This post covers:
- The PKCS#1 and PKCS#8 private key formats
- Converting between PKCS#1 and PKCS#8
- Encrypting and decrypting private keys
- PKCS#1 -> PKCS#8
- Generate a PKCS#1 private key
$ openssl genrsa -out rsakey-pkcs1.pem 2048
Generating RSA private key, 2048 bit long modulus
......+++
................................................................................+++
e is 65537 (0x10001)
$ cat rsakey-pkcs1.pem
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAlGO0ftihLRztaQBA9GdRTnhdUudAUHBAQla68jtmGTxNKKLx
pSjy0R+LANfK1jxcPKfBZUF2dAyMP9dds26xvNaH5l0oK3cD3UxrOkRsQkYDKG8A
...
hZzWZ2MRfk5dp18q6owuFBxEl0BDeZ1XJ+jVR88EHDUkPth7zj1Lxi+fBDQ5kx1G
8isoizsPJEgNqRjKIME4x0UMmXkpVrYyKehoroo3Nt6OwGBRxZUsNQ==
-----END RSA PRIVATE KEY-----
- pkcs1 -> pkcs8
$ openssl pkcs8 -in rsakey-pkcs1.pem -topk8 -out rsakey-pkcs8.pem -nocrypt
$ cat rsakey-pkcs8.pem
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCUY7R+2KEtHO1p
AED0Z1FOeF1S50BQcEBCVrryO2YZPE0oovGlKPLRH4sA18rWPFw8p8FlQXZ0DIw/
...
nVcn6NVHzwQcNSQ+2HvOPUvGL58ENDmTHUbyKyiLOw8kSA2pGMogwTjHRQyZeSlW
tjIp6Giuijc23o7AYFHFlSw1
-----END PRIVATE KEY-----
Or
- pkcs1 -> encrypted pkcs8
$ openssl pkcs8 -in rsakey-pkcs1.pem -topk8 -out rsakey-pkcs8-enc.pem
Enter Encryption Password: xxxx
Verifying - Enter Encryption Password: xxxx
$ cat rsakey-pkcs8-enc.pem
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIE6TAbBgkqhkiG9w0BBQMwDgQIEPePqNLAC28CAggABIIEyPoOH9NOipfWjHKR
snVrLuiYGqth/7UmI6j0oNxZlAla/ul9YwL+reRKJ3yyqkgvPdhiPd/N1nKdWtZm
...
nAwlffpdL0YbmfuinM4Ei2QzDKGLMKSyYKUY7Vq+m/L07s2YCpQvxro7wxsfA+iV
U1u6LDc05Pq/aH5mlw==
-----END ENCRYPTED PRIVATE KEY-----
- PKCS#8 -> PKCS#1
- Generate a PKCS#8 private key
$ openssl genpkey -out rsakey-pkcs8.pem -algorithm RSA -pkeyopt rsa_keygen_bits:2048
..........................................................+++
.................................................................+++
$ cat rsakey-pkcs8.pem
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDINFnVgP46hRJj
sy6nqsyG0PfNogjB5mG9E7xCACqMLdmavgOBinuXTfRRsUg5EUqENuDdKLI1tX5U
...
ThDF1ndtMCNfov32kVqC+d4H2VHGC5YUPrqS2cP00fCvSWUumyFYc88R6Mpb3Y/X
HGZuMrWml0IS3FUNkCYgjk0=
-----END PRIVATE KEY-----
- pkcs8 -> pkcs1
$ openssl rsa -in rsakey-pkcs8.pem -out rsakey-pkcs1.pem
writing RSA key
$ cat rsakey-pkcs1.pem
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAyDRZ1YD+OoUSY7Mup6rMhtD3zaIIweZhvRO8QgAqjC3Zmr4D
gYp7l030UbFIORFKhDbg3SiyNbV+VAg2RRGPD9CBGFhaLgi8dIABIvZ4vLHpCGvN
...
cCsSfsDCy0ZLYYEuk//ViFNy2BYv2E4QxdZ3bTAjX6L99pFagvneB9lRxguWFD66
ktnD9NHwr0llLpshWHPPEejKW92P1xxmbjK1ppdCEtxVDZAmII5N
-----END RSA PRIVATE KEY-----
- Encrypting private keys
- Generate an encrypted PKCS#1 private key
$ openssl genrsa -aes256 -passout pass:12345 -out rsakey-pkcs1-enc.pem 2048
$ cat rsakey-pkcs1-enc.pem
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,01A768B630B1CA242ED626CF41721833
554N/AyVlKeRaoUyGrWiYGwZa5yGm8HbZ4M4bMOCoP6+IzTf/6AgoyEGXMaXKsps
ohw977LmshcQq1du5utQ50IYrlAmAJ2kSNeL4FgaM1erX8C2QxA3CHKL6i601gt9
...
cJaGKWnu16H5NPvypuLObrRu1eugxbxIGbp6T6Sb2KkLC/1QyXTbrbA1RBDePANC
XEqiFkmS8wFzGammsd+M3h3jqqPpGtwioeRc0OX0o71P1Me5qyGjqCcdTj0Ouynr
-----END RSA PRIVATE KEY-----
- Decrypt a PKCS#1 private key
$ openssl rsa -in rsakey-pkcs1-enc.pem -out rsakey-pkcs1.pem
$ cat rsakey-pkcs1.pem
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAtgXgvZHfI7Gpl48flLWKHumlSjnzjX+5OJfty8nambMxQEDC
PivjwvaQBsgR2YQTarzSd4LUI6bGiaS+Tnvzqw3lWcU+eWHkbqMHQ5QmbeF+c0M/
...
9huV4op3188Ki07iazgK8R/R1/r9k5vSkbN9Ayn0Ukw1vial1Kh9yzEIJ3/aRgcm
ov9Lx33O/R41TLF3IjRbpDazjtOltc1wadrWKPpKZDLkoB1GtUE=
-----END RSA PRIVATE KEY-----
- Encrypt a PKCS#1 private key
$ openssl rsa -des -in rsakey-pkcs1.pem -out rsakey-pkcs1-enc.pem
writing RSA key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
$ cat rsakey-pkcs1-enc.pem
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-CBC,6A8C6BA0B2AAA75B
qA/i2W3cNEP124GhbO7OXrD/mPXuRCJg0+VtMGlQrob0ug+VLRA8C9B+hVeomT5l
a4WbC7t9bFUo8xHzz7ZUiyhe34EjnwOUfmeyEIjgq1cBPypxrSlN4sl5ELiIHj6n
...
7n9taJFawlhBS6K0KZiTkpEIGxMZH0pF8NO9SmCPQGLPxwbZTcjGMqM5ZSli1oCR
BJ9ECgoGlA9mphr3/icwkDvlnG3MvLedHVVJ9/A5qExJXvZtiUT4LA==
-----END RSA PRIVATE KEY-----
- Generate an encrypted PKCS#8 private key
$ openssl genpkey -aes256 -pass pass:12345 -out rsakey-pkcs8-enc.pem -algorithm RSA -pkeyopt rsa_keygen_bits:2048
$ cat rsakey-pkcs8-enc.pem
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHzBJBgkqhkiG9w0BBQ0wPDAbBgkqhkiG9w0BBQwwDgQIB6CchEkgyFECAggA
MB0GCWCGSAFlAwQBKgQQbhgxcmrL1rUpIQcqNBTw2wSCBNDg8GNQKR2cVYV7pkKp
...
bfjKrNg5DqWdi5heKLaVJuAfNR7YUmFzvWPEAzHP/OeK8YTo0oCxTvP/ZemIm2CT
6cpk/GibUFP/SuqAZuqfdWlZdw==
-----END ENCRYPTED PRIVATE KEY-----
- Decrypt a PKCS#8 private key
$ openssl pkcs8 -in rsakey-pkcs8-enc.pem -topk8 -out rsakey-pkcs8.pem -nocrypt
Enter pass phrase for rsakey-pkcs8-enc.pem:
writing RSA key
$ cat rsakey-pkcs8.pem
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC3wXDRsAnUKqwF
aziSfDO+f1cfD13FyVGxMA2zDwwHVnDVUKoHwkYEy1hC0RYnZ6U+9X2E3W1jWFws
...
n7mIrQmVssKxxEARR2MGfLnAyrBGLF+K20o1ZA0r23mdGyJpfu9oISaZYxZmuRhA
/vgGkeXhAhfyHRTDTNOPeolEaMf+dvXNTAgjK52+ZOL3Izmpc6jTr9gzSN8bDxtj
1Bp/sDWNVYXaEWTqAAh78jf4
-----END PRIVATE KEY-----
- Encrypt a PKCS#8 private key
$ openssl pkcs8 -in rsakey-pkcs8.pem -topk8 -out rsakey-pkcs8-enc.pem
writing RSA key
Enter PEM pass phrase: xxxx
Verifying - Enter PEM pass phrase: xxxx
$ cat rsakey-pkcs8-enc.pem
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIE6TAbBgkqhkiG9w0BBQMwDgQIDI9pUK8qVqoCAggABIIEyBkMIyP4LAfr7HTH
quGki99iPIZg0/BtkWVLuD27IrE943KUcqduVi6L+d7bXwQTF/FWypOc0dAy3pXN
...
Qihd5ljx16OYLt4bjx0axiFsJ0OAYIdIj4uqfkXJl9Ef6HWi9129Bk6Z9k6kzIW3
ta5WWtNfWY28QO/twA==
-----END ENCRYPTED PRIVATE KEY-----
- Telling PKCS#1 and PKCS#8 PEM files apart
As the outputs above show, the PEM headers differ.
- PKCS#1
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
Or, the ASN encrypted format:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-CBC,6A8C6BA0B2AAA75B
...
- PKCS#8
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
Or, in encrypted form:
-----BEGIN ENCRYPTED PRIVATE KEY-----
...
-----END ENCRYPTED PRIVATE KEY-----
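An added example (not from the original post): a Python classifier for the PEM headers compared above that also reports how an encrypted key is protected, reading the legacy `DEK-Info` cipher or the scheme OID at the start of an `ENCRYPTED PRIVATE KEY` body. The function names are illustrative, and the sample inputs are the header and first body line of outputs shown on this page, with the rest omitted.

```python
import base64
import re

# PKCS#5 encryption-scheme OIDs, as DER content bytes.
SCHEMES = {bytes.fromhex("2a864886f70d01050d"): "PBES2",
           bytes.fromhex("2a864886f70d010503"): "PBES1 pbeWithMD5AndDES-CBC"}
FORMATS = {"RSA PRIVATE KEY": "PKCS#1", "EC PRIVATE KEY": "SEC1 EC",
           "PRIVATE KEY": "PKCS#8", "ENCRYPTED PRIVATE KEY": "PKCS#8"}

def _tlv(der, pos):
    """Return (tag, length, content offset) of the DER element at pos."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, length, pos

def pkcs8_scheme(b64):
    """Name the scheme OID that starts an ENCRYPTED PRIVATE KEY body."""
    try:
        der = base64.b64decode(b64[:64])   # 48 bytes cover the headers and OID
        _, _, pos = _tlv(der, 0)           # EncryptedPrivateKeyInfo SEQUENCE
        _, _, pos = _tlv(der, pos)         # encryptionAlgorithm SEQUENCE
        tag, length, pos = _tlv(der, pos)  # algorithm OBJECT IDENTIFIER
    except (IndexError, ValueError):
        return "unknown"
    return SCHEMES.get(der[pos:pos + length], "unknown") if tag == 6 else "unknown"

def classify(pem):
    """Return (format, encryption) for the first private key block in pem."""
    m = re.search(r"-----BEGIN ([A-Z ]*PRIVATE KEY)-----\r?\n(.*?)(?:-----END|\Z)",
                  pem, re.S)
    if not m:
        return None
    label, body = m.groups()
    if label == "ENCRYPTED PRIVATE KEY":
        return "PKCS#8", pkcs8_scheme(re.sub(r"[^A-Za-z0-9+/=]", "", body))
    dek = re.search(r"^DEK-Info: ([^,\s]+)", body, re.M)
    if "Proc-Type: 4,ENCRYPTED" in body and dek:
        return FORMATS.get(label, "unknown"), "legacy PEM " + dek.group(1)
    return FORMATS.get(label, "unknown"), "none"

# Sample inputs: header and first body line of outputs on this page, rest omitted.
PBES1 = "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIE6TAbBgkqhkiG9w0BBQMwDgQIEPePqNLAC28CAggABIIEyPoOH9NOipfWjHKR\n...\n"
PBES2 = "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFHzBJBgkqhkiG9w0BBQ0wPDAbBgkqhkiG9w0BBQwwDgQIB6CchEkgyFECAggA\n...\n"
LEGACY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
          "DEK-Info: DES-CBC,6A8C6BA0B2AAA75B\n...\n")

if __name__ == "__main__":
    print([classify(p) for p in (PBES1, PBES2, LEGACY)])
```

Keys reported as `PBES1 pbeWithMD5AndDES-CBC` or `legacy PEM DES-CBC` are protected by single DES; `openssl pkcs8 -topk8 -v2 aes-256-cbc` re-encrypts them under PBES2.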
- A supplementary note on encrypting and decrypting ECC private keys
- Generate an ECC private key
$ openssl ecparam -genkey -name secp384r1 | openssl ec -out ecckey.pem
read EC key
writing EC key
$ cat ecckey.pem
-----BEGIN EC PRIVATE KEY-----
MIGkAgEBBDDh4I0soK31L0LK7pD6WKzRAL2FOxK3t1Bc5sWrcio7i5uAt5jVPnwh
EygYkk7tzRSgBwYFK4EEACKhZANiAATFCTpt9qSH3qis9iNEI0C//zxbkiaMvI/z
ryrPSDuhPsSqOMTAaTrGT5c1b9LGTqD/TidaawpWpDCTzmidoHKkxNBzsT9Ba5jE
1YL+/rsT4wA+S9ukP49ISxSngZPTMjQ=
-----END EC PRIVATE KEY-----
- Encrypt an ECC private key
$ openssl ec -in ecckey.pem -out ecckey-enc.pem -des
read EC key
writing EC key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
$ cat ecckey-enc.pem
-----BEGIN EC PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-CBC,4E1E3AF041C16903
mGEnm/HMzqalrl7hz8V1sbb9vaHXdTNizp/PiRvdX4HVCJt7xPXe1jgKSbTmjJtc
gzQbwqznDwEDSIeip42kjFapdzHa+5qGdUjzpj02n9qpmpxYLthjEfE09xDBSLSX
kucXLvMV9vm6r9WX2UBfSWwBPiVh+0V+WZacQZrkh4I5HtrjR/Y5+/8xaoJjcMMl
LhlOWw3fdVYyxPD4gAwoxkUNoHNd0lSf
-----END EC PRIVATE KEY-----
- Decrypt an ECC private key
$ openssl ec -in ecckey-enc.pem -out ecckey.pem
read EC key
Enter PEM pass phrase:
writing EC key
$ cat ecckey.pem
-----BEGIN EC PRIVATE KEY-----
MIGkAgEBBDDh4I0soK31L0LK7pD6WKzRAL2FOxK3t1Bc5sWrcio7i5uAt5jVPnwh
EygYkk7tzRSgBwYFK4EEACKhZANiAATFCTpt9qSH3qis9iNEI0C//zxbkiaMvI/z
ryrPSDuhPsSqOMTAaTrGT5c1b9LGTqD/TidaawpWpDCTzmidoHKkxNBzsT9Ba5jE
1YL+/rsT4wA+S9ukP49ISxSngZPTMjQ=
-----END EC PRIVATE KEY-----
- Generate an ECC private key in PKCS#8 format
$ openssl genpkey -out ecckey-pkcs8.pem -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -pkeyopt ec_param_enc:named_curve
$ cat ecckey-pkcs8.pem
-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgWdWdnCq3ipdzfGkv
8Kh2BzLf8/wMTsQgHy9DAt/vxxahRANCAAQPp3gs69soKKBkRkYB7eJEhHTukq40
iUucBHb8IzogxztpFNeygzQ7jZE+oNqsOuCBlLt6sLmfXy9Qwf44ov3H
-----END PRIVATE KEY-----