OpenSSL #103

Open
hysryt opened this issue Dec 11, 2018 · 5 comments

hysryt commented Dec 11, 2018

https://www.openssl.org/

hysryt commented Dec 11, 2018

Overview

Software from The OpenSSL Project.
As of 2018/12/11, the latest version is OpenSSL 1.1.1, released on 2018/09/11.

Keys, certificates, CSRs and the like are all represented in a data structure called ASN.1.

  • ASN.1 (Abstract Syntax Notation One)

Two encoding formats are commonly used for ASN.1: DER and PEM.

  • DER (Distinguished Encoding Rules)
  • PEM (Privacy-Enhanced Mail)

OpenSSL uses PEM as its default encoding.


hysryt commented Dec 11, 2018

openssl genrsa

https://www.openssl.org/docs/man1.0.2/apps/genrsa.html
Generates an RSA private key in PEM format.

Simple key generation

$ openssl genrsa > private-key.pem
Generating RSA private key, 2048 bit long modulus
.......................+++
...................+++
e is 65537 (0x10001)

Key generation with a specified key length

$ openssl genrsa 3000 > private-key.pem
Generating RSA private key, 3000 bit long modulus
..........++
......................++
e is 65537 (0x10001)


hysryt commented Dec 11, 2018

openssl rsa

https://www.openssl.org/docs/man1.0.2/apps/rsa.html
A tool for RSA keys

Generate a public key from a private key

$ openssl rsa -in private-key.pem -pubout > public-key.pem
writing RSA key

Print the contents of the private key

prime1 and prime2 are the primes.

$ openssl rsa -in private-key.pem -text -noout
Private-Key: (2048 bit)
modulus:
    00:de:82:ca:fb:46:4d:be:76:d2:23:25:81:70:fd:
    ba:d2:84:e7:3c:21:3b:ae:be:f6:a4:5b:08:56:dc:
    c4:0a:d3:0a:fd:35:14:59:39:80:68:77:3b:c6:6e:
    cc:91:d9:79:8c:9a:9e:73:f1:bf:0c:2a:bb:4c:24:
    48:7c:ca:d9:bf:8f:7a:4d:0f:0a:e1:a3:3f:2f:ff:
    da:47:06:b5:fb:18:65:75:26:14:3b:46:b8:bf:ee:
    37:67:0f:fc:7c:b5:9c:c8:7d:f0:c8:c0:32:6f:3c:
    a3:d4:41:93:eb:7a:4d:31:b1:89:7b:4a:e3:c4:bf:
    03:42:c6:e2:29:9c:87:ec:fa:c9:d7:27:4e:f5:e3:
    68:09:d6:85:3c:99:74:9c:9b:3e:c2:d9:b5:16:3f:
    cf:2c:8e:3a:1f:3d:1e:16:f1:7d:e1:97:80:45:22:
    fe:0d:11:5e:8c:04:73:50:3f:90:57:db:c3:b1:99:
    2c:e4:0a:7b:99:f2:ca:cd:79:d6:dc:ff:e0:89:1f:
    4a:9e:5f:c7:2b:0b:8b:36:bf:5c:5a:33:06:e3:ff:
    68:cf:ec:3d:11:5d:80:bf:e8:b6:e2:98:a3:73:18:
    bc:94:26:d1:b8:c7:e5:0a:f0:89:6a:18:a5:c4:97:
    6d:9e:38:35:d0:b0:ce:8b:b9:32:cc:45:93:c4:61:
    b2:bb
publicExponent: 65537 (0x10001)
privateExponent:
    60:47:ec:19:0a:74:bd:83:a0:ae:00:9e:a0:0b:ca:
    79:29:74:fd:39:cc:1f:73:16:3a:4c:01:b1:c4:59:
    37:ed:d6:05:76:a0:55:73:62:32:d1:d5:15:a9:ff:
    ee:e4:51:8a:1b:a5:90:b9:fc:57:01:6e:86:25:f5:
    0f:ba:9e:ba:1b:15:6a:9e:a5:b0:b8:f8:b0:86:5f:
    26:f8:aa:69:fa:46:7c:88:7b:9c:a2:9f:72:bd:5b:
    4f:c7:45:13:99:6a:3b:fe:f2:df:8a:fa:c7:d3:4f:
    78:9a:df:ac:b7:01:0c:0d:ac:55:a3:34:27:80:17:
    a3:1f:77:e1:55:90:23:64:1a:bb:84:99:e8:b5:93:
    11:50:48:e0:18:eb:4e:54:ec:6f:16:cd:5f:d3:92:
    0b:56:5d:17:17:76:84:6b:02:31:2c:97:6c:af:a1:
    ff:70:0a:13:c1:74:37:5b:8f:6e:9b:00:12:59:5d:
    9e:f8:3e:50:44:e8:5e:0b:31:ea:19:52:03:6f:95:
    7f:4f:8b:26:2b:f2:51:e8:b3:53:bd:56:76:7c:5e:
    c1:76:e6:3f:70:c8:d8:40:39:f9:b8:df:9f:ac:bc:
    a5:c1:77:7e:71:3f:da:61:9e:67:6d:14:04:89:40:
    c7:a7:75:45:ee:b6:e0:1d:32:63:92:71:be:b1:f8:
    11
prime1:
    00:f2:79:20:c0:5e:4d:35:b5:ef:b7:fb:33:98:92:
    04:55:c7:95:9b:93:a4:92:c6:cc:96:2d:ae:ee:6c:
    07:88:0b:ff:19:60:8b:8c:ee:27:e0:37:b3:42:2c:
    d6:9d:b5:f0:03:a9:92:fe:04:3d:71:f7:f1:d8:01:
    eb:1c:ee:e8:1d:a3:94:cb:9e:60:69:18:94:96:82:
    95:71:c4:de:3b:10:4a:37:f5:76:74:c8:d3:7e:7b:
    70:14:a6:26:0f:7e:71:04:47:e5:bf:5a:9b:97:f5:
    e8:d8:25:3a:1a:93:cd:c0:e3:f0:38:16:b6:48:11:
    26:61:e8:ac:43:fb:51:53:af
prime2:
    00:ea:ec:93:27:cb:3f:10:d8:93:19:02:9f:7a:5f:
    0c:50:61:b2:bc:57:64:7e:a6:91:d8:65:dc:21:f2:
    6e:fb:aa:18:14:9f:98:28:6c:14:08:fe:1c:00:a7:
    56:c2:68:0d:17:62:fd:5a:c3:38:a6:b0:00:d5:97:
    82:60:8b:f8:b4:b7:7c:95:de:10:22:e4:0d:c3:86:
    0a:d9:ce:6e:cb:1b:3b:d0:96:16:e3:78:8e:44:69:
    41:e3:aa:dd:0d:ad:3a:11:dd:16:dd:c1:bd:2b:b3:
    b8:14:d9:aa:06:f1:2f:e3:b6:f0:5c:ca:76:7b:95:
    90:9b:d6:3f:b1:86:30:f8:b5
exponent1:
    7a:9c:6d:c7:58:e8:4a:24:ba:17:9a:db:38:67:7d:
    f1:b2:7f:20:b0:c4:23:c4:8b:67:d5:aa:03:be:75:
    00:82:b0:78:b0:ad:60:92:7d:6f:90:3b:01:57:93:
    1f:25:05:3d:94:de:53:bc:e9:25:5c:6f:da:fe:fd:
    59:20:26:17:f6:c4:23:42:ef:15:b5:ec:4d:3f:b3:
    3a:58:86:d7:ef:20:d8:b3:33:37:52:e6:3f:ab:43:
    bd:ed:56:89:b7:32:87:2b:a4:2d:e3:2f:92:e4:32:
    de:39:d4:eb:e3:99:c3:d4:7f:80:9d:5b:87:8d:c4:
    8e:f6:0d:46:43:2b:98:d9
exponent2:
    51:9e:29:ae:0c:a5:f7:83:56:ef:bc:82:8d:b0:52:
    05:e7:3b:82:c5:d6:0b:4e:71:a3:3e:18:51:ce:f9:
    92:03:d1:63:f0:e2:9b:40:99:61:5a:6f:7e:26:a5:
    34:db:93:98:c9:72:7e:43:0e:fe:92:6d:67:c7:c0:
    ab:2c:56:16:eb:1c:a4:b0:c6:e8:68:55:03:d6:21:
    14:f4:ec:77:32:1a:00:e8:f4:40:c9:54:9c:1d:f9:
    9f:50:70:86:5c:e5:ac:e9:24:15:9d:46:cc:d5:1e:
    a2:57:d1:03:a2:6d:e1:ee:5f:e9:cd:09:86:fc:3a:
    86:79:d4:1d:28:23:01:75
coefficient:
    00:f2:5b:2f:1d:bf:24:ca:05:51:19:4e:7a:3a:9f:
    fa:6a:e8:92:25:27:6f:31:62:ee:56:ee:61:a8:2a:
    9f:f3:71:c6:9b:3b:dd:4a:51:1e:ab:1e:c8:70:82:
    49:1f:3f:49:f9:05:5d:2d:7c:02:6b:22:39:65:89:
    0f:e4:e2:7a:cf:73:8b:29:50:fc:81:4c:18:e1:ab:
    9c:a8:5d:0b:0c:d6:96:b6:c7:9d:8e:9f:c7:63:14:
    5d:fe:69:27:93:ce:80:69:b7:b4:53:e1:d1:bc:6a:
    ff:36:78:98:4f:df:ae:09:dd:fe:5d:6d:0d:61:c4:
    31:3e:a4:2a:dc:de:3e:e9:a0

Print the contents of the public key

$ openssl rsa -in public-key.pem -pubin -text -noout
Public-Key: (2048 bit)
Modulus:
    00:c9:bf:ea:75:45:07:89:40:41:e3:f4:b3:a4:6a:
    38:0e:26:bb:13:26:8c:c2:e2:32:40:d1:9c:80:17:
    4e:15:cf:22:6a:70:27:93:dd:de:ac:01:6f:5a:1c:
    c9:14:97:df:18:c3:e2:62:22:09:95:3e:42:47:28:
    46:78:94:9e:b4:59:d3:fa:d9:f8:70:83:30:c6:02:
    1d:9e:0e:69:26:f4:1e:ce:91:e0:44:15:35:d2:c2:
    26:08:ad:8a:17:fc:23:a3:bc:cd:4b:e1:41:ef:62:
    a4:4c:71:08:a4:3b:a5:ed:23:e0:31:f5:26:74:57:
    d4:5b:90:c1:6e:8a:5b:60:12:de:92:88:a9:8d:f2:
    b6:14:0a:e9:f1:d3:92:8f:85:50:2f:9c:d9:ad:12:
    8f:1e:3a:37:47:34:23:3c:f4:46:1b:45:de:78:87:
    c1:20:29:bb:5b:29:e9:36:a0:0c:be:47:bf:b9:e3:
    98:ee:f4:35:9a:a7:77:8f:62:4e:11:76:ca:d5:49:
    3e:dd:3d:3f:03:5c:da:ba:8c:11:dd:f8:66:26:3e:
    42:7e:9f:c8:2a:6a:df:7d:66:cb:3e:20:a0:33:0c:
    8d:f3:6a:9d:dd:55:85:24:52:d9:d2:c1:75:b7:e8:
    72:8e:26:e0:41:f5:25:52:57:4e:af:9e:ac:92:39:
    23:65
Exponent: 65537 (0x10001)
writing RSA key

Convert the key encoding from PEM to DER

$ openssl rsa -in private-key.pem -outform der > private-key.der
writing RSA key
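
Added example (not part of the original notes): a minimal Python reader for the PKCS#1 RSAPrivateKey structure, showing that PEM is base64-wrapped DER and where the fields printed by `-text` come from. It assumes the `-----BEGIN RSA PRIVATE KEY-----` layout; the toy key and all function names are constructed for illustration.

```python
import base64

def der(tag, content):
    # Build one TLV; short-form length is enough for the toy key below
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content

def der_int(v):
    # INTEGER: the extra high byte keeps the sign bit clear (the leading 00: in -text output)
    return der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def read_tlv(buf, pos):
    # Return (tag, value, next_pos); handles short and long definite lengths
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def pem_encode(der_bytes, label):
    b64 = base64.b64encode(der_bytes).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *rows, f"-----END {label}-----"])

def pem_decode(pem):
    rows = [r for r in pem.strip().splitlines() if not r.startswith("-----")]
    return base64.b64decode("".join(rows))

FIELDS = ["version", "modulus", "publicExponent", "privateExponent",
          "prime1", "prime2", "exponent1", "exponent2", "coefficient"]

def parse_rsa_private_key(der_bytes):
    outer, body, _ = read_tlv(der_bytes, 0)
    key, pos = {}, 0
    for name in FIELDS:
        tag, val, pos = read_tlv(body, pos)
        if outer != 0x30 or tag != 0x02:
            raise ValueError("not a PKCS#1 RSAPrivateKey")
        key[name] = int.from_bytes(val, "big")
    return key

p, q, e = 61, 53, 17  # constructed toy key, far too small to be secure
d = pow(e, -1, (p - 1) * (q - 1))
nums = [0, p * q, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p)]
TOY_PEM = pem_encode(der(0x30, b"".join(map(der_int, nums))), "RSA PRIVATE KEY")
KEY = parse_rsa_private_key(pem_decode(TOY_PEM))
```

`pem_decode` returns the same bytes that `openssl rsa -outform der` writes for a key in this layout, and `KEY["prime1"] * KEY["prime2"]` equals `KEY["modulus"]`.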


hysryt commented Dec 11, 2018

openssl req

https://www.openssl.org/docs/man1.0.2/apps/req.html
A tool for certificate signing requests conforming to PKCS#10

Create a CSR

Creates a CSR in PEM format.
The private key must be passed in order to sign the CSR.

$ openssl req -new -key private-key.pem > request.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:JP
State or Province Name (full name) []:Gifu
Locality Name (eg, city) []:Mizunami
Organization Name (eg, company) []:
Organizational Unit Name (eg, section) []:
Common Name (eg, fully qualified host name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:

Print the contents of the CSR

Modulus: is the public key, and the thing at the very end is the signature (probably)

$ openssl req -in request.csr -text -noout
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=JP, ST=Gifu, L=Mizunami
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:de:82:ca:fb:46:4d:be:76:d2:23:25:81:70:fd:
                    ba:d2:84:e7:3c:21:3b:ae:be:f6:a4:5b:08:56:dc:
                    c4:0a:d3:0a:fd:35:14:59:39:80:68:77:3b:c6:6e:
                    cc:91:d9:79:8c:9a:9e:73:f1:bf:0c:2a:bb:4c:24:
                    48:7c:ca:d9:bf:8f:7a:4d:0f:0a:e1:a3:3f:2f:ff:
                    da:47:06:b5:fb:18:65:75:26:14:3b:46:b8:bf:ee:
                    37:67:0f:fc:7c:b5:9c:c8:7d:f0:c8:c0:32:6f:3c:
                    a3:d4:41:93:eb:7a:4d:31:b1:89:7b:4a:e3:c4:bf:
                    03:42:c6:e2:29:9c:87:ec:fa:c9:d7:27:4e:f5:e3:
                    68:09:d6:85:3c:99:74:9c:9b:3e:c2:d9:b5:16:3f:
                    cf:2c:8e:3a:1f:3d:1e:16:f1:7d:e1:97:80:45:22:
                    fe:0d:11:5e:8c:04:73:50:3f:90:57:db:c3:b1:99:
                    2c:e4:0a:7b:99:f2:ca:cd:79:d6:dc:ff:e0:89:1f:
                    4a:9e:5f:c7:2b:0b:8b:36:bf:5c:5a:33:06:e3:ff:
                    68:cf:ec:3d:11:5d:80:bf:e8:b6:e2:98:a3:73:18:
                    bc:94:26:d1:b8:c7:e5:0a:f0:89:6a:18:a5:c4:97:
                    6d:9e:38:35:d0:b0:ce:8b:b9:32:cc:45:93:c4:61:
                    b2:bb
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         3e:b6:03:e7:90:62:32:fd:c6:8a:50:6d:d4:52:a9:0d:ed:f6:
         1f:2d:32:c1:92:e4:ad:6a:11:89:e2:9b:cf:54:98:79:fa:5d:
         3e:e1:01:17:29:c5:af:43:f7:b5:98:44:41:76:b1:82:8d:93:
         66:44:d5:1c:69:c7:cd:61:79:74:8d:cd:81:bf:4a:41:ea:86:
         90:5d:45:28:b3:81:54:83:ab:3b:b1:0a:ca:60:a5:a3:26:8a:
         5d:4e:04:ce:ee:66:f6:f4:ba:23:ea:47:91:cb:af:6e:3b:a1:
         05:a6:db:32:92:93:69:ea:ea:36:b0:78:9e:a6:2b:53:38:d7:
         92:1b:ef:d0:49:a2:e3:d9:ee:0d:87:4a:a3:7b:ab:11:81:48:
         e4:63:e0:2f:5b:fa:be:cd:03:7e:8a:ef:5c:8a:62:cb:c0:b4:
         e1:14:9b:70:70:22:df:56:7e:33:c5:e3:4f:5c:b4:58:bb:cf:
         56:2c:0e:83:bd:31:e6:d0:74:ae:31:de:6e:87:90:2a:0b:ba:
         b8:fd:8a:15:92:57:40:f8:90:2d:e8:a8:fe:70:fd:08:7a:16:
         4d:52:b9:a5:ea:23:7b:bc:bc:08:c7:59:c3:b4:76:52:a2:16:
         9a:34:5f:09:d7:14:61:be:80:41:71:5c:9b:26:48:cd:69:15:
         44:ec:94:93


hysryt commented Dec 11, 2018

openssl x509

https://www.openssl.org/docs/man1.0.2/apps/x509.html
A tool for certificates

Create a certificate from a CSR

Signed with a validity period of 90 days.

$ openssl x509 -req -in request.csr -signkey private-key.pem -days 90 > public-key.crt
Signature ok
subject=/C=JP/ST=Gifu/L=Mizunami
Getting Private key

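Print the contents of the certificate

Modulus: is the public key contained in the CSR, and the thing at the very end is the signature made with the certificate authority's private key (probably)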

$ openssl x509 -in public-key.crt -text -noout
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 16314587825692551598 (0xe2690f30675129ae)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=JP, ST=Gifu, L=Mizunami
        Validity
            Not Before: Dec 11 11:32:57 2018 GMT
            Not After : Mar 11 11:32:57 2019 GMT
        Subject: C=JP, ST=Gifu, L=Mizunami
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:de:82:ca:fb:46:4d:be:76:d2:23:25:81:70:fd:
                    ba:d2:84:e7:3c:21:3b:ae:be:f6:a4:5b:08:56:dc:
                    c4:0a:d3:0a:fd:35:14:59:39:80:68:77:3b:c6:6e:
                    cc:91:d9:79:8c:9a:9e:73:f1:bf:0c:2a:bb:4c:24:
                    48:7c:ca:d9:bf:8f:7a:4d:0f:0a:e1:a3:3f:2f:ff:
                    da:47:06:b5:fb:18:65:75:26:14:3b:46:b8:bf:ee:
                    37:67:0f:fc:7c:b5:9c:c8:7d:f0:c8:c0:32:6f:3c:
                    a3:d4:41:93:eb:7a:4d:31:b1:89:7b:4a:e3:c4:bf:
                    03:42:c6:e2:29:9c:87:ec:fa:c9:d7:27:4e:f5:e3:
                    68:09:d6:85:3c:99:74:9c:9b:3e:c2:d9:b5:16:3f:
                    cf:2c:8e:3a:1f:3d:1e:16:f1:7d:e1:97:80:45:22:
                    fe:0d:11:5e:8c:04:73:50:3f:90:57:db:c3:b1:99:
                    2c:e4:0a:7b:99:f2:ca:cd:79:d6:dc:ff:e0:89:1f:
                    4a:9e:5f:c7:2b:0b:8b:36:bf:5c:5a:33:06:e3:ff:
                    68:cf:ec:3d:11:5d:80:bf:e8:b6:e2:98:a3:73:18:
                    bc:94:26:d1:b8:c7:e5:0a:f0:89:6a:18:a5:c4:97:
                    6d:9e:38:35:d0:b0:ce:8b:b9:32:cc:45:93:c4:61:
                    b2:bb
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
         62:0e:58:cc:2a:e8:7b:94:0e:37:3f:62:a9:0b:5a:9d:ab:a4:
         98:47:0f:d8:63:11:75:c3:5e:c6:be:b6:fc:a2:a4:fc:53:89:
         f4:c5:4c:3f:67:a3:76:0c:07:32:05:1e:e6:a8:42:ad:39:96:
         41:ef:5f:aa:60:db:08:2a:b9:9f:a0:8b:f4:45:7a:e6:ee:73:
         45:16:8d:cf:c1:d2:28:d9:f4:a0:56:6b:21:06:9b:e3:cc:a1:
         d1:8f:cc:dd:db:f7:c2:61:5f:4e:d2:1a:de:0a:0c:73:53:c7:
         c0:8c:99:20:c9:0b:ff:4f:99:ef:37:d2:95:97:cb:05:3d:f5:
         a0:b8:b5:a9:5a:06:11:51:d4:fe:90:c8:00:53:c2:dd:eb:15:
         1f:80:06:6a:70:e1:5e:dc:ad:b9:34:37:88:ae:43:a1:be:1f:
         20:42:18:7e:7f:88:50:a8:d3:9e:96:51:0c:52:1a:02:b7:2b:
         0d:1b:7e:df:dc:0a:9f:1b:fc:7e:10:11:ab:0f:e5:3b:0e:81:
         de:ac:33:e2:d5:01:9c:cf:20:13:74:d1:1a:2b:a4:f6:f5:59:
         09:3e:7e:a0:37:38:42:05:a8:77:ab:f5:e4:49:4f:49:92:3b:
         59:5b:54:90:5d:d3:0b:a0:da:87:04:d1:70:e4:bb:ff:3c:05:
         e9:09:6c:41
