Simple Uses of crypto in OpenSSL (Commands)

2014-11-19 wcdj


Simple Uses of crypto in OpenSSL

author:gerry

Contents

Some commands

Some questions

Some tests

 

 

The OpenSSL crypto library implements a wide range of cryptographic algorithms used in various Internet standards. The services provided by this library are used by the OpenSSL implementations of SSL, TLS and S/MIME, and they have also been used to implement SSH, OpenPGP, and other cryptographic standards.

 

libcrypto consists of a number of sub-libraries that implement the individual algorithms.
The functionality includes symmetric encryption, public key cryptography and key agreement, certificate handling, cryptographic hash functions and a cryptographic pseudo-random number generator.

 

https://www.openssl.org/docs/crypto/crypto.html

https://www.openssl.org/docs/crypto/rsa.html#

 

Some commands

Generate an RSA private key

./openssl genrsa -out privatekey.pem 1024

Export the public key from the RSA private key

./openssl rsa -in privatekey.pem -out public.pem -outform PEM -pubout

Encrypt data with the RSA public key

./openssl rsautl -encrypt -inkey public.pem -pubin -in file.txt -out file.ssl

Decrypt the public-key-encrypted data with the RSA private key

./openssl rsautl -decrypt -inkey privatekey.pem -in file.ssl -out decrypted.txt

Print the structure of the RSA private key to the terminal

./openssl rsa -in privatekey.pem -text -noout

 

Generate a random key for a symmetric cipher

dd if=/dev/random of=secretkey bs=16 count=1

Encrypt data with a symmetric cipher

./openssl enc -blowfish -pass file:secretkey -in file.txt -out file.bf

Decrypt data with a symmetric cipher

./openssl enc -d -blowfish -pass file:secretkey -in file.bf -out decrypt.bf

 

The official help page for the rsa command also provides some EXAMPLES.

https://www.openssl.org/docs/apps/rsa.html#

 

 

Notes:

For more help on the commands, see: man openssl or http://www.openssl.org/docs/apps/rsa.html

For more on the RSA algorithm, see: RFC 2437 - PKCS #1: RSA Cryptography Specifications Version 2.0, http://tools.ietf.org/pdf/rfc2437.pdf

 

SYNOPSIS (command syntax)

openssl command [ command_opts ] [ command_args ]

 

COMMAND (commonly used commands)

genrsa   Generation of RSA Private Key. Superseded by genpkey.

rsa      RSA key management.

rsautl   RSA utility for signing, verification, encryption, and decryption. Superseded by pkeyutl.

enc      Encoding with Ciphers.

 

COMMAND OPTIONS (commonly used command options)

-pubin
by default a private key is read from the input file: with this option a public key is read instead.
-pubout
by default a private key is output: with this option a public key will be output instead. This option is automatically set if the input is a public key.
-inform DER|NET|PEM
This specifies the input format. The DER option uses an ASN1 DER encoded form compatible with the PKCS#1 RSAPrivateKey or SubjectPublicKeyInfo format. The PEM form is the default format: it consists of the DER format base64 encoded with additional header and footer lines. On input PKCS#8 format private keys are also accepted. The NET form is a format described in the NOTES section.
-outform DER|NET|PEM
This specifies the output format, the options have the same meaning as the -inform option.
-in filename
This specifies the input filename to read a key from or standard input if this option is not specified. If the key is encrypted a pass phrase will be prompted for.
-out filename
This specifies the output filename to write a key to or standard output if this option is not specified. If any encryption options are set then a pass phrase will be prompted for. The output filename should not be the same as the input filename.

 

About the supported cipher options


Some questions

(1) On the format of RSA keys (both public and private).

The PEM private key format uses the header and footer lines:
 -----BEGIN RSA PRIVATE KEY-----
 -----END RSA PRIVATE KEY-----
The PEM public key format uses the header and footer lines:
 -----BEGIN PUBLIC KEY-----
 -----END PUBLIC KEY-----
The PEM RSAPublicKey format uses the header and footer lines:
 -----BEGIN RSA PUBLIC KEY-----
 -----END RSA PUBLIC KEY-----

https://www.openssl.org/docs/apps/rsa.html#

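Note: Java uses the DER format by default, while C/C++ uses the PEM format by default, so the two can be converted into each other as the situation requires.

(1) Convert PEM to DER

openssl rsa -in key.pem -outform DER -out keyout.der

(2) Convert DER to PEM

openssl rsa -inform DER -in res_privatekey.key -outform PEM -out rsa_privatekey.pem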

 

And PEM can easily be distinguished by the dash lines:
RSAPublicKey is "BEGIN/END RSA PUBLIC KEY" while RSA_PUBKEY
(and also DSA_PUBKEY etc) is "BEGIN/END PUBLIC KEY".

http://openssl.6102.n7.nabble.com/PEM-read-RSA-PUBKEY-amp-PEM-read-RSAPublicKey-td46350.html

try using PEM_read_PrivateKey, PEM_read_PupblicKey and friends since the keys are in PEM format. There's lots of friends, and they are listed at pem(3) in the OpenSSL docs.

http://stackoverflow.com/questions/21980495/generate-rsa-1024-key-pair-using-openssl/21983426#21983426

 

(2) Use RSA private key to generate public key?

openssl genrsa -out mykey.pem 1024
will actually produce a public - private key pair. The pair is stored in the generated mykey.pem file
openssl rsa -in mykey.pem -pubout > mykey.pub
will extract the public key and print that out. Here[1] is a link to a page that describes this better.
EDIT: Check the examples section here. To just output the public part of a private key:
openssl rsa -in key.pem -pubout -out pubkey.pem

http://stackoverflow.com/questions/5244129/use-rsa-private-key-to-generate-public-key/5246045#5246045

[1] http://www.devco.net/archives/2006/02/13/public_-_private_key_encryption_using_openssl.php

[2] http://www.openssl.org/docs/apps/rsa.html


 

(3) The difference between the API functions PEM_read_RSA_PUBKEY() and PEM_read_RSAPublicKey()

The pem manual pages give information:

The RSAPublicKey functions process an RSA public key using an RSA structure. The public key is encoded using a PKCS#1 RSAPublicKey structure.
The RSA_PUBKEY functions also process an RSA public key using an RSA structure. However the public key is encoded using a SubjectPublicKeyInfo structure and an error occurs if the public key is not RSA.


The default public key file format generated by openssl is the PEM format.
PEM_read_RSA_PUBKEY() reads the PEM format. PEM_read_RSAPublicKey() reads the PKCS#1 format.
So if you want to stick to PEM_read_RSAPublicKey() you could generate the public key file using the PKCS#1 format by specifying the -outform DER option when generating the public key.

https://www.openssl.org/docs/crypto/pem.html

http://openssl.6102.n7.nabble.com/PEM-read-RSA-PUBKEY-amp-PEM-read-RSAPublicKey-td46350.html

http://stackoverflow.com/questions/7818117/why-i-cant-read-openssl-generated-rsa-pub-key-with-pem-read-rsapublickey
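
The two public key encodings from questions (1) and (3) can be told apart on the public.pem printed in the test section of this page. The following is an added example, not code from the original post or from OpenSSL: it reads the PEM label, unwraps SubjectPublicKeyInfo with a minimal DER reader (RSA assumed, tags not validated) and re-wraps the same key as PKCS#1. The helper names are this example's own.

```python
import base64, re

# public.pem exactly as printed in this page's test (SubjectPublicKeyInfo form).
PAGE_PUBLIC_PEM = """-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDYEHqcrcJSftHc+viTQoJMu9q2
N0pkcBYmhPgtmYc9I2sUPQ4caPs1dDzJFB8gfZ7ML4KIamUXIeqoNf/djqGI9+NN
KdmMvvb9NljNSEtZX4MqLjLNWH710OGv7NXgLCGkX/orxV9/v00nvgSzpyJV7A9a
Pg9lxscGqGA0Vkv04QIDAQAB
-----END PUBLIC KEY-----"""

READERS = {"PUBLIC KEY": "PEM_read_RSA_PUBKEY",        # label -> libcrypto reader
           "RSA PUBLIC KEY": "PEM_read_RSAPublicKey"}  # (both named on this page)

def pem_decode(pem):
    """Return (label, DER bytes) of the first PEM block."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))

def tlv(der, pos=0):
    """Read one DER element at pos (tag ignored); return (value, next position)."""
    length, pos = der[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return der[pos:pos + length], pos + length

def inspect_rsa_public(pem):
    """Return (reader, modulus, exponent, PKCS#1 RSAPublicKey DER)."""
    label, der = pem_decode(pem)
    if label not in READERS:
        raise ValueError("not an RSA public key PEM: " + label)
    if label == "PUBLIC KEY":              # unwrap SubjectPublicKeyInfo
        spki, _ = tlv(der)
        _, after_alg = tlv(spki)           # skip AlgorithmIdentifier
        bits, _ = tlv(spki, after_alg)     # BIT STRING holding RSAPublicKey
        der = bits[1:]                     # drop the unused-bits octet
    body, _ = tlv(der)
    n, pos = tlv(body)
    e, _ = tlv(body, pos)
    return READERS[label], int.from_bytes(n, "big"), int.from_bytes(e, "big"), der

def to_pkcs1_pem(pem):
    """Re-wrap the same key as BEGIN RSA PUBLIC KEY (PKCS#1)."""
    b64 = base64.b64encode(inspect_rsa_public(pem)[3]).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN RSA PUBLIC KEY-----", *lines, "-----END RSA PUBLIC KEY-----"])
```

With the openssl tool itself, the rsa command's -RSAPublicKey_out option writes the BEGIN RSA PUBLIC KEY form directly.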

 

(4) There is only PEM_read_RSAPrivateKey; why is there no PEM_read_RSA_PRIVATEKEY?

The RSAPrivateKey functions process an RSA private key using an RSA structure. It handles the same formats as the PrivateKey functions but an error occurs if the private key is not RSA. 

https://www.openssl.org/docs/crypto/pem.html

 

Some tests

(1) RSA asymmetric encryption test

$./openssl genrsa -out privatekey.pem 1024

Generating RSA private key, 1024 bit long modulus

....................++++++

......++++++

e is 65537 (0x10001)

$ls

c_rehash openssl  privatekey.pem

$cat privatekey.pem

-----BEGIN RSA PRIVATE KEY-----

-----END RSA PRIVATE KEY-----

$./openssl rsa -in privatekey.pem -out public.pem -outform PEM -pubout

writing RSA key

$ls

c_rehash openssl  privatekey.pem  public.pem

$cat public.pem    

-----BEGIN PUBLIC KEY-----

MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDYEHqcrcJSftHc+viTQoJMu9q2

N0pkcBYmhPgtmYc9I2sUPQ4caPs1dDzJFB8gfZ7ML4KIamUXIeqoNf/djqGI9+NN

KdmMvvb9NljNSEtZX4MqLjLNWH710OGv7NXgLCGkX/orxV9/v00nvgSzpyJV7A9a

Pg9lxscGqGA0Vkv04QIDAQAB

-----END PUBLIC KEY-----

$ls

c_rehash openssl  privatekey.pem  public.pem

$echo "too many secrets" >file.txt

$cat file.txt

too many secrets

$ls

c_rehash file.txt  openssl  privatekey.pem  public.pem

$./openssl rsautl -encrypt -inkey public.pem -pubin -in file.txt -out file.ssl

$ls

c_rehash file.ssl  file.txt  openssl privatekey.pem  public.pem

$cat file.ssl

{Pu艟瑓[謀湘X鯨l磤啺k-1\L囟4gí鄺籓3笜xO

絁v雌`>+A?鲲睲锠i瓐     騽-堈/i=燖爈幟X K

$od -x file.ssl

$./openssl rsautl -decrypt -inkey privatekey.pem -in file.ssl -out decrypted.txt

$ls

c_rehash decrypted.txt  file.ssl  file.txt openssl  privatekey.pem  public.pem

$cat decrypted.txt

too many secrets

$./openssl rsa -in privatekey.pem -text -noout

Private-Key: (1024 bit)

modulus:

publicExponent: 65537 (0x10001)

privateExponent:

prime1:

prime2:

exponent1:

exponent2:

coefficient:

 

(2) Symmetric encryption test

 

$dd if=/dev/random of=secretkey bs=16 count=1

1+0 records in

1+0 records out

16 bytes (16 B) copied, 5.5024e-05 s, 291 kB/s

$od -x secretkey

0000000 5c92 5c0c c3f0 010f 98dd 09b6 726c b8f5

0000020

$ls

c_rehash decrypted.txt  file.ssl  file.txt openssl  privatekey.pem  public.pem secretkey

$./openssl enc -blowfish -pass file:secretkey -in file.txt -out file.bf

$ls

c_rehash decrypted.txt  file.bf  file.ssl file.txt  openssl  privatekey.pem  public.pem secretkey

$cat file.bf

Salted__崊l阳/^0kU0l閎鵞篼EW

$od -x file.bf

0000000 6153 746c 6465 5f5f 858d d16c 11f4 5e2f

0000020 6b30 3055 006c 62e9 2ff4 b556 5bf9 fbf3

0000040 7fe8 5338 81a6 5745

0000050

$./openssl enc -d -blowfish -pass file:secretkey -in file.bf

too many secrets

$./openssl enc -d -blowfish -pass file:secretkey -in file.bf -out decrypt.bf

$ls

c_rehash decrypt.bf  decrypted.txt  file.bf file.ssl  file.txt  openssl privatekey.pem  public.pem  secretkey

$cat decrypt.bf

too many secrets
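
The od -x dump of file.bf above starts with the bytes "Salted__" followed by an 8-byte salt: with -pass, enc treats the content of secretkey as a password (only its first line) and derives the actual Blowfish key and IV from it. The following added example, which is not part of the original post, rebuilds the bytes from the page's od output and repeats that derivation, assuming the MD5 digest that enc used by default in OpenSSL releases before 1.1.0. The function names are this example's own.

```python
import hashlib

# od -x output for file.bf and secretkey as shown in this page's test.
# od -x prints 16-bit words in host byte order (little-endian on x86).
FILE_BF_OD = """0000000 6153 746c 6465 5f5f 858d d16c 11f4 5e2f
0000020 6b30 3055 006c 62e9 2ff4 b556 5bf9 fbf3
0000040 7fe8 5338 81a6 5745
0000050"""
SECRETKEY_OD = """0000000 5c92 5c0c c3f0 010f 98dd 09b6 726c b8f5
0000020"""

def od_x_to_bytes(dump):
    """Rebuild the original bytes from little-endian `od -x` output (even length)."""
    out = bytearray()
    for line in dump.splitlines():
        for word in line.split()[1:]:          # field 0 is the octal offset
            out += int(word, 16).to_bytes(2, "little")
    return bytes(out)

def parse_enc_file(blob):
    """Split an `openssl enc` output file into (salt, ciphertext)."""
    if blob[:8] != b"Salted__":
        raise ValueError("missing Salted__ magic (file written with -nosalt?)")
    return blob[8:16], blob[16:]

def password_from_file(data):
    """-pass file: uses only the first line of the file as the password."""
    return data.split(b"\n", 1)[0]

def evp_bytes_to_key(password, salt, key_len, iv_len, md="md5"):
    """EVP_BytesToKey with one iteration: D_i = H(D_{i-1} || password || salt)."""
    material, block = b"", b""
    while len(material) < key_len + iv_len:
        block = hashlib.new(md, block + password + salt).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]

def derive_for_page_sample():
    """Return (salt, ciphertext, password, key, iv) for the page's file.bf."""
    salt, ciphertext = parse_enc_file(od_x_to_bytes(FILE_BF_OD))
    password = password_from_file(od_x_to_bytes(SECRETKEY_OD))
    key, iv = evp_bytes_to_key(password, salt, 16, 8)   # bf-cbc: 128-bit key, 64-bit IV
    return salt, ciphertext, password, key, iv
```

A pass file made of raw random bytes is cut at the first 0x0a byte, so a printable key file (for example hex-encoded) avoids an accidentally short password.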

 

 

curl test

 

-k, --insecure

(SSL) This option explicitly allows curl to perform "insecure" SSL connections and transfers. All SSL connections are attempted to be made secure by using the CA certificate bundle installed by default. This makes all connections considered "insecure" fail unless -k, --insecure is used.

See this online resource for further details: http://curl.haxx.se/docs/sslcerts.html

 

-E, --cert

(SSL) Tells curl to use the specified client certificate file when getting a file with HTTPS, FTPS or another SSL-based protocol. The certificate must be in PKCS#12 format if using Secure Transport, or PEM format if using any other engine. If the optional password isn't specified, it will be queried for on the terminal.

Note that this option assumes a "certificate" file that is the private key and the private certificate concatenated! See --cert and --key to specify them independently.

If curl is built against the NSS SSL library then this option can tell curl the nickname of the certificate to use within the NSS database defined by the environment variable SSL_DIR (or by default /etc/pki/nssdb).

If the NSS PEM PKCS#11 module (libnsspem.so) is available then PEM files may be loaded.

If you want to use a file from the current directory, please precede it with "./" prefix, in order to avoid confusion with a nickname. If the nickname contains ":", it needs to be preceded by "\" so that it is not recognized as password delimiter. If the nickname contains "\", it needs to be escaped as "\\" so that it is not recognized as an escape character.

(iOS and Mac OS X only) If curl is built against Secure Transport, then the certificate string can either be the name of a certificate/private key in the system or user key-chain, or the path to a PKCS#12-encoded certificate and private key. If you want to use a file from the current directory, please precede it with "./" prefix, in order to avoid confusion with a nickname.

If this option is used several times, the last one will be used.

 

curl -kv -E ./privatekey.pem:20141011 https://127.0.0.1/test

 

See also: curl + personal certificate (also called a client certificate) to access an https site


 

 





