1. Introduction
The S/MIME tool handles S/MIME mail: it can encrypt, decrypt, sign and verify S/MIME messages.
2. Syntax
openssl smime [-encrypt] [-decrypt] [-sign] [-verify] [-pk7out] [-nointern] [-nosigs] [-noverify] [-nocerts] [-nodetach] [-noattr] [-binary] [-in file] [-inform SMIME|PEM|DER] [-certfile file] [-signer file] [-recip file] [-passin arg] [-inkey file] [-keyform PEM|ENGINE] [-out file] [-outform SMIME|PEM|DER] [-content file] [-to addr] [-from ad] [-subject s] [-text] [-CApath directory] [-CAfile filename] [-crl_check] [-crl_check_all] [-indef] [-noindef] [-stream] [-rand file(s)] [-md digest] [cert.pem…] [-des] [-des3] [-rc2-40] [-rc2-64] [-rc2-128]
Options
-encrypt        encrypt message
-decrypt        decrypt encrypted message
-sign           sign message
-verify         verify signed message
-pk7out         output PKCS#7 structure
-des3           encrypt with triple DES
-des            encrypt with DES
-seed           encrypt with SEED
-rc2-40         encrypt with RC2-40 (default)
-rc2-64         encrypt with RC2-64
-rc2-128        encrypt with RC2-128
-aes128, -aes192, -aes256  encrypt PEM output with cbc aes
-camellia128, -camellia192, -camellia256  encrypt PEM output with cbc camellia
-nointern       don't search certificates in message for signer
-nosigs         don't verify message signature
-noverify       don't verify signers certificate
-nocerts        don't include signers certificate when signing
-nodetach       use opaque signing
-noattr         don't include any signed attributes
-binary         don't translate message to text
-certfile file  other certificates file
-signer file    signer certificate file
-recip file     recipient certificate file for decryption
-in file        input file
-inform arg     input format SMIME (default), PEM or DER
-inkey file     input private key (if not signer or recipient)
-keyform arg    input private key format (PEM or ENGINE)
-out file       output file
-outform arg    output format SMIME (default), PEM or DER
-content file   supply or override content for detached signature
-to addr        to address
-from ad        from address
-subject s      subject
-text           include or delete text MIME headers
-CApath dir     trusted certificates directory
-CAfile file    trusted certificates file
-trusted_first  use trusted certificates first when building the trust chain
-crl_check      check revocation status of signer's certificate using CRLs
-crl_check_all  check revocation status of signer's certificate chain using CRLs
-engine e       use engine e, possibly a hardware device.
-passin arg     input file pass phrase source
-rand file:file:...  load the file (or the files in the directory) into the random number generator
cert.pem        recipient certificate(s) for encryption
3. Examples
I. Creating a digital signature
1) Including the certificate and the original text
openssl smime -sign -inkey prikey.pem -signer certself.pem -in install.log -out install_sign.msg
2) Without the certificate
openssl smime -sign -inkey prikey.pem -signer certself.pem -passin pass:"123456" -nocerts -in install.log -out install_sign.msg
3) Without the original text
openssl smime -sign -inkey prikey.pem -signer certself.pem -passin pass:"123456" -nodetach -in install.log -out install_sign.msg
II. Verifying a signature
1) Including the certificate and the original text
openssl smime -verify -CAfile certself.pem -in install_sign.msg -out install_verify.log
2) Without verifying the signer's certificate
openssl smime -verify -noverify -CAfile certself.pem -signer certself.pem -in text_sign.msg -out text_verify.log
3) Without the original text
openssl smime -verify -nodetach -CAfile certself.pem -signer certself.pem -in text_sign.msg -out text_verify.log
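The signing and verification commands above, run end to end as an added example (not part of the original page). It assumes a POSIX shell with openssl on PATH; the throwaway certificates and the names other_key.pem, other_cert.pem, tampered.msg and other_sign.msg are constructed for the demo. It shows that -noverify skips only the signer-certificate check: an altered message is still rejected, but a message signed by a certificate outside -CAfile is accepted.

```shell
#!/bin/sh
# Added example. All keys, certificates and install.log are throwaway files
# constructed for this demo; other_*.pem are hypothetical names, not from the page.
mkcert() {        # usage: mkcert <CN> <key-out> <cert-out>
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$2" -out "$3" 2>/dev/null
}
smime_setup() {   # work in a fresh temporary directory
    WORK=$(mktemp -d) && cd "$WORK" || return 1
    mkcert trusted-signer prikey.pem certself.pem || return 1
    mkcert unknown-signer other_key.pem other_cert.pem || return 1
    printf 'constructed sample content\n' > install.log
}
smime_sign() {    # usage: smime_sign <key> <cert> <out>
    openssl smime -sign -inkey "$1" -signer "$2" -in install.log -out "$3" 2>/dev/null
}
smime_check() {   # usage: smime_check <msg> <CAfile> [extra openssl flags...]
    msg=$1; ca=$2; shift 2
    openssl smime -verify "$@" -CAfile "$ca" -in "$msg" -out /dev/null 2>/dev/null
}
smime_make_cases() {
    # 1. message signed by the trusted certificate
    smime_sign prikey.pem certself.pem install_sign.msg &&
    # 2. same message with the clear-text content altered after signing
    sed 's/constructed/modified/' install_sign.msg > tampered.msg &&
    # 3. message signed by a certificate the verifier does not trust
    smime_sign other_key.pem other_cert.pem other_sign.msg
}
report() { if "$@"; then echo "accepted: $*"; else echo "REJECTED: $*"; fi; }

smime_setup && smime_make_cases || exit 1
report smime_check install_sign.msg certself.pem            # accepted
report smime_check tampered.msg     certself.pem            # rejected: digest mismatch
report smime_check tampered.msg     certself.pem -noverify  # rejected: signature still checked
report smime_check other_sign.msg   certself.pem            # rejected: signer not trusted
report smime_check other_sign.msg   certself.pem -noverify  # accepted: certificate check skipped
```

The last line is the reason -noverify belongs only in troubleshooting: with it, a valid signature from any certificate passes.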
III. Digital envelope encryption
openssl smime -encrypt -in install.log -out install_evp.enc certself.pem
IV. Digital envelope decryption
openssl smime -decrypt -in install_evp.enc -out install_ope.log -inkey prikey.pem
V. Converting between S/MIME and PKCS#7 formats
openssl smime -in text_sign.msg -pk7out -out test_pkcs.pem
openssl pkcs7 -in test_pkcs.pem -text
VI. Adding a signer to an existing message
openssl smime -resign -in mail.msg -signer newsign.pem -out mail2.msg