首先,我们知道计算机所用的key主要有两种,一种是对称key(symmetric-key), 如AES;而另一种是非对称key(asymmetric key),如RSA。AES的特点是计算量小,但是不利于网络间信息交换。而RSA的特点是计算量大(需要进行复杂的乘方,取模操作)由private key生成的密文只有public key才能解密,反之亦然。
对于信息,我们可以通过RSA进行加密,但如何确定发信人的身份呢,这时候我们就需要数字证书,需要有CA (certificate authority/certification authority)。
- RSA private key
使用openssl生成private key:
$ openssl genrsa | tee prvkey.pem Generating RSA private key, 2048 bit long modulus ......................................................+++ .....................+++ e is 65537 (0x10001) -----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEAn4BwLvrl0FH1CJJuPJMhCwopNOvGte5l/zoKKgvNihxSQ6W9 ADtYaJ8l8HbU33CJ5mZ26FLH9flyQVn/PgsrVZjU2CE0F1oDJHLyQNbP5mevNuC0 rIXSv/z8fFf1VdqAeKgYIzC8fJeHgKdw3wV3F0r23V7B2Nis9SNcJEiBWtbkT27d Lq+0oV8wKWObqS7xH/Nsj3xzvDXBeHxAzZ02KWtXnBpJPVNZleGSXRBjBPKYCwgJ KlEb84rTqAuIKRq9ceNR+G458/jpw/1d0wEmMhiLwXWZ9c7mdrWprRaciacPq+LV m/mBR9QikDhPuUycilZaA5Rop30pPqyeBmXpZQIDAQABAoIBAH00gFuQnhgSTcvl zl0EjZqx5jjhoAGuWyincdUhoL36j2UE1EE7VKID0+9YCLBBEi7nXg3u9YKTxmmg cOlOMT0nFGV4YwC1quPQy3O0bEyMNZFZgNowzofg2n3tOeuj8tdD9HajSkJvXHHU fpjDHIIPWYvaV0aWh+aCVFEzDT+1VODYn9tHJXSR7N1nDB1hGeu0u4Ad8p7jKtzG cdgGNY+SUD+RCIH85x5pIAtsBTJHbOAuaJIhFpqeyeVhTzEiZuQhHjkOgSrecYVZ A2Kso5Ki+A5TqUrWBQ36QG1BogWt8TTSnT2KwY1ErFTjKWbI3uwCM+SJJkp0rCBZ PYxrpAECgYEA0T8F24keuli8erD4S8FoMqjHEPRe8dOBSTUU+wZGEx2ZnRc2pOZn pwnuJ90zYpwRhKUfpf1F4ZbTLHFkEJsSCGRns4PI+QKlfe90Fh7vCZcBM7PgzTDB wsabJB+MRfJ3mr43C0F9rI2RbsNAn5/qMh/4ve6FctbZeAytd1q2rQECgYEAwyQC RkYaZXy257GEM1CnRenRAQKbmG1U1Wr2a2QvQTuZ6qOyBiV6774GZyNH7ox0steS i17068okTkDatX3BApvgYAS/UV4B++RT+LU9crjs+7LRJeQKnfU01reLSY0olc/t 5NDoNPeJRYuh+LtbpkeWInxE8+VqSfgaFSvLqGUCgYBvGybSFnIhgqK6ByQgnZbl Z2ckYo3TnHoG1E/Kpt8ooUwC9OOIFeut74Ds2/DACJzosQEoE1861OpWq/L1OlIN 8Lp7wJtDVZtoTnB2moBUuEDkIjxY1+3arbiNKs9CCOhnW19A88p2iElT5gt3duNV MFLVD0T+4IRi0WB+gsWDAQKBgQDBGFav1xqzpg8PgZcBeCOtiMrqJvx0fmtdq7Qf XEluUV3i0wyMDHZz2SNY146MPKwVdD9sbhAJakM2s/I3eTKONFR4bvopt85axPta tW0Som7OOYm/5sGiwEsC1SidJXMtm00aCKZeEzvgd2VVTYBJL7kecr2AYlkkzL5y iJ3ECQKBgDlKTvk36XolmUpWrKc3UmoyqE1kbEumZu/BUamRUJ/6qo9sFQ1oMbWe ULW1GT1vTOEDnhdnR1slzngkAMbjsobAquBgkqfkMKhfTwtHnMoq+BFrREh3EDuo w/NvOsfbeL5H+oOPNDrbCEpQcRvqJXpe1+vtMFnD/vBGofTFrK4P -----END RSA PRIVATE KEY-----
pem文件中的private key是由base64编码的,可以用openssl进行解码。
由private key文件获取public key
$ openssl rsa -in prvkey.pem -pubout | tee pubkey.pem writing RSA key -----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAn4BwLvrl0FH1CJJuPJMh CwopNOvGte5l/zoKKgvNihxSQ6W9ADtYaJ8l8HbU33CJ5mZ26FLH9flyQVn/Pgsr VZjU2CE0F1oDJHLyQNbP5mevNuC0rIXSv/z8fFf1VdqAeKgYIzC8fJeHgKdw3wV3 F0r23V7B2Nis9SNcJEiBWtbkT27dLq+0oV8wKWObqS7xH/Nsj3xzvDXBeHxAzZ02 KWtXnBpJPVNZleGSXRBjBPKYCwgJKlEb84rTqAuIKRq9ceNR+G458/jpw/1d0wEm MhiLwXWZ9c7mdrWprRaciacPq+LVm/mBR9QikDhPuUycilZaA5Rop30pPqyeBmXp ZQIDAQAB -----END PUBLIC KEY-----
同样的pubkey.pem文件中public key文件也是经过base64编码的,可以用openssl进行解码:
$ openssl base64 -in pubkey.pem -d | hexdump -v -C 00000000 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 |0.."0...*.H.....| 00000010 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 |........0.......| 00000020 00 9f 80 70 2e fa e5 d0 51 f5 08 92 6e 3c 93 21 |...p....Q...n<.!| 00000030 0b 0a 29 34 eb c6 b5 ee 65 ff 3a 0a 2a 0b cd 8a |..)4....e.:.*...| 00000040 1c 52 43 a5 bd 00 3b 58 68 9f 25 f0 76 d4 df 70 |.RC...;Xh.%.v..p| 00000050 89 e6 66 76 e8 52 c7 f5 f9 72 41 59 ff 3e 0b 2b |..fv.R...rAY.>.+| 00000060 55 98 d4 d8 21 34 17 5a 03 24 72 f2 40 d6 cf e6 |U...!4.Z.$r.@...| 00000070 67 af 36 e0 b4 ac 85 d2 bf fc fc 7c 57 f5 55 da |g.6........|W.U.| 00000080 80 78 a8 18 23 30 bc 7c 97 87 80 a7 70 df 05 77 |.x..#0.|....p..w| 00000090 17 4a f6 dd 5e c1 d8 d8 ac f5 23 5c 24 48 81 5a |.J..^.....#\$H.Z| 000000a0 d6 e4 4f 6e dd 2e af b4 a1 5f 30 29 63 9b a9 2e |..On....._0)c...| 000000b0 f1 1f f3 6c 8f 7c 73 bc 35 c1 78 7c 40 cd 9d 36 |...l.|s.5.x|@..6| 000000c0 29 6b 57 9c 1a 49 3d 53 59 95 e1 92 5d 10 63 04 |)kW..I=SY...].c.| 000000d0 f2 98 0b 08 09 2a 51 1b f3 8a d3 a8 0b 88 29 1a |.....*Q.......).| 000000e0 bd 71 e3 51 f8 6e 39 f3 f8 e9 c3 fd 5d d3 01 26 |.q.Q.n9.....]..&| 000000f0 32 18 8b c1 75 99 f5 ce e6 76 b5 a9 ad 16 9c 89 |2...u....v......| 00000100 a7 0f ab e2 d5 9b f9 81 47 d4 22 90 38 4f b9 4c |........G.".8O.L| 00000110 9c 8a 56 5a 03 94 68 a7 7d 29 3e ac 9e 06 65 e9 |..VZ..h.})>...e.| 00000120 65 02 03 01 00 01 |e.....|
从这里可以看出,我们可以从private key文件获取public key, 那么是不是说private key文件包含有public key的相关信息呢?
通过openssl命令,我们可以将private key/public key文件转换成我们能够看得懂的文本行式,首先我们来看一下private key文件:
$ openssl rsa -in prvkey.pem -text Private-Key: (2048 bit) modulus: 00:9f:80:70:2e:fa:e5:d0:51:f5:08:92:6e:3c:93: 21:0b:0a:29:34:eb:c6:b5:ee:65:ff:3a:0a:2a:0b: cd:8a:1c:52:43:a5:bd:00:3b:58:68:9f:25:f0:76: d4:df:70:89:e6:66:76:e8:52:c7:f5:f9:72:41:59: ff:3e:0b:2b:55:98:d4:d8:21:34:17:5a:03:24:72: f2:40:d6:cf:e6:67:af:36:e0:b4:ac:85:d2:bf:fc: fc:7c:57:f5:55:da:80:78:a8:18:23:30:bc:7c:97: 87:80:a7:70:df:05:77:17:4a:f6:dd:5e:c1:d8:d8: ac:f5:23:5c:24:48:81:5a:d6:e4:4f:6e:dd:2e:af: b4:a1:5f:30:29:63:9b:a9:2e:f1:1f:f3:6c:8f:7c: 73:bc:35:c1:78:7c:40:cd:9d:36:29:6b:57:9c:1a: 49:3d:53:59:95:e1:92:5d:10:63:04:f2:98:0b:08: 09:2a:51:1b:f3:8a:d3:a8:0b:88:29:1a:bd:71:e3: 51:f8:6e:39:f3:f8:e9:c3:fd:5d:d3:01:26:32:18: 8b:c1:75:99:f5:ce:e6:76:b5:a9:ad:16:9c:89:a7: 0f:ab:e2:d5:9b:f9:81:47:d4:22:90:38:4f:b9:4c: 9c:8a:56:5a:03:94:68:a7:7d:29:3e:ac:9e:06:65: e9:65 publicExponent: 65537 (0x10001) privateExponent: 7d:34:80:5b:90:9e:18:12:4d:cb:e5:ce:5d:04:8d: 9a:b1:e6:38:e1:a0:01:ae:5b:28:a7:71:d5:21:a0: bd:fa:8f:65:04:d4:41:3b:54:a2:03:d3:ef:58:08: b0:41:12:2e:e7:5e:0d:ee:f5:82:93:c6:69:a0:70: e9:4e:31:3d:27:14:65:78:63:00:b5:aa:e3:d0:cb: 73:b4:6c:4c:8c:35:91:59:80:da:30:ce:87:e0:da: 7d:ed:39:eb:a3:f2:d7:43:f4:76:a3:4a:42:6f:5c: 71:d4:7e:98:c3:1c:82:0f:59:8b:da:57:46:96:87: e6:82:54:51:33:0d:3f:b5:54:e0:d8:9f:db:47:25: 74:91:ec:dd:67:0c:1d:61:19:eb:b4:bb:80:1d:f2: 9e:e3:2a:dc:c6:71:d8:06:35:8f:92:50:3f:91:08: 81:fc:e7:1e:69:20:0b:6c:05:32:47:6c:e0:2e:68: 92:21:16:9a:9e:c9:e5:61:4f:31:22:66:e4:21:1e: 39:0e:81:2a:de:71:85:59:03:62:ac:a3:92:a2:f8: 0e:53:a9:4a:d6:05:0d:fa:40:6d:41:a2:05:ad:f1: 34:d2:9d:3d:8a:c1:8d:44:ac:54:e3:29:66:c8:de: ec:02:33:e4:89:26:4a:74:ac:20:59:3d:8c:6b:a4: 01 prime1: 00:d1:3f:05:db:89:1e:ba:58:bc:7a:b0:f8:4b:c1: 68:32:a8:c7:10:f4:5e:f1:d3:81:49:35:14:fb:06: 46:13:1d:99:9d:17:36:a4:e6:67:a7:09:ee:27:dd: 33:62:9c:11:84:a5:1f:a5:fd:45:e1:96:d3:2c:71: 64:10:9b:12:08:64:67:b3:83:c8:f9:02:a5:7d:ef: 74:16:1e:ef:09:97:01:33:b3:e0:cd:30:c1:c2:c6: 9b:24:1f:8c:45:f2:77:9a:be:37:0b:41:7d:ac:8d: 91:6e:c3:40:9f:9f:ea:32:1f:f8:bd:ee:85:72:d6: d9:78:0c:ad:77:5a:b6:ad:01 prime2: 00:c3:24:02:46:46:1a:65:7c:b6:e7:b1:84:33:50: a7:45:e9:d1:01:02:9b:98:6d:54:d5:6a:f6:6b:64: 2f:41:3b:99:ea:a3:b2:06:25:7a:ef:be:06:67:23: 47:ee:8c:74:b2:d7:92:8b:5e:f4:eb:ca:24:4e:40: da:b5:7d:c1:02:9b:e0:60:04:bf:51:5e:01:fb:e4: 53:f8:b5:3d:72:b8:ec:fb:b2:d1:25:e4:0a:9d:f5: 34:d6:b7:8b:49:8d:28:95:cf:ed:e4:d0:e8:34:f7: 89:45:8b:a1:f8:bb:5b:a6:47:96:22:7c:44:f3:e5: 6a:49:f8:1a:15:2b:cb:a8:65 exponent1: 6f:1b:26:d2:16:72:21:82:a2:ba:07:24:20:9d:96: e5:67:67:24:62:8d:d3:9c:7a:06:d4:4f:ca:a6:df: 28:a1:4c:02:f4:e3:88:15:eb:ad:ef:80:ec:db:f0: c0:08:9c:e8:b1:01:28:13:5f:3a:d4:ea:56:ab:f2: f5:3a:52:0d:f0:ba:7b:c0:9b:43:55:9b:68:4e:70: 76:9a:80:54:b8:40:e4:22:3c:58:d7:ed:da:ad:b8: 8d:2a:cf:42:08:e8:67:5b:5f:40:f3:ca:76:88:49: 53:e6:0b:77:76:e3:55:30:52:d5:0f:44:fe:e0:84: 62:d1:60:7e:82:c5:83:01 exponent2: 00:c1:18:56:af:d7:1a:b3:a6:0f:0f:81:97:01:78: 23:ad:88:ca:ea:26:fc:74:7e:6b:5d:ab:b4:1f:5c: 49:6e:51:5d:e2:d3:0c:8c:0c:76:73:d9:23:58:d7: 8e:8c:3c:ac:15:74:3f:6c:6e:10:09:6a:43:36:b3: f2:37:79:32:8e:34:54:78:6e:fa:29:b7:ce:5a:c4: fb:5a:b5:6d:12:a2:6e:ce:39:89:bf:e6:c1:a2:c0: 4b:02:d5:28:9d:25:73:2d:9b:4d:1a:08:a6:5e:13: 3b:e0:77:65:55:4d:80:49:2f:b9:1e:72:bd:80:62: 59:24:cc:be:72:88:9d:c4:09 coefficient: 39:4a:4e:f9:37:e9:7a:25:99:4a:56:ac:a7:37:52: 6a:32:a8:4d:64:6c:4b:a6:66:ef:c1:51:a9:91:50: 9f:fa:aa:8f:6c:15:0d:68:31:b5:9e:50:b5:b5:19: 3d:6f:4c:e1:03:9e:17:67:47:5b:25:ce:78:24:00: c6:e3:b2:86:c0:aa:e0:60:92:a7:e4:30:a8:5f:4f: 0b:47:9c:ca:2a:f8:11:6b:44:48:77:10:3b:a8:c3: f3:6f:3a:c7:db:78:be:47:fa:83:8f:34:3a:db:08: 4a:50:71:1b:ea:25:7a:5e:d7:eb:ed:30:59:c3:fe: f0:46:a1:f4:c5:ac:ae:0f writing RSA key -----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEAn4BwLvrl0FH1CJJuPJMhCwopNOvGte5l/zoKKgvNihxSQ6W9 ADtYaJ8l8HbU33CJ5mZ26FLH9flyQVn/PgsrVZjU2CE0F1oDJHLyQNbP5mevNuC0 rIXSv/z8fFf1VdqAeKgYIzC8fJeHgKdw3wV3F0r23V7B2Nis9SNcJEiBWtbkT27d Lq+0oV8wKWObqS7xH/Nsj3xzvDXBeHxAzZ02KWtXnBpJPVNZleGSXRBjBPKYCwgJ KlEb84rTqAuIKRq9ceNR+G458/jpw/1d0wEmMhiLwXWZ9c7mdrWprRaciacPq+LV m/mBR9QikDhPuUycilZaA5Rop30pPqyeBmXpZQIDAQABAoIBAH00gFuQnhgSTcvl zl0EjZqx5jjhoAGuWyincdUhoL36j2UE1EE7VKID0+9YCLBBEi7nXg3u9YKTxmmg cOlOMT0nFGV4YwC1quPQy3O0bEyMNZFZgNowzofg2n3tOeuj8tdD9HajSkJvXHHU fpjDHIIPWYvaV0aWh+aCVFEzDT+1VODYn9tHJXSR7N1nDB1hGeu0u4Ad8p7jKtzG cdgGNY+SUD+RCIH85x5pIAtsBTJHbOAuaJIhFpqeyeVhTzEiZuQhHjkOgSrecYVZ A2Kso5Ki+A5TqUrWBQ36QG1BogWt8TTSnT2KwY1ErFTjKWbI3uwCM+SJJkp0rCBZ PYxrpAECgYEA0T8F24keuli8erD4S8FoMqjHEPRe8dOBSTUU+wZGEx2ZnRc2pOZn pwnuJ90zYpwRhKUfpf1F4ZbTLHFkEJsSCGRns4PI+QKlfe90Fh7vCZcBM7PgzTDB wsabJB+MRfJ3mr43C0F9rI2RbsNAn5/qMh/4ve6FctbZeAytd1q2rQECgYEAwyQC RkYaZXy257GEM1CnRenRAQKbmG1U1Wr2a2QvQTuZ6qOyBiV6774GZyNH7ox0steS i17068okTkDatX3BApvgYAS/UV4B++RT+LU9crjs+7LRJeQKnfU01reLSY0olc/t 5NDoNPeJRYuh+LtbpkeWInxE8+VqSfgaFSvLqGUCgYBvGybSFnIhgqK6ByQgnZbl Z2ckYo3TnHoG1E/Kpt8ooUwC9OOIFeut74Ds2/DACJzosQEoE1861OpWq/L1OlIN 8Lp7wJtDVZtoTnB2moBUuEDkIjxY1+3arbiNKs9CCOhnW19A88p2iElT5gt3duNV MFLVD0T+4IRi0WB+gsWDAQKBgQDBGFav1xqzpg8PgZcBeCOtiMrqJvx0fmtdq7Qf XEluUV3i0wyMDHZz2SNY146MPKwVdD9sbhAJakM2s/I3eTKONFR4bvopt85axPta tW0Som7OOYm/5sGiwEsC1SidJXMtm00aCKZeEzvgd2VVTYBJL7kecr2AYlkkzL5y iJ3ECQKBgDlKTvk36XolmUpWrKc3UmoyqE1kbEumZu/BUamRUJ/6qo9sFQ1oMbWe ULW1GT1vTOEDnhdnR1slzngkAMbjsobAquBgkqfkMKhfTwtHnMoq+BFrREh3EDuo w/NvOsfbeL5H+oOPNDrbCEpQcRvqJXpe1+vtMFnD/vBGofTFrK4P -----END RSA PRIVATE KEY-----
从这里,我们可以看到private key有这些部份组成(默认生成key的长度为2048bit):
- modulus
- publicExponent
- privateExponent
- prime1
- prime2
- exponent1
- exponent2
- coefficient
我们再来看一下public key的组成部份:
$ openssl rsa -in pubkey.pem -pubin -text Public-Key: (2048 bit) Modulus: 00:9f:80:70:2e:fa:e5:d0:51:f5:08:92:6e:3c:93: 21:0b:0a:29:34:eb:c6:b5:ee:65:ff:3a:0a:2a:0b: cd:8a:1c:52:43:a5:bd:00:3b:58:68:9f:25:f0:76: d4:df:70:89:e6:66:76:e8:52:c7:f5:f9:72:41:59: ff:3e:0b:2b:55:98:d4:d8:21:34:17:5a:03:24:72: f2:40:d6:cf:e6:67:af:36:e0:b4:ac:85:d2:bf:fc: fc:7c:57:f5:55:da:80:78:a8:18:23:30:bc:7c:97: 87:80:a7:70:df:05:77:17:4a:f6:dd:5e:c1:d8:d8: ac:f5:23:5c:24:48:81:5a:d6:e4:4f:6e:dd:2e:af: b4:a1:5f:30:29:63:9b:a9:2e:f1:1f:f3:6c:8f:7c: 73:bc:35:c1:78:7c:40:cd:9d:36:29:6b:57:9c:1a: 49:3d:53:59:95:e1:92:5d:10:63:04:f2:98:0b:08: 09:2a:51:1b:f3:8a:d3:a8:0b:88:29:1a:bd:71:e3: 51:f8:6e:39:f3:f8:e9:c3:fd:5d:d3:01:26:32:18: 8b:c1:75:99:f5:ce:e6:76:b5:a9:ad:16:9c:89:a7: 0f:ab:e2:d5:9b:f9:81:47:d4:22:90:38:4f:b9:4c: 9c:8a:56:5a:03:94:68:a7:7d:29:3e:ac:9e:06:65: e9:65 Exponent: 65537 (0x10001) writing RSA key -----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAn4BwLvrl0FH1CJJuPJMh CwopNOvGte5l/zoKKgvNihxSQ6W9ADtYaJ8l8HbU33CJ5mZ26FLH9flyQVn/Pgsr VZjU2CE0F1oDJHLyQNbP5mevNuC0rIXSv/z8fFf1VdqAeKgYIzC8fJeHgKdw3wV3 F0r23V7B2Nis9SNcJEiBWtbkT27dLq+0oV8wKWObqS7xH/Nsj3xzvDXBeHxAzZ02 KWtXnBpJPVNZleGSXRBjBPKYCwgJKlEb84rTqAuIKRq9ceNR+G458/jpw/1d0wEm MhiLwXWZ9c7mdrWprRaciacPq+LVm/mBR9QikDhPuUycilZaA5Rop30pPqyeBmXp ZQIDAQAB -----END PUBLIC KEY-----
这里可以看到public key由modules和Exponent组成。而这两个部分的内容private key也有。所以private key中是包含public key的;public key并不是由private key通过某个算法计算出来的。
再看一下我们通常使用ssh-keygen来生成RSA key, 如何从rsa_id中获得rsa_id.pub呢?
首先我们先使用ssh-keygen生成一组的RSA key:
$ ssh-keygen -t rsa Generating public/private rsa key pair. Enter file in which to save the key (/home/hzak/.ssh/id_rsa): id_rsa Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in id_rsa. Your public key has been saved in id_rsa.pub. The key fingerprint is: 43:dd:92:14:9a:8c:c7:1f:85:5d:34:70:25:13:cb:bf hzak@B85PRO The key's randomart image is: +--[ RSA 2048]----+ | o+o+Oo.| | + =.+.o = | | . B = . o | | o . o . | | S . .| | . .| | E | | | | | +-----------------+ $ cat id_rsa.pub ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHyvhlUWPXB13cITmcyK8It4SWxXXV0fx1lVkNatoVMZlHgHUdrAEsjzpBSh4mmSm+iQSuEjeWkRuQpeigCkgCmr2+MoJVijSK0rVDBhntcKLmjqOe5uwvLM1d+UbP4vAc1L7I3IP0hkxqOwMk7sAAC/BdNgkr3UZ7pPNuVa6uwzTlnjWUG6MfXUAhdA1Sl/IU2hckvh9EAcyTGr8kmiJAtNYlcNyxI49nktNbypljzL2BHx3aW6IROijgF0mlkxE5Q670p7UA0oSw5ZuczUko7YXkCldDVkM20Djbb4XyfU+nBiLXyg17yb5kdfe5gwevdwA0Od9Nw/KTdbseh/Wd hzak@B85PRO
接着,我们再通过ssh-keygen从private key文件中获取public key:
$ ssh-keygen -y -f id_rsa ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHyvhlUWPXB13cITmcyK8It4SWxXXV0fx1lVkNatoVMZlHgHUdrAEsjzpBSh4mmSm+iQSuEjeWkRuQpeigCkgCmr2+MoJVijSK0rVDBhntcKLmjqOe5uwvLM1d+UbP4vAc1L7I3IP0hkxqOwMk7sAAC/BdNgkr3UZ7pPNuVa6uwzTlnjWUG6MfXUAhdA1Sl/IU2hckvh9EAcyTGr8kmiJAtNYlcNyxI49nktNbypljzL2BHx3aW6IROijgF0mlkxE5Q670p7UA0oSw5ZuczUko7YXkCldDVkM20Djbb4XyfU+nBiLXyg17yb5kdfe5gwevdwA0Od9Nw/KTdbseh/Wd
- CA(Certificate authority)
证书包括两种,一种是由权威机构颁发证书,另外一种是自签名证书(self signed certificate)。这里,我们主要看一下自签名证书。可以参考https://github.com/openssl/openssl/blob/master/doc/HOWTO/certificates.txt
$ openssl req -new -x509 -key prvkey.pem -days 1095 | tee cacert.pem You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:CN State or Province Name (full name) [Some-State]:SH Locality Name (eg, city) []: Organization Name (eg, company) [Internet Widgits Pty Ltd]:Brob. BWind Ltd. Organizational Unit Name (eg, section) []: Common Name (e.g. server FQDN or YOUR name) []:brobwind.com Email Address []: -----BEGIN CERTIFICATE----- MIIDazCCAlOgAwIBAgIJAPUQys77KykaMA0GCSqGSIb3DQEBCwUAMEwxCzAJBgNV BAYTAkNOMQswCQYDVQQIDAJTSDEZMBcGA1UECgwQQnJvYi4gQldpbmQgTHRkLjEV MBMGA1UEAwwMYnJvYndpbmQuY29tMB4XDTE2MDIwNTE0MzQ1MFoXDTE5MDIwNDE0 MzQ1MFowTDELMAkGA1UEBhMCQ04xCzAJBgNVBAgMAlNIMRkwFwYDVQQKDBBCcm9i LiBCV2luZCBMdGQuMRUwEwYDVQQDDAxicm9id2luZC5jb20wggEiMA0GCSqGSIb3 DQEBAQUAA4IBDwAwggEKAoIBAQCfgHAu+uXQUfUIkm48kyELCik068a17mX/Ogoq C82KHFJDpb0AO1honyXwdtTfcInmZnboUsf1+XJBWf8+CytVmNTYITQXWgMkcvJA 1s/mZ6824LSshdK//Px8V/VV2oB4qBgjMLx8l4eAp3DfBXcXSvbdXsHY2Kz1I1wk SIFa1uRPbt0ur7ShXzApY5upLvEf82yPfHO8NcF4fEDNnTYpa1ecGkk9U1mV4ZJd EGME8pgLCAkqURvzitOoC4gpGr1x41H4bjnz+OnD/V3TASYyGIvBdZn1zuZ2tamt FpyJpw+r4tWb+YFH1CKQOE+5TJyKVloDlGinfSk+rJ4GZellAgMBAAGjUDBOMB0G A1UdDgQWBBSTTL3gceHppiuUy3EWi3rcV5MrATAfBgNVHSMEGDAWgBSTTL3gceHp piuUy3EWi3rcV5MrATAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQA1 HAfn8TE1mq23TB2EqW2MRVQOx70mZ7p5WrmXgUsM9Eh5+rVS92u9iQS8l7RXzhb5 3zNCQsLTOZQOhcwWy/aB+wQr+GqHdgKcYQ4Ef0kM/W72BfAJLW3Y6+sHxcuNuQaJ FEmOxpGdj268W+ELuQKZ0cSkwJPdm3N3AZ7ZuQE6PU8T+YRWOWgQuxDRNUplluK6 1SwpuT24sRe0Q98rlXuxVDdfRbIti+pPycp1RH94jV8SfsQsma7nBLjZKgDK0J2H YJG9ONJo+4bIiH/fKNzvkDBBc/a0eJguUZM2nv0M+oA9ERLZUJhfjETe+pQWgpP1 TsvjPEo4QLZKT/R4phOP -----END CERTIFICATE-----
证书文件的内容也是经过base64编码的。将证书通过openssl输出我们能够看得懂的文字信息:
$ openssl x509 -in cacert.pem -text Certificate: Data: Version: 3 (0x2) Serial Number: 17658837129245698330 (0xf510cacefb2b291a) Signature Algorithm: sha256WithRSAEncryption Issuer: C=CN, ST=SH, O=Brob. BWind Ltd., CN=brobwind.com Validity Not Before: Feb 5 14:34:50 2016 GMT Not After : Feb 4 14:34:50 2019 GMT Subject: C=CN, ST=SH, O=Brob. BWind Ltd., CN=brobwind.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:9f:80:70:2e:fa:e5:d0:51:f5:08:92:6e:3c:93: 21:0b:0a:29:34:eb:c6:b5:ee:65:ff:3a:0a:2a:0b: cd:8a:1c:52:43:a5:bd:00:3b:58:68:9f:25:f0:76: d4:df:70:89:e6:66:76:e8:52:c7:f5:f9:72:41:59: ff:3e:0b:2b:55:98:d4:d8:21:34:17:5a:03:24:72: f2:40:d6:cf:e6:67:af:36:e0:b4:ac:85:d2:bf:fc: fc:7c:57:f5:55:da:80:78:a8:18:23:30:bc:7c:97: 87:80:a7:70:df:05:77:17:4a:f6:dd:5e:c1:d8:d8: ac:f5:23:5c:24:48:81:5a:d6:e4:4f:6e:dd:2e:af: b4:a1:5f:30:29:63:9b:a9:2e:f1:1f:f3:6c:8f:7c: 73:bc:35:c1:78:7c:40:cd:9d:36:29:6b:57:9c:1a: 49:3d:53:59:95:e1:92:5d:10:63:04:f2:98:0b:08: 09:2a:51:1b:f3:8a:d3:a8:0b:88:29:1a:bd:71:e3: 51:f8:6e:39:f3:f8:e9:c3:fd:5d:d3:01:26:32:18: 8b:c1:75:99:f5:ce:e6:76:b5:a9:ad:16:9c:89:a7: 0f:ab:e2:d5:9b:f9:81:47:d4:22:90:38:4f:b9:4c: 9c:8a:56:5a:03:94:68:a7:7d:29:3e:ac:9e:06:65: e9:65 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: 93:4C:BD:E0:71:E1:E9:A6:2B:94:CB:71:16:8B:7A:DC:57:93:2B:01 X509v3 Authority Key Identifier: keyid:93:4C:BD:E0:71:E1:E9:A6:2B:94:CB:71:16:8B:7A:DC:57:93:2B:01 X509v3 Basic Constraints: CA:TRUE Signature Algorithm: sha256WithRSAEncryption 35:1c:07:e7:f1:31:35:9a:ad:b7:4c:1d:84:a9:6d:8c:45:54: 0e:c7:bd:26:67:ba:79:5a:b9:97:81:4b:0c:f4:48:79:fa:b5: 52:f7:6b:bd:89:04:bc:97:b4:57:ce:16:f9:df:33:42:42:c2: d3:39:94:0e:85:cc:16:cb:f6:81:fb:04:2b:f8:6a:87:76:02: 9c:61:0e:04:7f:49:0c:fd:6e:f6:05:f0:09:2d:6d:d8:eb:eb: 07:c5:cb:8d:b9:06:89:14:49:8e:c6:91:9d:8f:6e:bc:5b:e1: 0b:b9:02:99:d1:c4:a4:c0:93:dd:9b:73:77:01:9e:d9:b9:01: 3a:3d:4f:13:f9:84:56:39:68:10:bb:10:d1:35:4a:65:96:e2: ba:d5:2c:29:b9:3d:b8:b1:17:b4:43:df:2b:95:7b:b1:54:37: 5f:45:b2:2d:8b:ea:4f:c9:ca:75:44:7f:78:8d:5f:12:7e:c4: 2c:99:ae:e7:04:b8:d9:2a:00:ca:d0:9d:87:60:91:bd:38:d2: 68:fb:86:c8:88:7f:df:28:dc:ef:90:30:41:73:f6:b4:78:98: 2e:51:93:36:9e:fd:0c:fa:80:3d:11:12:d9:50:98:5f:8c:44: de:fa:94:16:82:93:f5:4e:cb:e3:3c:4a:38:40:b6:4a:4f:f4: 78:a6:13:8f -----BEGIN CERTIFICATE----- MIIDazCCAlOgAwIBAgIJAPUQys77KykaMA0GCSqGSIb3DQEBCwUAMEwxCzAJBgNV BAYTAkNOMQswCQYDVQQIDAJTSDEZMBcGA1UECgwQQnJvYi4gQldpbmQgTHRkLjEV MBMGA1UEAwwMYnJvYndpbmQuY29tMB4XDTE2MDIwNTE0MzQ1MFoXDTE5MDIwNDE0 MzQ1MFowTDELMAkGA1UEBhMCQ04xCzAJBgNVBAgMAlNIMRkwFwYDVQQKDBBCcm9i LiBCV2luZCBMdGQuMRUwEwYDVQQDDAxicm9id2luZC5jb20wggEiMA0GCSqGSIb3 DQEBAQUAA4IBDwAwggEKAoIBAQCfgHAu+uXQUfUIkm48kyELCik068a17mX/Ogoq C82KHFJDpb0AO1honyXwdtTfcInmZnboUsf1+XJBWf8+CytVmNTYITQXWgMkcvJA 1s/mZ6824LSshdK//Px8V/VV2oB4qBgjMLx8l4eAp3DfBXcXSvbdXsHY2Kz1I1wk SIFa1uRPbt0ur7ShXzApY5upLvEf82yPfHO8NcF4fEDNnTYpa1ecGkk9U1mV4ZJd EGME8pgLCAkqURvzitOoC4gpGr1x41H4bjnz+OnD/V3TASYyGIvBdZn1zuZ2tamt FpyJpw+r4tWb+YFH1CKQOE+5TJyKVloDlGinfSk+rJ4GZellAgMBAAGjUDBOMB0G A1UdDgQWBBSTTL3gceHppiuUy3EWi3rcV5MrATAfBgNVHSMEGDAWgBSTTL3gceHp piuUy3EWi3rcV5MrATAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQA1 HAfn8TE1mq23TB2EqW2MRVQOx70mZ7p5WrmXgUsM9Eh5+rVS92u9iQS8l7RXzhb5 3zNCQsLTOZQOhcwWy/aB+wQr+GqHdgKcYQ4Ef0kM/W72BfAJLW3Y6+sHxcuNuQaJ FEmOxpGdj268W+ELuQKZ0cSkwJPdm3N3AZ7ZuQE6PU8T+YRWOWgQuxDRNUplluK6 1SwpuT24sRe0Q98rlXuxVDdfRbIti+pPycp1RH94jV8SfsQsma7nBLjZKgDK0J2H YJG9ONJo+4bIiH/fKNzvkDBBc/a0eJguUZM2nv0M+oA9ERLZUJhfjETe+pQWgpP1 TsvjPEo4QLZKT/R4phOP -----END CERTIFICATE-----
可以看到Issuer与Subject是一样的,所以是自签名证书。同时,我们可以看到证书中包含private key文件中的public key信息。当然我们还需要注意,证书是有时间限制的。
证书最后的签名是证书的相关信息经过sha256计算后,再由RSA private key进行加密的(sha256WithRSAEncryption)。所以要验证证书的真伪,只能通过private key进行验证。同时还可以看到最后的签名也是2048位,跟private key的长度一样。
当然如果是CA颁布的证书,你还可以进行吊销的操作。
最后,我们来看一下由Brillo系统生成的证书:
$ openssl x509 -in certificate -text Certificate: Data: Version: 3 (0x2) Serial Number: 1359928785 (0x510eddd1) Signature Algorithm: sha256WithRSAEncryption Issuer: CN=Brillo device Validity Not Before: Jan 16 02:31:05 2016 GMT Not After : Jan 15 07:37:05 2021 GMT Subject: CN=Brillo device Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (1024 bit) Modulus: 00:bb:2c:af:cc:a3:dd:44:20:ab:61:22:7c:dd:5f: 6f:6c:74:e7:9a:97:d3:a6:e8:7a:94:95:d9:85:57: 1b:fb:8b:83:28:70:66:11:84:48:e6:2d:d2:75:9d: 14:aa:41:0e:04:95:70:a2:a0:46:9f:f2:92:15:48: 95:f3:52:08:9c:5c:77:60:2f:2d:f3:9a:c2:26:b3: 6b:ca:8b:f5:6e:4b:99:15:d9:f5:33:76:4c:65:34: 87:d0:77:11:61:fa:39:5a:82:da:b8:7e:1a:72:da: 75:7e:8d:25:7d:14:21:0c:86:02:36:75:65:5e:e1: 7e:73:40:f3:45:48:3f:2b:43 Exponent: 65537 (0x10001) Signature Algorithm: sha256WithRSAEncryption 83:d8:3a:df:9e:39:19:a4:89:c4:69:ae:a2:04:cc:e3:18:90: ca:56:20:80:5b:8d:22:02:a3:f7:4e:68:1b:88:c0:e1:83:a1: f2:91:aa:af:d9:42:c1:56:8c:7d:74:b6:31:92:9a:af:f3:ba: d4:1b:a9:89:98:42:5d:8a:83:e7:93:11:c9:8b:55:d5:a2:fc: 06:6d:a2:3d:32:3a:b5:f1:27:0a:55:54:5d:02:d0:28:2d:46: 74:ec:01:0a:b0:88:3f:30:41:05:26:9d:86:74:c4:ce:74:d4: 15:ac:ef:8c:3c:71:61:ee:25:34:1b:9e:76:38:63:5f:e7:88: ac:7d -----BEGIN CERTIFICATE----- MIIBpzCCARCgAwIBAgIEUQ7d0TANBgkqhkiG9w0BAQsFADAYMRYwFAYDVQQDDA1C cmlsbG8gZGV2aWNlMB4XDTE2MDExNjAyMzEwNVoXDTIxMDExNTA3MzcwNVowGDEW MBQGA1UEAwwNQnJpbGxvIGRldmljZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC gYEAuyyvzKPdRCCrYSJ83V9vbHTnmpfTpuh6lJXZhVcb+4uDKHBmEYRI5i3SdZ0U qkEOBJVwoqBGn/KSFUiV81IInFx3YC8t85rCJrNryov1bkuZFdn1M3ZMZTSH0HcR Yfo5WoLauH4actp1fo0lfRQhDIYCNnVlXuF+c0DzRUg/K0MCAwEAATANBgkqhkiG 9w0BAQsFAAOBgQCD2DrfnjkZpInEaa6iBMzjGJDKViCAW40iAqP3TmgbiMDhg6Hy kaqv2ULBVox9dLYxkpqv87rUG6mJmEJdioPnkxHJi1XVovwGbaI9Mjq18ScKVVRd AtAoLUZ07AEKsIg/MEEFJp2GdMTOdNQVrO+MPHFh7iU0G552OGNf54isfQ== -----END CERTIFICATE-----
相关的参考文档:
- https://en.wikipedia.org/wiki/RSA_(cryptosystem)
- https://en.wikipedia.org/wiki/Public-key_cryptography
- https://en.wikipedia.org/wiki/Certificate_authority
- https://en.wikipedia.org/wiki/Public_key_certificate
- https://en.wikipedia.org/wiki/X.509