OpenSSL 是一个加密工具包,用于执行 Secure Sockets Layer (SSL, 安全套接字层)
和 Transport Layer Security (TLS, 传输层安全)
网络协议及其所需的相关加密标准。
介绍
用途(更多参考 man openssl
)
- 创建和管理私钥、公钥和参数
- 公钥加密操作
- 创建 X.509 证书、CSR 和 CRL
- 计算报文摘要和报文验证码
- 使用密码进行加密和解密
- SSL/TLS 客户端和服务器测试,参考SSL/TLS 原理详解
- 处理 S/MIME 签名或加密邮件
- 时间戳请求、生成和验证
安装
源码安装
tar zxvf openssl-1.0.2l.tar.gz
mkdir /usr/local/openssl12
cd openssl-1.0.2l/
./config --prefix=/usr/local/openssl12/
make && make install
ubuntu
apt install openssl
help
$ openssl version
OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)
$ openssl --help
help:
Standard commands
asn1parse ca ciphers cmp
cms crl crl2pkcs7 dgst
dhparam dsa dsaparam ec
ecparam enc engine errstr
fipsinstall gendsa genpkey genrsa
help info kdf list
mac nseq ocsp passwd
pkcs12 pkcs7 pkcs8 pkey
pkeyparam pkeyutl prime rand
rehash req rsa rsautl
s_client s_server s_time sess_id
smime speed spkac srp
storeutl ts verify version
x509
Message Digest commands (see the `dgst' command for more details)
blake2b512 blake2s256 md4 md5
rmd160 sha1 sha224 sha256
sha3-224 sha3-256 sha3-384 sha3-512
sha384 sha512 sha512-224 sha512-256
shake128 shake256 sm3
Cipher commands (see the `enc' command for more details)
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb
aes-256-cbc aes-256-ecb aria-128-cbc aria-128-cfb
aria-128-cfb1 aria-128-cfb8 aria-128-ctr aria-128-ecb
aria-128-ofb aria-192-cbc aria-192-cfb aria-192-cfb1
aria-192-cfb8 aria-192-ctr aria-192-ecb aria-192-ofb
aria-256-cbc aria-256-cfb aria-256-cfb1 aria-256-cfb8
aria-256-ctr aria-256-ecb aria-256-ofb base64
bf bf-cbc bf-cfb bf-ecb
bf-ofb camellia-128-cbc camellia-128-ecb camellia-192-cbc
camellia-192-ecb camellia-256-cbc camellia-256-ecb cast
cast-cbc cast5-cbc cast5-cfb cast5-ecb
cast5-ofb des des-cbc des-cfb
des-ecb des-ede des-ede-cbc des-ede-cfb
des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb
des-ede3-ofb des-ofb des3 desx
rc2 rc2-40-cbc rc2-64-cbc rc2-cbc
rc2-cfb rc2-ecb rc2-ofb rc4
rc4-40 seed seed-cbc seed-cfb
seed-ecb seed-ofb sm4-cbc sm4-cfb
sm4-ctr sm4-ecb sm4-ofb
使用示例
openssl s_client -connect google.com:443
openssl speed -evp aes-256-gcm
openssl base64 -A < "/root/ca.crt"
base64 | tr -d '\n'
rsa
openssl rsa
RSA 对称密钥的处理工具openssl pkey
通用非对称密钥处理工具
openssl rsa [-in filename] [-passin arg] [-passout arg] [-out filename] [-des|-des3|-idea] [-text] [-noout] [-pubin] [-pubout] [-check]
openssl pkey [-in filename] [-passin arg] [-passout arg] [-out filename] [-cipher] [-text] [-noout] [-pubin] [-pubout]
说明:
# 生成不加密的私钥
$ openssl genrsa -out private.pem 2048
# 查看私钥
$ cat private.pem
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
# 读取私钥
$ openssl rsa -in private.pem
writing RSA key
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
# 读取加密私钥
$ openssl rsa -in private.pem -passin pass:123456
# 以文本格式输出私钥
$ openssl rsa -in private.pem -text
Private-Key: (2048 bit, 2 primes)
modulus:
00:9c:9b:47:58:85:e8:e7:36:cc:4c:12:f4:fb:c2:
...
publicExponent: 65537 (0x10001)
privateExponent:
01:fd:44:f8:3e:67:39:7c:ac:36:b1:2c:f4:7f:c1:
...
prime1:
00:d9:28:6c:9f:f3:02:d4:1f:b9:e6:fc:eb:05:cd:
...
prime2:
00:b8:9e:3b:52:c1:f9:a0:fa:02:8a:28:53:62:ad:
...
exponent1:
5b:30:1e:6d:0c:1e:a3:f4:ae:9b:d0:98:e0:56:c9:
...
exponent2:
00:86:63:58:57:a3:af:ed:08:50:b4:f5:29:cd:d9:
...
coefficient:
00:cb:17:9f:4c:1d:f8:3a:60:8e:3e:74:d7:f5:15:
...
writing RSA key
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
# 不输出私钥内容
$ openssl rsa -in private.pem -text -noout
# 从私钥中提取公钥
$ openssl rsa -in private.pem -pubout -out public.pem
writing RSA key
$ cat public.pem
-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----
# 读取公钥
$ openssl rsa -pubin -in public.pem
writing RSA key
-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----
# 以文本格式输出公钥
$ openssl rsa -pubin -in public.pem -text
Public-Key: (2048 bit)
Modulus:
...
Exponent: 65537 (0x10001)
writing RSA key
-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----
# 不输出公钥内容
$ openssl rsa -pubin -in public.pem -text -noout
# 添加密码
openssl rsa -in private.pem -passout pass:123456
# 检测私钥文件的一致性(是否被修改)
$ openssl rsa -in private.pem -check
RSA key ok
writing RSA key
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
Elliptic Curve/EC
- openssl ecparam 是一个用于
椭圆曲线(Elliptic Curve,EC)
密钥参数生成及操作的命令行工具- 椭圆曲线密码学(ECC)相对于传统的 RSA 等算法,在提供相同安全强度的情况下,所需的密钥长度更短,因此更节省存储空间和计算资源
- openssl ecparam 生成的椭圆曲线密钥参数遵循国际标准和最佳实践,确保了密钥的安全性和可靠性
help
$ openssl ecparam --help
Usage: ecparam [options]
Valid options are:
-help Display this summary
-inform PEM|DER Input format - default PEM (DER or PEM)
-outform PEM|DER Output format - default PEM
-in infile Input file - default stdin
-out outfile Output file - default stdout
-text Print the ec parameters in text form
-C Print a 'C' function creating the parameters
-check Validate the ec parameters
-list_curves Prints a list of all curve 'short names'
-no_seed If 'explicit' parameters are chosen do not use the seed
-noout Do not print the ec parameter
-name val Use the ec parameters with specified 'short name'
-conv_form val Specifies the point conversion form
-param_enc val Specifies the way the ec parameters are encoded
-genkey Generate ec key
-rand val Load the file(s) into the random number generator
-writerand outfile Write random data to the specified file
-engine val Use engine, possibly a hardware device
说明:
-inform PEM|DER
输入文件格式- DER 格式采用 ASN1 的 DER 标准格式
- PEM 格式采用 base64 编码格式(使用较多)
-in filename
输入的椭圆曲线密钥文件,默认为标准输入-out filename
椭圆曲线密钥输出文件,默认为标准输出-noout
不打印参数编码的版本信息-text
打印椭圆曲线密钥参数信息值-C
以 C 语言风格打印信息-check
检查椭圆曲线密钥参数-name arg
:采用短名字,打印所有椭圆曲线 短名称
的列表
$ openssl ecparam -list_curves
secp224r1 : NIST/SECG curve over a 224 bit prime field
secp256k1 : SECG curve over a 256 bit prime field
secp384r1 : NIST/SECG curve over a 384 bit prime field
secp521r1 : NIST/SECG curve over a 521 bit prime field
prime256v1: X9.62/SECG curve over a 256 bit prime field
使用示例
$ openssl ecparam -genkey -name prime256v1 -out server.key
$ cat server.key
-----BEGIN EC PARAMETERS-----
BggqhkjOPQMBBw==
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIJvikw5C8JZk645GiT2rfoYm1svhTtVR8FinUgzT+7TgoAoGCCqGSM49
AwEHoUQDQgAEJU88pkrY7XodDRfVmx3x2UqSJTfCF/iFOSw/hd92//tD2ct94yj2
G4cOBtYcB4LhsTpPvXv3d+DxoazoW87RfQ==
-----END EC PRIVATE KEY-----
# csr: 需要输入国家、组织、CN(通用名称,通常是你的域名或IP地址)
$ openssl req -new -key server.key -out server.csr
# 生成自签证书
$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=C = XX, L = Default City, O = Default Company Ltd
Getting Private key
# openssl ecparam -name prime256v1 -genkey -noout > eckey
# openssl req -new -x509 -sha256 -key eckey -out server.pem -days 10000 -subj '/C=CN/ST=SH/L=SH/O=IT/OU=IT/CN=xiexianbin.cn/emailAddress=me@xiexianbin.cn'
# create ca
openssl genrsa -out ca.key 2048
openssl req -new -x509 -days 7200 -key ca.key -out ca.pem
$ cat san.cnf
subjectAltName = @alt_names
[alt_names]
DNS.1 = xiexianbin.cn
# 生成 SSL 证书
openssl ecparam -genkey -name secp384r1 -out server.key
openssl req -new -key server.key -out server.csr
openssl x509 -req -sha256 -CA ca.pem -CAkey ca.key -CAcreateserial -days 3650 -in server.csr -out server.crt -extfile san.cnf
# 查看证书
openssl x509 -in server.crt --noout -text
$ openssl ecparam -genkey -name secp256k1 -out eckey.pem
$ cat eckey.pem
-----BEGIN EC PARAMETERS-----
BgUrgQQACg==
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
MHQCAQEEIBXpqqvKqukB9dtDa9/TWpd+wM34l2wtKvc2cqcp2KukoAcGBSuBBAAK
oUQDQgAEDzaDWpfyQ9nnxSfkcK+LlDaSnNn+Y50wBL+HhOT5khB3Ke7ayjlrekV9
xs8taudj5wtCLgzLnylSbus/NEgYuw==
-----END EC PRIVATE KEY-----
# 查看椭圆曲线参数
$ openssl ecparam -in eckey.pem -text -noout
ASN1 OID: secp256k1
# 检查
$ openssl ecparam -in eckey.pem --check
checking elliptic curve parameters: ok
-----BEGIN EC PARAMETERS-----
BgUrgQQACg==
-----END EC PARAMETERS-----