1, X.509 standard
x509 developed by the International Telecommunication Union (ITU-T) standard for digital certificates; contains a public key and a user identifier, CA and the like;
x509 is standardized digital certificates, P7 and P12 are two packages; the X.509 certificate format is common general. All certificates are to meet the international standard ITU-T x509 Public key Infrastructure developed.
PKCS # 7 is commonly used suffixes: P7B, P7C, SPC
PKCS # 12 commonly used suffixes are: P12, PFX
X. 509 DER encoding (ASCII) suffix is: DER CER CRT
X. 509PEM encoding (base64) suffix is: PEM CER CRT
After pem certificate format is base64 encoded, der format DER-encoded certificate;
The certificate and export operations support four file formats.
- Personal Information Exchange (PKCS # 12)
The Personal Information Exchange format (PFX, also called PKCS # 12) supports secure storage of certificates and private keys for all certificates in the certification path. PKCS # 12 is the only file format that can be used to export the certificate and private key. - Cryptographic Message Syntax Standard (PKCS # 7)
All certificates PKCS # 7 format supports storage of certificates and certification path - DER encoded binary X.509
Distinguished Encoding Rules (DER) format supports storage of a single certificate. The format does not support storing the private key or certification path. - X.509 Base64 encoding
Base64 format supports storage of a single certificate. The format does not support storing the private key or certification path.
cer / crt Certificate: means for storing the public key certificate format, which is stored in binary, non-private key can not be introduced into the personal store, because the individual storage area storing a private key associated with the digital certificate; cer, crt format just a suffix, the suffix can pem certificate may also be encoded der encoded;
pfx / p12 certificate: contains the corresponding private key and certificate, may be introduced IE, personal certificate store;
P12 certificate format is generally used to distribute a certificate, which contains the certificate and the corresponding private key;
Because the Proxy Apache Prefer PEM format is not supported by DER-encoded certificate, and therefore, the certificate through transcoding, the transcoding of PEM DER, then by Apache.
Of DER encoded certificate, but DER-encoded file is in binary format is not conducive to read and spread, so the DER encoding BASE64 encoded data formed PEM.
2, PKCS series of standards
By the PKCS RSA Digital Security, but it's more developed, certificate request, update, CRL, DS and so on;
Wherein PKCS7, defines a generic message syntax, including encryption and digital signature, are compatible with the PEM, transformed into each other;
PKCS12, Personal Information Exchange Syntax description, packing public, private keys, certificates, and other information;
PKCS stands for Public-Key Cryptography Standards, by RSA Laboratories and other security systems developer for the development of public key cryptography and developed a series of standards, PKCS currently released a total of over 15 standards. Commonly used are:
the PKCS # Cryptographic the Message Syntax Standard. 7
the PKCS # 10 Certification Standard the Request
the PKCS # 12 is the Exchange Syntax Standard Personal Information
Compare:
P7 is generally divided into two files the certificate, a private key a public key, there are two kinds of PEM and DER encoding. PEM is more common, is plain text, P7 is generally used to distribute public keys, see is a bunch of visible strings, extension often .crt, .cer, .key and so on. DER is a binary encoding.
P12 is pressed into a file the certificate, .pfx. Mainly on account of distribution certificate, the private key is to be kept strictly confidential and can not be spread casually in text mode. So P7 format is not suitable for distribution. .pfx can be password-protected, so relatively safe.
In practice, to the user credentials are on the USB Key in distribution, or a file server certificates often distribute. Server and user certificates, X509 certificates are, that is, inside the property are different.
3, Openssl source code analysis
1 Introduction
Open source SSL security tools, comprising a SSL protocol, a large number of soft algorithm (symmetric / asymmetric / summary), an asymmetric key generation algorithm, the ASN.1 codec library, a certificate request (pscs10) codec, a digital certificate, CRL codecs , OCSP protocol, pkcs7 standard implementation and realization pkcs12 personal digital certificate format and other functions;
Using C language development, cross-platform location;
2. source framework
Mainly by eay base library, ssl libraries, tools, demo and test composition;
Eay source code, under the crypto directory, including:
1) asn.1 DER codec (crypto / asn.1 directory), the request comprising a digital certificate, CRL revocation list and pkcs8 codec function;
2) Abstract IO (BIO, crypto / bio directory), the abstract contains various input and output, a file, memory, stdio, socket, SSL;
3) large numbers operation (crypto / bn directory), asymmetric algorithms for key generation and encryption and decryption variety;
4) character buffer (crypto / buffer directory);
5) reads the configuration file (crypto / conf directory), the main configuration file to openssl.cnf. Catalog change to achieve read configuration file format;
6) DSO Dynamic Shared Object (crypto / dso directory), an abstract of each platform dynamic library loading functions, providing a unified interface;
7) hardware engines (crypto / engine directory), provides the interface requirements;
8) Error handling (cryto / err directory), the interface providing processing; stack to display an error;
9) symmetric algorithms, asymmetric algorithms and digest algorithms package (crypto / evp directory)
10) HMAC (crypto / hmac directory), MAC Based symmetric algorithm;
11) Hash table (crypto / lhash directory), to achieve a hash table data structure;
12) OCSP online digital certificate authentication (crypto / ocsp directory), protocols, codec ocsp the like;
13 is) PEM file format being handled (crypto / pem directory), and reading generated PEM file;
14) Pkcs7 message syntax (crypto / pkcs7 directory), and configured to achieve PKCS7 message parsing;
15) Pkcs12 personal certificate format (crypto / pkcs12 directory), and configured to achieve pkcs12 certificate parsing;
16) queues (crypto / pqueue directory), queue data structure, for a DTLS;
17) the random number (crypto / rand directory), pseudo-random number generator, to support user-defined;
18) the stack (crypto / rand directory) realized stack data structure;
19) thread support (crypto / threads), openssl support multithreading, but the user must implement the relevant interfaces;
20) text database (crypto / txt_db directory);
21) X509 digital certificate (crypto / x509 directory), comprising a digital certificate request, the certificate and CRL signature verification and structural analysis;
22) symmetric algorithm (crypto / aes, crypto / bf, crypto / cast, crypto / omp and crypto / des, etc.);
23) asymmetric algorithm (crypto / dh, crypto / dsa, crytpo / ec and crypto / ecdh);
24) Digest algorithm (crypto / md2 / 4/5 / sha) and key exchange / authentication algorithm (crypto / dh and crypto / krb5);
In SSL library source code directory ssl, comprising sslv2, sslv3, tlsv1 and DTLS source; source comprises a client, server source code, common, underlying package, and a method of calculating the source protocol associated keys;
Source tools in crypto / apps directory; demo source code in hardware engines engines; test source in the test;
Excerpt: https://www.cnblogs.com/testlife007/p/6699566.html
More analysis of the source code can refer to: "Openssl Programming"