Decrypting an OpenSSL certificate

Time: 2017-07-24 13:58:50

Tags: ssl encryption openssl certificate pkcs#8

I generated three keys/certificates with this script:

#!/bin/sh
# Generates NAME.pem (raw RSA key), NAME.x509.pem (self-signed cert) and NAME.pk8 (PKCS#8, DER)
AUTH='/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'
if [ -z "$1" ]; then
        echo "Create a test certificate key."
        echo "Usage: $0 NAME"
        echo "Will generate NAME.pk8 and NAME.x509.pem"
        echo "  $AUTH"
        exit 1
fi

# 2048-bit RSA key with public exponent 3 (-3)
openssl genrsa -3 -out "$1.pem" 2048

# Self-signed X.509 certificate for that key
openssl req -new -x509 -key "$1.pem" -out "$1.x509.pem" -days 10000 \
    -subj "$AUTH"

# Convert to PKCS#8 DER; the password read from stdin is used to encrypt the key,
# so even an empty line yields an EncryptedPrivateKeyInfo structure
echo "Please enter the password for this key:"
openssl pkcs8 -in "$1.pem" -topk8 -outform DER -out "$1.pk8" -passout stdin

The output is:

releasekey.pem
releasekey.pk8
releasekey.x509.pem

Then I tried to decrypt it with this command:

openssl pkcs8 -in ~/.android-certs/releasekey.pk8 -inform DER

So the output is

alex-garmas-osx:android alex-garmash$ openssl pkcs8 -in ~/.android-certs/releasekey.pk8 -inform DER
Enter Password:
-----BEGIN PRIVATE KEY-----
CONTENT OF PRIVATE KEY HERE
-----END PRIVATE KEY-----

It works fine. releasekey.pk8 has no passphrase.

When I do the same with the command:

openssl pkcs8 -in ~/.android-certs/releasekey.pk8 -inform DER -nocrypt

I get an error:

140735885419528:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1200:
140735885419528:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error:tasn_dec.c:768:
140735885419528:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:700:Field=version, Type=PKCS8_PRIV_KEY_INFO

In the documentation I saw that I can use the -nocrypt option, but why does it fail?

Update

Many thanks to @bartonjs for the explanation. To fix the problem, you need to add the -nocrypt flag to the last command of the script; after that, the command above can be used to decode the generated key.

#!/bin/sh
# Same script as above, with -nocrypt added to the final command
AUTH='/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'
if [ -z "$1" ]; then
        echo "Create a test certificate key."
        echo "Usage: $0 NAME"
        echo "Will generate NAME.pk8 and NAME.x509.pem"
        echo "  $AUTH"
        exit 1
fi

# 2048-bit RSA key with public exponent 3 (-3)
openssl genrsa -3 -out "$1.pem" 2048

# Self-signed X.509 certificate for that key
openssl req -new -x509 -key "$1.pem" -out "$1.x509.pem" -days 10000 \
    -subj "$AUTH"

# -nocrypt writes an unencrypted PrivateKeyInfo structure; the password
# supplied via -passout is not used to encrypt the key in this mode
echo "Please enter the password for this key:"
openssl pkcs8 -in "$1.pem" -topk8 -outform DER -out "$1.pk8" -passout stdin -nocrypt

1 answer:

Answer 0 (score: 2)

You are prompted for a password, enter an empty one, and it succeeds; -nocrypt fails.

"Encrypted with an empty password" and "unencrypted" are not the same thing (though to a brute-forcer, the difference is small).

An unencrypted PKCS#8 blob looks like this (ASN.1):

PrivateKeyInfo ::= SEQUENCE {
    version                   Version,
    privateKeyAlgorithm       PrivateKeyAlgorithmIdentifier,
    privateKey                PrivateKey,
    attributes           [0]  IMPLICIT Attributes OPTIONAL }

If it is encrypted, then

EncryptedPrivateKeyInfo ::= SEQUENCE {
    encryptionAlgorithm  EncryptionAlgorithmIdentifier,
    encryptedData        EncryptedData }

EncryptionAlgorithmIdentifier ::= AlgorithmIdentifier

EncryptedData ::= OCTET STRING

So -nocrypt tells OpenSSL that it should expect the first structure directly, while yours looks like the second (in particular, the first child of the SEQUENCE is not an INTEGER but another SEQUENCE).

And saying that your data is encrypted with an empty password does not mean it is encrypted with some sort of empty key. The creator of the PKCS#8 file almost certainly went to the trouble of choosing a random salt for the PBKDF2 algorithm and then combined it with the empty password to produce the output. That data is still noise, just... noise that is easier to brute-force than usual.
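The structural difference the answer describes can be checked without a password at all: the outer SEQUENCE of an unencrypted PrivateKeyInfo starts with an INTEGER (the version), while an EncryptedPrivateKeyInfo starts with another SEQUENCE (the AlgorithmIdentifier). The following script is an added example, not part of the original question or answer: it reads the outer two levels of DER and reports which of the two structures a .pk8 file is. The two sample blobs are constructed by hand for the test and contain placeholder key bytes, not real key material; `openssl asn1parse -inform DER -in file.pk8` shows the same tags interactively.

```python
"""Tell unencrypted PKCS#8 (PrivateKeyInfo) from encrypted PKCS#8
(EncryptedPrivateKeyInfo) by inspecting the outer DER structure.

Added example; not code from the original post. The sample blobs below are
constructed for illustration and are NOT real keys.
"""
import sys


def _read_tlv(data: bytes, pos: int = 0):
    """Read one DER tag-length-value at `pos`; return (tag, value, next_pos)."""
    if pos + 2 > len(data):
        raise ValueError("truncated DER: missing tag or length")
    tag = data[pos]
    first = data[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long-form length: 0x8N + N bytes
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(data):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(data):
        raise ValueError("truncated DER: value exceeds buffer")
    return tag, data[pos:end], end


def classify_pkcs8(der: bytes) -> str:
    """Return 'PrivateKeyInfo' or 'EncryptedPrivateKeyInfo' for a DER PKCS#8 blob."""
    tag, body, end = _read_tlv(der)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    if end != len(der):
        raise ValueError("trailing bytes after outer SEQUENCE")
    first_tag, _, _ = _read_tlv(body)
    if first_tag == 0x02:                 # INTEGER version -> unencrypted
        return "PrivateKeyInfo"
    if first_tag == 0x30:                 # SEQUENCE encryptionAlgorithm -> encrypted
        return "EncryptedPrivateKeyInfo"
    raise ValueError(f"unexpected first child tag 0x{first_tag:02x}")


def _tlv(tag: int, value: bytes) -> bytes:
    """Encode one DER TLV (used only to build the constructed samples)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
PBES2_OID = bytes.fromhex("2a864886f70d01050d")           # 1.2.840.113549.1.5.13

# Constructed: version 0, rsaEncryption/NULL, placeholder privateKey OCTET STRING
UNENCRYPTED_SAMPLE = _tlv(0x30,
    _tlv(0x02, b"\x00")
    + _tlv(0x30, _tlv(0x06, RSA_ENCRYPTION_OID) + _tlv(0x05, b""))
    + _tlv(0x04, b"\x30\x00"))

# Constructed: PBES2 AlgorithmIdentifier (parameters left empty), placeholder ciphertext
ENCRYPTED_SAMPLE = _tlv(0x30,
    _tlv(0x30, _tlv(0x06, PBES2_OID) + _tlv(0x30, b""))
    + _tlv(0x04, bytes(16)))


if __name__ == "__main__":
    # Usage: python pkcs8_kind.py releasekey.pk8
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(f"{path}: {classify_pkcs8(f.read())}")
```

A file that reports EncryptedPrivateKeyInfo needs the password prompt (even if the answer is an empty line), which is exactly why `-nocrypt` fails on it with "wrong tag ... Field=version".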