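Introduction to OpenSSL
- OpenSSL is an open-source, full-featured library that implements a wide range of cryptographic algorithms and the SSL/TLS protocols. It covers the main cryptographic algorithms, common key and certificate encapsulation and management functions, and the SSL protocol, and it provides a multi-purpose command-line tool. It is written in C and is highly portable, supporting Linux, Windows, BSD, Mac, VMS and other platforms.
- OpenSSL consists of three parts
- The Crypto library (cryptographic algorithm library): provides interfaces for symmetric encryption and decryption, asymmetric encryption and decryption, certificate management, data signing, message digests and more.
- The SSL library (SSL/TLS protocol library): provides the SSL/TLS interfaces, used for HTTPS communication.
- Command line tool: performs encryption, decryption and a range of related operations from the terminal.
- OpenSSL is widely used in cryptography and network security.
- This article mainly covers the installation steps for the various OpenSSL versions and how to use the command-line tool for encryption, decryption and certificate generation.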
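Resources
Installation on Linux
- Install from the command line
- sudo apt-get install openssl
- sudo apt-get install libssl-dev
- Uninstall from the command line
- sudo apt-get remove openssl
- Install from an installation package
- Check the version
- openssl version
Installation on Windows
- Latest version
- On Windows I only found versions 3.1 and 1.1; I did not find version 1.0
- To install, just download the installer and double-click it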
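Symmetric encryption and decryption
-
enc is the symmetric encryption and decryption command-line tool provided by openssl. After installing openssl, run openssl enc -list to see all the symmetric ciphers that enc supports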
-
Supported ciphers: -aes-128-cbc -aes-128-cfb -aes-128-cfb1 -aes-128-cfb8 -aes-128-ctr -aes-128-ecb -aes-128-ofb -aes-192-cbc -aes-192-cfb -aes-192-cfb1 -aes-192-cfb8 -aes-192-ctr -aes-192-ecb -aes-192-ofb -aes-256-cbc -aes-256-cfb -aes-256-cfb1 -aes-256-cfb8 -aes-256-ctr -aes-256-ecb -aes-256-ofb -aes128 -aes128-wrap -aes192 -aes192-wrap -aes256 -aes256-wrap -aria-128-cbc -aria-128-cfb -aria-128-cfb1 -aria-128-cfb8 -aria-128-ctr -aria-128-ecb -aria-128-ofb -aria-192-cbc -aria-192-cfb -aria-192-cfb1 -aria-192-cfb8 -aria-192-ctr -aria-192-ecb -aria-192-ofb -aria-256-cbc -aria-256-cfb -aria-256-cfb1 -aria-256-cfb8 -aria-256-ctr -aria-256-ecb -aria-256-ofb -aria128 -aria192 -aria256 -bf -bf-cbc -bf-cfb -bf-ecb -bf-ofb -blowfish -camellia-128-cbc -camellia-128-cfb -camellia-128-cfb1 -camellia-128-cfb8 -camellia-128-ctr -camellia-128-ecb -camellia-128-ofb -camellia-192-cbc -camellia-192-cfb -camellia-192-cfb1 -camellia-192-cfb8 -camellia-192-ctr -camellia-192-ecb -camellia-192-ofb -camellia-256-cbc -camellia-256-cfb -camellia-256-cfb1 -camellia-256-cfb8 -camellia-256-ctr -camellia-256-ecb -camellia-256-ofb -camellia128 -camellia192 -camellia256 -cast -cast-cbc -cast5-cbc -cast5-cfb -cast5-ecb -cast5-ofb -chacha20 -des -des-cbc -des-cfb -des-cfb1 -des-cfb8 -des-ecb -des-ede -des-ede-cbc -des-ede-cfb -des-ede-ecb -des-ede-ofb -des-ede3 -des-ede3-cbc -des-ede3-cfb -des-ede3-cfb1 -des-ede3-cfb8 -des-ede3-ecb -des-ede3-ofb -des-ofb -des3 -des3-wrap -desx -desx-cbc -id-aes128-wrap -id-aes128-wrap-pad -id-aes192-wrap -id-aes192-wrap-pad -id-aes256-wrap -id-aes256-wrap-pad -id-smime-alg-CMS3DESwrap -rc2 -rc2-128 -rc2-40 -rc2-40-cbc -rc2-64 -rc2-64-cbc -rc2-cbc -rc2-cfb -rc2-ecb -rc2-ofb -rc4 -rc4-40 -seed -seed-cbc -seed-cfb -seed-ecb -seed-ofb -sm4 -sm4-cbc -sm4-cfb -sm4-ctr -sm4-ecb -sm4-ofb
-
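Full enc command syntax
- openssl enc -ciphername [-in filename] [-out filename] [-pass arg] [-e ] [-d ] [-a ] [-A] [-k password ] [-kfile filename] [-K key] [-iv IV] [-p] [-P] [-bufsize number] [-nopad] [-debug]
- -ciphername: the name of the symmetric algorithm (one of those shown by the openssl enc -list command above)
- -in filename: input file; defaults to standard input.
- -out filename: output file; defaults to standard output.
- -pass arg: if the input file is password-protected, specifies the password source.
- -e: encrypt; this is the default operation.
- -d: decrypt.
- -a: encryption and decryption operate on raw data only, so a base64 conversion is sometimes needed. With this option, the ciphertext is base64-encoded after encryption, and the input is base64-decoded before decryption.
- -A: by default the base64 output spans multiple lines in the file. Set this option to write the result on a single line; the same setting must be used when decrypting, otherwise reading the data fails.
- -k password: specifies the encryption password; if it is not set, the program prompts the user for it.
- -kfile filename: specifies the file that holds the password.
- -K key: the key, in hexadecimal.
- -iv IV: the initialization vector, in hexadecimal.
- -p: prints the salt, password and initialization vector (IV) used.
- -P: prints the salt, password and IV used, without performing encryption or decryption.
- -bufsize number: sets the I/O buffer size, since a file may be very large and only a limited amount of data is read at a time.
- -debug: prints debugging information.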
-
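AES encryption and decryption
- Encrypt
- openssl enc -aes-128-cbc -in in.txt -out out.txt -a -K 001122334455BBCCDDEEFF0011223344 -iv 0123456789ABCDEF0123456789ABCDEF
- Decrypt
- openssl enc -aes-128-cbc -in out.txt -out inin.txt -d -a -K 001122334455BBCCDDEEFF0011223344 -iv 0123456789ABCDEF0123456789ABCDEF
- We chose a 128-bit key; as the list above shows, the key length can be 128, 192 or 256 bits. We chose the cbc mode; the available modes are ecb, cbc, cfb, ofb and ctr.
- To make the ciphertext readable, specify -a so that it is base64-encoded; otherwise the ciphertext is a binary file. When decrypting, specify -a as well, so that the data is base64-decoded before it is decrypted. Encryption is the default operation, so no option is needed when encrypting, but -d must be given when decrypting. ECB mode has no initialization vector, so -iv does not need to be specified for it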
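The effect of the mode choice described above, as an added example that is not part of the original article: it encrypts two identical 16-byte blocks with the page's demo key and IV under ecb and cbc, and round-trips the -a (base64) form. The sample plaintext and the helper names enc_hex, blocks_repeat and roundtrip are constructed for this example.

```shell
#!/bin/sh
# Key and IV are the demo values from the AES commands on this page.
KEY=001122334455BBCCDDEEFF0011223344
IV=0123456789ABCDEF0123456789ABCDEF
# Constructed sample input: two identical 16-byte plaintext blocks.
PLAIN=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

# enc_hex MODE: print the hex ciphertext of PLAIN under aes-128-MODE.
# -nopad keeps the output at exactly two blocks; ecb takes no -iv.
enc_hex() {
    if [ "$1" = ecb ]; then
        printf '%s' "$PLAIN" | openssl enc -aes-128-ecb -K "$KEY" -nopad
    else
        printf '%s' "$PLAIN" | openssl enc "-aes-128-$1" -K "$KEY" -iv "$IV" -nopad
    fi | od -An -v -tx1 | tr -d ' \n'
}

# blocks_repeat HEX: exit 0 when ciphertext block 1 equals block 2.
blocks_repeat() {
    b1=$(printf '%s' "$1" | cut -c1-32)
    b2=$(printf '%s' "$1" | cut -c33-64)
    [ "$b1" = "$b2" ]
}

# roundtrip MODE: encrypt with -a (base64), decrypt with -d -a, print result.
roundtrip() {
    printf '%s' "$PLAIN" | openssl enc "-aes-128-$1" -a -K "$KEY" -iv "$IV" |
        openssl enc "-aes-128-$1" -d -a -K "$KEY" -iv "$IV"
}

for mode in ecb cbc; do
    ct=$(enc_hex "$mode")
    if blocks_repeat "$ct"; then
        verdict="identical plaintext blocks give identical ciphertext blocks"
    else
        verdict="ciphertext blocks differ"
    fi
    printf '%s: %s (%s)\n' "$mode" "$ct" "$verdict"
done
printf 'cbc round trip: %s\n' "$(roundtrip cbc)"
```

The repeated ciphertext block under ecb reveals that the plaintext repeats, which is the reason to pick a mode that takes an IV, such as cbc or ctr, for anything but single-block data.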
-
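DES encryption and decryption
- Encrypt
- openssl enc -des-ecb -K 0123456789AAAAAA -in in.txt -out out.txt -a
- Decrypt
- openssl enc -des-ecb -d -K 0123456789AAAAAA -in out.txt -out inin.txt -a
- The DES key length is fixed at 64 bits, so only the mode needs to be chosen.
-
The other symmetric algorithms are not demonstrated here; their usage is essentially the same.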
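Asymmetric encryption and decryption
-
RSA
- Generate a private key; 2048 is the key size in bits
openssl genrsa -out private.key 2048
- Export the public key from the private key file
openssl rsa -in private.key -pubout -out public.key
- RSA public-key encryption; in.txt is the source file and out.txt is the encrypted file
openssl rsautl -encrypt -pubin -inkey public.key -in in.txt -out out.txt
- RSA private-key decryption; inin.txt is the decrypted file
openssl rsautl -decrypt -inkey private.key -in out.txt -out inin.txt
-
ECC
- List the supported elliptic curves
- openssl ecparam -list_curves
- This shows all the supported elliptic curves; the curve name comes first in each entry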
-
secp112r1 : SECG/WTLS curve over a 112 bit prime field secp112r2 : SECG curve over a 112 bit prime field secp128r1 : SECG curve over a 128 bit prime field secp128r2 : SECG curve over a 128 bit prime field secp160k1 : SECG curve over a 160 bit prime field secp160r1 : SECG curve over a 160 bit prime field secp160r2 : SECG/WTLS curve over a 160 bit prime field secp192k1 : SECG curve over a 192 bit prime field secp224k1 : SECG curve over a 224 bit prime field secp224r1 : NIST/SECG curve over a 224 bit prime field secp256k1 : SECG curve over a 256 bit prime field secp384r1 : NIST/SECG curve over a 384 bit prime field secp521r1 : NIST/SECG curve over a 521 bit prime field prime192v1: NIST/X9.62/SECG curve over a 192 bit prime field prime192v2: X9.62 curve over a 192 bit prime field prime192v3: X9.62 curve over a 192 bit prime field prime239v1: X9.62 curve over a 239 bit prime field prime239v2: X9.62 curve over a 239 bit prime field prime239v3: X9.62 curve over a 239 bit prime field prime256v1: X9.62/SECG curve over a 256 bit prime field sect113r1 : SECG curve over a 113 bit binary field sect113r2 : SECG curve over a 113 bit binary field sect131r1 : SECG/WTLS curve over a 131 bit binary field sect131r2 : SECG curve over a 131 bit binary field sect163k1 : NIST/SECG/WTLS curve over a 163 bit binary field sect163r1 : SECG curve over a 163 bit binary field sect163r2 : NIST/SECG curve over a 163 bit binary field sect193r1 : SECG curve over a 193 bit binary field sect193r2 : SECG curve over a 193 bit binary field sect233k1 : NIST/SECG/WTLS curve over a 233 bit binary field sect233r1 : NIST/SECG/WTLS curve over a 233 bit binary field sect239k1 : SECG curve over a 239 bit binary field sect283k1 : NIST/SECG curve over a 283 bit binary field sect283r1 : NIST/SECG curve over a 283 bit binary field sect409k1 : NIST/SECG curve over a 409 bit binary field sect409r1 : NIST/SECG curve over a 409 bit binary field sect571k1 : NIST/SECG curve over a 571 bit binary field sect571r1 : 
NIST/SECG curve over a 571 bit binary field c2pnb163v1: X9.62 curve over a 163 bit binary field c2pnb163v2: X9.62 curve over a 163 bit binary field c2pnb163v3: X9.62 curve over a 163 bit binary field c2pnb176v1: X9.62 curve over a 176 bit binary field c2tnb191v1: X9.62 curve over a 191 bit binary field c2tnb191v2: X9.62 curve over a 191 bit binary field c2tnb191v3: X9.62 curve over a 191 bit binary field c2pnb208w1: X9.62 curve over a 208 bit binary field c2tnb239v1: X9.62 curve over a 239 bit binary field c2tnb239v2: X9.62 curve over a 239 bit binary field c2tnb239v3: X9.62 curve over a 239 bit binary field c2pnb272w1: X9.62 curve over a 272 bit binary field c2pnb304w1: X9.62 curve over a 304 bit binary field c2tnb359v1: X9.62 curve over a 359 bit binary field c2pnb368w1: X9.62 curve over a 368 bit binary field c2tnb431r1: X9.62 curve over a 431 bit binary field wap-wsg-idm-ecid-wtls1: WTLS curve over a 113 bit binary field wap-wsg-idm-ecid-wtls3: NIST/SECG/WTLS curve over a 163 bit binary field wap-wsg-idm-ecid-wtls4: SECG curve over a 113 bit binary field wap-wsg-idm-ecid-wtls5: X9.62 curve over a 163 bit binary field wap-wsg-idm-ecid-wtls6: SECG/WTLS curve over a 112 bit prime field wap-wsg-idm-ecid-wtls7: SECG/WTLS curve over a 160 bit prime field wap-wsg-idm-ecid-wtls8: WTLS curve over a 112 bit prime field wap-wsg-idm-ecid-wtls9: WTLS curve over a 160 bit prime field wap-wsg-idm-ecid-wtls10: NIST/SECG/WTLS curve over a 233 bit binary field wap-wsg-idm-ecid-wtls11: NIST/SECG/WTLS curve over a 233 bit binary field wap-wsg-idm-ecid-wtls12: WTLS curve over a 224 bit prime field Oakley-EC2N-3: IPSec/IKE/Oakley curve #3 over a 155 bit binary field. Not suitable for ECDSA. Questionable extension field! Oakley-EC2N-4: IPSec/IKE/Oakley curve #4 over a 185 bit binary field. Not suitable for ECDSA. Questionable extension field! 
brainpoolP160r1: RFC 5639 curve over a 160 bit prime field brainpoolP160t1: RFC 5639 curve over a 160 bit prime field brainpoolP192r1: RFC 5639 curve over a 192 bit prime field brainpoolP192t1: RFC 5639 curve over a 192 bit prime field brainpoolP224r1: RFC 5639 curve over a 224 bit prime field brainpoolP224t1: RFC 5639 curve over a 224 bit prime field brainpoolP256r1: RFC 5639 curve over a 256 bit prime field brainpoolP256t1: RFC 5639 curve over a 256 bit prime field brainpoolP320r1: RFC 5639 curve over a 320 bit prime field brainpoolP320t1: RFC 5639 curve over a 320 bit prime field brainpoolP384r1: RFC 5639 curve over a 384 bit prime field brainpoolP384t1: RFC 5639 curve over a 384 bit prime field brainpoolP512r1: RFC 5639 curve over a 512 bit prime field brainpoolP512t1: RFC 5639 curve over a 512 bit prime field SM2 : SM2 curve over a 256 bit prime field
-
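Generate a parameter file
- openssl ecparam -name secp256k1 -out secp256k1.pem
-
Display the parameters in the parameter file
- openssl ecparam -in secp256k1.pem -text -param_enc explicit -noout
-
Generate a private key from the parameter file
- openssl ecparam -in secp256k1.pem -genkey -out secp256k1-key.key
-
Export the public key from the private key
- openssl ec -in secp256k1-key.key -pubout -out public.key
-
Note: with the command-line tool I only found how to generate ECC public and private keys; I did not find an encryption/decryption function. Two ECC curves are in common use, SM2 and secp256k1: SM2 is already widely used in commercial cryptography products in China, and secp256k1 is mainly used in blockchain and Bitcoin.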
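Certificates
- Generate a mock CA certificate
- Generate an RSA private key
- openssl genrsa -out ca.key 1024
- Note: 1024 is the key size in bits
- After the command runs, a ca.key file containing the RSA private key is created in the current directory. Its contents can be viewed directly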
- Generate the CA certificate
- openssl req -new -x509 -key ca.key -out ca.crt -days 365
- Note: -days sets the certificate validity period
- After entering the command, the following information must be filled in
-
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CH #country
State or Province Name (full name) [Some-State]:ShanXi #state or province
Locality Name (eg, city) []:XiAn #city
Organization Name (eg, company) [Internet Widgits Pty Ltd]:csdn #company
Organizational Unit Name (eg, section) []:csdn #department
Common Name (e.g. server FQDN or YOUR name) []:CA
Email Address []:
- After the information above is entered, a certificate file named ca.crt is generated; its contents can be viewed with the following command
- openssl x509 -noout -text -in ca.crt
-
Certificate: Data: Version: 3 (0x2) Serial Number: 17:55:d5:5e:1c:bb:92:cc:09:08:64:c7:1b:b0:e5:27:f6:76:e6:31 Signature Algorithm: sha256WithRSAEncryption Issuer: C = CH, ST = ShanXi, L = XiAn, O = csdn, OU = csdn, CN = CA Validity Not Before: Jan 1 10:30:58 2022 GMT Not After : Jan 1 10:30:58 2023 GMT Subject: C = CH, ST = ShanXi, L = XiAn, O = csdn, OU = csdn, CN = CA Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (1024 bit) Modulus: 00:c3:bb:a9:64:25:c6:ab:73:59:66:05:e6:e9:3e: 69:6e:45:37:fa:6b:08:c3:89:ba:94:ff:34:c3:06: 64:02:06:1c:27:42:2d:cf:2d:26:75:d9:81:40:f2: fa:3b:0c:e2:a1:00:1c:ed:65:73:71:11:5d:3c:58: 58:2a:3c:1e:37:1a:12:68:85:80:de:0f:26:c0:c1: 7b:a4:29:2c:66:25:a6:f9:7a:4b:eb:ac:da:f8:b3: 31:31:58:23:5b:d8:87:75:64:e9:a4:6e:36:a4:1f: 06:52:b7:07:79:e2:16:8e:6b:7f:79:c5:5b:65:e7: 10:99:52:7e:2d:d0:af:36:bb Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: FB:C8:7A:FA:ED:91:C1:60:0A:54:A4:22:F4:6D:BC:9C:47:DE:76:AF X509v3 Authority Key Identifier: keyid:FB:C8:7A:FA:ED:91:C1:60:0A:54:A4:22:F4:6D:BC:9C:47:DE:76:AF X509v3 Basic Constraints: critical CA:TRUE Signature Algorithm: sha256WithRSAEncryption 0c:4c:be:50:27:dc:fe:b8:dc:cf:f6:9f:85:26:ec:25:34:d6: 3f:54:32:a7:16:78:11:ff:28:4a:c9:43:db:22:c0:ff:8f:fb: 54:1f:ab:8c:3d:a4:21:bc:a7:ea:88:32:c9:31:16:49:96:86: 7a:b2:c3:cf:50:25:ee:bd:dd:61:00:97:88:86:10:4a:93:e0: 16:eb:ce:89:77:c3:f0:fc:4e:73:9f:7f:82:fa:76:52:1f:4d: a7:a7:5c:fe:f6:b5:5a:a5:4b:2d:19:e1:80:b8:63:02:b2:2f: 83:5b:1b:8d:6a:9e:93:3e:70:9b:bc:4d:bd:24:ae:ed:f6:52: 2b:65
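- The certificate file's extension can be changed to .cer or .der and the file copied to a Windows system, where double-clicking it displays the certificate contents.
- Issue an ordinary certificate with the CA certificate
- Generate an RSA private key
- openssl genrsa -out server.key 1024
- Generate a certificate signing request file
- openssl req -new -key server.key -out server.csr
- Sign an ordinary certificate with the CA certificate
- openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt -days 365
- At this point we have successfully built a digital certificate, server.crt, issued by the mock CA
- View the certificate contents with the following command
- openssl x509 -noout -text -in server.crt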
-
Certificate: Data: Version: 1 (0x0) Serial Number: 1 (0x1) Signature Algorithm: sha256WithRSAEncryption Issuer: C = CH, ST = ShanXi, L = XiAn, O = csdn, OU = csdn, CN = CA Validity Not Before: Jan 1 11:40:40 2022 GMT Not After : Jan 1 11:40:40 2023 GMT Subject: C = CH, ST = ShanXi, L = Xian, O = dacaoyuan, OU = dacaoyuan, CN = xll Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (1024 bit) Modulus: 00:c2:82:90:cd:dc:77:3a:10:d0:50:f0:f5:71:f3: bc:30:df:02:42:4d:21:cb:34:f1:7e:ca:c8:de:ed: 3e:49:36:3f:98:48:05:7f:3a:73:22:89:91:53:76: c1:3b:5f:48:a6:03:7c:15:04:01:16:ab:26:7e:3f: 17:a4:74:90:12:d2:3f:e0:84:d4:0b:d2:f0:3c:8e: a9:4c:e3:f4:74:1d:c0:71:3e:8b:85:4b:66:8f:bb: 1c:61:2e:40:2d:e8:05:ec:1f:ea:8d:d7:66:3a:2d: 83:5d:5a:69:1a:e7:69:9f:01:2a:a6:98:e3:53:eb: ef:19:33:df:33:9e:67:a6:df Exponent: 65537 (0x10001) Signature Algorithm: sha256WithRSAEncryption 71:c0:e7:13:63:2a:b7:44:15:d8:a2:7c:15:82:21:70:74:ae: 1f:93:24:d5:a1:6c:eb:ac:32:ed:ea:aa:d2:64:f4:5b:59:7f: 85:1f:1e:9f:a3:d9:b7:9d:80:80:44:5b:4b:fa:f3:b4:ae:ff: 11:c0:23:20:e2:60:58:c3:ba:d8:36:b7:6a:7d:97:f1:2b:50: 45:4d:c9:20:1b:01:34:88:5e:be:5c:ce:54:66:1f:72:e7:a9: 1b:96:41:48:14:f7:e1:2b:89:93:45:e3:a5:7a:5d:f1:43:d7: 8b:d5:90:07:d6:20:3b:bb:47:ff:92:20:36:8d:5e:16:89:17: e8:12
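- Comparing the CA certificate with the ordinary certificate shows that the CA certificate's issuer and subject are both the CA, whereas the ordinary certificate's issuer is the CA and its subject is the certificate holder itself.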
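The whole CA-and-server flow above, scripted non-interactively, as an added example that is not part of the original article: it then checks the issuer/subject relationship just described and verifies server.crt against ca.crt. The -subj names, the scratch directory and the helpers name_of and chain_ok are assumptions of this example, and it uses 2048-bit keys as in the RSA section rather than 1024.

```shell
#!/bin/sh
set -e
WORK=$(mktemp -d)              # scratch directory for the constructed demo PKI
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. CA private key and self-signed CA certificate.
#    -subj supplies the DN without prompting; all names are constructed.
openssl genrsa -out ca.key 2048 2>/dev/null
openssl req -new -x509 -key ca.key -out ca.crt -days 365 \
    -subj "/C=CN/O=Demo Org/CN=Demo CA"

# 2. Server private key and certificate signing request.
openssl genrsa -out server.key 2048 2>/dev/null
openssl req -new -key server.key -out server.csr \
    -subj "/C=CN/O=Demo Org/CN=server.example.test"

# 3. The CA signs the request, as in the x509 -req command above.
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
    -set_serial 01 -out server.crt -days 365 2>/dev/null

# name_of issuer|subject FILE: print that DN (RFC 2253 form, label stripped).
name_of() {
    openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2" | sed 's/^[a-z]*= *//'
}

# chain_ok CERT: exit 0 when CERT verifies with ca.crt as the trust anchor.
chain_ok() {
    openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1
}

for f in ca.crt server.crt; do
    printf '%s\n  issuer : %s\n  subject: %s\n' \
        "$f" "$(name_of issuer "$f")" "$(name_of subject "$f")"
done
if chain_ok server.crt; then echo "server.crt verifies against ca.crt"; fi
```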