OpenSSL Command Series

Posted by 骏马金龙


1.1 Preface to the SSL command series

The format of the openssl command is "openssl command command-options args". The command part can be any of a large number of sub-commands; because they can only be executed through the openssl binary, they are called pseudo-commands. Each pseudo-command has its own function, and you can read its usage directly with man command. To understand the openssl command, you first need to understand these pseudo-commands.

1.2 openssl, the top-level command

Below is the usage of the openssl command. The commonly used commands were shown in bold, and links to my write-ups on how to use these commands are attached at the end of the article.

[[email protected] tmp]# openssl -h
openssl:Error: -h is an invalid command.

/* Supported standard commands, i.e. part of the set of pseudo-commands */
Standard commands  
asn1parse         ca                ciphers           cms               
crl               crl2pkcs7         dgst              dh                
dhparam           dsa               dsaparam          ec                
ecparam           enc               engine            errstr            
gendh             gendsa            genpkey           genrsa            
nseq              ocsp              passwd            pkcs12            
pkcs7             pkcs8             pkey              pkeyparam         
pkeyutl           prime             rand              req               
rsa               rsautl            s_client          s_server          
s_time            sess_id           smime             speed             
spkac             ts                verify            version           
x509              

/* Digest algorithms supported when computing a fingerprint with the "dgst" command */
Message Digest commands (see the dgst command for more details)
md2               md4               md5               rmd160            
sha               sha1              

/* Symmetric cipher algorithms supported by the symmetric-encryption command "enc" */
Cipher commands (see the enc command for more details)
aes-128-cbc       aes-128-ecb       aes-192-cbc       aes-192-ecb       
aes-256-cbc       aes-256-ecb       base64            bf                
bf-cbc            bf-cfb            bf-ecb            bf-ofb            
camellia-128-cbc  camellia-128-ecb  camellia-192-cbc  camellia-192-ecb  
camellia-256-cbc  camellia-256-ecb  cast              cast-cbc          
cast5-cbc         cast5-cfb         cast5-ecb         cast5-ofb         
des               des-cbc           des-cfb           des-ecb           
des-ede           des-ede-cbc       des-ede-cfb       des-ede-ofb       
des-ede3          des-ede3-cbc      des-ede3-cfb      des-ede3-ofb      
des-ofb           des3              desx              idea              
idea-cbc          idea-cfb          idea-ecb          idea-ofb          
rc2               rc2-40-cbc        rc2-64-cbc        rc2-cbc           
rc2-cfb           rc2-ecb           rc2-ofb           rc4               
rc4-40            seed              seed-cbc          seed-cfb          
seed-ecb          seed-ofb          zlib

Below is part of the documentation from man openssl.

SYNOPSIS
       openssl command [ command_opts ] [ command_args ]

       openssl [ list-standard-commands | list-message-digest-commands | list-
       cipher-commands | list-cipher-algorithms | list-message-digest-
       algorithms | list-public-key-algorithms]

       openssl no-XXX [ arbitrary options ]

/* These pseudo-commands, list-standard-commands, list-message-digest-commands and list-cipher-commands, print the complete list of standard, message digest and cipher command names respectively.
For example, [[email protected] ~]# openssl list-standard-commands lists all supported standard commands. */

/* The pseudo-commands list-cipher-algorithms and list-message-digest-algorithms list every supported cipher and digest algorithm name, i.e. the algorithms supported by the "dgst" and "enc" commands. One entry per line; aliases are listed in the form from ==> to */

/* The pseudo-command list-public-key-algorithms lists all supported public key algorithms, i.e. asymmetric encryption algorithms */

/* The pseudo-command no-XXX tests whether a command is available: if it is, the command name XXX is printed without the no- part; if it is not, no-XXX is printed */

/* Pseudo-commands */
STANDARD COMMANDS
       asn1parse Parse an ASN.1 sequence.
       ca        Certificate Authority (CA) Management.
/* CA management */
       ciphers   Cipher Suite Description Determination.
       cms       CMS (Cryptographic Message Syntax) utility
       crl       Certificate Revocation List (CRL) Management.
/* Certificate revocation list management */
       crl2pkcs7 CRL to PKCS#7 Conversion.
       dgst      Message Digest Calculation.
/* One-way hashing: compute a message digest (fingerprint) */
       dh        Diffie-Hellman Parameter Management.  Obsoleted by dhparam.
       dhparam   Generation and Management of Diffie-Hellman Parameters.
                 Superseded by genpkey and pkeyparam
       dsa       DSA Data Management.
       dsaparam  DSA Parameter Generation and Management. Superseded by
                 genpkey and pkeyparam
       ec        EC (Elliptic curve) key processing
       ecparam   EC parameter manipulation and generation
       enc       Encoding with Ciphers.
/* Specifies the symmetric cipher; for more on symmetric encryption see man enc */
       engine    Engine (loadable module) information and manipulation.
       errstr    Error Number to Error String Conversion.
       gendh     Generation of Diffie-Hellman Parameters.  Obsoleted by
                 dhparam.
       gendsa    Generation of DSA Private Key from Parameters. Superseded by
                 genpkey and pkey
       genpkey   Generation of Private Key or Parameters.
/* Generate private keys or parameters of various types */
       genrsa    Generation of RSA Private Key. Superseded by genpkey.
/* Generate an RSA private key; superseded by genpkey */
       nseq      Create or examine a netscape certificate sequence
       ocsp      Online Certificate Status Protocol utility.
       passwd    Generation of hashed passwords.
/* Generate hashed passwords */
       pkcs12    PKCS#12 Data Management.
       pkcs7     PKCS#7 Data Management.
       pkey      Public and private key management.
/* Public and private key management tool */
       pkeyparam Public key algorithm parameter management.
       pkeyutl   Public key algorithm cryptographic operation utility.
/* Public key algorithm cryptographic operation tool */
       rand      Generate pseudo-random bytes.
/* Generate pseudo-random numbers */
       req       PKCS#10 X.509 Certificate Signing Request (CSR) Management.
/* Tool for x509 certificate signing requests */
       rsa       RSA key management.
/* RSA key management tool */
       rsautl    RSA utility for signing, verification, encryption, and
                 decryption. Superseded by  pkeyutl
       s_client  This implements a generic SSL/TLS client which can establish
                 a transparent connection to a remote server speaking SSL/TLS.
                 It’s intended for testing purposes only and provides only
                 rudimentary interface functionality but internally uses
                 mostly all functionality of the OpenSSL ssl library.
       s_server  This implements a generic SSL/TLS server which accepts
                 connections from remote clients speaking SSL/TLS. It’s
                 intended for testing purposes only and provides only
                 rudimentary interface functionality but internally uses
                 mostly all functionality of the OpenSSL ssl library.  It
                 provides both an own command line oriented protocol for
                 testing SSL functions and a simple HTTP response facility to
                 emulate an SSL/TLS-aware webserver.
       s_time    SSL Connection Timer.

       sess_id   SSL Session Data Management.
       smime     S/MIME mail processing.
       speed     Algorithm Speed Measurement.
/* Algorithm speed measurement tool */
       spkac     SPKAC printing and generating utility
       ts        Time Stamping Authority tool (client/server)
       verify    X.509 Certificate Verification.
/* Verify x509 certificates */
       version   OpenSSL Version Information.
       x509      X.509 Certificate Data Management.
/* x509 certificate data management tool */

   MESSAGE DIGEST COMMANDS
/* Algorithms supported by the "dgst" command for one-way hashing */
       md2       MD2 Digest
       md5       MD5 Digest
       mdc2      MDC2 Digest
       rmd160    RMD-160 Digest
       sha       SHA Digest
       sha1      SHA-1 Digest
       sha224    SHA-224 Digest
       sha256    SHA-256 Digest
       sha384    SHA-384 Digest
       sha512    SHA-512 Digest

   ENCODING AND CIPHER COMMANDS
/* Algorithms supported by the "enc" command for symmetric encryption */
       base64    Base64 Encoding
       bf bf-cbc bf-cfb bf-ecb bf-ofb
                 Blowfish Cipher
       cast cast-cbc
                 CAST Cipher
       cast5-cbc cast5-cfb cast5-ecb cast5-ofb
                 CAST5 Cipher
       des des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb
       des-ofb
                 DES Cipher
       des3 desx des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb
                 Triple-DES Cipher
       idea idea-cbc idea-cfb idea-ecb idea-ofb
                 IDEA Cipher
       rc2 rc2-cbc rc2-cfb rc2-ecb rc2-ofb
                 RC2 Cipher
       rc4       RC4 Cipher
       rc5 rc5-cbc rc5-cfb rc5-ecb rc5-ofb
                 RC5 Cipher

PASS PHRASE ARGUMENTS
/* Formats of the pass phrase argument */

       pass:password
                 the actual password is password. Since the password is
                 visible to utilities (like ’ps’ under Unix) this form should
                 only be used where security is not important.
       env:var   obtain the password from the environment variable var. Since
                 the environment of other processes is visible on certain
                 platforms (e.g. ps under certain Unix OSes) this option
                 should be used with caution.
       file:pathname
                 the first line of pathname is the password. If the same
                 pathname argument is supplied to -passin and -passout
                 arguments then the first line will be used for the input
                 password and the next line for the output password. pathname
                 need not refer to a regular file: it could for example refer
                 to a device or named pipe.
       fd:number read the password from the file descriptor number. This can
                 be used to send the data via a pipe for example.
       stdin     read the password from standard input.
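The pass-phrase forms above, exercised against openssl enc as an added example (this is not code from the original post). It assumes OpenSSL 1.1.1 or newer (for -pbkdf2) and constructs its own plaintext and pass-phrase file in a temporary directory; the point is that file: and fd: keep the secret out of the process argument list, while pass: does not.

```shell
#!/bin/sh
# Added example (not from the original post): one AES-256-CBC encryption
# driven by each pass-phrase form from the man page. Assumes OpenSSL >= 1.1.1.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf 'top secret payload\n' > "$WORK/plain.txt"          # constructed plaintext
printf 'correct horse battery staple\n' > "$WORK/pw.txt"   # constructed pass phrase
chmod 600 "$WORK/pw.txt"

# Encrypt plain.txt into $1, taking the pass phrase through the form given in $2.
encrypt_with() {
    openssl enc -aes-256-cbc -pbkdf2 -salt -in "$WORK/plain.txt" -out "$1" -pass "$2"
}

# Decrypt $1 to stdout using pass-phrase form $2.
decrypt_with() {
    openssl enc -d -aes-256-cbc -pbkdf2 -in "$1" -pass "$2"
}

# file:pathname -- openssl reads the first line of the file; the secret never
# appears in argv or in the environment.
roundtrip_file() {
    encrypt_with "$WORK/c_file.bin" "file:$WORK/pw.txt"
    decrypt_with "$WORK/c_file.bin" "file:$WORK/pw.txt"
}

# fd:number -- open pw.txt on descriptor 3 for the openssl process only; argv
# carries just "fd:3". The same wiring works when descriptor 3 is a pipe.
roundtrip_fd() {
    encrypt_with "$WORK/c_fd.bin" fd:3 3< "$WORK/pw.txt"
    decrypt_with "$WORK/c_fd.bin" fd:3 3< "$WORK/pw.txt"
}

# pass:password -- produces the same ciphertext format, but the pass phrase is
# visible to any local user who lists processes (e.g. ps -ef) while openssl
# runs. Included only to show what the two forms above avoid.
roundtrip_pass() {
    pw=$(head -n 1 "$WORK/pw.txt")
    encrypt_with "$WORK/c_pass.bin" "pass:$pw"
    decrypt_with "$WORK/c_pass.bin" "pass:$pw"
}

roundtrip_file && roundtrip_fd && roundtrip_pass
```

The form only changes how the secret reaches openssl, not the derived key, so a file produced under one form decrypts under any other given the same pass phrase.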

Does it look very complicated? It really isn't; there are simply a lot of pseudo-commands, and for most of them only one or two options are used regularly.
