openssl命令的使用

查看openssl的安装包：
[root@miner_k ~]# rpm -qa | grep openssl
openssl-1.0.1e-48.el6_8.3.x86_64

openssl的配置文件

[root@miner_k ~]# rpm -ql openssl
/etc/pki/CA             #工作目录
/etc/pki/CA/certs       #客户端证书
/etc/pki/CA/crl         #证书吊销列表
/etc/pki/CA/newcerts    #新签署的证书
/etc/pki/CA/private     #私钥存放位置
/etc/pki/tls
/etc/pki/tls/certs
/etc/pki/tls/certs/Makefile  #redhat提供的使用make命令生成CA、签署证书等

1.openssl下的子命令帮助：

[root@miner_k ~]# openssl -h
openssl:Error: '-h' is an invalid command.

Standard commands
asn1parse         ca                ciphers           cms               
crl               crl2pkcs7         dgst              dh                
dhparam           dsa               dsaparam          ec                
ecparam           enc               engine            errstr            
gendh             gendsa            genpkey           genrsa            
nseq              ocsp              passwd            pkcs12            
pkcs7             pkcs8             pkey              pkeyparam         
pkeyutl           prime             rand              req               
rsa               rsautl            s_client          s_server          
s_time            sess_id           smime             speed             
spkac             ts                verify            version           
x509              

Message Digest commands (see the `dgst' command for more details)
md2               md4               md5               rmd160            
sha               sha1              

Cipher commands (see the `enc' command for more details)
aes-128-cbc       aes-128-ecb       aes-192-cbc       aes-192-ecb       
aes-256-cbc       aes-256-ecb       base64            bf                
bf-cbc            bf-cfb            bf-ecb            bf-ofb            
camellia-128-cbc  camellia-128-ecb  camellia-192-cbc  camellia-192-ecb  
camellia-256-cbc  camellia-256-ecb  cast              cast-cbc          
cast5-cbc         cast5-cfb         cast5-ecb         cast5-ofb         
des               des-cbc           des-cfb           des-ecb           
des-ede           des-ede-cbc       des-ede-cfb       des-ede-ofb       
des-ede3          des-ede3-cbc      des-ede3-cfb      des-ede3-ofb      
des-ofb           des3              desx              idea              
idea-cbc          idea-cfb          idea-ecb          idea-ofb          
rc2               rc2-40-cbc        rc2-64-cbc        rc2-cbc           
rc2-cfb           rc2-ecb           rc2-ofb           rc4               
rc4-40            seed              seed-cbc          seed-cfb          
seed-ecb          seed-ofb          zlib              

子命令的帮助手册查看：

• 子命令和系统命令不冲突：

[root@miner_k ~]# whatis ca
ca                   (1ssl)  - sample minimal CA application
ca-legacy            (8)  - Manage the system configuration for legacy CA certificates
[root@miner_k ~]# man ca

• 子命令和系统命令冲突

[root@miner_k ~]# whatis passwd
passwd               (1)  - update user's authentication tokens
passwd [sslpasswd]   (1ssl)  - compute password hashes
[root@miner_k ~]# man sslpasswd

2. openssl 测试des的加密的速度

[root@miner_k ~]# openssl speed des
Doing des cbc for 3s on 16 size blocks: 9396926 des cbc's in 2.94s
Doing des cbc for 3s on 64 size blocks: 2420945 des cbc's in 2.96s
Doing des cbc for 3s on 256 size blocks: 607810 des cbc's in 2.96s
Doing des cbc for 3s on 1024 size blocks: 152797 des cbc's in 2.98s
Doing des cbc for 3s on 8192 size blocks: 18994 des cbc's in 2.95s
Doing des ede3 for 3s on 16 size blocks: 3537558 des ede3's in 2.92s
Doing des ede3 for 3s on 64 size blocks: 911650 des ede3's in 2.98s
Doing des ede3 for 3s on 256 size blocks: 227075 des ede3's in 2.96s
Doing des ede3 for 3s on 1024 size blocks: 56604 des ede3's in 2.95s
Doing des ede3 for 3s on 8192 size blocks: 7090 des ede3's in 2.96s
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Tue Sep 27 12:27:19 UTC 2016
options:bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx) 
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
des cbc          51139.73k    52344.76k    52567.35k    52504.74k    52745.37k
des ede3         19383.88k    19579.06k    19638.92k    19648.30k    19622.05k

3. 对称加密与解密

加密：

[root@miner_k ~]# openssl enc -des3 -salt -a -in passwd -out passwd.dsc3
enter des-ede3-cbc encryption password:
Verifying - enter des-ede3-cbc encryption password:
[root@miner_k ~]# ls passwd
passwd       passwd.dsc3  

解密：

[root@miner_k ~]# openssl enc -d -des3 -salt -a -in passwd.dsc3 -out passwd

参数：

enc 对称加密
-des3 加密算法
-salt 使用的加密的盐
-a base64 process the data
-in 需要加密的文件
-out 输出的文件

4.查看校验码（提取特征码）

[root@miner_k ~]# md5sum passwd
497a36ebc9cb278e74ffa07cc4a98ac1  passwd

[root@miner_k ~]# sha1sum passwd
2ee237104e448eac368e9e86fd69e298955b4a89  passwd

[root@miner_k ~]# openssl dgst -sha1 passwd
SHA1(passwd)= 2ee237104e448eac368e9e86fd69e298955b4a89
[root@miner_k ~]# openssl dgst -md5 passwd
MD5(passwd)= 497a36ebc9cb278e74ffa07cc4a98ac1

5.加密密码

[root@miner_k ~]# openssl passwd -1
Password: 
Verifying - Password: 
$1$S98LGqIe$jfx3pyQV41eM9Co4zEFle1


通过命令可以看出密码
[root@miner_k ~]# openssl passwd -1 -salt S98LGqIe
Password: 
$1$S98LGqIe$jfx3pyQV41eM9Co4zEFle1

参数：
-1 MD5加密
-salt 加密的盐

6.生成随机数

[root@miner_k ~]# openssl rand -base64 16
hAEtkTbvKCZuk8LuESHq2g==
[root@miner_k ~]# openssl rand -base64 12
slWW8NfrEf5tYYcp

7.非对称加密