OPENSSL(1) OpenSSL OPENSSL(1)
NAME
openssl - OpenSSL
command line tool
# 注释 :openssl 是 OpenSSL 的命令行工具
SYNOPSIS
openssl command [
command_opts ] [ command_args ]
openssl [ list-standard-commands │ list-message-digest-commands
│list-cipher-commands ] # 注释
:这三个选项可以用于列出不同的命令
openssl no-XXX [ arbitrary options ]
DESCRIPTION
OpenSSL is a cryptography
toolkit implementing the Secure Sockets
Layer (SSL v2/v3) and
Transport Layer Security (TLS v1) network proto-
cols and related
cryptography standards required by them.
# 注释 :OpenSSL 是一个密码工具,用于实现 SSL (v2 和 v3)以及 TLS
v1 协议,以及这些协议
# 所要求的一些加密标准
The openssl program is a command line tool for using the various
cryp-
tography functions of OpenSSL’s crypto library from the shell.
It can
be used for
# 注释 :openssl 是一个命令行工具,它使用于 OpenSSL
的各个加密库的不同加密函数,它可以用于 :
# -)1、建立 RSA、DH、DSA key 参数
# -)2、建立 X.509 证书、证书签名请求(CSR)和
CRLs(证书回收列表)
# -)3、计算消息摘要
# -)4、使用各种 Cipher 加密/解密
# -)5、SSL/TLS 客户端以及服务器的测试
# -)6、处理 S/MIME 或者加密邮件
o Creation of RSA, DH and DSA key parameters
o Creation of X.509
certificates, CSRs and CRLs
o Calculation of Message Digests
o
Encryption and Decryption with Ciphers
o SSL/TLS Client and Server
Tests
o Handling of S/MIME signed or encrypted
mail
COMMAND SUMMARY
The openssl program
provides a rich variety of commands (command in
the SYNOPSIS above),
each of which often has a wealth of options and
arguments
(command_opts and command_args in the SYNOPSIS).
# 注释 :openssl
提供了很多不同的命令,每个子命令有很多的选项和参数。
The pseudo-commands list-standard-commands,
list-message-digest-com-
mands, and list-cipher-commands output a list
(one entry per line) of
the names of all standard commands, message
digest commands, or cipher
commands, respectively, that are available
in the present openssl
utility.
# 注释 :上面提到的
list-standard-commands、list-message-digest-commands、list-cipher-commands
# 是三个伪命令,它们用于输出一个所有标准命令、消息摘要命令、Cipher
命令的列表。
The pseudo-command no-XXX tests whether a command of the
specified
name is available. If no command named XXX exists, it
returns 0 (suc-
cess) and prints no-XXX; otherwise it returns 1 and
prints XXX. In
both cases, the output goes to stdout and nothing is
printed to
stderr. Additional command line arguments are always
ignored. Since
for each cipher there is a command of the same name,
this provides an
easy way for shell scripts to test for the
availability of ciphers in
the openssl program. (no-XXX is not able
to detect pseudo-commands
such as quit, list-...-commands, or no-XXX
itself.)
# 注释 :no-XXX 同样也是一个伪命令,它用于测试一个命令是否存在。如果 xxx
命令不存在,则返回 0,并打印 no-xxx
# 如果它存在则返回1,并打印 xxx ,表示存在该命令 xxx
# 这两种情况的结果都是输出到 stdout ,而不是输出到 stderr
。其他的命令行参数都会被忽略,
# 这个命令可以被用于测试某个 Cipher
是否有效,不过它不能用于测试这些伪命令
[root@dhcp tmp]# openssl
no-suchcmd
no-suchcmd
[root@dhcp tmp]# openssl
no-rsa
rsa
[root@dhcp
tmp]#
STANDARD COMMANDS # 注释
:下面是标准命令,必须有的
asn1parse Parse an ASN.1 sequence. # 注释 :asn1parse 用于解释用 ANS.1 语法书写的语句,ASN 一般用于定义语法的构成
ca Certificate Authority (CA) Management. # 注释 :ca 用于 CA 的管理
ciphers Cipher Suite Description Determination. # 注释 :ciphers 是 Cipher suite 的介绍
crl Certificate Revocation List (CRL) Management. # 注释 :crl 是用于管理 CRL 列表
crl2pkcs7 CRL to PKCS#7 Conversion. # 注释 :crl2pcks7 是用于 CRL 和 PKCS#7 之间的转换
dgst Message Digest Calculation. # 注释 :dgst 用于计算消息摘要
dh Diffie-Hellman Parameter Management. Obsoleted by
dhparam.
dsa DSA Data Management. # 注释 :dsa 是 DSA 数据管理工具
dsaparam DSA Parameter Generation. # 注释 :dsaparm 是 DSA 的参数
enc Encoding with Ciphers. # 注释 :enc 是 Cipher 所使用的编码
errstr Error Number to Error String Conversion. # 注释 :errstr 是错误编号到错误字符串的转换
dhparam Generation and Management of Diffie-Hellman
Parameters. # 注释 :dhparm 是 Diffie-Hellman
参数的管理
gendh Generation of Diffie-Hellman Parameters. Obsoleted by
dhparam.
gendsa Generation of DSA Parameters. # 注释 :gendsa 用于生成 DSA 参数
genrsa Generation of RSA Parameters. # 注释 :genrsa 用于生成 RSA 参数
ocsp Online Certificate Status Protocol utility. # 注释 :oscp 是在线证书状态查询工具
passwd Generation of hashed passwords. # 注释 :passwd 是 hash 密码的管理
pkcs12 PKCS#12 Data Management. # 注释 :pkcs12 是 PKCS#12 数据的管理
pkcs7 PKCS#7 Data Management. # 注释 :pcks7 是 PCKS#7 数据的管理
rand Generate pseudo-random bytes. # 注释 :rand 是用于生成伪随机数
req X.509 Certificate Signing Request (CSR)
Management. # 注释 :req 生成一个 CSR
rsa RSA Data
Management. # 注释 :rsa
是 RSA 数据管理
rsautl RSA utility for signing, verification, encryption, and
decryption. # 注释 :rsautl 是 RSA
工具,用于签名、验证、加密、解密
s_client This implements a generic SSL/TLS client which can
establish # 注释 :s_client 是 SSL/TLS
客户端的实现。可以用于建立一个透明的
a transparent connection to a
remote server speaking 连接到一个远端的
SSL/TLS 服务器。该工具只是用于测试目的,
SSL/TLS. It’s intended for
testing purposes only and pro-
vides
only rudimentary interface functionality but inter-
nally
uses mostly all functionality of the OpenSSL ssl
library.
s_server This implements a generic SSL/TLS server which accepts
con- # 注释 :s_server 是 s_client
的相反,用于接受来自远程的
nections from remote clients speaking
SSL/TLS. It’s intended SSL/TLS
连接。同样也只是用于测试目的而已
for testing purposes only and
provides only rudimentary
interface functionality but
internally uses mostly all func-
tionality of the OpenSSL
ssl library. It provides both an
own command line oriented
protocol for testing SSL functions
and a simple HTTP
response facility to emulate an
SSL/TLS-aware
webserver.
s_time SSL Connection Timer. # 注释
:s_time 是 SSL 连接计时工具
sess_id SSL Session Data Management. # 注释
:sess_id 是 SSL 会话管理
smime S/MIME mail processing. # 注释
:smime 是 S/MIME 邮件处理
speed Algorithm Speed Measurement. # 注释
:speed 是性能测试
verify X.509 Certificate Verification. # 注释
:verify 用于验证一个 X.509 证书
version OpenSSL Version Information. #
注释 :version 用于打印版本信息
x509 X.509 Certificate Data Management. # 注释 :x509 用于 X.509 证书的管理
MESSAGE DIGEST COMMANDS # 注释
:下面是用于生成数字摘要的命令
md2 MD2 Digest # 注释 :md2
是 MD2 数字摘要命令
md5 MD5 Digest # 注释 :md5 是
MD5 数字摘要命令(最常用)
mdc2 MDC2 Digest # 注释 :mdc2 是
MDC2 数字摘要命令
rmd160 RMD-160 Digest # 注释 :rmd160
是 RMD-160 数字摘要命令
sha SHA Digest # 注释 :sha 是
SHA 数字摘要
sha1 SHA-1 Digest # 注释 :sha1 是
SHA-1 数字摘要(最常用)
ENCODING AND CIPHER COMMANDS # 注释 :下面是编码和
Cipher(加密)命令
base64 Base64 Encoding # 注释 :下面是
Base64 编码的相关命令
bf bf-cbc bf-cfb bf-ecb bf-ofb # 注释 :有
bf、bf-cbc、 等5 个命令
Blowfish Cipher # 注释 :下面是
Blowfish Cipher
cast cast-cbc # 注释
:有2个命令
CAST Cipher # 注释 :下面是
CAST Cipher
cast5-cbc cast5-cfb cast5-ecb cast5-ofb #
注释 :有4个命令
CAST5 Cipher # 注释 :下面是
CAST5 Cipher
des des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb
des-ede-ofb des-ofb
DES Cipher # 注释 :下面是 DES
Cipher
des3 desx des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb
Triple-DES Cipher
idea idea-cbc idea-cfb idea-ecb idea-ofb
IDEA Cipher
rc2 rc2-cbc rc2-cfb rc2-ecb rc2-ofb
RC2 Cipher
rc4 RC4 Cipher
RC5 Cipher
rc5 rc5-cbc rc5-cfb rc5-ecb rc5-ofb
PASS PHRASE ARGUMENTS
Several commands accept
password arguments, typically using -passin
and -passout for input and
output passwords respectively. These allow
the password to be obtained
from a variety of sources. Both of these
options take a single
argument whose format is described below. If no
password argument is
given and a password is required then the user is
prompted to enter
one: this will typically be read from the current
terminal with
echoing turned off.
# 注释 :有几个命令接受密码作为参数。一般是 -passin 和 -passout
用于输入/输出密码。
# 它允许从多个源头获取密码,这两个选项都只接受一个参数,格式如下。
# 如果没有给出 -passin 或者 -passout
,但实际需要密码,则会提示用户输入密码。
# 它是从终端接受输入,而且关闭回显功能。
pass:password
the actual password is
password. Since the password is visi-
ble to utilities (like ’ps’
under Unix) this form should
only be used where security is not
important.
# 注释 :pass:password 中的 passsword 是真正的密码,不过它可以被
ps 命令看到,所以不建议用该方式
env:var
obtain the password from the environment variable var.
Since
the environment of other processes is visible on
certain
platforms (e.g. ps under certain Unix OSes) this
option
should be used with caution.
# 注释 :env:var 通过环境变量获取密码值。同样也是不安全。
file:pathname
the first line of
pathname is the password. If the same
pathname argument is
supplied to -passin and -passout
arguments then the first line
will be used for the input
password and the next line for the
output password. pathname
need not refer to a regular file: it
could for example refer
to a device or named pipe.
# 注释 :file: ,如果同时给出了
-passin 和 -passout ,则第一个 file 是输入密码,第2个 file 是输出密码,
# 一般是指向普通文件,但也可以是设备或者 named pipe
。建议使用这种。
fd:number
read the password from the file descriptor number. This
can
be used to send the data via a pipe for example.
# 注释 :fd 读取指定的文件描述符。这可以通过管道发送密码
stdin read the password from standard input.
SEE ALSO
asn1parse(1), ca(1), config(5), crl(1),
crl2pkcs7(1), dgst(1),
dhparam(1), dsa(1), dsaparam(1), enc(1),
gendsa(1), genrsa(1),
nseq(1), openssl(1), passwd(1), pkcs12(1),
pkcs7(1), pkcs8(1),
rand(1), req(1), rsa(1), rsautl(1), s_client(1),
s_server(1),
smime(1), spkac(1), verify(1), version(1), x509(1),
crypto(3), ssl(3)
HISTORY
The openssl(1) document appeared in OpenSSL 0.9.2. The
list-XXX-com-
mands pseudo-commands were added in OpenSSL 0.9.3; the
no-XXX pseudo-
commands were added in OpenSSL 0.9.5a. For notes on
the availability
of other commands, see their individual manual
pages.
0.9.7a 2001-08-08 OPENSSL(1)