分类：未分类

openssl-passwd
openssl-passwd

名字

openssl-passwd – compute password hashes

概要

openssl passwd [-help] [-1] [-apr1] [-aixmd5] [-5] [-6] [-salt string] [-in file] [-stdin] [-noverify] [-quiet] [-table] [-reverse] [-rand files] [-writerand file] [-provider name] [-provider-path path] [-propquery propq] [password]

描述

这个命令用于计算运行时键入或在列表中的每个密码的hash。这个密码列表通过-in指定的文件读取，或者指定-stdin时从stdin中读取，或者来自命令行，或者来自终端。

选项
- -help
  Print out a usage message.
- -1
  
  使用基于MD5的BSD的password algorithm 1，这也是默认值。
- -apr1
  
  使用apr1算法，bsd算法的apache变种。
- -aixmd5
  
  使用AIX MD5算法，(BSD算法的AIX变种)
- -5,-6
  
  使用基于Ulrich Drepper定义的算法的SHA256/SHA512算法。See https://www.akkadia.org/drepper/SHA-crypt.txt.
- -salt string
  
  Use the specified salt. When reading a password from the terminal, this implies -noverify.
  使用指定的salt.当从终端读取密码时，已经隐含-noverify。
- -in file
  
  从文件读取密码
- -stdin
  
  从stdin读取密码
- -noverify
  
  不验证从终端读取的密码(有什么可验证的？)
- -quiet
  
  当命令行给出的密码被截断时不显示警告
- -table
  
  在输出列表中，每个password hash前面插入明文密码和一个TAB符号。
- -reverse
  
  使用-table选项时，交换cleartext和hash列的位置。
- -rand files, -writerand file
  
  See “Random State Options” in openssl(1) for details.
- -provider name
- -provider-path path
- -propquery propq
  
  See “Provider Options” in openssl(1), provider(7), and property(7).
注意

这个命令没有-out选项，所有的信息都输出到stdout

Views: 2
2024年12月29日
openssl-mac
openssl-mac

执行Message Authentication Code操作

概述

openssl mac [-help] [-cipher] [-digest] [-macopt] [-in filename] [-out filename] [-binary] [-provider name] [-provider-path path] [-propquery propq] mac_name

描述

计算输入文件的MAC

选项
- -help
  Print a usage message.
- -in filename
  
  读取输入的文件名，用于于计算MAC，或者默认为标准输入。如果文件名是’-‘，则使用标准输入。文件和标准输入应该是二进制格式。
- -out filename
  
  用于输出的文件名, 或使用默认的standard output.
- -binary
  
  输出的MAC是二进制格式。如果没有指定，则使用十六进制文本格式。
- -cipher name
  
  为CMAC和GMAC指定密码算法。对于CMAC，它应该是一个CBC模式密码，例如AES-128-CBC。对于GMAC，它应该是一个GCM模式密码，例如AES-128-GCM。
- -digest name
  
  为HMAC指定摘要算法。默认为SHA256。完整的列表可以使用命令openssl list -digest-algorithms查看。
- -macopt nm:v
  
  传递选项给MAC算法。EVP_MAC实现文档中可以找到控制的全面列表。EVP_MAC_CTX_get_params()使用的常见参数名称有：
  - key:string
    指定字母数字字符串作为MAC key（仅使用可打印字符）。字符串长度必须符合MAC算法的任何限制。必须为每个MAC算法指定一个密钥。
  - hexkey:string
    
    使用16进制格式指定MAC key（每个字节两个十六进制数字）。密钥长度必须符合MAC算法的任何限制。必须为每个MAC算法指定一个密钥。
  - iv:string
    
    指定一个alphanumeric字符串作为GMAC的IV（仅包含可打印字符）。字符串长度必须符合MAC算法的任何限制。
  - hexiv:string
    
    用16进制形式指定GMAC的IV（每个字节两个十六进制数字）。
  - size:int
    
    为KMAC128或KMAC256指定输出长度。默认大小分别为32或64字节。
  - custom:string
    
    为KMAC128或KMAC256指定一个自定义字符串。默认值为空字符串””。
  - digest:string
    
    这个选项与-digest选项等效。
  - cipher:string
    
    这个选项与-cipher选项等效。
- -provider name
- -provider-path path
- -propquery propq
  
  See “Provider Options” in openssl(1), provider(7), and property(7).
- mac_name
  
  指定要使用的支持的MAC算法的名称。要查看支持的MAC列表，请使用命令openssl list -mac-algorithms。
注意

支持的MAC算法取决于构建OpenSSL时使用的选项。使用openssl list -mac-algorithms列出它们。
cipher与digest算法的组合通常是固定的

Views: 3
2024年12月29日
openssl-speed
openssl-speed

测试库性能

概述

openssl speed [-help] [-config filename] [-elapsed] [-evp algo] [-hmac algo] [-cmac algo] [-mb] [-aead] [-kem-algorithms] [-signature-algorithms] [-multi num] [-async_jobs num] [-misalign num] [-decrypt] [-primes num] [-seconds num] [-bytes num] [-mr] [-mlock] [-rand files] [-writerand file] [-engine id] [-provider name] [-provider-path path] [-propquery propq] [algorithm ...]

DESCRIPTION

这个命令用于测试加密算法的性能

选项
- -help
  Print out a usage message.
- -config filename
  
  指定要使用的配置文件。可选；有关默认值的说明，请参阅 “COMMAND SUMMARY” in openssl(1).
- -elapsed
  
  计算每秒操作数或字节数时，使用wall-clock(进程等待时间)而不是 CPU user time作为除数。这在测试硬件引擎速度时很有用。
- -evp algo
  
  通过 EVP 接口使用指定的加密或消息摘要算法。如果 algo 是 AEAD 密码，那么您可以传递 -aead 来使用TLS-like sequence(模拟实际的TLS操作，反映TLS应用性能而是算法性能)方法进行基准测试。如果 algo 是支持多缓冲区的密码，例如 aes-128-cbc-hmac-sha1，那么 -mb 将对多缓冲区操作进行计时。
  To see the algorithms supported with this option, use openssl list -digest-algorithms or openssl list -cipher-algorithms command.
- -multi num
  
  并行运行多个操作
- -async_jobs num
  
  启用异步模式，并指定启动的jobs数量。
- -misalign num
  
  指定缓冲区错位的字节数（故意降低性能?）。
- -hmac digest
  
  使用指定的digest进行HMAC运算的时间
- -cmac cipher
  
  使用指定的cipher进行CMAC运算的时间，例如openssl speed -cmac aes128
- -decrypt
  
  Time the decryption instead of encryption. Affects only the EVP testing.
  解密而不是加密的时间(默认是加密测试吗？)。仅影响EVP测试。
- -mb
  
  为EVP算法启用multi-block模式
- -aead
  
  使用TLS-like sequence进行EVP AEAD算法的基准测试
- -kem-algorithms
  
  KEM(Key encapsulaton Mechanism)算法的基准测试:key generation, encapsulation, decapsulation.
- -signature-algorithms
  
  Benchmark signature algorithms: key generation, signature, verification.
  签名算法的基准测试：key generation, signature, verification.
- -primes num
  
  生成num个素数作为 RSA key and 并用它进行基准测试. 这个选项仅影响RSA算法.
- -seconds num
  
  基准测试运行的秒数
- -bytes num
  
  使用num个字节的缓存运算基准测试。影响ciphers, digests and the CSPRNG。范围限制是INT_MAX-64,INT_MAX的值是2147483583。
- -mr
  
  以机器可读的格式生成摘要
- -mlock
  
  将内存锁定到 RAM 中以实现更确定性的测量（意思是避免使用虚拟内存吗）。
- -rand files, -writerand file
  
  See “Random State Options” in openssl(1) for details.
- -engine id
  
  See “Engine Options” in openssl(1). This option is deprecated.
- -provider name
- -provider-path path
- -propquery propq
  
  See “Provider Options” in openssl(1), provider(7), and property(7).
- algorithm …
  
  如果给定了任意algorithm，则使用这些算法进行测试，否则会选择预编译的所有算法进行测试。algorithm只能给定speed命令预编译的算法，对于其它的算法请使用-evp选项。
Views: 1
2024年12月29日
ejbca手动安装(基于almalinux9.5)
ejbca手动安装(基于almalinux9.5)

手动安装的一个好处是使用hsm方便，可以安装hsm驱动，但是安装过程颇为繁锁
- 安装java环境
  “`
  dnf update
  dnf install java-17-openjdk java-17-openjdk-devel
  “`
- 下载ejbca源码
  
  下载WildFly 32.0
  https://www.wildfly.org/downloads/
  ejbca下载
  https://github.com/Keyfactor/ejbca-ce/releases
- 安装wildFly
  
  “`
  wget https://github.com/wildfly/wildfly/releases/download/32.0.1.Final/wildfly-32.0.1.Final.zip -O /tmp/wildfly-32.0.1.Final.zip
  unzip -q /tmp/wildfly-32.0.1.Final.zip -d /opt/
  ln -snf /opt/wildfly-32.0.1.Final /opt/wildfly
  sed -i '/.*org.jboss.resteasy.resteasy-crypto.*/d' /opt/wildfly/modules/system/layers/base/org/jboss/as/jaxrs/main/module.xml
  rm -rf /opt/wildfly/modules/system/layers/base/org/jboss/resteasy/resteasy-crypto/
  “`
  
  替换文件/opt/wildfly/bin/standalone.conf
  
  “`
  if [ "x $JBOSS_MODULES_SYSTEM_PKGS" = "x" ]; then JBOSS_MODULES_SYSTEM_PKGS="org.jboss.byteman" fi$
  
  if [ "xJAVA_OPTS" = "x" ]; then
  JAVA_OPTS="-Xms{{ HEAP_SIZE }}m -Xmx{{ HEAP_SIZE }}m"
  JAVA_OPTS=" $JAVA_OPTS -Dhttps.protocols=TLSv1.2,TLSv1.3" JAVA_OPTS="$ JAVA_OPTS -Djdk.tls.client.protocols=TLSv1.2,TLSv1.3"
  JAVA_OPTS=" $JAVA_OPTS -Djava.net.preferIPv4Stack=true" JAVA_OPTS="$ JAVA_OPTS -Djboss.modules.system.pkgs= $JBOSS_MODULES_SYSTEM_PKGS" JAVA_OPTS="$ JAVA_OPTS -Djava.awt.headless=true"
  JAVA_OPTS=" $JAVA_OPTS -Djboss.tx.node.id={{ TX_NODE_ID }}" JAVA_OPTS="$ JAVA_OPTS -XX:+HeapDumpOnOutOfMemoryError"
  JAVA_OPTS=" $JAVA_OPTS -Djdk.tls.ephemeralDHKeySize=2048" else echo "JAVA_OPTS already set in environment; overriding default settings with values:$ JAVA_OPTS"
  fi
  
  “`
  
  “`
  echo -e "\nJAVA_OPTS=\"\ $JAVA_OPTS –add-exports=jdk.crypto.cryptoki/sun.security.pkcs11.wrapper=ALL-UNNAMED\"" >> /opt/wildfly/bin/standalone.conf sed -i -e 's/{{ HEAP_SIZE }}/2048/g' /opt/wildfly/bin/standalone.conf sed -i -e "s/{{ TX_NODE_ID }}/$ (od -A n -t d -N 1 /dev/urandom | tr -d ' ')/g" /opt/wildfly/bin/standalone.conf
  
  cp /opt/wildfly/docs/contrib/scripts/systemd/launch.sh /opt/wildfly/bin
  cp /opt/wildfly/docs/contrib/scripts/systemd/wildfly.service /etc/systemd/system
  mkdir /etc/wildfly
  cp /opt/wildfly/docs/contrib/scripts/systemd/wildfly.conf /etc/wildfly
  systemctl daemon-reload
  useradd -r -s /bin/false wildfly
  chown -R wildfly:wildfly /opt/wildfly-32.0.1.Final/
  systemctl start wildfly
  systemctl stop firewalld
  systemctl disable firewalld
  systemctl enable wildfly
  #开启remoting，否者ejbcli无法使用，既而ant runinstall无法执行
  /opt/wildfly/bin/jboss-cli.sh –connect '/subsystem=remoting/http-connector=http-remoting-connector:write-attribute(name=connector-ref,value=remoting)'
  /opt/wildfly/bin/jboss-cli.sh –connect '/socket-binding-group=standard-sockets/socket-binding=remoting:add(port=4447,interface=management)'
  /opt/wildfly/bin/jboss-cli.sh –connect '/subsystem=undertow/server=default-server/http-listener=remoting:add(socket-binding=remoting,enable-http2=true)'
  /opt/wildfly/bin/jboss-cli.sh –connect ':reload'
  /opt/wildfly/bin/jboss-cli.sh –connect '/subsystem=logging/logger=org.ejbca:add(level=INFO)'
  /opt/wildfly/bin/jboss-cli.sh –connect '/subsystem=logging/logger=org.cesecore:add(level=INFO)'
  /opt/wildfly/bin/jboss-cli.sh –connect '/subsystem=logging/logger=com.keyfactor:add(level=INFO)'
  /opt/wildfly/bin/jboss-cli.sh –connect '/subsystem=undertow/server=default-server/host=default-host/setting=access-log:add(pattern="%h %t \"%r\" %s \"%{i,User-Agent}\"", relative-to=jboss.server.log.dir, directory=access-logs)'
  /opt/wildfly/bin/jboss-cli.sh –connect '/subsystem=logging/logger=io.undertow.accesslog:add(level=INFO)'
  /opt/wildfly/bin/jboss-cli.sh –connect '/subsystem=logging/root-logger=ROOT:remove-handler(name=CONSOLE)'
  /opt/wildfly/bin/jboss-cli.sh –connect '/subsystem=logging/console-handler=CONSOLE:remove()'
  /opt/wildfly/bin/jboss-cli.sh –connect '/subsystem=logging/logger=org.cesecore.certificates.ocsp.logging.TransactionLogger:add(use-parent-handlers=false)'
  /opt/wildfly/bin/jboss-cli.sh –connect '/subsystem=logging/logger=org.cesecore.certificates.ocsp.logging.TransactionLogger:write-attribute(name=level, value=INFO)'
  /opt/wildfly/bin/jboss-cli.sh –connect '/subsystem=logging/async-handler=ocsp-tx-async:add(queue-length="100")'
  /opt/wildfly/bin/jboss-cli.sh –connect '/subsystem=logging/async-handler=ocsp-tx-async:write-attribute(name=level, value=DEBUG)'
  /opt/wildfly/bin/jboss-cli.sh –connect '/subsystem=logging/async-handler=ocsp-tx-async:write-attribute(name="overflow-action", value="BLOCK")'
  /opt/wildfly/bin/jboss-cli.sh –connect '/subsystem=logging/logger=org.cesecore.certificates.ocsp.logging.TransactionLogger:add-handler(name=ocsp-tx-async)'
  /opt/wildfly/bin/jboss-cli.sh –connect '/subsystem=logging/periodic-rotating-file-handler=ocsp-tx:add(autoflush=true, append=true, suffix=".yyyy-MM-dd", file={path=ocsp-tx.log,relative-to=jboss.server.log.dir})'
  /opt/wildfly/bin/jboss-cli.sh –connect '/subsystem=logging/async-handler=ocsp-tx-async:add-handler(name=ocsp-tx)'
  /opt/wildfly/bin/jboss-cli.sh –connect '/subsystem=deployment-scanner/scanner=default:write-attribute(name=scan-interval,value=0)'
  
  “`
  配置https并使用3端口配置(默认是2端口)
  “`
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=undertow/server=default-server/http-listener=default:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/socket-binding-group=standard-sockets/socket-binding=http:remove()’
  # Line 4 is not needed if Galleon was used
  #/opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=undertow/server=default-server/https-listener=https:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/socket-binding-group=standard-sockets/socket-binding=https:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘:reload’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/interface=http:add(inet-address=”0.0.0.0″)’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/interface=httpspub:add(inet-address=”0.0.0.0″)’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/interface=httpspriv:add(inet-address=”0.0.0.0″)’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/socket-binding-group=standard-sockets/socket-binding=http:add(port=”8080″,interface=”http”)’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/socket-binding-group=standard-sockets/socket-binding=httpspub:add(port=”8442″,interface=”httpspub”)’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/socket-binding-group=standard-sockets/socket-binding=httpspriv:add(port=”8443″,interface=”httpspriv”)’
  
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=elytron/credential-store=defaultCS:add-alias(alias=httpsKeystorePassword, secret-value=”hetao1987″)’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=elytron/credential-store=defaultCS:add-alias(alias=httpsTruststorePassword, secret-value=”hetao1987″)’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=elytron/key-store=httpsKS:add(path=”keystore/keystore.p12″,relative-to=jboss.server.config.dir,credential-reference={store=defaultCS, alias=httpsKeystorePassword},type=PKCS12)’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=elytron/key-store=httpsTS:add(path=”keystore/truststore.p12″,relative-to=jboss.server.config.dir,credential-reference={store=defaultCS, alias=httpsTruststorePassword},type=PKCS12)’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=elytron/key-manager=httpsKM:add(key-store=httpsKS,algorithm=”SunX509″,credential-reference={store=defaultCS, alias=httpsKeystorePassword})’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=elytron/trust-manager=httpsTM:add(key-store=httpsTS)’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=elytron/server-ssl-context=httpspub:add(key-manager=httpsKM,protocols=[“TLSv1.3″,”TLSv1.2″],use-cipher-suites-order=false,cipher-suite-filter=”TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256″,cipher-suite-names=”TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256”)’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=elytron/server-ssl-context=httpspriv:add(key-manager=httpsKM,protocols=[“TLSv1.3″,”TLSv1.2″],use-cipher-suites-order=false,cipher-suite-filter=”TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256″,cipher-suite-names=”TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256″,trust-manager=httpsTM,need-client-auth=true)’
  
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=undertow/server=default-server/http-listener=http:add(socket-binding=”http”, redirect-socket=”httpspriv”)’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=undertow/server=default-server/https-listener=httpspub:add(socket-binding=”httpspub”, ssl-context=”httpspub”, max-parameters=2048)’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=undertow/server=default-server/https-listener=httpspriv:add(socket-binding=”httpspriv”, ssl-context=”httpspriv”, max-parameters=2048)’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘:reload’
  
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/system-property=org.apache.catalina.connector.URI_ENCODING:add(value=”UTF-8″)’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/system-property=org.apache.catalina.connector.USE_BODY_ENCODING_FOR_QUERY_STRING:add(value=true)’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/system-property=org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH:add(value=true)’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/system-property=org.apache.tomcat.util.http.Parameters.MAX_COUNT:add(value=2048)’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/system-property=org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH:add(value=true)’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=webservices:write-attribute(name=wsdl-host, value=jbossws.undefined.host)’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=webservices:write-attribute(name=modify-wsdl-address, value=true)’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘:reload’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=undertow/server=default-server/host=default-host/location=”\/”:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=undertow/configuration=handler/file=welcome-content:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘:reload’
  #rm -rf /opt/wildfly/welcome-content/
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=undertow/configuration=filter/rewrite=redirect-to-app:add(redirect=true,target=”/ejbca/adminweb/”)’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=undertow/server=default-server/host=default-host/filter-ref=redirect-to-app:add(priority=1,predicate=”method(GET) and not path-prefix(/ejbca,/crls,/certificates,/.well-known) and not equals({\%{LOCAL_PORT}, 4447})”)’
  
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=undertow/configuration=filter/rewrite=redirect-to-app:add(redirect=true,target=”/ejbca/adminweb/”)’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=undertow/server=default-server/host=default-host/filter-ref=redirect-to-app:add(priority=1,predicate=”method(GET) and not path-prefix(/ejbca,/crls,/certificates,/.well-known) and not equals({\%{LOCAL_PORT}, 4447})”)’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=undertow/configuration=filter/rewrite=crl-rewrite:add(target=”/ejbca/publicweb/crls/ ${1}”)’ /opt/wildfly/bin/jboss-cli.sh –connect “/subsystem=undertow/server=default-server/host=default-host/filter-ref=crl-rewrite:add(predicate=\”method(GET) and regex(‘/crls/(._)’)\”)” /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=undertow/configuration=filter/rewrite=certs-rewrite:add(target=”/ejbca/publicweb/certificates/$ {1}”)’
  /opt/wildfly/bin/jboss-cli.sh –connect “/subsystem=undertow/server=default-server/host=default-host/filter-ref=certs-rewrite:add(predicate=\”method(GET) and regex(‘/certificates/(.)’)\”)”
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=undertow/configuration=filter/rewrite=rewrite-ocsp:add(target=”/ejbca/publicweb/status/ocsp”)’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=undertow/server=default-server/host=default-host/filter-ref=rewrite-ocsp:add(predicate=”path(/ocsp) and method(GET,POST)”)’
  #/opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=elytron/trust-manager=httpsTM:write-attribute(name=ocsp, value={})’
  #/opt/wildfly/bin/jboss-cli.sh –connect ‘:reload’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=ee/service=default-bindings:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘data-source remove –name=ExampleDS’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘:reload’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=jdr:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=sar:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=jmx:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=pojo:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=microprofile-jwt-smallrye:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=ee-security:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=microprofile-opentracing-smallrye:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=distributable-web:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=datasources/jdbc-driver=h2:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=microprofile-config-smallrye:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=request-controller:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=security-manager:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/extension=org.wildfly.extension.microprofile.config-smallrye:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/extension=org.wildfly.extension.microprofile.jwt-smallrye:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/extension=org.wildfly.extension.clustering.web:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/extension=org.wildfly.extension.microprofile.opentracing-smallrye:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=health:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=metrics:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/extension=org.wildfly.extension.health:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/extension=org.wildfly.extension.metrics:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/extension=org.jboss.as.jdr:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/extension=org.jboss.as.jmx:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/extension=org.jboss.as.sar:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/extension=org.jboss.as.pojo:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/extension=org.wildfly.extension.ee-security:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/extension=org.wildfly.extension.request-controller:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/extension=org.wildfly.extension.security.manager:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘:reload’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=jdr:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=sar:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=jmx:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=pojo:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=microprofile-jwt-smallrye:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=ee-security:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=microprofile-opentracing-smallrye:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=distributable-web:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=datasources/jdbc-driver=h2:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=microprofile-config-smallrye:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=request-controller:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=security-manager:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/extension=org.wildfly.extension.microprofile.config-smallrye:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/extension=org.wildfly.extension.microprofile.jwt-smallrye:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/extension=org.wildfly.extension.clustering.web:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/extension=org.wildfly.extension.microprofile.opentracing-smallrye:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=health:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=metrics:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/extension=org.wildfly.extension.health:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/extension=org.wildfly.extension.metrics:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/extension=org.jboss.as.jdr:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/extension=org.jboss.as.jmx:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/extension=org.jboss.as.sar:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/extension=org.jboss.as.pojo:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/extension=org.wildfly.extension.ee-security:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/extension=org.wildfly.extension.request-controller:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/extension=org.wildfly.extension.security.manager:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘:reload’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=jdr:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=sar:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=jmx:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=pojo:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=microprofile-jwt-smallrye:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=ee-security:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=microprofile-opentracing-smallrye:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=distributable-web:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=datasources/jdbc-driver=h2:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=microprofile-config-smallrye:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=request-controller:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=security-manager:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/extension=org.wildfly.extension.microprofile.config-smallrye:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/extension=org.wildfly.extension.microprofile.jwt-smallrye:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/extension=org.wildfly.extension.clustering.web:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/extension=org.wildfly.extension.microprofile.opentracing-smallrye:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=health:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=metrics:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/extension=org.wildfly.extension.health:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/extension=org.wildfly.extension.metrics:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/extension=org.jboss.as.jdr:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/extension=org.jboss.as.jmx:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/extension=org.jboss.as.sar:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/extension=org.jboss.as.pojo:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/extension=org.wildfly.extension.ee-security:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/extension=org.wildfly.extension.request-controller:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/extension=org.wildfly.extension.security.manager:remove()’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘:reload’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘/subsystem=undertow/server=default-server/ajp-listener=ajp-listener:add(socket-binding=ajp, scheme=https, enabled=true)’
  /opt/wildfly/bin/jboss-cli.sh –connect ‘:reload’
  
  “`
  </p></li>
  <li><p>安装数据库
  
  “`
  dnf install mariadb maraidb-server
  mysql -u root -p
  CREATE DATABASE ejbca CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
  GRANT ALL PRIVILEGES ON ejbca.* TO ‘ejbca’@’%’ IDENTIFIED BY ‘ejbca’;
  quit
  “`
  
  “`
  echo '#!/bin/sh' > /usr/bin/wildfly_pass
  echo "echo '$(openssl rand -base64 24)'" >> /usr/bin/wildfly_pass
  chown wildfly:wildfly /usr/bin/wildfly_pass
  chmod 700 /usr/bin/wildfly_pass
  mkdir /opt/wildfly/standalone/configuration/keystore
  chown wildfly:wildfly /opt/wildfly/standalone/configuration/keystore
  /opt/wildfly/bin/jboss-cli.sh –connect '/subsystem=elytron/credential-store=defaultCS:add(path=keystore/credentials, relative-to=jboss.server.config.dir, credential-reference={clear-text="{EXT}/usr/bin/wildfly_pass", type="COMMAND"}, create=true)'
  
  wget https://dlm.mariadb.com/3852266/Connectors/java/connector-java-3.4.1/mariadb-java-client-3.4.1.jar -O /opt/wildfly/standalone/deployments/mariadb-java-client.jar
  
  /opt/wildfly/bin/jboss-cli.sh –connect '/subsystem=elytron/credential-store=defaultCS:add-alias(alias=dbPassword, secret-value="ejbca")'
  /opt/wildfly/bin/jboss-cli.sh –connect 'data-source add –name=ejbcads –connection-url="jdbc:mysql://127.0.0.1:3306/ejbca?permitMysqlScheme" –jndi-name="java:/EjbcaDS" –use-ccm=true –driver-name="mariadb-java-client.jar" –driver-class="org.mariadb.jdbc.Driver" –user-name="ejbca" –credential-reference={store=defaultCS, alias=dbPassword} –validate-on-match=true –background-validation=false –prepared-statements-cache-size=50 –share-prepared-statements=true –min-pool-size=5 –max-pool-size=150 –pool-prefill=true –transaction-isolation=TRANSACTION_READ_COMMITTED –check-valid-connection-sql="select 1;"'
  /opt/wildfly/bin/jboss-cli.sh –connect ':reload'
  
  “`
- 安装ejbca
  
  “`
  export ejbca_home=/opt/ejbca
  # 用dnf安装的ant绑定了java11，会出现class file has wrong version 61.0, should be 55.0的错误
  wget https://downloads.apache.org/ant/binaries/apache-ant-1.10.15-bin.tar.gz -O apache-ant-1.10.15-bin.tar.gz
  tar -zxf apache-ant-1.10.15-bin.tar.gz
  mv apache-ant-1.10.15 /opt/
  cd /opt
  mv apache-ant-1.10.15 ant
  export PATH=$PATH:/opt/ant/bin
  ant -q clean deployear
  ant runinstall
  ant deploy-keystore
  systemctl restart wildfly
  “`
Views: 1
2024年12月29日

yubico-piv-tool中的的slot与pkcs-tool中的id对应关系

id	slot
1	9a PIV Authentication
2	9c Digital Signature (PIN always checked)
3	9d Key Management
4	9e Card Authentication (PIN never checked)
5	82 (RETIRED1)
a	87 (RETIRED6)
18	95 (RETIRED20)
19	不可见(F9 Attestation)

一共25个可见的slot(其中id 19只在pkcs11-tool中可见，在ykman中不可见)

参考：
https://docs.yubico.com/yesdk/users-manual/application-piv/slots.html

2024年12月26日

PCSC和CCID编译

PCSC

git clone https://github.com/LudovicRousseau/PCSC.git
cd PCSC
meson configure builddir --prefix=/usr -Dpolkit=false
cd builddir
meson compile
meson install --destdir /opt/pkg/pcsc/

CCID

用于读取USBKey

git clone https://salsa.debian.org/rousseau/CCID.git
cd CCID
meson setup builddir --prefix=/usr
cd builddir
meson compile
meson install --destdir /opt/pkg/ccid/

2024年12月23日

ejbca9.0集成eToken 5110
docker 映射到/dev:/dev，设置ejbca容器privileged权限
```
services:
  ejbca:
    image: keyfactor/ejbca-ce
    hostname: ca.hetao.me
    restart: always
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ./data/ejbca/persistent:/mnt/persistent
      - ./data/ejbca/external:/mnt/external
      - ./data/ejbca/pkcs11:/opt/pkcs11
      - ./data/ejbca/pkcs11/99-deny-all.rules:/etc/polkit-1/rules.d/99-deny-all.rules
      - ./data/ejbca/conf/web.properties:/opt/keyfactor/ejbca/conf/web.properties
      - /dev:/dev
    ports:
      - 192.168.33.38:443:8443/tcp
      - 192.168.33.38:80:8080/tcp
        # devices:
        #- /dev/bus/usb
    privileged: true
    environment:
      - "TLS_SETUP_ENABLED=later"
      - "PROXY_HTTP_BIND=0.0.0.0"
      - "TZ=Asia/Shanghai"
```
执行
```
microdnf install chkconfig pcsc-lite procps-ng opensc vi usbutils psmisc tar gzip -y 
rpm -i SafenetAuthenticationClient-core-10.8.1050-1.el9.x86_64.rpm
```
web.properties添加以下内容
```
cryptotoken.p11.lib.200.name=eToken
cryptotoken.p11.lib.200.file=/usr/lib64/libeToken.so
```
执行以下命令，开启java的pkcs11功能
```
echo -e "\nJAVA_OPTS=\"\$JAVA_OPTS --add-exports=jdk.crypto.cryptoki/sun.security.pkcs11.wrapper=ALL-UNNAMED\"" >> /opt/keyfactor/appserver/bin/standalone.conf
```
创建/etc/polkit-1/rules.d/99-deny-all.rules并添加以下内容
```
polkit.addRule(function(action, subject) {
    return polkit.Result.YES;
});
```
然后执行

systemctl daemon-reload && systemctl daemon-reexec(如果有systemctl的话)
和
/opt/keyfactor/appserver/bin/jboss-cli.sh --connect ':reload'

最后只是调出了pkcs11 token的选项，并不能正常使用pkcs11 token(容器中缺少必要的组件和安全服务(polkit))
在原生Linux中用上述方法是能成功的

同样的方法也适用于基于OpenSC的ePass2003,但是OpenSC似乎不完善，会出现RSA签名无法通过验证，etoken 5110生成密钥速度慢，但还算稳定，在almalinux和ubuntu上都没有任何问题，就是linux上的驱动不好找。

后来分析了pcscd以及polkit的日志及源码，发现是polkit启动的时候依懒dbus服务，容器中无法启动dbus服务。但是新版本的pcscd提供了选项可以在编译时和运行时禁用polkit的支持。
重新编译最新版本的pcsc，然后以以下命令启动即可：
```
tar -zxf pcsc.tar.gz -C / --strip-components 1
tar -zxf ccid.tar.gz -C / --strip-components 1
pcscd --disable-polkit
```
使用中发现如果pcscd进程重启后,java进程也要重启，不然会报Token has been removed的异常。

对于ePass2003无法执行RSA签名的问题可以通过
update-crypto-policies --set LEGACY
来修复

通过参考这里的方法：https://github.com/Keyfactor/keyfactorcommunity/blob/main/hsm-integration/hsm-driver-smartcard-hsm/README.md
我有了更好的解决方案
```
services:
  ejbca:
    image: keyfactor/ejbca-ce
    hostname: ca.hetao.me
    restart: always
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ./data/ejbca/persistent:/mnt/persistent
      - ./data/ejbca/external:/mnt/external
      - ./data/ejbca/conf/web.properties:/opt/keyfactor/ejbca/conf/web.properties
      - ./data/ejbca/conf/standalone.conf:/opt/keyfactor/wildfly-33.0.0.Final/bin/standalone.conf 
      - /lib/x86_64-linux-gnu/libpcsclite.so.1.0.0:/usr/lib64/libpcsclite.so.1.0.0:ro
      - /lib/x86_64-linux-gnu/libpcsclite.so.1.0.0:/usr/lib64/libpcsclite.so.1:ro
      - ./data/ejbca/pkcs11/libeToken.so:/usr/lib64/pkcs11/libeToken.so:ro
      - ./data/ejbca/pkcs11/libeToken.so:/usr/lib64/libeToken.so:ro
      - /var/run/pcscd:/var/run/pcscd:ro
    ports:
      - 192.168.33.38:443:8443/tcp
      - 192.168.33.38:80:8080/tcp
```
以这种方式创建ebjca容器可以在在ejbca中直接使用eToken5110。
原理是在缩主机上运行pcscd服务，在容器中运行pcsc客户端功能，需要把pcsc的socket(/var/run/pcscd/pcscd.comm)和客户端(libpcsclite.so)库映射到容器中。
eToken的pkcs11库可以从rpm包中提取出来映射到容器中，至于OpenSC也不是eToken必须的，这样就不需要在容器中安装任何软件了。

其它问题
- 修复ePass2003 RSA密钥无法签名的问题
在cesecore.properties中添加以下配置
```
pkcs11.disableHashingSignMechanisms=false
```
这样在签名时不使用java自己的hash,而是使用hsm内置的hash，有些token不允许在外部进行hash.
这样修改后以前生成的CA证书会失效，需要注意。

参考：
https://www.smartcard-hsm.com/2014/09/05/Accessing_your_SmartCard-HSM_from_EJBCA.html
https://doc.primekey.com/ejbca/ejbca-integration/hardware-security-modules-hsm/nitrokey-hsm

Views: 5
2024年12月22日
docker升级ejbca 8.3.2 到 9.0.0 版本
docker升级ejbca 8.3.2 到 9.0.0 版本

9.0.0版本不再支持旧版本的h2数据库，会出现“Unsupported database file version or invalid file header in file”错误信息，需要升级h2数据库版本。

升级h2数据库到2.0版本
- 停止并删除现有ejbca容器
- 安装21版本以上的openjdk
- 下载1.4版本的h2 jar包
  https://h2database.com/h2-2019-10-14.zip
- 启动h2数据库服务
  
  命令行窗口执行 java -jar bin\h2-1.4.200.jar
- 下载数据库
  
  进入ejbca的persistent目录，下载ejbcadb.*.db文件到本地
- 打开数据库
  
  浏览器打开localhost:8082/login.jsp
  输入数据库文件路径,我这里是jdbc:h2:C:\software\h2\data\ejbcadb，输入数据库名的时候不带任何后缀。
  用户名:sa,密码:sa
- 备份数据库到Sql
  
  sql命令窗口执行script to 'ejbcadb.sql'
- 关闭数据库连接，关闭数据库服务，删除数据库文件
- 下载2.3版本的h2数据库jar包
  
  https://github.com/h2database/h2database/releases
- 启动新版的数据库服务
  
  命令行窗口执行 java -jar java -jar h2-2.3.232.jar
- 启动h2数据库服务
- 创建数据库
  
  浏览器打开localhost:8082/login.jsp
  输入数据库文件路径,我这里是jdbc:h2:C:\software\h2\data\ejbcadb，输入数据库名的时候不带任何后缀。
  用户名:sa,密码:sa
  当输入的数据库不存在时会自动创建数据库
- 导入数据
  
  sql命令窗口执行runscript from 'ejbcadb.sql'
- 复制新建创的ejbcadb数据库到原位置
更新ejbca镜像版本
- 拉取新版本的ejbca
  
  docker pull keyfactor/ejbca-ce
- 启动容器
  
  docker compose -up -d
升级后除了版本号没发现有什么功能上的变化

Views: 9
2024年12月20日
IPSec中DH组,PFS,Rekey,PRF之间的关系

不管IKEv1还是IKEv2都要求IKE连接和和IPSec连接定期更新密钥。对于IPSec连接就是Rekey操作就是建立新的连接然后把旧连接删掉。
对于IKEv1中的IKE连接也是建立新的IKE连接然后把旧的IKE连接删掉，对于IKEv2则可以通过create_child_ca操作创建新的IKE SA不用重新初始化IKE连接，当然新建再删除的方法仍然可以用(如果需要重新认证)。

在IKE SA重新生成的时候必须重新发送DH公钥并生成新的共享密钥，不管IKEv1还是IKEv2。对于IPSec SA重新生成时跟据是否开启PFS，如果开启PFS则建立IPSec SA时也要重新发送DH公钥并生成新的共享密钥，如果没有开启PFS则重用IKE SA中的共享密钥。

每次Rekey时都会以g^ir(DH协商的共享密钥，根据情况可以是新的，也可以是旧的，如果没有开启PFS则会始终使用IKE SA中旧的DH共享密钥)，SK_d，随机数及其它参数一起作为密钥材料生成新的密钥。

IKE_INIT_SA首次连接时的密钥计算:
SKEYSEED = prf(Ni | Nr, g^ir)
{SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr }
= prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr )
SK_d 用于为使用此 IKE SA 建立的子 SA 派生新密钥；SK_ai 和 SK_ar 用作完整性保护算法的密钥，用于验证后续交换的组件消息；SK_ei 和 SK_er 用于加密（当然还有解密）所有后续交换；SK_pi 和 SK_pr 用于生成 AUTH 有效负载。SK_d、SK_pi 和 SK_pr 的长度必须是商定的 PRF 的首选密钥长度。
CREATE_CHILD_SA的密钥计算(也用于rekey):
SKEYSEED = prf(SK_d (old), g^ir (new) | Ni | Nr)
prf用于生成key seed,prf+可以一次性生成7个不同用途的密钥
IKE_INIT_SA和CREATE_CHILD_SA必须生成新的nonce用于prf派生新的seed和密钥,nonce必须是128位以上的长度而且必须是prf密钥长度的一半以上。

Views: 10

2024年12月18日
注册证书时的DN名称解释

C Country 国家
L locality 城市
O organization 组织，公司
OU organizationalUnit 组织部门
CN commonName 一般名字
ST stateOrProvince 省份
emailAddress 邮箱地址

Views: 40

2024年12月11日

分类： 未分类

openssl-passwd

名字

概要

描述

选项

注意

openssl-mac

概述

描述

选项

注意

openssl-speed

概述

DESCRIPTION

选项

ejbca手动安装(基于almalinux9.5)

其它问题

docker升级ejbca 8.3.2 到 9.0.0 版本

升级h2数据库到2.0版本

更新ejbca镜像版本

分类：未分类