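Common encryption and decryption programs on Linux
1.ssh-keygen
SSH public key authentication is one of SSH's authentication methods. It enables passwordless SSH login, and Git over SSH also authenticates with public keys.
Under the user's home directory there is a .ssh directory; almost all files related to the current user's SSH configuration and authentication live there.
ssh-keygen generates the public and private key files needed for SSH public key authentication.
Before using ssh-keygen, change into ~/.ssh, creating it first if it does not exist. Also make sure the permissions on ~/.ssh and all of its parent directories are no greater than 711.
Generated file names and location
ssh-keygen creates two files under ~/.ssh/. When neither a file name nor a key type is specified, the two default files are:
- id_rsa: the private key file
- id_rsa.pub: the public key file
Assume there are two machines
Machine IP | Description |
---|---|
192.168.41.131 | Host that logs in remotely |
192.168.41.132 | Host being logged in to |
Generate the public/private key pair on 131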
[root@localhost ~]# ssh-keygen -t RSA
Generating public/private RSA key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):   # save location /root/.ssh, file name id_rsa
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):   # enter a passphrase to protect the private key
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:rB/3anAA4ySHEcdJlR6PEQxokgbI8sdWJI4WuLq9W3U root@localhost.localdomain
The key's randomart image is:
+---[RSA 2048]----+
|+o..+O==oo |
|+.++=oO = |
|.+o+.* + = |
|... + ..+ . |
|. o . E. |
|. . o. . |
| o . . .o. |
|. .. . o.. |
| oo ..... |
+----[SHA256]-----+
View the public and private keys
[root@localhost ~]# cd .ssh
[root@localhost .ssh]# ll
总用量 8
-rw------- 1 root root 1679 2月 18 12:46 id_rsa
-rw-r--r-- 1 root root 408 2月 18 12:46 id_rsa.pub
[root@localhost .ssh]# more id_rsa
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
[root@localhost .ssh]# more id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDWGUg57q5qHQ2P7FkMDzVe4MmayNjuh4JPR+5RikagWIq5ehT379vTMqYf+NI0aYJhnjDQYp/AyxpYJXQ6hPgd20euQROhJ74cHb3Ex/EiVb5aGaovM1MMKSdRn21OalDnNsEYy0YFtOKNc+QbfkixHXTnaJ9kx3NR6r9BCOpBD8EN64PcpmXbt8EI0NJ/dNbxNXUH
SU+uyUoF5k7WzC+/YiHkY0wxFFggVakSJPbN1ZA1ahHPHiESedE8oYr3Ln++a18lwyfZcp89jGWrX0TJ70yutg18DiLz5Hq2lHPZSk93pE+Qgyf8z85Q0GUwQbQRZxDQQmJKCZMOrBTV3kwR root@localhost.localdomain
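Copy the public key to 132 and add it to the trusted list (that is, append 131's public key to /root/.ssh/authorized_keys on 132)
ssh-copy-id root@192.168.41.132 # asks for 132's password to confirm
# ssh-copy-id is equivalent to copying id_rsa.pub to 132 with scp and then appending it
# scp ~/.ssh/id_rsa.pub root@192.168.41.132:/root (run on 131)
# cat /root/id_rsa.pub >> ~/.ssh/authorized_keys (run on 132)
Try logging in to 41.132 from 131 (passwordless login)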
[root@localhost ~]# ssh 192.168.41.132
Last login: Mon Feb 18 12:56:17 2019 from 192.168.41.1
[root@localhost ~]# ip addr
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:3b:80:ec brd ff:ff:ff:ff:ff:ff
inet 192.168.41.132/24 brd 192.168.41.255 scope global noprefixroute dynamic ens33
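Key-based login fails when the permissions mentioned earlier are too loose, so the following added example (not part of the original post) audits them. The function names and the choice to pass the home directory as an argument are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit the file modes that
# decide whether key-based login works. HOME_DIR is the account's home.

# mode_of PATH -> the 10-character mode string from ls, e.g. drwx------
mode_of() { ls -ld "$1" | cut -c1-10; }

# audit_ssh_perms HOME_DIR -> prints each finding, returns 1 if there is any
audit_ssh_perms() {
    asp_home=$1
    asp_bad=0
    [ -d "$asp_home/.ssh" ] || { echo "missing: $asp_home/.ssh"; return 1; }

    # Home, .ssh and authorized_keys must not be writable by group or
    # others, or another account could plant its own public key there.
    for asp_p in "$asp_home" "$asp_home/.ssh" "$asp_home/.ssh/authorized_keys"; do
        [ -e "$asp_p" ] || continue
        case $(mode_of "$asp_p") in
            ?????w????|????????w?)
                echo "group/other writable: $asp_p"
                asp_bad=$((asp_bad + 1)) ;;
        esac
    done

    # Private keys must be accessible by the owner only; the ssh client
    # ignores a private key whose mode grants group or other any access.
    for asp_f in "$asp_home"/.ssh/*; do
        [ -f "$asp_f" ] || continue
        head -n 1 "$asp_f" | grep -q 'PRIVATE KEY-----' || continue
        case $(mode_of "$asp_f") in
            ????------) ;;
            *)  echo "private key too open: $asp_f"
                asp_bad=$((asp_bad + 1)) ;;
        esac
    done

    [ "$asp_bad" -eq 0 ]
}

# Run against a home directory given as the first argument, if any.
if [ "$#" -gt 0 ]; then
    audit_ssh_perms "$1"
fi
```

Run it on both machines: on 131 it checks the private key, on 132 it checks authorized_keys and the directories above it.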
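Adding our public key to GitHub also lets us log in to GitHub directly and work with remote repositories.
For details, see https://blog.csdn.net/liaomin416100569/article/details/78463851
2.openssl
OpenSSL's crypto library provides a rich set of symmetric encryption algorithms. They can be used through the symmetric-cipher commands OpenSSL provides, or by calling the OpenSSL API.
For the different algorithms, see: https://blog.csdn.net/liaomin416100569/article/details/75646029
Symmetric encryption
List all symmetric ciphers that openssl supports
openssl enc -help
Encrypt and decrypt a file with the DES algorithm using openssl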
[root@localhost enc]# openssl des-cbc -in a.txt -out a_des.txt -e -pass pass:123456
[root@localhost enc]# more a_des.txt
Salted__
[root@localhost enc]# openssl des-cbc -in a_des.txt -out a_t.txt -d -pass pass:123456
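The pass after -pass means the password is given as a string; other input methods can be specified.
There are five ways to supply the password: on the command line (pass), from a file (file), from an environment variable (env:var), from a file descriptor (fd), and from standard input (stdin). The default is standard input, that is, typed at the keyboard.
To use another symmetric cipher, use the enc command directly and specify the algorithm name, for example the DES algorithm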
openssl enc -des-cbc -in a.txt -out a_des.txt -pass pass:12345678
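A password given as pass:... is part of the command line, so it shows up in shell history and in the process list. The added example below (not part of the original post) uses the file, env and stdin sources instead; the file names, the ENC_PASS variable, the sample password and the switch to aes-256-cbc with -pbkdf2 (OpenSSL 1.1.1 or later) are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the original post): give openssl enc its password
# without putting it on the command line.

# encrypt IN OUT PASSFILE: the password is the first line of PASSFILE.
encrypt() {
    openssl enc -aes-256-cbc -pbkdf2 -salt -in "$1" -out "$2" -pass "file:$3"
}

# decrypt_env IN OUT PASSWORD: ENC_PASS is set only in the environment of
# the openssl process, not exported into the calling shell.
decrypt_env() {
    ENC_PASS=$3 openssl enc -d -aes-256-cbc -pbkdf2 \
        -in "$1" -out "$2" -pass env:ENC_PASS 2>/dev/null
}

# decrypt_stdin IN OUT PASSWORD: printf is a shell builtin, so the password
# goes down the pipe and never appears in an argument list.
decrypt_stdin() {
    printf '%s\n' "$3" | openssl enc -d -aes-256-cbc -pbkdf2 \
        -in "$1" -out "$2" -pass stdin 2>/dev/null
}

# roundtrip_ok PASSWORD: encrypt with a mode-0600 password file, decrypt
# through env and stdin using PASSWORD, and return 0 only if both outputs
# equal the plaintext. enc has no integrity check beyond the CBC padding,
# so the comparison, not the exit code alone, is what proves the result.
roundtrip_ok() {
    rt_work=$(mktemp -d) || return 1
    ( umask 077; printf '%s\n' 'correct horse battery staple' > "$rt_work/pass" )
    printf 'hello\n' > "$rt_work/a.txt"          # constructed sample plaintext
    encrypt "$rt_work/a.txt" "$rt_work/a.enc" "$rt_work/pass" &&
    decrypt_env "$rt_work/a.enc" "$rt_work/a.env" "$1" &&
    decrypt_stdin "$rt_work/a.enc" "$rt_work/a.stdin" "$1" &&
    cmp -s "$rt_work/a.txt" "$rt_work/a.env" &&
    cmp -s "$rt_work/a.txt" "$rt_work/a.stdin"
    rt_rc=$?
    rm -rf "$rt_work"
    return "$rt_rc"
}

roundtrip_ok 'correct horse battery staple' && echo "round trip OK"
```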
Base64 encoding and decoding
[root@localhost enc]# openssl base64 -in a.txt -out a_base.txt -e
[root@localhost enc]# more a_base.txt
aGVsbG8K
[root@localhost enc]# openssl base64 -in a_base.txt -out a_1.txt -d
[root@localhost enc]# more a_1.txt
hello
Asymmetric encryption algorithms
Key pair handling
Generate a key pair and print it
[root@swarm01 enc]# openssl genrsa
Write it to a file
[root@swarm01 enc]# openssl genrsa -out pri.pem
Generating RSA private key, 2048 bit long modulus
.+++
..+++
e is 65537 (0x10001)
[root@swarm01 enc]# more pri.pem
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
Encrypt the generated key pair: use aes128 encryption with password 123456 and generate a 1024-bit private key (2048 bits by default when not specified)
[root@swarm01 enc]# openssl genrsa -aes128 -passout pass:123456 -out pri.pem 1024
Generating RSA private key, 1024 bit long modulus
......++++++
............................................................++++++
e is 65537 (0x10001)
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,5CC261335E05F05294869536445126D1
-----END RSA PRIVATE KEY-----
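Modify an RSA key pair with the rsa command
Generate a key pair with password 123456
openssl genrsa -aes128 -passout pass:123456 -out pri.pem 1024
Change the password: passin is the current password and passout is the new one. If passin is wrong, the key cannot be parsed.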
[root@swarm01 enc]# openssl rsa -passin pass:123456 -passout pass:654321 -in pri.pem -out pri1.pem
writing RSA key
Remove the password
[root@swarm01 enc]# openssl rsa -passin pass:123456 -in pri.pem -out pri2.pem
writing RSA key
View the key pair details
[root@swarm01 enc]# openssl rsa -passin pass:123456 -in pri.pem -text
Asymmetric encryption and decryption
For rsautl: generate the key pair and export the public key
[root@swarm01 enc]# openssl genrsa -out pri.pem
[root@swarm01 enc]# openssl rsa -in pri.pem -pubout -out pub.pem
writing RSA key
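Encrypt and decrypt
[root@swarm01 enc]# openssl rsautl -inkey pri.pem -in 1.txt -out 1_enc.txt -encrypt   # the public key is extracted automatically for encryption
[root@swarm01 enc]# openssl rsautl -inkey pri.pem -in 1_enc.txt -out 2.txt -decrypt   # the private key is extracted automatically for decryption
[root@swarm01 enc]# diff 1.txt 2.txt
You can also encrypt directly with the public key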
[root@swarm01 enc]# openssl rsautl -inkey pub.pem -pubin -in 1.txt -out 2_enc.txt -encrypt
[root@swarm01 enc]# openssl rsautl -inkey pri.pem -in 2_enc.txt -out 3.txt -decrypt
[root@swarm01 enc]# diff 1.txt 3.txt
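Signing and verifying with rsautl
/* Extract the private key in PKCS8 format */
openssl pkcs8 -topk8 -in RSA.pem -passin pass:123456 -out pri.pem -nocrypt
/* Sign with the RSA key; in effect this encrypts with the private key */
openssl rsautl -sign -in plain.txt -inkey RSA.pem -passin pass:123456 -out sign.txt
/* Verify with the RSA key; in effect this decrypts with the public key */
openssl rsautl -verify -in sign.txt -inkey RSA.pem -passin pass:123456 -out replain.txt
/* Compare the original file with the file recovered from the signature */
diff plain.txt replain.txt
/* Sign with the private key */
openssl rsautl -sign -in plain.txt -inkey pri.pem -out sign1.txt
/* Verify with the public key */
openssl rsautl -verify -in sign1.txt -inkey pub.pem -pubin -out replain1.txt
/* Compare the original file with the file recovered from the signature */
diff plain.txt replain1.txt
Note that the signing and verification shown here are essentially encryption and decryption, not signing and verification in the standard sense. Standard signing and verification add a digest step.
Certificates
Generate a self-signed certificate
Reference on the roles of certificates and public/private keys
Method 1:
# Generate CA private key ---> ca.key
openssl genrsa -out ca.key 2048
# Generate CSR (certificate request) ---> ca.csr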
openssl req -new -key ca.key -out ca.csr
# Generate Self Signed certificate(CA 根证书) ---> ca.crt
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
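Method 2:
Once you have the key file, run the following command:
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
If you do not want to fill in the registration details interactively, run the following command:
openssl req -new -x509 -days 365 -key ca.key -out ca.crt -subj "/C=GB/L=London/O=Feisty Duck Ltd/CN=www.feistyduck.com"
Issuing certificates
Sign server.csr with the CA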
# private key --->server.key
openssl genrsa -out server.key 1024
# generate csr --->server.csr
openssl req -new -key server.key -out server.csr
# generate certificate --->server.crt
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key
Errors when issuing certificates
For the problem below, run this command to fix it: sudo touch /etc/pki/CA/index.txt
[centos@ip ssl]$ sudo openssl ca -in certificate.csr -out certificate.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/index.txt: No such file or directory
unable to open '/etc/pki/CA/index.txt'
139981965662096:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/index.txt','r')
139981965662096:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
For the problem below, run this command to fix it: echo 01 | sudo tee /etc/pki/CA/serial
[centos@ip ssl]$ sudo openssl ca -in certificate.csr -out certificate.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/serial: No such file or directory
error while loading serial number
139630067787664:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/serial','r')
139630067787664:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
Using a self-issued server certificate with nginx
Generate the root certificate
openssl genrsa -out ca.key 2048 && openssl req -new -x509 -days 365 -key ca.key -out ca.crt -subj /C=CN/ST=广东省/L=深圳市/O=深圳芥舟科技有限公司/OU=研发部/CN=gvt/emailAddress=lixin1112003@126com
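Generate the server certificate
Domain names covered by the certificate
When a browser visits a domain, it automatically matches that domain against the DNS names in the certificate. These must be configured when the certificate is generated so that browsers accept it.
Copy /etc/pki/tls/openssl.cnf
mkdir ca && cd ca
cp /etc/pki/tls/openssl.cnf ./
Edit the openssl.cnf configuration
Uncomment req_extensions = v3_req
Under [ v3_req ] add the following (it states which domain names the generated certificate is valid for)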
subjectAltName=@alt_names
[ alt_names ]
DNS.1=*.gvtdev.com
DNS.2=*.gvtfat.com
DNS.3=*.gvtuat.com
Generate the server certificate
openssl genrsa -out server.key 1024
openssl req -new -key server.key -out server.csr -config ./openssl.cnf -extensions v3_req -subj /C=CN/ST=广东省/L=深圳市/O=深圳芥舟科技有限公司/OU=研发部/CN=gvtweb/emailAddress=lixin1112003@126com
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config ./openssl.cnf -extensions v3_req
If this error occurs
failed to update database
TXT_DB error number 2
Delete and recreate the database files
rm -rf /etc/pki/CA/index.txt
rm -rf /etc/pki/CA/index.txt.old
touch /etc/pki/CA/index.txt
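Before the certificate goes into nginx it is worth checking which host names it really covers. The added example below (not part of the original post) reuses the three wildcard names from the alt_names section above; the san.cnf file, the subject names, the 2048-bit key size and the use of openssl x509 -req -CA in place of openssl ca are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the original post): issue a SAN certificate from a
# private CA and test which host names it covers. It signs with
# `openssl x509 -req -CA`, which needs no index.txt/serial database.

# issue_san_cert DIR -> writes ca.key, ca.crt, server.key, server.csr and
# server.crt into DIR. The subject names and san.cnf are constructed here.
issue_san_cert() (
    cd "$1" || exit 1
    cat > san.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_req ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = *.gvtdev.com
DNS.2 = *.gvtfat.com
DNS.3 = *.gvtuat.com
EOF
    openssl genrsa -out ca.key 2048 2>/dev/null &&
    openssl req -new -x509 -days 365 -key ca.key -out ca.crt \
        -config san.cnf -extensions v3_ca -subj "/CN=Example Private CA" &&
    openssl genrsa -out server.key 2048 2>/dev/null &&
    openssl req -new -key server.key -out server.csr \
        -config san.cnf -subj "/CN=gvtweb" &&
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
        -CAcreateserial -days 365 -sha256 \
        -extfile san.cnf -extensions v3_req -out server.crt 2>/dev/null
)

# host_covered DIR HOSTNAME -> 0 only if server.crt chains to ca.crt and one
# of its subjectAltName entries matches HOSTNAME.
host_covered() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" \
        "$1/server.crt" >/dev/null 2>&1
}

# Demo: a wildcard covers exactly one label, and the CN is ignored once
# DNS subjectAltName entries are present.
demo_dir=$(mktemp -d) && issue_san_cert "$demo_dir" &&
for name in gateway.gvtdev.com gvtdev.com a.b.gvtdev.com gvtweb; do
    if host_covered "$demo_dir" "$name"; then echo "$name: covered"
    else echo "$name: NOT covered"; fi
done
rm -rf "$demo_dir"
```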
Configure nginx
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name gateway.gvtdev.com apos.gvtdev.com management.gvtdev.com;
    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    #ssl_certificate /home/cent/nginx.cer;
    ssl_certificate /application/openresty/nginx/conf/ca/server.crt;
    ssl_certificate_key /application/openresty/nginx/conf/ca/server.key;
    #ssl_certificate_key /home/cent/nginx.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
    ssl_session_tickets off;
    # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam.pem
    ssl_dhparam /home/cent/dhparam.pem;
    # intermediate configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;
    location / {
        proxy_pass http://docker-app;
        proxy_set_header Host $host; # depending on the case, decide whether port 443 should be passed to the backend; if only the domain name needs to be sent, leave it like this
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
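Install the root certificate in the browser
Copy the previously generated ca.crt file to the machine running the browser, then in Chrome open Settings > Advanced > Manage HTTPS/SSL certificates and settings
Select the Trusted Root Certification Authorities tab, click Import and choose ca.crt
Digest algorithms
Supported digest algorithms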
[root@swarm01 ~]# openssl dgst --help
unknown option '--help'
options are
-c to output the digest with separating colons
-r to output the digest in coreutils format
-d to output debug info
-hex output as hex dump
-binary output in binary form
-hmac arg set the HMAC key to arg
-non-fips-allow allow use of non FIPS digest
-sign file sign digest using private key in file
-verify file verify a signature using public key in file
-prverify file verify a signature using private key in file
-keyform arg key file format (PEM or ENGINE)
-out filename output to filename rather than stdout
-signature file signature to verify
-sigopt nm:v signature parameter
-hmac key create hashed MAC with key
-mac algorithm create MAC (not neccessarily HMAC)
-macopt nm:v MAC algorithm parameters or key
-engine e use engine e, possibly a hardware device.
-md4 to use the md4 message digest algorithm
-md5 to use the md5 message digest algorithm
-ripemd160 to use the ripemd160 message digest algorithm
-sha to use the sha message digest algorithm
-sha1 to use the sha1 message digest algorithm
-sha224 to use the sha224 message digest algorithm
-sha256 to use the sha256 message digest algorithm
-sha384 to use the sha384 message digest algorithm
-sha512 to use the sha512 message digest algorithm
-whirlpool to use the whirlpool message digest algorithm
Test
[root@swarm01 enc]# openssl dgst -md5 1.txt
MD5(1.txt)= b1946ac92492d2347c6235b4d2611184
[root@swarm01 enc]# openssl dgst -sha1 1.txt
SHA1(1.txt)= f572d396fae9206628714fb2ce00f72e94f2258f
[root@swarm01 enc]# openssl dgst -sha256 1.txt
SHA256(1.txt)= 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
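Signing and verification
Sign and verify with an RSA key
/* Use sha256 as the digest algorithm and the RSA key to sign file.txt */
openssl dgst -sign RSA.pem -sha256 -out sign.txt file.txt
/* Verify the signature with the RSA key (prverify option); verification succeeds */
openssl dgst -prverify RSA.pem -sha256 -signature sign.txt file.txt
Verified OK
Sign and verify with a DSA key
/* Use the DSA algorithm with the sha256 digest to sign file.txt */
openssl dgst -sign DSA.pem -sha256 -out sign.txt file.txt
/* Verify the signature with the DSA key */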
openssl dgst -prverify DSA.pem -sha256 -signature sign.txt file.txt
Verified OK
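The commands above verify with -prverify, which needs the private key. A recipient normally holds only the public key, so the added example below (not part of the original post) verifies with -verify and also shows the two failure cases: a modified file and the wrong key. This is the digest-based signature that the earlier rsautl remark calls the standard form. All file names and the sample payload are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not from the original post): hash-then-sign with
# openssl dgst, verified with the public key only.

# sign_file KEY FILE SIG: SHA-256 digest of FILE signed with private KEY.
sign_file() {
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# verify_file PUB FILE SIG: 0 if SIG is a valid signature of FILE under PUB.
verify_file() {
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# demo_sign_verify: works in a scratch directory, prints one line per check.
demo_sign_verify() {
    dsv_work=$(mktemp -d) || return 1
    (
        cd "$dsv_work" || exit 1
        openssl genrsa -out signer.pem 2048 2>/dev/null
        openssl rsa -in signer.pem -pubout -out signer.pub 2>/dev/null
        openssl genrsa -out other.pem 2048 2>/dev/null
        openssl rsa -in other.pem -pubout -out other.pub 2>/dev/null
        printf 'release-1.0 payload\n' > file.txt        # constructed sample
        sign_file signer.pem file.txt file.sig || exit 1

        # 1. Genuine file, signer's public key.
        verify_file signer.pub file.txt file.sig &&
            echo "genuine=accepted" || echo "genuine=rejected"
        # 2. Same signature, modified content.
        printf 'release-1.0 payload (modified)\n' > tampered.txt
        verify_file signer.pub tampered.txt file.sig &&
            echo "tampered=accepted" || echo "tampered=rejected"
        # 3. Genuine file, somebody else's public key.
        verify_file other.pub file.txt file.sig &&
            echo "wrongkey=accepted" || echo "wrongkey=rejected"
    )
    dsv_rc=$?
    rm -rf "$dsv_work"
    return "$dsv_rc"
}

demo_sign_verify
```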
3.gpg
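Introduction to GPG
In 1991, programmer Phil Zimmermann developed the encryption software PGP to evade government surveillance. The software was very easy to use, spread quickly, and became an essential tool for many programmers. However, it was commercial software and could not be used freely. So the Free Software Foundation decided to develop a replacement for PGP and named it GnuPG. That is the origin of GPG.
CentOS currently ships with gnupg; if it is missing, install it with:
yum install gnupg
Key management
Managing keys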
[root@swarm01 enc]# gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
gpg: keyring `/root/.gnupg/secring.gpg' created
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection?
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: jiaozi   # enter a user name; it is the unique identifier
Email address: lixin1112003@126.com
Comment: jiaozi
You selected this USER-ID:
"jiaozi (jiaozi) <lixin1112003@126.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
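After this a password dialog pops up; enter the password twice.
If the screen stays stuck, leave the previous window open, open another client window and run
[root@swarm01 ~]# yum -y install rng-tools
Run this command to generate random numbers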
[root@swarm01 ~]# rngd -r /dev/urandom
Initalizing available sources
Enabling RDSEED rng support
Enabling JITTER rng support
List all keys
[root@swarm01 enc]# gpg --list-keys
/root/.gnupg/pubring.gpg   # to delete all keys, just delete this file
------------------------
pub 2048R/C5D38BAB 2019-02-16
uid jiaozi (jiaozi) <lixin1112003@126.com>
sub 2048R/6C64275E 2019-02-16
Delete the public and private keys (the private key must be deleted before the public key)
[root@swarm01 enc]# gpg --delete-secret-keys jiaozi   # delete the private key by user ID
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
sec 2048R/C5D38BAB 2019-02-16 jiaozi (jiaozi) <lixin1112003@126.com>
Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y
[root@swarm01 enc]# gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub 2048R/C5D38BAB 2019-02-16
uid jiaozi (jiaozi) <lixin1112003@126.com>
sub 2048R/6C64275E 2019-02-16
[root@swarm01 enc]# gpg --delete-keys jiaozi   # delete the public key by user ID
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub 2048R/C5D38BAB 2019-02-16 jiaozi (jiaozi) <lixin1112003@126.com>
Delete this key from the keyring? (y/N) y
[root@swarm01 enc]# gpg --list-keys
gpg: checking the trustdb
gpg: no ultimately trusted keys found
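Export the private key
[root@swarm01 enc]# gpg --armor --output gpri-key.txt --export-secret-key
Export the public key
[root@swarm01 enc]# gpg --armor --output gpub-key.txt --export
Upload the public key
A public key server is a server on the network dedicated to storing users' public keys. The send-keys option uploads a public key to a server.
There are many public key servers on the network today, and they all synchronize with one another. For example: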
- http://keyserver.ubuntu.com:11371
- http://pgp.mit.edu/
- http://wwwkeys.pgp.net:11371
- http://subkeys.pgp.net
Upload the public key to keyserver.ubuntu.com
[root@swarm01 enc]# gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub 2048R/8D6D985E 2019-02-16   # 8D6D985E here is the public key ID
uid jiaozi (jiaozi) <jiaozi@126.com>
sub 2048R/F2DC2948 2019-02-16
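gpg --keyserver hkp://keyserver.ubuntu.com:11371 --send-keys 8D6D985E   # only the public key ID can be used
Because public key servers have no verification mechanism, anyone can upload a public key in your name, so there is no way to guarantee that a public key on a server is trustworthy. Usually you publish a public key fingerprint on a website so that others can check whether the key they downloaded is genuine. The fingerprint option generates the public key fingerprint.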
[root@swarm01 enc]# gpg --fingerprint 8D6D985E
pub 2048R/8D6D985E 2019-02-16
Key fingerprint = C8E8 4526 0275 EE82 BC7F 7C7B FBAE 3AB8 8D6D 985E
uid jiaozi (jiaozi) <jiaozi@126.com>
sub 2048R/F2DC2948 2019-02-16
Search for a key on the public key server (note that only the user name can be found by search)
[root@swarm01 enc]# gpg --keyserver hkp://keyserver.ubuntu.com:11371 --search-keys jiaozi
gpg: searching for "jiaozi" from hkp server keyserver.ubuntu.com
(1) jiaozi (jiaozi) <jiaozi@126.com>
2048 bit RSA key 8D6D985E, created: 2019-02-16
Keys 1-1 of 1 for "jiaozi". Enter number(s), N)ext, or Q)uit >
gpg: signal Interrupt caught ... exiting
Restore from the keyserver to the local keyring (only the public key ID can be used here)
[root@swarm01 enc]# gpg --keyserver hkp://keyserver.ubuntu.com:11371 --recv-keys 8D6D985E
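Besides generating your own keys, you also need to bring other people's public keys, or your other keys, into the system. Use the import option for this.
gpg --import [key file]
Encryption and decryption
Encryption
Suppose there is a text file demo.txt. How do we encrypt it?
The encrypt option is used for encryption.
gpg --recipient [user ID] --output demo.en.txt --encrypt demo.txt
The recipient option specifies the recipient's public key, the output option specifies the name of the encrypted file, and the encrypt option specifies the source file. After running the command above, demo.en.txt is the encrypted file and can be sent to the other party.
Decryption
After receiving the encrypted file, the other party decrypts it with their own private key.
gpg --output demo.de.txt --decrypt demo.en.txt
The decrypt option specifies the file to decrypt and the output option specifies the file produced by decryption. After running the command above, demo.de.txt is the decrypted file.
GPG allows the decrypt option to be omitted.
gpg demo.en.txt
After running the command above, the decrypted file content is shown directly on standard output.
Signing and verification
Signing a file
Sometimes we do not need to encrypt a file, only to sign it, to show that the file really was sent by me. The sign option is used for signing.
gpg --sign demo.txt
After running the command above, a demo.txt.gpg file is created in the current directory; this is the signed file. By default it is stored in binary form. To produce a signed file in ASCII form, use the clearsign option.
gpg --clearsign demo.txt
After running the command above, a demo.txt.asc file is created in the current directory; the .asc suffix indicates that the file is in ASCII form.
To produce a separate signature file stored apart from the file content, use the detach-sign option.
gpg --detach-sign demo.txt
After running the command above, a separate signature file demo.txt.sig is created in the current directory. It is in binary form; to get ASCII form, add the armor option.
gpg --armor --detach-sign demo.txt
Signing + encryption
The options in the previous section only sign without encrypting. To sign and encrypt at the same time, use the command below.
gpg --local-user [sender ID] --recipient [recipient ID] --armor --sign --encrypt demo.txt
The local-user option signs with the sender's private key, the recipient option encrypts with the recipient's public key, the armor option outputs in ASCII form, the sign option requests a signature, and the encrypt option specifies the source file.
Verifying a signature
When we receive a file signed by someone else, we need to verify with their public key that the signature is genuine. The verify option is used for verification.
gpg --verify demo.txt.asc demo.txt
A commonly used GUI GPG program on Windows is Gpg4win.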