.pem和.pk8是什么文件?

原文地址: http://blog.csdn.net/lewif/article/details/49177653

在给android的apk签名的时候,需要用到一个扩展名为.pem和.pk8的文件,我第一反应,这啥啊,英文缩写?反正linux不用后缀名来区分文件,这到底是什么呢? 
首先在密码学上,有两个概念PKCS和X.509,在我理解,这俩都是类似一套协议,标准的东西。标准是啥,就比如人的姓名,以姓氏开始,然后再是名,张三。标准就是为了让大家都去遵循,好形成一套好管理、易理解、大家都知道的东西。



  1. 基础知识:
    2. 

  2. 密码学中将对称加密的密钥称为secret key,而将非对称加密的私钥和公钥分别称为private key 和 public key


PKCS


PKCS全称为Public-Key Cryptography Standards (PKCS) ,公钥加密标准s,很多标准^_^。维基上关于其的解释如下,




In cryptography, PKCS is a group of public-key cryptography standards devised and published by RSA Security Inc, starting in the early 1990s. The company published the standards to promote the use of the cryptography techniques to which they had patents, such as the RSA algorithm, the Schnorr signature algorithm and several others. Though not industry standards (because the company retained control over them), some of the standards in recent years[when?] have begun to move into the "standards-track" processes of relevant standards organizations such as the IETF and the PKIX working-group.



就是由某个公司发布的一组公钥加密标准,协议。目的是为了促进大家使用他们公司相关专利的技术,例如RSA算法等。由于这些专利是由RSA Security公司拥有,所以这些标准没有成为工业标准,但是最新这些年开始进入IETF 和PKIX的standards-track。 

    而PKCS这套协议呢,是以#数字的方式进行命名。例如 

    PKCS #1: RSA Cryptography Standard







                标准名
            

                名字
            

                解释
            







                PKCS #1
            

                RSA Cryptography Standard
            

                See RFC 3447. Defines the mathematical properties and format of RSA public and private keys (ASN.1-encoded in clear-text), and the basic algorithms and encoding/padding schemes for performing RSA encryption, decryption, and producing and verifying signatures.
            





                PKCS #5
            

                Password-based Encryption Standard
            

                See RFC 2898 and PBKDF2.
            





                PKCS #7
            

                Cryptographic Message Syntax Standard
            

                See RFC 2315. Used to sign and/or encrypt messages under a PKI. Used also for certificate dissemination (for instance as a response to a PKCS#10 message). Formed the basis for S/MIME, which is as of 2010 based on RFC 5652, an updated Cryptographic Message Syntax Standard (CMS). Often used for single sign-on.
            





                PKCS #8
            

                Private-Key Information Syntax Standard
            

                See RFC 5958. Used to carry private certificate keypairs (encrypted or unencrypted).
            





                PKCS #12
            

                Personal Information Exchange Syntax Standard
            

                See RFC 7292. Defines a file format commonly used to store private keys with accompanying public key certificates, protected with a password-based symmetric key. PFX is a predecessor to PKCS #12.This container format can contain multiple embedded objects, such as multiple certificates. Usually protected/encrypted with a password. Usable as a format for the Java key store and to establish client authentication certificates in Mozilla Firefox. Usable by Apache Tomcat.
            






其中, 

    PKCS #5定义了给予密码的加密标准; 

    PKCS #8定义了保存private key信息的标准语法,用来保存private keys。PKCS#8 有两个版本,加密的和非加密的。 

    对于一个private key,非加密的PKCS#8为:




  1. PrivateKeyInfo ::= SEQUENCE {
    2. 

  2. version Version,
    3. 

  3. //加密算法和privatekey
    4. 

  4. privateKeyAlgorithm PrivateKeyAlgorithmIdentifier,
    5. 

  5. privateKey PrivateKey,
    6. 

  6. attributes [0] IMPLICIT Attributes OPTIONAL }
    7. 

  7. Version ::= INTEGER
    8. 

  8. PrivateKeyAlgorithmIdentifier ::= AlgorithmIdentifier
    9. 

  9. PrivateKey ::= OCTET STRING
    10. 

  10. Attributes ::= SET OF Attribute
    11. 

  11. }


而相应的加密版本为:




  1. EncryptedPrivateKeyInfo ::= SEQUENCE {
    2. 

  2. //加密算法和加密后的private key
    3. 

  3. encryptionAlgorithm EncryptionAlgorithmIdentifier,
    4. 

  4. encryptedData EncryptedData }
    5. 

  5. EncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
    6. 

  6. EncryptedData ::= OCTET STRING


PKCS #7和#12下节介绍。


X.509


维基百科对X.509的解释如下,


In cryptography, X.509 is an ITU-T standard for a public key infrastructure (PKI) and Privilege Management Infrastructure (PMI). X.509 specifies, amongst other things, standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm.



X.509是一个ITU-T的标准,用在PKI和PMI里面。通常X.509标准主要包括数字证书的标准格式、证书废除列表、attribute certificates、a certification path validation algorithm等。


X.509 was initially issued on July 3, 1988 and was begun in association with the X.500 standard. It assumes a strict hierarchical system of certificate authorities (CAs) for issuing the certificates. This contrasts with web of trust models, like PGP, where anyone (not just special CAs) may sign and thus attest to the validity of others' key certificates. Version 3 of X.509 includes the flexibility to support other topologies like bridges and meshes.[1] It can be used in a peer-to-peer, OpenPGP-like web of trust[citation needed], but was rarely used that way as of 2004. The X.500 system has only ever been implemented by sovereign nations for state identity information sharing treaty fulfillment purposes, and the IETF's Public-Key Infrastructure (X.509), or PKIX, working group has adapted the standard to the more flexible organization of the Internet. In fact, the term X.509 certificate usually refers to the IETF's PKIX Certificate and CRL Profile of the X.509 v3 certificate standard, as specified in RFC 5280., commonly referred to as PKIX for Public Key Infrastructure (X.509).



通过上面这段话可知,为了签发证书,X.509定义了一套严格的等级分级系统,类似于金字塔,权限从高到低。而通常我们所说的X.509证书,表示IETF’s PKIX Certificate和CRL Profile of the X.509 v3 certificate standard。


In the X.509 system, a certification authority issues a certificate binding a public key to a particular distinguished name in the X.500 tradition, or to an alternative name such as an e-mail address or a DNS entry.



在X.509标准中,一个CA(证书颁发机构)可以颁发给用户证书,这个证书中绑定了用户的public key,和一个X.500类型的distinguished name(该distinguished name主要是CA用来区分不同的用户)。


下面是维基百科上总结的X.509常用数字证书的扩展名:




  1. .pem – (Privacy-enhanced Electronic Mail) Base64 encoded DER certificate, enclosed between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"
    2. 

  2. .cer, .crt, .der – usually in binary DER form, but Base64-encoded certificates are common too (see .pem above)
    3. 

  3. .p7b, .p7c – PKCS#7 SignedData structure without data, just certificate(s) or CRL(s)
    4. 

  4. .p12 – PKCS#12, may contain certificate(s) (public) and private keys (password protected)
    5. 

  5. .pfx – PFX, predecessor of PKCS#12 (usually contains data in PKCS#12 format, e.g., with PFX files generated in IIS)


    • 

  • .pem, 
    
        Privacy Enhanced Mail (PEM), is a 1993 IETF proposal for securing email using public-key cryptography, 
    
        以前是利用公钥加密进行邮件安全的一个协议, 
    
        The main legacy of PEM is the .pem file format, which is still in common use for storing keys and X.509 certificates. 
    
        而现在PEM这个协议仅仅在使用的就是.pem这种文件格式,这种文件里面保存了keys和X.509证书,看到了吗数字证书和key都能保存。 
    
        而现在一般表示用Base64 encoded DER编码的证书,这些encode咱们不用管,我理解就是字节打包的格式吧。这种证书的内容打开能够看到在”—–BEGIN CERTIFICATE—–” and “—–END CERTIFICATE—–”之间,如下所示;






  1. -----BEGIN CERTIFICATE-----
    2. 

  2. MIIEczCCA1ugAwIBAgIBADANBgkqhkiG9w0BAQQFAD..AkGA1UEBhMCR0Ix
    3. 

  3. EzARBgNVBAgTClNvbWUtU3RhdGUxFDASBgNVBAoTC0..0EgTHRkMTcwNQYD
    4. 

  4. VQQLEy5DbGFzcyAxIFB1YmxpYyBQcmltYXJ5IENlcn..XRpb24gQXV0aG9y
    5. 

  5. aXR5MRQwEgYDVQQDEwtCZXN0IENBIEx0ZDAeFw0wMD..TUwMTZaFw0wMTAy
    6. 

  6. MDQxOTUwMTZaMIGHMQswCQYDVQQGEwJHQjETMBEGA1..29tZS1TdGF0ZTEU
    7. 

  7. MBIGA1UEChMLQmVzdCBDQSBMdGQxNzA1BgNVBAsTLk..DEgUHVibGljIFBy
    8. 

  8. aW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFD..AMTC0Jlc3QgQ0Eg
    9. 

  9. THRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCg..Tz2mr7SZiAMfQyu
    10. 

  10. vBjM9OiJjRazXBZ1BjP5CE/Wm/Rr500PRK+Lh9x5eJ../ANBE0sTK0ZsDGM
    11. 

  11. ak2m1g7oruI3dY3VHqIxFTz0Ta1d+NAjwnLe4nOb7/..k05ShhBrJGBKKxb
    12. 

  12. 8n104o/5p8HAsZPdzbFMIyNjJzBM2o5y5A13wiLitE..fyYkQzaxCw0Awzl
    13. 

  13. kVHiIyCuaF4wj571pSzkv6sv+4IDMbT/XpCo8L6wTa..sh+etLD6FtTjYbb
    14. 

  14. rvZ8RQM1tlKdoMHg2qxraAV++HNBYmNWs0duEdjUbJ..XI9TtnS4o1Ckj7P
    15. 

  15. OfljiQIDAQABo4HnMIHkMB0GA1UdDgQWBBQ8urMCRL..5AkIp9NJHJw5TCB
    16. 

  16. tAYDVR0jBIGsMIGpgBQ8urMCRLYYMHUKU5AkIp9NJH..aSBijCBhzELMAkG
    17. 

  17. A1UEBhMCR0IxEzARBgNVBAgTClNvbWUtU3RhdGUxFD..AoTC0Jlc3QgQ0Eg
    18. 

  18. THRkMTcwNQYDVQQLEy5DbGFzcyAxIFB1YmxpYyBQcm..ENlcnRpZmljYXRp
    19. 

  19. b24gQXV0aG9yaXR5MRQwEgYDVQQDEwtCZXN0IENBIE..DAMBgNVHRMEBTAD
    20. 

  20. AQH/MA0GCSqGSIb3DQEBBAUAA4IBAQC1uYBcsSncwA..DCsQer772C2ucpX
    21. 

  21. xQUE/C0pWWm6gDkwd5D0DSMDJRqV/weoZ4wC6B73f5..bLhGYHaXJeSD6Kr
    22. 

  22. XcoOwLdSaGmJYslLKZB3ZIDEp0wYTGhgteb6JFiTtn..sf2xdrYfPCiIB7g
    23. 

  23. BMAV7Gzdc4VspS6ljrAhbiiawdBiQlQmsBeFz9JkF4..b3l8BoGN+qMa56Y
    24. 

  24. It8una2gY4l2O//on88r5IWJlm1L0oA8e4fR2yrBHX..adsGeFKkyNrwGi/
    25. 

  25. 7vQMfXdGsRrXNGRGnX+vWDZ3/zWI0joDtCkNnqEpVn..HoX
    26. 

  26. -----END CERTIFICATE-----


.cer、.crt、.der, 

    而通常的.cer、.crt、.der的证书,貌似和.pem类似,encode格式差不多; 

    .p7b、.p7c, 

    对.p7b、.p7c文件,由上文可知,PKCS #7通常用来签名或加密数据的,数字签名的数据需要数字证书去检验数据的签名(因为数字证书里面有公钥嘛)。而.p7b这个文件其实就是一个SignedData structure(签名所需原材料的数据结构),里面包含了数字证书或CRL,但是没有要被签名的数据。举个例子,你给张三李四发了一封签名邮件,同时你将你的个人证书随邮件一起发给了张三李四,这个时候,你可以按照PKCS#7的格式来打包这个证书; 

    .pfx 

    .pfx文件,PKCS#12是一种供应标准格式,主要为了传输、备份、恢复数字证书和它们相关的在公钥加密系统里的公钥或私钥。PKCS#12是输出格式,通常用于输出数字证书和它的私钥,因为用一个安全性差一点的方法输出一个用户的私钥会带来安全上的危险。PKCS#12用于输出数字证书给其他的计算机,到可移动的媒体以备份,或者到智能卡激活智能卡验证方案。 

    PKCS#12是“个人信息交换语法”。它可以用来将x.509的证书和证书对应的私钥打包,进行交换。比如你在windows下,可以将IE里的证书连带私钥导出,并设置一个口令保护。这个pfx格式的文件,就是按照pkcs#12的格式打包的。当然pkcs#12不仅仅只是作以上用途的。它可以用来打包交换任何信息。你可以和张三李四用PKCS#12来交换私人数据,包括x.509证书和私钥。


什么是.pem和.pk8文件


  • .pem


通过上面的分析,很明显,在android对apk签名的时候,.pem这种文件就是一个X.509的数字证书,里面有用户的公钥等信息。但是由上文可知,这种文件格式里面不仅可以存储数字证书,还能存各种key


  • .pk8 
    
        上文没有提过以.pk8为扩展名的文件,应该和PKCS #8是对应的,用来保存private key。
												


											

.pem和.pk8是什么文件?(转载)相关推荐
	

    
						
  1. android安全学习之2—android中.pem和.pk8是什么文件?
		
    PKCS X509 什么是pem和pk8文件 在给android的apk签名的时候,需要用到一个扩展名为.pem和.pk8的文件,我第一反应,这啥啊,英文缩写?反正linux不用后缀名来区分文件,这到 ...
    
		
    2. 
						
  2. .pem和.pk8(公钥私钥的协议相关)
		
    android安全学习之2-android中.pem和.pk8是什么文件? 相关维基百科: 公钥密码学标准 X.509
    
		
    3. 
						
  3. 关于keystore 证书转*.x509.pem 和*.pk8
		
    <span style="font-family: Arial, Helvetica, sans-serif; background-color: rgb(255, 255, 255) ...
    
		
    4. 
						
  4. matlab怎么输入输出文件,[转载]底层文件输入输出函数
		
    [转载]底层文件输入输出函数 http://sincerewfeng.spaces.live.com/ fclose :关闭文件 fopen :打开文件 fread :从文件中读入二进制数据 fwri ...
    
		
    5. 
						
  5. selector是在文件夹drawable中进行定义的xml文件转载  https://www.cnblogs.com/fx2008/p/3157040.html...
		
    获取Drawable对象: Resources res = mContext.getResources(); Drawable myImage = res.getDrawable(R.drawable ...
    
		
    6. 
						
  6. 使用org.apache.jasper.JspC编译jsp文件--转载
		
    JspC可以通过jspc.setArgs(args);设置所需参数,和使用指令进行编译相同, 使用指令编译范例: java -cp jasper.jar;servlet-api.jar;Fcatali ...
    
		
    7. 
						
  7. mac下profile文件(转载)
		
    备忘. 原文地址:http://woshixushigang.iteye.com/blog/1545709 当你的home下面有.bash_profile或者.bash_login的时候,会忽略掉.p ...
    
		
    8. 
						
  8. Java 证书pem转KeyStore、jks文件
		
    一.服务端pem转KeyStore CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509 ...
    
		
    9. 
						
  9. 内存映射处理大文件[转载]
		
    首先通过GetFileSize()得到被处理文件长度(64位)的高32位和低32位值.然后在映射过程中设定每次映射的块大小为1000倍的分配粒度(系统的数据分块大小),如果文件长度小于1000倍的分配 ...
    
		
    10. 
						
  10. 【Git】删除文件(转载)
		
    转载于廖雪峰的git教程 在Git中,删除文件也是一个修改操作 先添加一个新的文件test.txt到Git并且提交 git add test.txt git commit -m "add t ...
    
		
    11. 
		


					

最新文章
	

    
						
  1. python 时间time()及日期date()函数
		
    2. 
						
  2. pearsonr() python_Python 来算算一线城市的二手房价格指数相关性
		
    3. 
						
  3. 使用typedef简化函数指针的声明
		
    4. 
						
  4. 数据库的那些事(全是干货)
		
    5. 
						
  5. nginx+uWSGI + django部署项目
		
    6. 
						
  6. php io流 读取wav,记php中的io流---帮助理解
		
    7. 
						
  7. 一些adb的常用命令
		
    8. 
						
  8. linux php7 替换,linux-shell-命令替换和变量替换
		
    9. 
						
  9. 实验1 201521410028
		
    10. 
						
  10. windows ce操作系统能用哪个导航_微软的windows和苹果的mac操作系统,在技术难度上哪个更高...
		
    11. 
						
  11. 【Linux】【Shell】【Basic】函数
		
    12. 
						
  12. android 脱壳 加固,安卓的脱壳之战-爱加密加固
		
    13. 
						
  13. Labview温度采集系统
		
    14. 
						
  14. 免费领取40本前端学习书籍【高清电子版】
		
    15. 
						
  15. 数据库系统的简单结构图
		
    16. 
						
  16. Canvas绘制地图
		
    17. 
						
  17. general error c101008a: Failed to save the updated manifest to the file .\D
		
    18. 
						
  18. webapp期末作业-oneapp
		
    19. 
						
  19. android property实现路径
		
    20. 
						
  20. r语言 svycoxph_R语言-Cox比例风险模型
		
    21. 
		

	


热门文章
	

    
									
  1. VS2010对话框中使用MSChart控件
			
    2. 
						
  2. Python教学视频(五)顺序结构练习
			
    3. 
						
  3. fpv  freerider穿越机模拟器怎么和HTC Vive vr 设备连接配置
			
    4. 
						
  4. EasyUI框架分页实现
			
    5. 
						
  5. scratch3.0教程(持续更新)
			
    6. 
						
  6. VB2010(1)_Hello User
			
    7. 
						
  7. 什么是私有ip 、A类地址、B类地址和C类地址?
			
    8. 
						
  8. 【eNSP 华为模拟器】了解一下交换机原理和基础命令
			
    9. 
						
  9. 关关小说采集器规则正则表达式方法
			
    10. 
						
  10. Python项目--飞机作战完整版(附带图片素材)
			
    11.