PEM文件&X.690研究

分析PEM文件的组成方式

 

先转换一下格式：

 

p12/pfx->pem

openssl pkcs12 -in D:\certs\pri.pfx -out D:\certs\pri.pem -nodes

tips:

1. nodes为不设密码。

 

cer->pem

openssl x509 -inform DER -in D:\certs\pub.cer -out d:\certs\pub.pem

tips:

1. der编码的cer需要转换，base64编码的其实就是pem，不需要转换。

2. 双击重新导出也能转换编码。

3. inform和outform的默认格式是PEM。

 

 

 

 

先openssl读一下：

打印证书内容：

openssl x509 -in D:\certs\pri.pem -text

 

Certificate:

    Data:

        Version: 3 (0x2)

        Serial Number:

            63:a0:bc:bc:16:a3:8f:26:ea:6a:67:9d:65:2e:57:a8

    Signature Algorithm: sha1WithRSAEncryption

        Issuer: C=CN, O=CFCA TEST CA

        Validity

            Not Before: Nov 11 06:22:46 2014 GMT

            Not After : Nov 11 06:22:46 2015 GMT

        Subject: C=CN, O=CFCA TEST CA, OU=TEST, OU=Enterprises, CN=041@Z2014-11-11@00010000:SIGN@00000001

        Subject Public Key Info:

            Public Key Algorithm: rsaEncryption

                Public-Key: (1024 bit)

                Modulus:

                    00:b3:b3:4b:fa:ca:0f:8b:39:26:51:b4:80:08:f6:

                    89:27:56:e8:95:35:8f:c1:e3:81:00:7e:18:26:d5:

                    64:2e:2f:2e:2f:a9:93:12:b2:5e:ed:d4:14:5a:c8:

                    d7:0e:b9:95:4c:9f:13:ea:5e:bf:93:f2:58:69:b1:

                    1c:a7:35:6e:9c:3e:e6:7d:3d:67:29:b5:28:e8:c9:

                    5e:43:1b:56:17:8d:b8:1a:15:67:86:aa:f5:5c:9b:

                    ec:79:81:03:15:a3:a8:27:b9:d1:92:4d:9b:17:db:

                    5f:3e:47:55:2a:74:33:00:5c:69:f3:7c:ca:94:d6:

                    68:da:3c:1c:7a:a9:8a:41:fd

                Exponent: 65537 (0x10001)

        X509v3 extensions:

            X509v3 Authority Key Identifier:

                keyid:46:72:DC:25:72:9F:02:4E:55:83:B5:80:F9:0B:DB:E9:93:B3:F4:4

5

 

            X509v3 Subject Key Identifier:

                25:D1:E9:90:04:E5:7E:1D:35:AD:F5:FF:43:67:60:FA:81:92:DF:5D

            X509v3 Key Usage:

                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment

            X509v3 Basic Constraints:

                CA:FALSE

            X509v3 Extended Key Usage:

                TLS Web Server Authentication, TLS Web Client Authentication, Code Signing, E-mail Protection, Time Stamping

            X509v3 CRL Distribution Points:

 

                Full Name:

                  DirName: C = CN, O = CFCA TEST CA, OU = CRL, CN = crl127_334

 

                Full Name:

                  URI:ldap://testldap.cfca.com.cn:389/CN=crl127_334,OU=CRL,O=CFCA TEST CA,C=CN?certificateRevocationList?base?objectclass=cRLDistributionPoint

 

    Signature Algorithm: sha1WithRSAEncryption

         2f:e8:b0:2f:93:25:0c:0b:59:d5:4b:57:62:b2:96:66:50:3d:

         b2:42:6f:b9:d4:21:37:3f:4d:4a:59:91:59:cf:e3:de:4d:3c:

         de:80:17:1d:3f:45:23:7a:0e:bd:ae:ad:eb:d6:b4:f9:23:43:

         78:73:08:33:bc:a4:49:c5:4a:3d:b3:0b:e4:e8:da:01:d7:1c:

         64:63:e9:4f:a6:f9:ba:e8:a1:d4:b1:ab:29:7c:c2:31:c1:3d:

         51:4b:82:1a:7a:a0:98:78:22:ab:ca:bf:4c:22:7e:4e:8c:c8:

         77:cf:39:54:10:84:c9:06:f6:f3:e9:ac:4e:f7:fa:88:60:ff:

         94:a5

-----BEGIN CERTIFICATE-----

MIIDtDCCAx2gAwIBAgIQY6C8vBajjybqamedZS5XqDANBgkqhkiG9w0BAQUFADAk

MQswCQYDVQQGEwJDTjEVMBMGA1UEChMMQ0ZDQSBURVNUIENBMB4XDTE0MTExMTA2

MjI0NloXDTE1MTExMTA2MjI0NlowejELMAkGA1UEBhMCQ04xFTATBgNVBAoTDENG

Q0EgVEVTVCBDQTENMAsGA1UECxMEVEVTVDEUMBIGA1UECxMLRW50ZXJwcmlzZXMx

LzAtBgNVBAMUJjA0MUBaMjAxNC0xMS0xMUAwMDAxMDAwMDpTSUdOQDAwMDAwMDAx

MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzs0v6yg+LOSZRtIAI9oknVuiV

NY/B44EAfhgm1WQuLy4vqZMSsl7t1BRayNcOuZVMnxPqXr+T8lhpsRynNW6cPuZ9

PWcptSjoyV5DG1YXjbgaFWeGqvVcm+x5gQMVo6gnudGSTZsX218+R1UqdDMAXGnz

fMqU1mjaPBx6qYpB/QIDAQABo4IBjzCCAYswHwYDVR0jBBgwFoAURnLcJXKfAk5V

g7WA+Qvb6ZOz9EUwHQYDVR0OBBYEFCXR6ZAE5X4dNa31/0NnYPqBkt9dMAsGA1Ud

DwQEAwIE8DAMBgNVHRMEBTADAQEAMDsGA1UdJQQ0MDIGCCsGAQUFBwMBBggrBgEF

BQcDAgYIKwYBBQUHAwMGCCsGAQUFBwMEBggrBgEFBQcDCDCB8AYDVR0fBIHoMIHl

ME+gTaBLpEkwRzELMAkGA1UEBhMCQ04xFTATBgNVBAoTDENGQ0EgVEVTVCBDQTEM

MAoGA1UECxMDQ1JMMRMwEQYDVQQDEwpjcmwxMjdfMzM0MIGRoIGOoIGLhoGIbGRh

cDovL3Rlc3RsZGFwLmNmY2EuY29tLmNuOjM4OS9DTj1jcmwxMjdfMzM0LE9VPUNS

TCxPPUNGQ0EgVEVTVCBDQSxDPUNOP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/

YmFzZT9vYmplY3RjbGFzcz1jUkxEaXN0cmlidXRpb25Qb2ludDANBgkqhkiG9w0B

AQUFAAOBgQAv6LAvkyUMC1nVS1dispZmUD2yQm+51CE3P01KWZFZz+PeTTzegBcd

P0Ujeg69rq3r1rT5I0N4cwgzvKRJxUo9swvk6NoB1xxkY+lPpvm66KHUsaspfMIx

wT1RS4IaeqCYeCKryr9MIn5OjMh3zzlUEITJBvbz6axO9/qIYP+UpQ==

-----END CERTIFICATE-----

 

 

打印rsa公私钥相关信息：

openssl rsa -in D:\certs\inst.pem -text

Private-Key: (1024 bit)

modulus:

    00:b3:b3:4b:fa:ca:0f:8b:39:26:51:b4:80:08:f6:

    89:27:56:e8:95:35:8f:c1:e3:81:00:7e:18:26:d5:

    64:2e:2f:2e:2f:a9:93:12:b2:5e:ed:d4:14:5a:c8:

    d7:0e:b9:95:4c:9f:13:ea:5e:bf:93:f2:58:69:b1:

    1c:a7:35:6e:9c:3e:e6:7d:3d:67:29:b5:28:e8:c9:

    5e:43:1b:56:17:8d:b8:1a:15:67:86:aa:f5:5c:9b:

    ec:79:81:03:15:a3:a8:27:b9:d1:92:4d:9b:17:db:

    5f:3e:47:55:2a:74:33:00:5c:69:f3:7c:ca:94:d6:

    68:da:3c:1c:7a:a9:8a:41:fd

publicExponent: 65537 (0x10001)

privateExponent:

    30:fe:55:5c:ce:f2:65:f6:f2:e7:9b:da:bc:96:da:

    d6:0a:ef:e6:9e:6f:cf:61:03:ae:ea:b2:13:04:63:

    07:e4:7d:27:29:88:9b:b4:5e:05:61:a9:1b:07:5e:

    fa:f8:c6:27:d9:c7:48:43:04:e0:85:56:6d:9a:88:

    41:5e:64:05:68:78:01:7a:56:08:97:3b:3f:b3:76:

    95:b1:ea:b0:c2:2e:78:99:ae:5e:e3:30:cb:f1:44:

    55:45:40:ca:69:76:5b:2e:e6:43:1d:98:7e:95:5c:

    7b:93:f2:55:c0:dd:de:08:e1:c6:c4:79:0a:1d:bc:

    d3:25:42:80:8a:e8:b8:01

prime1:

    00:da:1f:68:25:cd:40:3c:ae:41:43:f5:74:e0:66:

    42:0e:c1:0e:d5:4a:99:c9:24:0d:dc:cf:d6:d7:5c:

    6a:ee:d6:d0:21:3a:f5:65:14:c4:14:ff:2c:ed:8c:

    86:f1:81:7b:07:fe:19:bd:19:f8:d2:8e:39:f8:b4:

    fe:c4:6f:8e:7d

prime2:

    00:d2:e7:d5:d8:bd:75:84:1d:7c:28:13:cc:ac:f9:

    ff:25:b0:3a:2f:38:b6:4d:29:84:d1:1a:5d:2e:68:

    25:b7:80:11:8b:d8:51:51:ce:a6:1a:00:b1:1f:5b:

    ba:1a:0d:67:33:fc:ad:03:f2:a6:59:25:2c:2e:b1:

    28:60:12:59:81

exponent1:

    43:c4:28:2e:3e:63:6b:b6:d3:ae:12:6f:5a:5c:4a:

    bf:9c:b9:48:08:e2:58:7c:6c:16:23:38:63:36:62:

    3e:8b:dc:a3:c6:56:81:2d:ff:71:6a:8a:01:cf:7c:

    09:42:2a:00:24:b0:c8:70:6e:3e:b4:53:4c:72:a7:

    08:4e:84:5d

exponent2:

    11:46:5c:05:bc:be:fb:6b:4e:d8:19:87:12:44:07:

    da:16:6d:2d:a0:ff:8d:a2:70:f6:8f:aa:42:3a:d5:

    9c:0a:29:65:c2:fa:26:31:3e:f9:b2:44:cf:c4:bb:

    a1:96:a7:75:62:a4:e9:45:de:ca:3e:79:37:f9:da:

    cc:c3:b4:01

coefficient:

    76:65:eb:1f:45:b3:55:52:44:cc:6d:04:b7:b2:25:

    0c:66:a1:73:b6:df:55:e4:22:6b:78:a4:95:88:1f:

    80:1a:43:e0:95:95:b7:88:f2:00:33:88:64:02:ac:

    3a:1f:fe:28:3b:70:b1:c2:c8:83:c9:cd:07:5e:58:

    f7:28:00:e0

writing RSA key

-----BEGIN RSA PRIVATE KEY-----

MIICWwIBAAKBgQCzs0v6yg+LOSZRtIAI9oknVuiVNY/B44EAfhgm1WQuLy4vqZMS

sl7t1BRayNcOuZVMnxPqXr+T8lhpsRynNW6cPuZ9PWcptSjoyV5DG1YXjbgaFWeG

qvVcm+x5gQMVo6gnudGSTZsX218+R1UqdDMAXGnzfMqU1mjaPBx6qYpB/QIDAQAB

AoGAMP5VXM7yZfby55vavJba1grv5p5vz2EDruqyEwRjB+R9JymIm7ReBWGpGwde

+vjGJ9nHSEME4IVWbZqIQV5kBWh4AXpWCJc7P7N2lbHqsMIueJmuXuMwy/FEVUVA

yml2Wy7mQx2YfpVce5PyVcDd3gjhxsR5Ch280yVCgIrouAECQQDaH2glzUA8rkFD

9XTgZkIOwQ7VSpnJJA3cz9bXXGru1tAhOvVlFMQU/yztjIbxgXsH/hm9GfjSjjn4

tP7Eb459AkEA0ufV2L11hB18KBPMrPn/JbA6Lzi2TSmE0RpdLmglt4ARi9hRUc6m

GgCxH1u6Gg1nM/ytA/KmWSUsLrEoYBJZgQJAQ8QoLj5ja7bTrhJvWlxKv5y5SAji

WHxsFiM4YzZiPovco8ZWgS3/cWqKAc98CUIqACSwyHBuPrRTTHKnCE6EXQJAEUZc

Bby++2tO2BmHEkQH2hZtLaD/jaJw9o+qQjrVnAopZcL6JjE++bJEz8S7oZandWKk

6UXeyj55N/nazMO0AQJAdmXrH0WzVVJEzG0Et7IlDGahc7bfVeQia3iklYgfgBpD

4JWVt4jyADOIZAKsOh/+KDtwscLIg8nNB15Y9ygA4A==

-----END RSA PRIVATE KEY-----

 

 

 

 

然后我们来手工解析吧(<ゝω·)☆

UE或者nodepad++之类的工具打开pem文件：

Bag Attributes

    localKeyID: 01 00 00 00 

    friendlyName: {1718B256-A834-4D5F-81D4-4FAC1A1D6BC7}

    Microsoft CSP Name: Microsoft Enhanced Cryptographic Provider v1.0

Key Attributes

    X509v3 Key Usage: 10 

-----BEGIN PRIVATE KEY-----

MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBALOzS/rKD4s5JlG0

gAj2iSdW6JU1j8HjgQB+GCbVZC4vLi+pkxKyXu3UFFrI1w65lUyfE+pev5PyWGmx

HKc1bpw+5n09Zym1KOjJXkMbVheNuBoVZ4aq9Vyb7HmBAxWjqCe50ZJNmxfbXz5H

VSp0MwBcafN8ypTWaNo8HHqpikH9AgMBAAECgYAw/lVczvJl9vLnm9q8ltrWCu/m

nm/PYQOu6rITBGMH5H0nKYibtF4FYakbB176+MYn2cdIQwTghVZtmohBXmQFaHgB

elYIlzs/s3aVseqwwi54ma5e4zDL8URVRUDKaXZbLuZDHZh+lVx7k/JVwN3eCOHG

xHkKHbzTJUKAiui4AQJBANofaCXNQDyuQUP1dOBmQg7BDtVKmckkDdzP1tdcau7W

0CE69WUUxBT/LO2MhvGBewf+Gb0Z+NKOOfi0/sRvjn0CQQDS59XYvXWEHXwoE8ys

+f8lsDovOLZNKYTRGl0uaCW3gBGL2FFRzqYaALEfW7oaDWcz/K0D8qZZJSwusShg

ElmBAkBDxCguPmNrttOuEm9aXEq/nLlICOJYfGwWIzhjNmI+i9yjxlaBLf9xaooB

z3wJQioAJLDIcG4+tFNMcqcIToRdAkARRlwFvL77a07YGYcSRAfaFm0toP+NonD2

j6pCOtWcCillwvomMT75skTPxLuhlqd1YqTpRd7KPnk3+drMw7QBAkB2ZesfRbNV

UkTMbQS3siUMZqFztt9V5CJreKSViB+AGkPglZW3iPIAM4hkAqw6H/4oO3CxwsiD

yc0HXlj3KADg

-----END PRIVATE KEY-----

Bag Attributes

    localKeyID: 01 00 00 00 

subject=/C=CN/O=CFCA TEST CA/OU=TEST/OU=Enterprises/CN=041@Z2014-11-11@00010000:SIGN@00000001

issuer=/C=CN/O=CFCA TEST CA

-----BEGIN CERTIFICATE-----

MIIDtDCCAx2gAwIBAgIQY6C8vBajjybqamedZS5XqDANBgkqhkiG9w0BAQUFADAk

MQswCQYDVQQGEwJDTjEVMBMGA1UEChMMQ0ZDQSBURVNUIENBMB4XDTE0MTExMTA2

MjI0NloXDTE1MTExMTA2MjI0NlowejELMAkGA1UEBhMCQ04xFTATBgNVBAoTDENG

Q0EgVEVTVCBDQTENMAsGA1UECxMEVEVTVDEUMBIGA1UECxMLRW50ZXJwcmlzZXMx

LzAtBgNVBAMUJjA0MUBaMjAxNC0xMS0xMUAwMDAxMDAwMDpTSUdOQDAwMDAwMDAx

MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzs0v6yg+LOSZRtIAI9oknVuiV

NY/B44EAfhgm1WQuLy4vqZMSsl7t1BRayNcOuZVMnxPqXr+T8lhpsRynNW6cPuZ9

PWcptSjoyV5DG1YXjbgaFWeGqvVcm+x5gQMVo6gnudGSTZsX218+R1UqdDMAXGnz

fMqU1mjaPBx6qYpB/QIDAQABo4IBjzCCAYswHwYDVR0jBBgwFoAURnLcJXKfAk5V

g7WA+Qvb6ZOz9EUwHQYDVR0OBBYEFCXR6ZAE5X4dNa31/0NnYPqBkt9dMAsGA1Ud

DwQEAwIE8DAMBgNVHRMEBTADAQEAMDsGA1UdJQQ0MDIGCCsGAQUFBwMBBggrBgEF

BQcDAgYIKwYBBQUHAwMGCCsGAQUFBwMEBggrBgEFBQcDCDCB8AYDVR0fBIHoMIHl

ME+gTaBLpEkwRzELMAkGA1UEBhMCQ04xFTATBgNVBAoTDENGQ0EgVEVTVCBDQTEM

MAoGA1UECxMDQ1JMMRMwEQYDVQQDEwpjcmwxMjdfMzM0MIGRoIGOoIGLhoGIbGRh

cDovL3Rlc3RsZGFwLmNmY2EuY29tLmNuOjM4OS9DTj1jcmwxMjdfMzM0LE9VPUNS

TCxPPUNGQ0EgVEVTVCBDQSxDPUNOP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/

YmFzZT9vYmplY3RjbGFzcz1jUkxEaXN0cmlidXRpb25Qb2ludDANBgkqhkiG9w0B

AQUFAAOBgQAv6LAvkyUMC1nVS1dispZmUD2yQm+51CE3P01KWZFZz+PeTTzegBcd

P0Ujeg69rq3r1rT5I0N4cwgzvKRJxUo9swvk6NoB1xxkY+lPpvm66KHUsaspfMIx

wT1RS4IaeqCYeCKryr9MIn5OjMh3zzlUEITJBvbz6axO9/qIYP+UpQ==

-----END CERTIFICATE-----

 

 

私钥的地方解一下base64：

30820275020100300D06092A864886F70D01010105000482025F3082025B02010002818100B3B34BFACA0F8B392651B48008F6892756E895358FC1E381007E1826D5642E2F2E2FA99312B25EEDD4145AC8D70EB9954C9F13EA5EBF93F25869B11CA7356E9C3EE67D3D6729B528E8C95E431B56178DB81A156786AAF55C9BEC79810315A3A827B9D1924D9B17DB5F3E47552A7433005C69F37CCA94D668DA3C1C7AA98A41FD020301000102818030FE555CCEF265F6F2E79BDABC96DAD60AEFE69E6FCF6103AEEAB213046307E47D2729889BB45E0561A91B075EFAF8C627D9C7484304E085566D9A88415E64056878017A5608973B3FB37695B1EAB0C22E7899AE5EE330CBF144554540CA69765B2EE6431D987E955C7B93F255C0DDDE08E1C6C4790A1DBCD32542808AE8B801024100DA1F6825CD403CAE4143F574E066420EC10ED54A99C9240DDCCFD6D75C6AEED6D0213AF56514C414FF2CED8C86F1817B07FE19BD19F8D28E39F8B4FEC46F8E7D024100D2E7D5D8BD75841D7C2813CCACF9FF25B03A2F38B64D2984D11A5D2E6825B780118BD85151CEA61A00B11F5BBA1A0D6733FCAD03F2A659252C2EB12860125981024043C4282E3E636BB6D3AE126F5A5C4ABF9CB94808E2587C6C1623386336623E8BDCA3C656812DFF716A8A01CF7C09422A0024B0C8706E3EB4534C72A7084E845D024011465C05BCBEFB6B4ED81987124407DA166D2DA0FF8DA270F68FAA423AD59C0A2965C2FA26313EF9B244CFC4BBA196A77562A4E945DECA3E7937F9DACCC3B40102407665EB1F45B3555244CC6D04B7B2250C66A173B6DF55E4226B78A495881F801A43E09595B788F20033886402AC3A1FFE283B70B1C2C883C9CD075E58F72800E0

 

这就是X.690（http://en.wikipedia.org/wiki/X.690）编码格式的东西了。

分析一下：

30 <= tag: SEQUENCE

820275 <= length: 10000010 <= 后面2位都是长度，0275转十进制=629字节。

02 <= tag: INTEGER

01 <= length: 1字节

00 <= value: 不造什么大概设了空

30 <= tag: SEQUENCE

0D <= length: 13字节

06 <= tag: OBJECT IDENTIFIER

09 <= length: 9

2A864886F70D010101 <= pkcs1OID

05 <= tag: NULL

00 <= value: 空

04 <= tag: OCTET STRING

82025F <= length: 607

30 <= tag: SEQUENCE

82025B <= length: 603

02 <= tag: INTEGER

01 <= length: 1字节

00 <= value: 不造什么大概设了空

02 <= tag: INTEGER

8181 <= length: 129

00B3B34BFACA0F8B392651B48008F6892756E895358FC1E381007E1826D5642E2F2E2FA99312B25EEDD4145AC8D70EB9954C9F13EA5EBF93F25869B11CA7356E9C3EE67D3D6729B528E8C95E431B56178DB81A156786AAF55C9BEC79810315A3A827B9D1924D9B17DB5F3E47552A7433005C69F37CCA94D668DA3C1C7AA98A41FD <= value: 模

02 <= tag: INTEGER

03 <= length: 3字节

010001 <= value: 私钥指数

02 <= tag: INTEGER

8180 <= length: 128

30FE555CCEF265F6F2E79BDABC96DAD60AEFE69E6FCF6103AEEAB213046307E47D2729889BB45E0561A91B075EFAF8C627D9C7484304E085566D9A88415E64056878017A5608973B3FB37695B1EAB0C22E7899AE5EE330CBF144554540CA69765B2EE6431D987E955C7B93F255C0DDDE08E1C6C4790A1DBCD32542808AE8B801 <= 公钥指数

02 <= tag: INTEGER

41 <= length: 65

00DA1F6825CD403CAE4143F574E066420EC10ED54A99C9240DDCCFD6D75C6AEED6D0213AF56514C414FF2CED8C86F1817B07FE19BD19F8D28E39F8B4FEC46F8E7D <= value: prime1

02 <= tag: INTEGER

41 <= length: 65

00D2E7D5D8BD75841D7C2813CCACF9FF25B03A2F38B64D2984D11A5D2E6825B780118BD85151CEA61A00B11F5BBA1A0D6733FCAD03F2A659252C2EB12860125981

02 <= tag: INTEGER

40 <= length: 64

43C4282E3E636BB6D3AE126F5A5C4ABF9CB94808E2587C6C1623386336623E8BDCA3C656812DFF716A8A01CF7C09422A0024B0C8706E3EB4534C72A7084E845D

02 <= tag: INTEGER

40 <= length: 64

11465C05BCBEFB6B4ED81987124407DA166D2DA0FF8DA270F68FAA423AD59C0A2965C2FA26313EF9B244CFC4BBA196A77562A4E945DECA3E7937F9DACCC3B401

02 <= tag: INTEGER

40 <= length: 64

7665EB1F45B3555244CC6D04B7B2250C66A173B6DF55E4226B78A495881F801A43E09595B788F20033886402AC3A1FFE283B70B1C2C883C9CD075E58F72800E0

 

证书的地方也可分析一下玩玩，基本和openssl读出的内容一样，Issuer、时间等都是明文直接打印的，分析太长，这里不放了。