DNS:wikipedia.org

X509v3 Extended Key Usage:

TLS Web Server Authentication, TLS Web Client Authentication

X509v3 Subject Key Identifier:

28:2A:26:2A:57:8B:3B:CE:B4:D6:AB:54:EF:D7:38:21:2C:49:5C:36

X509v3 Authority Key Identifier:

keyid:96:DE:61:F1:BD:1C:16:29:53:1C:C0:CC:7D:3B:83:00:40:E6:1A:7C

Signature Algorithm: sha256WithRSAEncryption

8b:c3:ed:d1:9d:39:6f:af:40:72:bd:1e:18:5e:30:54:23:35:

66:5e:62:d5:01:e2:63:47:70:cb:6d:1b:17:b0:f5:4d:11:e4:

ad:94:51:c5:5e:72:03:b0:d5:ab:18:eb:b5:3a:08:a8:73:95:

f3:7f:41:1a:28:7b:45:7c:83:2e:d3:14:95:d8:d5:d1:5f:99:

4b:0c:f4:c3:9b:0b:4f:e9:49:f4:2c:b5:ae:c3:1d:7d:2a:80:

f6:70:29:4c:0c:e6:e0:cb:88:8a:8a:02:ee:a5:d1:73:c2:93:

58:24:ff:43:1b:e3:fd:7b:aa:f0:15:0c:60:52:8f:21:7d:87:

3a:14:fa:81:41:00:60:4f:96:9a:62:94:58:de:cb:15:5c:3c:

f4:c1:4d:33:e3:ff:39:fe:28:fb:b0:41:3e:d2:8a:11:d1:06:

01:28:74:7d:71:d4:2a:ef:1f:e3:25:4b:2d:f0:66:ef:26:fb:

4c:f0:81:85:bb:1a:99:06:c9:37:87:de:8d:49:f7:00:91:a9:

42:31:4a:b9:40:a0:7d:4f:4f:a6:ea:d4:58:07:3c:01:e0:1a:

53:54:66:e1:a3:7e:30:cd:3b:f8:69:59:a3:48:92:48:e1:9e:

63:ab:08:70:91:f2:48:d2:83:4b:98:06:fa:fd:bc:99:02:da:

9c:98:b1:a3

證書格式PKI ITU-T X509標準，傳統標準(.der .pem .cer .crt)，僅包含公鑰

PKCS#7 加密消息語法標準(.p7b .p7c .spc .p7r)，p7b/p7c/spc 包含了證書鏈，p7r是證書請求回復(非證書)

PKCS#10 證書請求標準(.p10)，.p10是證書請求文件，與.csr文件類似

PKCS#12 個人信息交換標準(.pfx *.p12)，包含公鑰和私鑰，需密碼保護

編碼形式X.509 DER(Distinguished Encoding Rules)編碼，后綴為：.der .cer .crt

X.509 BASE64編碼(PEM格式)，后綴為：.pem .cer .crt

X.509CRT-PEM

-----BEGIN CERTIFICATE-----

BASE64 ENCODED DATA

-----END CERTIFICATE-----

關鍵特性編碼形式：二進制還是ASCII

是否包含公鑰、私鑰

包含一個還是多個證書

是否支持密碼保護(針對當前證書)

參考文檔

作者：美碼師

與50位技術專家面對面20年技術見證，附贈技術全景圖

總結

以上是生活随笔為你收集整理的pem格式证书编码 x509_公钥证书编码解读的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。