OpenSSL encoding rules
1. data encoding format
Openssl data encoding rules are based on ans.1. What is ans.1? An Explanation on top of the project
ASN.1 (Abstract Syntax Notation One) is a structured Description Language, which consists of two parts: Data Description Language and data encoding rules, and data description language standards: the language standard allows you to customize basic data types and make up more complex data types through simple data types. Data Encoding Rules: These encoding methods define a set of rules for converting a digital object into a binary form that can be processed, saved, and transmitted by an application. Standard ASN.1 Encoding Rules include standard Encoding Rules (CER, Canonical Encoding Rules), unique Encoding Rules (DER, Distinguished Encoding Rules), and compressed Encoding Rules (PER, Packed Encoding Rules) and XML Encoding Rules (XER, XML Encoding Rules ).
Did not understand? Well, I don't understand either. After searching for numerous materials, I want to explain my understanding. please correct me if there is anything wrong.
We know that there are many data structures in computer languages, including lists, sets, arrays, and so on. However, for applications, especially networks, these data structures are binary data streams. How can we convert these different data structures into data streams that can be recognized by other applications. This requires a standard, that is, the ans.1 we are talking about. Everyone must abide by this standard and can naturally coexist peacefully. OK. What is this standard?
This question will be answered later. Now let's think about how to send data from a binary tree in the form of a stream. for basic types such as integer and string, we can directly insert them into the data stream, but for this complicated structure, this method is not displayed. What should I do? We introduce the concept of a Digital Object. How can we convert the data structure into a digital object? This uses the first part of the asn.1 standard-the data description language standard, which defines some basic data types. If we use a complex data structure, asn.1 also allows a complex data type (x.509) through a simple data type ).
The number object has been created. How can we convert this data object into a binary stream? This requires the second part of ans.1-encoding rules, the encoding method specifies a set of rules for converting a digital object into a binary format that can be processed, saved, and transmitted by an application.
Now you can answer the above question. Simply put, this standard sets out the method of converting data into data objects and encoding data objects into binary streams.
Openssl uses the der encoding rules of asn.1 to ensure that the binary encoding produced by each asn.1 object using der is unique.
Openssl uses pem as the basic file encoding format. What is the relationship between pem and der? As shown in, several encryption links are optional.
In essence, openssl is pem encoding, Which is Base64 encoding Based on der encoding technology. Then, some header and tail information are added. der and pem can be converted using the openssl command.
2. Certificate encoding format
Common certificate encoding formats include three types of X.509 certificates: PKCS #12 certificates PKCS #7 certificates.
X.509 Certificate: The most common certificate format. It only contains public key information and no private key information. An openssl issued PEM-encoded X.509 Certificate looks as follows
-----BEGIN CERTIFICATE-----XXX-----END CERTIFICATE-----
The intermediate part is the PEM-encoded X509 Certificate. In addition to the header and tail formats, the following two different identifiers may appear:
----- BEGIN X.509 CERTIFICATE----XXX-----END X.509 CERTIFICATE ----- or ----- begin trusted certificate---end trusted certificate -----
The suffix of X.509 certificate files is often der, cer, or crt. The openssl command x509 provides a method to convert the format of X.509 certificates.
PKCS #12 certificate: the PKCS12 certificate can contain one or more certificates, and can also contain the private key of the certificate. The pkcs12 command of openssl can encapsulate certificates and private keys in X.509 format into certificates in PKCS #12 format, or convert PKCS #12 certificates into X.509 certificates.
PKCS #12 certificate suffix is usually p12 or pdx
PKCS #7 certificate: PKCS #7 can encapsulate one or more X.509 certificates or PKCS #6 certificates, and can contain CRL information. The PKCS #7 certificate does not contain the private key information. Openssl provides the crl2pkcs7 and pkcs7 commands to generate and process the PKCS #7 files. They can be used to convert and process the files between the X.509 Certificate and the PKCS #7 certificate.
PKCS #7 the suffix of the certificate is p7b.
3. key code
Openssl has multiple forms of keys. openssl provides PEM and DER encoding methods to encode these keys, and provides instructions for conversion between the two formats.
Openssl keys can be divided into two types: public keys, such as public keys and private keys. Reflected in encoding, some keys need to be encrypted, and some keys do not need to be encrypted. An encrypted PEM key file adds some header information to the PEM file, indicating the encryption status, encryption algorithm, initialization vector, and other information of the key.
Openssl commands provide key encryption functions and multiple optional symmetric encryption algorithms, such as DES and DES3. When you encrypt a key, you usually need to enter a password. The password here is not directly used as the encryption key, instead, the password uses a series of HASH operations to generate a key for the user to encrypt the key data. When reading such keys, you also need to enter the same password.
For more information about OpenSSL, see the following links:
Use OpenSSL command line to build CA and Certificate
Install OpenSSL in Ubuntu
Provides FTP + SSL/TLS authentication through OpenSSL and implements secure data transmission.
Use OpenSSL to generate certificates in Linux
Use OpenSSL to sign multi-domain certificates
Add a custom encryption algorithm to OpenSSL
OpenSSL details: click here
OpenSSL: click here
This article permanently updates the link address: