使用openssl的文件的数字签名 [英] Digital signature for a file using openssl

问题描述

有没有办法使用openssl对x509证书或任何文档进行数字签名？

Is there a way to digitally sign a x509 certificate or any document using openssl?

推荐答案

=http://www.openssl.org/docs/apps/dgst.html#> dgst 和 rsautl 组件可用于计算给定RSA密钥对的签名。

Yes, the dgst and rsautl component of OpenSSL can be used to compute a signature given an RSA key pair.

签名：

openssl dgst -sha256 data.txt > hash
openssl rsautl -sign -inkey privatekey.pem -keyform PEM -in hash > signature

验证：

openssl rsautl -verify -inkey publickey.pem -keyform PEM -in signature

更新：从下面捕获Reto的评论，因为这是一个重要的细微差别。大概如果你要去麻烦去验证，你想知道签名是在它附加的明文上生成的：

Update: Capturing Reto's comments from below because this is an important nuance. Presumably if you are going to the trouble to verify, you want to know the signature was produced on the plaintext to which it is attached:

这可能听起来明显的一些但是：注意， rsault验证只是解密文件签名。该调用的输出保证由私钥的所有者产生，但除此之外没有其他任何被检查。因此，要实际验证 data.txt 的一致性，您必须重新生成摘要，然后将其与 openssl rsautl -verify 。

This might sound obvious for some but: Be aware, rsault verify just decrypts the file signature. The output of this call is guaranteed to be produced by the owner of the private key, but beside that nothing else is being checked. So to actually verify the consistency of data.txt you have to regenerate the digest and then compare it against the output of openssl rsautl -verify.

这篇关于使用openssl的文件的数字签名的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！