pem格式证书编码 x509_公钥证书编码解读

一、文件编码

PEM (Privacy Enhancement Message)，定义见

结构组成 == {header} body {tail}

示例

-----BEGIN PUBLIC KEY-----

MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDMYfnvWtC8Id5bPKae5yXSxQTt

+Zpul6AnnZWfI2TtIarvjHBFUtXRo96y7hoL4VWOPKGCsRqMFDkrbeUjRrx8iL91

4/srnyf6sh9c8Zk04xEOpK1ypvBz+Ks4uZObtjnnitf0NBGdjMKxveTq+VE7BWUI

yQjtQ8mbDOsiLLvh7wIDAQAB

-----END PUBLIC KEY-----

DER (Distinguished Encoding Rules) , 定义见

编码方式 == DER uses a pattern of type-length-value triplets

二、公钥标准

PKCS (Public Key Cryptography Standards)，定义见

常见PKCS标准

三、RSA 密钥

RSA 公钥编码

PublicKey-PKCS#1-PEM

-----BEGIN RSA PUBLIC KEY-----

BASE64 ENCODED DATA

-----END RSA PUBLIC KEY-----

PublicKey-PKCS#1-DER

RSAPublicKey ::= SEQUENCE {

modulus INTEGER, -- n

publicExponent INTEGER -- e

}

PublicKey-PKCS#8-PEM

-----BEGIN PUBLIC KEY-----

BASE64 ENCODED DATA

-----END PUBLIC KEY-----

PublicKey-PKCS#8-DER

PublicKeyInfo ::= SEQUENCE {

algorithm AlgorithmIdentifier,

PublicKey BIT STRING

}

AlgorithmIdentifier ::= SEQUENCE {

algorithm OBJECT IDENTIFIER,

parameters ANY DEFINED BY algorithm OPTIONAL

}

对于RSA公钥来说，OID就是(1.2.840.113549.1.1.1)

RSA 私钥编码

PrivateKey-PKCS#1-PEM

-----BEGIN RSA PRIVATE KEY-----

BASE64 ENCODED DATA

-----END RSA PRIVATE KEY-----

PrivateKey-PKCS#1-DER

RSAPrivateKey ::= SEQUENCE {

version Version,

modulus INTEGER, -- n

publicExponent INTEGER, -- e

privateExponent INTEGER, -- d

prime1 INTEGER, -- p

prime2 INTEGER, -- q

exponent1 INTEGER, -- d mod (p-1)

exponent2 INTEGER, -- d mod (q-1)

coefficient INTEGER, -- (inverse of q) mod p

otherPrimeInfos OtherPrimeInfos OPTIONAL

}

PrivateKey-PKCS#8-PEM

-----BEGIN PRIVATE KEY-----

BASE64 ENCODED DATA

-----END PRIVATE KEY-----

PrivateKey-PKCS#8-DER

PrivateKeyInfo ::= SEQUENCE {

version Version,

algorithm AlgorithmIdentifier,

PrivateKey OCTET STRING

}

AlgorithmIdentifier ::= SEQUENCE {

algorithm OBJECT IDENTIFIER,

parameters ANY DEFINED BY algorithm OPTIONAL

}

私钥文件可采用加密方式存储，加密后的格式：

EncryptedPrivateKey-PKCS#8-PEM

-----BEGIN ENCRYPTED PRIVATE KEY-----

BASE64 ENCODED DATA

-----END ENCRYPTED PRIVATE KEY-----

Encrypted-PrivateKey-PKCS#8-DER

EncryptedPrivateKeyInfo ::= SEQUENCE {

encryptionAlgorithm EncryptionAlgorithmIdentifier,

encryptedData EncryptedData

}

EncryptionAlgorithmIdentifier ::= AlgorithmIdentifier

EncryptedData ::= OCTET STRING

四、证书

X.509 证书，

证书结构

Certificate

Version Number

Serial Number

Signature Algorithm ID

Issuer Name

Validity period

Not Before

Not After

Subject name

Subject Public Key Info

Public Key Algorithm

Subject Public Key

Issuer Unique Identifier (optional)

Subject Unique Identifier (optional)

Extensions (optional)

...

Certificate Signature Algorithm

Certificate Signature

主要字段

扩展字段

​​样例-维基百科证书

Certificate:

Data:

Version: 3 (0x2)

Serial Number:

10:e6:fc:62:b7:41:8a:d5:00:5e:45:b6

Signature Algorithm: sha256WithRSAEncryption

Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2

Validity

Not Before: Nov 21 08:00:00 GMT

Not After : Nov 22 07:59:59 GMT

Subject: C=US, ST=California, L=San Francisco, O=Wikimedia Foundation, Inc., CN=*.

Subject Public Key Info:

Public Key Algorithm: id-ecPublicKey

Public-Key: (256 bit)

pub:

04:c9:22:69:31:8a:d6:6c:ea:da:c3:7f:2c:ac:a5:

af:c0:02:ea:81:cb:65:b9:fd:0c:6d:46:5b:c9:1e:

ed:b2:ac:2a:1b:4a:ec:80:7b:e7:1a:51:e0:df:f7:

c7:4a:20:7b:91:4b:20:07:21:ce:cf:68:65:8c:c6:

9d:3b:ef:d5:c1

ASN1 OID: prime256v1

X509v3 extensions:

X509v3 Key Usage: critical

Digital Signature, Key Agreement

Authority Information Access:

CA Issuers - URI:/cacert/gsorganizationvalsha2g2r1.crt

OCSP - URI:/gsorganizationvalsha2g2

X509v3 Certificate Policies:

Policy: 1.3.6.1.4.1.4146.1.20

CPS: /repository/

Policy: 2.23.140.1.2.2

X509v3 Basic Constraints:

CA:FALSE

X509v3 CRL Distribution Points:

Full Name:

URI:/gs/gsorganizationvalsha2g2.crl

X509v3 Subject Alternative Name:

DNS:*., DNS:*., DNS:*., DNS:*., DNS:*., DNS:*., DNS:*., DNS:*., DNS:*., DNS:*., DNS:*., DNS:*., DNS:*., DNS:*., DNS:*., DNS:*., DNS:*., DNS:*., DNS:*., DNS:*., DNS:*., DNS:*., DNS:*., DNS:*., DNS:*., DNS:*., DNS:*., DNS:, DNS:w.wiki, DNS:, DNS:, DNS:, DNS:, DNS:, DNS:, DNS:, DNS:, DNS:, DNS:, DNS:, DNS:

X509v3 Extended Key Usage:

TLS Web Server Authentication, TLS Web Client Authentication

X509v3 Subject Key Identifier:

28:2A:26:2A:57:8B:3B:CE:B4:D6:AB:54:EF:D7:38:21:2C:49:5C:36

X509v3 Authority Key Identifier:

keyid:96:DE:61:F1:BD:1C:16:29:53:1C:C0:CC:7D:3B:83:00:40:E6:1A:7C

Signature Algorithm: sha256WithRSAEncryption

8b:c3:ed:d1:9d:39:6f:af:40:72:bd:1e:18:5e:30:54:23:35:

66:5e:62:d5:01:e2:63:47:70:cb:6d:1b:17:b0:f5:4d:11:e4:

ad:94:51:c5:5e:72:03:b0:d5:ab:18:eb:b5:3a:08:a8:73:95:

f3:7f:41:1a:28:7b:45:7c:83:2e:d3:14:95:d8:d5:d1:5f:99:

4b:0c:f4:c3:9b:0b:4f:e9:49:f4:2c:b5:ae:c3:1d:7d:2a:80:

f6:70:29:4c:0c:e6:e0:cb:88:8a:8a:02:ee:a5:d1:73:c2:93:

58:24:ff:43:1b:e3:fd:7b:aa:f0:15:0c:60:52:8f:21:7d:87:

3a:14:fa:81:41:00:60:4f:96:9a:62:94:58:de:cb:15:5c:3c:

f4:c1:4d:33:e3:ff:39:fe:28:fb:b0:41:3e:d2:8a:11:d1:06:

01:28:74:7d:71:d4:2a:ef:1f:e3:25:4b:2d:f0:66:ef:26:fb:

4c:f0:81:85:bb:1a:99:06:c9:37:87:de:8d:49:f7:00:91:a9:

42:31:4a:b9:40:a0:7d:4f:4f:a6:ea:d4:58:07:3c:01:e0:1a:

53:54:66:e1:a3:7e:30:cd:3b:f8:69:59:a3:48:92:48:e1:9e:

63:ab:08:70:91:f2:48:d2:83:4b:98:06:fa:fd:bc:99:02:da:

9c:98:b1:a3

证书格式PKI ITU-T X509标准，传统标准(.der .pem .cer .crt)，仅包含公钥

PKCS#7 加密消息语法标准(.p7b .p7c .spc .p7r)，p7b/p7c/spc 包含了证书链，p7r是证书请求回复(非证书)

PKCS#10 证书请求标准(.p10)，.p10是证书请求文件，与.csr文件类似

PKCS#12 个人信息交换标准(.pfx *.p12)，包含公钥和私钥，需密码保护

编码形式X.509 DER(Distinguished Encoding Rules)编码，后缀为：.der .cer .crt

X.509 BASE64编码(PEM格式)，后缀为：.pem .cer .crt

X.509CRT-PEM

-----BEGIN CERTIFICATE-----

BASE64 ENCODED DATA

-----END CERTIFICATE-----

关键特性编码形式：二进制还是ASCII

是否包含公钥、私钥

包含一个还是多个证书

是否支持密码保护(针对当前证书)

参考文档

作者：美码师