
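OpenSSL Commands: A Complete Guide to the Algorithm Commands
Blog categories: Security; symmetric algorithms, DH, digest algorithms, elliptic curve algorithms, RSA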

程序员文章站 (Programmer Article Station) 2024-03-14 23:56:47

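I. DH algorithm (Gendh/Dhparam/Dh)

1 gendh
Function: generates DH parameters.
Usage: openssl gendh [-out file ] [-rand ] [-engine e ]
Options:
-out file  write the result to the given file; if omitted, the result is printed to the screen
-2  use 2 as the generator; this is the default
-5  use 5 as the generator
-rand  specify the random-number file
-engine e  generate using the given Engine
Example 1: print the DH parameters to the screen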
[root@localhost opensscommand]# openssl gendh
Generating DH parameters, 512 bit long safe prime, generator 2
This is going to take a long time
..........................++*++*++*++*++*++*
-----BEGIN DH PARAMETERS-----
MEYCQQD1x7k6EepYbX+TSDTsxGCA2rNxTgsFHg9nLXThBjU5hogTMfPcOGaZxJPL
W+gPiWmvCDmDa5T26Uy3lURwzrFLAgEC
-----END DH PARAMETERS-----
Example 2: write the DH parameters to the file CA_dh.pem
[root@localhost opensscommand]# openssl gendh -5 -out CA_dh.pem 1024
Generating DH parameters, 1024 bit long safe prime, generator 5
This is going to take a long time
..........................
[root@localhost opensscommand]# cat CA_dh.pem 
-----BEGIN DH PARAMETERS-----
MIGHAoGBAOOBKbr4HYu9SUHVeWkIypXKdMo4NpgNtERK6tm56CaZ1PzRQhHx/0h8
5I5qK8V40R+xmGmXcEM6mg/CEkdcMN64Q9H22aakXqhiGDVXXjbFm/i+jXmD8L98
Js1+eh5MSuebpdDoHy6T3QVa77nVvwx03+JrI0shjUc9XLH2TyMfAgEF
-----END DH PARAMETERS-----
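2 dhparam and dh
Function: dhparam is the tool for generating and manipulating DH parameters. The dh command is used in much the same way as dhparam, so only dhparam is described below.
Usage: openssl dhparam [-inform DER|PEM] [-outform DER|PEM] [-in filename] [-out filename] [-dsaparam] [-noout] [-check] [-text] [-C] [-2] [-5] [-rand file(s)] [-engine id] [numbits]
Options:
-inform DER|PEM  input file format, DER or PEM.
-outform DER|PEM  output file format, DER or PEM.
-in filename  file to read the DH parameters from; defaults to standard input.
-out filename  file to write the DH parameters to; defaults to standard output.
-dsaparam  generate DSA parameters and convert them to DH format.
-noout  do not output the parameters.
-text  print the parameters in text form.
-check  check the DH parameters.
-C  print the parameters as C code.
-2, -5  use 2 or 5 as the generator (default 2). If either is given, the input DH parameter file is ignored and new DH parameters are generated.
-rand files  random seed file(s).
-engine id  hardware engine to use.
numbits  size of the prime in bits; the default is 512.
Example 1: write the DH parameters to the file dhparam.pem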
[root@localhost opensscommand]# openssl dhparam -out dhparam.pem -text 512
Generating DH parameters, 512 bit long safe prime, generator 2
This is going to take a long time
...............................
[root@localhost opensscommand]# cat dhparam.pem 
    PKCS#3 DH Parameters: (512 bit)
        prime:
            00:8b:fa:d6:58:ab:93:69:ab:61:23:87:e4:7e:4e:
            26:8e:9b:c4:d4:03:12:56:22:ee:e7:ea:b8:e2:7a:
            d2:04:f6:f4:4f:d5:3e:11:70:63:8e:ec:d1:85:40:
            95:79:52:c5:7b:5f:06:46:19:b2:b0:35:e3:40:97:
            a0:de:c6:cf:d3
        generator: 2 (0x2)
-----BEGIN DH PARAMETERS-----
MEYCQQCL+tZYq5Npq2Ejh+R+TiaOm8TUAxJWIu7n6rjietIE9vRP1T4RcGOO7NGF
QJV5UsV7XwZGGbKwNeNAl6Dexs/TAgEC
-----END DH PARAMETERS-----
Example 2: check the generated DH parameters
[root@localhost opensscommand]# openssl dhparam -in dhparam.pem -text -check
    PKCS#3 DH Parameters: (512 bit)
        prime:
            00:8b:fa:d6:58:ab:93:69:ab:61:23:87:e4:7e:4e:
            26:8e:9b:c4:d4:03:12:56:22:ee:e7:ea:b8:e2:7a:
            d2:04:f6:f4:4f:d5:3e:11:70:63:8e:ec:d1:85:40:
            95:79:52:c5:7b:5f:06:46:19:b2:b0:35:e3:40:97:
            a0:de:c6:cf:d3
        generator: 2 (0x2)
DH parameters appear to be ok.
-----BEGIN DH PARAMETERS-----
MEYCQQCL+tZYq5Npq2Ejh+R+TiaOm8TUAxJWIu7n6rjietIE9vRP1T4RcGOO7NGF
QJV5UsV7XwZGGbKwNeNAl6Dexs/TAgEC
-----END DH PARAMETERS-----
 
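II. Digest algorithms (Dgst)
1 dgst
Function: computes message digests of data.
Usage: openssl dgst [-md5|-md4|-md2|-sha1|-sha|-mdc2|-ripemd160|-dss1 ] [-c] [-d ] [-hex] [-binary] [-out filename] [-sign filename] [-passin arg] [-verify filename] [-prverify filename]
[-signature filename ] [file...]
Options:
-d  print debugging information.
-sign privatekeyfile  sign with the private key in privatekeyfile.
-verify publickeyfile  verify the signature with the public key in publickeyfile.
-prverify privatekeyfile  verify the signature with the private key in privatekeyfile.
-keyform PEM|ENGINE  key format, PEM or Engine.
-hex  print the result as ASCII-encoded hexadecimal; this is the default.
-binary  print the result as binary data.
-engine e  use engine e for the computation.
-md5  the default; digest with md5.
-md4  digest with md4.
-md2  digest with md2.
-sha1  digest with sha1.
-sha  digest with sha.
-sha256  digest with sha256.
-sha512  digest with sha512.
-mdc2  digest with mdc2.
-ripemd160  digest with ripemd160.
Example 1: display the digest value in various forms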
[root@localhost opensscommand]# openssl dgst -hex a.txt
MD5(a.txt)= 65cf359cb255f94f9649133d6200b8b9
[root@localhost opensscommand]# openssl dgst -binary a.txt
e?.U..=b腹
[root@localhost opensscommand]# openssl dgst -hex -c a.txt
MD5(a.txt)= 65:cf:35:9c:b2:55:f9:4f:96:49:13:3d:62:00:b8:b9
Example 2: digest the file a.txt with sha512 and sign it with the private key in prikey.pem.
[root@localhost opensscommand]# openssl dgst -sign prikey.pem -sha512 -out CA_sigDgst.pem a.txt
Enter pass phrase for prikey.pem:
[root@localhost opensscommand]# cat CA_sigDgst.pem 
5$.捻?ㄩL7.?颀.`%.5?T/x??Z?
                                     .5??F?=?.p.g..?l??OS.?架I耵饷|io:&Q??'.on
                                                                                                      nAv讧?L?0.妫.
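Example 2 above produces a signature but never checks it. The following added example (not part of the original page) completes the round trip with -verify and -signature, and shows that verification is rejected when the digest option differs or the file has changed. The temporary directory, the unencrypted 2048-bit demo key and the file contents are constructed for the demo.

```shell
#!/bin/sh
# Added example: detached RSA signature with "openssl dgst", then verification.
# Key and file names are constructed and live in a temporary directory.

dgst_demo_setup() {
    DEMO_DIR=$(mktemp -d) || return 1
    # Unencrypted 2048-bit key so the demo runs without a pass-phrase prompt.
    openssl genrsa -out "$DEMO_DIR/prikey.pem" 2048 2>/dev/null || return 1
    openssl rsa -in "$DEMO_DIR/prikey.pem" -pubout \
        -out "$DEMO_DIR/pubkey.pem" 2>/dev/null || return 1
    printf 'ttest\n' > "$DEMO_DIR/a.txt"
}

# sign_file <file> <sigfile>: SHA-512 digest of <file>, signed with the private key.
sign_file() {
    openssl dgst -sha512 -sign "$DEMO_DIR/prikey.pem" -out "$2" "$1"
}

# verify_file <digest-option> <file> <sigfile>: exit status 0 only if the
# signature is valid for <file> under the public key and that digest.
verify_file() {
    openssl dgst "$1" -verify "$DEMO_DIR/pubkey.pem" -signature "$3" "$2" \
        >/dev/null 2>&1
}

# verdict <digest-option> <file> <sigfile>: prints "accepted" or "rejected".
verdict() {
    if verify_file "$@"; then echo accepted; else echo rejected; fi
}

# Signs a.txt, then verifies three ways and prints one summary line.
dgst_demo() {
    dgst_demo_setup || return 1
    sign_file "$DEMO_DIR/a.txt" "$DEMO_DIR/a.sig" || return 1
    v1=$(verdict -sha512 "$DEMO_DIR/a.txt" "$DEMO_DIR/a.sig")
    # Same file and signature, but the verifier hashes with a different digest.
    v2=$(verdict -sha256 "$DEMO_DIR/a.txt" "$DEMO_DIR/a.sig")
    # Append one byte to the signed file.
    printf 'X' >> "$DEMO_DIR/a.txt"
    v3=$(verdict -sha512 "$DEMO_DIR/a.txt" "$DEMO_DIR/a.sig")
    rm -rf "$DEMO_DIR"
    echo "original=$v1 wrong-digest=$v2 tampered=$v3"
}

dgst_demo
```

Only the public key is needed on the verifying side, so prikey.pem never has to leave the signer.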
III. RSA (Genrsa/Rsa/Rsautl)
1 Genrsa
Function: generates an RSA key.
Usage: openssl genrsa [-out filename] [-passout arg] [-des3] [-rand files] [-engine id] [numbits]
Options:
-des/des3/idea/aes128/aes192/aes256  encrypt the key with des/des3/idea/aes128/aes192/aes256
-out file  output file
-f4/3  set the public exponent E to F4 or 3
-rand file  random seed file
numbits  key length; the default is 512
Example 1: generate the key file CA_rsa_key.pem and encrypt it with aes256.
openssl genrsa -aes256 -out CA_rsa_key.pem -f4 1024  
[root@localhost ~]# openssl genrsa -aes256 -out CA_rsa_key.pem -f4 1024
Generating RSA private key, 1024 bit long modulus
............++++++
.......................++++++
e is 65537 (0x10001)
Enter pass phrase for CA_rsa_key.pem:
Verifying - Enter pass phrase for CA_rsa_key.pem:
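The keys generated on this page are 1024 bits, and the documented default is 512; both are below the 2048-bit minimum that current guidance expects for RSA. The following added example (not part of the original page) audits a key file by reading its modulus with openssl rsa -modulus; the 2048-bit threshold and all file names are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: report the RSA modulus size and flag keys below a minimum.
# MIN_RSA_BITS=2048 is an assumed policy threshold, not a value from the page.
MIN_RSA_BITS=2048

# rsa_bits <private-key.pem>: modulus size in bits, from "openssl rsa -modulus".
# The hex string carries no leading zeros, so the result is rounded up to a
# multiple of 4. For a pass-phrase protected key, add a -passin argument.
rsa_bits() {
    mod=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
    mod=${mod#Modulus=}
    echo $(( ${#mod} * 4 ))
}

# audit_rsa_key <key.pem>: prints "WEAK <bits>" (status 1), "OK <bits>"
# (status 0) or "UNREADABLE" (status 2).
audit_rsa_key() {
    bits=$(rsa_bits "$1") || { echo "UNREADABLE"; return 2; }
    if [ "$bits" -lt "$MIN_RSA_BITS" ]; then
        echo "WEAK $bits"
        return 1
    fi
    echo "OK $bits"
}

# Generates one key of each size in a temporary directory and audits both.
rsa_audit_demo() {
    dir=$(mktemp -d) || return 1
    openssl genrsa -out "$dir/key1024.pem" 1024 2>/dev/null || return 1
    openssl genrsa -out "$dir/key2048.pem" 2048 2>/dev/null || return 1
    echo "key1024: $(audit_rsa_key "$dir/key1024.pem")"
    echo "key2048: $(audit_rsa_key "$dir/key2048.pem")"
    rm -rf "$dir"
}

rsa_audit_demo
```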
2 Rsa
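Function: processes RSA keys, converts between formats and prints key information.
Usage: openssl rsa [-inform PEM|NET|DER] [-outform PEM|NET|DER] [-in filename] [-passin arg] [-out filename] [-passout arg] [-sgckey] [-des] [-des3]
[-idea] [-text] [-noout] [-modulus] [-check] [-pubin] [-pubout] [-engine id]
Options:
-inform DER|PEM|NET  input format; NET is a less secure format compatible with older Netscape servers and Microsoft IIS.
-outform DER|PEM|NET  output format.
-in filename  input file name.
-passin arg  source of the pass phrase protecting the private key, e.g. -passin file:pwd.txt.
-out filename  output file name.
-des|-des3|-idea  encryption algorithm used to protect the private key.
-text  print the key information.
-noout  do not print the key.
-modulus  print the key modulus.
-pubin  the input file is a public key; by default the input file is a private key.
-pubout  the output file is a public key.
-check  check the RSA private key.
-engine id  hardware engine to use.
Example 1: generate the plaintext private key file key.pem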
[root@localhost opensscommand]# openssl genrsa -out key.pem
Generating RSA private key, 1024 bit long modulus
.++++++
..............++++++
e is 65537 (0x10001)
Example 2: convert to the DER-encoded file key.der
[root@localhost opensscommand]# openssl rsa -in key.pem -outform der -out key.der
writing RSA key
Example 3: put the plaintext private key under pass-phrase protection and write it to enckey.pem
[root@localhost opensscommand]# openssl rsa -inform der -in key.der -des3 -out enckey.pem
writing RSA key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Example 4: write the public key to the file pubkey.pem
[root@localhost opensscommand]# openssl rsa -in key.pem -pubout -out pubkey.pem
writing RSA key
Example 5: print the public key information to the screen:
[root@localhost opensscommand]# openssl rsa -pubin -in pubkey.pem -text -modulus
Public-Key: (1024 bit)
Modulus:
    00:cd:93:d9:08:ca:97:2e:5a:91:3a:b8:33:7f:1f:
    84:8e:ba:16:94:ac:97:ce:b6:f5:57:5d:96:d3:fd:
    1f:2f:fb:32:6b:0e:cf:82:45:77:70:12:75:56:8c:
    79:a2:62:fe:07:e0:6c:8c:01:3a:41:a4:49:49:29:
    fa:51:1a:cc:b3:8c:f7:1f:17:c1:b3:46:09:13:ee:
    f6:1d:bc:3c:45:88:ca:5b:43:d2:18:b5:de:b9:61:
    ad:b5:d4:ca:d9:1b:02:1c:88:9f:aa:07:a8:e9:9c:
    27:46:e7:88:8d:02:3d:cb:62:91:e4:43:46:60:ac:
    87:66:29:8f:4e:36:85:cf:bd
Exponent: 65537 (0x10001)
Modulus=CD93D908CA972E5A913AB8337F1F848EBA1694AC97CEB6F5575D96D3FD1F2FFB326B0ECF824577701275568C79A262FE07E06C8C013A41A4494929FA511ACCB38CF71F17C1B3460913EEF61DBC3C4588CA5B43D218B5DEB961ADB5D4CAD91B021C889FAA07A8E99C2746E7888D023DCB6291E4434660AC8766298F4E3685CFBD
writing RSA key
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDNk9kIypcuWpE6uDN/H4SOuhaU
rJfOtvVXXZbT/R8v+zJrDs+CRXdwEnVWjHmiYv4H4GyMATpBpElJKfpRGsyzjPcf
F8GzRgkT7vYdvDxFiMpbQ9IYtd65Ya211MrZGwIciJ+qB6jpnCdG54iNAj3LYpHk
Q0ZgrIdmKY9ONoXPvQIDAQAB
-----END PUBLIC KEY-----
Example 6: display the private key information
[root@localhost opensscommand]# openssl rsa -in enckey.pem
Enter pass phrase for enckey.pem:
writing RSA key
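3 Rsautl
Function: rsautl is the RSA utility; it can sign, verify, encrypt and decrypt data with the RSA algorithm.
Usage: openssl rsautl [-in file] [-out file] [-inkey file] [-pubin] [-certin] [-sign] [-verify] [-encrypt] [-decrypt]
[-pkcs] [-ssl] [-raw] [-hexdump] [-engine e] [-passin arg]
Options:
-in filename  input file name; defaults to standard input.
-out filename  output file name; defaults to standard output.
-inkey file  input private key file name.
-pubin  the input is a public key file; by default the input is a private key file.
-certin  the input is a certificate file.
-sign  sign the input data.
-verify  verify the input data.
-encrypt  encrypt the input data with the public key.
-decrypt  decrypt the input data with the private key.
-pkcs, -oaep, -ssl, -raw  padding mode; the four values mean PKCS#1 v1.5 (the default), PKCS#1 OAEP, SSLv2 and no padding, respectively.
-hexdump  output the data in hexadecimal.
-engine e  hardware engine to use.
-passin arg  source of the pass phrase protecting the private key, e.g. -passin file:pwd.txt.
Example 1: generate the RSA key file prikey.pem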
[root@localhost opensscommand]# openssl genrsa -des3 -out prikey.pem
Generating RSA private key, 1024 bit long modulus
..........................++++++
...........++++++
e is 65537 (0x10001)
Enter pass phrase for prikey.pem:
Verifying - Enter pass phrase for prikey.pem:
Example 2: extract the public key into the file pubkey.pem
[root@localhost opensscommand]# openssl rsa -in prikey.pem -pubout -out pubkey.pem
Enter pass phrase for prikey.pem:
writing RSA key
Example 3: sign the file a.txt and print the signature to the screen
[root@localhost opensscommand]# openssl rsautl -sign -inkey prikey.pem -in a.txt -hexdump
Enter pass phrase for prikey.pem:
0000 - 0c 71 0b a2 d3 37 ee 96-15 b5 ae fe 78 66 06 84   .q...7......xf..
0010 - bb bb a6 15 5c 97 cd 3a-62 b3 ec 5a a2 10 e1 43   ....\..:b..Z...C
0020 - 45 8a 19 b0 d7 dd 42 3c-9d 6f d2 96 e4 22 99 89   E.....B<.o..."..
0030 - 5c 26 3f a8 e1 bb eb f8-1f 75 48 0d a4 20 b2 5e   \&?......uH.. .^
0040 - fc 04 06 5d 9b 1b 6f 36-88 26 ab 05 fa 0f 91 c2   ...]..o6.&......
0050 - 2c e9 aa cd d7 e5 52 98-f3 d3 27 91 e9 a0 ed 25   ,.....R...'....%
0060 - 78 bc e4 a9 52 9c df 1f-c5 ff 6c 8f 88 8b e2 8d   x...R.....l.....
0070 - cf 30 4e 0e 55 38 51 3a-ea 35 51 07 87 bf e1 d9   .0N.U8Q:.5Q.....
Example 4: sign the file a.txt; the signature file is sig.dat
[root@localhost opensscommand]# openssl rsautl -sign -inkey prikey.pem -in a.txt -out sig.dat
Enter pass phrase for prikey.pem:
Example 5: verify the signature
[root@localhost opensscommand]# openssl rsautl -verify -inkey prikey.pem -in sig.dat
Enter pass phrase for prikey.pem:
ttest
Example 6: encrypt a.txt with the public key; the encrypted file is b.txt
[root@localhost opensscommand]# openssl rsautl -encrypt -pubin -inkey pubkey.pem -in a.txt -out b.txt
Example 7: decrypt b.txt with the private key
[root@localhost opensscommand]# openssl rsautl -decrypt -inkey prikey.pem -in b.txt
Enter pass phrase for prikey.pem:
ttest
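IV. Elliptic curve algorithms (Ecparam/Ec)
1 ecparam
Function: generates and manipulates elliptic-curve key parameters.
Usage: openssl ecparam [-inform DER|PEM] [-outform DER|PEM] [-in filename] [-out filename] [-noout] [-text] [-C]
[-check] [-name arg] [-list_curves] [-conv_form arg] [-param_enc arg] [-no_seed] [-rand file(s)] [-genkey] [-engine id]
Options:
-inform DER|PEM  input file format.
-outform DER|PEM  output file format.
-in filename  input file.
-out filename  output file.
-noout  do not print the parameters.
-text  print the parameters in text form.
-C  print the parameters as C code.
-check  check the parameters.
-name arg  use the curve with the given short name.
-list_curves  print all available short names.
-conv_form arg  how the point is stored: compressed, uncompressed or hybrid; the default is compressed.
-param_enc arg  parameter encoding method: named_curve or explicit; the default is named_curve.
-no_seed  when -param_enc selects explicit encoding, do not include the random seed.
-rand file(s)  random seed file(s).
-genkey  generate a key.
-engine id  hardware engine to use.
Example 1: print all available short names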
[root@localhost opensscommand]# openssl ecparam -list_curves
  secp384r1 : NIST/SECG curve over a 384 bit prime field
  secp521r1 : NIST/SECG curve over a 521 bit prime field
  prime256v1: X9.62/SECG curve over a 256 bit prime field
Example 2: generate an elliptic-curve key and print it to the screen
[root@localhost opensscommand]# openssl ecparam -name secp384r1 -genkey -text
ASN1 OID: secp384r1
-----BEGIN EC PARAMETERS-----
BgUrgQQAIg==
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
MIGkAgEBBDDbMZ0LbFJsV04INQaDc5wJtXa83yCnu84BO/lDzeRi7l2Ce1xQu0qU
J4nktlZ1CDSgBwYFK4EEACKhZANiAARbG35i5AdcJ1ciCfbuH0VmTndhCFaL2AuN
wacjBxgExyc82U9efp6BmaWIBYwMIyZSkzfj2mZkKJvQXWfKPiKqXXJ37TeLIvgA
fMMCxFkiLkuJjL5m6an0d6JSDKGh5AE=
-----END EC PRIVATE KEY-----
Example 3: generate elliptic-curve key parameters and write them to secp384.pem
[root@localhost opensscommand]# openssl ecparam -name secp384r1 -out secp384.pem
Example 4: generate a new key from the parameter file
[root@localhost opensscommand]# openssl req -newkey ec:secp384.pem
Generating a 384 bit EC private key
writing new private key to 'privkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:ch
State or Province Name (full name) []:sd
Locality Name (eg, city) [Default City]:weiruan
Organization Name (eg, company) [Default Company Ltd]:re
Organizational Unit Name (eg, section) []:er
Common Name (eg, your name or your server's hostname) []:df
Email Address []:fd
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:df
string is too short, it needs to be at least 4 bytes long
A challenge password []:dfdf
An optional company name []:df
2 ec
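Function: elliptic-curve key processing tool.
Usage: openssl ec [-inform PEM|DER] [-outform PEM|DER] [-in filename] [-passin arg] [-out filename] [-passout arg]
[-des] [-des3] [-idea] [-text] [-noout] [-param_out] [-pubin] [-pubout] [-conv_form arg] [-param_enc arg] [-engine id]
Options:
-inform PEM|DER  input file format.
-outform PEM|DER  output file format.
-in filename  input file name.
-passin arg  source of the pass phrase protecting the private key.
-out filename  output file name.
-passout arg  source of the pass phrase protecting the output file.
-des, -des3, -idea  algorithm used to protect the private key.
-noout  do not output the key.
-param_out  output the parameters.
-pubin  the input is a public key.
-pubout  output the public key.
-conv_form arg  how the point is stored: compressed, uncompressed or hybrid; the default is compressed.
-param_enc arg  parameter encoding method: named_curve or explicit; the default is named_curve.
-engine id  hardware engine to use.
Example 1: generate an EC private key and write it to the file eckey.pem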
[root@localhost opensscommand]# openssl ecparam -genkey -name secp384r1 -out eckey.pem -text
Example 2: convert to DER encoding, written to eckey.der
[root@localhost opensscommand]# openssl ec -outform der -in eckey.pem -out eckey.der
read EC key
writing EC key
Example 3: protect the private key eckey.pem with a pass phrase and write it to the file enceckey.pem
[root@localhost opensscommand]# openssl ec -in eckey.pem -des -out enceckey.pem
read EC key
writing EC key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase: 
Example 4: write the public key to the file ecpubkey.pem
[root@localhost opensscommand]# openssl ec -in eckey.pem -pubout -out ecpubkey.pem
read EC key
writing EC key
Example 5: display the key information
[root@localhost opensscommand]# openssl ec -in eckey.pem -text
read EC key
Private-Key: (384 bit)
priv:
    54:23:d8:0a:c8:4c:d9:f1:48:2e:05:33:e5:9c:eb:
    26:14:93:b0:49:f0:78:85:32:ce:09:bd:ec:02:13:
    95:f1:e5:45:57:91:42:95:79:ca:8c:67:3b:bc:bb:
    10:4c:cd
pub: 
    04:48:d3:7e:5d:40:37:56:81:2c:20:f6:b6:3e:51:
    a2:f4:25:d5:e8:c0:a4:6b:bf:ed:18:1d:19:58:37:
    e8:c6:10:49:c7:66:bc:d0:4e:06:ec:cc:4a:a9:4d:
    a8:3c:80:e5:61:5c:b7:d9:1a:84:94:be:84:0b:83:
    d4:35:77:61:5d:cf:bd:27:1b:30:d7:d1:85:d3:38:
    5b:8b:72:d6:e1:f8:f0:cc:2e:04:70:29:70:44:7a:
    bf:35:12:49:24:11:a0
ASN1 OID: secp384r1
writing EC key
-----BEGIN EC PRIVATE KEY-----
MIGkAgEBBDBUI9gKyEzZ8UguBTPlnOsmFJOwSfB4hTLOCb3sAhOV8eVFV5FClXnK
jGc7vLsQTM2gBwYFK4EEACKhZANiAARI035dQDdWgSwg9rY+UaL0JdXowKRrv+0Y
HRlYN+jGEEnHZrzQTgbszEqpTag8gOVhXLfZGoSUvoQLg9Q1d2Fdz70nGzDX0YXT
OFuLctbh+PDMLgRwKXBEer81EkkkEaA=
-----END EC PRIVATE KEY-----
Example 6: display the public key information
[root@localhost opensscommand]# openssl ec -in ecpubkey.pem -pubin -text
read EC key
Private-Key: (384 bit)
pub: 
    04:48:d3:7e:5d:40:37:56:81:2c:20:f6:b6:3e:51:
    a2:f4:25:d5:e8:c0:a4:6b:bf:ed:18:1d:19:58:37:
    e8:c6:10:49:c7:66:bc:d0:4e:06:ec:cc:4a:a9:4d:
    a8:3c:80:e5:61:5c:b7:d9:1a:84:94:be:84:0b:83:
    d4:35:77:61:5d:cf:bd:27:1b:30:d7:d1:85:d3:38:
    5b:8b:72:d6:e1:f8:f0:cc:2e:04:70:29:70:44:7a:
    bf:35:12:49:24:11:a0
ASN1 OID: secp384r1
writing EC key
-----BEGIN PUBLIC KEY-----
MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAESNN+XUA3VoEsIPa2PlGi9CXV6MCka7/t
GB0ZWDfoxhBJx2a80E4G7MxKqU2oPIDlYVy32RqElL6EC4PUNXdhXc+9Jxsw19GF
0zhbi3LW4fjwzC4EcClwRHq/NRJJJBGg
-----END PUBLIC KEY-----
Example 7: convert to the PKCS#8 format file eckeypk8.pem
[root@localhost opensscommand]# openssl pkcs8 -topk8 -in eckey.pem -out eckeypk8.pem
Enter Encryption Password:
Verifying - Enter Encryption Password:
 
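V. DSA algorithm (Dsa/Dsaparam/Gendsa)
1 dsa
Function: the dsa command processes DSA keys, converts between formats and prints key information.
Usage: openssl dsa [-inform PEM|DER] [-outform PEM|DER] [-in filename]
       [-passin arg] [-out filename] [-passout arg] [-des] [-des3] [-idea]
       [-text] [-noout] [-modulus] [-engine id]
Options:
-inform  input DSA key format, PEM or DER.
-outform  output file format, PEM or DER.
-in filename  input DSA key file name.
-passin arg  where the private key's pass phrase is stored. For example, the user can write the pass phrase protecting the private key to a file and name that file with this option, which avoids typing the pass phrase interactively. If the pass phrase is written to the file "pwd.txt", the argument is: -passin file:pwd.txt.
-out filename  output file name.
-passout arg  where the pass phrase protecting the output file is stored.
-des -des3 -idea  encryption algorithm used to protect the private key.
-text  print all information.
-noout  do not print the key.
-modulus  print the public key value.
-engine id  engine to use.
Example 1: generate a DSA parameter file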
 
[root@localhost opensscommand]# openssl dsaparam -out dsaparam.pem 1024
Generating DSA parameters, 1024 bit long prime
This could take some time
.......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*
..+..+......+..+...+................+.+....+........+....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*
Example 2: generate the DSA key dsakey.pem from the DSA parameter file
 
[root@localhost opensscommand]# openssl gendsa -out dsakey.pem dsaparam.pem
Generating DSA key, 1024 bits
Example 3: convert the PEM key to a DER key:
 
[root@localhost opensscommand]# openssl dsa -in dsakey.pem -outform DER -out dsakeyder.pem
read DSA key
writing DSA key
Example 4: print the key modulus:
 
[root@localhost opensscommand]# openssl dsa -in dsakey.pem -modulus
read DSA key
Public Key=60CF98F7AED1CF716EDB67F2D366F8E9F10187D53BFD737D01B9ADDA768BE94CDC12DD2E8F66533F9C1BF1FF4515752077ECEB574C90262B4B7776B08E6D97B6BC40CB643D4A1FE1891CB131C7F4C772416D38A040F29760ECB1242B6C7BB8DCF5E672D8B3296971C194268D84D48DB65F2D09C90BD472DC24372C76E7C5B096
writing DSA key
Example 5: print all information:
 
[root@localhost opensscommand]# openssl dsa -in dsakey.pem -text
read DSA key
Private-Key: (1024 bit)
priv:
    7f:fe:08:1c:a6:60:45:6c:5f:73:cf:e1:ab:8c:61:
    15:8c:e7:4c:69
pub: 
    60:cf:98:f7:ae:d1:cf:71:6e:db:67:f2:d3:66:f8:
    e9:f1:01:87:d5:3b:fd:73:7d:01:b9:ad:da:76:8b:
    e9:4c:dc:12:dd:2e:8f:66:53:3f:9c:1b:f1:ff:45:
    15:75:20:77:ec:eb:57:4c:90:26:2b:4b:77:76:b0:
    8e:6d:97:b6:bc:40:cb:64:3d:4a:1f:e1:89:1c:b1:
    31:c7:f4:c7:72:41:6d:38:a0:40:f2:97:60:ec:b1:
    24:2b:6c:7b:b8:dc:f5:e6:72:d8:b3:29:69:71:c1:
    94:26:8d:84:d4:8d:b6:5f:2d:09:c9:0b:d4:72:dc:
    24:37:2c:76:e7:c5:b0:96
P:   
    00:cc:78:9a:c0:b2:45:20:98:ff:9f:9d:6c:0a:c7:
    13:00:18:9d:9b:ad:b2:b4:0d:f4:99:51:41:2d:86:
    b2:31:a5:e5:c7:7f:14:52:8d:0b:b4:ff:3a:2a:43:
    9f:7e:af:b9:f7:4f:cc:40:e2:94:b8:b3:52:f3:e3:
    8d:13:53:aa:76:fd:c6:87:d9:27:31:4d:4d:2a:4e:
    10:e2:b4:68:f6:a7:e8:b8:54:33:10:b9:c4:7a:35:
    01:33:6a:56:7d:11:c5:9f:35:87:73:ac:f0:76:87:
    6c:34:54:f1:e8:1b:28:c1:2f:cd:e9:dd:ff:86:a5:
    85:05:e3:46:d1:2f:2e:63:f1
Q:   
    00:f4:dd:f0:d9:28:ae:c6:b8:65:8c:76:d5:60:34:
    5f:2c:43:82:5d:ef
G:   
    00:af:e5:fd:86:30:08:59:0e:9b:a4:14:ae:3c:cc:
    5c:07:2c:f9:ea:1b:ac:0f:51:55:36:32:8f:8d:88:
    f1:6d:34:09:e9:cc:47:e4:f7:92:82:44:f0:bd:b2:
    39:95:2f:a8:8c:2e:a8:fd:3a:15:51:b1:8d:a5:45:
    99:27:b8:3e:c1:e5:ad:00:a2:be:66:7e:d3:7f:2c:
    1c:b0:d7:c8:09:19:4d:85:dc:e3:4d:55:38:d4:c5:
    a1:57:79:1f:19:bb:4b:72:ad:5a:48:2e:2c:37:37:
    f0:38:df:39:bc:ab:e6:c5:cf:2b:9a:24:9c:c8:10:
    f7:a8:2d:90:64:2b:20:97:79
writing DSA key
Example 6: store the DSA key in encrypted form:
 
[root@localhost opensscommand]# openssl dsa -in dsakey.pem -des -out enckey.pem
read DSA key
writing DSA key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
 
2 dsaparam
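Function: the dsaparam command generates and manipulates DSA parameters.
Usage: openssl dsaparam [-inform DER|PEM] [-outform DER|PEM] [-in filename ] [-out filename] [-noout] [-text] [-C] [-rand file(s)] [-genkey] [-engine id] [numbits]
Options:
-inform DER|PEM  input file format.
-outform DER|PEM  output file format.
-in filename  input file name.
-out filename  output file name.
-noout  do not print the parameters.
-text  print the parameters in text form.
-C  print the parameters as C code.
-rand file(s)  random seed file(s); separate multiple files with colons.
-genkey  generate a DSA key.
-engine id  hardware engine to use.
numbits  key size to use when generating the key.
Example 1: generate a DSA key: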
[root@localhost opensscommand]# openssl dsaparam -genkey 512 -out dsa.pem
Generating DSA parameters, 512 bit long prime
This could take some time
......+......+....+....+.+............+...+..+....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*
......+.................+........+......+.........+....+.................+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*
Example 2: print the key information:
[root@localhost opensscommand]# openssl dsaparam -in dsa.pem -text
    P:   
        00:d8:97:81:90:47:40:60:c9:fd:bb:09:db:15:4f:
        04:19:91:61:c2:17:e2:c3:c7:1f:73:48:b6:01:4f:
        d5:22:16:56:09:98:65:1d:2b:5b:e9:5e:e3:d9:41:
        cf:61:ae:26:d7:9c:42:08:4f:05:3c:22:94:cc:2d:
        d0:8b:34:0c:87
    Q:   
        00:d5:ed:e2:9e:52:2d:54:28:e5:ab:14:11:76:70:
        ca:c1:87:bf:0a:05
    G:   
        50:8b:3f:49:e6:05:7f:20:73:bf:4f:7b:8c:a5:29:
        91:c2:79:fa:13:06:12:e4:cc:4b:9d:9e:95:8b:23:
        7b:a6:65:a8:79:63:d6:03:19:3e:22:08:ec:4c:29:
        ff:c9:40:a8:09:db:67:d6:b7:de:db:1a:a8:9e:ff:
        98:ca:c4:e1
-----BEGIN DSA PARAMETERS-----
MIGcAkEA2JeBkEdAYMn9uwnbFU8EGZFhwhfiw8cfc0i2AU/VIhZWCZhlHStb6V7j
2UHPYa4m15xCCE8FPCKUzC3QizQMhwIVANXt4p5SLVQo5asUEXZwysGHvwoFAkBQ
iz9J5gV/IHO/T3uMpSmRwnn6EwYS5MxLnZ6ViyN7pmWoeWPWAxk+IgjsTCn/yUCo
Cdtn1rfe2xqonv+YysTh
-----END DSA PARAMETERS-----
[root@localhost opensscommand]# openssl dsaparam -in dsa.pem -C
static unsigned char dsa512_p[]={
0xD8,0x97,0x81,0x90,0x47,0x40,0x60,0xC9,0xFD,0xBB,0x09,0xDB,
0x15,0x4F,0x04,0x19,0x91,0x61,0xC2,0x17,0xE2,0xC3,0xC7,0x1F,
0x73,0x48,0xB6,0x01,0x4F,0xD5,0x22,0x16,0x56,0x09,0x98,0x65,
0x1D,0x2B,0x5B,0xE9,0x5E,0xE3,0xD9,0x41,0xCF,0x61,0xAE,0x26,
0xD7,0x9C,0x42,0x08,0x4F,0x05,0x3C,0x22,0x94,0xCC,0x2D,0xD0,
0x8B,0x34,0x0C,0x87,
};
static unsigned char dsa512_q[]={
0xD5,0xED,0xE2,0x9E,0x52,0x2D,0x54,0x28,0xE5,0xAB,0x14,0x11,
0x76,0x70,0xCA,0xC1,0x87,0xBF,0x0A,0x05,
};
static unsigned char dsa512_g[]={
0x50,0x8B,0x3F,0x49,0xE6,0x05,0x7F,0x20,0x73,0xBF,0x4F,0x7B,
0x8C,0xA5,0x29,0x91,0xC2,0x79,0xFA,0x13,0x06,0x12,0xE4,0xCC,
0x4B,0x9D,0x9E,0x95,0x8B,0x23,0x7B,0xA6,0x65,0xA8,0x79,0x63,
0xD6,0x03,0x19,0x3E,0x22,0x08,0xEC,0x4C,0x29,0xFF,0xC9,0x40,
0xA8,0x09,0xDB,0x67,0xD6,0xB7,0xDE,0xDB,0x1A,0xA8,0x9E,0xFF,
0x98,0xCA,0xC4,0xE1,
};
 
DSA *get_dsa512()
{
DSA *dsa;
 
if ((dsa=DSA_new()) == NULL) return(NULL);
dsa->p=BN_bin2bn(dsa512_p,sizeof(dsa512_p),NULL);
dsa->q=BN_bin2bn(dsa512_q,sizeof(dsa512_q),NULL);
dsa->g=BN_bin2bn(dsa512_g,sizeof(dsa512_g),NULL);
if ((dsa->p == NULL) || (dsa->q == NULL) || (dsa->g == NULL))
{ DSA_free(dsa); return(NULL); }
return(dsa);
}
-----BEGIN DSA PARAMETERS-----
MIGcAkEA2JeBkEdAYMn9uwnbFU8EGZFhwhfiw8cfc0i2AU/VIhZWCZhlHStb6V7j
2UHPYa4m15xCCE8FPCKUzC3QizQMhwIVANXt4p5SLVQo5asUEXZwysGHvwoFAkBQ
iz9J5gV/IHO/T3uMpSmRwnn6EwYS5MxLnZ6ViyN7pmWoeWPWAxk+IgjsTCn/yUCo
Cdtn1rfe2xqonv+YysTh
-----END DSA PARAMETERS-----
3 gendsa
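Function: gendsa generates a DSA key from DSA key parameters; the parameters can be generated with the dsaparam command.
Usage: openssl gendsa [-out filename] [-des] [-des3] [-idea] [-rand file(s)] [-engine id] [paramfile]
Options:
-out filename  output file.
-des|-des3|-idea|-aes128|-aes192|-aes256  algorithm used to protect the private key with a pass phrase; if none is given, the private key is stored in plaintext.
-rand file(s)  random seed file(s); separate multiple files with colons.
-engine id  hardware engine to use.
paramfile  DSA key parameter file to use.
Example 1: generate DSA parameters: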
[root@localhost opensscommand]# openssl dsaparam -genkey 512 -out dsaparam.pem
Generating DSA parameters, 512 bit long prime
This could take some time
...+..+..+......+.....................+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*
...................+...+.............+........+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*
Example 2: generate a DSA key:
[root@localhost opensscommand]# openssl gendsa -des3 -out encdsa.pem dsaparam.pem
Generating DSA key, 512 bits
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
 
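VI. Symmetric algorithms (Enc)
1 Enc
Function: symmetric encryption and decryption tool; it can also perform base64 encoding and decoding.
Usage: openssl enc -ciphername [-in filename] [-pass arg] [-bufsize number] [-nopad] [-kfile filename] [-e] [-d] [-a] [-A] [-p] [-P] [-debug]
Parameters:
-ciphername  name of the symmetric algorithm
-pass arg  source of the password;
-e  encrypt
-d  decrypt
-a  base64-encode after encryption, or base64-decode before decryption;
-p  print the salt, key and initialization vector (IV) used;
-P  same as -p, but without performing any encryption or decryption;
-bufsize  set the I/O buffer size;
-debug  print debugging information;
Example 1: encrypt a.txt and store the ciphertext in b.txt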
 
[root@localhost opensscommand]# openssl enc -des3 -e -in a.txt -out b.txt
enter des-ede3-cbc encryption password:
Verifying - enter des-ede3-cbc encryption password:
[root@localhost opensscommand]# cat b.txt
Salted__+.聆?.L~?.m
Example 2: decrypt b.txt and store the decrypted file in c.txt
[root@localhost opensscommand]# openssl enc -des3 -d -in b.txt -out c.txt
enter des-ede3-cbc decryption password:
[root@localhost opensscommand]# cat c.txt
ttest
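The two enc examples above type the password interactively and use des3. The following added example (not part of the original page) runs the same encrypt and decrypt round trip non-interactively with -pass file:, checks the "Salted__" header seen in b.txt, and confirms recovery by comparing the output with the original, because enc does not authenticate the ciphertext and a failed padding check is not a reliable wrong-password signal. It assumes OpenSSL 1.1.1 or later for -pbkdf2 and -iter, which the page does not list; the cipher, iteration count, pass phrases and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example: password-based file encryption with "openssl enc".
# Cipher, iteration count, pass phrases and file names are demo assumptions.

enc_demo_setup() {
    ENC_DIR=$(mktemp -d) || return 1
    printf 'ttest\n' > "$ENC_DIR/a.txt"
    # Pass phrases are read with -pass file:, so they never appear on the
    # command line, in the process list or in shell history.
    printf 'correct horse battery staple\n' > "$ENC_DIR/pw.txt"
    printf 'not the pass phrase\n' > "$ENC_DIR/wrong.txt"
}

# encrypt_file <in> <out> <passfile>: salted AES-256-CBC, key derived by PBKDF2.
encrypt_file() {
    openssl enc -aes-256-cbc -e -salt -pbkdf2 -iter 100000 \
        -in "$1" -out "$2" -pass "file:$3"
}

# decrypt_matches <enc> <passfile> <original>: succeeds only if decryption
# completes AND the recovered bytes equal the original file.
decrypt_matches() {
    openssl enc -aes-256-cbc -d -pbkdf2 -iter 100000 \
        -in "$1" -out "$1.dec" -pass "file:$2" 2>/dev/null || return 1
    cmp -s "$1.dec" "$3"
}

# has_salt_header <enc>: true when the file starts with the 8 bytes "Salted__".
has_salt_header() {
    [ "$(head -c 8 "$1")" = "Salted__" ]
}

# Encrypts a.txt, then reports header, size and both decryption attempts.
enc_demo() {
    enc_demo_setup || return 1
    encrypt_file "$ENC_DIR/a.txt" "$ENC_DIR/b.txt" "$ENC_DIR/pw.txt" || return 1
    if has_salt_header "$ENC_DIR/b.txt"; then h=salted; else h=unsalted; fi
    # 8-byte magic + 8-byte salt + one padded 16-byte AES block
    n=$(( $(wc -c < "$ENC_DIR/b.txt") ))
    if decrypt_matches "$ENC_DIR/b.txt" "$ENC_DIR/pw.txt" "$ENC_DIR/a.txt"
    then r=recovered; else r=not-recovered; fi
    if decrypt_matches "$ENC_DIR/b.txt" "$ENC_DIR/wrong.txt" "$ENC_DIR/a.txt"
    then w=recovered; else w=not-recovered; fi
    rm -rf "$ENC_DIR"
    echo "header=$h bytes=$n right=$r wrong=$w"
}

enc_demo
```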