iOS RSA加密以及生成公钥秘钥 pem文件

在iOS中使用RSA加密解密，需要用到.der和.p12后缀格式的文件，其中.der格式的文件存放的是公钥（Public key）用于加密，.p12格式的文件存放的是私钥（Private key）用于解密. 首先需要先生成这些文件，然后再将文件导入工程使用，不多说，开始做！

一、使用openssl生成所需秘钥文件

　　生成环境是在mac系统下，使用openssl进行生成，首先打开终端，按下面这些步骤依次来做：

1. 生成模长为1024bit的私钥文件`private_key.pem`

openssl genrsa -out private_key.pem 1024

2. 生成证书请求文件`rsaCertReq.csr`

openssl req -new -key private_key.pem -out rsaCerReq.csr

注意：这一步会提示输入国家、省份、mail等信息，可以根据实际情况填写，或者全部不用填写，直接全部敲回车.

3. 生成证书`rsaCert.crt`，并设置有效时间为10年

openssl x509 -req -days 3650 -in rsaCerReq.csr -signkey private_key.pem -out rsaCert.crt

4. 生成供iOS使用的公钥文件`public_key.der`

openssl x509 -outform der -in rsaCert.crt -out public_key.der

5. 生成供iOS使用的私钥文件`private_key.p12`

openssl pkcs12 -export -out private_key.p12 -inkey private_key.pem -in rsaCert.crt

注意：这一步会提示给私钥文件设置密码，直接输入想要设置密码即可，然后敲回车，然后再验证刚才设置的密码，再次输入密码，然后敲回车，完毕！
在解密时，private_key.p12文件需要和这里设置的密码配合使用，因此需要牢记此密码.

6. 生成供Java使用的公钥`rsa_public_key.pem`

openssl rsa -in private_key.pem -out rsa_public_key.pem -pubout

7. 生成供Java使用的私钥`pkcs8_private_key.pem`

openssl pkcs8 -topk8 -in private_key.pem -out pkcs8_private_key.pem -nocrypt

全部执行成功后，会生成如下文件，其中public_key.der和private_key.p12就是iOS需要用到的文件，如下图：

生成的文件

二、将文件导入工程使用

1.新建工程, 并导入`Security.framework`框架, 如下图:

新建工程并添加框架

2.导入秘钥文件

导入.der和.p12格式的秘钥文件, 如下图:

导入秘钥文件

3.新建用于加密、解密的类`RSAEncryptor`, 并实现相关方法

新建RSAEncryptor类, 如下图:

新建用于加密解密的类

下面开始上代码, 可以直接复制过去用:
RSAEncryptor.h代码如下:

#import <Foundation/Foundation.h>@interface RSAEncryptor : NSObject/***  加密方法**  @param str   需要加密的字符串*  @param path  '.der'格式的公钥文件路径*/
+ (NSString *)encryptString:(NSString *)str publicKeyWithContentsOfFile:(NSString *)path;/***  解密方法**  @param str       需要解密的字符串*  @param path      '.p12'格式的私钥文件路径*  @param password  私钥文件密码*/
+ (NSString *)decryptString:(NSString *)str privateKeyWithContentsOfFile:(NSString *)path password:(NSString *)password;/***  加密方法**  @param str    需要加密的字符串*  @param pubKey 公钥字符串*/
+ (NSString *)encryptString:(NSString *)str publicKey:(NSString *)pubKey;/***  解密方法**  @param str     需要解密的字符串*  @param privKey 私钥字符串*/
+ (NSString *)decryptString:(NSString *)str privateKey:(NSString *)privKey;@end

RSAEncryptor.m代码如下:

#import "RSAEncryptor.h"
#import <Security/Security.h>@implementation RSAEncryptorstatic NSString *base64_encode_data(NSData *data){data = [data base64EncodedDataWithOptions:0];NSString *ret = [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];return ret;
}static NSData *base64_decode(NSString *str){NSData *data = [[NSData alloc] initWithBase64EncodedString:str options:NSDataBase64DecodingIgnoreUnknownCharacters];return data;
}#pragma mark - 使用'.der'公钥文件加密//加密
+ (NSString *)encryptString:(NSString *)str publicKeyWithContentsOfFile:(NSString *)path{if (!str || !path)  return nil;return [self encryptString:str publicKeyRef:[self getPublicKeyRefWithContentsOfFile:path]];
}//获取公钥
+ (SecKeyRef)getPublicKeyRefWithContentsOfFile:(NSString *)filePath{NSData *certData = [NSData dataWithContentsOfFile:filePath];if (!certData) {return nil;}SecCertificateRef cert = SecCertificateCreateWithData(NULL, (CFDataRef)certData);SecKeyRef key = NULL;SecTrustRef trust = NULL;SecPolicyRef policy = NULL;if (cert != NULL) {policy = SecPolicyCreateBasicX509();if (policy) {if (SecTrustCreateWithCertificates((CFTypeRef)cert, policy, &trust) == noErr) {SecTrustResultType result;if (SecTrustEvaluate(trust, &result) == noErr) {key = SecTrustCopyPublicKey(trust);}}}}if (policy) CFRelease(policy);if (trust) CFRelease(trust);if (cert) CFRelease(cert);return key;
}+ (NSString *)encryptString:(NSString *)str publicKeyRef:(SecKeyRef)publicKeyRef{if(![str dataUsingEncoding:NSUTF8StringEncoding]){return nil;}if(!publicKeyRef){return nil;}NSData *data = [self encryptData:[str dataUsingEncoding:NSUTF8StringEncoding] withKeyRef:publicKeyRef];NSString *ret = base64_encode_data(data);return ret;
}#pragma mark - 使用'.12'私钥文件解密//解密
+ (NSString *)decryptString:(NSString *)str privateKeyWithContentsOfFile:(NSString *)path password:(NSString *)password{if (!str || !path) return nil;if (!password) password = @"";return [self decryptString:str privateKeyRef:[self getPrivateKeyRefWithContentsOfFile:path password:password]];
}//获取私钥
+ (SecKeyRef)getPrivateKeyRefWithContentsOfFile:(NSString *)filePath password:(NSString*)password{NSData *p12Data = [NSData dataWithContentsOfFile:filePath];if (!p12Data) {return nil;}SecKeyRef privateKeyRef = NULL;NSMutableDictionary * options = [[NSMutableDictionary alloc] init];[options setObject: password forKey:(__bridge id)kSecImportExportPassphrase];CFArrayRef items = CFArrayCreate(NULL, 0, 0, NULL);OSStatus securityError = SecPKCS12Import((__bridge CFDataRef) p12Data, (__bridge CFDictionaryRef)options, &items);if (securityError == noErr && CFArrayGetCount(items) > 0) {CFDictionaryRef identityDict = CFArrayGetValueAtIndex(items, 0);SecIdentityRef identityApp = (SecIdentityRef)CFDictionaryGetValue(identityDict, kSecImportItemIdentity);securityError = SecIdentityCopyPrivateKey(identityApp, &privateKeyRef);if (securityError != noErr) {privateKeyRef = NULL;}}CFRelease(items);return privateKeyRef;
}+ (NSString *)decryptString:(NSString *)str privateKeyRef:(SecKeyRef)privKeyRef{NSData *data = [[NSData alloc] initWithBase64EncodedString:str options:NSDataBase64DecodingIgnoreUnknownCharacters];if (!privKeyRef) {return nil;}data = [self decryptData:data withKeyRef:privKeyRef];NSString *ret = [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];return ret;
}#pragma mark - 使用公钥字符串加密/* START: Encryption with RSA public key *///使用公钥字符串加密
+ (NSString *)encryptString:(NSString *)str publicKey:(NSString *)pubKey{NSData *data = [self encryptData:[str dataUsingEncoding:NSUTF8StringEncoding] publicKey:pubKey];NSString *ret = base64_encode_data(data);return ret;
}+ (NSData *)encryptData:(NSData *)data publicKey:(NSString *)pubKey{if(!data || !pubKey){return nil;}SecKeyRef keyRef = [self addPublicKey:pubKey];if(!keyRef){return nil;}return [self encryptData:data withKeyRef:keyRef];
}+ (SecKeyRef)addPublicKey:(NSString *)key{NSRange spos = [key rangeOfString:@"-----BEGIN PUBLIC KEY-----"];NSRange epos = [key rangeOfString:@"-----END PUBLIC KEY-----"];if(spos.location != NSNotFound && epos.location != NSNotFound){NSUInteger s = spos.location + spos.length;NSUInteger e = epos.location;NSRange range = NSMakeRange(s, e-s);key = [key substringWithRange:range];}key = [key stringByReplacingOccurrencesOfString:@"\r" withString:@""];key = [key stringByReplacingOccurrencesOfString:@"\n" withString:@""];key = [key stringByReplacingOccurrencesOfString:@"\t" withString:@""];key = [key stringByReplacingOccurrencesOfString:@" "  withString:@""];// This will be base64 encoded, decode it.NSData *data = base64_decode(key);data = [self stripPublicKeyHeader:data];if(!data){return nil;}//a tag to read/write keychain storageNSString *tag = @"RSAUtil_PubKey";NSData *d_tag = [NSData dataWithBytes:[tag UTF8String] length:[tag length]];// Delete any old lingering key with the same tagNSMutableDictionary *publicKey = [[NSMutableDictionary alloc] init];[publicKey setObject:(__bridge id) kSecClassKey forKey:(__bridge id)kSecClass];[publicKey setObject:(__bridge id) kSecAttrKeyTypeRSA forKey:(__bridge id)kSecAttrKeyType];[publicKey setObject:d_tag forKey:(__bridge id)kSecAttrApplicationTag];SecItemDelete((__bridge CFDictionaryRef)publicKey);// Add persistent version of the key to system keychain[publicKey setObject:data forKey:(__bridge id)kSecValueData];[publicKey setObject:(__bridge id) kSecAttrKeyClassPublic forKey:(__bridge id)kSecAttrKeyClass];[publicKey setObject:[NSNumber numberWithBool:YES] forKey:(__bridge id)kSecReturnPersistentRef];CFTypeRef persistKey = nil;OSStatus status = SecItemAdd((__bridge CFDictionaryRef)publicKey, &persistKey);if (persistKey != nil){CFRelease(persistKey);}if ((status != noErr) && (status != errSecDuplicateItem)) {return nil;}[publicKey removeObjectForKey:(__bridge id)kSecValueData];[publicKey removeObjectForKey:(__bridge id)kSecReturnPersistentRef];[publicKey setObject:[NSNumber numberWithBool:YES] forKey:(__bridge id)kSecReturnRef];[publicKey setObject:(__bridge id) kSecAttrKeyTypeRSA forKey:(__bridge id)kSecAttrKeyType];// Now fetch the SecKeyRef version of the keySecKeyRef keyRef = nil;status = SecItemCopyMatching((__bridge CFDictionaryRef)publicKey, (CFTypeRef *)&keyRef);if(status != noErr){return nil;}return keyRef;
}+ (NSData *)stripPublicKeyHeader:(NSData *)d_key{// Skip ASN.1 public key headerif (d_key == nil) return(nil);unsigned long len = [d_key length];if (!len) return(nil);unsigned char *c_key = (unsigned char *)[d_key bytes];unsigned int  idx     = 0;if (c_key[idx++] != 0x30) return(nil);if (c_key[idx] > 0x80) idx += c_key[idx] - 0x80 + 1;else idx++;// PKCS #1 rsaEncryption szOID_RSA_RSAstatic unsigned char seqiod[] ={ 0x30,   0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,0x01, 0x05, 0x00 };if (memcmp(&c_key[idx], seqiod, 15)) return(nil);idx += 15;if (c_key[idx++] != 0x03) return(nil);if (c_key[idx] > 0x80) idx += c_key[idx] - 0x80 + 1;else idx++;if (c_key[idx++] != '\0') return(nil);// Now make a new NSData from this bufferreturn ([NSData dataWithBytes:&c_key[idx] length:len - idx]);
}+ (NSData *)encryptData:(NSData *)data withKeyRef:(SecKeyRef) keyRef{const uint8_t *srcbuf = (const uint8_t *)[data bytes];size_t srclen = (size_t)data.length;size_t block_size = SecKeyGetBlockSize(keyRef) * sizeof(uint8_t);void *outbuf = malloc(block_size);size_t src_block_size = block_size - 11;NSMutableData *ret = [[NSMutableData alloc] init];for(int idx=0; idx<srclen; idx+=src_block_size){//NSLog(@"%d/%d block_size: %d", idx, (int)srclen, (int)block_size);size_t data_len = srclen - idx;if(data_len > src_block_size){data_len = src_block_size;}size_t outlen = block_size;OSStatus status = noErr;status = SecKeyEncrypt(keyRef,kSecPaddingPKCS1,srcbuf + idx,data_len,outbuf,&outlen);if (status != 0) {NSLog(@"SecKeyEncrypt fail. Error Code: %d", status);ret = nil;break;}else{[ret appendBytes:outbuf length:outlen];}}free(outbuf);CFRelease(keyRef);return ret;
}/* END: Encryption with RSA public key */#pragma mark - 使用私钥字符串解密/* START: Decryption with RSA private key *///使用私钥字符串解密
+ (NSString *)decryptString:(NSString *)str privateKey:(NSString *)privKey{if (!str) return nil;NSData *data = [[NSData alloc] initWithBase64EncodedString:str options:NSDataBase64DecodingIgnoreUnknownCharacters];data = [self decryptData:data privateKey:privKey];NSString *ret = [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];return ret;
}+ (NSData *)decryptData:(NSData *)data privateKey:(NSString *)privKey{if(!data || !privKey){return nil;}SecKeyRef keyRef = [self addPrivateKey:privKey];if(!keyRef){return nil;}return [self decryptData:data withKeyRef:keyRef];
}+ (SecKeyRef)addPrivateKey:(NSString *)key{NSRange spos = [key rangeOfString:@"-----BEGIN RSA PRIVATE KEY-----"];NSRange epos = [key rangeOfString:@"-----END RSA PRIVATE KEY-----"];if(spos.location != NSNotFound && epos.location != NSNotFound){NSUInteger s = spos.location + spos.length;NSUInteger e = epos.location;NSRange range = NSMakeRange(s, e-s);key = [key substringWithRange:range];}key = [key stringByReplacingOccurrencesOfString:@"\r" withString:@""];key = [key stringByReplacingOccurrencesOfString:@"\n" withString:@""];key = [key stringByReplacingOccurrencesOfString:@"\t" withString:@""];key = [key stringByReplacingOccurrencesOfString:@" "  withString:@""];// This will be base64 encoded, decode it.NSData *data = base64_decode(key);data = [self stripPrivateKeyHeader:data];if(!data){return nil;}//a tag to read/write keychain storageNSString *tag = @"RSAUtil_PrivKey";NSData *d_tag = [NSData dataWithBytes:[tag UTF8String] length:[tag length]];// Delete any old lingering key with the same tagNSMutableDictionary *privateKey = [[NSMutableDictionary alloc] init];[privateKey setObject:(__bridge id) kSecClassKey forKey:(__bridge id)kSecClass];[privateKey setObject:(__bridge id) kSecAttrKeyTypeRSA forKey:(__bridge id)kSecAttrKeyType];[privateKey setObject:d_tag forKey:(__bridge id)kSecAttrApplicationTag];SecItemDelete((__bridge CFDictionaryRef)privateKey);// Add persistent version of the key to system keychain[privateKey setObject:data forKey:(__bridge id)kSecValueData];[privateKey setObject:(__bridge id) kSecAttrKeyClassPrivate forKey:(__bridge id)kSecAttrKeyClass];[privateKey setObject:[NSNumber numberWithBool:YES] forKey:(__bridge id)kSecReturnPersistentRef];CFTypeRef persistKey = nil;OSStatus status = SecItemAdd((__bridge CFDictionaryRef)privateKey, &persistKey);if (persistKey != nil){CFRelease(persistKey);}if ((status != noErr) && (status != errSecDuplicateItem)) {return nil;}[privateKey removeObjectForKey:(__bridge id)kSecValueData];[privateKey removeObjectForKey:(__bridge id)kSecReturnPersistentRef];[privateKey setObject:[NSNumber numberWithBool:YES] forKey:(__bridge id)kSecReturnRef];[privateKey setObject:(__bridge id) kSecAttrKeyTypeRSA forKey:(__bridge id)kSecAttrKeyType];// Now fetch the SecKeyRef version of the keySecKeyRef keyRef = nil;status = SecItemCopyMatching((__bridge CFDictionaryRef)privateKey, (CFTypeRef *)&keyRef);if(status != noErr){return nil;}return keyRef;
}+ (NSData *)stripPrivateKeyHeader:(NSData *)d_key{// Skip ASN.1 private key headerif (d_key == nil) return(nil);unsigned long len = [d_key length];if (!len) return(nil);unsigned char *c_key = (unsigned char *)[d_key bytes];unsigned int  idx     = 22; //magic byte at offset 22if (0x04 != c_key[idx++]) return nil;//calculate length of the keyunsigned int c_len = c_key[idx++];int det = c_len & 0x80;if (!det) {c_len = c_len & 0x7f;} else {int byteCount = c_len & 0x7f;if (byteCount + idx > len) {//rsa length field longer than bufferreturn nil;}unsigned int accum = 0;unsigned char *ptr = &c_key[idx];idx += byteCount;while (byteCount) {accum = (accum << 8) + *ptr;ptr++;byteCount--;}c_len = accum;}// Now make a new NSData from this bufferreturn [d_key subdataWithRange:NSMakeRange(idx, c_len)];
}+ (NSData *)decryptData:(NSData *)data withKeyRef:(SecKeyRef) keyRef{const uint8_t *srcbuf = (const uint8_t *)[data bytes];size_t srclen = (size_t)data.length;size_t block_size = SecKeyGetBlockSize(keyRef) * sizeof(uint8_t);UInt8 *outbuf = malloc(block_size);size_t src_block_size = block_size;NSMutableData *ret = [[NSMutableData alloc] init];for(int idx=0; idx<srclen; idx+=src_block_size){//NSLog(@"%d/%d block_size: %d", idx, (int)srclen, (int)block_size);size_t data_len = srclen - idx;if(data_len > src_block_size){data_len = src_block_size;}size_t outlen = block_size;OSStatus status = noErr;status = SecKeyDecrypt(keyRef,kSecPaddingNone,srcbuf + idx,data_len,outbuf,&outlen);if (status != 0) {NSLog(@"SecKeyEncrypt fail. Error Code: %d", status);ret = nil;break;}else{//the actual decrypted data is in the middle, locate it!int idxFirstZero = -1;int idxNextZero = (int)outlen;for ( int i = 0; i < outlen; i++ ) {if ( outbuf[i] == 0 ) {if ( idxFirstZero < 0 ) {idxFirstZero = i;} else {idxNextZero = i;break;}}}[ret appendBytes:&outbuf[idxFirstZero+1] length:idxNextZero-idxFirstZero-1];}}free(outbuf);CFRelease(keyRef);return ret;
}/* END: Decryption with RSA private key */@end

4. 测试加密、解密

首先先测试使用.der和.p12秘钥文件进行加密、解密, 在ViewController.m中进行测试, 代码如下:

#import "ViewController.h"
#import "RSAEncryptor.h"@interface ViewController ()@end@implementation ViewController- (void)viewDidLoad {[super viewDidLoad];//原始数据NSString *originalString = @"这是一段将要使用'.der'文件加密的字符串!";//使用.der和.p12中的公钥私钥加密解密NSString *public_key_path = [[NSBundle mainBundle] pathForResource:@"public_key.der" ofType:nil];NSString *private_key_path = [[NSBundle mainBundle] pathForResource:@"private_key.p12" ofType:nil];NSString *encryptStr = [RSAEncryptor encryptString:originalString publicKeyWithContentsOfFile:public_key_path];NSLog(@"加密前:%@", originalString);NSLog(@"加密后:%@", encryptStr);NSLog(@"解密后:%@", [RSAEncryptor decryptString:encryptStr privateKeyWithContentsOfFile:private_key_path password:@"123456"]);}- (void)didReceiveMemoryWarning {[super didReceiveMemoryWarning];// Dispose of any resources that can be recreated.
}@end

运行后, 输出信息如下:

输出结果

可以看到已经可以成功加密、解密了.

下面接着测试使用秘钥字符串进行加密、解密, 那么秘钥字符串从哪里来? 可以来这里:http://web.chacuo.net/netrsakeypair, 这是一个在线生成RSA秘钥的网站, 生成公钥和秘钥后, 复制出来用于测试. 然后在ViewController.m中使用RSAEntryptor.h头文件中对应的加密方法进行加密,ViewController.m中代码如下:

#import "ViewController.h"
#import "RSAEncryptor.h"@interface ViewController ()@end@implementation ViewController- (void)viewDidLoad {[super viewDidLoad];//原始数据NSString *originalString = @"这是一段将要使用'秘钥字符串'进行加密的字符串!";//使用字符串格式的公钥私钥加密解密NSString *encryptStr = [RSAEncryptor encryptString:originalString publicKey:@"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDTbZ6cNH9PgdF60aQKveLz3FTalyzHQwbp601y77SzmGHX3F5NoVUZbdK7UMdoCLK4FBziTewYD9DWvAErXZo9BFuI96bAop8wfl1VkZyyHTcznxNJFGSQd/B70/ExMgMBpEwkAAdyUqIjIdVGh1FQK/4acwS39YXwbS+IlHsPSQIDAQAB"];NSLog(@"加密前:%@", originalString);NSLog(@"加密后:%@", encryptStr);NSLog(@"解密后:%@", [RSAEncryptor decryptString:encryptStr privateKey:@"MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBANNtnpw0f0+B0XrRpAq94vPcVNqXLMdDBunrTXLvtLOYYdfcXk2hVRlt0rtQx2gIsrgUHOJN7BgP0Na8AStdmj0EW4j3psCinzB+XVWRnLIdNzOfE0kUZJB38HvT8TEyAwGkTCQAB3JSoiMh1UaHUVAr/hpzBLf1hfBtL4iUew9JAgMBAAECgYA1tGeQmAkqofga8XtwuxEWDoaDS9k0+EKeUoXGxzqoT/GyiihuIafjILFhoUA1ndf/yCQaG973sbTDhtfpMwqFNQq13+JAownslTjWgr7Hwf7qplYW92R7CU0v7wFfjqm1t/2FKU9JkHfaHfb7qqESMIbO/VMjER9o4tEx58uXDQJBAO0O4lnWDVjr1gN02cqvxPOtTY6DgFbQDeaAZF8obb6XqvCqGW/AVms3Bh8nVlUwdQ2K/xte8tHxjW9FtBQTLd8CQQDkUncO35gAqUF9Bhsdzrs7nO1J3VjLrM0ITrepqjqtVEvdXZc+1/UrkWVaIigWAXjQCVfmQzScdbznhYXPz5fXAkEAgB3KMRkhL4yNpmKRjhw+ih+ASeRCCSj6Sjfbhx4XaakYZmbXxnChg+JB+bZNz06YBFC5nLZM7y/n61o1f5/56wJBALw+ZVzE6ly5L34114uG04W9x0HcFgau7MiJphFjgUdAtd/H9xfgE4odMRPUD3q9Me9LlMYK6MiKpfm4c2+3dzcCQQC8y37NPgpNEkd9smMwPpSEjPW41aMlfcKvP4Da3z7G5bGlmuICrva9YDAiaAyDGGCK8LxC8K6HpKrFgYrXkRtt"]);}- (void)didReceiveMemoryWarning {[super didReceiveMemoryWarning];// Dispose of any resources that can be recreated.
}@end

运行后, 输出信息如下:

输出结果

可以看到,也成功加密、解密了.

至此, RSA加密演示完毕!

文／jianshu_wl（简书作者）
著作权归作者所有，转载请联系作者获得授权，并标注“简书作者”。