[密码学]OpenSSL实践篇

背景

最近在写Android abl阶段fastboot工具，需要我在Android代码中实现一些鉴权加解密相关的fastboot命令，里面用到了OpenSSL。我们先来实践一下OpenSSL在Linux系统中的指令。

OpenSSL官方网站：OpenSSL 中文手册 | OpenSSL 中文网

1. 查看openssl版本

openssl version
# 完整版本信息
openssl version -a

在这里插入图片描述

2. 命令rsa

2.1 生成双钥

2.1.1 生成key1

openssl genrsa -out priv.key

在这里插入图片描述

2.1.2 提取key2

openssl rsa [-inform PEM|NET|DER] [-outform PEM|NET|DER]
[-in filename] [-passin arg] [-out filename] [-passout arg]
[-sgckey] [-des] [-des3] [-idea] [-text] [-noout] [-modulus] [-check]
[-pubin] [-pubout] [-engine id]

常用选项：

-in filename：输入文件
-out filename：输出文件
-pubout：根据私钥提取出公钥

openssl rsa -in priv.key -out pub.key -pubout

在这里插入图片描述

2.2 查看key内容

openssl rsa -in priv.key -text -noout
openssl rsa -in pub.key -text -noout  -pubin

-text：打印出私有密钥的各个组成部分
-noout：key对应的ASCII码版本不打印

2.2.1 key1

openssl rsa -in priv.key -text -noout

RSA Private-Key: (2048 bit, 2 primes)
modulus:00:cd:0d:ba:2b:56:57:68:10:7a:9d:31:47:51:f7:41:0d:ab:de:f1:c7:70:9f:a0:a2:18:49:6f:74:15:85:b5:68:bc:00:d3:46:f6:26:3d:16:a4:23:25:09:65:4f:f9:8e:2f:70:35:54:fe:b4:31:29:a8:70:f8:bf:b0:31:4a:85:79:31:99:da:7c:72:3a:21:f1:77:ec:d9:50:2a:8e:75:ab:34:c8:bf:82:0b:08:de:74:56:48:ba:56:17:30:1a:22:09:a1:f4:b3:cd:d3:6f:84:12:dc:a3:0e:33:95:91:27:4a:ee:f6:4e:2a:d0:85:9c:04:cc:52:c9:f8:5a:f3:78:e5:de:3e:28:5b:21:d0:ff:4a:54:79:4c:d8:81:a1:4e:3f:52:b5:71:d2:6f:5e:13:c0:33:48:53:5c:7f:7e:34:4f:e9:3b:53:7f:00:a0:80:60:69:e5:94:b0:00:1e:33:08:ec:c9:9a:31:de:40:8e:6b:0a:da:67:30:98:16:be:7f:da:11:c0:e0:64:77:09:6b:a6:26:e8:bb:45:17:88:88:f1:d4:e8:cc:d5:e9:70:ca:c2:1b:72:3d:00:e4:2f:6c:e4:68:ab:7e:03:e3:43:fc:eb:66:b2:7a:0d:c7:27:bc:40:a3:37:bf:76:eb:55:ed:a7:13:54:b7:e2:c5
publicExponent: 65537 (0x10001)
privateExponent:3f:4e:32:a0:b8:8a:49:a5:74:c5:5c:f6:60:d6:cd:ed:b3:97:23:db:e7:e8:50:46:5a:eb:29:0e:94:aa:70:04:42:ae:9a:8b:b8:e8:bb:49:67:29:36:80:fd:17:40:bb:65:e7:e5:7f:35:17:5a:6a:3b:07:8d:b4:58:68:0f:52:bf:c4:d1:74:03:a1:9c:52:e8:62:96:eb:cc:75:27:00:2a:f8:23:d6:04:06:f6:18:ff:9f:b7:da:57:43:d7:64:ea:07:41:49:f3:cc:e2:ae:f5:fe:80:c1:92:5b:d8:9c:34:9e:4c:c2:1c:05:d9:d4:b6:03:41:35:7a:07:43:c4:83:57:3e:e3:41:45:5a:c5:c9:f2:6f:2f:80:59:61:08:19:7d:54:4d:3d:09:be:38:5a:e6:ac:74:0f:80:7e:e7:37:9d:f6:f1:0b:5e:27:c4:a0:58:70:0c:9b:b0:af:25:1c:df:53:83:1a:ad:5d:ab:73:5b:c8:30:5b:9b:cf:e4:9d:e0:0d:5a:f6:60:8b:86:9d:44:37:6b:7c:64:54:c6:c1:3f:fc:74:23:5f:59:5b:cc:af:41:40:c8:79:24:29:13:c6:ff:eb:4b:28:aa:3e:9f:bd:9b:9a:fd:79:58:72:20:7d:cc:8b:0b:96:ca:cc:47:b8:2b:5a:75:5f:3b:6d
prime1:00:f4:40:4b:fc:dc:53:e7:b2:74:03:cd:83:dc:36:e8:97:34:01:37:29:0e:67:40:a2:3b:f3:8d:0c:41:21:16:17:d5:e1:f0:25:61:12:38:5e:db:f1:58:fb:b8:92:63:4d:3a:57:a3:25:b5:0b:9a:21:58:c7:60:2b:b7:16:7b:9f:9c:a3:4a:39:9a:23:c8:b1:2c:68:53:32:f1:a4:7c:6c:92:f4:ed:48:30:a2:d7:ed:9f:a4:d8:f9:dc:69:9f:34:39:3a:bf:1a:14:1e:97:48:81:7b:6a:b4:82:5c:70:6f:5f:4b:32:2b:8f:b2:30:0e:09:f3:a8:72:94:c1:30:5b
prime2:00:d6:ea:c0:b8:c2:c3:e0:6f:96:64:f1:3d:cb:1c:89:cc:b7:d9:bf:f6:32:9e:2b:54:37:77:20:3f:3c:24:a1:c5:55:2a:63:6e:42:18:86:e2:19:e3:19:19:62:e3:2f:59:3d:5d:82:8b:d0:98:80:83:dc:4f:1d:7a:45:4f:da:63:58:b6:fb:13:2d:d7:51:c0:d1:4c:7f:7b:32:d3:00:73:b7:bc:4e:b1:3c:ab:23:fd:7c:90:95:e3:a7:7d:5c:78:c2:5b:72:99:16:bb:fc:4b:e2:39:16:68:1b:22:28:6d:4b:0e:29:d3:04:e9:4c:f3:0d:7e:09:46:02:47:a3:5f
exponent1:00:cf:be:f8:62:c4:0b:e1:a0:59:28:fa:de:52:a9:a9:3f:22:0e:7e:9a:3f:13:f7:57:85:e2:6b:6f:a6:dd:bb:6a:de:92:63:ad:87:58:f5:f5:48:e1:88:ab:e1:9b:31:36:f8:8e:9d:c7:6e:ab:c5:96:e3:6a:01:14:6d:8f:83:ea:88:52:22:c9:c7:9e:f4:0e:2e:15:35:de:b8:c5:0c:c7:54:5f:5a:8a:f2:43:2f:a1:7f:0d:b9:37:1c:10:02:47:6a:fd:da:99:15:cf:c7:20:f6:70:c0:9b:73:dd:a8:0c:32:63:44:f2:e4:2f:cc:cb:c4:0f:28:90:fc:91:2c:cd
exponent2:0d:da:13:91:d4:fb:ca:fb:66:36:1b:56:60:40:f6:a0:bb:38:cd:a6:90:9c:a1:2e:4c:64:e1:2f:32:31:2a:3c:0d:c1:2d:a7:6d:9b:27:16:6b:94:b7:89:6b:56:39:37:07:3d:7f:ac:83:45:51:03:2e:af:ea:b6:76:c1:2e:d2:38:65:92:c9:29:ab:37:19:b6:63:b7:d3:b8:f2:e0:94:94:c3:0e:4f:5e:19:a9:b8:2c:cf:24:da:07:71:8d:04:3b:82:a9:60:34:96:e9:2b:fa:e8:b3:09:02:b6:b0:e4:5a:72:0f:40:0a:90:fe:e4:ab:79:f4:1f:0f:06:8f:01
coefficient:45:b8:5d:e3:ec:af:16:00:60:7a:a1:b8:ce:74:50:74:54:58:12:ab:ac:aa:bc:c4:c0:18:ee:75:50:75:18:3d:0f:99:ed:70:7a:b7:0b:4b:46:e6:ba:28:69:d8:c9:f6:a5:5a:f1:98:8d:f8:a2:91:06:16:89:34:3d:54:f3:a3:3b:0b:dd:f5:0a:ad:5c:99:03:f6:d1:fe:f8:d6:e4:61:46:e9:bf:2f:18:f0:1f:24:25:e0:ad:83:c3:63:4e:d0:ec:75:14:3e:d7:d4:76:e1:b7:c2:dd:0d:fd:14:2a:14:d6:10:e9:c9:73:ef:ac:aa:c8:0a:9c:62:52:ea:4e:53

2.2.3 key2

openssl rsa -pubin -in pub.key -text -noout

RSA Public-Key: (2048 bit)
Modulus:00:cd:0d:ba:2b:56:57:68:10:7a:9d:31:47:51:f7:41:0d:ab:de:f1:c7:70:9f:a0:a2:18:49:6f:74:15:85:b5:68:bc:00:d3:46:f6:26:3d:16:a4:23:25:09:65:4f:f9:8e:2f:70:35:54:fe:b4:31:29:a8:70:f8:bf:b0:31:4a:85:79:31:99:da:7c:72:3a:21:f1:77:ec:d9:50:2a:8e:75:ab:34:c8:bf:82:0b:08:de:74:56:48:ba:56:17:30:1a:22:09:a1:f4:b3:cd:d3:6f:84:12:dc:a3:0e:33:95:91:27:4a:ee:f6:4e:2a:d0:85:9c:04:cc:52:c9:f8:5a:f3:78:e5:de:3e:28:5b:21:d0:ff:4a:54:79:4c:d8:81:a1:4e:3f:52:b5:71:d2:6f:5e:13:c0:33:48:53:5c:7f:7e:34:4f:e9:3b:53:7f:00:a0:80:60:69:e5:94:b0:00:1e:33:08:ec:c9:9a:31:de:40:8e:6b:0a:da:67:30:98:16:be:7f:da:11:c0:e0:64:77:09:6b:a6:26:e8:bb:45:17:88:88:f1:d4:e8:cc:d5:e9:70:ca:c2:1b:72:3d:00:e4:2f:6c:e4:68:ab:7e:03:e3:43:fc:eb:66:b2:7a:0d:c7:27:bc:40:a3:37:bf:76:eb:55:ed:a7:13:54:b7:e2:c5
Exponent: 65537 (0x10001)

2.2.3 内容比较

Modules：模组，双钥都包含这个数，且内容是一样的
publicExponent：公钥指数，一般是固定值65537
privateExponent：私钥指数
prime1：素数1
prime2：素数2
exponent1：指数1
exponent2：指数2
coefficient：系数

3. 命令rsautl

3.1 加密-encrypt

openssl rsautl -encrypt -inkey pub.key -pubin -in text.txt -out sec_text.enc

在这里插入图片描述

3.2 解密-decrypt

openssl rsautl -decrypt -inkey priv.key -in sec_text.enc  -out source.txt && cat source.txt

由于我将cat命令与解密命令进行了拼接，我们能收到命令的返回值：
在这里插入图片描述
此时说明我们成功使用私钥进行了对使用公钥加密后的文件成功解密的处理。

3.3 签名-sign

openssl rsautl -sign -inkey priv.key -in text.txt -out sec_text_sign.enc

在这里插入图片描述

3.4 验签-verify

openssl rsautl -verify -inkey pub.key -pubin -in sec_text_sign.enc -out source_sign.txt

在这里插入图片描述

3.5 实践发现

理论上，使用公钥加密，私钥可以解密；同时用私钥加密，公钥也能解密。
但在OpenSSL工具上，后者并不可以，加密命令可以执行，但解密命令会发生报错：

私钥加密：
公钥解密：

但是使用签名和验签指令实现了该功能。此处的签名和验签其实并不是理论上的签名和验签

4. 命令dgst

# verify by RSA2048 with SHA-256
# Output a base64 string after signing
openssl dgst -sha256 -sign <private key> <file path> | openssl base64 -A# Decode base64 string
$ openssl base64 -d -A -in <base64 encoded file> -out <base64 decoded file>
# Verify the signature
$ openssl dgst -sha256 -verify <public key> -signature <decoded file> <file path>