前言:
iOS常用的加密有很多种,前两天在工作中遇到了RSA加密,现在把代吗分享出来。
RSA基本原理
RSA使用"秘匙对"对数据进行加密解密.在加密解密数据前,需要先生成公钥(public key)和私钥(private key).
- 公钥(public key): 用于加密数据. 用于公开, 一般存放在数据提供方, 例如iOS客户端.
- 私钥(private key): 用于解密数据. 必须保密, 私钥泄露会造成安全问题
第一步:公钥、私钥的生成
iOS开发者可直接在Mac终端生成,命令如下,生成公钥der文件的时候需要填写国家地区等基本信息,也可直接忽略不填。生成私p12文件的时候需要填写密码,这个必填而且要记住,后面会用得着。
// 生成1024位私钥
openssl genrsa -out private_key.pem 1024
// 根据私钥生成CSR文件
openssl req -new -key private_key.pem -out rsaCertReq.csr
// 根据私钥和CSR文件生成crt文件
openssl x509 -req -days 3650 -in rsaCertReq.csr -signkey private_key.pem -out rsaCert.crt
// 为IOS端生成公钥der文件
openssl x509 -outform der -in rsaCert.crt -out public_key.der
// 将私钥导出为这p12文件
openssl pkcs12 -export -out private_key.p12 -inkey private_key.pem -in rsaCert.crt
第二步:加密相关的代码
在加密加密的时候需要定义公有变量公钥和私钥
SecKeyRef _publicKey;
SecKeyRef _privateKey;
加密相关的代码
#pragma mark - 加密相关
//用本地证书加载公钥
- (void)loadPublicKeyWithPath:(NSString *)derFilePath
{
NSData *derData = [[NSData alloc] initWithContentsOfFile:derFilePath];
if (derData.length > )
{
[self loadPublicKeyWithData:derData];
}
else
{
NSLog(@"load public key fail with path: %@", derFilePath);
}
}
//加载公钥方法
- (void)loadPublicKeyWithData:(NSData *)derData
{
SecCertificateRef myCertificate = SecCertificateCreateWithData(kCFAllocatorDefault, (__bridge CFDataRef)derData);
SecPolicyRef myPolicy = SecPolicyCreateBasicX509();
SecTrustRef myTrust;
OSStatus status = SecTrustCreateWithCertificates(myCertificate,myPolicy,&myTrust);
SecTrustResultType trustResult;
if (status == noErr) {
status = SecTrustEvaluate(myTrust, &trustResult);
} SecKeyRef securityKey = SecTrustCopyPublicKey(myTrust); CFRelease(myCertificate); CFRelease(myPolicy); CFRelease(myTrust); _publicKey = securityKey;
} //将文本内容加密
- (NSString *)rsaEncryptText:(NSString *)text
{
NSData *encryptedData = [self rsaEncryptData:[text dataUsingEncoding:NSUTF8StringEncoding]];
NSString *base64EncryptedString = [encryptedData base64EncodedStringWithOptions:];
return base64EncryptedString;
} //分段再加密数据
- (NSData *)rsaEncryptData:(NSData *)data
{
SecKeyRef key = _publicKey; size_t cipherBufferSize = SecKeyGetBlockSize(key);
uint8_t *cipherBuffer = malloc(cipherBufferSize * sizeof(uint8_t));
size_t blockSize = cipherBufferSize - ;
size_t blockCount = (size_t)ceil([data length] / (double)blockSize);
NSMutableData *encryptedData = [[NSMutableData alloc] init] ;
for (int i = ; i < blockCount; i++)
{
size_t bufferSize = MIN(blockSize,[data length] - i * blockSize);
NSData *buffer = [data subdataWithRange:NSMakeRange(i * blockSize, bufferSize)];
OSStatus status = SecKeyEncrypt(key, kSecPaddingPKCS1,(const uint8_t *)[buffer bytes],[buffer length],cipherBuffer,&cipherBufferSize);
if (status == noErr)
{
NSData *encryptedBytes = [[NSData alloc] initWithBytes:(const void *)cipherBuffer length: cipherBufferSize];
[encryptedData appendData:encryptedBytes];
}
else
{
if (cipherBuffer) {
free(cipherBuffer);
} return nil;
} }
if (cipherBuffer)
{
free(cipherBuffer); }
return encryptedData;
}
第三步:解密相关代码
#pragma mark - 解密相关
- (void)loadPrivateKeyWithPath:(NSString *)p12FilePath password:(NSString *)p12Password
{
NSData *data = [NSData dataWithContentsOfFile:p12FilePath];
if (data.length > )
{
[self loadPrivateKeyWithData:data password:p12Password];
}
else
{ NSLog(@"load private key fail with path: %@", p12FilePath);
}
}
//生成私钥
- (void)loadPrivateKeyWithData:(NSData *)p12Data password:(NSString *)p12Password
{
SecKeyRef privateKeyRef = NULL;
NSMutableDictionary * options = [[NSMutableDictionary alloc] init]; [options setObject:p12Password forKey:(__bridge id)kSecImportExportPassphrase]; CFArrayRef items = CFArrayCreate(NULL, , , NULL);
OSStatus securityError = SecPKCS12Import((__bridge CFDataRef)p12Data,
(__bridge CFDictionaryRef)options,
&items); if (securityError == noErr && CFArrayGetCount(items) > ) { CFDictionaryRef identityDict = CFArrayGetValueAtIndex(items, );
SecIdentityRef identityApp = (SecIdentityRef)CFDictionaryGetValue(identityDict,
kSecImportItemIdentity);
securityError = SecIdentityCopyPrivateKey(identityApp, &privateKeyRef); if (securityError != noErr) {
privateKeyRef = NULL;
}
} _privateKey = privateKeyRef;
CFRelease(items);
} //调用下面方法进行解密,最后返回一个字符串
- (NSString *)rsaDecryptText:(NSString *)text
{
NSData *data = [[NSData alloc] initWithBase64EncodedString:text options:];
NSData *decryptData = [self rsaDecryptData:data];
NSString *result = [[NSString alloc] initWithData:decryptData encoding:NSUTF8StringEncoding];
return result;
} //用私钥解密的方法,被上面方法调用
- (NSData *)rsaDecryptData:(NSData *)data
{
SecKeyRef key = _privateKey; size_t cipherLen = [data length];
void *cipher = malloc(cipherLen); [data getBytes:cipher length:cipherLen];
size_t plainLen = SecKeyGetBlockSize(key) - ;
void *plain = malloc(plainLen);
OSStatus status = SecKeyDecrypt(key, kSecPaddingPKCS1, cipher, cipherLen, plain, &plainLen);
if (status != noErr)
{
return nil;
}
NSData *decryptedData = [[NSData alloc] initWithBytes:(const void *)plain length:plainLen];
return decryptedData;
}
第四步:RSA加密解密的应用
在加密活解密之前一定要闲加载证书,然后再调用加密方法,直接上代码
- (IBAction)decryptionBtnClick:(id)sender {
NSString *path = [[NSBundle mainBundle] pathForResource:@"public_key" ofType:@"der"];
[self loadPublicKeyWithPath:path];
path = [[NSBundle mainBundle] pathForResource:@"private_key" ofType:@"p12"];
[self loadPrivateKeyWithPath:path password:@"bestnet"];
NSString *encryptStr = self.encryptTextFeild.text;
if (encryptStr.length > )
{
NSString *miwen = [self rsaEncryptText:encryptStr];
self.miWenLabel.text = [NSString stringWithFormat:@"加密结果:%@", miwen];
if (miwen.length > )
{
self.decryptionTextFeild.text = [self rsaDecryptText:miwen];
}
}
}
效果图
