OpenSSL Command Set

Contributed by sky_mouse on 2012-04-18

Author: conezxy, created 2005-07-04 02:05:00; last modified by 多鸟房间里的鱼 on 2010-04-12 11:59:00; 10494 characters

Abstract: OpenSSL is the best-known open library for secure communication. Search Google for "SSL library" and OpenSSL sits at the top of the results. It was born in 1998 out of the SSLeay library written by Eric Young and Tim Hudson.

OpenSSL Training Series: the Command Set
Classification: normal / secret / top secret    Project: developer training    Date: 2005/7/4    Author: 掌晓愚    Keywords:

Contents
1 Introduction to OpenSSL
2 The OpenSSL command set
2.1 Machine performance test
2.2 Computing a file's hash and Base64 encoding
2.3 Generating an RSA key pair
2.4 Building a certificate request
2.5 Parsing a certificate request
2.6 Self-signing the root CA certificate
2.7 Issuing a user certificate
2.8 Converting between PEM and p12 formats
2.9 Parsing certificate contents
2.10 Checking that a private key matches a certificate
2.11 Verifying a certificate chain
2.12 Checking certificate purposes
2.13 Building a MIME-format PKCS7 signature
2.14 Verifying a MIME-format PKCS7 signature
2.15 Building a MIME-format digital envelope
2.16 Decrypting a MIME-format digital envelope

Shanghai Koal Software Co., Ltd.  4F, Building A, 288 Yuyao Road, Shanghai  Tel: (86-021) 62327010  Fax: (86-021) 62327015  URL: http://www.koal.com

1 Introduction to OpenSSL

OpenSSL is the best-known open library for secure communication. Search Google for "SSL library" and OpenSSL sits at the top of the results. It was born in 1998 out of the SSLeay library written by Eric Young and Tim Hudson, and it comes in two parts:
1. the OpenSSL command set
2. the cryptographic algorithm library libcrypto and the SSL protocol library libssl.so

2 The OpenSSL command set

The OpenSSL command set consists of the following:

Standard commands
asn1parse ca ciphers crl crl2pkcs7 dgst dh dhparam dsa dsaparam enc errstr gendh gendsa genrsa nseq passwd pkcs12 pkcs7 pkcs8 rand req rsa rsautl s_client s_server s_time sess_id smime speed spkac verify version x509

Message Digest commands (see the `dgst' command for more details)
md2 md4 md5 mdc2 rmd160 sha sha1

Cipher commands (see the `enc' command for more details)
base64 bf bf-cbc bf-cfb bf-ecb bf-ofb cast cast-cbc cast5-cbc cast5-cfb cast5-ecb cast5-ofb des des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb des-ofb des3 desx rc2 rc2-40-cbc rc2-64-cbc rc2-cbc rc2-cfb rc2-ecb rc2-ofb rc4 rc4-40

The openssl command set fully embodies the KISS spirit of Unix programming: each command does one simple, independent job, and combining them with a scripting language yields powerful functionality. Only the commands we use most often are introduced briefly here; detailed help for each command is in its man page, for example man x509 for the x509 command (note: the Digest and Cipher families of commands are used in essentially the same way; their man pages are man dgst and man enc respectively).

2.1 Machine performance test

    openssl speed
    openssl speed rsa1024

This is a single-process test, so on a dual-CPU machine it exercises only half of the machine's capacity.

2.2 Computing a file's hash and Base64 encoding

    openssl dgst -md5 /lib/libc-2.2.5.so
    openssl dgst -sha1 /lib/libc-2.2.5.so
    openssl enc -base64 -in /etc/syslog.conf

2.3 Generating an RSA key pair

Private key without password protection:

    openssl genrsa -out mysite.key 1024

Private key with password protection:

    openssl genrsa -out mysite.key -des3 -passout pass:123456 1024

2.4 Building a certificate request

Interactive input; the certificate fields such as CN and Email are filled in by hand:

    openssl req -key mysite.key -passin pass:123456 -new -out mysite.req

Non-interactive input; first write a configuration file mysite.cnf with the following content:

    [ req ]
    distinguished_name = req_distinguished_name
    prompt = no

    [ req_distinguished_name ]
    C = CN
    ST = SH
    L = Shanghai
    O = Koal Software
    OU = SSL Group
    CN = mysite
    emailAddress = ssl@koal.com

then run openssl req with the -config option:

    openssl req -key mysite.key -passin pass:123456 -new -config mysite.cnf -out mysite.req

If the certificate needs several CN or OU values, the cnf file is written in the following form:

    [ req ]
    distinguished_name = req_distinguished_name
    prompt = no

    [ req_distinguished_name ]
    C = CN
    ST = SH
    L = Shanghai
    O = Koal Software
    1.OU = Dept.DEV
    2.OU = SSL Group
    1.CN = koaltester
    2.CN = mysite
    emailAddress = ssl@koal.com

2.5 Parsing a certificate request

    openssl req -in mysite.req -text

2.6 Self-signing the root CA certificate

The root CA's certificate is signed by itself. Assuming the root CA's key pair testca.key has already been generated with openssl genrsa and the certificate request testca.req with openssl req, the self-signed certificate is produced with the openssl x509 command:

    openssl x509 -req -in testca.req -signkey testca.key -out testca.pem -passin pass:abcdef

2.7 Issuing a user certificate

Issuing a user certificate is similar to self-signing the root CA certificate. Assuming the key pair mysite.key has already been generated with openssl genrsa and the certificate request mysite.req with openssl req, the certificate is issued with the openssl x509 command:

    openssl x509 -req -in mysite.req -CA testca.pem -CAkey testca.key -out mysite.pem -passin pass:abcdef -CAcreateserial

Note: the -days option of the x509 command sets the certificate's validity period.

2.8 Converting between PEM and p12 formats

PEM to p12:

    openssl pkcs12 -export -inkey mysite.key -in mysite.pem -passin pass:123456 -passout pass:123456 -out mysite.p12

p12 to PEM:

Certificate:

    openssl pkcs12 -in mysite.p12 -nokeys -passin pass:123456 -out mysite.pem

Private key:

    openssl pkcs12 -in mysite.p12 -nocerts -passin pass:123456 -passout pass:123123 -out mysite.key

2.9 Parsing certificate contents

The complete certificate contents:

    [kmc@conezxy-redhat-73 test]$ openssl x509 -in mysite.pem -noout -text
    Certificate:
        Data:
            Version: 1 (0x0)
            Serial Number: 1 (0x1)
            Signature Algorithm: md5WithRSAEncryption
            Issuer: C=CN, ST=SH, L=Shanghai, O=Koal Software, OU=SSL Group, CN=testca/Email=ssl@koal.com
            Validity
                Not Before: Jul 13 07:11:05 2005 GMT
                Not After : Aug 12 07:11:05 2005 GMT
            Subject: C=CN, ST=SH, L=Shanghai, O=Koal Software, OU=SSL Group, CN=mysite/Email=ssl@koal.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):
                        00:ce:71:a4:69:6d:14:a1:8c:8c:a3:50:4e:e7:10:
                        51:f1:14:f2:a0:e1:39:1e:e6:28:d2:9c:33:ac:96:
                        09:e6:4a:44:6f:3f:65:97:f8:ef:57:cd:8c:2b:c2:
                        42:ce:3a:82:b9:7b:97:f4:f7:7b:dc:ea:4a:99:34:
                        4d:0a:db:fd:61:93:05:1c:fa:b1:28:b3:b3:f0:47:
                        47:25:ce:ff:ce:b3:c0:ed:ae:6e:68:03:f1:b8:cb:
                        26:e2:00:73:65:83:5a:05:b9:ba:5e:22:5e:ab:3f:
                        a2:c4:16:0f:1b:b0:c6:c7:55:1a:92:42:d3:bb:25:
                        06:a3:03:5b:99:0d:ba:7d:93
                    Exponent: 65537 (0x10001)
        Signature Algorithm: md5WithRSAEncryption
            81:ba:6f:e9:b2:6e:7d:7f:60:52:55:e0:d3:54:2d:23:52:a3:
            c7:4b:c5:53:ab:e7:af:b2:c5:c9:a4:37:15:2e:c3:1e:dc:0b:
            6b:a4:58:f0:7a:23:d2:42:81:8c:a8:27:98:94:0c:25:94:c3:
            79:49:f8:c7:84:85:a1:96:bf:ab:e3:8b:3a:61:e0:8b:c6:9f:
            99:1c:78:fc:ac:43:7c:4b:71:de:91:9c:5d:c1:2a:b7:9b:00:
            19:ce:02:d6:9c:a1:fb:fc:56:91:56:6f:3e:82:27:7b:c5:3b:
            1f:98:b4:64:96:0e:a1:19:70:fc:b3:b1:75:ff:e1:9b:b4:fe:
            b9:66

The RSA modulus of the public key in the certificate:

    [kmc@conezxy-redhat-73 test]$ openssl x509 -in mysite.pem -noout -modulus
    Modulus=CE71A4696D14A18C8CA3504EE71051F114F2A0E1391EE628D29C33AC9609E64A446F3F6597F8EF57CD8C2BC242CE3A82B97B97F4F77BDCEA4A99344D0ADBFD6193051CFAB128B3B3F0474725CEFFCEB3C0EDAE6E6803F1B8CB26E2007365835A05B9BA5E225EAB3FA2C4160F1BB0C6C7551A9242D3BB2506A3035B990DBA7D93

The certificate's subject (CN, C, L and so on):

    [kmc@conezxy-redhat-73 test]$ openssl x509 -in mysite.pem -noout -subject -nameopt multiline
    subject=
        countryName               = CN
        stateOrProvinceName       = SH
        localityName              = Shanghai
        organizationName          = Koal Software
        organizationalUnitName    = SSL Group
        commonName                = mysite
        emailAddress              = ssl@koal.com

The certificate's issuer (CN, C, L and so on):

    [kmc@conezxy-redhat-73 test]$ openssl x509 -in mysite.pem -noout -issuer -nameopt multiline
    issuer=
        countryName               = CN
        stateOrProvinceName       = SH
        localityName              = Shanghai
        organizationName          = Koal Software
        organizationalUnitName    = SSL Group
        commonName                = testca
        emailAddress              = ssl@koal.com

2.10 Checking that a private key matches a certificate

Get the RSA modulus of the public key from the certificate:

    [kmc@conezxy-redhat-73 test]$ openssl x509 -in mysite.pem -noout -modulus
    Modulus=CE71A4696D14A18C8CA3504EE71051F114F2A0E1391EE628D29C33AC9609E64A446F3F6597F8EF57CD8C2BC242CE3A82B97B97F4F77BDCEA4A99344D0ADBFD6193051CFAB128B3B3F0474725CEFFCEB3C0EDAE6E6803F1B8CB26E2007365835A05B9BA5E225EAB3FA2C4160F1BB0C6C7551A9242D3BB2506A3035B990DBA7D93

Get the RSA modulus from the private key:

    [kmc@conezxy-redhat-73 test]$ openssl rsa -in mysite.key -passin pass:123456 -noout -modulus
    read RSA key
    Modulus=CE71A4696D14A18C8CA3504EE71051F114F2A0E1391EE628D29C33AC9609E64A446F3F6597F8EF57CD8C2BC242CE3A82B97B97F4F77BDCEA4A99344D0ADBFD6193051CFAB128B3B3F0474725CEFFCEB3C0EDAE6E6803F1B8CB26E2007365835A05B9BA5E225EAB3FA2C4160F1BB0C6C7551A9242D3BB2506A3035B990DBA7D93

The two modulus values are identical, so the private key and the certificate match.

2.11 Verifying a certificate chain

When the certificate chain is complete:

    [kmc@conezxy-redhat-73 test]$ openssl verify -CAfile testca.pem mysite.pem
    mysite.pem: OK

When the certificate chain is incomplete:

    [kmc@conezxy-redhat-73 test]$ openssl verify -CAfile DemoCA.pem 192.168.3.145.pem
    192.168.3.145.pem: /C=\x00C\x00N/CN=\x00D\x00e\x00m\x00o\x00C\x00A/O=\x00k\x00o\x00a\x00l/ST=\x00k\x00o\x00a\x00l
    error 2 at 1 depth lookup:unable to get issuer certificate

2.12 Checking certificate purposes

    [kmc@conezxy-redhat-73 test]$ openssl x509 -purpose -noout -in 192.168.200.7.cer
    Certificate purposes:
    SSL client : Yes
    SSL client CA : No
    SSL server : No
    SSL server CA : No
    Netscape SSL server : No
    Netscape SSL server CA : No
    S/MIME signing : No
    S/MIME signing CA : No
    S/MIME encryption : No
    S/MIME encryption CA : No
    CRL signing : No
    CRL signing CA : No
    Any Purpose : Yes
    Any Purpose CA : Yes
    OCSP helper : Yes
    OCSP helper CA : No

"SSL server : No" means this certificate cannot be used as a server certificate, that is, not as a site certificate.

2.13 Building a MIME-format PKCS7 signature

Assume the signing private key is visitor.key, the certificate belonging to that key is visitor.pem, and the plaintext file register.txt has the content:

    HARDDISK_SN=12345678
    MAC=000000

    KSSL-MAIN:~# openssl smime -sign -in register.txt -signer visitor.pem -inkey visitor.key -text -out register.sig
    MIME-Version: 1.0
    Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="----707B3E8CCDAA80B36C2C778223B7D65D"

    This is an S/MIME signed message

    ------707B3E8CCDAA80B36C2C778223B7D65D
    Content-Type: text/plain

    HARDDISK_SN=12345678
    MAC=000000

    ------707B3E8CCDAA80B36C2C778223B7D65D
    Content-Type: application/x-pkcs7-signature; name="smime.p7s"
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment; filename="smime.p7s"

    [base64-encoded PKCS#7 signature omitted]

    ------707B3E8CCDAA80B36C2C778223B7D65D--

2.14 Verifying a MIME-format PKCS7 signature

    KSSL-MAIN:~# openssl smime -verify -in register.sig -CAfile SSL-DemoCA.pem -signer register.pem
    Content-Type: text/plain

    HARDDISK_SN=12345678
    MAC=000000

    Verification successful

The option -signer register.pem specifies that the certificate belonging to this signature is written out to register.pem.

2.15 Building a MIME-format digital envelope

Assume the recipient's certificate is visitor.pem, the private key belonging to that certificate is visitor.key, and the plaintext file register.txt to be enveloped has the content:

    HARDDISK_SN=12345678
    MAC=000000

    KSSL-MAIN:~# openssl smime -encrypt -in register.txt -out register.env -recip visitor.pem visitor.pem
    MIME-Version: 1.0
    Content-Disposition: attachment; filename="smime.p7m"
    Content-Type: application/x-pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
    Content-Transfer-Encoding: base64

    [base64-encoded PKCS#7 enveloped data omitted]

Note: if the plaintext file is a binary file (a jpg, for example), -binary must be given when encrypting (it does not need to be given again when decrypting), for example:

    KSSL-MAIN:~# openssl smime -encrypt -binary -in register.jpg -out register.env -recip visitor.pem visitor.pem

2.16 Decrypting a MIME-format digital envelope

    KSSL-MAIN:~# openssl smime -decrypt -in register.env -out register.out -inkey visitor.key

The resulting plaintext register.out has the content:

    HARDDISK_SN=12345678
    MAC=000000
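The procedure of sections 2.3 to 2.11 end to end, as an added example that is not part of the training document: it creates the root CA and the user certificate in a temporary directory and then applies the modulus comparison of 2.10 and the chain check of 2.11 as shell functions. File names, DN values and the 2048-bit RSA / SHA-256 parameters are assumptions of this example, and openssl is assumed to be on PATH.

```shell
# Added example, not from the training document: builds the mini PKI of
# sections 2.3-2.11 in a scratch directory and re-checks it with the same
# openssl commands. Names, DN values and paths are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Section 2.4: non-interactive request configuration (prompt = no).
cat > mysite.cnf <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
C = CN
O = Example Org
OU = SSL Group
CN = mysite
EOF

# Sections 2.3 and 2.6: root CA key pair and self-signed root certificate
# (2048-bit RSA and SHA-256 rather than the 1024-bit / MD5 seen in 2.9).
openssl genrsa -out testca.key 2048 2>/dev/null
openssl req -new -key testca.key -config mysite.cnf \
    -subj "/C=CN/O=Example Org/CN=testca" -out testca.req
openssl x509 -req -in testca.req -signkey testca.key -days 365 -sha256 \
    -out testca.pem 2>/dev/null

# Sections 2.3, 2.4 and 2.7: user key pair, request from the config file,
# certificate issued by the root CA (-CAcreateserial creates testca.srl).
openssl genrsa -out mysite.key 2048 2>/dev/null
openssl req -new -key mysite.key -config mysite.cnf -out mysite.req
openssl x509 -req -in mysite.req -CA testca.pem -CAkey testca.key \
    -CAcreateserial -days 365 -sha256 -out mysite.pem 2>/dev/null

# Section 2.10: a private key belongs to a certificate exactly when the
# "Modulus=" lines printed for both are identical.
key_matches_cert() {
    [ "$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -modulus)" ]
}

# Section 2.11: chain validation against the CA file (prints "mysite.pem: OK").
chain_ok() {
    openssl verify -CAfile "$1" "$2"
}

key_matches_cert mysite.key mysite.pem && chain_ok testca.pem mysite.pem
```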
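The S/MIME operations of sections 2.13 to 2.16, as an added example that is not from the training document: it signs, verifies, envelopes and decrypts with a throw-away self-signed certificate and checks that verification fails once the signed text has been altered. The certificate, file names and sample contents are constructed for this example, and openssl is assumed to be on PATH.

```shell
# Added example, not from the training document: runs the S/MIME commands
# of sections 2.13-2.16 against a throw-away self-signed certificate and
# shows that verification detects a modified signed message. All file
# names and contents are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# A self-signed certificate stands in for visitor.pem / visitor.key.
printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=visitor\n' > req.cnf
openssl req -x509 -newkey rsa:2048 -nodes -keyout visitor.key -out visitor.pem \
    -config req.cnf -days 365 2>/dev/null

# Plaintext of section 2.13.
printf 'HARDDISK_SN=12345678\nMAC=000000\n' > register.txt

# Section 2.13: clear-signed S/MIME message (multipart/signed, the text in
# the clear followed by the base64 PKCS#7 signature part).
openssl smime -sign -in register.txt -signer visitor.pem -inkey visitor.key \
    -text -out register.sig

# Section 2.14: verification against the CA file; exits non-zero when the
# signature does not cover the text that is present.
sig_verifies() {
    openssl smime -verify -in "$1" -CAfile visitor.pem -out /dev/null 2>/dev/null
}

# Altering one byte of the signed text must break verification.
sed 's/MAC=000000/MAC=000001/' register.sig > tampered.sig

# Sections 2.15 and 2.16: enveloped data. -binary is given for binary
# plaintext on the encrypt side only, as the note in 2.15 says.
printf 'BIN\001\r\n\r\n\377' > register.bin
openssl smime -encrypt -binary -in register.bin -out register.env visitor.pem
openssl smime -decrypt -in register.env -out register.out -inkey visitor.key

# Decrypted output must be byte-for-byte identical to the input.
roundtrip_ok() {
    cmp -s "$1" "$2"
}
```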
