當前位置：首頁 > 编程资源 > 编程问答 >内容正文

编程问答

.pem和.pk8是什么文件？(转载)

發布時間：2023/12/10 编程问答 31 豆豆

生活随笔收集整理的這篇文章主要介紹了 .pem和.pk8是什么文件？(转载) 小編覺得挺不錯的,現在分享給大家,幫大家做個參考.

.pem和.pk8是什么文件？

原文地址： http://blog.csdn.net/lewif/article/details/49177653

在給android的apk簽名的時候，需要用到一個擴展名為.pem和.pk8的文件，我第一反應，這啥啊，英文縮寫？反正linux不用后綴名來區分文件，這到底是什么呢？?
首先在密碼學上，有兩個概念PKCS和X.509，在我理解，這倆都是類似一套協議，標準的東西。標準是啥，就比如人的姓名，以姓氏開始，然后再是名，張三。標準就是為了讓大家都去遵循，好形成一套好管理、易理解、大家都知道的東西。

基礎知識：

密碼學中將對稱加密的密鑰稱為secret key,而將非對稱加密的私鑰和公鑰分別稱為private key 和 public key

PKCS

PKCS全稱為Public-Key Cryptography Standards (PKCS) ，公鑰加密標準s，很多標準^_^。維基上關于其的解釋如下，

In cryptography, PKCS is a group of public-key cryptography standards devised and published by RSA Security Inc, starting in the early 1990s. The company published the standards to promote the use of the cryptography techniques to which they had patents, such as the RSA algorithm, the Schnorr signature algorithm and several others. Though not industry standards (because the company retained control over them), some of the standards in recent years[when?] have begun to move into the "standards-track" processes of relevant standards organizations such as the IETF and the PKIX working-group.

就是由某個公司發布的一組公鑰加密標準，協議。目的是為了促進大家使用他們公司相關專利的技術，例如RSA算法等。由于這些專利是由RSA Security公司擁有，所以這些標準沒有成為工業標準，但是最新這些年開始進入IETF 和PKIX的standards-track。?
而PKCS這套協議呢，是以#數字的方式進行命名。例如?
PKCS #1： RSA Cryptography Standard

標準名名字解釋

PKCS #1	RSA Cryptography Standard	See RFC 3447. Defines the mathematical properties and format of RSA public and private keys (ASN.1-encoded in clear-text), and the basic algorithms and encoding/padding schemes for performing RSA encryption, decryption, and producing and verifying signatures.
PKCS #5	Password-based Encryption Standard	See RFC 2898 and PBKDF2.
PKCS #7	Cryptographic Message Syntax Standard	See RFC 2315. Used to sign and/or encrypt messages under a PKI. Used also for certificate dissemination (for instance as a response to a PKCS#10 message). Formed the basis for S/MIME, which is as of 2010 based on RFC 5652, an updated Cryptographic Message Syntax Standard (CMS). Often used for single sign-on.
PKCS #8	Private-Key Information Syntax Standard	See RFC 5958. Used to carry private certificate keypairs (encrypted or unencrypted).
PKCS #12	Personal Information Exchange Syntax Standard	See RFC 7292. Defines a file format commonly used to store private keys with accompanying public key certificates, protected with a password-based symmetric key. PFX is a predecessor to PKCS #12.This container format can contain multiple embedded objects, such as multiple certificates. Usually protected/encrypted with a password. Usable as a format for the Java key store and to establish client authentication certificates in Mozilla Firefox. Usable by Apache Tomcat.

其中，?
PKCS #5定義了給予密碼的加密標準；?
PKCS #8定義了保存private key信息的標準語法，用來保存private keys。PKCS#8 有兩個版本，加密的和非加密的。?
對于一個private key，非加密的PKCS#8為：

PrivateKeyInfo ::= SEQUENCE {

version Version,

//加密算法和privatekey

privateKeyAlgorithm PrivateKeyAlgorithmIdentifier,

privateKey PrivateKey,

attributes [0] IMPLICIT Attributes OPTIONAL }

Version ::= INTEGER

PrivateKeyAlgorithmIdentifier ::= AlgorithmIdentifier

PrivateKey ::= OCTET STRING

Attributes ::= SET OF Attribute

}

而相應的加密版本為：

EncryptedPrivateKeyInfo ::= SEQUENCE {

//加密算法和加密后的private key

encryptionAlgorithm EncryptionAlgorithmIdentifier,

encryptedData EncryptedData }

EncryptionAlgorithmIdentifier ::= AlgorithmIdentifier

EncryptedData ::= OCTET STRING

PKCS #7和#12下節介紹。

X.509

維基百科對X.509的解釋如下，

In cryptography, X.509 is an ITU-T standard for a public key infrastructure (PKI) and Privilege Management Infrastructure (PMI). X.509 specifies, amongst other things, standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm.

X.509是一個ITU-T的標準，用在PKI和PMI里面。通常X.509標準主要包括數字證書的標準格式、證書廢除列表、attribute certificates、a certification path validation algorithm等。

X.509 was initially issued on July 3, 1988 and was begun in association with the X.500 standard. It assumes a strict hierarchical system of certificate authorities (CAs) for issuing the certificates. This contrasts with web of trust models, like PGP, where anyone (not just special CAs) may sign and thus attest to the validity of others' key certificates. Version 3 of X.509 includes the flexibility to support other topologies like bridges and meshes.[1] It can be used in a peer-to-peer, OpenPGP-like web of trust[citation needed], but was rarely used that way as of 2004. The X.500 system has only ever been implemented by sovereign nations for state identity information sharing treaty fulfillment purposes, and the IETF's Public-Key Infrastructure (X.509), or PKIX, working group has adapted the standard to the more flexible organization of the Internet. In fact, the term X.509 certificate usually refers to the IETF's PKIX Certificate and CRL Profile of the X.509 v3 certificate standard, as specified in RFC 5280., commonly referred to as PKIX for Public Key Infrastructure (X.509).

通過上面這段話可知，為了簽發證書，X.509定義了一套嚴格的等級分級系統，類似于金字塔，權限從高到低。而通常我們所說的X.509證書，表示IETF’s PKIX Certificate和CRL Profile of the X.509 v3 certificate standard。

In the X.509 system, a certification authority issues a certificate binding a public key to a particular distinguished name in the X.500 tradition, or to an alternative name such as an e-mail address or a DNS entry.

在X.509標準中，一個CA（證書頒發機構）可以頒發給用戶證書，這個證書中綁定了用戶的public key，和一個X.500類型的distinguished name（該distinguished name主要是CA用來區分不同的用戶）。

下面是維基百科上總結的X.509常用數字證書的擴展名：

.pem – (Privacy-enhanced Electronic Mail) Base64 encoded DER certificate, enclosed between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"

.cer, .crt, .der – usually in binary DER form, but Base64-encoded certificates are common too (see .pem above)

.p7b, .p7c – PKCS#7 SignedData structure without data, just certificate(s) or CRL(s)

.p12 – PKCS#12, may contain certificate(s) (public) and private keys (password protected)

.pfx – PFX, predecessor of PKCS#12 (usually contains data in PKCS#12 format, e.g., with PFX files generated in IIS)

.pem，?
Privacy Enhanced Mail (PEM), is a 1993 IETF proposal for securing email using public-key cryptography，?
以前是利用公鑰加密進行郵件安全的一個協議，?
The main legacy of PEM is the .pem file format, which is still in common use for storing keys and X.509 certificates.?
而現在PEM這個協議僅僅在使用的就是.pem這種文件格式，這種文件里面保存了keys和X.509證書，看到了嗎數字證書和key都能保存。?
而現在一般表示用Base64 encoded DER編碼的證書，這些encode咱們不用管，我理解就是字節打包的格式吧。這種證書的內容打開能夠看到在”—–BEGIN CERTIFICATE—–” and “—–END CERTIFICATE—–”之間，如下所示；

-----BEGIN CERTIFICATE-----

MIIEczCCA1ugAwIBAgIBADANBgkqhkiG9w0BAQQFAD..AkGA1UEBhMCR0Ix

EzARBgNVBAgTClNvbWUtU3RhdGUxFDASBgNVBAoTC0..0EgTHRkMTcwNQYD

VQQLEy5DbGFzcyAxIFB1YmxpYyBQcmltYXJ5IENlcn..XRpb24gQXV0aG9y

aXR5MRQwEgYDVQQDEwtCZXN0IENBIEx0ZDAeFw0wMD..TUwMTZaFw0wMTAy

MDQxOTUwMTZaMIGHMQswCQYDVQQGEwJHQjETMBEGA1..29tZS1TdGF0ZTEU

MBIGA1UEChMLQmVzdCBDQSBMdGQxNzA1BgNVBAsTLk..DEgUHVibGljIFBy

aW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFD..AMTC0Jlc3QgQ0Eg

THRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCg..Tz2mr7SZiAMfQyu

vBjM9OiJjRazXBZ1BjP5CE/Wm/Rr500PRK+Lh9x5eJ../ANBE0sTK0ZsDGM

ak2m1g7oruI3dY3VHqIxFTz0Ta1d+NAjwnLe4nOb7/..k05ShhBrJGBKKxb

8n104o/5p8HAsZPdzbFMIyNjJzBM2o5y5A13wiLitE..fyYkQzaxCw0Awzl

kVHiIyCuaF4wj571pSzkv6sv+4IDMbT/XpCo8L6wTa..sh+etLD6FtTjYbb

rvZ8RQM1tlKdoMHg2qxraAV++HNBYmNWs0duEdjUbJ..XI9TtnS4o1Ckj7P

OfljiQIDAQABo4HnMIHkMB0GA1UdDgQWBBQ8urMCRL..5AkIp9NJHJw5TCB

tAYDVR0jBIGsMIGpgBQ8urMCRLYYMHUKU5AkIp9NJH..aSBijCBhzELMAkG

A1UEBhMCR0IxEzARBgNVBAgTClNvbWUtU3RhdGUxFD..AoTC0Jlc3QgQ0Eg

THRkMTcwNQYDVQQLEy5DbGFzcyAxIFB1YmxpYyBQcm..ENlcnRpZmljYXRp

b24gQXV0aG9yaXR5MRQwEgYDVQQDEwtCZXN0IENBIE..DAMBgNVHRMEBTAD

AQH/MA0GCSqGSIb3DQEBBAUAA4IBAQC1uYBcsSncwA..DCsQer772C2ucpX

xQUE/C0pWWm6gDkwd5D0DSMDJRqV/weoZ4wC6B73f5..bLhGYHaXJeSD6Kr

XcoOwLdSaGmJYslLKZB3ZIDEp0wYTGhgteb6JFiTtn..sf2xdrYfPCiIB7g

BMAV7Gzdc4VspS6ljrAhbiiawdBiQlQmsBeFz9JkF4..b3l8BoGN+qMa56Y

It8una2gY4l2O//on88r5IWJlm1L0oA8e4fR2yrBHX..adsGeFKkyNrwGi/

7vQMfXdGsRrXNGRGnX+vWDZ3/zWI0joDtCkNnqEpVn..HoX

-----END CERTIFICATE-----

.cer、.crt、.der，?
而通常的.cer、.crt、.der的證書，貌似和.pem類似，encode格式差不多；?
.p7b、.p7c，?
對.p7b、.p7c文件，由上文可知，PKCS #7通常用來簽名或加密數據的，數字簽名的數據需要數字證書去檢驗數據的簽名(因為數字證書里面有公鑰嘛)。而.p7b這個文件其實就是一個SignedData structure（簽名所需原材料的數據結構），里面包含了數字證書或CRL，但是沒有要被簽名的數據。舉個例子，你給張三李四發了一封簽名郵件，同時你將你的個人證書隨郵件一起發給了張三李四，這個時候，你可以按照PKCS#7的格式來打包這個證書；?
.pfx?
.pfx文件，PKCS#12是一種供應標準格式，主要為了傳輸、備份、恢復數字證書和它們相關的在公鑰加密系統里的公鑰或私鑰。PKCS#12是輸出格式，通常用于輸出數字證書和它的私鑰，因為用一個安全性差一點的方法輸出一個用戶的私鑰會帶來安全上的危險。PKCS#12用于輸出數字證書給其他的計算機，到可移動的媒體以備份，或者到智能卡激活智能卡驗證方案。?
PKCS#12是“個人信息交換語法”。它可以用來將x.509的證書和證書對應的私鑰打包，進行交換。比如你在windows下，可以將IE里的證書連帶私鑰導出，并設置一個口令保護。這個pfx格式的文件，就是按照pkcs#12的格式打包的。當然pkcs#12不僅僅只是作以上用途的。它可以用來打包交換任何信息。你可以和張三李四用PKCS#12來交換私人數據，包括x.509證書和私鑰。

什么是.pem和.pk8文件

.pem

通過上面的分析，很明顯，在android對apk簽名的時候，.pem這種文件就是一個X.509的數字證書，里面有用戶的公鑰等信息。但是由上文可知，這種文件格式里面不僅可以存儲數字證書，還能存各種key。

.pk8?
上文沒有提過以.pk8為擴展名的文件，應該和PKCS #8是對應的，用來保存private key。

總結

以上是生活随笔為你收集整理的.pem和.pk8是什么文件？(转载)的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。

文件
pem

上一篇：智能硬件开发怎么做？机智云全套自助式开发
下一篇：通信网络基础知识