OpenSSL Introduction


OpenSSL is a cryptographic toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) network protocols together with the cryptographic standards they require.

Introduction

Uses (see man openssl for more)

  • Create and manage private keys, public keys and parameters
  • Public-key cryptographic operations
  • Create X.509 certificates, CSRs and CRLs
  • Compute message digests and message authentication codes
  • Encrypt and decrypt with symmetric ciphers
  • SSL/TLS client and server testing (see the SSL/TLS principles article)
  • Handle S/MIME signed or encrypted mail
  • Timestamp requests, generation and verification

Installation

Installing from source

tar zxvf openssl-1.0.2l.tar.gz
mkdir /usr/local/openssl12
cd openssl-1.0.2l/
./config --prefix=/usr/local/openssl12/
make && make install

Ubuntu

apt install openssl

Help

openssl --help ...
$ openssl version
OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)
$ openssl --help
help:

Standard commands
asn1parse         ca                ciphers           cmp
cms               crl               crl2pkcs7         dgst
dhparam           dsa               dsaparam          ec
ecparam           enc               engine            errstr
fipsinstall       gendsa            genpkey           genrsa
help              info              kdf               list
mac               nseq              ocsp              passwd
pkcs12            pkcs7             pkcs8             pkey
pkeyparam         pkeyutl           prime             rand
rehash            req               rsa               rsautl
s_client          s_server          s_time            sess_id
smime             speed             spkac             srp
storeutl          ts                verify            version
x509

Message Digest commands (see the `dgst' command for more details)
blake2b512        blake2s256        md4               md5
rmd160            sha1              sha224            sha256
sha3-224          sha3-256          sha3-384          sha3-512
sha384            sha512            sha512-224        sha512-256
shake128          shake256          sm3

Cipher commands (see the `enc' command for more details)
aes-128-cbc       aes-128-ecb       aes-192-cbc       aes-192-ecb
aes-256-cbc       aes-256-ecb       aria-128-cbc      aria-128-cfb
aria-128-cfb1     aria-128-cfb8     aria-128-ctr      aria-128-ecb
aria-128-ofb      aria-192-cbc      aria-192-cfb      aria-192-cfb1
aria-192-cfb8     aria-192-ctr      aria-192-ecb      aria-192-ofb
aria-256-cbc      aria-256-cfb      aria-256-cfb1     aria-256-cfb8
aria-256-ctr      aria-256-ecb      aria-256-ofb      base64
bf                bf-cbc            bf-cfb            bf-ecb
bf-ofb            camellia-128-cbc  camellia-128-ecb  camellia-192-cbc
camellia-192-ecb  camellia-256-cbc  camellia-256-ecb  cast
cast-cbc          cast5-cbc         cast5-cfb         cast5-ecb
cast5-ofb         des               des-cbc           des-cfb
des-ecb           des-ede           des-ede-cbc       des-ede-cfb
des-ede-ofb       des-ede3          des-ede3-cbc      des-ede3-cfb
des-ede3-ofb      des-ofb           des3              desx
rc2               rc2-40-cbc        rc2-64-cbc        rc2-cbc
rc2-cfb           rc2-ecb           rc2-ofb           rc4
rc4-40            seed              seed-cbc          seed-cfb
seed-ecb          seed-ofb          sm4-cbc           sm4-cfb
sm4-ctr           sm4-ecb           sm4-ofb

Usage

openssl s_client -connect google.com:443

openssl speed -evp aes-256-gcm

openssl base64 -A < "/root/ca.crt"
base64 | tr -d '\n'

rsa

  • openssl rsa: tool for handling RSA keys
  • openssl pkey: general-purpose tool for handling asymmetric (public/private) keys
openssl rsa  [-in filename] [-passin arg] [-passout arg] [-out filename] [-des|-des3|-idea] [-text] [-noout] [-pubin] [-pubout] [-check]

openssl pkey [-in filename] [-passin arg] [-passout arg] [-out filename] [-cipher] [-text] [-noout] [-pubin] [-pubout]

Options:

  • -in filename: the input key file

    • when -pubin is given, a public key is read
      • public key files usually begin with -----BEGIN PUBLIC KEY----- and end with -----END PUBLIC KEY-----
    • when omitted, the key is read from stdin
  • -passin arg: password used to decrypt the input key file

  • -passout arg: password used to encrypt the output file

  • -out filename: the output file

  • -des|-des3|-idea: encrypt the output file with the given cipher

  • -text: also print the key components in plain-text form

  • -noout: do not output the encoded key

  • -pubout: output the public key extracted from the private key

  • -check: check that the RSA key is consistent and has not been modified; applies to private keys only

  • Examples

# Generate an unencrypted private key
$ openssl  genrsa -out private.pem 2048

# View the private key
$ cat private.pem
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----

# Read the private key
$ openssl rsa -in private.pem
writing RSA key
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----

# Read an encrypted private key
$ openssl rsa -in private.pem -passin pass:123456

# Print the private key in text form
$ openssl rsa -in private.pem -text
Private-Key: (2048 bit, 2 primes)
modulus:
    00:9c:9b:47:58:85:e8:e7:36:cc:4c:12:f4:fb:c2:
    ...
publicExponent: 65537 (0x10001)
privateExponent:
    01:fd:44:f8:3e:67:39:7c:ac:36:b1:2c:f4:7f:c1:
    ...
prime1:
    00:d9:28:6c:9f:f3:02:d4:1f:b9:e6:fc:eb:05:cd:
    ...
prime2:
    00:b8:9e:3b:52:c1:f9:a0:fa:02:8a:28:53:62:ad:
    ...
exponent1:
    5b:30:1e:6d:0c:1e:a3:f4:ae:9b:d0:98:e0:56:c9:
    ...
exponent2:
    00:86:63:58:57:a3:af:ed:08:50:b4:f5:29:cd:d9:
    ...
coefficient:
    00:cb:17:9f:4c:1d:f8:3a:60:8e:3e:74:d7:f5:15:
    ...
writing RSA key
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----

# Print the text form without the encoded private key
$ openssl rsa -in private.pem -text -noout

# Extract the public key from the private key
$ openssl rsa -in private.pem -pubout -out public.pem
writing RSA key
$ cat public.pem
-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----

# Read the public key
$ openssl rsa  -pubin -in public.pem
writing RSA key
-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----

# Print the public key in text form
$ openssl rsa -pubin -in public.pem -text
Public-Key: (2048 bit)
Modulus:
    ...
Exponent: 65537 (0x10001)
writing RSA key
-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----

# Print the text form without the encoded public key
$ openssl rsa -pubin -in public.pem -text -noout

# Add a password (encrypt the private key; a cipher option such as -des3 is required, otherwise -passout is ignored)
$ openssl rsa -in private.pem -des3 -passout pass:123456 -out private_enc.pem

# Check the private key file for consistency (whether it has been modified)
$ openssl rsa -in private.pem -check
RSA key ok
writing RSA key
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
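As an added illustration that is not part of the original post, the following pure-Python block re-implements the consistency checks behind openssl rsa -check, using the same field names that openssl rsa -text prints, and shows what -pubout extracts. The key is constructed from two small primes (an assumption made so the block runs offline); the arithmetic is the same as for a real 2048-bit key, and a "tampered" copy shows how a modified private key file fails the check.

```python
from math import gcd

# Constructed example key from two small primes so the block runs offline (a real 2048-bit key uses two ~1024-bit primes).
P, Q, E = 104729, 1299709, 65537


def lcm(a, b):
    return a * b // gcd(a, b)


def make_private_key(p, q, e):
    """Derive every field that `openssl rsa -text` prints from (p, q, e)."""
    d = pow(e, -1, lcm(p - 1, q - 1))
    return {
        "modulus": p * q,
        "publicExponent": e,
        "privateExponent": d,
        "prime1": p,
        "prime2": q,
        "exponent1": d % (p - 1),      # d mod (p-1), used for CRT decryption
        "exponent2": d % (q - 1),      # d mod (q-1)
        "coefficient": pow(q, -1, p),  # q^-1 mod p
    }


def public_key(key):
    """What `openssl rsa -pubout` extracts: only modulus and publicExponent."""
    return {"modulus": key["modulus"], "publicExponent": key["publicExponent"]}


def check_rsa_key(key):
    """Consistency checks behind `openssl rsa -check`; an empty list means 'RSA key ok'."""
    n, e, d = key["modulus"], key["publicExponent"], key["privateExponent"]
    p, q = key["prime1"], key["prime2"]
    failures = []
    if p * q != n:
        failures.append("n != p*q")
    if (e * d) % lcm(p - 1, q - 1) != 1:
        failures.append("e*d != 1 mod lcm(p-1, q-1)")
    if key["exponent1"] != d % (p - 1):
        failures.append("exponent1 != d mod (p-1)")
    if key["exponent2"] != d % (q - 1):
        failures.append("exponent2 != d mod (q-1)")
    if (key["coefficient"] * q) % p != 1:
        failures.append("coefficient != q^-1 mod p")
    m = 123456789 % n  # round-trip a sample message through the key pair
    if pow(pow(m, e, n), d, n) != m:
        failures.append("encrypt/decrypt round trip failed")
    return failures


if __name__ == "__main__":
    key = make_private_key(P, Q, E)
    print(check_rsa_key(key) or "RSA key ok")
    print(check_rsa_key(dict(key, prime2=Q + 2)))  # simulated corrupted key file
```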
