In [None]:
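# The ASN.1 definition of the PKCS #1 RSA private key format is as follows.
# Only modulus and publicExponent are public; everything from privateExponent onward is private-key material.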
#
# RSAPrivateKey ::= SEQUENCE {
#     version           Version,
#     modulus           INTEGER,  -- n
#     publicExponent    INTEGER,  -- e
#     privateExponent   INTEGER,  -- d
#     prime1            INTEGER,  -- p
#     prime2            INTEGER,  -- q
#     exponent1         INTEGER,  -- d mod (p-1)
#     exponent2         INTEGER,  -- d mod (q-1)
#     coefficient       INTEGER,  -- (inverse of q) mod p
#     otherPrimeInfos   OtherPrimeInfos OPTIONAL
# }
#

In [13]:
%%latex
\begin{equation}
\textit{coefficient = (inverse of q) mod p} \\
\textit{when p is prime} \\
coefficient = q^{p-2} \bmod{p}
\end{equation}

<IPython.core.display.Latex object>

In [14]:
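# Basic Certificate Fields, TBSCertificate Fields (X.509 certificate structure, RFC 5280)
# signatureValue is the issuer's signature computed over the DER encoding of tbsCertificate.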
#
# Certificate  ::=  SEQUENCE  {
#         tbsCertificate       TBSCertificate,
#         signatureAlgorithm   AlgorithmIdentifier,
#         signatureValue       BIT STRING
# }
# 
# TBSCertificate  ::=  SEQUENCE  {
#     version         [0]  EXPLICIT Version DEFAULT v1,
#     serialNumber         CertificateSerialNumber,
#     signature            AlgorithmIdentifier,
#     issuer               Name,
#     validity             Validity,
#     subject              Name,
#     subjectPublicKeyInfo SubjectPublicKeyInfo,
#     issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
#                          -- If present, version MUST be v2 or v3
#     subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
#                          -- If present, version MUST be v2 or v3
#     extensions      [3]  EXPLICIT Extensions OPTIONAL
#                          -- If present, version MUST be v3
# }
#

In [15]:
# PKCS 12
# In cryptography, PKCS #12 defines an archive file format for storing multiple cryptographic objects in a single file.
# It is commonly used to bundle a private key with its X.509 certificate 
# or to bundle all the members of a chain of trust. 
# 
# The full PKCS #12 standard is very complex. 
# It enables buckets of complex objects such as PKCS #8 structures, nested deeply. 
# But in practice it is normally used to store just one private key and its associated certificate chain.
#
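# A simpler alternative to PKCS #12 is PEM, which just lists the certificates and possibly
# private keys as Base64 strings in a text file.
# Note: a PEM private key is stored unencrypted unless a cipher is requested when it is written
# (e.g. genrsa -aes256), so file permissions are then its only protection.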
#

In [16]:
# rsa, dsa, ec key, req, x509 usage examples
#
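# rsa encrypt, decrypt
# (1024-bit RSA is too small for real use and is acceptable here only as a demo; use at least 2048 bits.
#  rsautl is deprecated since OpenSSL 3.0 in favour of pkeyutl, and it uses PKCS #1 v1.5 padding unless -oaep is given.)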
# openssl genrsa -out rsa_1024.key 1024
# openssl rsa -in rsa_1024.key -pubout -out rsa_1024.pubkey
# openssl rsa -in rsa_1024.pubkey -pubin -text
# openssl rsautl -in rsa.helloworld -out rsa.helloworld.e -inkey rsa_1024.key -encrypt
# openssl rsautl -in rsa.helloworld.e -out rsa.helloworld.e.d -inkey rsa_1024.key -decrypt
#
# self-signed certificate
# openssl genrsa -out x_ca.key 2048
# openssl req -new -x509 -key x_ca.key -out x_ca.crt -subj /C=CN/ST=JiangSu/L=SuZhou/O=O_X/OU=OU_X/CN=X_CA/ -days 3650 -set_serial 1
#
# openssl req -new -key lile.ca.rsa -out lile.ca.csr -subj '/C=CN/ST=JiangSu/L=SuZhou/O=YXT/OU=BDAI/CN=ydc-*/'
# openssl x509 -req -in lile.ca.csr -out lile.ca.crt -signkey lile.ca.key -days 3650 -set_serial 100
# 
# ca-signed certificate
# openssl genrsa -out rsa_1024.key 1024
# openssl req -new -key rsa_1024.key -out rsa_1024.csr -subj /C=CN/ST=JiangSu/L=SuZhou/O=O_X/OU=OU_X/CN=rsa_1024/
# openssl x509 -req -in rsa_1024.csr -out rsa_1024.crt -CA x_ca.crt -CAkey x_ca.key -days 3650 -set_serial 100
# 
# textout key, csr, crt
# openssl rsa -in rsa_1024.key -text
# openssl rsa -in rsa_1024.pubkey -pubin -text
# openssl req -in rsa_1024.csr -text
# openssl x509 -in rsa_1024.crt -text
#
# s_server, s_client
# openssl s_client -host dashboard.yxt.com -port 443
# openssl s_server -cert rsa_1024.crt -key rsa_1024.key -accept 7777
# openssl s_client -connect localhost:7777 -CAfile x_ca.crt
# 
# openssl s_server -cert rsa_1024.crt -key rsa_1024.key -accept 7777 -Verify 1
# openssl s_client -connect localhost:7777 -cert rsa_1024.crt -key rsa_1024.key -CAfile x_ca.crt
#  -showcerts

# s_time
# openssl s_time -connect localhost:7777 -new
# openssl s_time -connect localhost:7777 -reuse
#
# speed
# openssl speed rsa1024
# openssl speed md5
# openssl speed aes-256-cbc
#
# dsa: generate, display, sign, verify
# (1024-bit DSA is used here for demonstration only; it is too small for real keys)
# openssl dsaparam -out dsa_1024.param 1024
# openssl gendsa -out dsa_1024.key dsa_1024.param
# openssl dsa -in dsa_1024.key -pubout -out dsa_1024.pubkey
# 
# openssl dsaparam -in dsa_1024.param -text
# openssl dsa -in dsa_1024.key -text
# openssl dsa -in dsa_1024.pubkey -pubin -text
# 
# echo -n 'hello_world' | openssl dgst -sign dsa_1024.key > hello_world.dsa_sign
# echo -n 'hello_world' | openssl dgst -verify dsa_1024.pubkey -signature hello_world.dsa_sign
# 
# ec, ecparam
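# two common curves: prime256v1, secp384r1
# -param_enc explicit writes out the full curve parameters instead of the curve name;
# named curves (the default) are what TLS and X.509 software expects.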
# openssl ecparam -list_curves
# openssl ecparam -out ecparam.prime256v1 -name prime256v1
# openssl ecparam -in ecparam.prime256v1 -genkey -out ecparam.prime256v1.key
# openssl ecparam -in ecparam.prime256v1 -genkey -param_enc explicit -out ecparam.prime256v1.key
# openssl ecparam -in ecparam.prime256v1 -text
# openssl ecparam -in ecparam.prime256v1.key -text
# openssl ecparam -in ecparam.prime256v1.key -text -param_enc explicit
# openssl ecparam -name prime256v1 -text -param_enc explicit
# 
# openssl ec -in ecparam.prime256v1.key -pubout -out ecparam.prime256v1.pubkey
# openssl ec -in ecparam.prime256v1.key -text
# openssl ec -in ecparam.prime256v1.pubkey -pubin -text
# openssl req -new -key ecparam.prime256v1.key -out ecparam.prime256v1.csr -subj /C=CN/ST=JiangSu/L=SuZhou/O=O_X/CN=ecparam_prime256v1_1/
# openssl x509 -req -in ecparam.prime256v1.csr -out ecparam.prime256v1.crt -CA x_ca.crt -CAkey x_ca.key -days 3650 -set_serial 99
#
# ECDSA: digital signatures over messages
# ECDH: key agreement (two parties derive a shared secret key)
#

In [16]:
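# keytool, pkcs12 usage
# (123456 and 'pass' below are placeholder passwords. A password given on the command line (pass:..., -storepass ...)
#  is visible in shell history and the process list; prefer file:/env: for openssl, or omit -storepass/-keypass so keytool prompts.)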
# https://www.jianshu.com/p/e5f46dcf4664
# https://blog.csdn.net/sayyy/article/details/78351512
# 
# openssl pkcs12 -export -in uydc-101.crt -inkey uydc-101.key -out uydc-101.p12 -name uydc-101 -CAfile yxt-ca.crt -caname yxtca -passout pass:123456
# openssl pkcs12 -in ydc.p12 -password file:pass -passin file:pass -nokeys
# openssl pkcs12 -in ydc.p12 -password pass:pass -passin pass:pass -nokeys 
# keytool -importkeystore -deststorepass 123456 -destkeypass 123456 -destkeystore uydc-101.jks -srckeystore uydc-101.pkcs12 -srcstoretype PKCS12 -srcstorepass 123456 -alias uydc-101
# openssl pkcs12 -info -in uydc-101.pkcs12 -passin pass:123456
#  
# keytool example (JKS is the legacy Java keystore format; PKCS12 has been the keytool default since JDK 9)
# Create keystore and certificate
# keytool \
# -genkeypair \
# -alias uydc-102.hbase.thrift \
# -keyalg RSA \
# -keysize 2048 \
# -keypass 123456 \
# -sigalg SHA256withRSA \
# -dname "CN=uydc-102,OU=data,O=yxt,L=SuZhou,ST=JiangSu,C=CN" \
# -validity 3650 \
# -keystore uydc-102_keystore.jks \
# -storetype JKS \
# -storepass 123456
# 
# Generate CSR - Certificate Signing Request
# keytool \
# -certreq \
# -alias uydc-102.hbase.thrift \
# -keyalg RSA \
# -keypass 123456 \
# -keystore uydc-102_keystore.jks \
# -storetype JKS \
# -storepass 123456 \
# -file uydc-102.hbase.thrift.csr
# 
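# Import the root certificate of the signing certificate authority (CA)
# (check the fingerprint keytool prints before answering yes; this certificate becomes a trust anchor in the keystore)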
# keytool \
# -import \
# -trustcacerts \
# -alias ca_root_GlobalSign \
# -keypass 123456 \
# -keystore uydc-102_keystore.jks \
# -storepass 123456 \
# -file GlobalSign_cert.cer
# 
# Import the signed certificate issued for the CSR above
# keytool \
# -import \
# -trustcacerts \
# -alias uydc-102.hbase.thrift \
# -keypass 123456 \
# -keystore uydc-102_keystore.jks \
# -storepass 123456 \
# -file uydc-102.hbase.thrift.cer


In [1]:
# reference:
#
# https://en.wikipedia.org/wiki/X.509
# https://zh.wikipedia.org/wiki/RSA%E5%8A%A0%E5%AF%86%E6%BC%94%E7%AE%97%E6%B3%95
# https://en.wikipedia.org/wiki/RSA_(cryptosystem)
# https://zhuanlan.zhihu.com/p/33580225
# https://tools.ietf.org/html/rfc3447  (PKCS #1 v2.1; obsoleted by RFC 8017)
# https://tools.ietf.org/html/rfc5280
# https://tools.ietf.org/html/rfc5280
# https://zhuanlan.zhihu.com/p/36326221
# https://andrea.corbellini.name/2015/05/17/elliptic-curve-cryptography-a-gentle-introduction/
#