M2Crypto:PKey 是对公钥还是私钥的引用?
在 M2Crypto python 包(Python 的 OpenSSL 包装器)的 PKey 类文档中,据说 PKey 是对公钥的引用。
我的观点是,它是对私钥的引用,因为 PKey 类的 init 方法调用 evp_pkey_new openssl 函数,从此链接: http://linux.die.net/man/3/evp_pkey_new ,应该分配对私钥结构的新引用!
只有两种可能的解释:M2Crypto 文档是错误的,或者我报告的链接有错误的信息。
有人可以帮助我找到真相吗?
In the PKey class documentation of the M2Crypto python package (an OpenSSL wrapper for Python) it is said that PKey is a reference to a Public key.
My opinion is instead that it's a reference to a Private Key because the init method of the PKey class calls the evp_pkey_new openssl function that, from this link: http://linux.die.net/man/3/evp_pkey_new , should allocate a new reference to a private key structure!
There are two only possible explaination: The M2Crypto documentation is wrong or the link I've reported has wrong informations.
Can someone help me to find the truth?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
EVP_PKEY_new 的文档直接说明了它用于存储私钥。我迷失了,因为原始海报是因为 x509foo.get_pubkey() 仅返回一个 EVP.PKey 实例,并且将该实例存储为 pem 显示私钥。我无法假装知道 M2Crypto 团队的意图,因为许多使用 PKey 的函数都没有记录。例如,x509 请求对象有一个 verify(self,pkey) 但没有告诉我 pkey 是什么类型的对象。同样还有任何文档。我和原作者一样困惑,因为我认为 RSA 至少有 nn 个术语
(e,n)#公钥
(d,n)#私钥
,我最多想到的是私钥
(d,n,p,q,dp,dq,qinv,t) 其中
p 和 q 是大素数 dp 和 dq 和 qinv 是额外系数
解密速度更快,t 作为 totient 函数。
文档中应更清楚地说明区别的原因是有时您希望使用私钥进行加密(在签名的情况下),以便其他人可以通过使用公钥进行解密来进行验证。
h = 哈希值(m)
sig = h^d (mod n)
只有知道 d(私钥)的人才能创建签名。
完成验证,
通过h = sig^e (mod n)
如果两个哈希值匹配,则
您就知道该消息是真实的。我遇到的问题是 EVP.Pkey 声称代表公钥
它的 allocate_rsa() 方法声明它接受 RSA 密钥对(“我假设这意味着此时的私钥”。到目前为止我发现的任何示例仅用于创建自签名证书(包括 M2Crypto 自己的单元测试)我没有看到任何接受第三方 x509 请求并使用自己的 ca 证书和密钥对其进行签名的测试,就像我们通常在现实中看到的那样,单元测试无法帮助我弄清楚如何进行一般签名。自 X509 请求以来的 CSR 不会包含私钥,但单元测试示例工作正常,因为它是自签名的,并且签名者已经可以访问私钥。 MKREQ方法
它生成 x509 请求。
M2Crypto 文档很令人困惑,因为他们使用了这些术语
pk、pkey 甚至 pubkey 可以互换。
The documentation for EVP_PKEY_new directly states its used to store private keys. And I'm lost as the original poster is since x509foo.get_pubkey() just returns a EVP.PKey instance and that storeing the instance as pem shows PRIVATE KEY. I can't pretend to know the intention of the M2Crypto team since many functions that use PKey are not documented. For example an x509 request object has a verify(self,pkey) yet tells me nothing about what kind of object pkey is. Likewise there or any documentation. I'm just as confused as the original auther since I think of RSA at the very least nn terms of
(e,n)#Public key
(d,n)#Private key
and at best I think of Privatekeys
(d,n,p,q,dp,dq,qinv,t) where
p and q are the large primes dp and dq and qinv are extra coeficiants to make
decrypting faster and t as the totient function.
The reason the distinction should have been made clearer in the documentation is sometimes you want to encrypt with the private keys(In the case of a signature) so that every one else can verify by decrupting using the public key.
h = hash(m)
sig = h^d (mod n)
only some one that knows d (The private key) could create the signature.
Verification is done by
h = sig^e (mod n)
if the two hashes match you know the message is authentic.
The issue I'm having is EVP.Pkey claimes to be representing a public key yet
its assign_rsa() method declares it takes in an RSA key pair ("I'm assuming this means private key at this point". Any examples I've found so far are only for creating a self cigned cert (Including M2Crypto's own unit tests. I don't see any tests that take a third party x509 request and sign it with its own ca cert and key like we would normally see in reality. The unit tests doesn't help me in terms of figuring out how to sign general CSRs since X509 Requests won't contain the private key. Yet the unit tests examples work fine since its self signed and the signer already had access to the private keys. Infact the test_mkcert test does exactly that it takes the private key handed back by the mkreq method
which generates the x509 request.
The M2Crypto docs are confuseing since they use the terms
pk,pkey and even pubkey interchangably.
OpenSSL 文档不完整 - 由
EVP_PKEY_new()分配的EVP_PKEY结构用于存储私钥或公钥。键的类型由您稍后加载到结构中的内容决定。(例如,
EVP_SealInit()和EVP_OpenInit均采用EVP_PKEY参数)。The OpenSSL documentation is incomplete - the
EVP_PKEYstructure allocated byEVP_PKEY_new()is used to store either private or public keys. The type of key is determined by what you later load into the structure.(Eg. both
EVP_SealInit()andEVP_OpenInittakeEVP_PKEYparameters).