我将以下证书导入Azure密钥库
-----BEGIN CERTIFICATE-----
MIICbDCCAhKgAwIBAgIGAXQ5qjdkMAoGCCqGSM49BAMCMDUxMzAxBgNVBAMTKmNh
LmhsZjA2MThvcmRlcmVyLm1pY3Jvc29mdC5ibG9ja2NoYWluLmNvbTAeFw0yMDA4
MjkxMDAxMzBaFw0yMTA4MjkxMDAxMzBaMIGDMVIwUAYDVQQDDEk3MmY5ODhiZi04
NmYxLTQxYWYtOTFhYi0yZDdjZDAxMWRiNDcuMjRkN2IwNmYtZWRmMy00MjJiLTll
MjQtMTljNjZmMmViYWU1MQ4wDAYDVQQLDAV0ZWFtMTENMAsGA1UECwwEb3JnMTEO
MAwGA1UECwwFYWRtaW4wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR5kpzf9KLu
FMI1DYF+a/YXucDPdL+X4zeflzyIDC0hjh149s+OUcRSfwoJbbvP/LgwZEPNdkzM
GLOXnpoZ6JzOo4G+MIG7MA4GA1UdDwEB/wQEAwIAgDAMBgNVHRMBAf8EAjAAMB8G
A1UdIwQYMBaAFAPv72m50bw6Uz0kfAjHA7nS0fSUMB0GA1UdDgQWBBTaOaPuXmtL
DTJVv++VYBiQr9gHCTBbBggqAwQFBgcIAQRPeyJhdHRycyI6eyJhbGxvd19pbnZv
a2UiOnRydWUsImhmLlR5cGUiOiJhZG1pbiIsImhmLkFmZmlsaWF0aW9uIjoib3Jn
MS50ZWFtMSJ9fTAKBggqhkjOPQQDAgNIADBFAiBoMtxoHXqQrgoQgYAMb5uOZFxD
d/rcwbIRMCswVaqMpgIhANGfg4EHvT4gdOVtmRajXLyzyiNAPEyiEwMQ7RoeyK+g
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgKlUqQnd/R70FJPSX
RLii3o7t0//f37fIVgU4fvI6SY6hRANCAAR5kpzf9KLuFMI1DYF+a/YXucDPdL+X
4zeflzyIDC0hjh149s+OUcRSfwoJbbvP/LgwZEPNdkzMGLOXnpoZ6JzO
-----END PRIVATE KEY-----
当我将证书下载为pem时,私钥被更改为
az keyvault secret download --file "./text" --id https://myvault.vault.azure.net/secrets/sample/6d5505d2d0cd4d2285c80dc5a259c61c
我有一把不同的私钥。
-----BEGIN PRIVATE KEY-----
MIGiAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBHkwdwIBAQQgKlUqQnd/R70FJPSX
RLii3o7t0//f37fIVgU4fvI6SY6gCgYIKoZIzj0DAQehRANCAAR5kpzf9KLuFMI1
DYF+a/YXucDPdL+X4zeflzyIDC0hjh149s+OUcRSfwoJbbvP/LgwZEPNdkzMGLOX
npoZ6JzOoA0wCwYDVR0PMQQDAgCA
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIICbDCCAhKgAwIBAgIGAXQ5qjdkMAoGCCqGSM49BAMCMDUxMzAxBgNVBAMTKmNh
LmhsZjA2MThvcmRlcmVyLm1pY3Jvc29mdC5ibG9ja2NoYWluLmNvbTAeFw0yMDA4
MjkxMDAxMzBaFw0yMTA4MjkxMDAxMzBaMIGDMVIwUAYDVQQDDEk3MmY5ODhiZi04
NmYxLTQxYWYtOTFhYi0yZDdjZDAxMWRiNDcuMjRkN2IwNmYtZWRmMy00MjJiLTll
MjQtMTljNjZmMmViYWU1MQ4wDAYDVQQLDAV0ZWFtMTENMAsGA1UECwwEb3JnMTEO
MAwGA1UECwwFYWRtaW4wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR5kpzf9KLu
FMI1DYF+a/YXucDPdL+X4zeflzyIDC0hjh149s+OUcRSfwoJbbvP/LgwZEPNdkzM
GLOXnpoZ6JzOo4G+MIG7MA4GA1UdDwEB/wQEAwIAgDAMBgNVHRMBAf8EAjAAMB8G
A1UdIwQYMBaAFAPv72m50bw6Uz0kfAjHA7nS0fSUMB0GA1UdDgQWBBTaOaPuXmtL
DTJVv++VYBiQr9gHCTBbBggqAwQFBgcIAQRPeyJhdHRycyI6eyJhbGxvd19pbnZv
a2UiOnRydWUsImhmLlR5cGUiOiJhZG1pbiIsImhmLkFmZmlsaWF0aW9uIjoib3Jn
MS50ZWFtMSJ9fTAKBggqhkjOPQQDAgNIADBFAiBoMtxoHXqQrgoQgYAMb5uOZFxD
d/rcwbIRMCswVaqMpgIhANGfg4EHvT4gdOVtmRajXLyzyiNAPEyiEwMQ7RoeyK+g
-----END CERTIFICATE-----
为什么私钥在更改?如何获得与导入的私钥相同的私钥?
根据您提供的az命令,您将证书导入为azure密钥保管库机密。
如果是这样,您发送的证书内容将与您获得的机密值相同。
由于我有测试,所以当我将证书作为机密导入时。然后我检索相同的秘密值。
因此,尝试重新创建一个新的秘密并再次导入。
延迟,但--它是相同的密钥,编码不同
您的输入是
$ openssl asn1parse <63646197.1 -i -dump
0:d=0 hl=3 l= 135 cons: SEQUENCE
3:d=1 hl=2 l= 1 prim: INTEGER :00
6:d=1 hl=2 l= 19 cons: SEQUENCE
8:d=2 hl=2 l= 7 prim: OBJECT :id-ecPublicKey
17:d=2 hl=2 l= 8 prim: OBJECT :prime256v1
27:d=1 hl=2 l= 109 prim: OCTET STRING
0000 - 30 6b 02 01 01 04 20 2a-55 2a 42 77 7f 47 bd 05 0k.... *U*Bw.G..
0010 - 24 f4 97 44 b8 a2 de 8e-ed d3 ff df df b7 c8 56 $..D...........V
0020 - 05 38 7e f2 3a 49 8e a1-44 03 42 00 04 79 92 9c .8~.:I..D.B..y..
0030 - df f4 a2 ee 14 c2 35 0d-81 7e 6b f6 17 b9 c0 cf ......5..~k.....
0040 - 74 bf 97 e3 37 9f 97 3c-88 0c 2d 21 8e 1d 78 f6 t...7..<..-!..x.
0050 - cf 8e 51 c4 52 7f 0a 09-6d bb cf fc b8 30 64 43 ..Q.R...m....0dC
0060 - cd 76 4c cc 18 b3 97 9e-9a 19 e8 9c ce .vL..........
使用SEC1和(更方便地(rfc5915 定义的EC的每算法数据
$ openssl asn1parse <63646197.1 -i -dump -strparse 27
0:d=0 hl=2 l= 107 cons: SEQUENCE
2:d=1 hl=2 l= 1 prim: INTEGER :01
5:d=1 hl=2 l= 32 prim: OCTET STRING
0000 - 2a 55 2a 42 77 7f 47 bd-05 24 f4 97 44 b8 a2 de *U*Bw.G..$..D...
0010 - 8e ed d3 ff df df b7 c8-56 05 38 7e f2 3a 49 8e ........V.8~.:I.
39:d=1 hl=2 l= 68 cons: cont [ 1 ]
41:d=2 hl=2 l= 66 prim: BIT STRING
0000 - 00 04 79 92 9c df f4 a2-ee 14 c2 35 0d 81 7e 6b ..y........5..~k
0010 - f6 17 b9 c0 cf 74 bf 97-e3 37 9f 97 3c 88 0c 2d .....t...7..<..-
0020 - 21 8e 1d 78 f6 cf 8e 51-c4 52 7f 0a 09 6d bb cf !..x...Q.R...m..
0030 - fc b8 30 64 43 cd 76 4c-cc 18 b3 97 9e 9a 19 e8 ..0dC.vL........
0040 - 9c ce ..
正如您所看到的,它没有可选的context-0标记参数字段。
相反,输出是
$ openssl asn1parse <63646197.2 -i -dump
0:d=0 hl=3 l= 162 cons: SEQUENCE
3:d=1 hl=2 l= 1 prim: INTEGER :00
6:d=1 hl=2 l= 19 cons: SEQUENCE
8:d=2 hl=2 l= 7 prim: OBJECT :id-ecPublicKey
17:d=2 hl=2 l= 8 prim: OBJECT :prime256v1
27:d=1 hl=2 l= 121 prim: OCTET STRING
0000 - 30 77 02 01 01 04 20 2a-55 2a 42 77 7f 47 bd 05 0w.... *U*Bw.G..
0010 - 24 f4 97 44 b8 a2 de 8e-ed d3 ff df df b7 c8 56 $..D...........V
0020 - 05 38 7e f2 3a 49 8e a0-0a 06 08 2a 86 48 ce 3d .8~.:I.....*.H.=
0030 - 03 01 07 a1 44 03 42 00-04 79 92 9c df f4 a2 ee ....D.B..y......
0040 - 14 c2 35 0d 81 7e 6b f6-17 b9 c0 cf 74 bf 97 e3 ..5..~k.....t...
0050 - 37 9f 97 3c 88 0c 2d 21-8e 1d 78 f6 cf 8e 51 c4 7..<..-!..x...Q.
0060 - 52 7f 0a 09 6d bb cf fc-b8 30 64 43 cd 76 4c cc R...m....0dC.vL.
0070 - 18 b3 97 9e 9a 19 e8 9c-ce .........
150:d=1 hl=2 l= 13 cons: cont [ 0 ]
152:d=2 hl=2 l= 11 cons: SEQUENCE
154:d=3 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage
159:d=3 hl=2 l= 4 cons: SET
161:d=4 hl=2 l= 2 prim: BIT STRING
0000 - 00 80 ..
$ openssl asn1parse <63646197.2 -i -dump -strparse 27
0:d=0 hl=2 l= 119 cons: SEQUENCE
2:d=1 hl=2 l= 1 prim: INTEGER :01
5:d=1 hl=2 l= 32 prim: OCTET STRING
0000 - 2a 55 2a 42 77 7f 47 bd-05 24 f4 97 44 b8 a2 de *U*Bw.G..$..D...
0010 - 8e ed d3 ff df df b7 c8-56 05 38 7e f2 3a 49 8e ........V.8~.:I.
39:d=1 hl=2 l= 10 cons: cont [ 0 ]
41:d=2 hl=2 l= 8 prim: OBJECT :prime256v1
51:d=1 hl=2 l= 68 cons: cont [ 1 ]
53:d=2 hl=2 l= 66 prim: BIT STRING
0000 - 00 04 79 92 9c df f4 a2-ee 14 c2 35 0d 81 7e 6b ..y........5..~k
0010 - f6 17 b9 c0 cf 74 bf 97-e3 37 9f 97 3c 88 0c 2d .....t...7..<..-
0020 - 21 8e 1d 78 f6 cf 8e 51-c4 52 7f 0a 09 6d bb cf !..x...Q.R...m..
0030 - fc b8 30 64 43 cd 76 4c-cc 18 b3 97 9e 9a 19 e8 ..0dC.vL........
0040 - 9c ce ..
它确实具有context-0标记的参数字段,当在PKCS8中使用时,该字段是多余的,如这里所示;同样在PKCS8级别,它有可选的context-0标记属性字段,其中包含一个id为KeyUsage和值为digitalSignature的属性。(OpenSSL显示了BITSTRING编码的实际值字段,包括为"未使用的位"保留的第一个八位字节,这里是00,所以编码的位是80,即位#0=数字签名。(这在技术上是多余的,因为它已经在证书中了,但我想Azure觉得在这里有一个副本很方便。
用于加密目的的实际密钥是曲线id;d";在SEC1数据中的偏移5处;Q";在SEC1数据中的context-1-标记处,您可以确认这三个标记在输出中与输入相同。