開(kāi)發(fā)中常用的加密方式和實(shí)際應(yīng)用

既然說(shuō)到加密,必然和隱私相關(guān),那么就從網(wǎng)絡(luò)開(kāi)發(fā)兩大原則說(shuō)起:

1-網(wǎng)絡(luò)上不允許傳輸用戶(hù)的明文隱私數(shù)據(jù)。
2-本地不允許保存用戶(hù)的額明文隱私數(shù)據(jù)。

那么既然不能使用明文進(jìn)行傳輸和保存,我們同時(shí)又需要進(jìn)行相關(guān)操作的話(huà),就必須要使用下面說(shuō)到的各種加密了。
首先,市面上常用的加密方式分為對(duì)稱(chēng)加密,非對(duì)稱(chēng)加密哈希加密。

1.對(duì)稱(chēng)加密:

文件加密和解密使用相同的密鑰,即加密密鑰也可以用作解密密鑰。
常用加密算法有DES,3DES,AES等.

DES  數(shù)據(jù)加密標(biāo)準(zhǔn)(用的比較少,因?yàn)閺?qiáng)度不夠).
3DES 使用3個(gè)密鑰,對(duì)相同的數(shù)據(jù)執(zhí)行三次加密,強(qiáng)度增強(qiáng).
AES  高級(jí)加密標(biāo)準(zhǔn),目前美國(guó)國(guó)家安全局使用AES加密,蘋(píng)果的鑰匙串訪(fǎng)問(wèn)就是使用AES加密。

而對(duì)稱(chēng)加密一般分為四種模式:ECB,CBC,CFBOFB,最為常見(jiàn)的是前兩種。

ECB的特點(diǎn):
加密文件會(huì)被分為若干個(gè)加密塊,
每個(gè)塊都是獨(dú)立進(jìn)行加密,互不影響。
所以,如果變動(dòng)數(shù)據(jù)中的某一個(gè)地方,
加密之后其對(duì)應(yīng)得塊也會(huì)發(fā)生變化,
缺點(diǎn)是一旦被破解某個(gè)模塊,就可以進(jìn)行推理,
進(jìn)而有機(jī)會(huì)獲取到重要數(shù)據(jù)。

關(guān)于ECB的終端操作代碼:

加密: $ openssl enc -des-ecb -K 616263 -nosalt -in 
msg.txt -out msgLock.bin
解密:$ openssl enc -des-ecb -K 616263 -nosalt -in 
msgLock.bin -out msg.txt -d
查看加密之后的二進(jìn)制文件:$ xxd msgLock.bin
CBC的特點(diǎn):
使用一個(gè)密鑰和一個(gè)初始化向量 (IV)對(duì)數(shù)據(jù)執(zhí)
行加密轉(zhuǎn)換。
加密文件同樣會(huì)被分為若干個(gè)加密塊,
每個(gè)塊都依賴(lài)于上一個(gè)加密塊進(jìn)行加密,互相牽制。
所以,如果變動(dòng)數(shù)據(jù)中的某一個(gè)地方,
加密之后整體數(shù)據(jù)都會(huì)發(fā)生變化。
可以有效地保證密文的完整性

關(guān)于CBC的終端操作代碼:

加密: $ openssl enc -des-cbc -K 616263 -iv 
0000000000000000 -nosalt -in a.txt -out 
msg1.bin
解密:$ openssl enc -des-cbc -K 616263 -iv 
0000000000000000 -nosalt -in msg1.bin -out 
msg4.txt -d
查看加密之后的二進(jìn)制文件:$ xxd msg1.bin

2.非對(duì)稱(chēng)加密

與對(duì)稱(chēng)加密算法不同,非對(duì)稱(chēng)加密算法需要兩個(gè)密鑰:公開(kāi)密鑰(publickey)和私有密鑰(privatekey)。也就是公鑰加密,私鑰解密或者私鑰加密,公鑰解密。常見(jiàn)的非對(duì)稱(chēng)加密算法有RSA(加密,證書(shū)生成),DSA(數(shù)字簽名)等,非對(duì)稱(chēng)加密算法的保密性比較好,但加密和解密花費(fèi)時(shí)間長(zhǎng)、速度慢,它不適合于對(duì)文件加密而只適用于對(duì)少量數(shù)據(jù)進(jìn)行加密。

使用openssl生成密鑰加密的步驟:
生成強(qiáng)度是 512 的 RSA 私鑰:$ openssl genrsa -out private.pem 512
以明文輸出私鑰內(nèi)容:$ openssl rsa -in private.pem -text -out 
private.txt
校驗(yàn)私鑰文件:$ openssl rsa -in private.pem -check
從私鑰中提取公鑰:$ openssl rsa -in private.pem -out public.pem 
-outform PEM -pubout
以明文輸出公鑰內(nèi)容:$ openssl rsa -in public.pem -out public.txt 
-pubin -pubout -text 
使用公鑰加密小文件:$ openssl rsautl -encrypt -pubin -inkey 
public.pem -in msg.txt -out msg.bin
使用私鑰解密小文件:$ openssl rsautl -decrypt -inkey private.pem 
-in msg.bin -out a.txt
將私鑰轉(zhuǎn)換成 DER 格式:$ openssl rsa -in private.pem -out private.der 
-outform der
將公鑰轉(zhuǎn)換成 DER 格式:$ openssl rsa -in public.pem -out public.der 
-pubin -outform der
程序開(kāi)發(fā)數(shù)字證書(shū)的生成:
生成私鑰:openssl genrsa -out ca.key 1024
創(chuàng)建證書(shū)請(qǐng)求:openssl req -new -key ca.key -out rsacert.csr
生成證書(shū)并簽名,有效期10年:openssl x509 -req -days 3650 -in rsacert.csr 
-signkey ca.key -out rsacert.crt
轉(zhuǎn)換格式(將 openssl默認(rèn)生成的PEM 格式文件轉(zhuǎn)換成iOS支持的DER 格式):openssl x509 -outform der -in rsacert.crt -out 
rsacert.der
導(dǎo)入P12文件:openssl pkcs12 -export -out p.p12 -inkey 
ca.key -in rsacert.crt
iOS開(kāi)發(fā)中相關(guān)的函數(shù):
使用公鑰對(duì)數(shù)據(jù)加密:SecKeyEncrypt
使用私鑰對(duì)數(shù)據(jù)解密:SecKeyDecrypt
使用公鑰對(duì)數(shù)字簽名進(jìn)行驗(yàn)證:SecKeyRawVerify
使用私鑰生成數(shù)字簽名:SecKeyRawSign

3.HASH加密

Hash算法特別的地方在于它是一種單向算法,用戶(hù)可以通過(guò)Hash算法對(duì)目標(biāo)信息生成一段特定長(zhǎng)度(32個(gè)字符)的唯一的Hash值,卻不能通過(guò)這個(gè)Hash值重新獲得目標(biāo)信息。對(duì)用相同數(shù)據(jù),加密之后的密文相同。
常見(jiàn)的Hash算法有MD5SHA。
由于加密結(jié)果固定,所以基本上原始的哈希加密已經(jīng)不再安全,于是衍生出了加鹽的方式。

加鹽:先對(duì)原始數(shù)據(jù)拼接固定的字符串再進(jìn)行加密。
HMAC:也叫隨機(jī)鹽,給定一個(gè)密鑰,對(duì)明文進(jìn)行拼接,
并且做兩次散列。其中密鑰由服務(wù)器在用戶(hù)注冊(cè)時(shí)候返回給客戶(hù)端。
iOS對(duì)稱(chēng)加密代碼:
 //AES - ECB 加密
    NSString * key = @"hk";
    //加密
    NSLog(@"加密: %@",[[EncryptionTools sharedEncryptionTools] encryptString:@"hello" keyString:key iv:nil]);
    //解密
    NSLog(@"解密: %@",[[EncryptionTools sharedEncryptionTools] decryptString:@"cKRPM1ALLG+0q5qCjADoaQ==" keyString:key iv:nil]);

//AES - CBC 加密
    uint8_t iv[8] = {2,3,4,5,6,7,0,0}; //直接影響加密結(jié)果!
    NSData * ivData = [NSData dataWithBytes:iv length:sizeof(iv)];
    
    NSLog(@"CBC加密: %@",[[EncryptionTools sharedEncryptionTools] encryptString:@"hello" keyString:key iv:ivData]);
    
    NSLog(@"CBC解密: %@", [[EncryptionTools sharedEncryptionTools] decryptString:@"+dv/u4juE0WE3S9XSFyibA==" keyString:key iv:ivData]);

 //DES - ECB 加密
    [EncryptionTools sharedEncryptionTools].algorithm = kCCAlgorithmDES;
    NSLog(@"DES 加密%@",[[EncryptionTools sharedEncryptionTools] encryptString:@"hello" keyString:key iv:nil]);
    NSLog(@"DES 解密: %@", [[EncryptionTools sharedEncryptionTools] decryptString:@"vTuv8E5AlWQ=" keyString:key iv:nil]);

其中EncryptionTools文件如下:

#import <Foundation/Foundation.h>
#import <CommonCrypto/CommonCrypto.h>

/**
 *  終端測(cè)試指令
 *
 *  DES(ECB)加密
 *  $ echo -n hello | openssl enc -des-ecb -K 616263 -nosalt | base64
 *
  * DES(CBC)加密
 *  $ echo -n hello | openssl enc -des-cbc -iv 0102030405060708 -K 616263 -nosalt | base64
 *
 *  AES(ECB)加密
 *  $ echo -n hello | openssl enc -aes-128-ecb -K 616263 -nosalt | base64
 *
 *  AES(CBC)加密
 *  $ echo -n hello | openssl enc -aes-128-cbc -iv 0102030405060708 -K 616263 -nosalt | base64
 *
 *  DES(ECB)解密
 *  $ echo -n HQr0Oij2kbo= | base64 -D | openssl enc -des-ecb -K 616263 -nosalt -d
 *
 *  DES(CBC)解密
 *  $ echo -n alvrvb3Gz88= | base64 -D | openssl enc -des-cbc -iv 0102030405060708 -K 616263 -nosalt -d
 *
 *  AES(ECB)解密
 *  $ echo -n d1QG4T2tivoi0Kiu3NEmZQ== | base64 -D | openssl enc -aes-128-ecb -K 616263 -nosalt -d
 *
 *  AES(CBC)解密
 *  $ echo -n u3W/N816uzFpcg6pZ+kbdg== | base64 -D | openssl enc -aes-128-cbc -iv 0102030405060708 -K 616263 -nosalt -d
 *
 *  提示:
 *      1> 加密過(guò)程是先加密,再base64編碼
 *      2> 解密過(guò)程是先base64解碼,再解密
 */
@interface EncryptionTools : NSObject

+ (instancetype)sharedEncryptionTools;

/**
 @constant   kCCAlgorithmAES     高級(jí)加密標(biāo)準(zhǔn),128位(默認(rèn))
 @constant   kCCAlgorithmDES     數(shù)據(jù)加密標(biāo)準(zhǔn)
 */
@property (nonatomic, assign) uint32_t algorithm;

/**
 *  加密字符串并返回base64編碼字符串
 *
 *  @param string    要加密的字符串
 *  @param keyString 加密密鑰
 *  @param iv        初始化向量(8個(gè)字節(jié))
 *
 *  @return 返回加密后的base64編碼字符串
 */
- (NSString *)encryptString:(NSString *)string keyString:(NSString *)keyString iv:(NSData *)iv;

/**
 *  解密字符串
 *
 *  @param string    加密并base64編碼后的字符串
 *  @param keyString 解密密鑰
 *  @param iv        初始化向量(8個(gè)字節(jié))
 *
 *  @return 返回解密后的字符串
 */
- (NSString *)decryptString:(NSString *)string keyString:(NSString *)keyString iv:(NSData *)iv;

@end

#import "EncryptionTools.h"

@interface EncryptionTools()
@property (nonatomic, assign) int keySize;
@property (nonatomic, assign) int blockSize;
@end

@implementation EncryptionTools

+ (instancetype)sharedEncryptionTools {
    static EncryptionTools *instance;
    
    static dispatch_once_t onceToken;
    dispatch_once(&onceToken, ^{
        instance = [[self alloc] init];
        instance.algorithm = kCCAlgorithmAES;
    });
    
    return instance;
}

- (void)setAlgorithm:(uint32_t)algorithm {
    _algorithm = algorithm;
    switch (algorithm) {
        case kCCAlgorithmAES:
            self.keySize = kCCKeySizeAES128;
            self.blockSize = kCCBlockSizeAES128;
            break;
        case kCCAlgorithmDES:
            self.keySize = kCCKeySizeDES;
            self.blockSize = kCCBlockSizeDES;
            break;
        default:
            break;
    }
}

- (NSString *)encryptString:(NSString *)string keyString:(NSString *)keyString iv:(NSData *)iv {
    
    // 設(shè)置秘鑰
    NSData *keyData = [keyString dataUsingEncoding:NSUTF8StringEncoding];
    uint8_t cKey[self.keySize];
    bzero(cKey, sizeof(cKey));
    [keyData getBytes:cKey length:self.keySize];
    
    // 設(shè)置iv
    /*
     kCCOptionPKCS7Padding                      CBC 的加密方式
     kCCOptionPKCS7Padding | kCCOptionECBMode   ECB 的加密方式
     */
    uint8_t cIv[self.blockSize];
    bzero(cIv, self.blockSize);
    int option = 0;
    if (iv) {
        [iv getBytes:cIv length:self.blockSize];
        option = kCCOptionPKCS7Padding;
    } else {
        option = kCCOptionPKCS7Padding | kCCOptionECBMode;
    }
    
    // 設(shè)置輸出緩沖區(qū)
    NSData *data = [string dataUsingEncoding:NSUTF8StringEncoding];
    size_t bufferSize = [data length] + self.blockSize;
    void *buffer = malloc(bufferSize);
    
    // 開(kāi)始加密
    size_t encryptedSize = 0;
    /***
     CCCrypt 對(duì)稱(chēng)加密算法的核心函數(shù)(加密/解密)
     參數(shù):
     1.kCCEncrypt  加密/kCCDecrypt 解密
     2.加密算法,默認(rèn)使用的是  AES/DES
     3.加密選項(xiàng)  ECB/CBC 
         kCCOptionPKCS7Padding                      CBC 的加密方式
         kCCOptionPKCS7Padding | kCCOptionECBMode   ECB 的加密方式
     4.加密密鑰
     5.密鑰長(zhǎng)度
     6.iv 初始化向量,ECB 不需要指定
     7.加密的數(shù)據(jù)
     8.加密的數(shù)據(jù)的長(zhǎng)度
     9.密文的內(nèi)存地址
     10.密文緩沖區(qū)的大小
     11.加密結(jié)果大小
     */
    CCCryptorStatus cryptStatus = CCCrypt(kCCEncrypt,
                                          self.algorithm,
                                          option,
                                          cKey,
                                          self.keySize,
                                          cIv,
                                          [data bytes],
                                          [data length],
                                          buffer,
                                          bufferSize,
                                          &encryptedSize);
    
    NSData *result = nil;
    if (cryptStatus == kCCSuccess) {
        result = [NSData dataWithBytesNoCopy:buffer length:encryptedSize];
    } else {    
        free(buffer);
        NSLog(@"[錯(cuò)誤] 加密失敗|狀態(tài)編碼: %d", cryptStatus);
    }
    
    return [result base64EncodedStringWithOptions:0];
}

- (NSString *)decryptString:(NSString *)string keyString:(NSString *)keyString iv:(NSData *)iv {
    
    // 設(shè)置秘鑰
    NSData *keyData = [keyString dataUsingEncoding:NSUTF8StringEncoding];
    uint8_t cKey[self.keySize];
    bzero(cKey, sizeof(cKey));
    [keyData getBytes:cKey length:self.keySize];
    
    // 設(shè)置iv
    uint8_t cIv[self.blockSize];
    bzero(cIv, self.blockSize);
    int option = 0;
    if (iv) {
        [iv getBytes:cIv length:self.blockSize];
        option = kCCOptionPKCS7Padding;
    } else {
        option = kCCOptionPKCS7Padding | kCCOptionECBMode;
    }
    
    // 設(shè)置輸出緩沖區(qū)
    NSData *data = [[NSData alloc] initWithBase64EncodedString:string options:0];
    size_t bufferSize = [data length] + self.blockSize;
    void *buffer = malloc(bufferSize);
    
    // 開(kāi)始解密
    size_t decryptedSize = 0;
    CCCryptorStatus cryptStatus = CCCrypt(kCCDecrypt,
                                          self.algorithm,
                                          option,
                                          cKey,
                                          self.keySize,
                                          cIv,
                                          [data bytes],
                                          [data length],
                                          buffer,
                                          bufferSize,
                                          &decryptedSize);
    
    NSData *result = nil;
    if (cryptStatus == kCCSuccess) {
        result = [NSData dataWithBytesNoCopy:buffer length:decryptedSize];
    } else {
        free(buffer);
        NSLog(@"[錯(cuò)誤] 解密失敗|狀態(tài)編碼: %d", cryptStatus);
    }
    
    return [[NSString alloc] initWithData:result encoding:NSUTF8StringEncoding];
}

@end
iOS RSA加密代碼:
- (void)viewDidLoad {
    [super viewDidLoad];
    //1.加載公鑰
    [[RSACryptor sharedRSACryptor] loadPublicKey:[[NSBundle mainBundle] pathForResource:@"rsacert.der" ofType:nil]];
    //2. 加載私鑰 - P12的文件  password : 生成P12 的時(shí)候設(shè)置的密碼
    [[RSACryptor sharedRSACryptor] loadPrivateKey:[[NSBundle mainBundle] pathForResource:@"p.p12" ofType:nil] password:@"123456"];
}


- (void)touchesBegan:(NSSet<UITouch *> *)touches withEvent:(UIEvent *)event {
    
    NSData * reault = [[RSACryptor sharedRSACryptor] encryptData:[@"hello" dataUsingEncoding:NSUTF8StringEncoding]];
    //base64 編碼
    NSString * base64 = [reault base64EncodedStringWithOptions:0];
    NSLog(@"加密的信息: %@",base64);
    
    //解密
    NSData * jiemi = [[RSACryptor sharedRSACryptor] decryptData:reault];
    NSLog(@"%@",[[NSString alloc]initWithData:jiemi encoding:NSUTF8StringEncoding]);
    
}

RSACryptor文件如下:

#import <Foundation/Foundation.h>

@interface RSACryptor : NSObject

+ (instancetype)sharedRSACryptor;

/**
 *  生成密鑰對(duì)
 *
 *  @param keySize 密鑰尺寸,可選數(shù)值(512/1024/2048)
 */
- (void)generateKeyPair:(NSUInteger)keySize;

/**
 *  加載公鑰
 *
 *  @param publicKeyPath 公鑰路徑
 *
 @code
 # 生成證書(shū)
 $ openssl genrsa -out ca.key 1024
 # 創(chuàng)建證書(shū)請(qǐng)求
 $ openssl req -new -key ca.key -out rsacert.csr
 # 生成證書(shū)并簽名
 $ openssl x509 -req -days 3650 -in rsacert.csr -signkey ca.key -out rsacert.crt
 # 轉(zhuǎn)換格式
 $ openssl x509 -outform der -in rsacert.crt -out rsacert.der
 @endcode
 */
- (void)loadPublicKey:(NSString *)publicKeyPath;

/**
 *  加載私鑰
 *
 *  @param privateKeyPath p12文件路徑
 *  @param password       p12文件密碼
 *
 @code
 openssl pkcs12 -export -out p.p12 -inkey ca.key -in rsacert.crt
 @endcode
 */
- (void)loadPrivateKey:(NSString *)privateKeyPath password:(NSString *)password;

/**
 *  加密數(shù)據(jù)
 *
 *  @param plainData 明文數(shù)據(jù)
 *
 *  @return 密文數(shù)據(jù)
 */
- (NSData *)encryptData:(NSData *)plainData;

/**
 *  解密數(shù)據(jù)
 *
 *  @param cipherData 密文數(shù)據(jù)
 *
 *  @return 明文數(shù)據(jù)
 */
- (NSData *)decryptData:(NSData *)cipherData;

@end


#import "RSACryptor.h"

// 填充模式
// kSecPaddingNone 每次加密結(jié)果是固定的   kSecPaddingPKCS1 是隨機(jī)的
#define kTypeOfWrapPadding      kSecPaddingPKCS1

// 公鑰/私鑰標(biāo)簽
#define kPublicKeyTag           "com.itheima.sample.publickey"
#define kPrivateKeyTag          "com.itheima.sample.privatekey"

static const uint8_t publicKeyIdentifier[]      = kPublicKeyTag;
static const uint8_t privateKeyIdentifier[]     = kPrivateKeyTag;

@interface RSACryptor() {
    SecKeyRef publicKeyRef;                             // 公鑰引用
    SecKeyRef privateKeyRef;                            // 私鑰引用
}

@property (nonatomic, retain) NSData *publicTag;        // 公鑰標(biāo)簽
@property (nonatomic, retain) NSData *privateTag;       // 私鑰標(biāo)簽

@end

@implementation RSACryptor

+ (instancetype)sharedRSACryptor {
    static id instance;
    
    static dispatch_once_t onceToken;
    dispatch_once(&onceToken, ^{
        instance = [[self alloc] init];
    });
    return instance;
}

- (instancetype)init {
    self = [super init];
    if (self) {
        // 查詢(xún)密鑰的標(biāo)簽
        _privateTag = [[NSData alloc] initWithBytes:privateKeyIdentifier length:sizeof(privateKeyIdentifier)];
        _publicTag = [[NSData alloc] initWithBytes:publicKeyIdentifier length:sizeof(publicKeyIdentifier)];
    }
    return self;
}

#pragma mark - 加密 & 解密數(shù)據(jù)
- (NSData *)encryptData:(NSData *)plainData {
    OSStatus sanityCheck = noErr;
    size_t cipherBufferSize = 0;
    size_t keyBufferSize = 0;
    
    NSAssert(plainData != nil, @"明文數(shù)據(jù)為空");
    NSAssert(publicKeyRef != nil, @"公鑰為空");
    
    NSData *cipher = nil;
    uint8_t *cipherBuffer = NULL;
    
    // 計(jì)算緩沖區(qū)大小
    cipherBufferSize = SecKeyGetBlockSize(publicKeyRef);
    keyBufferSize = [plainData length];
    
    if (kTypeOfWrapPadding == kSecPaddingNone) {
        NSAssert(keyBufferSize <= cipherBufferSize, @"加密內(nèi)容太大");
    } else {
        NSAssert(keyBufferSize <= (cipherBufferSize - 11), @"加密內(nèi)容太大");
    }
    
    // 分配緩沖區(qū)
    cipherBuffer = malloc(cipherBufferSize * sizeof(uint8_t));
    memset((void *)cipherBuffer, 0x0, cipherBufferSize);
    
    // 使用公鑰加密
    sanityCheck = SecKeyEncrypt(publicKeyRef,
                                kTypeOfWrapPadding,
                                (const uint8_t *)[plainData bytes],
                                keyBufferSize,
                                cipherBuffer,
                                &cipherBufferSize
                                );
    
    NSAssert(sanityCheck == noErr, @"加密錯(cuò)誤,OSStatus == %d", sanityCheck);
    
    // 生成密文數(shù)據(jù)
    cipher = [NSData dataWithBytes:(const void *)cipherBuffer length:(NSUInteger)cipherBufferSize];
    
    if (cipherBuffer) free(cipherBuffer);
    
    return cipher;
}

- (NSData *)decryptData:(NSData *)cipherData {
    OSStatus sanityCheck = noErr;
    size_t cipherBufferSize = 0;
    size_t keyBufferSize = 0;
    
    NSData *key = nil;
    uint8_t *keyBuffer = NULL;
    
    SecKeyRef privateKey = NULL;
    
    privateKey = [self getPrivateKeyRef];
    NSAssert(privateKey != NULL, @"私鑰不存在");
    
    // 計(jì)算緩沖區(qū)大小
    cipherBufferSize = SecKeyGetBlockSize(privateKey);
    keyBufferSize = [cipherData length];
    
    NSAssert(keyBufferSize <= cipherBufferSize, @"解密內(nèi)容太大");
    
    // 分配緩沖區(qū)
    keyBuffer = malloc(keyBufferSize * sizeof(uint8_t));
    memset((void *)keyBuffer, 0x0, keyBufferSize);
    
    // 使用私鑰解密
    sanityCheck = SecKeyDecrypt(privateKey,
                                kTypeOfWrapPadding,
                                (const uint8_t *)[cipherData bytes],
                                cipherBufferSize,
                                keyBuffer,
                                &keyBufferSize
                                );
    
    NSAssert1(sanityCheck == noErr, @"解密錯(cuò)誤,OSStatus == %d", sanityCheck);
    
    // 生成明文數(shù)據(jù)
    key = [NSData dataWithBytes:(const void *)keyBuffer length:(NSUInteger)keyBufferSize];
    
    if (keyBuffer) free(keyBuffer);
    
    return key;
}

#pragma mark - 密鑰處理
/**
 *  生成密鑰對(duì)
 */
- (void)generateKeyPair:(NSUInteger)keySize {
    OSStatus sanityCheck = noErr;
    publicKeyRef = NULL;
    privateKeyRef = NULL;
    
    NSAssert1((keySize == 512 || keySize == 1024 || keySize == 2048), @"密鑰尺寸無(wú)效 %tu", keySize);
    
    // 刪除當(dāng)前密鑰對(duì)
    [self deleteAsymmetricKeys];
    
    // 容器字典
    NSMutableDictionary *privateKeyAttr = [[NSMutableDictionary alloc] init];
    NSMutableDictionary *publicKeyAttr = [[NSMutableDictionary alloc] init];
    NSMutableDictionary *keyPairAttr = [[NSMutableDictionary alloc] init];
    
    // 設(shè)置密鑰對(duì)的頂級(jí)字典
    [keyPairAttr setObject:(__bridge id)kSecAttrKeyTypeRSA forKey:(__bridge id)kSecAttrKeyType];
    [keyPairAttr setObject:[NSNumber numberWithUnsignedInteger:keySize] forKey:(__bridge id)kSecAttrKeySizeInBits];
    
    // 設(shè)置私鑰字典
    [privateKeyAttr setObject:[NSNumber numberWithBool:YES] forKey:(__bridge id)kSecAttrIsPermanent];
    [privateKeyAttr setObject:_privateTag forKey:(__bridge id)kSecAttrApplicationTag];
    
    // 設(shè)置公鑰字典
    [publicKeyAttr setObject:[NSNumber numberWithBool:YES] forKey:(__bridge id)kSecAttrIsPermanent];
    [publicKeyAttr setObject:_publicTag forKey:(__bridge id)kSecAttrApplicationTag];
    
    // 設(shè)置頂級(jí)字典屬性
    [keyPairAttr setObject:privateKeyAttr forKey:(__bridge id)kSecPrivateKeyAttrs];
    [keyPairAttr setObject:publicKeyAttr forKey:(__bridge id)kSecPublicKeyAttrs];
    
    // SecKeyGeneratePair 返回密鑰對(duì)引用
    sanityCheck = SecKeyGeneratePair((__bridge CFDictionaryRef)keyPairAttr, &publicKeyRef, &privateKeyRef);
    NSAssert((sanityCheck == noErr && publicKeyRef != NULL && privateKeyRef != NULL), @"生成密鑰對(duì)失敗");
}

/**
 *  加載公鑰
 */
- (void)loadPublicKey:(NSString *)publicKeyPath {
    
    NSAssert(publicKeyPath.length != 0, @"公鑰路徑為空");
    
    // 刪除當(dāng)前公鑰
    if (publicKeyRef) CFRelease(publicKeyRef);
    
    // 從一個(gè) DER 表示的證書(shū)創(chuàng)建一個(gè)證書(shū)對(duì)象
    NSData *certificateData = [NSData dataWithContentsOfFile:publicKeyPath];
    SecCertificateRef certificateRef = SecCertificateCreateWithData(kCFAllocatorDefault, (__bridge CFDataRef)certificateData);
    NSAssert(certificateRef != NULL, @"公鑰文件錯(cuò)誤");
    
    // 返回一個(gè)默認(rèn) X509 策略的公鑰對(duì)象,使用之后需要調(diào)用 CFRelease 釋放
    SecPolicyRef policyRef = SecPolicyCreateBasicX509();
    // 包含信任管理信息的結(jié)構(gòu)體
    SecTrustRef trustRef;
    
    // 基于證書(shū)和策略創(chuàng)建一個(gè)信任管理對(duì)象
    OSStatus status = SecTrustCreateWithCertificates(certificateRef, policyRef, &trustRef);
    NSAssert(status == errSecSuccess, @"創(chuàng)建信任管理對(duì)象失敗");
    
    // 信任結(jié)果
    SecTrustResultType trustResult;
    // 評(píng)估指定證書(shū)和策略的信任管理是否有效
    status = SecTrustEvaluate(trustRef, &trustResult);
    NSAssert(status == errSecSuccess, @"信任評(píng)估失敗");
    
    // 評(píng)估之后返回公鑰子證書(shū)
    publicKeyRef = SecTrustCopyPublicKey(trustRef);
    NSAssert(publicKeyRef != NULL, @"公鑰創(chuàng)建失敗");
    
    if (certificateRef) CFRelease(certificateRef);
    if (policyRef) CFRelease(policyRef);
    if (trustRef) CFRelease(trustRef);
}

/**
 *  加載私鑰
 */
- (void)loadPrivateKey:(NSString *)privateKeyPath password:(NSString *)password {
    
    NSAssert(privateKeyPath.length != 0, @"私鑰路徑為空");
    
    // 刪除當(dāng)前私鑰
    if (privateKeyRef) CFRelease(privateKeyRef);
    
    NSData *PKCS12Data = [NSData dataWithContentsOfFile:privateKeyPath];
    CFDataRef inPKCS12Data = (__bridge CFDataRef)PKCS12Data;
    CFStringRef passwordRef = (__bridge CFStringRef)password;
    
    // 從 PKCS #12 證書(shū)中提取標(biāo)示和證書(shū)
    SecIdentityRef myIdentity;
    SecTrustRef myTrust;
    const void *keys[] =   {kSecImportExportPassphrase};
    const void *values[] = {passwordRef};
    CFDictionaryRef optionsDictionary = CFDictionaryCreate(NULL, keys, values, 1, NULL, NULL);
    CFArrayRef items = CFArrayCreate(NULL, 0, 0, NULL);
    
    // 返回 PKCS #12 格式數(shù)據(jù)中的標(biāo)示和證書(shū)
    OSStatus status = SecPKCS12Import(inPKCS12Data, optionsDictionary, &items);
    
    if (status == noErr) {
        CFDictionaryRef myIdentityAndTrust = CFArrayGetValueAtIndex(items, 0);
        myIdentity = (SecIdentityRef)CFDictionaryGetValue(myIdentityAndTrust, kSecImportItemIdentity);
        myTrust = (SecTrustRef)CFDictionaryGetValue(myIdentityAndTrust, kSecImportItemTrust);
    }
    
    if (optionsDictionary) CFRelease(optionsDictionary);
    
    NSAssert(status == noErr, @"提取身份和信任失敗");
    
    SecTrustResultType trustResult;
    // 評(píng)估指定證書(shū)和策略的信任管理是否有效
    status = SecTrustEvaluate(myTrust, &trustResult);
    NSAssert(status == errSecSuccess, @"信任評(píng)估失敗");
    
    // 提取私鑰
    status = SecIdentityCopyPrivateKey(myIdentity, &privateKeyRef);
    NSAssert(status == errSecSuccess, @"私鑰創(chuàng)建失敗");
}

/**
 *  刪除非對(duì)稱(chēng)密鑰
 */
- (void)deleteAsymmetricKeys {
    OSStatus sanityCheck = noErr;
    NSMutableDictionary *queryPublicKey = [[NSMutableDictionary alloc] init];
    NSMutableDictionary *queryPrivateKey = [[NSMutableDictionary alloc] init];
    
    // 設(shè)置公鑰查詢(xún)字典
    [queryPublicKey setObject:(__bridge id)kSecClassKey forKey:(__bridge id)kSecClass];
    [queryPublicKey setObject:_publicTag forKey:(__bridge id)kSecAttrApplicationTag];
    [queryPublicKey setObject:(__bridge id)kSecAttrKeyTypeRSA forKey:(__bridge id)kSecAttrKeyType];
    
    // 設(shè)置私鑰查詢(xún)字典
    [queryPrivateKey setObject:(__bridge id)kSecClassKey forKey:(__bridge id)kSecClass];
    [queryPrivateKey setObject:_privateTag forKey:(__bridge id)kSecAttrApplicationTag];
    [queryPrivateKey setObject:(__bridge id)kSecAttrKeyTypeRSA forKey:(__bridge id)kSecAttrKeyType];
    
    // 刪除私鑰
    sanityCheck = SecItemDelete((__bridge CFDictionaryRef)queryPrivateKey);
    NSAssert1((sanityCheck == noErr || sanityCheck == errSecItemNotFound), @"刪除私鑰錯(cuò)誤,OSStatus == %d", sanityCheck);
    
    // 刪除公鑰
    sanityCheck = SecItemDelete((__bridge CFDictionaryRef)queryPublicKey);
    NSAssert1((sanityCheck == noErr || sanityCheck == errSecItemNotFound), @"刪除公鑰錯(cuò)誤,OSStatus == %d", sanityCheck);
    
    if (publicKeyRef) CFRelease(publicKeyRef);
    if (privateKeyRef) CFRelease(privateKeyRef);
}

/**
 *  獲得私鑰引用
 */
- (SecKeyRef)getPrivateKeyRef {
    OSStatus sanityCheck = noErr;
    SecKeyRef privateKeyReference = NULL;
    
    if (privateKeyRef == NULL) {
        NSMutableDictionary * queryPrivateKey = [[NSMutableDictionary alloc] init];
        
        // 設(shè)置私鑰查詢(xún)字典
        [queryPrivateKey setObject:(__bridge id)kSecClassKey forKey:(__bridge id)kSecClass];
        [queryPrivateKey setObject:_privateTag forKey:(__bridge id)kSecAttrApplicationTag];
        [queryPrivateKey setObject:(__bridge id)kSecAttrKeyTypeRSA forKey:(__bridge id)kSecAttrKeyType];
        [queryPrivateKey setObject:[NSNumber numberWithBool:YES] forKey:(__bridge id)kSecReturnRef];
        
        // 獲得密鑰
        sanityCheck = SecItemCopyMatching((__bridge CFDictionaryRef)queryPrivateKey, (CFTypeRef *)&privateKeyReference);
        
        if (sanityCheck != noErr) {
            privateKeyReference = NULL;
        }
    } else {
        privateKeyReference = privateKeyRef;
    }
    
    return privateKeyReference;
}

@end
最后編輯于
?著作權(quán)歸作者所有,轉(zhuǎn)載或內(nèi)容合作請(qǐng)聯(lián)系作者
【社區(qū)內(nèi)容提示】社區(qū)部分內(nèi)容疑似由AI輔助生成,瀏覽時(shí)請(qǐng)結(jié)合常識(shí)與多方信息審慎甄別。
平臺(tái)聲明:文章內(nèi)容(如有圖片或視頻亦包括在內(nèi))由作者上傳并發(fā)布,文章內(nèi)容僅代表作者本人觀(guān)點(diǎn),簡(jiǎn)書(shū)系信息發(fā)布平臺(tái),僅提供信息存儲(chǔ)服務(wù)。

相關(guān)閱讀更多精彩內(nèi)容

  • 本文主要介紹移動(dòng)端的加解密算法的分類(lèi)、其優(yōu)缺點(diǎn)特性及應(yīng)用,幫助讀者由淺入深地了解和選擇加解密算法。文中會(huì)包含算法的...
    蘋(píng)果粉閱讀 11,671評(píng)論 5 29
  • 2018-Read-Record 記錄我的2018學(xué)習(xí)歷程 文中首先解釋了加密解密的一些基礎(chǔ)知識(shí)和概念,然后通過(guò)一...
    NinthDay閱讀 11,444評(píng)論 8 105
  • 這篇文章主要講述在Mobile BI(移動(dòng)商務(wù)智能)開(kāi)發(fā)過(guò)程中,在網(wǎng)絡(luò)通信、數(shù)據(jù)存儲(chǔ)、登錄驗(yàn)證這幾個(gè)方面涉及的加密...
    雨_樹(shù)閱讀 3,018評(píng)論 0 6
  • 概述 之前一直對(duì)加密相關(guān)的算法知之甚少,只知道類(lèi)似DES、RSA等加密算法能對(duì)數(shù)據(jù)傳輸進(jìn)行加密,且各種加密算法各有...
    Henryzhu閱讀 3,208評(píng)論 0 14
  • 今日三只青蛙: 1.冥想。 2.時(shí)間管理100講第27講。? 3.簡(jiǎn)書(shū)總結(jié)90天收獲。 時(shí)間管理第27講 今日感悟:
    Eason媽咪閱讀 220評(píng)論 0 0

友情鏈接更多精彩內(nèi)容