OpenSSL is a cryptographic toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) network protocols together with the related cryptographic standards they require.
Introduction
Uses (see man openssl for more):
- Creating and managing private keys, public keys and parameters
- Public-key cryptographic operations
- Creating X.509 certificates, CSRs and CRLs
- Computing message digests and message authentication codes
- Encrypting and decrypting with ciphers
- SSL/TLS client and server testing (see the companion article "SSL/TLS 原理详解", SSL/TLS principles explained)
- Handling S/MIME signed or encrypted mail
- Timestamp requests, generation and verification
Installation
From source
tar zxvf openssl-1.0.2l.tar.gz
mkdir /usr/local/openssl12
cd openssl-1.0.2l/
./config --prefix=/usr/local/openssl12/
make && make install
Ubuntu
apt install openssl
Help
$ openssl version
OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)
$ openssl --help
help:
Standard commands
asn1parse ca ciphers cmp
cms crl crl2pkcs7 dgst
dhparam dsa dsaparam ec
ecparam enc engine errstr
fipsinstall gendsa genpkey genrsa
help info kdf list
mac nseq ocsp passwd
pkcs12 pkcs7 pkcs8 pkey
pkeyparam pkeyutl prime rand
rehash req rsa rsautl
s_client s_server s_time sess_id
smime speed spkac srp
storeutl ts verify version
x509
Message Digest commands (see the `dgst' command for more details)
blake2b512 blake2s256 md4 md5
rmd160 sha1 sha224 sha256
sha3-224 sha3-256 sha3-384 sha3-512
sha384 sha512 sha512-224 sha512-256
shake128 shake256 sm3
Cipher commands (see the `enc' command for more details)
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb
aes-256-cbc aes-256-ecb aria-128-cbc aria-128-cfb
aria-128-cfb1 aria-128-cfb8 aria-128-ctr aria-128-ecb
aria-128-ofb aria-192-cbc aria-192-cfb aria-192-cfb1
aria-192-cfb8 aria-192-ctr aria-192-ecb aria-192-ofb
aria-256-cbc aria-256-cfb aria-256-cfb1 aria-256-cfb8
aria-256-ctr aria-256-ecb aria-256-ofb base64
bf bf-cbc bf-cfb bf-ecb
bf-ofb camellia-128-cbc camellia-128-ecb camellia-192-cbc
camellia-192-ecb camellia-256-cbc camellia-256-ecb cast
cast-cbc cast5-cbc cast5-cfb cast5-ecb
cast5-ofb des des-cbc des-cfb
des-ecb des-ede des-ede-cbc des-ede-cfb
des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb
des-ede3-ofb des-ofb des3 desx
rc2 rc2-40-cbc rc2-64-cbc rc2-cbc
rc2-cfb rc2-ecb rc2-ofb rc4
rc4-40 seed seed-cbc seed-cfb
seed-ecb seed-ofb sm4-cbc sm4-cfb
sm4-ctr sm4-ecb sm4-ofb
Usage
openssl s_client -connect google.com:443
openssl speed -evp aes-256-gcm
openssl base64 -A < "/root/ca.crt"
# equivalent with the coreutils base64 (strip the line wrapping):
base64 < "/root/ca.crt" | tr -d '\n'
rsa
openssl rsa
Tool for processing RSA (asymmetric) keys
openssl pkey
General-purpose tool for processing asymmetric keys
openssl rsa [-in filename] [-passin arg] [-passout arg] [-out filename] [-des|-des3|-idea] [-text] [-noout] [-pubin] [-pubout] [-check]
openssl pkey [-in filename] [-passin arg] [-passout arg] [-out filename] [-cipher] [-text] [-noout] [-pubin] [-pubout]
Notes:
# Generate an unencrypted private key
$ openssl genrsa -out private.pem 2048
# View the private key
$ cat private.pem
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
# Read the private key
$ openssl rsa -in private.pem
writing RSA key
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
# Read an encrypted private key (passphrase supplied with -passin)
$ openssl rsa -in private.pem -passin pass:123456
# Print the private key in text form (all RSA components)
$ openssl rsa -in private.pem -text
Private-Key: (2048 bit, 2 primes)
modulus:
00:9c:9b:47:58:85:e8:e7:36:cc:4c:12:f4:fb:c2:
...
publicExponent: 65537 (0x10001)
privateExponent:
01:fd:44:f8:3e:67:39:7c:ac:36:b1:2c:f4:7f:c1:
...
prime1:
00:d9:28:6c:9f:f3:02:d4:1f:b9:e6:fc:eb:05:cd:
...
prime2:
00:b8:9e:3b:52:c1:f9:a0:fa:02:8a:28:53:62:ad:
...
exponent1:
5b:30:1e:6d:0c:1e:a3:f4:ae:9b:d0:98:e0:56:c9:
...
exponent2:
00:86:63:58:57:a3:af:ed:08:50:b4:f5:29:cd:d9:
...
coefficient:
00:cb:17:9f:4c:1d:f8:3a:60:8e:3e:74:d7:f5:15:
...
writing RSA key
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
# Print the text form only, without the PEM-encoded key itself
$ openssl rsa -in private.pem -text -noout
# Extract the public key from the private key
$ openssl rsa -in private.pem -pubout -out public.pem
writing RSA key
$ cat public.pem
-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----
# Read the public key
$ openssl rsa -pubin -in public.pem
writing RSA key
-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----
# Print the public key in text form
$ openssl rsa -pubin -in public.pem -text
Public-Key: (2048 bit)
Modulus:
...
Exponent: 65537 (0x10001)
writing RSA key
-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----
# Print the text form only, without the PEM-encoded public key
$ openssl rsa -pubin -in public.pem -text -noout
# Add a passphrase: a cipher option (e.g. -aes256) is required, because
# -passout on its own writes the key out unencrypted
$ openssl rsa -in private.pem -aes256 -passout pass:123456
# Check the internal consistency of the private key components (detects a modified or corrupted key)
$ openssl rsa -in private.pem -check
RSA key ok
writing RSA key
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
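The following script is an added example, not part of the original page or of the OpenSSL project: it runs the rsa commands above end to end with the OpenSSL 3 CLI and verifies the points a practitioner most often gets wrong. The file names, the temporary directory and the passphrase are constructed for the demo. It shows that -passout without a cipher option leaves the key unencrypted, that -aes256 produces an encrypted key which rejects a wrong passphrase, that the public key extracted from the encrypted copy equals the one from the plain key, and that -check reports "RSA key ok" for an intact key but not for a key whose modulus has been altered (a constructed tamper that overwrites part of the base64 body).

```shell
#!/bin/sh
# Added example (not from the original page): RSA key workflow with the OpenSSL CLI.
# Assumes the openssl binary is on PATH; every path and passphrase below is constructed.
set -eu

rsa_key_workflow() {
    # Report "skipped" instead of failing when the CLI is not installed.
    command -v openssl >/dev/null 2>&1 || { echo skipped; return 0; }

    workdir=$(mktemp -d)
    pass='pass:correct horse'            # constructed demo passphrase
    result=ok

    # 1. Unencrypted 2048-bit private key (PKCS#8 "BEGIN PRIVATE KEY" on OpenSSL 3).
    openssl genrsa -out "$workdir/private.pem" 2048 2>/dev/null
    grep -q 'ENCRYPTED' "$workdir/private.pem" && result=fail

    # 2. -passout alone does NOT encrypt: the output is still a plain private key.
    openssl rsa -in "$workdir/private.pem" -passout "$pass" \
        -out "$workdir/still_plain.pem" 2>/dev/null
    grep -q 'ENCRYPTED' "$workdir/still_plain.pem" && result=fail

    # 3. With a cipher option (-aes256) the key is written encrypted.
    openssl rsa -in "$workdir/private.pem" -aes256 -passout "$pass" \
        -out "$workdir/private_enc.pem" 2>/dev/null
    grep -q 'ENCRYPTED' "$workdir/private_enc.pem" || result=fail

    # 4. A wrong passphrase must be rejected (non-zero exit status).
    if openssl rsa -in "$workdir/private_enc.pem" -passin pass:wrong -noout 2>/dev/null; then
        result=fail
    fi

    # 5. The public key from the encrypted key must match the one from the plain key.
    openssl rsa -in "$workdir/private.pem" -pubout -out "$workdir/pub1.pem" 2>/dev/null
    openssl rsa -in "$workdir/private_enc.pem" -passin "$pass" -pubout \
        -out "$workdir/pub2.pem" 2>/dev/null
    d1=$(openssl dgst -sha256 < "$workdir/pub1.pem")
    d2=$(openssl dgst -sha256 < "$workdir/pub2.pem")
    [ "$d1" = "$d2" ] || result=fail

    # 6. Consistency check of the key components: -check prints "RSA key ok".
    openssl rsa -in "$workdir/private.pem" -check -noout 2>/dev/null \
        | grep -q '^RSA key ok' || result=fail

    # 7. Constructed tamper: overwrite the 4th base64 line (inside the modulus) with
    #    zero bytes.  The file still parses, but n no longer equals p*q, so -check
    #    must not report the key as ok.
    sed '5s|[A-Za-z0-9+/]|A|g' "$workdir/private.pem" > "$workdir/tampered.pem"
    if openssl rsa -in "$workdir/tampered.pem" -check -noout 2>/dev/null \
        | grep -q '^RSA key ok'; then
        result=fail
    fi

    rm -rf "$workdir"
    echo "$result"
}

rsa_key_workflow
```

The script prints ok when every step behaves as described, fail if any step does not, and skipped when no openssl binary is available. Step 7 is the reason -check matters operationally: a key file that parses cleanly can still be internally inconsistent, and only the component check exposes that.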