Chinaunix首页 | 论坛 | 博客
  • 博客访问: 566465
  • 博文数量: 375
  • 博客积分: 0
  • 博客等级: 民兵
  • 技术积分: 15
  • 用 户 组: 普通用户
  • 注册时间: 2013-09-20 10:21
文章分类

全部博文(375)

文章存档

2015年(1)

2014年(374)

分类: LINUX

2014-08-18 13:36:33

原文地址:[手册] OpenSSL 之 rsautil 命令 作者:ailms

NAME
       rsautl - RSA utility

SYNOPSIS
       openssl rsautl [-in file] [-out file] [-inkey file] [-pubin] [-certin] [-sign] [-verify] [-encrypt] [-decrypt] [-pkcs]
                      [-ssl] [-raw] [-hexdump] [-asn1parse]

DESCRIPTION
       The rsautl command can be used to sign, verify, encrypt and decrypt  data using the RSA algorithm.
 
# 注释 :rsautl 是使用 RSA 算法,用于签名、校验、加密/解密数据的工具
 
# 补充 :该工具不能对太大的文件进行操作,否则会报错
 
[root@dhcp ~]# openssl rsautl -in mbox -out mbox.sign -inkey my.key -encrypt
Enter pass phrase for my.key:
RSA operation error
4050:error:0406D06E:rsa routines:RSA_padding_add_PKCS1_type_2:data too large for key size:rsa_pk1.c:151:
[root@dhcp ~]#
[root@dhcp ~]# ll mbox
-rw-------  1 root root 32648 Dec  8 16:39 mbox
[root@dhcp ~]#


COMMAND OPTIONS
       -in filename
       This specifies the input filename to read data from or standard input if this option is not specified.
 
        # 注释 :-in 指定输入的文件名。

       -out filename
       specifies the output filename to write to or standard output by default.
    
        # 注释 :-out 指定输出的文件名

       -inkey file
       the input key file, by default it should be an RSA private key.
    
        # 注释 :-inkey 指定输入的 RSA private key 文件(用于签名)

       -pubin
       the input file is an RSA public key.
 
        # 注释 :-pubin 表示输入的是一个 RSA 公钥

       -certin
       the input is a certificate containing an RSA public key.
 
        # 注释 :-certin 表示输入的是一个含有 RSA 公钥的证书

       -sign
       sign the input data and output the signed result. This requires and RSA private key.
 
        # 注释 :-sign 表示对输入的数据进行签名并输出结果。它需要一个 RSA private key

       -verify
       verify the input data and output the recovered data.
 
        # 注释 :-verify 校验输入的数据,并输出恢复的数据

       -encrypt
       encrypt the input data using an RSA public key.
 
        # 注释 :-encrypt 表示使用一个 RSA 公钥加密输入的文件

       -decrypt
       decrypt the input data using an RSA private key.
 
        # 注释 :-decrypt 表示使用一个 RSA 私钥解密输入的文件

       -pkcs, -oaep, -ssl, -raw
       the padding to use: PKCS#1 v1.5 (the default), PKCS#1 OAEP, spe-
       cial padding used in SSL v2 backwards compatible handshakes, or no
       padding, respectively.  For signatures, only -pkcs and -raw can be
       used.
 


       -hexdump
       hex dump the output data.
 
        # 注释 :-hexdump 表示以16进制输出数据

       -asn1parse
       asn1parse the output data, this is useful when combined with the -verify option.
 
        # 注释 :-asn1parse 表示对输出数据进行解释,和 -verify 选项一起使用

NOTES
       rsautl because it uses the RSA algorithm directly can only be used to sign or verify small pieces of data.
 
        # 注释 :因为它直接使用 RSA 算法,所以只能用于对小块的数据进行签名或者校验

EXAMPLES
       Sign some data using a private key:
 
        # 注释 :使用一个 private key 对数据进行加密使用下面的命令

        openssl rsautl -sign -in file -inkey key.pem -out sig

       Recover the signed data
 
        # 注释 :下面的命令恢复被签名的数据为原来的数据

        openssl rsautl -verify -in sig -inkey key.pem

       Examine the raw signed data:
 
        # 注释 :下面的命令校验原始的被签名的数据,并以16进制格式输出

        openssl rsautl -verify -in file -inkey key.pem -raw -hexdump

    0000 - 00 01 ff ff ff ff ff ff-ff ff ff ff ff ff ff ff     ................
    0010 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff     ................
    0020 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff     ................
    0030 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff     ................
    0040 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff     ................
    0050 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff     ................
    0060 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff     ................
    0070 - ff ff ff ff 00 68 65 6c-6c 6f 20 77 6f 72 6c 64     .....hello world

       The PKCS#1 block formatting is evident from this. If this was done
       using encrypt and decrypt the block would have been of type 2 (the
       second byte) and random padding data visible instead of the 0xff
       bytes.

       It is possible to analyse the signature of certificates using this
       utility in conjunction with asn1parse. Consider the self signed exam-
       ple in certs/pca-cert.pem . Running asn1parse as follows yields:
 
        # 注释:可以使用该工具和 asn1parse 一起分析证书的签名

        openssl asn1parse -in pca-cert.pem

       0:d=0  hl=4 l= 742 cons: SEQUENCE
       4:d=1  hl=4 l= 591 cons:  SEQUENCE
       8:d=2  hl=2 l=   3 cons:   cont [ 0 ]
      10:d=3  hl=2 l=   1 prim:    INTEGER         :02
      13:d=2  hl=2 l=   1 prim:   INTEGER        :00
      16:d=2  hl=2 l=  13 cons:   SEQUENCE
      18:d=3  hl=2 l=   9 prim:    OBJECT         :md5WithRSAEncryption
      29:d=3  hl=2 l=   0 prim:    NULL
      31:d=2  hl=2 l=  92 cons:   SEQUENCE
      33:d=3  hl=2 l=  11 cons:    SET
      35:d=4  hl=2 l=   9 cons:    SEQUENCE
      37:d=5  hl=2 l=   3 prim:     OBJECT           :countryName
      42:d=5  hl=2 l=   2 prim:     PRINTABLESTRING   :AU
     ....
     599:d=1  hl=2 l=  13 cons:  SEQUENCE
     601:d=2  hl=2 l=   9 prim:   OBJECT        :md5WithRSAEncryption
     612:d=2  hl=2 l=   0 prim:   NULL
     614:d=1  hl=3 l= 129 prim:  BIT STRING

       The final BIT STRING contains the actual signature. It can be
       extracted with:

    openssl asn1parse -in pca-cert.pem -out sig -noout -strparse 614

       The certificate public key can be extracted with:
 
    # 注释 :要想从一个证书中取出公钥,可以用下面的命令

        openssl x509 -in test/testx509.pem -pubout -noout >pubkey.pem

       The signature can be analysed with:
 
    # 注释 :可以用下面的命令对一个公钥文件进行分析

    openssl rsautl -in sig -verify -asn1parse -inkey pubkey.pem -pubin

       0:d=0  hl=2 l=  32 cons: SEQUENCE
       2:d=1  hl=2 l=  12 cons:  SEQUENCE
       4:d=2  hl=2 l=   8 prim:   OBJECT        :md5
      14:d=2  hl=2 l=   0 prim:   NULL
      16:d=1  hl=2 l=  16 prim:  OCTET STRING
         0000 - f3 46 9e aa 1a 4a 73 c9-37 ea 93 00 48 25 08 b5   .F...Js.7...H%..

       This is the parsed version of an ASN1 DigestInfo structure. It can be
       seen that the digest used was md5. The actual part of the certificate
       that was signed can be extracted with:

    openssl asn1parse -in pca-cert.pem -out tbs -noout -strparse 4

       and its digest computed with:

    openssl md5 -c tbs
        MD5(tbs)= f3:46:9e:aa:1a:4a:73:c9:37:ea:93:00:48:25:08:b5

       which it can be seen agrees with the recovered value above.

SEE ALSO
       dgst(1), rsa(1), genrsa(1)



0.9.7a                  2001-04-25                RSAUTL(1)
阅读(1511) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~