Encryption and decryption tooling: OpenSSL, a private CA, RPM verification and gpg
1. Components of OpenSSL
1) Three parts:
openssl: the multi-purpose command-line tool
libcrypto: the cryptographic library (ciphers, digests, public-key algorithms)
libssl: the SSL/TLS protocol implementation
2) The openssl command
Two ways of running it: interactive mode (run `openssl` alone to get the `OpenSSL>` prompt) and batch mode (`openssl <subcommand> ...`)
`openssl version` — print the version (`openssl version -a` shows build details)
Subcommands fall into three groups: standard commands, message-digest commands and cipher commands
Standard commands: enc, ca, req, ...   `enc` is the subcommand for symmetric encryption
3) Symmetric encryption
Tools: openssl enc, gpg
Algorithms: 3des, aes, blowfish, twofish (for new data use AES only; 3DES and Blowfish are deprecated 64-bit block ciphers)
4) The enc command: man enc (on OpenSSL 1.1+ the page is `openssl-enc`)
Encrypt:
openssl enc -e -des3 -a -salt -in /tmp/fstab -out fstab.cipher
Decrypt:
openssl enc -d -des3 -a -salt -in fstab.cipher -out fstab
Note: -des3 is legacy; prefer `-aes-256-cbc` and add `-pbkdf2` (optionally `-iter N`) so the password is stretched instead of going through the weak default EVP_BytesToKey derivation. The same cipher and KDF options must be given again when decrypting. enc provides confidentiality only — there is no integrity check, so a tampered ciphertext decrypts to garbage without an error.
5) `openssl dgst -md5 fstab` produces the same digest as `md5sum fstab`
6) One-way hashing
Tools: md5sum, sha1sum, sha224sum, sha256sum…
openssl dgst
7) The dgst command: man dgst
openssl dgst -md5 [-hex] /PATH/TO/SOMEFILE
openssl dgst -md5 fstab
md5sum /PATH/TO/SOMEFILE
(MD5 and SHA-1 are broken for collision resistance; use -sha256 or stronger wherever the digest protects integrity or feeds a signature.)
8) MAC: Message Authentication Code — an extension of one-way hashing that uses a shared secret key so the receiver can verify the integrity (and origin) of data transmitted over the network
CBC-MAC
HMAC: built on a hash function such as md5 or sha1 (HMAC-SHA256 is the current choice)
9) Generating a user password hash
passwd subcommand: man sslpasswd
openssl passwd -1 -salt SALT   (salt: up to 8 characters)
openssl passwd -1 -salt centos
Note: -1 produces the MD5-crypt format ($1$). For /etc/shadow on current systems use `-6` (SHA-512 crypt, $6$) or `-5` (SHA-256 crypt); omit -salt and openssl generates a random salt, which is what you want outside a demo.
10) Generating random data: man sslrand
openssl rand -base64|-hex NUM
NUM is the number of bytes; with -hex each byte prints as two hex characters (4 bits each), so the output is NUM*2 characters long
11) Public-key encryption
Algorithms: RSA, ELGamal
Tools: gpg, openssl rsautl (man rsautl; deprecated in OpenSSL 3 in favour of `openssl pkeyutl`)
12) Digital signatures
Algorithms: RSA, DSA, ELGamal
13) Key exchange
Algorithm: dh (Diffie-Hellman)
DSA: Digital Signature Algorithm
DSS: Digital Signature Standard
RSA: usable for both encryption and signing
14) Public-key encryption — generating a key pair: man genrsa
Generate the private key:
openssl genrsa -out /PATH/TO/PRIVATEKEY.FILE NUM_BITS
(umask 077; openssl genrsa -out key.pri -aes256 2048)
(The subshell with umask 077 makes the key file readable only by its owner. The original note passed `-des`, i.e. single-DES passphrase encryption, which is far too weak for protecting a key file; use -aes256. 2048 bits is the minimum, 3072 or more is preferred for new keys.)
Extract the public key from the private key:
openssl rsa -in PRIVATEKEYFILE -pubout -out PUBLICKEYFILE
openssl rsa -in aaa.key -pubout -out aaa.pub
Random-number generators: the kernel produces pseudo-random output seeded from collected entropy
Entropy sources: keyboard and mouse timing, block-device interrupts
/dev/random: returns random bytes only from the entropy pool; blocks when the pool is exhausted
/dev/urandom: returns bytes from the pool, and when it is exhausted continues from the CSPRNG; never blocks
(Since Linux 5.6 both devices are fed by the same CSPRNG and /dev/random only blocks until it has been seeded once; on a seeded system /dev/urandom is the correct source for key generation.)
2. OpenSSL and CA management
1) PKI: Public Key Infrastructure
CA: Certificate Authority — signs certificates
RA: Registration Authority — verifies the applicant's identity
CRL: Certificate Revocation List
Certificate repository; two kinds of CA: private CA and public CA
OpenCA (a separate CA management front-end built on OpenSSL)
Issuing a certificate takes four steps: 1. generate the certificate request  2. RA verification  3. CA signing  4. retrieve the certificate. The following sections build a private CA with openssl
openssl configuration file: /etc/pki/tls/openssl.cnf (its [ CA_default ] section defines the /etc/pki/CA directory layout used below)
(1) Create the files the CA needs (index.txt is the certificate database, serial holds the next serial number to issue)
touch /etc/pki/CA/index.txt
echo 01 > /etc/pki/CA/serial
(2) CA self-signed certificate
Generate the CA private key:
cd /etc/pki/CA/
(umask 066; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
(For a real CA add `-aes256` so the key is passphrase-protected, and keep the CA host offline; anyone holding cakey.pem can issue certificates trusted by every client that trusts this CA.)
Generate the self-signed certificate:
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 \
-out /etc/pki/CA/cacert.pem
-new: generate a new certificate request
-x509: output a self-signed certificate instead of a request (used only for the CA's own certificate)
-key: the private key file to use
-days n: validity period in days
-out /PATH/TO/SOMECERTFILE: where to write the certificate
(3) Issuing a certificate
(a) On the host that needs the certificate, generate a private key and a certificate signing request
Generate the private key for the web server:
(umask 066; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
Generate the certificate signing request:
openssl req -new -key /etc/httpd/ssl/httpd.key -days 365 -out /etc/httpd/ssl/httpd.csr
(-days has no effect here: a CSR carries no validity period; the lifetime is set by the CA when it signs)
(b) Send the request file to the CA (for example copy it to /tmp/httpd.csr on the CA host)
(c) The CA signs the certificate and returns it to the requester
openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
Note: by default the [ policy_match ] policy in openssl.cnf requires the request's countryName, stateOrProvinceName and organizationName to match the CA certificate; a request with different values is rejected unless another policy is selected (e.g. `-policy policy_anything`). Check the request with `openssl req -in /tmp/httpd.csr -noout -text` before signing it.
(d) Inspect a certificate
openssl x509 -in /PATH/FROM/CERT_FILE -noout -text|subject|serial|dates
(4) Revoking a certificate
(a) On the client, get the serial and subject of the certificate to revoke
openssl x509 -in /PATH/FROM/CERT_FILE -noout -serial -subject
(b) On the CA, compare the submitted serial and subject with the entry in index.txt to confirm it is a certificate this CA issued
Revoke the certificate:
openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem
In index.txt the status column of the entry changes: V = valid, R = revoked
(The CA's copies under /etc/pki/CA/newcerts are named by serial number, e.g. 01.pem)
(c) Create the CRL number file (only needed before the first CRL is generated)
echo 01 > /etc/pki/CA/crlnumber
(d) Generate or update the certificate revocation list
openssl ca -gencrl -out /etc/pki/CA/crl/ca.crl
View the CRL:
openssl crl -in /etc/pki/CA/crl/ca.crl -noout -text
Note: in production the CRL must be published where clients can fetch it (a CRL distribution point, or OCSP) and regenerated before its nextUpdate time passes; a revocation that only exists in the CA's index.txt has no effect on clients
3. Verifying RPM packages
1) Package origin (legitimacy): GPG signature check   2) Package integrity: file checksums
Checksum of installed files:
rpm -V package_name   (--verify; compares the installed files against the package database: size, mode, owner, digest, …)
3) Signature check of a package file
GPG public-key signature:
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat*
rpm --checksig package_file_name   (or -K; only meaningful after the vendor key is imported, and the key file itself must come from a trusted source, e.g. the installation media, not from the same untrusted download as the package)
4. Encryption with gpg
1) Symmetric encryption with gpg
Encrypt file with a passphrase (gpg prompts for it):
gpg -c file
ls file.gpg
Decrypt file:
gpg -o file2 -d file.gpg
2) Public-key encryption with gpg: encrypting a file on one host for a key pair generated on another
On hostA, generate a public/private key pair
gpg --gen-key
On hostA, list the public keys
gpg --list-keys
On hostA, export the public key (ASCII-armored) to wang.pubkey
gpg -a --export -o wang.pubkey
Copy the public key from hostA to hostB, where the data will be encrypted
scp wang.pubkey hostB
On hostB (the host that encrypts the data), generate its own key pair
gpg --list-keys
gpg --gen-key
On hostB, import hostA's public key (before relying on it, compare `gpg --fingerprint wangedu` with the fingerprint obtained from hostA's owner out of band — an attacker who can replace wang.pubkey in transit can read everything encrypted to it)
gpg --import wang.pubkey
gpg --list-keys
On hostB, encrypt file with the imported public key of hostA's user (wangedu); this produces file.gpg
gpg -e -r wangedu file
file file.gpg
Copy the encrypted file back to hostA
scp file.gpg hostA
On hostA, decrypt the file with the private key
gpg -d file.gpg
gpg -o file -d file.gpg
Delete the keys (the secret key must be deleted before the public key)
gpg --delete-secret-keys wangedu
gpg --delete-keys wangedu