What are the different certificate types and formats in cryptography?


Question

We are adding server certificate verification in the SSL handshake for one of our clients. Being very new to cryptography and the C world, I thought I would first clear up my concepts about these things and then start with the implementation.

So, I googled a lot, looking mostly for certificate concepts, but couldn't clear up my concepts any better to my satisfaction. Actually, it added more confusion. :)

Here are some things which I don't understand almost at all:
1. What is base64 format? Is it the same as DER?
2. Does a PEM file always contain base64 content?
3. What is the format used by the Windows Certificate Store? Is it binary?

Can someone please help me here? I would be very thankful if these things got cleared up for me.

Answer

The structure of an X.509 certificate is defined using ASN.1. Here is an excerpt of the overall structure definition of an X.509 certificate:


Certificate  ::=  SEQUENCE  {
    tbsCertificate       TBSCertificate,
    signatureAlgorithm   AlgorithmIdentifier,
    signatureValue       BIT STRING  }

TBSCertificate  ::=  SEQUENCE  {
    version         [0]  EXPLICIT Version DEFAULT v1,
    serialNumber         CertificateSerialNumber,
    signature            AlgorithmIdentifier,
    issuer               Name,
    validity             Validity,
    subject              Name,
    subjectPublicKeyInfo SubjectPublicKeyInfo,
    issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
                         -- If present, version MUST be v2 or v3
    subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
                         -- If present, version MUST be v2 or v3
    extensions      [3]  EXPLICIT Extensions OPTIONAL
                         -- If present, version MUST be v3
    }


A Certificate value (with the contained values filled in) is encoded using the DER format, which is a binary format.

Base64 is a general way of encoding binary sequences into text, by reducing the set of bytes used to readable ASCII characters (so this representation is longer).

A certificate in PEM format is the Base64-encoding of the DER-encoding of the certificate, with a line-return at the end of each 64-character chunk, placed between delimiters:

-----BEGIN CERTIFICATE-----
MIIB2zCCAUSgAwIBAwIBADANBgkqhkiG9w0BAQQFADAYMRYwFAYDVQQDEw1OZXRn
...
-----END CERTIFICATE-----

You could also have the private key in PEM format, in which case the delimiters would be -----BEGIN RSA PRIVATE KEY----- (and matching END), for example.

On the wire, during a TLS connection, DER is used.

It doesn't really matter what the Windows Certificate Store uses internally; it should be able to import/export DER or PEM/Base64 certificates.

Certificate "types" is a wider topic than the DER/base64 format. Most certificates used for SSL/TLS are X.509 certificates. Then you get usage profiles. The most common one is the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, which essentially defines how Certification Authorities should issue certificates and how entities should verify remote certificates.

You might also be interested in these questions:

  • What does it mean for a digital certificate to be "signed"?
  • What is an SSL certificate intended to prove, and how does it do it?

More generally, getting a book on PKI should help.
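An added example (not part of the original question or answer) that ties the answer's pieces together in Python: it hand-encodes a small v3 Certificate in the exact field order of the ASN.1 excerpt, wraps the DER in PEM the way the answer describes (Base64, 64-character lines, between the delimiters), decodes it back, and walks the outer TLV structure the way a verifier does to locate tbsCertificate, signatureAlgorithm and signatureValue. Everything in the certificate (the names, the serial number, a tiny dummy RSA key, an all-zero signature) is constructed for the demo and the signature is not cryptographically valid; the only external dependency is the standard library, whose ssl.DER_cert_to_PEM_cert and ssl.PEM_cert_to_DER_cert helpers are used as a cross-check of the hand-rolled PEM handling.

```python
import base64
import ssl

# ASN.1 tags used below. DER is tag, shortest definite length, value; constructed
# types (SEQUENCE, SET, [n] EXPLICIT) nest further TLVs inside their value.
SEQUENCE, SET, INTEGER, BIT_STRING, OCTET_STRING = 0x30, 0x31, 0x02, 0x03, 0x04
NULL, OID, PRINTABLE_STRING, UTCTIME = 0x05, 0x06, 0x13, 0x17
CTX0_EXPLICIT, CTX3_EXPLICIT = 0xA0, 0xA3  # [0] version, [3] extensions

def tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV: tag byte, length (short or long form), value."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")  # long form: 0x80|N, then N length bytes
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_integer(value: int) -> bytes:
    # Big-endian two's complement; the spare bit keeps positive values positive.
    return tlv(INTEGER, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:  # base-128 digits, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        body.extend(reversed(chunk))
    return tlv(OID, bytes(body))

def der_name(cn: str) -> bytes:
    """Name ::= SEQUENCE OF RDN, RDN ::= SET OF AttributeTypeAndValue; one CN here."""
    return tlv(SEQUENCE, tlv(SET, tlv(SEQUENCE, der_oid("2.5.4.3") + tlv(PRINTABLE_STRING, cn.encode("ascii")))))

def build_certificate() -> bytes:
    """Constructed v3 Certificate per the ASN.1 excerpt; key and signature are dummies (well-formed DER, not verifiable)."""
    sha256_rsa = tlv(SEQUENCE, der_oid("1.2.840.113549.1.1.11") + tlv(NULL, b""))
    rsa_key = tlv(SEQUENCE, der_integer(0xC0FFEE) + der_integer(65537))  # dummy RSAPublicKey
    spki = tlv(SEQUENCE, tlv(SEQUENCE, der_oid("1.2.840.113549.1.1.1") + tlv(NULL, b""))
                         + tlv(BIT_STRING, b"\x00" + rsa_key))
    validity = tlv(SEQUENCE, tlv(UTCTIME, b"240101000000Z") + tlv(UTCTIME, b"250101000000Z"))
    basic_constraints = tlv(SEQUENCE, der_oid("2.5.29.19") + tlv(OCTET_STRING, tlv(SEQUENCE, b"")))
    tbs = tlv(SEQUENCE,
              tlv(CTX0_EXPLICIT, der_integer(2))    # version: v3 is encoded as INTEGER 2
              + der_integer(0x1234)                  # serialNumber
              + sha256_rsa                           # signature: must equal the outer one
              + der_name("Example CA") + validity + der_name("example.test") + spki
              + tlv(CTX3_EXPLICIT, tlv(SEQUENCE, basic_constraints)))  # extensions
    return tlv(SEQUENCE, tbs + sha256_rsa + tlv(BIT_STRING, b"\x00" + bytes(32)))  # dummy sig

def der_to_pem(der: bytes) -> str:
    """PEM: Base64 of the DER, cut into 64-character lines, between the delimiters."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def pem_to_der(pem: str) -> bytes:
    lines = pem.strip().splitlines()
    if lines[0] != "-----BEGIN CERTIFICATE-----" or lines[-1] != "-----END CERTIFICATE-----":
        raise ValueError("not a PEM CERTIFICATE block")
    return base64.b64decode("".join(lines[1:-1]), validate=True)

def matches_stdlib(der: bytes) -> bool:
    # Cross-check the hand-rolled PEM wrapping against the stdlib ssl helpers.
    pem = der_to_pem(der)
    return pem == ssl.DER_cert_to_PEM_cert(der) and ssl.PEM_cert_to_DER_cert(pem) == der

def read_tlv(buf: bytes, pos: int = 0):
    """Decode one DER TLV at pos; return (tag, value, position just after it)."""
    tag, first = buf[pos], buf[pos + 1]
    nlen = 0 if first < 0x80 else first & 0x7F
    length = first if first < 0x80 else int.from_bytes(buf[pos + 2:pos + 2 + nlen], "big")
    start = pos + 2 + nlen
    return tag, buf[start:start + length], start + length

def outline(der: bytes) -> dict:
    """Walk Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue } as a verifier does."""
    tag, body, end = read_tlv(der)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("expected exactly one top-level SEQUENCE")
    tbs_tag, tbs, p = read_tlv(body)
    alg_tag, alg, p = read_tlv(body, p)
    sig_tag, sig, p = read_tlv(body, p)
    if (tbs_tag, alg_tag, sig_tag) != (SEQUENCE, SEQUENCE, BIT_STRING) or p != len(body):
        raise ValueError("unexpected Certificate layout")
    tag1, val1, q = read_tlv(tbs)
    if tag1 == CTX0_EXPLICIT:                   # [0] EXPLICIT Version present
        version = int.from_bytes(read_tlv(val1)[1], "big") + 1
        _, serial, q = read_tlv(tbs, q)
    else:                                       # DEFAULT v1 is never encoded in DER
        version, serial = 1, val1
    _, inner_alg, q = read_tlv(tbs, q)          # TBSCertificate.signature
    return {"version": version, "serial": int.from_bytes(serial, "big"),
            "algorithms_match": inner_alg == alg,   # RFC 5280 requires these to be equal
            "signature_len": len(sig) - 1}          # first BIT STRING byte counts unused bits

if __name__ == "__main__":
    cert = build_certificate()
    print(der_to_pem(cert), outline(cert), "stdlib agrees:", matches_stdlib(cert))
```

Running it prints the PEM block followed by the parsed outline. Two details worth noticing: because version is DEFAULT v1, a version-1 certificate has no [0] field at all (DER forbids encoding a value equal to its default), and the unused-bits byte that starts every BIT STRING is why signatureValue is one byte longer than the signature itself. A real verifier would feed the raw tbsCertificate bytes (tag and length included) into the hash named by signatureAlgorithm and check signatureValue against the issuer's public key, which this example deliberately does not do.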
