我想生成RSA 1024密钥对。我从谷歌得到的是
openssl genrsa -out privatekey.txt 1024
openssl rsa -in privatekey.txt -pubout -out publickey.txt
但为什么这两个文件的大小不同(608字节和162字节)? RSA 1024的密钥对应该是相同的大小,对吗?
这些文件以
开头0x30 0x81 ...
和
0x30 0x82 ...
它是pem格式吗?它们如何与openssl一起使用?RSA* rsa = RSA_new();
BN_hex2bn(&rsa->n, WHAT_HERE);
BN_hex2bn(&rsa->e, AND_WHAT_HERE);
RSA_public_encrypt(....);
感谢。
答案 0 :(得分:3)
私钥大于公钥的原因有几个。一个是虽然私钥只需要包含模数和私有指数(这些是所需的解密的唯一参数),但它还包含公共指数(因此给定私钥,公钥)永远可以重新创建),以及原始素数值P和Q以及许多其他派生参数(DP,DQ,InverseQ)
可以创建一个包含仅所需参数(模数和私有指数)的私钥,但即使在这种情况下,由于公共和私有的大小,私钥也会更大指数 - 公共指数通常很小,通常是一组预定义值中的一个 - 例如65537,但相应的私有指数值要大得多。
关于在OpenSSL中使用PEM文件,有许多函数可以从PEM格式文件加载RSA密钥。请参阅:https://www.openssl.org/docs/crypto/pem.html
答案 1 :(得分:2)
但为什么这两个文件的大小不同(608字节和162字节)? RSA 1024的密钥对应该是相同的大小,对吗?
私钥有两种格式(例如,参见PKCS#1或RFC 3447)。
OpenSSL使用第二种表示形式,可以用n,e,d dp,dq等描述为“长形式”
$ openssl pkey -in test-key.txt -inform PEM -text
-----BEGIN PRIVATE KEY-----
MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAMQFuyeb8y+Losq3
0xBjg3EjbTdb+CddlZZ+JQWxjrhkJslLN7UsxL83Qz0ZNYRxGW5Pd1RDUfmqWAYm
5xZThRFoz7seEQ0yIfVnoI/OlDuzx+bb8ci3tSGQKQDPHv5aO8jdoeBtP0oz8Zog
oNBuVeRATnHkCoocrd0vwur+xWoZAgMBAAECgYBkiLvwGJ+k5uzbI2Rwp1kmkZDW
L6kaJ3ks8g1y2hnkoBj0bEtp9EgD+gfWMjOsdYUhekgtQ0mrzp3Oqe0jGjrISEoC
iKriv2mXA2mnlPUpulQ6VRMRDCiuofoRC9kG8hvzQx+abmRr/expGvXGJ2kkItTI
t6PEUnEnpctSE819sQJBAPVPXK3R56JMMRrykwct8RsKKx7iiV+X5R1zzNZIelPz
eLmt7h1y1Xk/fP22MVeQDfxXvQkjdG5HOKuXD3a4eKMCQQDMkIZERj/ll6EqVxPa
CeZuOiYNcmVXIEq3T3TRbjYxN2zBIdDBE9Fq19ZW/YBe81M8AVegxWu6mzW40r9b
kxITAkB3W/YsXUXnoksCYaVIiQIXtgrlLDTLXo0Ml5vDZ+CdmInVTtvdWFKmfE3E
5TF8+YrUjZxdJfMw9VaNpyLPEVMhAkADQW2Rmpibu80J0nbzamLrcCt43VA1kcL+
pdoTFzDvmZU2gaZD3F/h1muH2OL5H+A8PT06xsmPH7c8KMZ4259XAkAyG8NmkLIB
s4cfkDt6qeLMkBSI1TLe62/aXZAdIhkWKqH7jahOCzb4AiHaPxGf/kcIMtvLRw5J
NBOLSFGTJBoc
-----END PRIVATE KEY-----
Private-Key: (1024 bit)
modulus:
00:c4:05:bb:27:9b:f3:2f:8b:a2:ca:b7:d3:10:63:
83:71:23:6d:37:5b:f8:27:5d:95:96:7e:25:05:b1:
8e:b8:64:26:c9:4b:37:b5:2c:c4:bf:37:43:3d:19:
35:84:71:19:6e:4f:77:54:43:51:f9:aa:58:06:26:
e7:16:53:85:11:68:cf:bb:1e:11:0d:32:21:f5:67:
a0:8f:ce:94:3b:b3:c7:e6:db:f1:c8:b7:b5:21:90:
29:00:cf:1e:fe:5a:3b:c8:dd:a1:e0:6d:3f:4a:33:
f1:9a:20:a0:d0:6e:55:e4:40:4e:71:e4:0a:8a:1c:
ad:dd:2f:c2:ea:fe:c5:6a:19
publicExponent: 65537 (0x10001)
privateExponent:
64:88:bb:f0:18:9f:a4:e6:ec:db:23:64:70:a7:59:
26:91:90:d6:2f:a9:1a:27:79:2c:f2:0d:72:da:19:
e4:a0:18:f4:6c:4b:69:f4:48:03:fa:07:d6:32:33:
ac:75:85:21:7a:48:2d:43:49:ab:ce:9d:ce:a9:ed:
23:1a:3a:c8:48:4a:02:88:aa:e2:bf:69:97:03:69:
a7:94:f5:29:ba:54:3a:55:13:11:0c:28:ae:a1:fa:
11:0b:d9:06:f2:1b:f3:43:1f:9a:6e:64:6b:fd:ec:
69:1a:f5:c6:27:69:24:22:d4:c8:b7:a3:c4:52:71:
27:a5:cb:52:13:cd:7d:b1
prime1:
00:f5:4f:5c:ad:d1:e7:a2:4c:31:1a:f2:93:07:2d:
f1:1b:0a:2b:1e:e2:89:5f:97:e5:1d:73:cc:d6:48:
7a:53:f3:78:b9:ad:ee:1d:72:d5:79:3f:7c:fd:b6:
31:57:90:0d:fc:57:bd:09:23:74:6e:47:38:ab:97:
0f:76:b8:78:a3
prime2:
00:cc:90:86:44:46:3f:e5:97:a1:2a:57:13:da:09:
e6:6e:3a:26:0d:72:65:57:20:4a:b7:4f:74:d1:6e:
36:31:37:6c:c1:21:d0:c1:13:d1:6a:d7:d6:56:fd:
80:5e:f3:53:3c:01:57:a0:c5:6b:ba:9b:35:b8:d2:
bf:5b:93:12:13
exponent1:
77:5b:f6:2c:5d:45:e7:a2:4b:02:61:a5:48:89:02:
17:b6:0a:e5:2c:34:cb:5e:8d:0c:97:9b:c3:67:e0:
9d:98:89:d5:4e:db:dd:58:52:a6:7c:4d:c4:e5:31:
7c:f9:8a:d4:8d:9c:5d:25:f3:30:f5:56:8d:a7:22:
cf:11:53:21
exponent2:
03:41:6d:91:9a:98:9b:bb:cd:09:d2:76:f3:6a:62:
eb:70:2b:78:dd:50:35:91:c2:fe:a5:da:13:17:30:
ef:99:95:36:81:a6:43:dc:5f:e1:d6:6b:87:d8:e2:
f9:1f:e0:3c:3d:3d:3a:c6:c9:8f:1f:b7:3c:28:c6:
78:db:9f:57
coefficient:
32:1b:c3:66:90:b2:01:b3:87:1f:90:3b:7a:a9:e2:
cc:90:14:88:d5:32:de:eb:6f:da:5d:90:1d:22:19:
16:2a:a1:fb:8d:a8:4e:0b:36:f8:02:21:da:3f:11:
9f:fe:47:08:32:db:cb:47:0e:49:34:13:8b:48:51:
93:24:1a:1c
它是pem格式吗?
是:
$ openssl genrsa -out privatekey.txt 1024
$ cat privatekey.txt
-----BEGIN RSA PRIVATE KEY-----
MIICWwIBAAKBgQDEBbsnm/Mvi6LKt9MQY4NxI203W/gnXZWWfiUFsY64ZCbJSze1
LMS/N0M9GTWEcRluT3dUQ1H5qlgGJucWU4URaM+7HhENMiH1Z6CPzpQ7s8fm2/HI
t7UhkCkAzx7+WjvI3aHgbT9KM/GaIKDQblXkQE5x5AqKHK3dL8Lq/sVqGQIDAQAB
AoGAZIi78BifpObs2yNkcKdZJpGQ1i+pGid5LPINctoZ5KAY9GxLafRIA/oH1jIz
rHWFIXpILUNJq86dzqntIxo6yEhKAoiq4r9plwNpp5T1KbpUOlUTEQworqH6EQvZ
BvIb80Mfmm5ka/3saRr1xidpJCLUyLejxFJxJ6XLUhPNfbECQQD1T1yt0eeiTDEa
8pMHLfEbCise4olfl+Udc8zWSHpT83i5re4dctV5P3z9tjFXkA38V70JI3RuRzir
lw92uHijAkEAzJCGREY/5ZehKlcT2gnmbjomDXJlVyBKt0900W42MTdswSHQwRPR
atfWVv2AXvNTPAFXoMVrups1uNK/W5MSEwJAd1v2LF1F56JLAmGlSIkCF7YK5Sw0
y16NDJebw2fgnZiJ1U7b3VhSpnxNxOUxfPmK1I2cXSXzMPVWjacizxFTIQJAA0Ft
kZqYm7vNCdJ282pi63AreN1QNZHC/qXaExcw75mVNoGmQ9xf4dZrh9ji+R/gPD09
OsbJjx+3PCjGeNufVwJAMhvDZpCyAbOHH5A7eqnizJAUiNUy3utv2l2QHSIZFiqh
+42oTgs2+AIh2j8Rn/5HCDLby0cOSTQTi0hRkyQaHA==
-----END RSA PRIVATE KEY-----
-----BEGIN RSA PRIVATE KEY-----和-----END RSA PRIVATE KEY-----表示密钥为PEM格式。
如果它缺少-----BEGIN XXX-----和-----END XXX-----并且是二进制的,则可能是DER格式。
RSA* rsa = RSA_new();
BN_hex2bn(&rsa->n, WHAT_HERE);
BN_hex2bn(&rsa->e, AND_WHAT_HERE);
RSA_public_encrypt(....);
尝试使用PEM_read_PrivateKey,PEM_read_PupblicKey和朋友,因为密钥是PEM格式。有很多朋友,他们在OpenSSL文档的pem(3)列出。
OpenSSL经常使用这些功能。例如,cd进入<openssl dir>/apps并查看用途:
openssl-1.0.1f/apps$ grep -R PEM_read *
apps.c: x=PEM_read_bio_X509_AUX(cert,NULL,
apps.c: pkey=PEM_read_bio_PrivateKey(key,NULL,
apps.c: rsa = PEM_read_bio_RSAPublicKey(key, NULL,
apps.c: pkey=PEM_read_bio_PUBKEY(key,NULL,
ca.c: if ((req=PEM_read_bio_X509_REQ(in,NULL,NULL,NULL)) == NULL)
cms.c: cms = PEM_read_bio_CMS(in, NULL, NULL, NULL);
cms.c: rcms = PEM_read_bio_CMS(rctin, NULL, NULL, NULL);
crl2p7.c: crl=PEM_read_bio_X509_CRL(in,NULL,NULL,NULL);
crl.c: x=PEM_read_bio_X509_CRL(in,NULL,NULL,NULL);
dh.c: dh=PEM_read_bio_DHparams(in,NULL,NULL,NULL);
dhparam.c: dsa=PEM_read_bio_DSAparams(in,NULL,NULL,NULL);
dhparam.c: dh=PEM_read_bio_DHparams(in,NULL,NULL,NULL);
dsaparam.c: dsa=PEM_read_bio_DSAparams(in,NULL,NULL,NULL);
ec.c: eckey = PEM_read_bio_EC_PUBKEY(in, NULL, NULL,
ec.c: eckey = PEM_read_bio_ECPrivateKey(in, NULL, NULL,
ecparam.c: group = PEM_read_bio_ECPKParameters(in,NULL,NULL,NULL);
gendsa.c: if ((dsa=PEM_read_bio_DSAparams(in,NULL,NULL,NULL)) == NULL)
genpkey.c: pkey = PEM_read_bio_Parameters(pbio, NULL);
nseq.c: while((x509 = PEM_read_bio_X509(in, NULL, NULL, NULL)))
nseq.c: if (!(seq = PEM_read_bio_NETSCAPE_CERT_SEQUENCE(in, NULL, NULL, NULL))) {
pkcs12.c: while((cert = PEM_read_bio_X509(in, NULL, NULL, NULL))) {
pkcs7.c: p7=PEM_read_bio_PKCS7(in,NULL,NULL,NULL);
pkcs8.c: p8inf = PEM_read_bio_PKCS8_PRIV_KEY_INFO(in,NULL,NULL, NULL);
pkcs8.c: p8 = PEM_read_bio_PKCS8(in, NULL, NULL, NULL);
pkeyparam.c: pkey = PEM_read_bio_Parameters(in, NULL);
req.c: req=PEM_read_bio_X509_REQ(in,NULL,NULL,NULL);
req.c: param = PEM_read_bio_Parameters(pbio, NULL);
req.c: x = PEM_read_bio_X509(pbio, NULL, NULL, NULL);
s_client.c: sess = PEM_read_bio_SSL_SESSION(stmp, NULL, 0, NULL);
sess_id.c: x=PEM_read_bio_SSL_SESSION(in,NULL,NULL,NULL);
smime.c: p7 = PEM_read_bio_PKCS7(in, NULL, NULL, NULL);
s_server.c: ret=PEM_read_bio_DHparams(bio,NULL,NULL,NULL);
s_server.c: if (PEM_read_X509(in,&x,NULL) == NULL)
x509.c: req=PEM_read_bio_X509_REQ(in,NULL,NULL,NULL);
apps目录是genrsa,x509,req,encrypt,decrypt等实用程序的源代码所在的位置位于。