RSACng and CngKeyBlobFormat import and export formats


Problem description

I have an ASN.1 encoded RSA private key in a pem file in this format:

-----BEGIN RSA PRIVATE KEY-----
base64 encoded pkcs8 key
-----END RSA PRIVATE KEY-----

Now, to import it into my RSACng object I need to follow these steps:

  1. Read the file and extract the encoded key
  2. Convert base64 to bytes to get the byte[] for pkcs8 key
  3. Decode the byte[] from ASN.1 (DER) to key information (modulus, exponent etc.)
  4. Load these parameters into the RSACng object

I have the following two questions:

1. Why does CngKeyBlobFormat.Pkcs8PrivateBlob not allow you to automatically import the PKCS8 byte[] key into the RSACng object?

For instance, why couldn't it work in this way:

var keyData = GetBytesFromPEM(pemstring); // Get the bytes for key that is ASN.1 DER encoded
CngKey cngKey = CngKey.Import(keyData, CngKeyBlobFormat.Pkcs8PrivateBlob);

CngKeyBlobFormat clearly specifies that it is a PKCS8 private blob.

2. What is the ASN.1 encoding format of the RSACng.Key.Export(CngKeyBlobFormat.Pkcs8PrivateBlob)?

I noticed that if I load the key into the RSACng as I described above and I then export the same key using the above code, I get the BLOB which is encoded in a different ASN.1 format, and which INSIDE it contains the ASN.1 DER encoded key. Basically, to get information from this exported key I would need to DECODE it from this ASN.1 format again to get the original key parameters stored inside it which are AGAIN encoded in ASN.1 DER.

Why is it such a mess? And is the reason why you cannot import the ASN.1 DER encoded key into the RSACng that CngKeyBlobFormat.Pkcs8PrivateBlob has a different ASN.1 encoding format and it is not DER? Would the potential workaround then be to encode the original RSA private key to that other ASN.1 format, since this is exactly how the key is exported?

Apparently, RSACng.Key.Export(CngKeyBlobFormat.Pkcs8PrivateBlob) uses Object Identifiers (I'm not yet familiar with that), but it seems to still be in DER format.

Recommended answer

  1. Why does CngKeyBlobFormat.Pkcs8PrivateBlob not allow you to automatically import the PKCS8 byte[] key into the RSACng object?

Because BEGIN RSA PRIVATE KEY indicates a PKCS#1 RSAPrivateKey, not a PKCS#8 PrivateKeyInfo. A PKCS#8 non-encrypted private key would say BEGIN PRIVATE KEY.

  2. What is the ASN.1 encoding format of the RSACng.Key.Export(CngKeyBlobFormat.Pkcs8PrivateBlob)?

PKCS#8 PrivateKeyInfo. https://tools.ietf.org/html/rfc5208#section-5.

  PrivateKeyInfo ::= SEQUENCE {
    version                   Version,
    privateKeyAlgorithm       PrivateKeyAlgorithmIdentifier,
    privateKey                PrivateKey,
    attributes           [0]  IMPLICIT Attributes OPTIONAL }

  Version ::= INTEGER

  PrivateKeyAlgorithmIdentifier ::= AlgorithmIdentifier

  PrivateKey ::= OCTET STRING

  Attributes ::= SET OF Attribute

The value in PrivateKey for an RSA key is the PKCS#1 RSAPrivateKey value.

Why is it such a mess? ... Object Identifiers ...

The PKCS#8 PrivateKeyInfo format is a container for any kind of private key. The Object Identifier (OID) tells the reader what kind of thing the payload is. If the OID is rsaEncryption (1.2.840.113549.1.1.1) then the payload is RSAPrivateKey, if it's id-dsa (1.2.840.10040.4.1) then the payload is an INTEGER representing the private key (and the context parameters are in privateKeyAlgorithm.Parameters), if it's id-ecPublicKey (1.2.840.10045.2.1) (yes "public", 'cuz names) then the payload is an ECPrivateKey, et cetera.
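
The wrapping described in the answer, as an added example that is not part of the original question or answer: it puts PKCS#1 RSAPrivateKey bytes inside a PKCS#8 PrivateKeyInfo with the rsaEncryption OID so that CngKey.Import accepts them as Pkcs8PrivateBlob. The class and method names (Pkcs1ToPkcs8, Tlv, Wrap) are hypothetical, and it assumes Windows with .NET Core 3.0 or later; the sample key is generated on the spot instead of being read from a PEM file.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class Pkcs1ToPkcs8   // hypothetical helper, not a .NET API
{
    // PrivateKeyInfo.version: INTEGER 0
    static readonly byte[] Version0 = { 0x02, 0x01, 0x00 };

    // AlgorithmIdentifier: SEQUENCE { OID rsaEncryption 1.2.840.113549.1.1.1, NULL }
    static readonly byte[] RsaAlgId =
    {
        0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86,
        0xF7, 0x0D, 0x01, 0x01, 0x01, 0x05, 0x00
    };

    // Encode one DER TLV: tag, definite length, concatenated contents.
    static byte[] Tlv(byte tag, params byte[][] parts)
    {
        int len = 0;
        foreach (byte[] p in parts) len += p.Length;
        // Short form below 128; otherwise 0x80|n followed by n big-endian length bytes.
        int n = len < 0x80 ? 0 : len < 0x100 ? 1 : len < 0x10000 ? 2 : 3;
        byte[] der = new byte[2 + n + len];
        int pos = 0;
        der[pos++] = tag;
        der[pos++] = n == 0 ? (byte)len : (byte)(0x80 | n);
        for (int i = n - 1; i >= 0; i--) der[pos++] = (byte)(len >> (8 * i));
        foreach (byte[] p in parts) { Buffer.BlockCopy(p, 0, der, pos, p.Length); pos += p.Length; }
        return der;
    }

    // SEQUENCE { version, privateKeyAlgorithm, OCTET STRING { RSAPrivateKey } }
    public static byte[] Wrap(byte[] rsaPrivateKey) =>
        Tlv(0x30, Version0, RsaAlgId, Tlv(0x04, rsaPrivateKey));

    static void Main()
    {
        using RSA source = RSA.Create(2048);
        // Constructed sample input: the bytes a "BEGIN RSA PRIVATE KEY" PEM would hold.
        byte[] pkcs1 = source.ExportRSAPrivateKey();
        using CngKey key = CngKey.Import(Wrap(pkcs1), CngKeyBlobFormat.Pkcs8PrivateBlob);
        using RSACng rsa = new RSACng(key);
        // Sign with the imported key, verify with the original: proves the same key arrived.
        byte[] data = Encoding.UTF8.GetBytes("constructed test message");
        byte[] sig = rsa.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        Console.WriteLine(source.VerifyData(data, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1));
    }
}
```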
