jorben/openssl_tool.txt

## openssl_tool.txt
1) Generate RSA key:

$ openssl genrsa -out key.pem 1024
$ openssl rsa -in key.pem -text -noout
2) Save public key in pub.pem file:

$ openssl rsa -in key.pem -pubout -out pub.pem
$ openssl rsa -in pub.pem -pubin -text -noout
3) Encrypt some data:

$ echo test test test > file.txt
$ openssl rsautl -encrypt -inkey pub.pem -pubin -in file.txt -out file.bin
4) Decrypt encrypted data:

$ openssl rsautl -decrypt -inkey key.pem -in file.bin
It works like a charm


私钥生成签名
$openssl rsautl -sign -inkey key.pem -in md.txt -out sign.bin

公钥验证签名
$openssl rsautl -verify -inkey pub.pem -pubin -in sign.bin -out sign.txt


cer证书中提取公钥
openssl x509 -outform PEM -in gzcb_1.cer -pubkey -out gzcb_1.pem

从pfx提取密钥信息，并转换为key格式（pfx使用pkcs12模式补足）

1、提取密钥对（如果pfx证书已加密，会提示输入密码。）
       openssl pkcs12 -in 1.pfx -nocerts -nodes -out 1.key

2、从密钥对提取私钥
       openssl rsa -in  1.key -out 1_pri.key

3、从密钥对提取公钥
       openssl rsa -in 1.key -pubout -out 1_pub.key

4、因为RSA算法使用的是pkcs8模式补足，需要对提取的私钥进一步处理

       openssl pkcs8 -in 1_pri.key -out 1_pri.p8 -outform der -nocrypt -topk8


#shell openssl 签名验签
#!/bin/bash


PRE_MD5='3020300c06082a864886f70d020505000410'
PUB_KEY='./gzcb_3000000001_pub.key'

REPORT_FILE='./report.txt'
TMP_SIGNN_FILE='./signn.txt'
TMP_SIGNN_BIN_FILE='./signn.bin'
TMP_REPORT_MD5_FILE='./md5check.txt'
TMP_REPORT_MD5_BIN_FILE='./md5check.bin'
TMP_DATA_FILE='./report.data.csv'
VERIFY_RESULT_FILE='./verifyresult.txt'

tail -1 $REPORT_FILE |awk -F"," '{print $6}' |base64 -d > $TMP_SIGNN_BIN_FILE
grep '^R\|^T' $REPORT_FILE > $TMP_DATA_FILE

openssl rsautl -verify -pubin -inkey $PUB_KEY -in $TMP_SIGNN_BIN_FILE |xxd -p | tr -d '\n' > $VERIFY_RESULT_FILE

openssl dgst -md5 $TMP_DATA_FILE > $TMP_REPORT_MD5_FILE
read dirty1 BUF dirty2 < $TMP_REPORT_MD5_FILE
echo $PRE_MD5$BUF | tr -d '\n' > $TMP_REPORT_MD5_FILE

diff $TMP_REPORT_MD5_FILE $VERIFY_RESULT_FILE
if [[ $? = 0 ]];then
    echo "check pass!"
else
    echo "not match!"
fi


#PRI_KEY='./gzcb_3000000001_pri.key'
#cat $TMP_REPORT_MD5_FILE |xxd -r -p > $TMP_REPORT_MD5_BIN_FILE
#openssl rsautl -sign -inkey $PRI_KEY -in $TMP_REPORT_MD5_BIN_FILE -out $TMP_SIGNN_BIN_FILE
#base64 $TMP_SIGNN_BIN_FILE > $TMP_SIGNN_FILE


# python 签名
from Crypto.Signature import PKCS1_v1_5 as pk
from Crypto.PublicKey import RSA
# from Crypto.Hash import SHA # 使用SHA或MD5签名
from Crypto.Hash import MD5
prikey= RSA.importKey(open('./pri.key','r').read())
content = "hello world!"
hash = MD5.new(content)
signer = pk.new(prikey)
signn=signer.sign(hash)
signn=base64.b64encode(signn)


# python 验签
from Crypto.Signature import PKCS1_v1_5 as pk
from Crypto.PublicKey import RSA
# from Crypto.Hash import SHA # 使用SHA或MD5签名
from Crypto.Hash import MD5
import base64

pubkey= RSA.importKey(open('./pub.pem','r').read())
signn=base64.b64decode("XXxxXX==")
verifier = pk.new(pubkey)
verifier.verify(SHA.new("source string"), signn)
	1) Generate RSA key:

	$ openssl genrsa -out key.pem 1024
	$ openssl rsa -in key.pem -text -noout
	2) Save public key in pub.pem file:

	$ openssl rsa -in key.pem -pubout -out pub.pem
	$ openssl rsa -in pub.pem -pubin -text -noout
	3) Encrypt some data:

	$ echo test test test > file.txt
	$ openssl rsautl -encrypt -inkey pub.pem -pubin -in file.txt -out file.bin
	4) Decrypt encrypted data:

	$ openssl rsautl -decrypt -inkey key.pem -in file.bin
	It works like a charm


	私钥生成签名
	$openssl rsautl -sign -inkey key.pem -in md.txt -out sign.bin

	公钥验证签名
	$openssl rsautl -verify -inkey pub.pem -pubin -in sign.bin -out sign.txt


	cer证书中提取公钥
	openssl x509 -outform PEM -in gzcb_1.cer -pubkey -out gzcb_1.pem

	从pfx提取密钥信息，并转换为key格式（pfx使用pkcs12模式补足）

	1、提取密钥对（如果pfx证书已加密，会提示输入密码。）
	openssl pkcs12 -in 1.pfx -nocerts -nodes -out 1.key

	2、从密钥对提取私钥
	openssl rsa -in 1.key -out 1_pri.key

	3、从密钥对提取公钥
	openssl rsa -in 1.key -pubout -out 1_pub.key

	4、因为RSA算法使用的是pkcs8模式补足，需要对提取的私钥进一步处理

	openssl pkcs8 -in 1_pri.key -out 1_pri.p8 -outform der -nocrypt -topk8


	#shell openssl 签名验签
	#!/bin/bash


	PRE_MD5='3020300c06082a864886f70d020505000410'
	PUB_KEY='./gzcb_3000000001_pub.key'

	REPORT_FILE='./report.txt'
	TMP_SIGNN_FILE='./signn.txt'
	TMP_SIGNN_BIN_FILE='./signn.bin'
	TMP_REPORT_MD5_FILE='./md5check.txt'
	TMP_REPORT_MD5_BIN_FILE='./md5check.bin'
	TMP_DATA_FILE='./report.data.csv'
	VERIFY_RESULT_FILE='./verifyresult.txt'

	tail -1 $REPORT_FILE \|awk -F"," '{print $6}' \|base64 -d > $TMP_SIGNN_BIN_FILE
	grep '^R\\|^T' $REPORT_FILE > $TMP_DATA_FILE

	openssl rsautl -verify -pubin -inkey $PUB_KEY -in $TMP_SIGNN_BIN_FILE \|xxd -p \| tr -d '\n' > $VERIFY_RESULT_FILE

	openssl dgst -md5 $TMP_DATA_FILE > $TMP_REPORT_MD5_FILE
	read dirty1 BUF dirty2 < $TMP_REPORT_MD5_FILE
	echo $PRE_MD5$BUF \| tr -d '\n' > $TMP_REPORT_MD5_FILE

	diff $TMP_REPORT_MD5_FILE $VERIFY_RESULT_FILE
	if [[ $? = 0 ]];then
	echo "check pass!"
	else
	echo "not match!"
	fi


	#PRI_KEY='./gzcb_3000000001_pri.key'
	#cat $TMP_REPORT_MD5_FILE \|xxd -r -p > $TMP_REPORT_MD5_BIN_FILE
	#openssl rsautl -sign -inkey $PRI_KEY -in $TMP_REPORT_MD5_BIN_FILE -out $TMP_SIGNN_BIN_FILE
	#base64 $TMP_SIGNN_BIN_FILE > $TMP_SIGNN_FILE



	# python 签名
	from Crypto.Signature import PKCS1_v1_5 as pk
	from Crypto.PublicKey import RSA
	# from Crypto.Hash import SHA # 使用SHA或MD5签名
	from Crypto.Hash import MD5
	prikey= RSA.importKey(open('./pri.key','r').read())
	content = "hello world!"
	hash = MD5.new(content)
	signer = pk.new(prikey)
	signn=signer.sign(hash)
	signn=base64.b64encode(signn)


	# python 验签
	from Crypto.Signature import PKCS1_v1_5 as pk
	from Crypto.PublicKey import RSA
	# from Crypto.Hash import SHA # 使用SHA或MD5签名
	from Crypto.Hash import MD5
	import base64

	pubkey= RSA.importKey(open('./pub.pem','r').read())
	signn=base64.b64decode("XXxxXX==")
	verifier = pk.new(pubkey)
	verifier.verify(SHA.new("source string"), signn)