(7) OpenSSL dgst (Generate and verify digital signatures)

Source: Internet
Author: User
Tags: openssl, md5

This pseudo-command is a one-way hashing tool: it computes digest (message digest) information for a file, and it can also produce a digital signature and verify one.

The first thing to understand is the signing process: compute the digest of the data, then sign that digest with the private key. The digest is calculated with MD5, SHA-512 or another hash algorithm, and encrypting the digest with the private key yields the digital signature. Once this is clear, the openssl dgst command is fully mastered.

openssl dgst [-md5|-sha1|...] [-hex|-binary] [-out filename] [-sign filename] [-passin arg] [-verify filename] [-prverify filename] [-signature filename] [file ...]

Option description:

file ...: Specifies the file(s) to be digested or signed.

-hex: Output the digest in hex format. Without -hex, a signature written to the terminal appears as garbled binary.

-binary: Output the digest, or the signature, in binary format. This is the default format when signing.

-out filename: Specifies the output file; if not given, output goes to standard output.

-sign filename: Sign the file with the private key in filename. When the signature is going to be verified later, do not add -hex or other formatting options, otherwise verification will fail (tested below).

-signature filename: Specifies the signature file to be validated.

-verify filename: Use the public key in filename to validate the signature.

-prverify filename: Use the private key in filename to validate the signature.

-passin arg: Pass the decryption password. If the public or private key file used for signing or validation is encrypted, the password is passed in to decrypt it.

The following one-way hash (digest) algorithms are supported; this is the hash algorithm used when signing.

-md4 to use the MD4 message digest algorithm

-md5 to use the MD5 message digest algorithm

-ripemd160 to use the RIPEMD160 message digest algorithm

-sha to use the SHA message digest algorithm

-sha1 to use the SHA1 message digest algorithm

-sha224 to use the SHA224 message digest algorithm

-sha256 to use the SHA256 message digest algorithm

-sha384 to use the SHA384 message digest algorithm

-sha512 to use the SHA512 message digest algorithm

-whirlpool to use the Whirlpool message digest algorithm

Note: openssl dgst -md5 and openssl md5 do the same thing, and likewise for the other hash algorithms; for example, openssl dgst -sha is equivalent to openssl sha.

For example:

(1). Generate digest information for arbitrary input (i.e. one-way hash it)

[root@host ~]# echo 123456 | openssl md5
(stdin)= f447b20a7fcbf53a5d5be013ea0b15af

(2). Generate MD5 and SHA512 digest information for the /tmp/a.txt file (the commands below digest rsa.pub instead).

[root@host ~]# openssl dgst -md5 rsa.pub
MD5(rsa.pub)= 0803103e6685ad6ab4b37402a680e205

[root@host ~]# openssl md5 rsa.pub
MD5(rsa.pub)= 0803103e6685ad6ab4b37402a680e205

[root@host ~]# openssl sha512 rsa.pub
SHA512(rsa.pub)= aed7de92f0f4a3545a1afb29fbac75e16577e3edbb65f2a526ceedc28663f56b4b488ccf7b809f1e22369b7f2c5438b90daee70e3af8126a471acbd92278ddd7

[root@host ~]# openssl dgst -sha512 rsa.pub
SHA512(rsa.pub)= aed7de92f0f4a3545a1afb29fbac75e16577e3edbb65f2a526ceedc28663f56b4b488ccf7b809f1e22369b7f2c5438b90daee70e3af8126a471acbd92278ddd7

(3). Generate a private key genrsa.pri, then use it to sign the /tmp/a.txt file. The -hex option is used here so that the output is readable; otherwise the default binary output looks garbled.

[root@host tmp]# openssl genrsa -out genrsa.pri
[root@host tmp]# openssl dgst -md5 -hex -sign genrsa.pri a.txt
RSA-MD5(a.txt)= 7a6930b06dc6980d1a1fee872df5c8c9c887633c8e2f8b951d40aff4e934b206423914129f66651344859981e33c448f3a61274bded973b387065e9c7909bfcfc1d844e35af1453cc248d58170eb27e948a8de862f21a2b7ee34f512b3cc3cb44537e26c62a409e211320b87f74a8fa5ec1bcc790a7c13ffaa9df9aa8c5ddb64

If the signature is to be verified later, save it to a file and do not use the -hex option, otherwise validation of the signature will fail. The following generates two signature files, one with hex format and one without, for the verification tests below.

[root@host tmp]# openssl dgst -md5 -hex -out md5_hex.sign -sign genrsa.pri a.txt
[root@host tmp]# openssl dgst -md5 -out md5_nohex.sign -sign genrsa.pri a.txt

(4). Verify the signature. Verifying a signature actually means generating a new signature for the file being validated and comparing it with the existing signature file; if they are the same, validation passes. Therefore, validation needs not only the signature file to be verified, but also the same algorithm, the same private or public key file, and the signed file itself, so that the new signature information can be generated.

The first test verifies the digital signature file with the private key.

The signature file md5_nohex.sign, which is not in hex format, is validated first. Because the MD5 algorithm was used when generating md5_nohex.sign, the MD5 algorithm must also be specified here.

[root@host tmp]# openssl dgst -md5 -prverify genrsa.pri -signature md5_nohex.sign a.txt
Verified OK

Next the signature file md5_hex.sign, which uses hex format, is validated. Whether or not the -hex option is given during validation, the result is a verification failure.

[root@host tmp]# openssl dgst -md5 -prverify genrsa.pri -signature md5_hex.sign a.txt
Verification Failure
[root@host tmp]# openssl dgst -md5 -hex -prverify genrsa.pri -signature md5_hex.sign a.txt
Verification Failure

The second test uses the public key to verify the digital signature. The public key rsa.pub is first extracted from the private key.

[root@host tmp]# openssl rsa -in genrsa.pri -pubout -out rsa.pub
[root@host tmp]# openssl dgst -md5 -verify rsa.pub -signature md5_nohex.sign a.txt
Verified OK
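The whole procedure above as a self-contained script, added here as an example and not taken from the original post: it generates a key pair, signs a file, and shows that only the raw binary signature verifies, while the -hex form and a modified file both fail. It uses SHA-256 in place of the post's MD5 for signing, assumes the openssl CLI is on PATH, and constructs all file names and inputs itself.

```shell
#!/bin/sh
# Added example, not from the original post: a sign/verify round trip with openssl dgst.
# Shows that only the raw binary signature verifies, that the -hex form fails, and that
# a modified file fails. Assumes the openssl CLI is on PATH; file names are constructed here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed input, plus a second copy with one extra byte to play the tampered file.
printf 'hello, dgst\n' > "$WORK/a.txt"
printf 'hello, dgst!\n' > "$WORK/tampered.txt"

# Key pair: 2048-bit RSA is this example's choice (the post does not state a key size).
openssl genrsa -out "$WORK/genrsa.pri" 2048 2>/dev/null
openssl rsa -in "$WORK/genrsa.pri" -pubout -out "$WORK/rsa.pub" 2>/dev/null

# Raw binary signature (the default for -sign): this is what -verify expects.
openssl dgst -sha256 -sign "$WORK/genrsa.pri" -out "$WORK/nohex.sign" "$WORK/a.txt"
# The same signature written with -hex: readable, but not a valid input to -verify.
openssl dgst -sha256 -hex -sign "$WORK/genrsa.pri" -out "$WORK/hex.sign" "$WORK/a.txt"

# verify <sigfile> <datafile>: prints "ok" when openssl reports "Verified OK",
# "fail" otherwise, and returns the matching exit status.
verify() {
  if openssl dgst -sha256 -verify "$WORK/rsa.pub" -signature "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
    return 1
  fi
}

# md5_line <string>: MD5 of the string followed by a newline, i.e. what
# "echo <string> | openssl md5" hashes; the post's 123456 example gives
# f447b20a7fcbf53a5d5be013ea0b15af from openssl md5 and openssl dgst -md5 alike.
md5_line() {
  printf '%s\n' "$1" | openssl dgst -md5 | sed 's/.*= //'
}

verify "$WORK/nohex.sign" "$WORK/a.txt"                  # ok
verify "$WORK/hex.sign" "$WORK/a.txt" || true            # fail: hex text is not a signature
verify "$WORK/nohex.sign" "$WORK/tampered.txt" || true   # fail: file content changed
md5_line 123456                                          # f447b20a7fcbf53a5d5be013ea0b15af
```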

