Public key encryption is asymmetric encryption.
In contrast to symmetric encryption, where a single private key is used for both encryption and decryption, asymmetric encryption requires two keys.
The public key encrypts the plaintext,
and the private key decrypts the ciphertext back to plaintext.
Within a single domain (one website or application) symmetric encryption is usually the right fit,
but when several domains or groups are involved, asymmetric encryption is the better fit.
The public key is shared with everyone, while the private key is kept secret from everyone except one group.
■ RSA Private Key
[shell] openssl genrsa -out private.pem 2048
1) Key format
The command above uses openssl to generate a PEM file.
Because PEM is human-readable ASCII, it is easy to copy and paste and easy to inspect.
Java is awkward to use with the PEM format, so the binary DER format is recommended instead. (Conversion between the two is easy.)
2) Key length
The number at the end of the command (2048) is the key length in bits.
It is also tied to the RSA public key length,
and it determines both how much data can be encrypted and how strong the private key is.
Why not use 4096 or 8192 to make it even stronger?
Because key length directly affects encryption and decryption performance,
some applications only accept a specific key length for public key encryption.
So you must know the correct key length for the domain that will use the key pair.
In most cases a 2048-bit key is fine... but make a stronger key if you need one....
■ Public Key
[shell] openssl rsa -in private.pem -inform pem -out public.key -outform der -pubout
This command is mostly self-explanatory.
The main difference from the previous command is the -outform argument, which makes it write the DER format.
Specifically, this follows the X.509 public key infrastructure standard.
The extension used here is ".key", but ".cer", ".crt" or ".der" would also be fine. (The extension has no effect on the format...)
What you must keep in mind, though, is that this file is not an actual X.509 certificate.
This file is only a public key.
■ DER Private Key
Now that the public key is in DER format, let's look at converting the private key to the binary DER format as well.
This follows the PKCS#8 public-key cryptography standard.
[shell] openssl rsa -in private.pem -inform pem -out private.key -outform der
■ PEM Private Key
For security, delete the PEM file.
If you ever need the PEM file again, you can regenerate it from the DER file.
[shell] openssl pkcs8 -inform der -nocrypt < private.key > private.pem (gives an error)
[shell] openssl pkcs8 -topk8 -in private.key -inform der -out private.pem -outform pem
This PEM file can then be used to generate the public key again.
Translator's note)
The reason for creating the keys this way is to produce keys for encrypting and decrypting with the "Java cryptography API" that will be covered in part #2/3.
However, among the openssl commands above, the last one, which produces the DER-format private.key, has a problem.
(When the source in #2/3 decrypts using the private.key produced by that openssl command, a key error occurs.)
java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: IOException : algid parse error, not a sequence
at sun.security.rsa.RSAKeyFactory.engineGeneratePrivate(RSAKeyFactory.java:217)
at java.security.KeyFactory.generatePrivate(KeyFactory.java:372)
at kr.zany.sample.spring.common.crypto.RSACipher.decrypt(RSACipher.java:73)
at kr.zany.sample.spring.common.crypto.RSACipher.decrypt(RSACipher.java:52)
at kr.zany.sample.spring.common.crypto.RSACipherTest.encryptDecryptWithKeyPairFiles(RSACipherTest.java:45)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:50)
at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:47)
at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:325)
at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:78)
at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:57)
at org.junit.runners.ParentRunner$3.run(ParentRunner.java:290)
at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:71)
at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:288)
at org.junit.runners.ParentRunner.access$000(ParentRunner.java:58)
at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:268)
at org.junit.runners.ParentRunner.run(ParentRunner.java:363)
at org.junit.runner.JUnitCore.run(JUnitCore.java:137)
at com.intellij.junit4.JUnit4IdeaTestRunner.startRunnerWithArgs(JUnit4IdeaTestRunner.java:117)
at com.intellij.junit4.JUnit4IdeaTestRunner.startRunnerWithArgs(JUnit4IdeaTestRunner.java:42)
at com.intellij.rt.execution.junit.JUnitStarter.prepareStreamsAndStart(JUnitStarter.java:262)
at com.intellij.rt.execution.junit.JUnitStarter.main(JUnitStarter.java:84)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at com.intellij.rt.execution.application.AppMain.main(AppMain.java:147)
Caused by: java.security.InvalidKeyException: IOException : algid parse error, not a sequence
at sun.security.pkcs.PKCS8Key.decode(PKCS8Key.java:351)
at sun.security.pkcs.PKCS8Key.decode(PKCS8Key.java:356)
at sun.security.rsa.RSAPrivateCrtKeyImpl.(RSAPrivateCrtKeyImpl.java:91)
at sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(RSAPrivateCrtKeyImpl.java:75)
at sun.security.rsa.RSAKeyFactory.generatePrivate(RSAKeyFactory.java:316)
at sun.security.rsa.RSAKeyFactory.engineGeneratePrivate(RSAKeyFactory.java:213)
... 31 more
Because of this, the comments on the original post (http://www.reindel.com/asymmetric-public-key-encryption-using-rsa-java-openssl)
contain a fair amount of discussion... summarized, it comes down to the following.
■ Generating RSA public/private keys with openssl commands (BEFORE)
[1. private key (pem) ] openssl genrsa -out private.pem 2048
[2. public key ] openssl rsa -in private.pem -inform pem -out public.key -outform der -pubout
[3. private key (pem-der)] openssl rsa -in private.pem -inform pem -out private.key -outform der
[4. private key (der-pem)] openssl pkcs8 -topk8 -in private.key -inform der -out private.pem -outform pem -nocrypt
■ Generating RSA public/private keys with openssl commands (AFTER)
[1. private key (pem) ] openssl genrsa -out private.pem 2048
[2. private key (pem-der)] openssl rsa -in private.pem -inform pem -out private.der -outform der
[3. private key (pkcs8) ] openssl pkcs8 -topk8 -in private.der -inform der -out private.key -outform der -nocrypt
[4. public key ] openssl rsa -in private.pem -inform pem -out public.key -outform der -pubout
If you drop the -nocrypt option in step 3, you can set a password on private.key.
If you generate the DER-format public.key and private.key with the commands listed under AFTER,
encryption and decryption with those keys works normally in the Java source of #2/3.
Steps 2 and 3 can also be merged into the single command below to produce the DER-format private key.
(As Brian Reindel, the author of the original post, says: once the DER-format private key has been generated, delete the private.pem file for security.)
openssl pkcs8 -topk8 -in private.pem -inform pem -out private.key -outform der -nocrypt
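Why the BEFORE sequence fails with "algid parse error, not a sequence" while the AFTER sequence works, as an added example that is not part of the original post or of Brian Reindel's article: `openssl rsa -outform der` writes a bare PKCS#1 RSAPrivateKey, whereas Java's KeyFactory (the PKCS8Key.decode frame in the stack trace above) expects a PKCS#8 PrivateKeyInfo, whose second element is an AlgorithmIdentifier SEQUENCE; in a PKCS#1 blob that slot holds the INTEGER modulus, which is exactly what the error message describes. The Python below uses only the standard library, builds both encodings from textbook toy RSA numbers (constructed for the demo, not a usable key), and classifies a DER blob with the same structural check Java makes. `classify_private_key_der()` can also be pointed at the real private.der / private.key files produced by the commands above.

```python
# Added example: minimal DER encode/decode to contrast PKCS#1 RSAPrivateKey
# (output of `openssl rsa -outform der`) with PKCS#8 PrivateKeyInfo
# (output of `openssl pkcs8 -topk8 -outform der -nocrypt`).
#
# PKCS#1 RSAPrivateKey  = SEQUENCE { INTEGER 0, INTEGER n, INTEGER e, ... }
# PKCS#8 PrivateKeyInfo = SEQUENCE { INTEGER 0,
#                                    SEQUENCE { OID rsaEncryption, NULL },
#                                    OCTET STRING <RSAPrivateKey> }
import sys

def der_length(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + der_length(len(value)) + value

def der_integer(v: int) -> bytes:
    """Non-negative INTEGER; prepend 0x00 when the top bit is set."""
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der_tlv(0x02, body)

def der_sequence(*items: bytes) -> bytes:
    return der_tlv(0x30, b"".join(items))

# rsaEncryption OID 1.2.840.113549.1.1.1, pre-encoded as a DER OBJECT IDENTIFIER
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")
DER_NULL = b"\x05\x00"

def pkcs1_rsa_private_key(n, e, d, p, q, dp, dq, qinv) -> bytes:
    """PKCS#1 RSAPrivateKey: version 0 followed by the eight CRT integers."""
    return der_sequence(der_integer(0),
                        *(der_integer(x) for x in (n, e, d, p, q, dp, dq, qinv)))

def pkcs8_private_key_info(pkcs1_der: bytes) -> bytes:
    """Unencrypted PKCS#8 PrivateKeyInfo wrapping a PKCS#1 key (what -topk8 -nocrypt does)."""
    alg_id = der_sequence(RSA_ENCRYPTION_OID, DER_NULL)
    return der_sequence(der_integer(0), alg_id, der_tlv(0x04, pkcs1_der))

def der_read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV that starts at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def classify_private_key_der(der: bytes) -> str:
    """Return 'pkcs8' or 'pkcs1' for an RSA private key DER blob.

    Mirrors the structural check in sun.security.pkcs.PKCS8Key.decode:
    after the version INTEGER it requires an AlgorithmIdentifier SEQUENCE.
    """
    tag, body, _ = der_read_tlv(der)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    tag, version, pos = der_read_tlv(body)
    if tag != 0x02 or version != b"\x00":
        raise ValueError("first element is not INTEGER 0 (version)")
    tag, second, _ = der_read_tlv(body, pos)
    if tag == 0x30:                        # AlgorithmIdentifier -> PrivateKeyInfo
        if not second.startswith(RSA_ENCRYPTION_OID):
            raise ValueError("AlgorithmIdentifier is not rsaEncryption")
        return "pkcs8"
    if tag == 0x02:                        # INTEGER n -> bare RSAPrivateKey;
        return "pkcs1"                     # Java reports "algid parse error, not a sequence" here
    raise ValueError(f"unexpected tag 0x{tag:02x} after version")

# Toy textbook RSA values (constructed for the demo only): p=61, q=53, n=3233, e=17, d=2753
TOY_PKCS1 = pkcs1_rsa_private_key(n=3233, e=17, d=2753, p=61, q=53, dp=53, dq=49, qinv=38)
TOY_PKCS8 = pkcs8_private_key_info(TOY_PKCS1)

if __name__ == "__main__":
    # Usage: python3 this_file.py [private.der private.key ...]
    print("toy PKCS#1 blob:", classify_private_key_der(TOY_PKCS1))
    print("toy PKCS#8 blob:", classify_private_key_der(TOY_PKCS8))
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(f"{path}: {classify_private_key_der(f.read())}")
```

Running it against the BEFORE and AFTER outputs shows the difference the Java stack trace complains about: private.der from step 2 classifies as pkcs1 and is rejected by Java, while private.key from step 3 (or the merged command) classifies as pkcs8 and loads.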
Even if the above is not entirely clear, there is no need to worry.
Part #2/3 covers generating public/private keys through the Java cryptography API
and performing encryption and decryption with those keys.