本篇是本系列的第一篇:
术语表
- SSL – Secure Socket Layer
- CA - Certificate Authority
- CSR – Certificate Signing Request
- TLS – Transport Layer Security
- PEM – Privacy Enhanced Mail
- DER – Distinguished Encoding Rules
- SHA – Secure Hash Algorithm
- PKCS – Public-Key Cryptography Standards
生成RSA密钥对
生成RSA私钥
用以下指令生成2048位的RSA私钥
openssl genrsa -out private.key 2048
生成的private.key文件其实是个文本文件,内容如下:
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDLPEHSgudXxYSz
SJ0mcQykZBccZX1cF36RvFN1FTdtCxJeBWQNppwpO6I1IFwIHfU5MeBxL/zubO/A
aZN8QBx5PuXaW67Whqye+5HDeanJlg6oZPFCtTtKeqEnlRB3iuEs/aZFYjeh94y/
grT/krHOLR9ELx62xU+Xk1fO2N6mEw36DTdUXxOiLRXPfD+lmac4qBOMRsF1RPpT
LgSo66+EcZWDe4nhbgyAmnRKdvpEd1s76HTQuYALXlSZfVKePXccDdQELJCXeRI0
JI8wFKvskWxSjly2SWxN8RJkjBfkGL7lQ6RUmwm/0GcoghsEaAewOpl1VlpIKUNk
kqJR8/TBAgMBAAECggEAANBkeRniIFVfszIiwwEn6k6mUwxLBL/pV18YPHtRxgOJ
1suRu4ZD0Nx2yVywUa4BCfIbsohdLH1ONoiVuSUumAO6+vVsDVrrvRVH368QkYii
1WTWHIzKSIGWPKjZsIjjXwFDFbsPevwZWbkFzZJCWQ+QNP81UckXiQVjkCYJOkQO
cYGGIaa/EdZTm61zGBOUX8mxy99rWdxbSv7I4v7gdXkBnWp8HeeTSLs6+sWA5bMA
zXDnSDnyxx4ipzEzjhKQQ4vv2AJzQBlhMpZBPM4WjKSTBAyhfByku+rbeHddAJlU
jx9Ez6ShN2kwwEZKb4ZxVA9Re3QW6XDsQ7ryRdmxOQKBgQDZ3v+mZ9/1WxxBbJOV
+AXN1Sa6GO4VYzGC1WJjTrxfSr8BIkYcuxa8X7Tlh6xWzeLuVUe92AO0RTeqxsGc
a3YESdRrZjkS0Dw3GVfuP4gN2beUPxASXl4xg47N8Msia096S691Od1QRQdAXKsN
nn0opE5l+ry+XcKHt0GWr/PLxQKBgQDuzY2tCOXKU1t9GTja5vJ+0iC3+6tZY8sm
NBbWt4z7CfHieX4MtYOAl1++i7UEyg9Nv2rb52svq+d/FLQoCLpxQDr6d6FRW1jZ
L9A2lI8yknyN1mXgSx2ayshJ/O/NCUjeu+FK/BQrivfOFW4CXMV3qzsngtHRCUhM
1o74U4cozQKBgFo+flJlMGUm6htHaBJ0e6L4qWPoM6X0QmvZCznrQSePhHJpyfTY
oeBBHGL+wanq+haSiHbgZRhkm1xHm6a49FduZWhfHUDntCl2e++ZrTdfeSUUwgl5
wTZtMden59xH6tHTS8gYwc0f6pMET24CugD9neOr6kZH++3PQIG0PB2pAoGAG+0N
1F5mAPMej9KTQ4YedZY9HUbhEuMIrr8IrLNqWTEgiEuM4g+YAUGygKX11UmL4Jux
82Vss3Z26/WP296pbvUD8KZsxwbXrQ5aWwekd1WKG0wnPcOLAr8UDRL3OBMN4n42
Kn6wHSdzMzZuVvhiX0w27rftsXRUcCfnMEMUW0ECgYEAq/pDNIBPI/tA1WiyYMkD
apIfyBMGSyVqEa95mUagmp1C1+DT2sJAey5pByX+M17HQiyUbGgATOcU7mL5PDbz
cBEqRRuc4UmLjoZDxRnsuzgXzL5ojk/BxWDg+9c9PHAx3dfrtZEJOYFSefumIwCv
kNmZKMMR3cyYPMnlFZebSPk=
-----END PRIVATE KEY-----
用RSA私钥生成公钥
用上述步骤的私钥生成公钥
openssl rsa -in private.key -pubout -out public.key
生成的公钥文件public.key也是个文本文件,内容如下:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyzxB0oLnV8WEs0idJnEM
pGQXHGV9XBd+kbxTdRU3bQsSXgVkDaacKTuiNSBcCB31OTHgcS/87mzvwGmTfEAc
eT7l2luu1oasnvuRw3mpyZYOqGTxQrU7SnqhJ5UQd4rhLP2mRWI3ofeMv4K0/5Kx
zi0fRC8etsVPl5NXztjephMN+g03VF8Toi0Vz3w/pZmnOKgTjEbBdUT6Uy4EqOuv
hHGVg3uJ4W4MgJp0Snb6RHdbO+h00LmAC15UmX1Snj13HA3UBCyQl3kSNCSPMBSr
7JFsUo5ctklsTfESZIwX5Bi+5UOkVJsJv9BnKIIbBGgHsDqZdVZaSClDZJKiUfP0
wQIDAQAB
-----END PUBLIC KEY-----
公,公都有点短^_^
查看公私钥
以上步骤生成的密钥对其实都是文本文件,可用openssl命令查看详情
查看私钥
执行如下指令查看私钥
openssl rsa -in private.key -noout -text
其输出内容如下
Private-Key: (2048 bit, 2 primes)
modulus:
00:cb:3c:41:d2:82:e7:57:c5:84:b3:48:9d:26:71:
0c:a4:64:17:1c:65:7d:5c:17:7e:91:bc:53:75:15:
37:6d:0b:12:5e:05:64:0d:a6:9c:29:3b:a2:35:20:
5c:08:1d:f5:39:31:e0:71:2f:fc:ee:6c:ef:c0:69:
93:7c:40:1c:79:3e:e5:da:5b:ae:d6:86:ac:9e:fb:
91:c3:79:a9:c9:96:0e:a8:64:f1:42:b5:3b:4a:7a:
a1:27:95:10:77:8a:e1:2c:fd:a6:45:62:37:a1:f7:
8c:bf:82:b4:ff:92:b1:ce:2d:1f:44:2f:1e:b6:c5:
4f:97:93:57:ce:d8:de:a6:13:0d:fa:0d:37:54:5f:
13:a2:2d:15:cf:7c:3f:a5:99:a7:38:a8:13:8c:46:
c1:75:44:fa:53:2e:04:a8:eb:af:84:71:95:83:7b:
89:e1:6e:0c:80:9a:74:4a:76:fa:44:77:5b:3b:e8:
74:d0:b9:80:0b:5e:54:99:7d:52:9e:3d:77:1c:0d:
d4:04:2c:90:97:79:12:34:24:8f:30:14:ab:ec:91:
6c:52:8e:5c:b6:49:6c:4d:f1:12:64:8c:17:e4:18:
be:e5:43:a4:54:9b:09:bf:d0:67:28:82:1b:04:68:
07:b0:3a:99:75:56:5a:48:29:43:64:92:a2:51:f3:
f4:c1
publicExponent: 65537 (0x10001)
privateExponent:
00:d0:64:79:19:e2:20:55:5f:b3:32:22:c3:01:27:
ea:4e:a6:53:0c:4b:04:bf:e9:57:5f:18:3c:7b:51:...
查看公钥
执行如下指令查看公钥
openssl rsa -pubin -in public.key -noout -text
公钥内容较少,完整输出如下:
Public-Key: (2048 bit)
Modulus:
00:cb:3c:41:d2:82:e7:57:c5:84:b3:48:9d:26:71:
0c:a4:64:17:1c:65:7d:5c:17:7e:91:bc:53:75:15:
37:6d:0b:12:5e:05:64:0d:a6:9c:29:3b:a2:35:20:
5c:08:1d:f5:39:31:e0:71:2f:fc:ee:6c:ef:c0:69:
93:7c:40:1c:79:3e:e5:da:5b:ae:d6:86:ac:9e:fb:
91:c3:79:a9:c9:96:0e:a8:64:f1:42:b5:3b:4a:7a:
a1:27:95:10:77:8a:e1:2c:fd:a6:45:62:37:a1:f7:
8c:bf:82:b4:ff:92:b1:ce:2d:1f:44:2f:1e:b6:c5:
4f:97:93:57:ce:d8:de:a6:13:0d:fa:0d:37:54:5f:
13:a2:2d:15:cf:7c:3f:a5:99:a7:38:a8:13:8c:46:
c1:75:44:fa:53:2e:04:a8:eb:af:84:71:95:83:7b:
89:e1:6e:0c:80:9a:74:4a:76:fa:44:77:5b:3b:e8:
74:d0:b9:80:0b:5e:54:99:7d:52:9e:3d:77:1c:0d:
d4:04:2c:90:97:79:12:34:24:8f:30:14:ab:ec:91:
6c:52:8e:5c:b6:49:6c:4d:f1:12:64:8c:17:e4:18:
be:e5:43:a4:54:9b:09:bf:d0:67:28:82:1b:04:68:
07:b0:3a:99:75:56:5a:48:29:43:64:92:a2:51:f3:
f4:c1
Exponent: 65537 (0x10001)
生成用密码保护的公私钥
在前述章节中描述了如何生成公私钥对,但对私钥没有任何保护,一旦私钥文件泄露就没有任何安全性可言。执行如下指令生成用AES256加密算法保护的私钥文件
openssl genrsa -aes256 -out private.key 2048
会提示输入和确认密码:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
或者直接在参数中指定密码,其中123456是密码,不过这种方法不推荐
openssl genrsa -aes256 -passout pass:123456 -out private.key 2048
私钥去掉或设置密码
去掉私钥的密码
执行如下指令可从带密码的私钥文件private_aes.key生成不带密码的私钥文件private.key
openssl rsa -in private_aes.key -out private.key
会提示输入原有私钥文件的密码
Enter pass phrase for private_aes.key:
或直接在参数中指定密码,其中123456是密码
openssl rsa -in private_aes.key -passin pass:123456 -out private.key
设置私钥的密码
执行如下指令
openssl rsa -in private.key -aes256 -out private_aes.key
小结
加密是互联网数据安全的基础,openssl是一个好用且强大的工具,本章中涉及了RSA、AES加密算法,最好能了解一下这两种加密算法的区别,会有助于了理解加解密是如何工作的。
用公私钥加解密
公钥加密,私钥解密
先产生一个文本文件text.txt
echo "abcd1234" > text.txt
公钥加密数据
用公钥对text.txt加密,生成加密后的文件text.enc
openssl pkeyutl -encrypt -in text.txt -inkey public.key -pubin -out text.enc
早期的openssl版本(1.0.1e)命令不一样:
openssl rsautl -encrypt -in text.txt -inkey public.key -pubin -out text.enc
用私钥解密数据
用私钥对加密文件text.enc进行解密
openssl pkeyutl -decrypt -in text.enc -inkey private.key -out text.dec
查看text.dec文件内容,符合预期,得到了原文本
cat text.dec
abcd1234
早期的openssl版本命令不一样:
openssl rsautl -decrypt -in text.enc -inkey private.key -out text.dec
私钥签名,公钥验证
用私钥对内容进行签名
执行命令如下,生成的text.sig是一个加密文件
# generate the hash of the content
openssl sha256 -binary -out hash text.txt
# signature the hash with the private key
openssl pkeyutl -sign -inkey private.key -in hash -out sig
【Note】早期版本需用rsautl 替换 pkeyutl。
用公钥进行验证
执行如下命令,对sig进行验证
openssl pkeyutl -verify -pubin -inkey public.key -in hash -sigfile sig
其输出如下:
Signature Verified Successfully