Where is the PEM file format specified?


Question

I need to parse .PEM files.
I know that the standard for "Privacy-enhanced Electronic Mail" is defined in RFCs 1421-24. But they don't seem to mention some text I find inside OpenSSL .pem files (e.g. "Key Attributes", "BEGIN CERTIFICATE", etc.). Is this an OpenSSL-specific format?

Recommended answer

For quite a long time, there was no formal specification of the PEM format with regard to cryptographic exchange of information. PEM is the textual encoding, but what is actually being encoded depends on the context. In April 2015, the IETF approved RFC 7468, which finally documents how various implementations exchange data using PEM textual encoding. The following list, taken directly from the RFC, describes the PEM format used for the following scenarios:

  1. Certificates, Certificate Revocation Lists (CRLs), and Subject Public Key Info structures in the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile [RFC5280].
  2. PKCS #10: Certification Request Syntax [RFC2986].
  3. PKCS #7: Cryptographic Message Syntax [RFC2315].
  4. Cryptographic Message Syntax [RFC5652].
  5. PKCS #8: Private-Key Information Syntax [RFC5208], renamed to One Asymmetric Key in Asymmetric Key Package [RFC5958], and Encrypted Private-Key Information Syntax in the same documents.
  6. Attribute Certificates in An Internet Attribute Certificate Profile for Authorization [RFC5755].

According to this RFC, for the above scenarios you can expect the following labels to be within the BEGIN header and END footer. Figure 4 of the RFC has more detail, including corresponding ASN.1 types.

  • CERTIFICATE [RFC5280]
  • X509 CRL [RFC5280]
  • CERTIFICATE REQUEST [RFC2986]
  • PKCS7 [RFC2315]
  • CMS [RFC5652]
  • PRIVATE KEY [RFC5208] [RFC5958]
  • ENCRYPTED PRIVATE KEY [RFC5958]
  • ATTRIBUTE CERTIFICATE [RFC5755]
  • PUBLIC KEY [RFC5280]

That's not the full story, though. The RFC was written by looking at existing implementations and documenting what they did. The RFC wasn't written first, nor was it written based on some existing authoritative documentation. So if you end up in a situation where you want to inter-operate with some implementation, you may have to look into the implementation's source code to figure out what they support.

For example, OpenSSL defines these BEGIN and END markers in crypto/pem/pem.h. Here is an excerpt from the header file with all the BEGIN and END labels that they support.

# define PEM_STRING_X509_OLD     "X509 CERTIFICATE"
# define PEM_STRING_X509         "CERTIFICATE"
# define PEM_STRING_X509_TRUSTED "TRUSTED CERTIFICATE"
# define PEM_STRING_X509_REQ_OLD "NEW CERTIFICATE REQUEST"
# define PEM_STRING_X509_REQ     "CERTIFICATE REQUEST"
# define PEM_STRING_X509_CRL     "X509 CRL"
# define PEM_STRING_EVP_PKEY     "ANY PRIVATE KEY"
# define PEM_STRING_PUBLIC       "PUBLIC KEY"
# define PEM_STRING_RSA          "RSA PRIVATE KEY"
# define PEM_STRING_RSA_PUBLIC   "RSA PUBLIC KEY"
# define PEM_STRING_DSA          "DSA PRIVATE KEY"
# define PEM_STRING_DSA_PUBLIC   "DSA PUBLIC KEY"
# define PEM_STRING_PKCS7        "PKCS7"
# define PEM_STRING_PKCS7_SIGNED "PKCS #7 SIGNED DATA"
# define PEM_STRING_PKCS8        "ENCRYPTED PRIVATE KEY"
# define PEM_STRING_PKCS8INF     "PRIVATE KEY"
# define PEM_STRING_DHPARAMS     "DH PARAMETERS"
# define PEM_STRING_DHXPARAMS    "X9.42 DH PARAMETERS"
# define PEM_STRING_SSL_SESSION  "SSL SESSION PARAMETERS"
# define PEM_STRING_DSAPARAMS    "DSA PARAMETERS"
# define PEM_STRING_ECDSA_PUBLIC "ECDSA PUBLIC KEY"
# define PEM_STRING_ECPARAMETERS "EC PARAMETERS"
# define PEM_STRING_ECPRIVATEKEY "EC PRIVATE KEY"
# define PEM_STRING_PARAMETERS   "PARAMETERS"
# define PEM_STRING_CMS          "CMS"

These labels are a start, but you still have to look into how the implementation encodes the data between the labels. There's not one correct answer for everything.
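
An added example, not part of the original answer and not OpenSSL's own code: a small parser for the BEGIN/END textual encoding that reports whether each label comes from the RFC 7468 list or only from the pem.h excerpt above. It goes slightly beyond the answer by also splitting off the RFC 1421-style header lines (Proc-Type, DEK-Info) found in OpenSSL's traditional encrypted keys. The names `parse_pem`, `RFC7468`, `OPENSSL_ONLY` and the sample input are constructed for illustration.

```python
import base64
import re

# Labels RFC 7468 documents (the bulleted list in the answer).
RFC7468 = {"CERTIFICATE", "X509 CRL", "CERTIFICATE REQUEST", "PKCS7", "CMS",
           "PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "ATTRIBUTE CERTIFICATE",
           "PUBLIC KEY"}
# Labels in the pem.h excerpt that the RFC list does not contain.
OPENSSL_ONLY = {"X509 CERTIFICATE", "TRUSTED CERTIFICATE",
                "NEW CERTIFICATE REQUEST", "ANY PRIVATE KEY", "RSA PRIVATE KEY",
                "RSA PUBLIC KEY", "DSA PRIVATE KEY", "DSA PUBLIC KEY",
                "PKCS #7 SIGNED DATA", "DH PARAMETERS", "X9.42 DH PARAMETERS",
                "SSL SESSION PARAMETERS", "DSA PARAMETERS", "ECDSA PUBLIC KEY",
                "EC PARAMETERS", "EC PRIVATE KEY", "PARAMETERS"}

BLOCK = re.compile(r"^-----BEGIN ([A-Z0-9#. ]+)-----[ \t]*\r?\n(.*?)"
                   r"^-----END ([A-Z0-9#. ]+)-----[ \t]*\r?$", re.M | re.S)

def parse_pem(text):
    """Return one dict per BEGIN/END block; text outside blocks is ignored."""
    blocks = []
    for m in BLOCK.finditer(text):
        label, body, end_label = m.groups()
        if label != end_label:
            raise ValueError(f"BEGIN {label} closed by END {end_label}")
        lines = [ln.strip() for ln in body.splitlines()]
        headers = {}
        # Legacy RFC 1421 headers (Proc-Type, DEK-Info) end at a blank line.
        if lines and ":" in lines[0]:
            cut = lines.index("") if "" in lines else len(lines)
            pairs = (ln.partition(":") for ln in lines[:cut])
            headers = {k.strip(): v.strip() for k, _, v in pairs}
            lines = lines[cut + 1:]
        # validate=True rejects characters outside the base64 alphabet.
        der = base64.b64decode("".join(lines), validate=True)
        origin = ("rfc7468" if label in RFC7468 else
                  "openssl" if label in OPENSSL_ONLY else "unknown")
        blocks.append(dict(label=label, origin=origin, headers=headers, der=der))
    return blocks

# Constructed sample: payload is SEQUENCE { INTEGER 5 }, not a real key.
SAMPLE = """Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

MAMCAQU=
-----END RSA PRIVATE KEY-----
"""
```

The returned `der` bytes are only the decoded payload; which ASN.1 structure they hold still depends on the label and, for non-RFC labels, on the implementation that wrote the file.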
