What is the file with .p8 extension? (APNs Auth Key / JWT)


Problem description

I think it is a little ridiculous, but it's hard to find information about what this file is. I've found a lot of info on how to get this Apple Push Notification Authentication Key, but I also want to know exactly what it is.
Here is some info I have found:

Benefits:

  • No need to re-generate the push certificate every year;
  • One auth key can be used for all your apps;
  • Same for sandbox and Production.

From the Apple docs:

Token-based provider connection trust: A provider using the HTTP/2-based API can use JSON web tokens (JWT) to provide validation credentials for connection with APNs. In this scheme, you provision a public key to be retained by Apple, and a private key which you retain and protect. Your providers then use your private key to generate and sign JWT provider authentication tokens. Each of your push notification requests must include a provider authentication token.

You can use a single, token-based connection between a provider and APNs to send push notification requests to all the apps whose bundle IDs are listed in your online developer account.

Every push notification request results in an HTTP/2 response from APNs, returning details on success or failure to your provider. Further check Token-Based Provider-to-APNs Trust section.

Questions:

  • What actually is the .p8 file?
  • What program can open it? (Keychain didn't work for me)
  • Is there a way to convert it to .pem or .p12?
  • A little follow-on question in order to not create a new topic: Does the server side operate with .p8 the same way as .p12, or should additional tools be added?

Recommended answer

The following is the state of my research:

The APNS .p8 file contains the PRIVATE KEY that is used to SIGN the JWT content for APNS messages. The file itself is a pure text file, the KEY inside is formatted in PEM format.

The part between the -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- is a base64 formatted ASN.1 PKCS#8 representation of the key itself. Some can use the following web service to extract its contents (ASN1JS).

The KEY itself is 32 bytes long and is used to create the required ECDSA P-256 SHA-256 signature for the JWT. The resulting JWT looks like this '{JWT header base64 encoded}.{JWT payload base64 encoded}.Signature (64 bytes) base64 encoded'.

There are a lot of web services to decode such tokens, but some couldn't check the signature, as the corresponding PUBLIC KEY isn't known (Apple keeps it secret when providing the PRIVATE KEY).

It seems that the PUBLIC KEY is also included in the .p8 file; it can be extracted via OpenSSL (and is visible when decoding the ASN.1 content: the 520 bit stream).

openssl ec -in AuthKey_123ABC4567.p8 -pubout -out AuthKey_123ABC4567_Public.p8
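
The layout the answer describes can be checked without any third-party tool. The following Python parser is an added example, not code from the original answer or from Apple: it walks the PKCS#8 structure of an unencrypted EC .p8 file and returns the algorithm and curve OIDs, the 32-byte private scalar and the 65-byte (520-bit) public point. The function names are hypothetical, and the sample key is constructed from filler bytes in the real layout, so it is not a valid key pair.

```python
import base64

def read_tlv(buf, pos=0):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):
    """Turn DER OID bytes into dotted notation."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_p8(pem_text):
    """Parse an unencrypted EC PKCS#8 PEM into OIDs, private scalar and public point."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != "-----BEGIN PRIVATE KEY-----" \
            or lines[-1] != "-----END PRIVATE KEY-----":
        raise ValueError("not an unencrypted PKCS#8 PEM file")
    _, info, _ = read_tlv(base64.b64decode("".join(lines[1:-1])))
    _version, alg, wrapped = children(info)[:3]       # PrivateKeyInfo fields
    alg_oid, curve_oid = children(alg[1])[:2]
    ec = dict(children(read_tlv(wrapped[1])[1]))      # ECPrivateKey inside the OCTET STRING
    # [1] holds a BIT STRING; drop its leading unused-bits byte to get the point
    pub = read_tlv(ec[0xA1])[1][1:] if 0xA1 in ec else None
    return {"algorithm": decode_oid(alg_oid[1]), "curve": decode_oid(curve_oid[1]),
            "private": ec[0x04], "public": pub}

# Constructed sample: real P-256 PKCS#8 layout, filler bytes, NOT a valid key pair.
SAMPLE_DER = (bytes.fromhex("308187020100301306072a8648ce3d0201"
                            "06082a8648ce3d030107046d306b0201010420")
              + bytes(range(1, 33)) + bytes.fromhex("a144034200")
              + b"\x04" + bytes(range(64)))
SAMPLE_P8 = ("-----BEGIN PRIVATE KEY-----\n" + base64.encodebytes(SAMPLE_DER).decode()
             + "-----END PRIVATE KEY-----\n")
```

Passing the text of a real AuthKey file to `parse_p8` returns the same fields; because the file is an unencrypted private key, the returned scalar should be handled as a secret.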
