SSL/TLS In Depth: Basic Use of OpenSSL

Digest algorithms

[[email protected] ~]# openssl dgst -help       # the default digest is sha256
Usage: dgst [options] [file...]
  file... files to digest (default is stdin)
 -help               Display this summary
 -c                  Print the digest with separating colons
 -r                  Print the digest in coreutils format
 -out outfile        Output to filename rather than stdout
 -passin val         Input file pass phrase source
 -sign val           Sign digest using private key      # sign with an RSA, DSA or ECDSA private key
 -verify val         Verify a signature using public key   # verify a signature with the public key
 -prverify val       Verify a signature using private key
 -signature infile   File with signature to verify    # signature file (used together with -verify)
 -keyform format     Key file format (PEM or ENGINE)
 -hex                Print as hex dump   # hexadecimal output; -hex is the default
 -binary             Print in binary form
 -d                  Print debug info
 -debug              Print debug info
 -fips-fingerprint   Compute HMAC with the key used in OpenSSL-FIPS fingerprint
 -hmac val           Create hashed MAC with key
 -mac val            Create MAC (not necessarily HMAC)
 -sigopt val         Signature parameter in n:v form
 -macopt val         MAC algorithm parameters in n:v form or key
 -*                  Any supported digest
 -rand val           Load the file(s) into the random number generator
 -writerand outfile  Write random data to the specified file
 -engine val         Use engine e, possibly a hardware device

[[email protected] ~]# echo 'redhat' | openssl dgst -md5
(stdin)= bdb52aae3b5566607f3e6023ef2e74e5
[[email protected] ~]# echo 'redhat' | openssl dgst -sha256
(stdin)= 75fa176aecdc7a1b6b53778b38eac87c7152d5c916a755cb56071a93c01e040d
[[email protected] ~]# echo 'redhat' | openssl dgst -sha512
(stdin)= 20641bd9d93708c844f59bf5f5d5bfb16fd5c3cece84127f56072579f778e6aca04ca7985eb4a7f555bd9532115205884d11fc5323534618da7596c300b4666d
[[email protected] ~]# echo 'Redhat' | openssl dgst -md5
(stdin)= a2025805f5419fba99ba023354149090
[[email protected] ~]# echo 'Redhat' | openssl dgst -sha256
(stdin)= e06c5bb14a7e3b1bd58a4ff61a4cbe2c4fc61c172bdff7899be50adf2b4d3563
[[email protected] ~]# echo 'Redhat' | openssl dgst -sha512
(stdin)= 3005c755cba891b42c96ad7ab382f0fac402055b11cdedba7bcbdb33a7b47f55e1774ae25ec14874559c6b01691988b6f587f48c3be3fc7339a084ef51735df9

Symmetric encryption

[[email protected] ~]# openssl enc -help
Usage: enc [options]
Valid options are:
 -help               Display this summary
 -ciphers            List ciphers
 -in infile          Input file
 -out outfile        Output file
 -pass val           Passphrase source
 -e                  Encrypt
 -d                  Decrypt
 -p                  Print the iv/key
 -P                  Print the iv/key and exit
 -v                  Verbose output
 -nopad              Disable standard block padding
 -salt               Use salt in the KDF (default)
 -nosalt             Do not use salt in the KDF
 -debug              Print debug info
 -a                  Base64 encode/decode, depending on encryption flag
 -base64             Same as option -a
 -A                  Used with -[base64|a] to specify base64 buffer as a single line
 -bufsize val        Buffer size
 -k val              Passphrase
 -kfile infile       Read passphrase from file
 -K val              Raw key, in hex
 -S val              Salt, in hex
 -iv val             IV in hex
 -md val             Use specified digest to create a key from the passphrase
 -iter +int          Specify the iteration count and force use of PBKDF2
 -pbkdf2             Use password-based key derivation function 2
 -none               Don't encrypt
 -*                  Any supported cipher
 -rand val           Load the file(s) into the random number generator
 -writerand outfile  Write random data to the specified file
 -z                  Use zlib as the 'encryption'
 -engine val         Use engine, possibly a hardware device

[[email protected] ~]# openssl enc -ciphers
Supported ciphers:
-aes-128-cbc               -aes-128-cfb               -aes-128-cfb1
-aes-128-cfb8              -aes-128-ctr               -aes-128-ecb
-aes-128-ofb               -aes-192-cbc               -aes-192-cfb
-aes-192-cfb1              -aes-192-cfb8              -aes-192-ctr
-aes-192-ecb               -aes-192-ofb               -aes-256-cbc
-aes-256-cfb               -aes-256-cfb1              -aes-256-cfb8
-aes-256-ctr               -aes-256-ecb               -aes-256-ofb
-aes128                    -aes128-wrap               -aes192
-aes192-wrap               -aes256                    -aes256-wrap
-aria-128-cbc              -aria-128-cfb              -aria-128-cfb1
-aria-128-cfb8             -aria-128-ctr              -aria-128-ecb
-aria-128-ofb              -aria-192-cbc              -aria-192-cfb
-aria-192-cfb1             -aria-192-cfb8             -aria-192-ctr
-aria-192-ecb              -aria-192-ofb              -aria-256-cbc
-aria-256-cfb              -aria-256-cfb1             -aria-256-cfb8
-aria-256-ctr              -aria-256-ecb              -aria-256-ofb
-aria128                   -aria192                   -aria256
-bf                        -bf-cbc                    -bf-cfb
-bf-ecb                    -bf-ofb                    -blowfish
-camellia-128-cbc          -camellia-128-cfb          -camellia-128-cfb1
-camellia-128-cfb8         -camellia-128-ctr          -camellia-128-ecb
-camellia-128-ofb          -camellia-192-cbc          -camellia-192-cfb
-camellia-192-cfb1         -camellia-192-cfb8         -camellia-192-ctr
-camellia-192-ecb          -camellia-192-ofb          -camellia-256-cbc
-camellia-256-cfb          -camellia-256-cfb1         -camellia-256-cfb8
-camellia-256-ctr          -camellia-256-ecb          -camellia-256-ofb
-camellia128               -camellia192               -camellia256
-cast                      -cast-cbc                  -cast5-cbc
-cast5-cfb                 -cast5-ecb                 -cast5-ofb
-chacha20                  -des                       -des-cbc
-des-cfb                   -des-cfb1                  -des-cfb8
-des-ecb                   -des-ede                   -des-ede-cbc
-des-ede-cfb               -des-ede-ecb               -des-ede-ofb
-des-ede3                  -des-ede3-cbc              -des-ede3-cfb
-des-ede3-cfb1             -des-ede3-cfb8             -des-ede3-ecb
-des-ede3-ofb              -des-ofb                   -des3
-des3-wrap                 -desx                      -desx-cbc
-id-aes128-wrap            -id-aes128-wrap-pad        -id-aes192-wrap
-id-aes192-wrap-pad        -id-aes256-wrap            -id-aes256-wrap-pad
-id-smime-alg-CMS3DESwrap  -idea                      -idea-cbc
-idea-cfb                  -idea-ecb                  -idea-ofb
-rc2                       -rc2-128                   -rc2-40
-rc2-40-cbc                -rc2-64                    -rc2-64-cbc
-rc2-cbc                   -rc2-cfb                   -rc2-ecb
-rc2-ofb                   -rc4                       -rc4-40
-seed                      -seed-cbc                  -seed-cfb
-seed-ecb                  -seed-ofb                  -sm4
-sm4-cbc                   -sm4-cfb                   -sm4-ctr
-sm4-ecb                   -sm4-ofb 
[[email protected] ~]# cat test
0123456789
alnkldljkdldjslflslsls
ldljfdsnjldsjlffsdlfj
fldfjdsfflsdfjsdljflsdfjl
jlfjldsfjjodsfjwej2o99ojkl
[[email protected] ~]# openssl enc -e -aes128 -a -k 123456789 -in test -out test_enc -pbkdf2
[[email protected] ~]# cat test_enc
U2FsdGVkX1/Y3xaAkBV42ZQXSrMuasKjq9jYRonHmE3YXv5qcv7rzxOpNxX09DrR
JmBbjzGF6dMmLBfaPIfm6x0ajzHzBojlfRM4Ulq+KUximcCe8X7+sm00ldtvVe21
KnTP85W/vFtmIR0cgARVhrWf94sboXm+ubIV+Qo1jK0=
[[email protected] ~]# openssl enc -d -aes128 -a -k 123456789 -in test_enc -out test_des -pbkdf2   # decrypt; the KDF option must match the one used to encrypt
[[email protected] ~]# openssl enc -e -aes128 -a -pass pass:123456789 -in test -out test_enc1 -pbkdf2
[[email protected] ~]# openssl enc -d -aes128 -a -pass pass:123456789 -in test_enc1 -out test_des1 -pbkdf2
[[email protected] ~]# openssl enc -e -aes128 -a -pass pass:123456789 -in test -out test_enc1 -p
salt=3834AB80CB0D45C9
key=25E62D924ACE8BD4F8CC4429CCD54875
iv =072829CEACAD01641D63EAEF58723C01
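# -pass pass:123456      equivalent to -k
# -pass file:passwd.txt  equivalent to -kfile
# -pass env:passwd       read the passphrase from an environment variable (env = environment variable)
# -pass stdin            read from standard input; standard input is used by default
# -pass fd:1             read from a file descriptor (fd = file descriptor)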
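
What `openssl enc` actually stores, and why the decrypt flags have to repeat the encrypt flags, as an added example that is not part of the original article. The passphrase, file names and function names are constructed for the demo; the passphrase is passed with `-pass env:` so it does not appear in the process list. The `U2FsdGVkX1` prefix of `test_enc` above is the Base64 form of the `Salted__` magic this script reads in binary.

```sh
#!/bin/sh
# Added example, not from the original article.
# Constructed demo passphrase, handed to openssl through the environment.
DEMO_PASS='constructed-demo-passphrase'; export DEMO_PASS

# enc_run MODE SRC DST [KDF flags...]: MODE is -e or -d.
# -aes-128-cbc is the cipher that the -aes128 alias in the article selects.
enc_run() {
    mode=$1; src=$2; dst=$3; shift 3
    openssl enc "$mode" -aes-128-cbc "$@" -pass env:DEMO_PASS \
        -in "$src" -out "$dst" 2>/dev/null
}

# header_magic FILE: first 8 bytes, "Salted__" when a salt was used
header_magic() { head -c 8 "$1"; }

# salt_hex FILE: bytes 9..16 of the file, the random salt, as hex
salt_hex() { od -An -tx1 -j8 -N8 "$1" | tr -d ' \n'; }

# recovers PLAIN ENC [KDF flags...]: true only if decrypting ENC with these
# flags reproduces PLAIN. The exit status alone is not enough: a wrong key is
# only noticed through the CBC padding check, which garbage can pass by chance.
recovers() {
    plain=$1; encf=$2; shift 2
    enc_run -d "$encf" "$encf.out" "$@" && cmp -s "$plain" "$encf.out"
}

demo() {
    dir=$(mktemp -d) || return 1
    printf '0123456789\n' > "$dir/plain"          # constructed sample input
    enc_run -e "$dir/plain" "$dir/enc" -pbkdf2 -iter 100000
    echo "magic=$(header_magic "$dir/enc") salt=$(salt_hex "$dir/enc")"
    # The file records only the salt. Cipher, KDF and iteration count are not
    # stored, so every one of them must be supplied again when decrypting.
    for flags in "-pbkdf2 -iter 100000" "-pbkdf2" ""; do
        # $flags is deliberately unquoted so it splits into separate options
        if recovers "$dir/plain" "$dir/enc" $flags; then
            echo "decrypt with [$flags]: plaintext recovered"
        else
            echo "decrypt with [$flags]: wrong key derived"
        fi
    done
    rm -rf "$dir"
}

demo
```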

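RSA asymmetric encryption

  1. Generate a private key

    Use genrsa to generate the private key
    -aes256 encrypts the private key with AES-256
    -passout gives the passphrase used for that encryption
    -out names the output file
    2048 is the length of the private key in bits and goes last on the command line. Older versions default to 1024 bits
    There is also the DER format. The generated private key is Base64 encoded; the PEM format uses Base64 encoding.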

[[email protected] ~]# mkdir rsa
[[email protected] ~]# cd rsa
[[email protected] rsa]# openssl genrsa -aes256 -passout pass:test123 -out test_rsa_aes_prikey 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
................................................+++++
......................+++++
e is 65537 (0x010001)                  # public exponent: e is the public exponent and is set to 65537 by default. This is a so-called short public exponent, which significantly improves RSA verification performance.

[[email protected] rsa]# cat test_rsa_aes_prikey
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,EE88B4C778CCBFE0ADCA542815FAD479

-----END RSA PRIVATE KEY-----
[[email protected] rsa]# openssl rsa -in test_rsa_aes_prikey
Enter pass phrase for test_rsa_aes_prikey:
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
[[email protected] rsa]# openssl rsa -pubout -in test_rsa_aes_prikey
Enter pass phrase for test_rsa_aes_prikey:
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAm4J/cx6HD/AUTkRum6fO
wsyuP6GO8iIhFemCZVXIPAMLq+I6RJI1rre4DQUe8JN0/WeLE/8V3v7SLSqY/hKp
heR62CnUn5VQuxk56sCPgBV0HfBgNnUjP30G57N5OREpRUvgkg13YXCFGxm+gBoI
fpcKgFsTvcx18GvXmorpwZjmjuf+dSftwYeyJ2Ylk8uAWvJFQziN6WBjhiPnIHau
UxAvSKPWvvZYocxKh2FALLKoop2+G7NWP4NuvQw+bo1vgJwxWJUgUx3v2amvMNs1
iOqYU496RFLHygCjUQ+zEblCbrwod4RNUNpA4ApTXyVd/o11x2tf6b4DferPAM6d
NwIDAQAB
-----END PUBLIC KEY-----
[[email protected] rsa]# openssl rsa --help
Usage: rsa [options]
Valid options are:
 -help              Display this summary
 -inform format     Input format, one of DER NET PEM
 -outform format    Output format, one of DER NET PEM PVK
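 -in val            Input file    # input file; by default -in is expected to name a private key
 -out outfile       Output file   # output file
 -pubin             Expect a public key in input file  # read a public key, for when -in names a public key; by default -in names a private key
 -pubout            Output a public key # output the public key, derived from the private key
 -passout val       Output file pass phrase source  # private key passphrase; used to turn an unencrypted private key into an encrypted one
 -passin val        Input file pass phrase source # the passphrase set when the private key was generated; used to decrypt an encrypted private key
 -RSAPublicKey_in   Input is an RSAPublicKey
 -RSAPublicKey_out  Output is an RSAPublicKey
 -noout             Don't print key out    # do not output the private (or public) key itself
 -text              Print the key in text  # display the key in text form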
 -modulus           Print the RSA key modulus
 -check             Verify key consistency
 -*                 Any supported cipher
 -pvk-strong        Enable 'Strong' PVK encoding level (default)
 -pvk-weak          Enable 'Weak' PVK encoding level
 -pvk-none          Don't enforce PVK encoding
 -engine val        Use engine, possibly a hardware device

 [[email protected] rsa]# openssl rsa -in test_rsa_aes_prikey  -passout pass:test123 -out enc_rsa_2048_prikey
Enter pass phrase for test_rsa_aes_prikey:
writing RSA key
[[email protected] rsa]# openssl rsa -pubout -in enc_rsa_2048_prikey
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAm4J/cx6HD/AUTkRum6fO
wsyuP6GO8iIhFemCZVXIPAMLq+I6RJI1rre4DQUe8JN0/WeLE/8V3v7SLSqY/hKp
heR62CnUn5VQuxk56sCPgBV0HfBgNnUjP30G57N5OREpRUvgkg13YXCFGxm+gBoI
fpcKgFsTvcx18GvXmorpwZjmjuf+dSftwYeyJ2Ylk8uAWvJFQziN6WBjhiPnIHau
UxAvSKPWvvZYocxKh2FALLKoop2+G7NWP4NuvQw+bo1vgJwxWJUgUx3v2amvMNs1
iOqYU496RFLHygCjUQ+zEblCbrwod4RNUNpA4ApTXyVd/o11x2tf6b4DferPAM6d
NwIDAQAB
-----END PUBLIC KEY-----
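[[email protected] rsa]# openssl rsa -in test_rsa_aes_prikey  -aes128 -passout pass:test123 -out enc_rsa_2048_prikey

# Whether the private key is encrypted can be changed after it has been generated
  2. Format conversion
# The default format is PEM; convert it to DER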
[[email protected] rsa]# openssl rsa -in test_rsa_aes_prikey -outform der -out 2048prikey.der
Enter pass phrase for test_rsa_aes_prikey:
writing RSA key

# Convert the DER format back to PEM
[[email protected] rsa]# openssl rsa -in 2048prikey.der -inform der -outform pem -out 2048prikey.pem
writing RSA key

# Convert to PKCS#8; the default format is PEM
[[email protected] rsa]# openssl pkcs8 -topk8 -inform pem -in test_rsa_aes_prikey -outform pem -nocrypt
Enter pass phrase for test_rsa_aes_prikey:

3. Encrypting and decrypting with the public and private keys

[[email protected] rsa]# openssl rsautl -help
Usage: rsautl [options]
Valid options are:
 -help                    Display this summary
 -in infile               Input file  # input file (the file to encrypt or decrypt)
 -out outfile             Output file # output file, the result of encryption or decryption
 -inkey val               Input key  # key input
 -keyform PEM|DER|ENGINE  Private key format - default PEM     # private key format
 -pubin                   Input is an RSA public   # the input is a public key (the default is a private key)
 -certin                  Input is a cert carrying an RSA public key  # use a certificate (the public key is read from it)
 -ssl                     Use SSL v2 padding
 -raw                     Use no padding  # no padding; the file to encrypt must be exactly 117 or 245 bytes
 -pkcs                    Use PKCS#1 v1.5 padding (default)
 -oaep                    Use PKCS#1 OAEP
 -sign                    Sign with private key # sign with the private key
 -verify                  Verify with public key # verify the signature with the public key
 -asn1parse               Run output through asn1parse; useful with -verify
 -hexdump                 Hex dump output  # output in hexadecimal
 -x931                    Use ANSI X9.31 padding
 -rev                     Reverse the order of the input buffer
 -encrypt                 Encrypt with public key # encrypt with the public key
 -decrypt                 Decrypt with private key  # decrypt with the private key
 -passin val              Input file pass phrase source  # the passphrase of the input file itself
 -rand val                Load the file(s) into the random number generator
 -writerand outfile       Write random data to the specified file
 -engine val              Use engine, possibly a hardware device

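Encrypting a file with the public key: the size of the file that can be encrypted depends on the size of the public key. A 2048-bit public key can encrypt 2048 / 8 - 11 = 245 bytes of plaintext, while a 1024-bit key can encrypt 1024 / 8 - 11 = 117 bytes of plaintext. The 11 bytes are the metadata of the padding. The encrypted file has the same length as the key. If the file to encrypt is small, padding is used to reach 2048 or 1024 bits.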
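
The size limit described above can be measured rather than computed. This is an added example, not code from the original article: it uses `openssl pkeyutl` instead of `rsautl`, and goes beyond the text by also measuring OAEP (with OpenSSL's default SHA-1 OAEP digest, 42 bytes of overhead). Function names and temporary files are assumptions of the sketch.

```sh
#!/bin/sh
# Added example, not from the original article. All files live in a temp dir.

# new_rsa_key BITS DIR: write DIR/key.pem and DIR/pub.pem
new_rsa_key() {
    openssl genrsa -out "$2/key.pem" "$1" 2>/dev/null &&
    openssl rsa -in "$2/key.pem" -pubout -out "$2/pub.pem" 2>/dev/null
}

# try_encrypt DIR LEN PADMODE: encrypt LEN constructed zero bytes with the
# public key; fails when LEN does not fit under the chosen padding
try_encrypt() {
    head -c "$2" /dev/zero > "$1/plain"
    openssl pkeyutl -encrypt -pubin -inkey "$1/pub.pem" \
        -pkeyopt rsa_padding_mode:"$3" \
        -in "$1/plain" -out "$1/cipher" 2>/dev/null
}

# max_plain DIR BITS PADMODE: print the largest plaintext length accepted,
# found by walking down from the modulus size in bytes
max_plain() {
    len=$(( $2 / 8 ))
    while [ "$len" -gt 0 ]; do
        if try_encrypt "$1" "$len" "$3"; then echo "$len"; return 0; fi
        len=$(( len - 1 ))
    done
    return 1
}

# cipher_size DIR: size in bytes of the last ciphertext written
cipher_size() { wc -c < "$1/cipher" | tr -d ' '; }

# roundtrip_ok DIR PADMODE: decrypt the last ciphertext with the private key
# and compare the result with the plaintext that produced it
roundtrip_ok() {
    openssl pkeyutl -decrypt -inkey "$1/key.pem" \
        -pkeyopt rsa_padding_mode:"$2" \
        -in "$1/cipher" -out "$1/back" 2>/dev/null &&
    cmp -s "$1/plain" "$1/back"
}

demo() {
    for bits in 1024 2048; do
        dir=$(mktemp -d) || return 1
        new_rsa_key "$bits" "$dir" || { rm -rf "$dir"; return 1; }
        pkcs=$(max_plain "$dir" "$bits" pkcs1)
        size=$(cipher_size "$dir")
        oaep=$(max_plain "$dir" "$bits" oaep)
        echo "$bits-bit key: PKCS#1 v1.5 max $pkcs bytes, OAEP max $oaep bytes, ciphertext $size bytes"
        rm -rf "$dir"
    done
}

demo
```

Anything larger than these limits is normally encrypted with a symmetric cipher, and only the symmetric key is encrypted with RSA.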

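4. ECDSA

To generate an ECDSA private key you cannot set a key size in bits; you choose an elliptic curve instead (-name).
Choosing the curve also chooses the size: secp256k1 (prime256v1) generates a 256-bit ECDSA key. OpenSSL has many curves to choose from, and the -list_curves option lists all of them, but most web servers only support prime256v1 and secp384r1. A 256-bit key is good in both security and efficiency and is a balanced choice.

  • Generate an ECDSA private key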
[[email protected] rsa]# openssl ecparam -genkey -name secp256k1 -out ecprikey.pem
[[email protected] rsa]# ll ecprikey.pem
-rw-------. 1 root root 294 10月 24 10:55 ecprikey.pem
[[email protected] rsa]# openssl ecparam -in ecprikey.pem -text
ASN1 OID: secp256k1
-----BEGIN EC PARAMETERS-----
BgUrgQQACg==
-----END EC PARAMETERS-----
# View the ECDSA private key and public key
[[email protected] rsa]# openssl ec -in ecprikey.pem -text
read EC key
Private-Key: (256 bit)
priv:
    82:40:8c:42:88:34:7e:11:f1:da:0c:e5:db:3b:c2:
    5c:6b:54:75:04:56:de:be:13:9f:44:42:d4:4f:bd:
    78:60
pub:
    04:ee:fa:a7:ab:dd:96:e6:9a:cc:af:32:54:92:65:
    2a:57:f1:d5:7e:30:7a:f0:b8:ce:de:84:e5:1a:d9:
    b8:5f:40:93:4c:55:98:3a:ea:9b:3b:b7:48:ac:26:
    e3:23:5a:68:89:c4:dc:df:f8:40:d0:a1:10:09:a0:
    58:35:22:33:f5
ASN1 OID: secp256k1
writing EC key
-----BEGIN EC PRIVATE KEY-----
MHQCAQEEIIJAjEKINH4R8doM5ds7wlxrVHUEVt6+E59EQtRPvXhgoAcGBSuBBAAK
oUQDQgAE7vqnq92W5prMrzJUkmUqV/HVfjB68LjO3oTlGtm4X0CTTFWYOuqbO7dI
rCbjI1poicTc3/hA0KEQCaBYNSIz9Q==
-----END EC PRIVATE KEY-----
# Extract the public key
[[email protected] rsa]# openssl ec -in ecprikey.pem -pubout -out ecpubkey.pem
read EC key
writing EC key
[[email protected] rsa]# cat ecpubkey.pem
-----BEGIN PUBLIC KEY-----
MFYwEAYHKoZIzj0CAQYFK4EEAAoDQgAE7vqnq92W5prMrzJUkmUqV/HVfjB68LjO
3oTlGtm4X0CTTFWYOuqbO7dIrCbjI1poicTc3/hA0KEQCaBYNSIz9Q==
-----END PUBLIC KEY-----



5. Digital signatures

[[email protected] rsa]# cat test
dflslsdfjljlasjlsaf
jdsljlsadfljlsdfjljlsdjlsadfl
kldkjfjjflsadjljlsdfjl
12jlk2309933l990kjldsjs
jdljldsljfdljdslfjlsdjlf
lsldjjlsdfjljlsdjdsjkkldjfjkldsjllfdsjlsadjljlkds
[[email protected] rsa]# openssl dgst -sign 2048prikey.pem -sha256 -out sha256_rsa_sign.test test
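
The signing command above has a verification counterpart in the `-verify` and `-signature` options from the `dgst` help. The following added example (not part of the original article) runs the full round trip for an RSA key and a prime256v1 ECDSA key, checks that a modified file is rejected, and shows that RSA PKCS#1 v1.5 signatures are deterministic while ECDSA signatures differ on every run. Keys, message and file names are constructed.

```sh
#!/bin/sh
# Added example, not from the original article. All files live in a temp dir.

# make_keys DIR: one RSA-2048 key pair and one prime256v1 key pair
make_keys() {
    openssl genrsa -out "$1/rsa.pem" 2048 2>/dev/null &&
    openssl rsa -in "$1/rsa.pem" -pubout -out "$1/rsa.pub" 2>/dev/null &&
    openssl ecparam -genkey -name prime256v1 -noout -out "$1/ec.pem" &&
    openssl ec -in "$1/ec.pem" -pubout -out "$1/ec.pub" 2>/dev/null
}

# sign_file KEY FILE SIG: sign the SHA-256 digest of FILE with private KEY
sign_file() {
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# verify_file PUB FILE SIG: exit status 0 only if SIG matches FILE under PUB
verify_file() {
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# sig_size SIG: signature length in bytes
sig_size() { wc -c < "$1" | tr -d ' '; }

demo() {
    dir=$(mktemp -d) || return 1
    make_keys "$dir" || { rm -rf "$dir"; return 1; }
    printf 'constructed sample message\n' > "$dir/msg"
    # the same text with one character changed
    sed 's/sample/Sample/' "$dir/msg" > "$dir/tampered"
    for alg in rsa ec; do
        sign_file "$dir/$alg.pem" "$dir/msg" "$dir/$alg.sig"
        sign_file "$dir/$alg.pem" "$dir/msg" "$dir/$alg.sig2"
        verify_file "$dir/$alg.pub" "$dir/msg" "$dir/$alg.sig" &&
            echo "$alg: signature verifies ($(sig_size "$dir/$alg.sig") bytes)"
        verify_file "$dir/$alg.pub" "$dir/tampered" "$dir/$alg.sig" ||
            echo "$alg: modified file rejected"
        # RSA PKCS#1 v1.5 is deterministic; ECDSA uses a fresh nonce each time
        if cmp -s "$dir/$alg.sig" "$dir/$alg.sig2"; then
            echo "$alg: signing twice gives identical bytes"
        else
            echo "$alg: signing twice gives different bytes, both valid"
        fi
    done
    # a signature verifies only under the public key of the signing key
    verify_file "$dir/ec.pub" "$dir/msg" "$dir/rsa.sig" ||
        echo "rsa signature rejected under the ec public key"
    rm -rf "$dir"
}

demo
```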

6. Some other commands

[[email protected] rsa]# openssl speed sha1
Doing sha1 for 3s on 16 size blocks: 18537221 sha1's in 2.99s
Doing sha1 for 3s on 64 size blocks: 13406053 sha1's in 3.00s
Doing sha1 for 3s on 256 size blocks: 6720935 sha1's in 2.99s
Doing sha1 for 3s on 1024 size blocks: 2231335 sha1's in 3.00s
Doing sha1 for 3s on 8192 size blocks: 310411 sha1's in 2.99s
Doing sha1 for 3s on 16384 size blocks: 159209 sha1's in 3.00s
OpenSSL 1.1.1  11 Sep 2018
built on: Sat Oct 20 07:24:19 2018 UTC
options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DNDEBUG
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
sha1             99195.83k   285995.80k   575437.91k   761629.01k   850463.85k   869493.42k
[[email protected] rsa]# openssl speed sha256
Doing sha256 for 3s on 16 size blocks: 13126781 sha256's in 2.99s
Doing sha256 for 3s on 64 size blocks: 7492471 sha256's in 3.00s
Doing sha256 for 3s on 256 size blocks: 3480299 sha256's in 2.99s
Doing sha256 for 3s on 1024 size blocks: 1063047 sha256's in 3.00s
Doing sha256 for 3s on 8192 size blocks: 146308 sha256's in 2.99s
Doing sha256 for 3s on 16384 size blocks: 73537 sha256's in 3.00s
OpenSSL 1.1.1  11 Sep 2018
built on: Sat Oct 20 07:24:19 2018 UTC
options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DNDEBUG
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
sha256           70243.64k   159839.38k   297978.78k   362853.38k   400854.56k   401610.07k
[[email protected] rsa]# openssl rand -hex 16
882b85d660d91c5e85cb5b6ea05ca67c
[[email protected] rsa]# openssl rand -base64 16
lGtlf+yGA0EDF85sAl8XEA==
[[email protected] rsa]# openssl rand -hex -out rand.txt 32
[[email protected] rsa]# cat rand.txt
6ae37cf3b7850b9532e153888ab38bd3ca985360ccc4b977d4c07fbeb5d7f49d

Original article: http://blog.51cto.com/stuart/2310547

Time: 2024-11-01 10:55:01
