1 | openssl req -x509 -out public_key.der -outform der -new -newkey rsa:1024 -keyout private_key.pem |
按照提示,填入私钥的密码,签名证书的组织名、邮件等信息之后,就会生成包含有公钥的证书文件public_key.der合私钥文件 private_key.pem。public_key.der文件用于分发到ios客户端进行公钥加解密,而private_key.pem文件留在服 务器端供php使用。当然,如果为了在服务器端进行加解密测试,那么我们还可以生成一个服务器端PHP使用的pem公钥文件:
1 | openssl rsa - in private_key.pem -pubout -out public_key.pem |
上面这个命令就会根据输入的私钥文件生成pem格式的公钥文件了。从这里也可以看到,根据私钥,我们是可以生成相对应的公钥的,这也就是为什么我们要把公钥放在客户端,而不是私钥放在客户端的原因了。
闲话不多说,贴一段代码,肯定能看懂的了
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
|
class
RSAEncryptTest {
const
PRIVATE_KEY = "-----BEGIN ENCRYPTED PRIVATE KEY-----
MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI2aEhi35m/scCAggA
MBQGCCqGSIb3DQMHBAihDOZw68gfKwSCAoAu2E/d2a9FgHDWoinhK2nMc2MlrgL+
kpWcZ5YyUEWUw87DFKrG7dkpAYOgLIpyDatXUVFy2EekZH0Iplqo+yswtho8NtpJ
7T7KJ0nbUXo4we658Ez0EHAnWw+xZegsmJGk2+5QRCALDFyYEIMp3UvqxBjPjfDM
1rEZ0j2o9U40ouDqUVxTpq7ZwHkx/EkB8xHwKpFexz8J0s6gjPy6yLUjX2ut63LD
6X4YPBQLCJIcaLZORoAQ01cxCaM+78WTLUjdhcaFvff9f1xkiUU3XrQQTpuM/3YH
MQ6SMYDAgiOLqSCiMc0VABwf0/kdBnxu9/C/CK82ehA29cVAe8o7HgKg+WszCzTE
+QRCJ2fa7nOd7UXzCDfKh5Hhq1RjLFocVK8OW7tIgW3ircltM1ow30FfEzIdvzmv
LP0QhfGI3o9VT7r5qihGxtXtnGeUEGwvK0j0ozznfsNej7sVFP0Jfw39TdUlEENh
OPjtuBBBHv/oafQ3jqYnrI4R12ZrEU0acm85vRJm32K1RT1ROMFpc5sU20S8nMGC
I3iCzUlJPQF0t07bKexayvfWlJVAwEqBBCPTnvfTMBEt33iC72dQELbzMAM/n7th
TcY/sReO/J4beGk3
//c7PImKIOcIvKF9Gp99l/+BM/LMZ7Thd/qwMOV6Eb3T4BvY
ItC+P5Lr29XeINmLRHXKwr27uTxX0fwDpmpwkPbGreVXA2cCxHnEzkh2WP3qGa7q
+Cwi03ISTEcZbNxLRGArtFUOIvNpz4+FS07OLWVKGl6K6bTffBx1tlZ492SqyNAC
7aP4/4I9Malnt0VjRKYPBCkTvVhoWBG+ThoOav5IV+w7ZDy8mtcrcAII
-----
END
ENCRYPTED PRIVATE KEY-----";
const
PUBLIC_KEY = "-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDAqjJs08oHvNdhlWC+kGBd90PD
7CVjClhRTk3nn+2NNaP4Bi5N/A18rdrV6clNAGUz4i/5q/VQXeLiGYYqgmAkKCJe
gReMsfcnoOSWu+Tvxih/48pu1hwBrmMLFZPOOUWQ9YjQEo7SYBe0HKoEl6XMqNwz
HV7sk9x6BKz9QeLi5QIDAQAB
-----
END
PUBLIC KEY-----";
private
static
$private_key
;
private
static
$public_key
;
public
static
function
private_encrypt(
$str
){
self::setup_key();
if
(openssl_private_encrypt(
$str
,
$encrypted
, self::
$private_key
))
return
$encrypted
;
}
public
static
function
private_decrypt(
$str
){
self::setup_key();
if
(openssl_private_decrypt(
$str
,
$decrypted
, self::
$private_key
))
return
$decrypted
;
}
public
static
function
public_decrypt(
$str
){
self::setup_key();
if
(openssl_public_decrypt(
$str
,
$decrypted
, self::
$public_key
))
return
$decrypted
;
}
public
static
function
public_encrypt(
$str
){
self::setup_key();
if
(openssl_public_encrypt(
$str
,
$encrypted
, self::
$public_key
))
return
$encrypted
;
}
private
static
function
setup_key(){
if
(!self::
$private_key
){
// 这里的test就是在生成证书的时候设置的私钥密码
self::
$private_key
= openssl_pkey_get_private(self::PRIVATE_KEY,
"test"
);
}
if
(!self::
$public_key
)
self::
$public_key
= openssl_pkey_get_public(self::PUBLIC_KEY);
}
}
|
首先我们需要导入Security.framework,在ios中,我们主要关注四个函数
从这几个函数中,我们可以看到,我们使用公钥能做的事情就有两个:加密数据,以及对服务器端发来的数据进行签名认证,但是如果你想跟我之前想的一 样,要使用公钥来对数据进行解密,那就没有自带API了。如果想在服务器端使用私钥加密数据,然后再在客户端使用公钥进行解密,以图这样来对交互数据进行 加密,看来是行不通的。其实也应该是这样,公钥是公开的,因为他可以编译到二进制文本里面就认为他不能被获取其实是不对的。同时,RSA因为都是做大数的 运算,算法性能上比较差,如果做大数据量的加解密,对IOS来讲,肯定也是不合适的。
这里就把使用公钥进行加密的代码贴出来:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
|
// 我们在前面使用openssl生成的public_key.der文件的base64值,用你自己的替换掉这里
#define RSA_KEY_BASE64 @"MIIC5DCCAk2gAwIBAgIJALUk4hrYth9oMA0GCSqGSIb3DQEBBQUAMIGKMQswCQYDVQQGEwJ\
DTjERMA8GA1UECAwIU2hhbmdoYWkxETAPBgNVBAcMCFNoYW5naGFpMQ4wDAYDVQQKDAVCYWl5aTEOMAwGA1UECwwFQmFpeWk\
xEDAOBgNVBAMMB1lvcmsuR3UxIzAhBgkqhkiG9w0BCQEWFGd5cTUzMTk5MjBAZ21haWwuY29tMB4XDTExMTAyNjAyNDUzMlo\
XDTExMTEyNTAyNDUzM1owgYoxCzAJBgNVBAYTAkNOMREwDwYDVQQIDAhTaGFuZ2hhaTERMA8GA1UEBwwIU2hhbmdoYWkxDjA\
MBgNVBAoMBUJhaXlpMQ4wDAYDVQQLDAVCYWl5aTEQMA4GA1UEAwwHWW9yay5HdTEjMCEGCSqGSIb3DQEJARYUZ3lxNTMxOTk\
yMEBnbWFpbC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAK3cKya7oOi8jVMkRGVuNn/SiSS1y5knKLh6t98JukB\
DJZqo30LVPXXL9nHcYXBTulJgzutCOGQxw8ODfAKvXYxmX7QvLwlJRFEzrqzi3eAM2FYtZZeKbgV6PximOwCG6DqaFqd8X0W\
ezP1B2eWKz4kLIuSUKOmt0h3RpIPkatPBAgMBAAGjUDBOMB0GA1UdDgQWBBSIiLi2mehEgi/MwRZOld1mLlhl7TAfBgNVHSM\
EGDAWgBSIiLi2mehEgi/MwRZOld1mLlhl7TAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAB0GUsssoVEDs9vQxk0\
DzNr8pB0idfI+Farl46OZnW5ZwPu3dvSmhQ+yRdh7Ba54JCyvRy0JcWB+fZgO4QorNRbVVbBSuPg6wLzPuasy9TpmaaYaLLK\
Iena6Z60aFWRwhazd6+hIsKTMTExaWjndblEbhAsjdpg6QMsKurs9+izr"
static
SecKeyRef
_public_key=
nil
;
+ (
SecKeyRef
) getPublicKey{
// 从公钥证书文件中获取到公钥的SecKeyRef指针
if
(_public_key ==
nil
){
NSData
*certificateData = [Base64 decode:RSA_KEY_BASE64];
SecCertificateRef
myCertificate = SecCertificateCreateWithData(kCFAllocatorDefault, (CFDataRef)certificateData);
SecPolicyRef
myPolicy = SecPolicyCreateBasicX509();
SecTrustRef
myTrust;
OSStatus
status = SecTrustCreateWithCertificates(myCertificate,myPolicy,&myTrust);
SecTrustResultType trustResult;
if
(status == noErr) {
status = SecTrustEvaluate(myTrust, &trustResult);
}
_public_key = SecTrustCopyPublicKey(myTrust);
CFRelease
(myCertificate);
CFRelease
(myPolicy);
CFRelease
(myTrust);
}
return
_public_key;
}
+ (
NSData
*) rsaEncryptString:(
NSString
*) string{
SecKeyRef
key = [
self
getPublicKey];
size_t
cipherBufferSize = SecKeyGetBlockSize(key);
uint8_t
*cipherBuffer = malloc(cipherBufferSize *
sizeof
(
uint8_t
));
NSData
*stringBytes = [string dataUsingEncoding:
NSUTF8StringEncoding
];
size_t
blockSize = cipherBufferSize - 11;
size_t
blockCount = (
size_t
)ceil([stringBytes length] / (
double
)blockSize);
NSMutableData
*encryptedData = [[[
NSMutableData
alloc] init] autorelease];
for
(
int
i=0; i<blockCount; i++) {
int
bufferSize = MIN(blockSize,[stringBytes length] - i * blockSize);
NSData
*buffer = [stringBytes subdataWithRange:
NSMakeRange
(i * blockSize, bufferSize)];
OSStatus
status = SecKeyEncrypt(key, kSecPaddingPKCS1, (
const
uint8_t
*)[buffer bytes],
[buffer length], cipherBuffer, &cipherBufferSize);
if
(status == noErr){
NSData
*encryptedBytes = [[
NSData
alloc] initWithBytes:(
const
void
*)cipherBuffer length:cipherBufferSize];
[encryptedData appendData:encryptedBytes];
[encryptedBytes release];
}
else
{
if
(cipherBuffer) free(cipherBuffer);
return
nil
;
}
}
if
(cipherBuffer) free(cipherBuffer);
// NSLog(@"Encrypted text (%d bytes): %@", [encryptedData length], [encryptedData description]);
// NSLog(@"Encrypted text base64: %@", [Base64 encode:encryptedData]);
return
encryptedData;
}
|