如何以PEM格式从DH键中提取DH参数

Question

我使用某些g和p参数生成了Diffie-Hellman密钥，如下所示：

$ cat dhparam.pem
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEAnc5+uXl2K09Nrp1oxN/KbIcIYLg8HXCu9UNW7gFknkHil7OVAKHR
Km0Dc8IjqhJpDfoNKFoDo2Vd0KB9moSkDmhFmidcXO7Q8zSq0Z4BXFTO61OMukdd
dul1ovbleqfH4DcbCjH4LiZGICFUyGseiBakt3e2BORyjSA3IEg4hm9WvdCevWPW
Njc9reFgL6Vua8HkOGkLB+EvRP1YT4v5hGGP/6A7WxRevx5EjF9VgojyDLMPN26C
3c17KY2jNV0W1GEcKEciWS61QInUDBDPYNuQzTl0LucbOpJyV3BFr6pokRBaO3bI
ZYUPhjA2WSxJUeeJboJfisr+CQa9kc1dYwIBAg==
-----END DH PARAMETERS-----
$ openssl genpkey -paramfile dhparam.pem -out dh.pem
$ cat dh.pem
-----BEGIN PRIVATE KEY-----
MIICJgIBADCCARcGCSqGSIb3DQEDATCCAQgCggEBAJ3Ofrl5ditPTa6daMTfymyH
CGC4PB1wrvVDVu4BZJ5B4pezlQCh0SptA3PCI6oSaQ36DShaA6NlXdCgfZqEpA5o
RZonXFzu0PM0qtGeAVxUzutTjLpHXXbpdaL25Xqnx+A3Gwox+C4mRiAhVMhrHogW
pLd3tgTkco0gNyBIOIZvVr3Qnr1j1jY3Pa3hYC+lbmvB5DhpCwfhL0T9WE+L+YRh
j/+gO1sUXr8eRIxfVYKI8gyzDzdugt3NeymNozVdFtRhHChHIlkutUCJ1AwQz2Db
kM05dC7nGzqScldwRa+qaJEQWjt2yGWFD4YwNlksSVHniW6CX4rK/gkGvZHNXWMC
AQIEggEEAoIBAGJBY5qzXPRi62hzho+ebCeZMdVqGQrlc9h/1hmrlzXlna8Mu8WF
0hp/ol8s3AAvuG2w8sMHH/D0kHj2Ptf92khH2WObWAzyybf3IubpVumw6d2KSe1j
LhW0cJum/lbyhyGJNgdNrVlwyNcId2Z53K9TK1BQnb3/gJjM+cRZ1yyoPDTXZpLl
1dmLz3lw+kmowyNXtl/wgzDclR16/w7JSvM+tOFCs4X1ZZF9TbQi7czc0ov101gP
bJjbUaYNOLUQrI/vVEDmCzYIL3PDLV07gQu0FeLHnRChgdjal3xVIsp0oV+2cN7K
/UX4xqCSBXp8ieAoJ+r7zZD44JqhMVF+d5A=
-----END PRIVATE KEY-----

我的理解是，密钥文件dh.pem不仅包括密钥的秘密部分，还包括生成密钥的非机密g和p参数--也就是说，dh.pem是dhparam.pem的超集。

我想重建dhparam.pem，只给dh.pem。也就是说，给定一个DH密钥文件，以PEM格式转储它的参数。

似乎openssl本身并不直接支持这一点，但是也许有一些不太可怕的方法可以用shell脚本或其他什么来提取信息呢？openssl dhparam说：

这个程序操纵DH参数，而不是键。 BUGS:应该有一种方法来生成和操作DH键。

关联：OpenSSL:显示DH参数 -但在这个问题上，他们是从证书开始的，而不是私钥。(我不知道把我的钥匙变成证书的咒语。)

Answer 1

PEM文件是base64 64编码的德雷序列化ASN.1文件，具有页眉和页脚保护。具有正确模式的ASN.1解析器可以对它们进行解码。碰巧的是，openssl有这样一个有用的内置：

$ openssl asn1parse <dhparam.pem
    0:d=0  hl=4 l= 264 cons: SEQUENCE
    4:d=1  hl=4 l= 257 prim: INTEGER           :9DCE7EB979762B4F4DAE9D68C4DFCA6C870860B83C1D70AEF54356EE01649E41E297B39500A1D12A6D0373C223AA12690DFA0D285A03A3655DD0A07D9A84A40E68459A275C5CEED0F334AAD19E015C54CEEB538CBA475D76E975A2F6E57AA7C7E0371B0A31F82E2646202154C86B1E8816A4B777B604E4728D2037204838866F56BDD09EBD63D636373DADE1602FA56E6BC1E438690B07E12F44FD584F8BF984618FFFA03B5B145EBF1E448C5F558288F20CB30F376E82DDCD7B298DA3355D16D4611C284722592EB54089D40C10CF60DB90CD39742EE71B3A9272577045AFAA6891105A3B76C865850F863036592C4951E7896E825F8ACAFE0906BD91CD5D63
  265:d=1  hl=2 l=   1 prim: INTEGER           :02

$ openssl asn1parse <dh.pem
    0:d=0  hl=4 l= 550 cons: SEQUENCE
    4:d=1  hl=2 l=   1 prim: INTEGER           :00
    7:d=1  hl=4 l= 279 cons: SEQUENCE
   11:d=2  hl=2 l=   9 prim: OBJECT            :dhKeyAgreement
   22:d=2  hl=4 l= 264 cons: SEQUENCE
   26:d=3  hl=4 l= 257 prim: INTEGER           :9DCE7EB979762B4F4DAE9D68C4DFCA6C870860B83C1D70AEF54356EE01649E41E297B39500A1D12A6D0373C223AA12690DFA0D285A03A3655DD0A07D9A84A40E68459A275C5CEED0F334AAD19E015C54CEEB538CBA475D76E975A2F6E57AA7C7E0371B0A31F82E2646202154C86B1E8816A4B777B604E4728D2037204838866F56BDD09EBD63D636373DADE1602FA56E6BC1E438690B07E12F44FD584F8BF984618FFFA03B5B145EBF1E448C5F558288F20CB30F376E82DDCD7B298DA3355D16D4611C284722592EB54089D40C10CF60DB90CD39742EE71B3A9272577045AFAA6891105A3B76C865850F863036592C4951E7896E825F8ACAFE0906BD91CD5D63
  287:d=3  hl=2 l=   1 prim: INTEGER           :02
  290:d=1  hl=4 l= 260 prim: OCTET STRING      [HEX DUMP]:028201006241639AB35CF462EB6873868F9E6C279931D56A190AE573D87FD619AB9735E59DAF0CBBC585D21A7FA25F2CDC002FB86DB0F2C3071FF0F49078F63ED7FDDA4847D9639B580CF2C9B7F722E6E956E9B0E9DD8A49ED632E15B4709BA6FE56F287218936074DAD5970C8D708776679DCAF532B50509DBDFF8098CCF9C459D72CA83C34D76692E5D5D98BCF7970FA49A8C32357B65FF08330DC951D7AFF0EC94AF33EB4E142B385F565917D4DB422EDCCDCD28BF5D3580F6C98DB51A60D38B510AC8FEF5440E60B36082F73C32D5D3B810BB415E2C79D10A181D8DA977C5522CA74A15FB670DECAFD45F8C6A092057A7C89E02827EAFBCD90F8E09AA131517E7790

鲍勃是你叔叔。