Network: RSA private key & certificate authority

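First, recall that computers mainly use two kinds of keys: symmetric keys, such as AES, and asymmetric keys, such as RSA. AES is computationally cheap but ill-suited to exchanging information across a network. RSA is computationally expensive (it requires costly exponentiation and modulo operations); ciphertext produced with the private key can only be decrypted with the public key, and vice versa.

We can encrypt a message with RSA, but how do we establish the sender's identity? For that we need digital certificates, and a CA (certificate authority / certification authority).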

  • RSA private key

Generate a private key with openssl:

$ openssl genrsa | tee prvkey.pem
Generating RSA private key, 2048 bit long modulus
......................................................+++
.....................+++
e is 65537 (0x10001)
-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----

The private key in the pem file is base64-encoded and can be decoded with openssl.

Derive the public key from the private key file:

$ openssl rsa -in prvkey.pem -pubout | tee pubkey.pem
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAn4BwLvrl0FH1CJJuPJMh
CwopNOvGte5l/zoKKgvNihxSQ6W9ADtYaJ8l8HbU33CJ5mZ26FLH9flyQVn/Pgsr
VZjU2CE0F1oDJHLyQNbP5mevNuC0rIXSv/z8fFf1VdqAeKgYIzC8fJeHgKdw3wV3
F0r23V7B2Nis9SNcJEiBWtbkT27dLq+0oV8wKWObqS7xH/Nsj3xzvDXBeHxAzZ02
KWtXnBpJPVNZleGSXRBjBPKYCwgJKlEb84rTqAuIKRq9ceNR+G458/jpw/1d0wEm
MhiLwXWZ9c7mdrWprRaciacPq+LVm/mBR9QikDhPuUycilZaA5Rop30pPqyeBmXp
ZQIDAQAB
-----END PUBLIC KEY-----

Likewise, the public key in pubkey.pem is base64-encoded and can be decoded with openssl:

$ openssl base64 -in pubkey.pem -d | hexdump -v -C
00000000  30 82 01 22 30 0d 06 09  2a 86 48 86 f7 0d 01 01  |0.."0...*.H.....|
00000010  01 05 00 03 82 01 0f 00  30 82 01 0a 02 82 01 01  |........0.......|
00000020  00 9f 80 70 2e fa e5 d0  51 f5 08 92 6e 3c 93 21  |...p....Q...n<.!|
00000030  0b 0a 29 34 eb c6 b5 ee  65 ff 3a 0a 2a 0b cd 8a  |..)4....e.:.*...|
00000040  1c 52 43 a5 bd 00 3b 58  68 9f 25 f0 76 d4 df 70  |.RC...;Xh.%.v..p|
00000050  89 e6 66 76 e8 52 c7 f5  f9 72 41 59 ff 3e 0b 2b  |..fv.R...rAY.>.+|
00000060  55 98 d4 d8 21 34 17 5a  03 24 72 f2 40 d6 cf e6  |U...!4.Z.$r.@...|
00000070  67 af 36 e0 b4 ac 85 d2  bf fc fc 7c 57 f5 55 da  |g.6........|W.U.|
00000080  80 78 a8 18 23 30 bc 7c  97 87 80 a7 70 df 05 77  |.x..#0.|....p..w|
00000090  17 4a f6 dd 5e c1 d8 d8  ac f5 23 5c 24 48 81 5a  |.J..^.....#\$H.Z|
000000a0  d6 e4 4f 6e dd 2e af b4  a1 5f 30 29 63 9b a9 2e  |..On....._0)c...|
000000b0  f1 1f f3 6c 8f 7c 73 bc  35 c1 78 7c 40 cd 9d 36  |...l.|s.5.x|@..6|
000000c0  29 6b 57 9c 1a 49 3d 53  59 95 e1 92 5d 10 63 04  |)kW..I=SY...].c.|
000000d0  f2 98 0b 08 09 2a 51 1b  f3 8a d3 a8 0b 88 29 1a  |.....*Q.......).|
000000e0  bd 71 e3 51 f8 6e 39 f3  f8 e9 c3 fd 5d d3 01 26  |.q.Q.n9.....]..&|
000000f0  32 18 8b c1 75 99 f5 ce  e6 76 b5 a9 ad 16 9c 89  |2...u....v......|
00000100  a7 0f ab e2 d5 9b f9 81  47 d4 22 90 38 4f b9 4c  |........G.".8O.L|
00000110  9c 8a 56 5a 03 94 68 a7  7d 29 3e ac 9e 06 65 e9  |..VZ..h.})>...e.|
00000120  65 02 03 01 00 01                                 |e.....|
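
The hexdump above is a DER-encoded SubjectPublicKeyInfo structure. As an added example (not part of the original post), this Python code walks its tag-length-value elements and recovers the modulus and exponent; the function names are hypothetical, and the base64 body is the one from the pubkey.pem output above.

```python
import base64

# Base64 body of pubkey.pem, copied from the openssl output above.
PUBKEY_B64 = """
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAn4BwLvrl0FH1CJJuPJMh
CwopNOvGte5l/zoKKgvNihxSQ6W9ADtYaJ8l8HbU33CJ5mZ26FLH9flyQVn/Pgsr
VZjU2CE0F1oDJHLyQNbP5mevNuC0rIXSv/z8fFf1VdqAeKgYIzC8fJeHgKdw3wV3
F0r23V7B2Nis9SNcJEiBWtbkT27dLq+0oV8wKWObqS7xH/Nsj3xzvDXBeHxAzZ02
KWtXnBpJPVNZleGSXRBjBPKYCwgJKlEb84rTqAuIKRq9ceNR+G458/jpw/1d0wEm
MhiLwXWZ9c7mdrWprRaciacPq+LVm/mBR9QikDhPuUycilZaA5Rop30pPqyeBmXp
ZQIDAQAB
"""
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def read_tlv(buf, pos=0):
    """Decode one DER element at pos; return (tag, value_bytes, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low 7 bits count the length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def expect(buf, pos, want_tag):
    tag, value, nxt = read_tlv(buf, pos)  # same as read_tlv, but enforces the tag
    if tag != want_tag:
        raise ValueError(f"expected tag {want_tag:#04x}, got {tag:#04x}")
    return value, nxt

def parse_rsa_public_key(der):
    """Walk SubjectPublicKeyInfo and return (modulus, public_exponent)."""
    spki, _ = expect(der, 0, 0x30)        # outer SEQUENCE (30 82 01 22)
    alg, pos = expect(spki, 0, 0x30)      # AlgorithmIdentifier (30 0d)
    oid, _ = expect(alg, 0, 0x06)         # OBJECT IDENTIFIER (06 09 ...)
    if oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    bits, _ = expect(spki, pos, 0x03)     # BIT STRING; first byte = unused bits
    if bits[0] != 0:
        raise ValueError("unexpected unused bits")
    key, _ = expect(bits, 1, 0x30)        # RSAPublicKey SEQUENCE (30 82 01 0a)
    n, pos = expect(key, 0, 0x02)         # INTEGER modulus; leading 00 keeps it positive
    e, _ = expect(key, pos, 0x02)         # INTEGER publicExponent (02 03 01 00 01)
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")

def load_page_key():
    return parse_rsa_public_key(base64.b64decode(PUBKEY_B64))
```
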

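This shows that the public key can be obtained from the private key file. Does that mean the private key file contains the public key's information?

With openssl we can convert the private key and public key files into human-readable text. First, the private key file: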

$ openssl rsa -in prvkey.pem -text
Private-Key: (2048 bit)
modulus:
    00:9f:80:70:2e:fa:e5:d0:51:f5:08:92:6e:3c:93:
    21:0b:0a:29:34:eb:c6:b5:ee:65:ff:3a:0a:2a:0b:
    cd:8a:1c:52:43:a5:bd:00:3b:58:68:9f:25:f0:76:
    d4:df:70:89:e6:66:76:e8:52:c7:f5:f9:72:41:59:
    ff:3e:0b:2b:55:98:d4:d8:21:34:17:5a:03:24:72:
    f2:40:d6:cf:e6:67:af:36:e0:b4:ac:85:d2:bf:fc:
    fc:7c:57:f5:55:da:80:78:a8:18:23:30:bc:7c:97:
    87:80:a7:70:df:05:77:17:4a:f6:dd:5e:c1:d8:d8:
    ac:f5:23:5c:24:48:81:5a:d6:e4:4f:6e:dd:2e:af:
    b4:a1:5f:30:29:63:9b:a9:2e:f1:1f:f3:6c:8f:7c:
    73:bc:35:c1:78:7c:40:cd:9d:36:29:6b:57:9c:1a:
    49:3d:53:59:95:e1:92:5d:10:63:04:f2:98:0b:08:
    09:2a:51:1b:f3:8a:d3:a8:0b:88:29:1a:bd:71:e3:
    51:f8:6e:39:f3:f8:e9:c3:fd:5d:d3:01:26:32:18:
    8b:c1:75:99:f5:ce:e6:76:b5:a9:ad:16:9c:89:a7:
    0f:ab:e2:d5:9b:f9:81:47:d4:22:90:38:4f:b9:4c:
    9c:8a:56:5a:03:94:68:a7:7d:29:3e:ac:9e:06:65:
    e9:65
publicExponent: 65537 (0x10001)
privateExponent:
    7d:34:80:5b:90:9e:18:12:4d:cb:e5:ce:5d:04:8d:
    9a:b1:e6:38:e1:a0:01:ae:5b:28:a7:71:d5:21:a0:
    bd:fa:8f:65:04:d4:41:3b:54:a2:03:d3:ef:58:08:
    b0:41:12:2e:e7:5e:0d:ee:f5:82:93:c6:69:a0:70:
    e9:4e:31:3d:27:14:65:78:63:00:b5:aa:e3:d0:cb:
    73:b4:6c:4c:8c:35:91:59:80:da:30:ce:87:e0:da:
    7d:ed:39:eb:a3:f2:d7:43:f4:76:a3:4a:42:6f:5c:
    71:d4:7e:98:c3:1c:82:0f:59:8b:da:57:46:96:87:
    e6:82:54:51:33:0d:3f:b5:54:e0:d8:9f:db:47:25:
    74:91:ec:dd:67:0c:1d:61:19:eb:b4:bb:80:1d:f2:
    9e:e3:2a:dc:c6:71:d8:06:35:8f:92:50:3f:91:08:
    81:fc:e7:1e:69:20:0b:6c:05:32:47:6c:e0:2e:68:
    92:21:16:9a:9e:c9:e5:61:4f:31:22:66:e4:21:1e:
    39:0e:81:2a:de:71:85:59:03:62:ac:a3:92:a2:f8:
    0e:53:a9:4a:d6:05:0d:fa:40:6d:41:a2:05:ad:f1:
    34:d2:9d:3d:8a:c1:8d:44:ac:54:e3:29:66:c8:de:
    ec:02:33:e4:89:26:4a:74:ac:20:59:3d:8c:6b:a4:
    01
prime1:
    00:d1:3f:05:db:89:1e:ba:58:bc:7a:b0:f8:4b:c1:
    68:32:a8:c7:10:f4:5e:f1:d3:81:49:35:14:fb:06:
    46:13:1d:99:9d:17:36:a4:e6:67:a7:09:ee:27:dd:
    33:62:9c:11:84:a5:1f:a5:fd:45:e1:96:d3:2c:71:
    64:10:9b:12:08:64:67:b3:83:c8:f9:02:a5:7d:ef:
    74:16:1e:ef:09:97:01:33:b3:e0:cd:30:c1:c2:c6:
    9b:24:1f:8c:45:f2:77:9a:be:37:0b:41:7d:ac:8d:
    91:6e:c3:40:9f:9f:ea:32:1f:f8:bd:ee:85:72:d6:
    d9:78:0c:ad:77:5a:b6:ad:01
prime2:
    00:c3:24:02:46:46:1a:65:7c:b6:e7:b1:84:33:50:
    a7:45:e9:d1:01:02:9b:98:6d:54:d5:6a:f6:6b:64:
    2f:41:3b:99:ea:a3:b2:06:25:7a:ef:be:06:67:23:
    47:ee:8c:74:b2:d7:92:8b:5e:f4:eb:ca:24:4e:40:
    da:b5:7d:c1:02:9b:e0:60:04:bf:51:5e:01:fb:e4:
    53:f8:b5:3d:72:b8:ec:fb:b2:d1:25:e4:0a:9d:f5:
    34:d6:b7:8b:49:8d:28:95:cf:ed:e4:d0:e8:34:f7:
    89:45:8b:a1:f8:bb:5b:a6:47:96:22:7c:44:f3:e5:
    6a:49:f8:1a:15:2b:cb:a8:65
exponent1:
    6f:1b:26:d2:16:72:21:82:a2:ba:07:24:20:9d:96:
    e5:67:67:24:62:8d:d3:9c:7a:06:d4:4f:ca:a6:df:
    28:a1:4c:02:f4:e3:88:15:eb:ad:ef:80:ec:db:f0:
    c0:08:9c:e8:b1:01:28:13:5f:3a:d4:ea:56:ab:f2:
    f5:3a:52:0d:f0:ba:7b:c0:9b:43:55:9b:68:4e:70:
    76:9a:80:54:b8:40:e4:22:3c:58:d7:ed:da:ad:b8:
    8d:2a:cf:42:08:e8:67:5b:5f:40:f3:ca:76:88:49:
    53:e6:0b:77:76:e3:55:30:52:d5:0f:44:fe:e0:84:
    62:d1:60:7e:82:c5:83:01
exponent2:
    00:c1:18:56:af:d7:1a:b3:a6:0f:0f:81:97:01:78:
    23:ad:88:ca:ea:26:fc:74:7e:6b:5d:ab:b4:1f:5c:
    49:6e:51:5d:e2:d3:0c:8c:0c:76:73:d9:23:58:d7:
    8e:8c:3c:ac:15:74:3f:6c:6e:10:09:6a:43:36:b3:
    f2:37:79:32:8e:34:54:78:6e:fa:29:b7:ce:5a:c4:
    fb:5a:b5:6d:12:a2:6e:ce:39:89:bf:e6:c1:a2:c0:
    4b:02:d5:28:9d:25:73:2d:9b:4d:1a:08:a6:5e:13:
    3b:e0:77:65:55:4d:80:49:2f:b9:1e:72:bd:80:62:
    59:24:cc:be:72:88:9d:c4:09
coefficient:
    39:4a:4e:f9:37:e9:7a:25:99:4a:56:ac:a7:37:52:
    6a:32:a8:4d:64:6c:4b:a6:66:ef:c1:51:a9:91:50:
    9f:fa:aa:8f:6c:15:0d:68:31:b5:9e:50:b5:b5:19:
    3d:6f:4c:e1:03:9e:17:67:47:5b:25:ce:78:24:00:
    c6:e3:b2:86:c0:aa:e0:60:92:a7:e4:30:a8:5f:4f:
    0b:47:9c:ca:2a:f8:11:6b:44:48:77:10:3b:a8:c3:
    f3:6f:3a:c7:db:78:be:47:fa:83:8f:34:3a:db:08:
    4a:50:71:1b:ea:25:7a:5e:d7:eb:ed:30:59:c3:fe:
    f0:46:a1:f4:c5:ac:ae:0f
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----

From this we can see that the private key consists of the following parts (the default generated key length is 2048 bits):

  1. modulus
  2. publicExponent
  3. privateExponent
  4. prime1
  5. prime2
  6. exponent1
  7. exponent2
  8. coefficient

Now the components of the public key:

$ openssl rsa -in pubkey.pem -pubin -text
Public-Key: (2048 bit)
Modulus:
    00:9f:80:70:2e:fa:e5:d0:51:f5:08:92:6e:3c:93:
    21:0b:0a:29:34:eb:c6:b5:ee:65:ff:3a:0a:2a:0b:
    cd:8a:1c:52:43:a5:bd:00:3b:58:68:9f:25:f0:76:
    d4:df:70:89:e6:66:76:e8:52:c7:f5:f9:72:41:59:
    ff:3e:0b:2b:55:98:d4:d8:21:34:17:5a:03:24:72:
    f2:40:d6:cf:e6:67:af:36:e0:b4:ac:85:d2:bf:fc:
    fc:7c:57:f5:55:da:80:78:a8:18:23:30:bc:7c:97:
    87:80:a7:70:df:05:77:17:4a:f6:dd:5e:c1:d8:d8:
    ac:f5:23:5c:24:48:81:5a:d6:e4:4f:6e:dd:2e:af:
    b4:a1:5f:30:29:63:9b:a9:2e:f1:1f:f3:6c:8f:7c:
    73:bc:35:c1:78:7c:40:cd:9d:36:29:6b:57:9c:1a:
    49:3d:53:59:95:e1:92:5d:10:63:04:f2:98:0b:08:
    09:2a:51:1b:f3:8a:d3:a8:0b:88:29:1a:bd:71:e3:
    51:f8:6e:39:f3:f8:e9:c3:fd:5d:d3:01:26:32:18:
    8b:c1:75:99:f5:ce:e6:76:b5:a9:ad:16:9c:89:a7:
    0f:ab:e2:d5:9b:f9:81:47:d4:22:90:38:4f:b9:4c:
    9c:8a:56:5a:03:94:68:a7:7d:29:3e:ac:9e:06:65:
    e9:65
Exponent: 65537 (0x10001)
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAn4BwLvrl0FH1CJJuPJMh
CwopNOvGte5l/zoKKgvNihxSQ6W9ADtYaJ8l8HbU33CJ5mZ26FLH9flyQVn/Pgsr
VZjU2CE0F1oDJHLyQNbP5mevNuC0rIXSv/z8fFf1VdqAeKgYIzC8fJeHgKdw3wV3
F0r23V7B2Nis9SNcJEiBWtbkT27dLq+0oV8wKWObqS7xH/Nsj3xzvDXBeHxAzZ02
KWtXnBpJPVNZleGSXRBjBPKYCwgJKlEb84rTqAuIKRq9ceNR+G458/jpw/1d0wEm
MhiLwXWZ9c7mdrWprRaciacPq+LVm/mBR9QikDhPuUycilZaA5Rop30pPqyeBmXp
ZQIDAQAB
-----END PUBLIC KEY-----

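Here we can see that the public key consists of the Modulus and the Exponent, and the private key contains both of these as well. So the private key contains the public key; the public key is not computed from the private key by some algorithm.

Next, consider the RSA keys we usually generate with ssh-keygen: how do we obtain id_rsa.pub from id_rsa?

First, generate an RSA key pair with ssh-keygen: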
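
How the eight fields relate to each other, as an added example that is not part of the original post: it builds a key from two small constructed primes (toy sizes, textbook RSA without padding), shows that the public key is the (modulus, publicExponent) pair taken from the private key, and cross-checks the redundant CRT fields. The function names are hypothetical.

```python
from math import gcd

P1 = 2**61 - 1   # constructed toy primes (Mersenne primes); real keys use
P2 = 2**31 - 1   # two random 1024-bit primes for a 2048-bit modulus

def build_private_key(p, q, e=65537):
    """Derive the eight fields that `openssl rsa -text` prints."""
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    d = pow(e, -1, lam)                      # one valid private exponent
    return {"modulus": p * q, "publicExponent": e, "privateExponent": d,
            "prime1": p, "prime2": q,
            "exponent1": d % (p - 1),        # d mod (p-1)
            "exponent2": d % (q - 1),        # d mod (q-1)
            "coefficient": pow(q, -1, p)}    # q^-1 mod p

def public_part(key):
    """The public key is two fields copied out of the private key."""
    return key["modulus"], key["publicExponent"]

def public_op(pub, x):
    n, e = pub
    return pow(x, e, n)

def private_op(key, x):
    """x^d mod n via the CRT, which is what fields 4 to 8 exist for."""
    p, q = key["prime1"], key["prime2"]
    a = pow(x, key["exponent1"], p)
    b = pow(x, key["exponent2"], q)
    h = key["coefficient"] * (a - b) % p
    return b + h * q

def is_consistent(key):
    """Cross-check the redundant fields against each other."""
    p, q = key["prime1"], key["prime2"]
    d, e = key["privateExponent"], key["publicExponent"]
    return (key["modulus"] == p * q
            and d * e % (p - 1) == 1 and d * e % (q - 1) == 1
            and key["exponent1"] == d % (p - 1)
            and key["exponent2"] == d % (q - 1)
            and key["coefficient"] * q % p == 1)

if __name__ == "__main__":
    key = build_private_key(P1, P2)
    x = 0x1234567890abcdef
    print("round trip ok:", private_op(key, public_op(public_part(key), x)) == x)
    print("fields consistent:", is_consistent(key))
```
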

$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/hzak/.ssh/id_rsa): id_rsa
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in id_rsa.
Your public key has been saved in id_rsa.pub.
The key fingerprint is:
43:dd:92:14:9a:8c:c7:1f:85:5d:34:70:25:13:cb:bf hzak@B85PRO
The key's randomart image is:
+--[ RSA 2048]----+
|          o+o+Oo.|
|       + =.+.o = |
|      . B = . o  |
|       o . o   . |
|        S .     .|
|         .      .|
|               E |
|                 |
|                 |
+-----------------+
$ cat id_rsa.pub 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHyvhlUWPXB13cITmcyK8It4SWxXXV0fx1lVkNatoVMZlHgHUdrAEsjzpBSh4mmSm+iQSuEjeWkRuQpeigCkgCmr2+MoJVijSK0rVDBhntcKLmjqOe5uwvLM1d+UbP4vAc1L7I3IP0hkxqOwMk7sAAC/BdNgkr3UZ7pPNuVa6uwzTlnjWUG6MfXUAhdA1Sl/IU2hckvh9EAcyTGr8kmiJAtNYlcNyxI49nktNbypljzL2BHx3aW6IROijgF0mlkxE5Q670p7UA0oSw5ZuczUko7YXkCldDVkM20Djbb4XyfU+nBiLXyg17yb5kdfe5gwevdwA0Od9Nw/KTdbseh/Wd hzak@B85PRO

Then use ssh-keygen to extract the public key from the private key file:

$ ssh-keygen -y -f id_rsa
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHyvhlUWPXB13cITmcyK8It4SWxXXV0fx1lVkNatoVMZlHgHUdrAEsjzpBSh4mmSm+iQSuEjeWkRuQpeigCkgCmr2+MoJVijSK0rVDBhntcKLmjqOe5uwvLM1d+UbP4vAc1L7I3IP0hkxqOwMk7sAAC/BdNgkr3UZ7pPNuVa6uwzTlnjWUG6MfXUAhdA1Sl/IU2hckvh9EAcyTGr8kmiJAtNYlcNyxI49nktNbypljzL2BHx3aW6IROijgF0mlkxE5Q670p7UA0oSw5ZuczUko7YXkCldDVkM20Djbb4XyfU+nBiLXyg17yb5kdfe5gwevdwA0Od9Nw/KTdbseh/Wd

  • CA (Certificate authority)

There are two kinds of certificates: those issued by an authority, and self-signed certificates. Here we mainly look at self-signed certificates. See https://github.com/openssl/openssl/blob/master/doc/HOWTO/certificates.txt for reference.

$ openssl req -new -x509 -key prvkey.pem -days 1095 | tee cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:SH
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Brob. BWind Ltd.
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:brobwind.com
Email Address []:
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

The certificate file is also base64-encoded. Use openssl to print the certificate as human-readable text:

$ openssl x509 -in cacert.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 17658837129245698330 (0xf510cacefb2b291a)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=SH, O=Brob. BWind Ltd., CN=brobwind.com
        Validity
            Not Before: Feb  5 14:34:50 2016 GMT
            Not After : Feb  4 14:34:50 2019 GMT
        Subject: C=CN, ST=SH, O=Brob. BWind Ltd., CN=brobwind.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:9f:80:70:2e:fa:e5:d0:51:f5:08:92:6e:3c:93:
                    21:0b:0a:29:34:eb:c6:b5:ee:65:ff:3a:0a:2a:0b:
                    cd:8a:1c:52:43:a5:bd:00:3b:58:68:9f:25:f0:76:
                    d4:df:70:89:e6:66:76:e8:52:c7:f5:f9:72:41:59:
                    ff:3e:0b:2b:55:98:d4:d8:21:34:17:5a:03:24:72:
                    f2:40:d6:cf:e6:67:af:36:e0:b4:ac:85:d2:bf:fc:
                    fc:7c:57:f5:55:da:80:78:a8:18:23:30:bc:7c:97:
                    87:80:a7:70:df:05:77:17:4a:f6:dd:5e:c1:d8:d8:
                    ac:f5:23:5c:24:48:81:5a:d6:e4:4f:6e:dd:2e:af:
                    b4:a1:5f:30:29:63:9b:a9:2e:f1:1f:f3:6c:8f:7c:
                    73:bc:35:c1:78:7c:40:cd:9d:36:29:6b:57:9c:1a:
                    49:3d:53:59:95:e1:92:5d:10:63:04:f2:98:0b:08:
                    09:2a:51:1b:f3:8a:d3:a8:0b:88:29:1a:bd:71:e3:
                    51:f8:6e:39:f3:f8:e9:c3:fd:5d:d3:01:26:32:18:
                    8b:c1:75:99:f5:ce:e6:76:b5:a9:ad:16:9c:89:a7:
                    0f:ab:e2:d5:9b:f9:81:47:d4:22:90:38:4f:b9:4c:
                    9c:8a:56:5a:03:94:68:a7:7d:29:3e:ac:9e:06:65:
                    e9:65
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                93:4C:BD:E0:71:E1:E9:A6:2B:94:CB:71:16:8B:7A:DC:57:93:2B:01
            X509v3 Authority Key Identifier: 
                keyid:93:4C:BD:E0:71:E1:E9:A6:2B:94:CB:71:16:8B:7A:DC:57:93:2B:01

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         35:1c:07:e7:f1:31:35:9a:ad:b7:4c:1d:84:a9:6d:8c:45:54:
         0e:c7:bd:26:67:ba:79:5a:b9:97:81:4b:0c:f4:48:79:fa:b5:
         52:f7:6b:bd:89:04:bc:97:b4:57:ce:16:f9:df:33:42:42:c2:
         d3:39:94:0e:85:cc:16:cb:f6:81:fb:04:2b:f8:6a:87:76:02:
         9c:61:0e:04:7f:49:0c:fd:6e:f6:05:f0:09:2d:6d:d8:eb:eb:
         07:c5:cb:8d:b9:06:89:14:49:8e:c6:91:9d:8f:6e:bc:5b:e1:
         0b:b9:02:99:d1:c4:a4:c0:93:dd:9b:73:77:01:9e:d9:b9:01:
         3a:3d:4f:13:f9:84:56:39:68:10:bb:10:d1:35:4a:65:96:e2:
         ba:d5:2c:29:b9:3d:b8:b1:17:b4:43:df:2b:95:7b:b1:54:37:
         5f:45:b2:2d:8b:ea:4f:c9:ca:75:44:7f:78:8d:5f:12:7e:c4:
         2c:99:ae:e7:04:b8:d9:2a:00:ca:d0:9d:87:60:91:bd:38:d2:
         68:fb:86:c8:88:7f:df:28:dc:ef:90:30:41:73:f6:b4:78:98:
         2e:51:93:36:9e:fd:0c:fa:80:3d:11:12:d9:50:98:5f:8c:44:
         de:fa:94:16:82:93:f5:4e:cb:e3:3c:4a:38:40:b6:4a:4f:f4:
         78:a6:13:8f
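-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

The Issuer and the Subject are identical, so this is a self-signed certificate. We can also see that the certificate contains the public key information from the private key file. Note too that a certificate has a limited validity period.

The signature at the end of the certificate is the certificate's information hashed with sha256 and then encrypted with the RSA private key (sha256WithRSAEncryption). So to verify the certificate's authenticity, it can only be verified through the private key. We can also see that the signature is 2048 bits as well, the same length as the private key.

Of course, if the certificate was issued by a CA, it can also be revoked.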

 

Finally, let's look at a certificate generated by a Brillo system:

$ openssl x509 -in certificate -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1359928785 (0x510eddd1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Brillo device
        Validity
            Not Before: Jan 16 02:31:05 2016 GMT
            Not After : Jan 15 07:37:05 2021 GMT
        Subject: CN=Brillo device
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:bb:2c:af:cc:a3:dd:44:20:ab:61:22:7c:dd:5f:
                    6f:6c:74:e7:9a:97:d3:a6:e8:7a:94:95:d9:85:57:
                    1b:fb:8b:83:28:70:66:11:84:48:e6:2d:d2:75:9d:
                    14:aa:41:0e:04:95:70:a2:a0:46:9f:f2:92:15:48:
                    95:f3:52:08:9c:5c:77:60:2f:2d:f3:9a:c2:26:b3:
                    6b:ca:8b:f5:6e:4b:99:15:d9:f5:33:76:4c:65:34:
                    87:d0:77:11:61:fa:39:5a:82:da:b8:7e:1a:72:da:
                    75:7e:8d:25:7d:14:21:0c:86:02:36:75:65:5e:e1:
                    7e:73:40:f3:45:48:3f:2b:43
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         83:d8:3a:df:9e:39:19:a4:89:c4:69:ae:a2:04:cc:e3:18:90:
         ca:56:20:80:5b:8d:22:02:a3:f7:4e:68:1b:88:c0:e1:83:a1:
         f2:91:aa:af:d9:42:c1:56:8c:7d:74:b6:31:92:9a:af:f3:ba:
         d4:1b:a9:89:98:42:5d:8a:83:e7:93:11:c9:8b:55:d5:a2:fc:
         06:6d:a2:3d:32:3a:b5:f1:27:0a:55:54:5d:02:d0:28:2d:46:
         74:ec:01:0a:b0:88:3f:30:41:05:26:9d:86:74:c4:ce:74:d4:
         15:ac:ef:8c:3c:71:61:ee:25:34:1b:9e:76:38:63:5f:e7:88:
         ac:7d
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

 
