openssl搭建CA证书服务器

安全机制概述

信息安全防护的目标

  • 保密性 Confidentiality
  • 完整性 Integrity
  • 可用性 Usability
  • 可控制性Controlability
  • 不可否认性 Non-repudiation

安全防护环节

  • 物理安全:各种设备/主机、机房环境
  • 系统安全:主机或设备的操作系统
  • 应用安全:各种网络服务、应用程序
  • 网络安全:对网络访问的控制、防火墙规则
  • 数据安全:信息的备份与恢复、加密解密
  • 管理安全:各种保障性的规范、流程、方法安全

安全攻击: STRIDE

  • Spoofing 假冒
  • Tampering 篡改
  • Repudiation 否认
  • Information Disclosure 信息泄漏
  • Denial of Service 拒绝服务
  • Elevation of Privilege 提升权限

5安全设计基本原则

  • 使用成熟的安全系统
  • 以小人之心度输入数据
  • 外部系统是不安全的
  • 最小授权
  • 减少外部接口
  • 缺省使用安全模式
  • 安全不是似是而非
  • 从STRIDE思考
  • 在入口处检查
  • 从管理上保护好你的系统

安全算法

常用安全技术
  • 认证
  • 授权
  • 审计
  • 安全通信
密码算法和协议:
  • 对称加密
  • 公钥加密
  • 单向加密
  • 认证协议
Linux系统:OpenSSL, gpg(pgp协议的实现)
加密需要
不加密流量的易受攻击性
  • 密码/数据嗅探
  • 数据操作
  • 验证操作
  • 相当于邮寄明信片
不安全的传统协议
  • telnet、FTP、POP3等等;不安全密码
  • http、smtp、NFS等等;不安全信息
  • Ldap、NIS、rsh等等;不安全验证

对称加密算法

对称加密:加密和解密使用同一个密钥
DES:Data Encryption Standard,56bits
3DES:
AES:Advanced (128, 192, 256bits)
Blowfish,Twofish
IDEA,RC6,CAST5
特性:
  1. 加密、解密使用同一个密钥,效率高
  2. 将原始数据分割成固定大小的块,逐个进行加密
缺陷:
  1. 密钥过多
  2. 密钥分发
  3. 数据来源无法确认10

非对称加密算法

公钥加密:密钥是成对出现
公钥:公开给所有人;public key
私钥:自己留存,必须保证其私密性;secret key
 特点:
  • 用公钥加密数据,只能使用与之配对的私钥解密;反之亦然
功能:
  •  数字签名:主要在于让接收方确认发送方身份
  • 对称密钥交换:发送方用对方的公钥加密一个对称密钥后发送给对方
  • 数据加密:适合加密较小数据
 缺点:
  • 密钥长,加密解密效率低下
 算法:
  • RSA(加密,数字签名),DSA(数字签名),ELGamal

非对称加密

基于一对公钥/密钥对
用密钥对中的一个加密,另一个解密
实现加密:
接收者
  •     生成公钥/密钥对:P和S
  •     公开公钥P,保密密钥S
发送者
  •     使用接收者的公钥来加密消息M
  •      将P(M)发送给接收者
 接收者
  •     使用密钥S来解密:M=S(P(M))
实现数字签名:
发送者
  •     生成公钥/密钥对:P和S
  •     公开公钥P,保密密钥S
  •     使用密钥S来加密消息M
  •     发送给接收者S(M)
接收者
  • 使用发送者的公钥来解密M=P(S(M))
  • 结合签名和加密
  • 分离签名

CA和证书

PKI: Public Key Infrastructure

  • 签证机构:CA(Certificate Authority)
  • 注册机构:RA
  • 证书吊销列表:CRL
  • 证书存取库

 X.509:定义了证书的结构以及认证协议标准

  • 版本号
  • 序列号
  • 签名算法
  • 颁发者
  • 有效期限
  • 主体名称
  • 主体公钥
  • CRL分发点
  • 扩展信息
  • 发行者签名

证书获取

证书类型:

  • 证书授权机构的证书
  • 服务器
  • 用户证书
获取证书两种方法:
  • 使用证书授权机构
  • 生成签名请求(csr)
  • 将csr发送给CA
  • 从CA处接收签名
自签名的证书
  • 自已签发自己的公钥

安全协议

  • SSL: Secure Socket Layer
  • TLS: Transport Layer Security
    • 1995:SSL 2.0 Netscape
    • 1996: SSL 3.0
    • 1999: TLS 1.0
    • 2006: TLS 1.1 IETF(Internet工程任务组) RFC 4346
    • 2008:TLS 1.2 当前使用
    • 2015: TLS 1.3
功能:
  • 机密性,认证,完整性,重放保护
两阶段协议,分为握手阶段和应用阶段
  •     握手阶段(协商阶段):客户端和服务器端认证对方身份(依赖于PKI体系,利用数字证书进行身份认证),并协商通信中使用的安全参数、密码套件以及主密钥。后续通信使用的所有密钥都是通过MasterSecret生成。
  •     应用阶段:在握手阶段完成后进入,在应用阶段通信双方使用握手阶段协商好的密钥进行安全通信

SSL/TLS 

  • Handshake协议:包括协商安全参数和密码套件、服务器身份认证(客户端身份认证可选)、密钥交换
  • ChangeCipherSpec 协议:一条消息表明握手协议已经完成
  • Alert 协议:对握手协议中一些异常的错误提醒,分为fatal和warning两个级别,fatal类型错误会直接中断SSL链接,而warning级别的错误SSL链接仍可继续,只是会给出错误警告
  • Record 协议:包括对消息的分段、压缩、消息认证和完整性保护、加密等
  • HTTPS 协议:就是“HTTP 协议”和“SSL/TLS 协议”的组合。HTTP over SSL”或“HTTP over TLS”,对http协议的文本数据进行加密处理后,成为二进制形式传输

 

 

 

OpenSSL

OpenSSL:开源项目
三个组件:
  • openssl: 多用途的命令行工具,包openssl
  • libcrypto: 加密算法库,包openssl-libs
  • libssl:加密模块应用库,实现了ssl及tls,包nss

SSH

ssh: secure shell, protocol, 22/tcp, 安全的远程登录
具体的软件实现:
  • OpenSSH: ssh协议的开源实现,CentOS默认安装
  • dropbear:另一个开源实现
SSH协议版本
  • v1: 基于CRC-32做MAC,不安全;man-in-middle
  • v2:双方主机协议选择安全的MAC方式
  • 基于DH算法做密钥交换,基于RSA或DSA实现身份认证
两种方式的用户登录认证:
  • 基于password
  • 基于key

openssl命令:

两种运行模式:交互模式和批处理模式
openssl version:程序版本号
标准命令、消息摘要命令、加密命令
标准命令:enc, ca, req, ...

对称加密:

工具:openssl enc, gpg
算法:3des, aes, blowfish, twofish
enc命令:
    帮助: man enc 
加密: openssl enc -e -des3 -a -salt -in testfile -out test.cipher 

解密: openssl enc -d -des3 -a -salt –in test.cipher -out testfile 

单向加密

工具:md5sum, sha1sum, sha224sum,sha256sum…openssl dgst
dgst命令:
帮助: man dgst 
openssl dgst -md5 [-hex默认] /PATH/SOMEFILE
openssl dgst -md5 testfile
md5sum /PATH/TO/SOMEFILE
MAC: Message Authentication Code,单向加密的一种延伸应用,用于实现网络通信中保证所传输数据的完整性机制CBC-MAC
HMAC:使用md5或sha1算法31

生成用户密码

passwd命令:
帮助: man sslpasswd 
openssl passwd -1 -salt SALT(最多8位)
openssl passwd -1 –salt centos

生成随机数

帮助: man sslrand 
openssl rand -base64|-hex NUM

  NUM: 表示字节数;-hex时,每个字符为十六进制,相当于4位二进制,出现的字符数为NUM*232

生成密钥对

公钥加密
  算法:RSA, ELGamal
  工具:gpg, openssl rsautl(man rsautl)
数字签名:
  算法:RSA, DSA, ELGamal
密钥交换:
  算法:dh
  DSA: Digital Signature Algorithm
  DSS:Digital Signature Standard
  RSA:33
生成私钥
openssl genrsa -out /PATH/TO/PRIVATEKEY.FILE NUM_BITS
(umask 077; openssl genrsa –out test.key –des 2048)
openssl rsa -in test.key –out test2.key 将加密key解密
从私钥中提取出公钥
openssl rsa -in PRIVATEKEYFILE –pubout –out PUBLICKEYFILE
Openssl rsa –in test.key –pubout –out test.key.pub
 

OpenSSL证书服务器搭建

PKI:Public Key Infrastructure

  • CA
  • RA
  • CRL
  • 证书存取库

证书申请及签署步骤:

  1. 生成申请请求
  2. RA核验
  3. CA签署
  4. 获取证书35

创建CA

openssl的配置文件: /etc/pki/tls/openssl.cnf 
HOME            = .
oid_section        = new_oids
openssl_conf = default_modules
[ default_modules ]
ssl_conf = ssl_module
[ ssl_module ]
system_default = crypto_policy
[ crypto_policy ]
.include /etc/crypto-policies/back-ends/opensslcnf.config
[ new_oids ]
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
[ ca ]     # 语句块
default_ca    = CA_default        # The default ca section
[ CA_default ]  # 语句块
dir        = /etc/pki/CA        # ca 相关的具体路径 证书
certs        = $dir/certs        # 存放证书的目录
crl_dir        = $dir/crl        # 证书兑换列表
database    = $dir/index.txt    # 数据库 存放所有证书的信息 自动更新
                    # several certs with same subject.
new_certs_dir    = $dir/newcerts        #新证书存放的路径
certificate    = $dir/cacert.pem     # The CA certificate
serial        = $dir/serial         # 编号 存放下一个要颁发的编号
crlnumber    = $dir/crlnumber    # 吊销列表的标号
                    # must be commented out to leave a V1 CRL
crl        = $dir/crl.pem         # 证书吊销列表文件名
private_key    = $dir/private/cakey.pem# 私钥文件
x509_extensions    = usr_cert        # The extensions to add to the cert
name_opt     = ca_default        # Subject Name options
cert_opt     = ca_default        # Certificate field options
default_days    = 365            # 默认有效期
default_crl_days= 30            # 30天发布一次私钥信息
default_md    = sha256        # 默认加密算法
preserve    = no            # 
policy        = policy_match   # 策略匹配
[ policy_match ]
countryName        = match             # 必须有的信息 国家
stateOrProvinceName    = match         # 省市
organizationName    = match         # 公司
organizationalUnitName    = optional
commonName        = supplied          # 通用名 域名
emailAddress        = optional      # 
[ policy_anything ]              # 策略可以不一样
countryName        = optional
stateOrProvinceName    = optional
localityName        = optional
organizationName    = optional
organizationalUnitName    = optional
commonName        = supplied
emailAddress        = optional
[ req ]
default_bits        = 2048
default_md        = sha256
default_keyfile     = privkey.pem
distinguished_name    = req_distinguished_name
attributes        = req_attributes
x509_extensions    = v3_ca    # The extensions to add to the self signed cert
string_mask = utf8only
[ req_distinguished_name ]
countryName            = Country Name (2 letter code)
countryName_default        = XX
countryName_min            = 2
countryName_max            = 2
stateOrProvinceName        = State or Province Name (full name)
localityName            = Locality Name (eg, city)
localityName_default        = Default City
0.organizationName        = Organization Name (eg, company)
0.organizationName_default    = Default Company Ltd
organizationalUnitName        = Organizational Unit Name (eg, section)
commonName            = Common Name (eg, your name or your server\'s hostname)
commonName_max            = 64
emailAddress            = Email Address
emailAddress_max        = 64
[ req_attributes ]
challengePassword        = A challenge password
challengePassword_min        = 4
challengePassword_max        = 20
unstructuredName        = An optional company name
[ usr_cert ]
basicConstraints=CA:FALSE
nsComment            = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical,CA:true
[ crl_ext ]
authorityKeyIdentifier=keyid:always
[ proxy_cert_ext ]
basicConstraints=CA:FALSE
nsComment            = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
[ tsa ]
default_tsa = tsa_config1    # the default TSA section
[ tsa_config1 ]
dir        = /etc/pki/CA        # TSA root directory
serial        = $dir/tsaserial    # The current serial number (mandatory)
crypto_device    = builtin        # OpenSSL engine to use for signing
signer_cert    = $dir/tsacert.pem     # The TSA signing certificate
                    # (optional)
certs        = $dir/cacert.pem    # Certificate chain to include in reply
                    # (optional)
signer_key    = $dir/private/tsakey.pem # The TSA private key (optional)
signer_digest  = sha256            # Signing digest to use. (Optional)
default_policy    = tsa_policy1        # Policy if request did not specify it
                    # (optional)
other_policies    = tsa_policy2, tsa_policy3    # acceptable policies (optional)
digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
accuracy    = secs:1, millisecs:500, microsecs:100    # (optional)
clock_precision_digits  = 0    # number of digits after dot. (optional)
ordering        = yes    # Is ordering defined for timestamps?
                # (optional, default: no)
tsa_name        = yes    # Must the TSA name be included in the reply?
                # (optional, default: no)
ess_cert_id_chain    = no    # Must the ESS cert id chain be included?
                # (optional, default: no)
ess_cert_id_alg        = sha1    # algorithm to compute certificate
                # identifier (optional, default: sha1)
主配置文件(不需要修改)

创建所需要的文件

mkdir /etc/pki/CA/
mkdir /etc/pki/CA/{certs,crl,newcerts,private}
[root@djcy-200 CA]# tree 
.
├── certs
├── crl
├── newcerts
└── private

mkdir /etc/pki/CA/crlnumber
touch /etc/pki/CA/index.txt 生成证书索引数据库文件
echo 01 > /etc/pki/CA/serial 指定第一个颁发证书的序列号

CA生成私钥

# 输入密码 每次签发证书都需认证
[root@djcy-200 CA]# (umask 066; openssl genrsa -out private/cakey.pem -des3 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
...................................+++++
..................................+++++
e is 65537 (0x010001)
Enter pass phrase for private/cakey.pem:
Verifying - Enter pass phrase for private/cakey.pem:
[root@djcy-200 CA]# tree 
.
├── certs
├── crl
├── newcerts
└── private
    └── cakey.pem

CA自签证书

参数说明:
    -new: 生成新证书签署请求
    -x509: 专用于CA生成自签证书
    -key: 生成请求时用到的私钥文件
    -days n:证书的有效期限
    -out /PATH/TO/SOMECERTFILE: 证书的保存路径
[root@djcy-200 CA]# openssl req -new -x509 -key private/cakey.pem -days 18250 -out /etc/pki/CA/cacert.pem
Enter pass phrase for private/cakey.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing      
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:devops
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:ca.devops.com
Email Address []:admin@devops.com
[root@djcy-200 CA]# tree 
.
├── cacert.pem
├── certs
├── crl
├── newcerts
└── private
    └── cakey.pem

4 directories, 2 files查看

查看证书信息

[root@djcy-200 CA]# openssl x509 -in cacert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            11:10:a5:ca:51:77:cb:43:06:61:42:27:9d:ec:5e:35:d7:9b:61:17
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = BeiJing, L = BeiJing, O = devops, OU = ops, CN = ca.devops.com, emailAddress = admin@devops.com
        Validity
            Not Before: Aug  2 13:34:53 2020 GMT
            Not After : Jul 21 13:34:53 2070 GMT
        Subject: C = CN, ST = BeiJing, L = BeiJing, O = devops, OU = ops, CN = ca.devops.com, emailAddress = admin@devops.com
  ''''''''  省略

# 只查看某些内容
[root@djcy-200 CA]# openssl x509 -in cacert.pem -noout -dates 
notBefore=Aug  2 13:34:53 2020 GMT
notAfter=Jul 21 13:34:53 2070 GMT

客户端请求颁发证书

生成私钥

[root@djcy-62 ~]# mkdir ca
[root@djcy-62 ~]# cd ca/
[root@djcy-62 ca]# (umask 066;openssl genrsa -out app.key 1024)
Generating RSA private key, 1024 bit long modulus (2 primes)
............+++++
......................+++++
e is 65537 (0x010001)
[root@djcy-62 ca]# ll
total 4
-rw------- 1 root root 891 Aug  2 21:43 app.key

使用私钥生成请求

[root@djcy-62 ca]# openssl req -new -key app.key -out app.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN						# 必须跟CA服务器一致
State or Province Name (full name) []:BeiJing               # 必须跟CA服务器一致
Locality Name (eg, city) [Default City]:ChaoYang
Organization Name (eg, company) [Default Company Ltd]:devops # 必须跟CA服务器一致
Organizational Unit Name (eg, section) []:webdev    
Common Name (eg, your name or your server's hostname) []:www.devops.com  # 颁发的域名
Email Address []:dev@devops.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@djcy-62 ca]# ll
total 8
-rw-r--r-- 1 root root 700 Aug  2 21:47 app.csr
-rw------- 1 root root 891 Aug  2 21:43 app.key

发送请求秘钥到CA服务器

[root@djcy-62 ca]# scp app.csr bjcy-200.host.io:/etc/pki/CA/

查看服务器颁发的密码

[root@djcy-62 ca]# openssl x509 -in app.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = BeiJing, L = BeiJing, O = devops, OU = ops, CN = ca.devops.com, emailAddress = admin@devops.com
        Validity
            Not Before: Aug  2 14:01:05 2020 GMT
            Not After : Jul 31 14:01:05 2030 GMT
        Subject: C = CN, ST = BeiJing, O = devops, OU = webdev, CN = www.devops.com, emailAddress = dev@devops.com
        Subject Public Key Info:
''''''' 省略'

CA授权客户端

[root@djcy-200 CA]# touch index.txt							# 数据库文件存放着所有的申请授权信息
[root@djcy-200 CA]# echo 01 > /etc/pki/CA/serial            # 开始申请的编号 每次都会增加
[root@djcy-200 CA]# openssl ca -in app.csr -out certs/app.crt -days 3650   # 开始授权
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Aug  2 14:01:05 2020 GMT
            Not After : Jul 31 14:01:05 2030 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BeiJing
            organizationName          = devops
            organizationalUnitName    = webdev
            commonName                = www.devops.com
            emailAddress              = dev@devops.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                BF:F7:D0:7A:0B:B8:11:6E:27:64:69:C2:7D:3D:38:62:69:E7:4A:10
            X509v3 Authority Key Identifier: 
                keyid:31:BC:8B:B0:A6:F8:FF:B7:6E:F9:B2:E5:7C:80:B8:47:6C:AA:AB:1D

Certificate is to be certified until Jul 31 14:01:05 2030 GMT (3650 days)
Sign the certificate? [y/n]:y								# 是否授权


1 out of 1 certificate requests certified, commit? [y/n]y		# 确认
Write out database with 1 new entries
Data Base Updated
[root@djcy-200 CA]# tree 
.
├── app.csr
├── cacert.pem
├── certs
│   └── app.crt			# 生产的私钥文件
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 01.pem       # 和 certs下的 app.crt 是同一个文件
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 10 files
[root@djcy-200 CA]# cat index.txt    # 数据库文件
V	300731140105Z		01	unknown	/C=CN/ST=BeiJing/O=devops/OU=webdev/CN=www.devops.com/emailAddress=dev@devops.com
[root@djcy-200 CA]# cat serial     # 下次申请的编号
02

CA吊销证书

[root@djcy-200 CA]# echo 01 > /etc/pki/CA/crlnumber

[root@djcy-200 CA]# openssl ca -revoke newcerts/01.pem   指定吊销证书
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Revoking Certificate 01.
Data Base Updated
[root@djcy-200 CA]# tree 
.
├── app.csr
├── cacert.pem
├── certs
│   └── app.crt
├── crl
├── crlnumber
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 12 files
[root@djcy-200 CA]# openssl ca -gencrl -out crl.pem # 生成证书吊销列表
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
[root@djcy-200 CA]# tree 
.
├── app.csr
├── cacert.pem
├── certs
│   └── app.crt
├── crl
├── crlnumber
├── crlnumber.old
├── crl.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 14 files
[root@djcy-200 CA]# # 查看吊销列表文件
[root@djcy-200 CA]# openssl crl -in crl
crl/           crlnumber      crlnumber.old  crl.pem        
[root@djcy-200 CA]# openssl crl -in crl.pem -noout -text 
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = BeiJing, L = BeiJing, O = devops, OU = ops, CN = ca.devops.com, emailAddress = admin@devops.com
        Last Update: Aug  2 14:21:56 2020 GMT
        Next Update: Sep  1 14:21:56 2020 GMT
        CRL extensions:
            X509v3 CRL Number: 
                1
Revoked Certificates:
    Serial Number: 01
        Revocation Date: Aug  2 14:20:37 2020 GMT
    Signature Algorithm: sha256WithRSAEncryption
         29:af:64:35:f5:aa:48:dd:7b:9d:0e:2c:a0:73:95:a1:e3:9a:
         fc:16:a9:e0:51:7d:a8:ee:f1:c4:f1:83:f9:b3:88:f2:f5:12:
         06:27:f7:f0:92:19:91:7b:f6:bc:30:ed:c6:34:ed:26:2d:ae:
         a7:2b:a2:7f:c2:60:9b:e1:24:2d:23:34:7b:7c:5e:ee:66:07:
         da:2f:c5:8e:35:e8:65:aa:89:da:d7:1f:df:53:9b:c6:4a:78:
         a8:09:fe:f3:0d:f4:0d:d6:65:48:0b:3d:75:73:19:26:db:ba:
         d0:0d:74:0c:c2:89:30:e5:33:f4:db:fd:73:e8:1e:07:30:1c:
         05:03:47:df:b3:82:26:e7:73:64:14:07:b9:f3:70:eb:8d:c0:
         fb:74:07:d8:22:ad:ce:3c:2e:ad:4a:00:cb:6c:9e:60:6c:dd:
         8c:14:ea:95:69:4a:be:ab:57:25:2d:ed:54:5a:45:04:13:4c:
         3a:90:23:96:d8:1b:01:c3:c6:a3:55:cf:8e:8b:c7:85:08:9b:
         44:ab:e8:eb:0f:c5:7c:8d:05:ef:d8:db:45:2c:36:32:f9:0c:
         56:db:6b:aa:72:1d:68:a8:4c:3f:7a:58:fc:26:cf:0c:53:d1:
         d2:57:33:4a:22:44:89:49:74:7a:1b:4f:91:0d:0f:59:5d:b0:
         83:28:66:02

  

 

 

 
posted @ 2020-08-03 02:29  闫世成  阅读(1363)  评论(0编辑  收藏  举报