记不住每次都翻文档比较繁琐,在此集中记录下线索。
#encoding:utf-8
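# Hash digests (Digest from the standard library)
require 'digest'

# Incremental hashing: #update and #<< both append to the running state.
# MD5 is shown for API reference only. It is not collision-resistant, so keep
# it to legacy checksums and use SHA-256 or stronger where integrity matters.
md5 = Digest::MD5.new
md5.update 'message 1'
md5 << 'message 2'
puts md5.hexdigest

# One-shot forms: passing a string hashes just that string.
sha256 = Digest::SHA256.new
# #digest returns raw bytes; print an escaped form instead of writing binary
# to the terminal.
puts sha256.digest('message').inspect
puts sha256.hexdigest 'message'
puts sha256.base64digest 'message'

# Hash a file that sits next to this script. File.join replaces manual
# separator concatenation; a missing sample file is reported, not fatal.
sample_path = File.join(File.dirname(__FILE__), 'a.txt')
if File.file?(sample_path)
  puts sha256.file(sample_path)
else
  warn "skipping file digest: #{sample_path} not found"
end

# BubbleBabble renders a digest as pronounceable text.
require 'digest/bubblebabble'
puts Digest::SHA256.bubblebabble 'message'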
# Base64 encode / decode round trip.
# Base64 is a reversible encoding, not encryption: it gives no confidentiality.
require 'base64'

msg = 'hello'
encoded = Base64.encode64(msg)
puts encoded
puts Base64.decode64(Base64.encode64(msg))
#AES
require 'openssl'
# Encrypts +plain_string+ with AES-128-CBC and returns the ciphertext as an
# upper-case hex string.
#
# key and iv are raw byte strings handed straight to the cipher.
#
# Security notes for callers: CBC provides confidentiality only, so the output
# carries no integrity protection; authenticate it separately if tampering
# matters. The IV should be fresh and unpredictable for every message
# encrypted under the same key.
def aes_encrypt(key, iv, plain_string)
  cipher = OpenSSL::Cipher::AES.new(128, :CBC)
  cipher.encrypt # select the direction before assigning key and IV
  cipher.key = key
  cipher.iv = iv
  raw = cipher.update(plain_string) + cipher.final
  raw.unpack1('H*').upcase
end
# Decrypts a hex-encoded AES-128-CBC ciphertext (the format aes_encrypt
# produces) and returns the plaintext bytes.
#
# The method and parameter names keep their original spelling so existing
# callers continue to work. +dicrypted_string+ is the hex ciphertext.
#
# CBC is unauthenticated: a modified ciphertext may decrypt to garbage or fail
# on the padding check in #final, so do not treat a successful return as proof
# that the data is genuine.
def aes_dicrypt(key, iv, dicrypted_string)
  cipher = OpenSSL::Cipher::AES.new(128, :CBC)
  cipher.decrypt # select the direction before assigning key and IV
  cipher.key = key
  cipher.iv = iv
  ciphertext = [dicrypted_string].pack('H*')
  cipher.update(ciphertext) + cipher.final
end
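# RSA
require 'openssl'

# Generate a 2048-bit key pair.
key = OpenSSL::PKey::RSA.new 2048
# This PEM holds the private key unencrypted, so restrict it to the owner.
# The mode argument only applies when the file is created; chmod also
# tightens a file left over from an earlier run.
File.open('private_key.pem', 'w', 0o600) do |io|
  io.chmod 0o600
  io.write key.to_pem
end
File.open('public_key.pem', 'w') { |io| io.write key.public_key.to_pem }

# Export the private key encrypted under a pass phrase.
cipher = OpenSSL::Cipher.new 'AES-128-CBC'
# Placeholder pass phrase for the example; real code should obtain it from
# outside the source tree rather than hard-coding it.
pass_phrase = 'my secure pass phrase goes here'
key_secure = key.export cipher, pass_phrase
File.open('private.secure.pem', 'w', 0o600) do |io|
  io.chmod 0o600
  io.write key_secure
end

# Load keys from PEM files.
key2 = OpenSSL::PKey::RSA.new File.read 'private_key.pem'
key2.public? # => true
key3 = OpenSSL::PKey::RSA.new File.read 'public_key.pem'
key3.private? # => false

# Load the pass-phrase-protected key.
key4_pem = File.read 'private.secure.pem'
key4 = OpenSSL::PKey::RSA.new key4_pem, pass_phrase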
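# Encrypt / decrypt
# RSA encrypts only a short byte string, so it is normally used to wrap a
# symmetric key. The original passed the RSA key object itself, which is not
# a byte string; a constructed sample session key is wrapped instead.
# OAEP padding is requested explicitly because the default PKCS#1 v1.5
# encryption padding is exposed to padding-oracle attacks.
session_key = OpenSSL::Random.random_bytes 16
wrapped_key = key.public_encrypt session_key, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING
original_key = key.private_decrypt wrapped_key, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

# Sign
document = 'sample document' # constructed sample input; was undefined before
digest = OpenSSL::Digest::SHA256.new
signature = key.sign digest, document

# Verify: returns true only when the signature matches document under key.
digest = OpenSSL::Digest::SHA256.new
if key.verify digest, signature, document
  puts 'Valid'
else
  puts 'Invalid'
end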
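# PBKDF2: derive an AES key from a password.
# The derived key is stored in derived_key rather than key, so the RSA key
# object that the later certificate sections read from key is not overwritten.

# Encrypt
document = 'sample document' # constructed sample input; was undefined before
cipher = OpenSSL::Cipher.new 'AES-128-CBC'
cipher.encrypt
iv = cipher.random_iv
pwd = 'some hopefully not to easily guessable password'
# The salt and IV are not secret but must be stored with the ciphertext.
salt = OpenSSL::Random.random_bytes 16
# NOTE(review): 20000 iterations is low by current guidance for
# PBKDF2-HMAC-SHA256; raise it as far as the latency budget allows.
iter = 20000
key_len = cipher.key_len
digest = OpenSSL::Digest::SHA256.new
derived_key = OpenSSL::PKCS5.pbkdf2_hmac(pwd, salt, iter, key_len, digest)
cipher.key = derived_key
encrypted = cipher.update document
encrypted << cipher.final

# Decrypt: needs the same password, salt, iteration count, digest and IV.
# CBC is unauthenticated, so a successful decrypt does not prove the
# ciphertext was unmodified.
cipher = OpenSSL::Cipher.new 'AES-128-CBC'
cipher.decrypt
cipher.iv = iv # the one generated with #random_iv
pwd = 'some hopefully not to easily guessable password'
iter = 20000
key_len = cipher.key_len
digest = OpenSSL::Digest::SHA256.new
derived_key = OpenSSL::PKCS5.pbkdf2_hmac(pwd, salt, iter, key_len, digest)
cipher.key = derived_key
decrypted = cipher.update encrypted
decrypted << cipher.final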
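# PKCS #5 key/IV derivation via Cipher#pkcs5_keyivgen (legacy).
# The Ruby OpenSSL documentation marks pkcs5_keyivgen as deprecated; its
# defaults are MD5 with 2048 iterations. Prefer OpenSSL::PKCS5.pbkdf2_hmac
# for new code and keep this only for interoperating with existing data.
pass_phrase = 'my secure pass phrase goes here'
salt = '8 octets'
document = 'sample document' # constructed sample input

# Encrypt
# The original never encrypted with this cipher, so the decrypt step below
# was fed ciphertext produced under a different key and IV.
encryptor = OpenSSL::Cipher.new 'AES-128-CBC'
encryptor.encrypt
encryptor.pkcs5_keyivgen pass_phrase, salt
encrypted = encryptor.update document
encrypted << encryptor.final

# Decrypt: the same pass phrase and salt reproduce the same key and IV.
decryptor = OpenSSL::Cipher.new 'AES-128-CBC'
decryptor.decrypt
decryptor.pkcs5_keyivgen pass_phrase, salt
plain = decryptor.update encrypted
plain << decryptor.final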
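# X.509 certificates
# Create a self-signed certificate for the RSA key held in key.
name = OpenSSL::X509::Name.parse 'CN=nobody/DC=example'
cert = OpenSSL::X509::Certificate.new
cert.version = 2 # version field 2 denotes X.509 v3
# NOTE(review): serial 0 is only acceptable for a throwaway demo; RFC 5280
# requires a positive serial that is unique per issuer.
cert.serial = 0
cert.not_before = Time.now
cert.not_after = Time.now + 3600
cert.public_key = key.public_key
cert.subject = name
extension_factory = OpenSSL::X509::ExtensionFactory.new nil, cert
cert.add_extension extension_factory.create_extension('basicConstraints', 'CA:FALSE', true)
cert.add_extension extension_factory.create_extension('keyUsage', 'keyEncipherment,dataEncipherment,digitalSignature')
cert.add_extension extension_factory.create_extension('subjectKeyIdentifier', 'hash')

# Sign the certificate (issuer == subject, i.e. self-signed).
# SHA-256 replaces SHA-1: SHA-1 signatures are no longer collision-resistant
# and are rejected by current TLS stacks and some OpenSSL policies.
cert.issuer = name
cert.sign key, OpenSSL::Digest::SHA256.new
File.open('certificate.pem', 'w') { |io| io.write cert.to_pem }

# Load the certificate back from disk.
cert2 = OpenSSL::X509::Certificate.new File.read 'certificate.pem'

# Check the signature. This only shows the certificate was signed by key;
# it does not validate the validity period, extensions or a trust chain.
raise 'certificate can not be verified' unless cert2.verify key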
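# Generate the CA key and store it encrypted, readable by the owner only.
ca_key = OpenSSL::PKey::RSA.new 2048
# OpenSSL::Cipher::Cipher is a deprecated alias; use OpenSSL::Cipher.
cipher = OpenSSL::Cipher.new 'AES-128-CBC'
# Mode 0400 makes the file read-only, so a second run cannot reopen it for
# writing without removing it first.
File.open('ca_key.pem', 'w', 0o400) do |io|
  io.write ca_key.export(cipher, pass_phrase)
end

# Build the CA certificate, including its extensions.
ca_name = OpenSSL::X509::Name.parse 'CN=ca/DC=example'
ca_cert = OpenSSL::X509::Certificate.new
ca_cert.serial = 0
ca_cert.version = 2 # version field 2 denotes X.509 v3
ca_cert.not_before = Time.now
ca_cert.not_after = Time.now + 86400
ca_cert.public_key = ca_key.public_key
ca_cert.subject = ca_name
ca_cert.issuer = ca_name
extension_factory = OpenSSL::X509::ExtensionFactory.new
extension_factory.subject_certificate = ca_cert
extension_factory.issuer_certificate = ca_cert
ca_cert.add_extension extension_factory.create_extension('subjectKeyIdentifier', 'hash')
# CA:TRUE and keyCertSign are marked critical so that relying parties must
# understand them before accepting certificates issued by this CA.
ca_cert.add_extension extension_factory.create_extension('basicConstraints', 'CA:TRUE', true)
ca_cert.add_extension extension_factory.create_extension('keyUsage', 'cRLSign,keyCertSign', true)

# Self-sign the root certificate. SHA-256 replaces SHA-1, which is no longer
# collision-resistant and is rejected by current verifiers.
ca_cert.sign ca_key, OpenSSL::Digest::SHA256.new

# Export the CA certificate. It is public and needs no restrictive mode.
File.open('ca_cert.pem', 'w') do |io|
  io.write ca_cert.to_pem
end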
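# Certificate signing request (CSR)
csr = OpenSSL::X509::Request.new
csr.version = 0
csr.subject = name
csr.public_key = key.public_key
# SHA-256 replaces SHA-1 for the request signature.
csr.sign key, OpenSSL::Digest::SHA256.new
File.open('csr.pem', 'w') do |io|
  io.write csr.to_pem
end

# Verify the CSR.
# The self-signature only proves that the requester holds the private key.
# A real CA must separately check that the requester is entitled to the
# subject before copying it into a certificate.
csr = OpenSSL::X509::Request.new File.read 'csr.pem'
raise 'CSR can not be verified' unless csr.verify csr.public_key

# Issue the certificate from the CSR, signed by the CA.
csr_cert = OpenSSL::X509::Certificate.new
# NOTE(review): a CA must give every certificate it issues a unique serial;
# 0 here collides with the other demo certificates.
csr_cert.serial = 0
csr_cert.version = 2 # version field 2 denotes X.509 v3
csr_cert.not_before = Time.now
csr_cert.not_after = Time.now + 600
csr_cert.subject = csr.subject
csr_cert.public_key = csr.public_key
csr_cert.issuer = ca_cert.subject
extension_factory = OpenSSL::X509::ExtensionFactory.new
extension_factory.subject_certificate = csr_cert
extension_factory.issuer_certificate = ca_cert
# The extensions are chosen by the CA here, not taken from the request.
csr_cert.add_extension extension_factory.create_extension('basicConstraints', 'CA:FALSE')
csr_cert.add_extension extension_factory.create_extension('keyUsage', 'keyEncipherment,dataEncipherment,digitalSignature')
csr_cert.add_extension extension_factory.create_extension('subjectKeyIdentifier', 'hash')
# SHA-256 replaces SHA-1 for the issuing signature.
csr_cert.sign ca_key, OpenSSL::Digest::SHA256.new
File.open('csr_cert.pem', 'w') do |io|
  io.write csr_cert.to_pem
end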
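# SSL server
context = OpenSSL::SSL::SSLContext.new
context.cert = cert
context.key = key
require 'socket'
# TCPServer.new with only a port listens on every interface; pass a host as
# the first argument to restrict the listener.
tcp_server = TCPServer.new 5000
ssl_server = OpenSSL::SSL::SSLServer.new tcp_server, context
loop do
  begin
    ssl_connection = ssl_server.accept
  rescue OpenSSL::SSL::SSLError => e
    # One failed handshake must not take the whole server down.
    warn "TLS handshake failed: #{e.message}"
    next
  end
  begin
    # The original read from an undefined `connection`; use the accepted socket.
    data = ssl_connection.gets
    next if data.nil? # peer closed the connection without sending a line
    # String#dump escapes control and non-printable bytes, so untrusted
    # input is not echoed raw to the log or the terminal.
    response = "I got #{data.dump}"
    puts response
    ssl_connection.puts response
  ensure
    ssl_connection.close
  end
end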
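# SSL client
# No verify_mode is set on this context, so this first connection encrypts
# the channel but does not authenticate the server.
require 'socket'
tcp_client = TCPSocket.new 'localhost', 5000
# The original passed an undefined `client_socket`; wrap the TCP socket.
ssl_client = OpenSSL::SSL::SSLSocket.new tcp_client, context
ssl_client.connect
ssl_client.puts "hello server!"
puts ssl_client.gets

# Peer verification
# An SSLContext is frozen once a socket has been set up with it, so the
# verifying client gets a fresh context instead of mutating the used one.
context = OpenSSL::SSL::SSLContext.new
context.ca_file = 'ca_cert.pem'
# VERIFY_PEER validates the server's chain against ca_file. It does not
# compare the certificate with the host name on its own; enable
# SSLContext#verify_hostname and set SSLSocket#hostname= for that.
# NOTE(review): the server section presents the self-signed `cert`, which
# this CA did not issue; presumably it should present csr_cert. Confirm.
context.verify_mode = OpenSSL::SSL::VERIFY_PEER
require 'socket'
tcp_client = TCPSocket.new 'localhost', 5000
ssl_client = OpenSSL::SSL::SSLSocket.new tcp_client, context
ssl_client.connect
ssl_client.puts "hello server!"
puts ssl_client.gets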