OpenSSL

Posted by Mathew on 2016-08-19

OpenSSL is an open source project that provides a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.

The OpenSSL toolkit is licensed under an Apache-style license, which basically means that you are free to get and use it for commercial and non-commercial purposes subject to some simple license conditions.

NAME

openssl - OpenSSL command line tool

SYNOPSIS

openssl command [ command_opts ] [ command_args ]

openssl list [ standard-commands | digest-commands | cipher-commands | cipher-algoruthms | digest-algorithms | public-key-algorithms ]

openssl no-XXX [ arbitrary options ]

DESCRIPTION

OpenSSL is criptography toolkit implementing the Secure Socket Layer(SSL v2/v3) and Transport Layer Security(TLS v1) network protocols and related cryptography standrards required by them.

The openssl program is a command line tool for using the various cpyptograph functions of OpenSSL’s crypto library from the shell. It can be used for

1
2
3
4
5
6
7
8
Creation and management of private keys,public keys and parameters
Public key cryptographic operations
Creation of x.509 certificates, CSRS and CRLS
Calculation of Message Digests
Encryprion and Decryption with Ciphers
SSL/TLS Client and Server Tests
Handling of S/MIME signed or encrypted mail
Time Stamp requests, generation and verification

COMMAND SUMMARY

The openssl program provides a rich varisty commands(command in the SYNOPSIS above), each of which often has a wealth of options and arguments(command_ops and command_args in the SYNOPSIS).

The list parameters standard-commands,digest-commands,and cipher-commands output a list(one entry per line) of the names of all standard commands,message digest commands,or cipher commands,respectively,that are available in the persent openssl utility.

Openssl Command

Standard-Commands

1
enc,ca,req.....

Degist-Commands(消息摘要命令)

1
md2,md5,sha,sha1,ssh256......

Cipher-Commands

1
bf,base64,cast,des,des3,rc4.....

Symmetrical encryption(对称加密)

tools : openssl enc, gpg

arithmetic : 3des,aes,blowfish,twofish
enc-command
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
[root@daniel ~]# cat fstab

#
# /etc/fstab
# Created by anaconda on Fri Aug 12 02:42:00 2016
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
UUID=cc252675-e948-4475-ad1f-d321cebfe5a0 / ext4 defaults 1 1
UUID=46200ffa-4ed2-4c47-8090-8a5567a4dd6e /boot ext4 defaults 1 2
UUID=2b07c099-36d9-47a8-af92-56c790d53c8c /home ext4 defaults 1 2
UUID=56634dcf-7270-4852-b36f-67933f412c90 swap swap defaults 0 0
tmpfs /dev/shm tmpfs defaults 0 0
devpts /dev/pts devpts gid=5,mode=620 0 0
sysfs /sys sysfs defaults 0 0
proc /proc proc defaults 0 0
[root@daniel ~]# cat fstab.ciphertext
U2FsdGVkX18MCA3O8FkzvsRjSEcIUAdIEIK9AY4lJ8MVbHFbTzNi9DLa1bnAThfk
v7mcmldxv67yk+A1QYJgxVyufXNm0cr74/23093+vn3TukFSfhdLyldq+sVd+ENz
xkvEIepuk+DPLGDQBPy9gM3v5fCBxA6WytXb8aqEKAedCd8F5awocaYnmUGbOpAq
k3Z8WE0l/86JmIK+KLz5Qc6oP1V7ZLodp/yA3Wx1uL14SL4MVkF2UvAtAAswBPPE
/vJwpjV7aWSE1veGr7AO+qiIyLc9pKhXPMVw1I+aByY7OJ0nyNyWBRZQr7ipQMx+
9adLbkeRvehpTXj8XFRxaBJzfDZOhIbwgfEAR1oOOOpom6vwERpYXNY5k+ZkE5+H
ce+b6LJZJoSm/lfcEOECdGhL1+hzx4N3WgaINaVhUsoyTW359d+1Mv9BrzAQtErO
mmGcPlQcoZd7PUiVV5kfFCtBdEutlF0Sx0j88r7BkEhjs6NhCga7/b7+Fnm/sp63
rMjggaI8/anES1ZSqSoi6cM3kxtzrOFom4qnQ5OOk+fXwKfVF9Q4llAWLJQr/0Ss
RNbXfAIvrvl3P0QyGjZnvk/gnoPW6oaDKPWDGc8n3fK4t2iwzT4CD1Zq/cw01EYU
CEUJNQCDM92Xx7h8Ci4iizyM8FRZdoXHqwvSKcvZNXmihwxVazhMf+49VUyaF+L6
GKxiy2cNi80tIHHYFP5BKhtWA6DTfRLoJ9eci4WFw7iEZ2L5qhSRpk0kEMaBnybu
2BoSVywMUNG8hzjmlZ7yDPRfFypxgiUold0yjna7zgjRO/mJemydEHmX6pk+T0J+
EkFfh9LzjKWc1TiwMtN5C2AJvMn2aYckXm5z9R6mK7bZWelbhHhuIB3Zmt1mXVGt
dMC5McZe7T4cVa8dPoSt0RVn8/gK07TXYcA9IMrwYlyXAYezqePKyG+KrewlpBaC
tGKXHwnIUMEOdr3rh9qii5r+Qw8/FMFvRxGAueC6qOYWNLBsderClMyWcF3kggHF
B0+LqyEsOaHlaqtBhH92V+afglsk5WK/a5IRCLTITvdwxFwqAQu71qtYOGKa18qR
IQ7DJDG62ngLlCAqNiJ77lbbmjpCGVjO//v7wgBoWKj8e6mHSyrvCA/2d+axCYEn
/zy1UAOmG8p5x3V2fhoxGgqbq5XyAgPIIcjRY91FQk8c6GaEyneaZy9jJiG9ws8m
6eEnikiO8cE=
[root@daniel ~]# rm fstab
rm: remove regular file `fstab'? y
[root@daniel ~]#
[root@daniel ~]#
[root@daniel ~]# openssl enc -d -des3 -a -salt -in fstab.ciphertext -out fstab
enter des-ede3-cbc decryption password:
[root@daniel ~]#
[root@daniel ~]#
[root@daniel ~]# ll
total 8800
-rw-------. 1 root root 961 Aug 12 02:45 anaconda-ks.cfg
-rw-r--r-- 1 root root 899 Aug 19 09:03 fstab
-rw-r--r-- 1 root root 1248 Aug 19 09:02 fstab.ciphertext
-rw-r--r--. 1 root root 9545 Aug 12 02:44 install.log
-rw-r--r--. 1 root root 3161 Aug 12 02:43 install.log.syslog
drwxr-xr-x. 9 1001 1001 4096 Aug 12 18:00 nginx-1.4.7
-rw-r--r--. 1 root root 769153 Aug 12 18:00 nginx-1.4.7.tar.gz
drwxr-xr-x 5 nobody 65534 4096 May 17 21:12 wordpress
-rw-r--r-- 1 root root 8203318 May 17 21:12 wordpress-4.5.2-zh_CN.tar.gz
[root@daniel ~]# cat fstab

#
# /etc/fstab
# Created by anaconda on Fri Aug 12 02:42:00 2016
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
UUID=cc252675-e948-4475-ad1f-d321cebfe5a0 / ext4 defaults 1 1
UUID=46200ffa-4ed2-4c47-8090-8a5567a4dd6e /boot ext4 defaults 1 2
UUID=2b07c099-36d9-47a8-af92-56c790d53c8c /home ext4 defaults 1 2
UUID=56634dcf-7270-4852-b36f-67933f412c90 swap swap defaults 0 0
tmpfs /dev/shm tmpfs defaults 0 0
devpts /dev/pts devpts gid=5,mode=620 0 0
sysfs /sys sysfs defaults 0 0
proc /proc proc defaults 0 0
[root@daniel ~]#

单项加密

工具: md5sum,sha1sum,sha224sum,sha256sum,…,openssl dgst
dgst 命令:
1
openssl dgst -md5 /PATH/TO/SOMEFILE
MAC:Message Authentication Code,单向加密的一种延伸应用,用于实现在网络通信中保证所传输的额数据的完整性。
	机制:
		CBC-MAC
		HMAC: 使用md5或sha1算法
生成用户密码:

passwd命令:

1
2
3
[root@daniel ~]# openssl passwd -1 -salt ruoshui
Password:
$1$ruoshui$rmpDO4r36HiDWnJU54cbF.
生成随机数:
1
2
[root@daniel ~]# openssl rand -base64 16
PNu69PsSgQvcDMXFBZBiCg==
公钥加密:
	加密:
		算法:RSA,ELGAMAL
		工具:gpg,openssl rsautl
	数字签名:
		算法:RSA,DSA,ELGamal
	密钥交换
		算法:dh
DSA: Digital Signature Algorithm
DSS: Digital Signature Standard
RSA:
生成密钥对儿
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
[root@daniel ~]# openssl genrsa -out ./private.key 2048
Generating RSA private key, 2048 bit long modulus
.........+++
..............................+++
e is 65537 (0x10001)
[root@daniel ~]# cat private.key
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAu+9wDhsMidFEo8X4jNaBuNRF3yZJui3moWtBUGWePZISka3w
DSLMvvs8vGo+Zyr4ObDOR1TOxeEIQDRZ53X11vEeUI7pede4d4nFgO885mSOooHe
TdkgdeWEdZrQf/QISWOmIO/gmhddmUzFUgpwsdqDwQk9zjQ1OnTWJJoVdhfw447V
+DBxaM5duxc/nMmktHrMEDn/9qJE5zwZ+0sfW5WghvjLCh7htQFTOKnXYHYUV1/y
IjEgIiFupbrT+Ne/f1G4G8AuvUnDxnSQDc7yvY0jRiavGEeJX/cAPMTU+uKiwBFn
ykJBbXZsRLGtCQaqF7cqyEfPxokg2gomYdyZ+QIDAQABAoIBAHFA+6AkgMvUxq6D
MSN+aTI/CdROOIPwAVopTnTqqA+mpXYRAeaIoCY/NPy+cdiuNmRdvhGSdAEfeV9n
rP4lQf9D0ubtGJoKe+ndpp3qjiKxWptn89WqETu7ErXkk91n7E59tLGInSt/BTLK
5uZn0D391wRPU2WeZK1Tl3D7Qg+ll5ChObNbnI0/NaTBbTybIEpoMCi5J0/DIqwc
bbSjun7Obhm24nKeFxduXH//EPG/x1EmonKEFWMTV0G2fo+VDyva5G3Jjei4JMmv
GKDF7Oxd/NnCnAQQWizExhtB4yecEyPkV/HhljUhPxeT08yVEB6hSOSpddyk7I7d
NZkAdgECgYEA9xiLoMVxFDq2y4fjK/gCJGcxZupQsGU0833h2I3uyTwLygMhEnbl
E0qCzIBZARjntZEYC6F6D79BGbtdSjYH7Wwn+v/WZWC/mejiKXKYsRTCDFHpShrt
IEJSEfVnoIjdKlCSlKagptmNfrR81a24L//vQGA8xPwLdbImZ5pjCpkCgYEAwrUj
HCyHfWCGCBGh+Pn9Qc415MJ+tSk04gefchL6uSAxj2tmLmh3kZQ96gWY0esXnPTw
R4STLigyUFhnxyUex4d5wCoEpmICmix4tELvv03y3kbwzf5f+8vPM2BsbAMohS3p
9dRSEbMDl+5HuInhbqXOKtnMxc8TNqMF7aSGBmECgYAwvS+1e5yNb/NkfB5MKvRJ
N+2frjJSSPRD3x2wOHbUTLrKkwlv+fG/d2ALdHmZ5M63mrISgTxxZLkzmSiSncu8
giv0r4gboRTKCAysPkVuEHkiMvoAOwVw6oQDtNNG8Bgn45K2LZPctWbaikFhaI2/
Mg2ANjtmY4zjH0vB/crxaQKBgA53MK2WLVbGRg7xaGw7/nHWJTDitlE1R4WHdXQf
Ltt0Jdp26zeFcWSyc8sgMVNfOPjjRbq6gcjLGbnYZ5VnD5tZWFVLid7mpzTXGvyh
gHhhDSswcBGN1Ym6gaFah5OaxHboi1pFNPe1qg2umUt/iu0SineqiMklclL716Pp
Nj/hAoGAH5AJCrMCWNbsxGBth7lDp0XDVhf3SzX9C2XCSmLaXdtWOly0dom+GtCj
T4ESe1lR2m5rv1XPCYAPkLEtHMnEesg5ChgNuq48Us9l7BW3Nbau6ZETUOgcGuU9
2QuoKjqdDtaapI/IeKgVSYJlgweiJ7rmmWEDx9xfgy/fyNing8Q=
-----END RSA PRIVATE KEY-----
```

##### 提取出公钥
[root@daniel ~]# openssl rsa -in private.key -pubout
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu+9wDhsMidFEo8X4jNaB
uNRF3yZJui3moWtBUGWePZISka3wDSLMvvs8vGo+Zyr4ObDOR1TOxeEIQDRZ53X1
1vEeUI7pede4d4nFgO885mSOooHeTdkgdeWEdZrQf/QISWOmIO/gmhddmUzFUgpw
sdqDwQk9zjQ1OnTWJJoVdhfw447V+DBxaM5duxc/nMmktHrMEDn/9qJE5zwZ+0sf
W5WghvjLCh7htQFTOKnXYHYUV1/yIjEgIiFupbrT+Ne/f1G4G8AuvUnDxnSQDc7y
vY0jRiavGEeJX/cAPMTU+uKiwBFnykJBbXZsRLGtCQaqF7cqyEfPxokg2gomYdyZ
+QIDAQAB
-----END PUBLIC KEY-----
随机数生成器
1
2
/dev/random: 仅从熵池返回随机数;随机数用尽,阻塞
/dev/urandom: 从熵池返回随机数;随机数用尽,会利用软件生成伪随机数

未完待续…