RSA signature verification: RSA encryption/decryption and RSA signing/verification explained

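RSA is currently the most influential public-key encryption algorithm and is widely regarded as one of the best public-key schemes available. RSA was the first algorithm that could be used for both data encryption and digital signatures. It can resist all cryptographic attacks known so far, and ISO has recommended it as the public-key data encryption standard.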

1.1 Key pair generation

An RSA asymmetric key pair can be generated with OpenSSL commands, or generated directly online (http://web.chacuo.net/netrsakeypair).

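Key size: 1024 bits or 2048 bits, that is, the length of the key. Encryption and decryption may need to be done in segments, and 1024-bit and 2048-bit keys require different block sizes.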

Key format: PKCS#8. Keys in PKCS#1 format can also be converted to PKCS#8.

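Certificate password: the password of the private key file. It can be set if the key needs to be encrypted. A private key without a password begins with "-----BEGIN PRIVATE KEY-----"; a private key with a password begins with "-----BEGIN ENCRYPTED PRIVATE KEY-----".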

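Note that a key pair generated online carries the begin and end markers and contains line breaks. If you copy it directly into a program's configuration, these have to be removed.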

1.2 Digital certificate formats

In general, public-key certificates use the X.509 format, and private-key certificates use the pkcs7/pkcs8/pkcs12 formats.

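[Public-key certificate formats]

| Format | Extension | Description |
| --- | --- | --- |
| X.509 PEM | .pem .cer .crt | Base64-encoded ASCII file that begins with "-----BEGIN CERTIFICATE-----" and ends with "-----END CERTIFICATE-----". It can hold certificates and can also hold private keys. |
| X.509 DER | .der .cer .crt | Used to store certificates. It is stored in binary form and does not contain a private key. |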

[Public-key certificate formats: English description]

PEM Format

The PEM format is the most common format that Certificate Authorities issue certificates in. PEM certificates usually have extensions such as .pem, .crt, .cer, and .key. They are Base64 encoded ASCII files and contain "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" statements. Server certificates, intermediate certificates, and private keys can all be put into the PEM format.

Apache and other similar servers use PEM format certificates. Several PEM certificates, and even the private key, can be included in one file, one below the other, but most platforms, such as Apache, expect the certificates and private key to be in separate files.

DER Format

The DER format is simply a binary form of a certificate instead of the ASCII PEM format. It sometimes has a file extension of .der but it often has a file extension of .cer, so the only way to tell the difference between a DER .cer file and a PEM .cer file is to open it in a text editor and look for the BEGIN/END statements. All types of certificates and private keys can be encoded in DER format. DER is typically used with Java platforms. The SSL Converter can only convert certificates to DER format. If you need to convert a private key to DER, please use the OpenSSL commands on this page.

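[Private-key certificate formats]

| Format | Extension | Description |
| --- | --- | --- |
| PKCS#7/P7B | .p7b .p7c | Base64-encoded ASCII file that begins with "-----BEGIN PKCS7-----" and ends with "-----END PKCS7-----". P7B presents the certificate chain as a tree and also supports a single certificate; it does not contain a private key. |
| PKCS#12/PFX | .pfx .p12 | Used to store a personal certificate/private key. It usually carries a protecting password and is a binary file. |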

[Private-key certificate formats: English description]

PKCS#7/P7B Format

The PKCS#7 or P7B format is usually stored in Base64 ASCII format and has a file extension of .p7b or .p7c. P7B certificates contain "-----BEGIN PKCS7-----" and "-----END PKCS7-----" statements. A P7B file only contains certificates and chain certificates, not the private key. Several platforms support P7B files including Microsoft Windows and Java Tomcat.

PKCS#12/PFX Format

The PKCS#12 or PFX format is a binary format for storing the server certificate, any intermediate certificates, and the private key in one encryptable file. PFX files usually have extensions such as .pfx and .p12. PFX files are typically used on Windows machines to import and export certificates and private keys.

When converting a PFX file to PEM format, OpenSSL will put all the certificates and the private key into a single file. You will need to open the file in a text editor and copy each certificate and private key (including the BEGIN/END statements) to its own individual text file and save them as certificate.cer, CACert.cer, and privateKey.key respectively.

So now, whenever you see a .pfx file, you know it is a private-key certificate in PKCS#12 format, and a .cer file is a public-key certificate.

Public key: the encryption and decryption key that can be handed out to anyone. It is public and anyone may access it.

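Private key: the private key must be strictly protected. The public key can be generated from the private key, but deriving the private key from the public key can be regarded as never possible. For that reason, pfx files generally have a file password.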
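The markers from section 1.1 and the formats from section 1.2 can be checked by content instead of by file extension. The Python below is an added example, not code from the original post: it tells PEM from DER, names each PEM block from its BEGIN/END label, and strips the markers and line breaks into the one-line value that program configuration needs. The function names are hypothetical and the sample bytes are constructed placeholders, not a real key.

```python
import base64
import re

# PEM labels from the page (plus the PKCS#1 label) and what each block holds.
LABELS = {
    "CERTIFICATE": "X.509 certificate",
    "PRIVATE KEY": "PKCS#8 private key, no password",
    "ENCRYPTED PRIVATE KEY": "PKCS#8 private key, password-protected",
    "RSA PRIVATE KEY": "PKCS#1 private key",
    "PKCS7": "PKCS#7 certificate chain, no private key",
}
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def parse_pem(data):
    """Return (label, der_bytes) for every PEM block found in data."""
    return [(m.group(1).decode(),
             base64.b64decode(b"".join(m.group(2).split()), validate=True))
            for m in PEM_RE.finditer(data)]

def classify(data):
    """Describe a key or certificate file by content, not by extension."""
    blocks = parse_pem(data)
    if blocks:
        return [("PEM", LABELS.get(label, "unknown")) for label, _ in blocks]
    if data[:1] == b"\x30":  # DER starts with an ASN.1 SEQUENCE tag
        return [("DER", "binary ASN.1 structure")]
    raise ValueError("neither PEM nor DER")

def to_config_value(data):
    """Strip BEGIN/END markers and line breaks: one-line Base64 for config."""
    blocks = parse_pem(data)
    if len(blocks) != 1:
        raise ValueError("expected exactly one PEM block")
    return base64.b64encode(blocks[0][1]).decode()

def to_pem(value, label="PRIVATE KEY"):
    """Rebuild a PEM block with 64-character lines from a config value."""
    b64 = base64.b64encode(base64.b64decode(value, validate=True)).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN %s-----\n%s\n-----END %s-----\n"
            % (label, "\n".join(lines), label)).encode()

# Constructed sample: placeholder bytes behind a SEQUENCE tag, not a real key.
SAMPLE_DER = b"\x30\x64" + bytes(range(100))
SAMPLE_PEM = to_pem(base64.b64encode(SAMPLE_DER).decode())

if __name__ == "__main__":
    print(classify(SAMPLE_PEM), to_config_value(SAMPLE_PEM))
```

A file that reports "PKCS#8 private key, no password" is readable by anyone who can read the file, so it is the case to look for when reviewing configuration and repositories.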

pfx → cer: this can be done with OpenSSL.

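The OpenSSL tool can generate RSA public/private keys and convert between certificate formats. The following conversions between certificate formats are possible: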

PEM → DER

PEM → P7B

PEM → PFX

P7B → PEM

P7B → PFX

PFX → PEM

DER → PEM

Relationship between programming languages and private-key certificates

Development
