OPENSSL

Common OpenSSL usage

Typing openssl followed by any invalid option prints the list of available commands:

[root@station51 ~]# openssl -
openssl:Error: '-' is an invalid command.
# standard commands
Standard commands
asn1parse ca(commonly used) ciphers cms
crl crl2pkcs7 dgst dh
dhparam dsa dsaparam ec
ecparam enc(commonly used) engine errstr
gendh gendsa(commonly used) genpkey genrsa
nseq ocsp passwd pkcs12
pkcs7 pkcs8 pkey pkeyparam
pkeyutl prime rand req(commonly used)
rsa rsautl s_client s_server
s_time sess_id smime speed
spkac ts verify version
x509
# message digest commands
Message Digest commands (see the `dgst' command for more details)
md2 md4 md5 rmd160
sha sha1
# cipher commands
Cipher commands (see the `enc' command for more details)
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb
aes-256-cbc aes-256-ecb base64 bf
bf-cbc bf-cfb bf-ecb bf-ofb
camellia-128-cbc camellia-128-ecb camellia-192-cbc camellia-192-ecb
camellia-256-cbc camellia-256-ecb cast cast-cbc
cast5-cbc cast5-cfb cast5-ecb cast5-ofb
des des-cbc des-cfb des-ecb
des-ede des-ede-cbc des-ede-cfb des-ede-ofb
des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb
des-ofb des3 desx idea
idea-cbc idea-cfb idea-ecb idea-ofb
rc2 rc2-40-cbc rc2-64-cbc rc2-cbc
rc2-cfb rc2-ecb rc2-ofb rc4
rc4-40 seed seed-cbc seed-cfb
seed-ecb seed-ofb zlib

Symmetric encryption:

Tools: openssl enc, gpg
Supported algorithms: 3des, aes, blowfish, twofish

Encryption:

# using the file /etc/fstab as the example
[root@station51 ~]# cd /etc
[root@station51 etc]# openssl enc -e -des3 -a -salt -in fstab -out fstab.ciphertext
enter des-ede3-cbc encryption password:
Verifying - enter des-ede3-cbc encryption password:
[root@station51 etc]# cat fstab.ciphertext
(base64-encoded ciphertext omitted)
[root@station51 etc]#

Notes:

openssl enc -e -des3 -a -salt -in fstab -out fstab.ciphertext
openssl enc -d -des3 -a -salt -in fstab.ciphertext -out fstab
-e   encrypt   <-->   -d   decrypt
-des3   use the des3 (triple DES) algorithm
-a   base64-encode the output so the encrypted file is plain text
-salt   add a random salt during encryption
-in   the file to encrypt
-out   where to write the encrypted file
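The encrypt/decrypt pair above as a scripted round trip (an added example, not from the original post). It assumes openssl 1.1.1 or later on PATH, uses a constructed file in place of /etc/fstab, and swaps the post's des3 for AES-256-CBC with PBKDF2 key derivation; the password is passed with -pass pass:... only so the run is non-interactive.

```shell
#!/bin/sh
# Added example (not from the original post): encrypt a constructed file with
# openssl enc, decrypt it again, and confirm the round trip is lossless.
# Assumes openssl 1.1.1+ on PATH (for -pbkdf2). In real use pass the secret
# with -pass file:/path or -pass env:VAR rather than on the command line.
# Note: openssl enc adds no MAC, so a modified ciphertext or a wrong password
# is only caught by the padding check, not by a real integrity check.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample input standing in for the post's /etc/fstab.
printf '/dev/sda1 / ext4 defaults 1 1\nUUID=abcd /boot ext4 defaults 1 2\n' \
    > "$WORK/fstab"

# encrypt_file IN OUT PASSWORD
# Same shape as the post (-e -a -salt) with AES-256-CBC and PBKDF2
# instead of des3 and the legacy single-MD5 key derivation.
encrypt_file() {
    openssl enc -e -aes-256-cbc -pbkdf2 -a -salt -in "$1" -out "$2" -pass "pass:$3"
}

# decrypt_file IN OUT PASSWORD: the same command with -d instead of -e.
decrypt_file() {
    openssl enc -d -aes-256-cbc -pbkdf2 -a -salt -in "$1" -out "$2" -pass "pass:$3"
}

# roundtrip FILE PASSWORD: returns 0 if decrypt(encrypt(FILE)) == FILE.
roundtrip() {
    encrypt_file "$1" "$1.ciphertext" "$2" &&
    decrypt_file "$1.ciphertext" "$1.plain" "$2" &&
    cmp -s "$1" "$1.plain"
}

# salt_differs FILE PASSWORD: returns 0 if two encryptions of the same input
# with the same password give different ciphertext (the effect of -salt).
salt_differs() {
    encrypt_file "$1" "$1.c1" "$2" && encrypt_file "$1" "$1.c2" "$2" &&
    ! cmp -s "$1.c1" "$1.c2"
}

roundtrip "$WORK/fstab" 's3cret' && echo "round trip ok"
salt_differs "$WORK/fstab" 's3cret' && echo "salted ciphertexts differ"
```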

One-way encryption (hashing):

Tools: openssl dgst, md5sum, sha1sum, sha224sum, ...
Supported algorithms: md2, md4, md5, rmd160, sha, sha1

Computing a digest:

[root@station51 etc]# openssl dgst -md5 /etc/fstab
MD5(/etc/fstab)= ec48e5270ea9c035c72aa1519432af8c
[root@station51 etc]# md5sum /etc/fstab
ec48e5270ea9c035c72aa1519432af8c /etc/fstab
[root@station51 etc]# openssl dgst -sha1 /etc/fstab
SHA1(/etc/fstab)= 43133334e56e2a58245cd0a9e5174f6bebe325a1
[root@station51 etc]# sha1sum /etc/fstab
43133334e56e2a58245cd0a9e5174f6bebe325a1 /etc/fstab

Notes:

The dgst command:
    ~]# openssl dgst -md5 /PATH/TO/SOMEFILE
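An integrity check built on the command above (an added example, not from the original post): it parses the "ALGO(file)= hex" line that openssl dgst prints, compares it with the coreutils *sum tool as the post does, and checks a file against an expected hash. Assumes openssl and the coreutils md5sum/sha256sum tools on PATH; the input file is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): compute a file digest with
# openssl dgst, parse its "ALGO(file)= hex" output, and check the value
# against an expected hash, mirroring the md5sum/sha1sum comparison above.
# Assumes openssl and the coreutils *sum tools on PATH.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed input: the five bytes "hello" with no trailing newline.
printf 'hello' > "$WORK/sample.txt"

# digest ALGO FILE: prints only the hex digest, stripping the
# "MD5(/path)= " prefix that openssl dgst adds.
digest() {
    openssl dgst "-$1" "$2" | sed 's/^.*= //'
}

# coreutils_digest ALGO FILE: the same value via md5sum/sha256sum,
# whose output is "hex  filename".
coreutils_digest() {
    "$1sum" "$2" | cut -d' ' -f1
}

# verify_digest ALGO FILE EXPECTED: 0 if the file's digest equals EXPECTED.
# This is the check to run on a download against its published hash.
verify_digest() {
    actual=$(digest "$1" "$2")
    [ "$actual" = "$3" ]
}

# tools_agree ALGO FILE: 0 if openssl dgst and the coreutils tool agree.
tools_agree() {
    [ "$(digest "$1" "$2")" = "$(coreutils_digest "$1" "$2")" ]
}

tools_agree sha256 "$WORK/sample.txt" && echo "openssl dgst and sha256sum agree"
```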

Generating user password hashes:

Tools: passwd, openssl passwd
[root@station51 etc]# openssl passwd -1 -salt 123456 hello
$1$123456$HQ125.2GLsY4GcwH9Mm1P/
[root@station51 etc]# openssl passwd -1 -salt 123456 hello
$1$123456$HQ125.2GLsY4GcwH9Mm1P/
[root@station51 etc]# openssl passwd -1 -salt 123456 helloworld
$1$123456$jBay/ZlxBUiEX3gCH5Pba.
[root@station51 etc]# openssl passwd -1 -salt 12345678 hello
$1$12345678$SWwdAXyU/e6YSg8pQlz4D/
[root@station51 etc]#

Notes:

Syntax: openssl passwd -1 -salt SALT PASSWORD
The salt is chosen by the user. Same salt and same string: hashing repeatedly gives the same result.
Same salt but a different string: the result differs.
Different salt but the same string: the result differs.

Generating random numbers:

Tool: openssl rand FORMAT LENGTH (the length is in bytes: -hex 4 yields 8 hex characters)
[root@station51 etc]# openssl rand -hex 4
2f1e3fb3
[root@station51 etc]# openssl rand -base64 4
HLmG0w==

Notes:

Syntax: openssl rand FORMAT LENGTH

Combined: password hash + random salt

[root@station51 etc]# openssl passwd -1 -salt $(openssl rand -hex 4) hello
$1$874b43cc$yVoAMU.vR5/KJS5VXNDxG.
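The salt rules and the passwd-plus-rand combination above, scripted (an added example, not from the original post): a random salt from openssl rand, a hash from openssl passwd, and a verify step that recovers the salt from a stored "$1$salt$hash" string and re-hashes the candidate password. Assumes openssl on PATH; -1 is MD5-crypt as in the post, and -6 (SHA-512-crypt, OpenSSL 1.1.1+) is what a current /etc/shadow uses.

```shell
#!/bin/sh
# Added example (not from the original post): hash a password with
# openssl passwd using a salt from openssl rand, then verify a candidate
# password against a stored "$id$salt$hash" string by re-hashing it with
# the salt embedded in that string. Assumes openssl on PATH.
# -1 is MD5-crypt (as in the post); -6 is SHA-512-crypt (OpenSSL 1.1.1+),
# the algorithm a current /etc/shadow would use.

# new_salt: 8 hex characters, as in "openssl rand -hex 4" above.
new_salt() {
    openssl rand -hex 4
}

# hash_password PASSWORD SALT [ALGO]: ALGO is 1 (MD5-crypt) or 6 (SHA-512-crypt).
hash_password() {
    openssl passwd "-${3:-1}" -salt "$2" "$1"
}

# make_entry PASSWORD: hash with a fresh random salt (the post's last command).
make_entry() {
    hash_password "$1" "$(new_salt)" 1
}

# verify_password CANDIDATE STORED: 0 if CANDIDATE hashes to STORED.
# The algorithm id is field 2 and the salt field 3 of "$id$salt$hash",
# so both are recovered from the stored string, not kept separately.
verify_password() {
    id=$(printf '%s' "$2" | cut -d'$' -f2)
    salt=$(printf '%s' "$2" | cut -d'$' -f3)
    [ "$(hash_password "$1" "$salt" "$id")" = "$2" ]
}

entry=$(make_entry hello)
echo "stored: $entry"
verify_password hello "$entry" && echo "hello verifies"
verify_password helloworld "$entry" || echo "helloworld rejected"
```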

Public-key cryptography:

Encryption/decryption:
    Algorithms: RSA, ElGamal
    Tools: openssl rsautl, gpg
Digital signatures:
    Algorithms: RSA, DSA, ElGamal
    Tools:
Key exchange:
    Algorithm: DH

Generating a private key:

[root@station51 /]# openssl genrsa -out mykey.key 1024
Generating RSA private key, 1024 bit long modulus
........++++++
........++++++
........++++++
e is 65537 (0x10001)
[root@station51 /]# cat mykey.key
-----BEGIN RSA PRIVATE KEY-----
(key material omitted)
-----END RSA PRIVATE KEY-----

Notes:

Generate a private key:  ~]# openssl genrsa -out mykey.key 1024
Extract the public key:  ~]# openssl rsa -in mykey.key -pubout

Extracting the public key:

Only the public key is output; the private key is not.
[root@station51 /]# openssl rsa -in mykey.key -pubout
writing RSA key
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDB2PBAFQGSVrHFnWBn1iAbwdZR
RSIK9usxh3Tq0czeWraJCcqTYpHL9+I6U//fMUaNb57t/JphnnAsJ29ToTPtrf4y
5y9xsbZpo7vnSSeBw1cUVsd0KIxnk9KT1dFW5X3lwo3DkNmgLIWGOB2R/nl5LYC4
bnvHI7l+JIsU/8OHiwIDAQAB
-----END PUBLIC KEY-----
[root@station51 /]# cat mykey.key
-----BEGIN RSA PRIVATE KEY-----
(key material omitted)
-----END RSA PRIVATE KEY-----

To keep other users from reading the private key, it is recommended to restrict the file permissions at the moment the key is generated:

~]# (umask 077; openssl genrsa -out test.key 1024)
[root@station51 /]# (umask 077; openssl genrsa -out test.key 1024)
Generating RSA private key, 1024 bit long modulus
...................++++++
.................................................++++++
e is 65537 (0x10001)
[root@station51 /]# ll
-rw-r--r-- 1 root root 887 May 29 16:07 mykey.key
-rw------- 1 root root 887 May 29 16:13 test.key
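The key-generation, public-key extraction and umask steps above as checks a reviewer can run (an added example, not from the original post): the private key must be owner-only (mode 0600), and the extracted public key must carry the same modulus as the private key. Assumes openssl on PATH and uses 2048 bits, since the post's 1024-bit keys are below current minimums.

```shell
#!/bin/sh
# Added example (not from the original post): generate an RSA private key
# under umask 077 as recommended above, extract the public key, and check
# that the key file is mode 0600 and that the public key really belongs to
# it (same modulus). Assumes openssl on PATH. 2048 bits is used instead of
# the post's 1024, which is below current minimums.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# gen_key FILE [BITS]: private key written under a restrictive umask,
# as in the post's "(umask 077; openssl genrsa -out test.key 1024)".
gen_key() {
    (umask 077; openssl genrsa -out "$1" "${2:-2048}" 2>/dev/null)
}

# pub_key PRIVFILE PUBFILE: "openssl rsa -in key -pubout", written to a file.
pub_key() {
    openssl rsa -in "$1" -pubout -out "$2" 2>/dev/null
}

# key_mode FILE: the first ten characters of ls -l, e.g. "-rw-------".
# Used instead of stat(1), whose flags differ between GNU and BSD.
key_mode() {
    ls -l "$1" | cut -c1-10
}

# private_only FILE: 0 if only the owner can read or write the key.
private_only() {
    [ "$(key_mode "$1")" = "-rw-------" ]
}

# keys_match PRIVFILE PUBFILE: 0 if both files carry the same RSA modulus.
keys_match() {
    priv=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
    pub=$(openssl rsa -pubin -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$priv" ] && [ "$priv" = "$pub" ]
}

gen_key "$WORK/test.key" && pub_key "$WORK/test.key" "$WORK/test.pub"
private_only "$WORK/test.key" && echo "test.key is owner-only"
keys_match "$WORK/test.key" "$WORK/test.pub" && echo "public key matches private key"
```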