Chinaunix首页 | 论坛 | 博客
  • 博客访问: 8821578
  • 博文数量: 29
  • 博客积分: 4010
  • 博客等级: 上校
  • 技术积分: 797
  • 用 户 组: 普通用户
  • 注册时间: 2007-09-19 14:12
文章分类

全部博文(29)

文章存档

2008年(29)

我的朋友

分类: LINUX

2008-06-02 10:05:01

 1.取得 Openssl

Openssl 是一套公布原始码(Open source)之套件,可以从 取得。

wget source/ openssl-0.9.8e.tar.gz

解压缩。

tar zxvf openssl-0.9.8e.tar.gz

cd openssl-0.9.8h

#  ./config --prefix=/usr/local/openssl

#  make

#  make install

修改 ~/openssl/ssl/openssl.cnf

dir= /usr/local/openssl/ssl/misc/demoCA      #设定存取凭证的路径

default_days= 3650       #设定凭证可使用之天数

default_bits = 2048       #设定密钥长度(bits)

产生 CA 凭证

我们所产生的 CA凭证,将放置在 ~/openssl/ssl/misc/demoCA 下,以下我们将介绍如何产生出最上层的 CA凭证。

2.执行CA凭证产生程式。

#  cd ~/openssl/ssl/misc

#  ./CA.sh -newca

CA certificate filename (or enter to create)

[enter]

Making CA certificate ...

Generating a 1024 bit RSA private key

................................ .............................++++++

..++++++

writing new private key to './demoCA/private/./cakey.pem'

Enter PEM pass phrase:[设定通行码]

Verifying - Enter PEM pass phrase:[确认通行码]

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [GB]:CN

State or Province Name (full name) [Berkshire]:GUANGDONG

Locality Name (eg, city) [Newbury]:GUANGZHOU

Organization Name (eg, company) [My Company Ltd]:demo

Organizational Unit Name (eg, section) []:demo

Common Name (eg, your name or your server's hostname) []:demo

Email Address []demo@demolcn

3.         确定CA凭证及金钥是否产生。

#cd ~/openssl/ssl/misc/demoCA

#ls  –l

cacert.pem     certs     crl     index.txt     newcerts     private     serial

可见「cacert.pem」即是CA之凭证,而「private」目录即是存放CA私钥之处。

设定CA凭证之存取权限,仅允许本人能存取,他人必须限制其存取权限。

chmod -R 660 ~/openssl/ssl/misc/ demoCA

4. CA产生次级凭证

CA凭证产生完之后,我们便可以产生使用者或公司所需要之凭证,此次级凭证产生后,使用者便可应用于Email签章加密或httpsssl传输加密。

产生使用者之金钥档及CSR(Certificate Signing Request)

#cd ~/openssl/ssl/misc/demoCA

#~/openssl/bin/openssl req -nodes -new -keyout islab_key.pem\

#-out islab_req.pem -days 3650 -config ~/openssl/ssl/openssl.cnf

#此处「-keyout」即为产生Private key之档名,我们以「islab_key.pem」为例

#,您可自行设定。而「-out」则产生CSR档,我们以「islab_req.pem」为例。

Generating a 2048 bit RSA private key

................................ ..........................+++

................................ ................................................................+++

writing new private key to 'islab_key.pem'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:CN

State or Province Name (full name) [GUANGDONG]:GUANGDONG

Locality Name (eg, city) []:GUANGZHOU

Organization Name (eg, company) [THU]:demo

Organizational Unit Name (eg, section) []:Idemo

Common Name (eg, YOUR name) []:demo@demo.com

#Common Name请输入您所欲使用之名称,如此凭证产生后欲使用在 Email

#签章,则必须填入email名称;若此凭证欲使用在https,则必须填网址。

Email Address []:demo@demo.com

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:[password]

An optional company name []:[company]

#以上两项可随意输入即可。

产生使用者之凭证。

~/openssl/bin/openssl ca -config ~/openssl/ssl/openssl.cnf \

-policy policy_anything -out islab_cert.pem -infiles islab_req.pem

Using configuration from /usr/local/openssl/ssl/openssl.cnf

Enter pass phrase for /usr/local/openssl/ssl/misc/demoCA/private/cakey.pem:[输入CA通行码]

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 1 (0x1)

Validity

Not Before: Feb 24 14:34:58 2005 GMT

Not After : Feb 22 14:34:58 2015 GMT

Subject:

countryName = CN

stateOrProvinceName = GUANGDONG

localityName = GUANGZHOU

organizationName = demo

organizationalUnitName= demo

commonName = demo@demo.com

emailAddress = demo@demo.com

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

Netscape Comment:

OpenSSL Generated Certificate

X509v3 Subject Key Identifier:

EC:88:66:DE:FF:79:CE:81:C2:EE:93:BF:9A:65:92:3B:AC:2C:CD:7E

X509v3 Authority Key Identifier:

keyid:37:AA:42:CF:FA:D9:73:C7:80:E5:0C:E2:9F:7B:95:86:40:66:72:C5

DirName:/C=CNST=GUANGDONG/L=GUANGZHOU/O=GUANGZHOU University/OU=demo/CN=ISLAB_CA/ emailAddress=demo@demo.cn

serial:00

Certificate is to be certified until Feb 22 14:34:58 2015 GMT (3650 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

 检查凭证是否产生

cd ~/openssl/ssl/misc/demoCA

ls -l

cacert.pem crl      index.txt.attr     islab_cert.pem     islab_req.pem     private     serial.old        certs          index.txt     index.txt.old      islab_key.pem      newcerts          serial

以上可见,islab_cert.pemislab_req.pemislab_key.pem分别为刚刚所产生出来的凭证、CSRPrivate Key

 

   5.Openssl 应用

cacert验证产生出来的使用者cert

~/openssl/bin/openssl verify -CApath . \

-CAfile cacert.pem islab_cert.pem

检查产生的序号

~/openssl/bin/openssl x509 -noout -serial -in islab_cert.pem

serial=01

检查发行者资讯

~/openssl/bin/openssl x509 -noout -issuer -in islab_cert.pem

issuer=/C=CN/ST=CN/L=guangdong/ O=THU/OU=ISLAB/CN=

检查凭证起始及终止日期时间

~/openssl/bin/openssl x509 -noout -in islab_cert.pem -dates

notBefore=Feb 24 07:54:16 2005 GMT

notAfter=Feb 22 07:54:16 2015 GMT

检查个人凭证资讯subject

~/openssl/bin/openssl x509 -noout -in islab_cert.pem -subject

subject=/C=CN/ST=CN/L=GUANGDONG/ O=THU/OU=CSIE/CN=demo@demo.cn/emailAddress=demo@demo.cn

检查MD5 fingerprint

~/openssl/bin/openssl x509 -noout -in islab_cert.pem -fingerprint

MD5 Fingerprint=A4:A1:95:41:CC:26:18:00:AA:16:07:25:A8:5F:65:6E

检查SHA-1 fingerprint

~/openssl/bin/openssl x509 -noout -in islab_cert.pem -fingerprint -sha1

SHA1 Fingerprint=B2:D7:CF:DF:DA:B7:A6:3B:4C:99:3A:94:52:64:B8:28:0B:3A:24:9D

PEM转至PKCS12Microsoft Outlook Express使用PKCS12格式,因此欲使用Microsoft Outlook Express寄出签章信件,只要将产生出来的.p12档安装在Windows即可使用。

~/openssl/bin/openssl pkcs12 -export -in islab_cert.pem -out islab_cert.p12 -name Blave's Certificate -inkey islab_key.pem

Enter Export Password:

Verifying - Enter Export Password:

PKCS12转至PEM

PKCS12产生Private Key

~/openssl/bin/openssl pkcs12 -in islab_cert.p12 -out islab_key2.pem

Enter Import Password:

MAC verified OK

Enter PEM pass phrase:

Verifying - Enter PEM pass phrase:

再由Private Key产生凭证

~/openssl/bin/openssl x509 -in islab_key2.pem -text \

out islab_cert2.pem

文件加密

islab_cert.pem」为个人凭证,可以公开给大家,因此某人欲加密传送一文件给我,便可以依下列方式加密。编辑一纯文字档,在此我们预设档名为「document.txt」,而经加密码之档名为「document.enc」。

 echo "This is a text file." > document.txt

cat document.txt

This is a text file.

~/openssl/bin/openssl smime -encrypt -in document.txt \

-out document.enc islab_cert.pem

cat document.enc

MIME-Version: 1.0

Content-Disposition: attachment; filename="smime.p7m"

Content-Type: application/x-pkcs7- mime; name="smime.p7m"

Content-Transfer-Encoding: base64

MIICFgYJKoZIhvcNAQcDoIICBzCCAgMCAQAxggG5MIIBtQIBADCBnDCBljEL MAkG

A1UEBhMCVFcxDzANBgNVBAgTBlRBSVdBTjERMA8GA1UEBxMIVGFpY2h 1bmcxDDAK

()

DQEHATAaBggqhkiG9w0DAjAOAgIAoAQIIyXl/ VHcSASAGOtS9efsvXwqks1LmBp6

irSgxerAE6TShw==

文件解密

若我们收到了某人传送的「document.enc」,我们便能使用Private Key来进行解密。

 ~/openssl/bin/openssl smime -decrypt -in document.enc \

-recip islab_cert.pem -inkey islab_key.pem

This is a text file.

文件签章

为文件签章可证明文件的来源为本人无误,并且可以验证文件是否被篡改。我们依前例,为一纯文字档「document.txt」签章,签章后档名为「document.sig」。

~/openssl/bin/openssl smime -sign -inkey islab_key.pem \

-signer islab_cert.pem -in document.txt -out document.sig

cat document.sig

MIME-Version: 1.0

Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary=& quot;----F565CC3F7AEE7ACC3F74CA855D8EC920"

This is an S/MIME signed message

------F565CC3F7AEE7ACC3F74CA855D8EC920

This is a text file.

------F565CC3F7AEE7ACC3F74CA855D8EC920

Content-Type: application/x-pkcs7- signature; name="smime.p7s"

Content-Transfer-Encoding: base64

Content-Disposition: attachment; filename="smime.p7s"

MIIHBgYJKoZIhvcNAQcCoIIG9zCCBvMCAQExCzAJBgUrDgMCGgUAMAsGC SqGSIb3

DQEHAaCCBFYwggRSMIIDu6ADAgECAgEBMA0GCSqGSIb3DQEBBAUAM IGWMQswCQYD

()

------F565CC3F7AEE7ACC3F74CA855D8EC920- -

 文件签章验证

当某人收到这份文件时,可利用我们的凭证(islab_cert.pem)以及CA凭证(cacert.pem)来验证文件。

    ~/openssl/bin/openssl smime -verify -in document.sig \

signer islab_cert.pem -out document.txt -CAfile cacert.pem

Verification successful

因此我们可以知道,验证方必须事先取得 CA凭证(cacert.pem)方可验证文件。

文件加密并签章

我们已知如何加解密以及签章验证的方法了,因此要将文件加密并签章实非难事。我们必须先将文件进行签章再加密,而收方则以相反步骤进行解密再验证即可

阅读(2534) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~