亿景网站建设wordpress 菜单 页面跳转

openssl命令行整理

概述

将资料上的openssl命令行整理一下

笔记

运行openssl命令行的环境脚本

@echo off
rem \file my_openssl_env_cmd.cmdset OPENSSL=.\openssl
set OPENSSL_CONF=.\openssl.cnfcmd

openssl 帮助重定向到文件

openssl help > openssl_help.txt 2>&1

查看openssl版本的全部信息

D:\my_dev\my_local_git_prj\study\openSSL\certs>openssl version -a
OpenSSL 3.2.0 23 Nov 2023 (Library: OpenSSL 3.2.0 23 Nov 2023)
built on: Sun Jan  7 04:30:29 2024 UTC
platform: VC-WIN64A
options:  bn(64,64)
compiler: cl  /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"
OPENSSLDIR: "C:\openssl_3d2\common"
ENGINESDIR: "C:\openssl_3d2\lib\engines-3"
MODULESDIR: "C:\openssl_3d2\lib\ossl-modules"
Seeding source: os-specific
CPUINFO: OPENSSL_ia32cap=0x7ffaf3ffffebffff:0x18c07fcef3bfa7eb

这个命令可以看到openssl编译时的全部选项, openssl运行时的环境变量, 非常有用.

openssl help

openssl提供了一组干活的功能, 用help查看, 可以大概能知道当前版本的openssl能干啥活.

D:\my_dev\my_local_git_prj\study\openSSL\certs>openssl help
help:Standard commands
asn1parse         ca                ciphers           cmp
cms               crl               crl2pkcs7         dgst
dhparam           dsa               dsaparam          ec
ecparam           enc               engine            errstr
fipsinstall       gendsa            genpkey           genrsa
help              info              kdf               list
mac               nseq              ocsp              passwd
pkcs12            pkcs7             pkcs8             pkey
pkeyparam         pkeyutl           prime             rand
rehash            req               rsa               rsautl
s_client          s_server          s_time            sess_id
smime             speed             spkac             srp
storeutl          ts                verify            version
x509Message Digest commands (see the `dgst' command for more details)
blake2b512        blake2s256        md4               md5
mdc2              rmd160            sha1              sha224
sha256            sha3-224          sha3-256          sha3-384
sha3-512          sha384            sha512            sha512-224
sha512-256        shake128          shake256          sm3Cipher commands (see the `enc' command for more details)
aes-128-cbc       aes-128-ecb       aes-192-cbc       aes-192-ecb
aes-256-cbc       aes-256-ecb       aria-128-cbc      aria-128-cfb
aria-128-cfb1     aria-128-cfb8     aria-128-ctr      aria-128-ecb
aria-128-ofb      aria-192-cbc      aria-192-cfb      aria-192-cfb1
aria-192-cfb8     aria-192-ctr      aria-192-ecb      aria-192-ofb
aria-256-cbc      aria-256-cfb      aria-256-cfb1     aria-256-cfb8
aria-256-ctr      aria-256-ecb      aria-256-ofb      base64
bf                bf-cbc            bf-cfb            bf-ecb
bf-ofb            camellia-128-cbc  camellia-128-ecb  camellia-192-cbc
camellia-192-ecb  camellia-256-cbc  camellia-256-ecb  cast
cast-cbc          cast5-cbc         cast5-cfb         cast5-ecb
cast5-ofb         des               des-cbc           des-cfb
des-ecb           des-ede           des-ede-cbc       des-ede-cfb
des-ede-ofb       des-ede3          des-ede3-cbc      des-ede3-cfb
des-ede3-ofb      des-ofb           des3              desx
idea              idea-cbc          idea-cfb          idea-ecb
idea-ofb          rc2               rc2-40-cbc        rc2-64-cbc
rc2-cbc           rc2-cfb           rc2-ecb           rc2-ofb
rc4               rc4-40            seed              seed-cbc
seed-cfb          seed-ecb          seed-ofb          sm4-cbc
sm4-cfb           sm4-ctr           sm4-ecb           sm4-ofb

可以看到openssl提供了3组命令
标准命令 - 53个
信息摘要命令 - 20个
加解密命令 - 84个

openssl list

openssl list -verbose -commands > openssl_commands.txt 2>&1
openssl list -verbose -standard-commands > openssl-standard-commands.txt 2>&1
openssl list -verbose -all-algorithms > openssl-all-algorithms.txt 2>&1
openssl list -verbose -digest-commands > openssl-digest-commands.txt 2>&1
openssl list -verbose -digest-algorithms > openssl-digest-algorithms.txt 2>&1
openssl list -verbose -kdf-algorithms > openssl-kdf-algorithms.txt 2>&1
openssl list -verbose -random-instances > openssl-random-instances.txt 2>&1
openssl list -verbose -random-generators > openssl-random-generators.txt 2>&1
openssl list -verbose -mac-algorithms > openssl-mac-algorithms.txt 2>&1
openssl list -verbose -cipher-commands > openssl-cipher-commands.txt 2>&1
openssl list -verbose -cipher-algorithms > openssl-cipher-algorithms.txt 2>&1
openssl list -verbose -encoders > openssl-encoders.txt 2>&1
openssl list -verbose -decoders > openssl-decoders.txt 2>&1
openssl list -verbose -key-managers > openssl-key-managers.txt 2>&1
openssl list -verbose -key-exchange-algorithms > openssl-key-exchange-algorithms.txt 2>&1 
openssl list -verbose -kem-algorithms > openssl-kem-algorithms.txt 2>&1 
openssl list -verbose -signature-algorithms > openssl-signature-algorithms.txt 2>&1 
openssl list -verbose -asymcipher-algorithms > openssl-asymcipher-algorithms.txt 2>&1
openssl list -verbose -public-key-algorithms > openssl-public-key-algorithms.txt 2>&1
openssl list -verbose -public-key-methods > openssl-public-key-methods.txt 2>&1
openssl list -verbose -store-loaders > openssl-store-loaders.txt 2>&1
openssl list -verbose -providers > openssl-providers.txt 2>&1
openssl list -verbose -engines > openssl-engines.txt 2>&1
openssl list -verbose -disabled > openssl-disabled.txt 2>&1
openssl list -verbose -objects > openssl-objects.txt 2>&1

openssl pkey --help

Usage: pkey [options]General options:-help               Display this summary-engine val         Use engine, possibly a hardware deviceProvider options:-provider-path val  Provider load path (must be before 'provider' argument if required)-provider val       Provider to load (can be specified multiple times)-propquery val      Property query used when fetching algorithms-check              Check key consistency-pubcheck           Check public key consistencyInput options:-in val             Input key-inform format      Key input format (ENGINE, other values ignored)-passin val         Key input pass phrase source-pubin              Read only public components from key inputOutput options:-out outfile        Output file for encoded and/or text output-outform PEM|DER    Output encoding format (DER or PEM)-*                  Any supported cipher to be used for encryption-passout val        Output PEM file pass phrase source-traditional        Use traditional format for private key PEM output-pubout             Restrict encoded output to public components-noout              Do not output the key in encoded form-text               Output key components in plaintext-text_pub           Output only public key components in text form-ec_conv_form val   Specifies the EC point conversion form in the encoding-ec_param_enc val   Specifies the way the EC parameters are encoded

openssl pkeyutl --help

Usage: pkeyutl [options]General options:-help                     Display this summary-engine val               Use engine, possibly a hardware device-engine_impl              Also use engine given by -engine for crypto operations-sign                     Sign input data with private key-verify                   Verify with public key-encrypt                  Encrypt input data with public key-decrypt                  Decrypt input data with private key-derive                   Derive shared secret-config infile            Load a configuration file (this may load modules)Input options:-in infile                Input file - default stdin-rawin                    Indicate the input data is in raw form-inkey val                Input key, by default private key-pubin                    Input key is a public key-passin val               Input file pass phrase source-peerkey val              Peer key file used in key derivation-peerform PEM|DER|ENGINE  Peer key format (DER/PEM/P12/ENGINE)-certin                   Input is a cert with a public key-rev                      Reverse the order of the input buffer-sigfile infile           Signature file (verify operation only)-keyform PEM|DER|ENGINE   Private key format (ENGINE, other values ignored)Output options:-out outfile              Output file - default stdout-asn1parse                asn1parse the output data-hexdump                  Hex dump output-verifyrecover            Verify with public key, recover original dataSigning/Derivation options:-digest val               Specify the digest algorithm when signing the raw input data-pkeyopt val              Public key options as opt:value-pkeyopt_passin val       Public key option that is read as a passphrase argument opt:passphrase-kdf val                  Use KDF algorithm-kdflen +int              KDF algorithm output lengthRandom state options:-rand val                 Load the given file(s) into the random number generator-writerand outfile        Write random data to the specified fileProvider options:-provider-path val        Provider load path (must be before 'provider' argument if required)-provider val             Provider to load (can be specified multiple times)-propquery val            Property query used when fetching algorithms

openssl prime --help

Usage: prime [options] [number...]General options:-help               Display this summary-bits +int          Size of number in bits-checks +int        Number of checksOutput options:-hex                Hex output-generate           Generate a prime-safe               When used with -generate, generate a safe primeProvider options:-provider-path val  Provider load path (must be before 'provider' argument if required)-provider val       Provider to load (can be specified multiple times)-propquery val      Property query used when fetching algorithmsParameters:number              Number(s) to check for primality if not generating

对称加密

openssl enc -e -aes-256-cbc -pbkdf2 -in hello.txt -out hello.txt.enc -pass pass:111111

对称解密

openssl enc -d -aes-256-cbc -pbkdf2 -in hello.txt.enc -out hello.txt.enc.txt -pass pass:111111

PEM/DER之间的转换

openssl3.2 - exp - PEM ＜==＞ DER

命令行加解密文件 + 看摘要

cd /d D:\my_dev\my_local_git_prj\study\openSSL\exp_dcwo3d0\p2_38// gen key
openssl rand -hex 32
84912243ceba6e5a8f39a3d65d7e24d0807d755c93021fb7296de724993e7732// gen iv
openssl rand -hex 16
dbd48ea32866ad8f87665986f1117a66// make some file to enc/dec
dir .\* > pt.txt 2>&1// view enc help
openssl enc --help// enc file
openssl enc ^
-aes-256-cbc ^
-K 84912243ceba6e5a8f39a3d65d7e24d0807d755c93021fb7296de724993e7732 ^
-iv dbd48ea32866ad8f87665986f1117a66 ^
-e ^
-in pt.txt ^
-out pt.txt.enc// dec file
openssl enc ^
-aes-256-cbc ^
-K 84912243ceba6e5a8f39a3d65d7e24d0807d755c93021fb7296de724993e7732 ^
-iv dbd48ea32866ad8f87665986f1117a66 ^
-d ^
-in pt.txt.enc ^
-out pt.txt.enc.pt.txt// view file hash
openssl dgst .\pt.*
SHA256(.\pt.txt)= 79237e9b8a59461b70eab0367de6f8f9244e8e20acc80376ba745e92b597dea8
SHA256(.\pt.txt.enc)= 952022336c6cf33eb02b2bba44beec0690396862df4a9fd919f5ac079f979860
SHA256(.\pt.txt.enc.pt.txt)= 79237e9b8a59461b70eab0367de6f8f9244e8e20acc80376ba745e92b597dea8

生成口令

openssl passwd 可以生成口令
下面的命令是生成不同长度的口令
最后不带-的参数是要生成的口令的名字, 给几个名字, 就生成几个口令
最后按照表格的方式显示出来.

D:\my_tmp>openssl passwd -6 -table -password pwd1 pwd2
pwd1    $6$E3NJqA8JZEDhiJK2$iG37JVv3Mt1CE5bTcG.QZPthydXH6XMZZ3tuwMMpAauURG79Vumqx6JUXcfCLIgqIuksg7fqowf34hMW0wgmJ0
pwd2    $6$EldVWE.mYSX26qla$0WxSGdygohLfZPyH3GR/k/ARF2h1OTHEGLkDhZNtEiKw9gL/ek3CJZN9hjXiGC0Zv/fYXXaRmBfaBNrdxbDzu/D:\my_tmp>openssl passwd -5 -table -password pwd1 pwd2
pwd1    $5$6kWWvZkAhLZVbjf/$V93TIB9mX90qFfAKHDEePIlTfoTjZcyN0JvsJQLd2yC
pwd2    $5$E0XQQyBB8v9aGRbX$zyZpO2MiNO2WUQXDtIiX/r1JFjyYc5/6RDAn29plEC4D:\my_tmp>openssl passwd -apr1 -table -password pwd1 pwd2
pwd1    $apr1$NkUPmCZD$ob7Y5pHPWAxhMm9eM/4280
pwd2    $apr1$kpxGLVv4$dd2KtDb2hjvAH9ctt1egf1D:\my_tmp>openssl passwd -1 -table -password pwd1 pwd2
pwd1    $1$WcudEtnZ$k4ebzpnhVrh0FmugAWC641
pwd2    $1$Al9IYWcZ$RtkIwLeCXAsHsjtGnWK9k.D:\my_tmp>openssl passwd -aixmd5 -table -password pwd1 pwd2
pwd1    qeJKFLte$2a5SY0jQypIbTcB8L5SC01
pwd2    ./gcARvI$soLQUGc0qLXVbdbbEcw4W.D:\my_tmp>

END