Introduction
OpenSSL is an open source project that provides a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It is also a general-purpose cryptography library.
The OpenSSL toolkit is licensed under an Apache-style license, which basically means that you are free to get and use it for commercial and non-commercial purposes subject to some simple license conditions.
Official website: https://openssl.org/
Download
Go to https://openssl.org/source/ and download the newest source tarball.
OR
Install with Homebrew:
$ brew install openssl
Command
List OpenSSL commands:
$ openssl list -commands
General usage:
$ openssl <CMD> [ARGS] ...
Show OpenSSL version:
$ openssl version
OpenSSL 1.0.2f 28 Jan 2016
asn1parse
Print an ASN.1 structure. For an introduction, see: https://webencrypt.org/asn1/
Another online web tool: https://webencrypt.org/asn1js/
$ openssl asn1parse -i -in ~/vvvvvvwiki.csr
0:d=0 hl=4 l= 708 cons: SEQUENCE
4:d=1 hl=4 l= 428 cons: SEQUENCE
8:d=2 hl=2 l= 1 prim: INTEGER :00
11:d=2 hl=2 l= 127 cons: SEQUENCE
13:d=3 hl=2 l= 11 cons: SET
15:d=4 hl=2 l= 9 cons: SEQUENCE
17:d=5 hl=2 l= 3 prim: OBJECT :countryName
22:d=5 hl=2 l= 2 prim: PRINTABLESTRING :CN
26:d=3 hl=2 l= 17 cons: SET
28:d=4 hl=2 l= 15 cons: SEQUENCE
30:d=5 hl=2 l= 3 prim: OBJECT :stateOrProvinceName
35:d=5 hl=2 l= 8 prim: PRINTABLESTRING :Zhejiang
45:d=3 hl=2 l= 17 cons: SET
47:d=4 hl=2 l= 15 cons: SEQUENCE
49:d=5 hl=2 l= 3 prim: OBJECT :localityName
54:d=5 hl=2 l= 8 prim: PRINTABLESTRING :Hangzhou
64:d=3 hl=2 l= 18 cons: SET
66:d=4 hl=2 l= 16 cons: SEQUENCE
68:d=5 hl=2 l= 3 prim: OBJECT :organizationName
73:d=5 hl=2 l= 9 prim: PRINTABLESTRING :vvvv.wiki
84:d=3 hl=2 l= 20 cons: SET
86:d=4 hl=2 l= 18 cons: SEQUENCE
88:d=5 hl=2 l= 3 prim: OBJECT :commonName
93:d=5 hl=2 l= 11 prim: PRINTABLESTRING :vvvvvv.wiki
106:d=3 hl=2 l= 32 cons: SET
108:d=4 hl=2 l= 30 cons: SEQUENCE
110:d=5 hl=2 l= 9 prim: OBJECT :emailAddress
121:d=5 hl=2 l= 17 prim: IA5STRING :j******@gmail.com
140:d=2 hl=4 l= 290 cons: SEQUENCE
144:d=3 hl=2 l= 13 cons: SEQUENCE
146:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption
157:d=4 hl=2 l= 0 prim: NULL
159:d=3 hl=4 l= 271 prim: BIT STRING
434:d=2 hl=2 l= 0 cons: cont [ 0 ]
436:d=1 hl=2 l= 13 cons: SEQUENCE
438:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
449:d=2 hl=2 l= 0 prim: NULL
451:d=1 hl=4 l= 257 prim: BIT STRING
Notes:
d -> structure depth
hl -> tag header length (bytes)
l -> data length (bytes)
prim/cons -> bit 6: whether the encoding is primitive or constructed
Generate ASN.1 from a string:
$ openssl asn1parse -genstr 'UTF8:Hello World'
0:d=0 hl=2 l= 11 prim: UTF8STRING :Hello World
Generate ASN.1 from a config file:
$ cat asn1.conf
asn1=SEQUENCE:seq_sect
[seq_sect]
field1=BOOL:TRUE
field2=EXP:0, UTF8:some random string
$ openssl asn1parse -genconf asn1.conf -i
0:d=0 hl=2 l= 25 cons: SEQUENCE
2:d=1 hl=2 l= 1 prim: BOOLEAN :255
5:d=1 hl=2 l= 20 cons: cont [ 0 ]
7:d=2 hl=2 l= 18 prim: UTF8STRING :some random string
See more: https://www.openssl.org/docs/manmaster/crypto/ASN1_generate_nconf.html
Alternative tool: derparse.rs
Install with runrs:
$ runrs -i derparse.rs
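How the d, hl, l and prim/cons columns come out of the encoding, as an added example that is not part of the original page: a small Python DER walker run on bytes constructed to match the asn1.conf structure above. The names read_header, walk and GENCONF_DER are illustrative.

```python
# Added example: a minimal DER walker reporting the fields `openssl asn1parse` prints.
UNIVERSAL = {0x01: "BOOLEAN", 0x02: "INTEGER", 0x03: "BIT STRING",
             0x04: "OCTET STRING", 0x05: "NULL", 0x06: "OBJECT",
             0x0C: "UTF8STRING", 0x10: "SEQUENCE", 0x11: "SET",
             0x13: "PRINTABLESTRING", 0x16: "IA5STRING"}
CLASS_PREFIX = {1: "appl", 2: "cont", 3: "priv"}

# Constructed sample: the DER that the page's asn1.conf describes
# (SEQUENCE { BOOLEAN TRUE, [0] EXPLICIT UTF8String "some random string" }).
GENCONF_DER = bytes.fromhex("3019" "0101ff" "a014" "0c12") + b"some random string"


def read_header(buf, pos):
    """Parse identifier and length octets at pos.

    Returns (tag_class, constructed, tag_number, hl, l)."""
    start = pos
    if pos >= len(buf):
        raise ValueError("truncated: missing identifier octet")
    ident = buf[pos]
    pos += 1
    tag_class = ident >> 6
    constructed = bool(ident & 0x20)   # "bit 6": prim (0) or cons (1)
    number = ident & 0x1F
    if number == 0x1F:                 # high-tag-number form, base-128 digits
        number = 0
        while True:
            if pos >= len(buf):
                raise ValueError("truncated: unterminated tag number")
            octet = buf[pos]
            pos += 1
            number = (number << 7) | (octet & 0x7F)
            if not octet & 0x80:
                break
    if pos >= len(buf):
        raise ValueError("truncated: missing length octet")
    first = buf[pos]
    pos += 1
    if first < 0x80:                   # short form: one length octet
        length = first
    elif first == 0x80:
        raise ValueError("indefinite length is BER, not DER")
    else:                              # long form: next (first & 0x7F) octets
        count = first & 0x7F
        if pos + count > len(buf):
            raise ValueError("truncated: incomplete long-form length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag_class, constructed, number, pos - start, length


def walk(buf, pos=0, end=None, depth=0):
    """Yield (offset, d, hl, l, 'prim'|'cons', name) depth-first."""
    end = len(buf) if end is None else end
    while pos < end:
        tag_class, constructed, number, hl, length = read_header(buf, pos)
        if pos + hl + length > end:
            raise ValueError(f"element at offset {pos} overruns its container")
        if tag_class == 0:
            name = UNIVERSAL.get(number, f"universal {number}")
        else:
            name = f"{CLASS_PREFIX[tag_class]} [ {number} ]"
        yield pos, depth, hl, length, "cons" if constructed else "prim", name
        if constructed:
            yield from walk(buf, pos + hl, pos + hl + length, depth + 1)
        pos += hl + length


if __name__ == "__main__":
    for off, d, hl, l, kind, name in walk(GENCONF_DER):
        print(f"{off:5d}:d={d} hl={hl} l={l:4d} {kind}: {' ' * d}{name}")
```

The long-form branch is what produces hl=4 on the outer SEQUENCE of the CSR dump above: a 708-byte body needs the length octets 82 02 c4.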
ciphers
$ openssl ciphers -v 'HIGH:!MD5:!SHA1:!DH'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA384
ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA384
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128) Mac=SHA256
ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128) Mac=SHA256
AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
dgst
$ echo -n 'Hello World!' | openssl dgst -sha256
(stdin)= 7f83b1657ff1fc53b92dc18148a1d65dfc2d4b1fa3d677284addd200126d9069
Sign
$ openssl dgst -sha256 -sign pri.pem -out sign.sig test.txt
Verify
$ openssl dgst -sha256 -verify pub.pem -signature sign.sig test.txt
Verified OK
dsaparam
$ openssl dsaparam -out dsa_param.pem 1024
Generating DSA parameters, 1024 bit long prime
This could take some time
.......+......+........+....+....+..........................+.....+.........+.....+..........+.........+..........................+...+......+..+..+............+.......+..+.+++++++++++++++++++++++++++++++++++++++++++++++++++*
.........+......+........+...+....................+++++++++++++++++++++++++++++++++++++++++++++++++++*
$ openssl gendsa -out dsa_privatekey.pem dsa_param.pem
Generating DSA key, 1024 bits
$ openssl dsa -in dsa_privatekey.pem -pubout -out dsa_publickey.pem
read DSA key
writing DSA key
ecparam
Generate EC secp256r1 private key:
$ openssl ecparam -genkey -name secp256r1
using curve name prime256v1 instead of secp256r1
-----BEGIN EC PARAMETERS-----
BggqhkjOPQMBBw==
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIILLLYsJeaYtSHgtA9D5htjd1clS1oqbQJU0UNzv32m6oAoGCCqGSM49
AwEHoUQDQgAE0CUAu1acX+ok7/NjkbAF9KPa+rgSEWhQBRPyV4YirU+q8wd2WH3I
afQZo3zLqU2UrcvpJbgnVMF9QvLsZfO3Nw==
-----END EC PRIVATE KEY-----
Generate EC SM2 private key:
$ openssl ecparam -genkey -name SM2
List curves:
$ openssl ecparam -list_curves
...
secp256k1 : SECG curve over a 256 bit prime field
secp384r1 : NIST/SECG curve over a 384 bit prime field
secp521r1 : NIST/SECG curve over a 521 bit prime field
prime192v1: NIST/X9.62/SECG curve over a 192 bit prime field
prime192v2: X9.62 curve over a 192 bit prime field
prime192v3: X9.62 curve over a 192 bit prime field
prime239v1: X9.62 curve over a 239 bit prime field
prime239v2: X9.62 curve over a 239 bit prime field
prime239v3: X9.62 curve over a 239 bit prime field
prime256v1: X9.62/SECG curve over a 256 bit prime field
...
Curve params:
$ openssl ecparam -genkey -name secp256r1 -param_enc explicit | openssl ec -noout -text
read EC key
using curve name prime256v1 instead of secp256r1
Private-Key: (256 bit)
priv:
00:92:5a:6e:ae:15:72:f2:f5:54:51:0e:d2:0a:18:
46:85:7b:04:6c:25:cb:b4:98:34:95:01:22:46:a9:
5d:d5:25
pub:
04:54:f6:92:cc:51:33:48:ea:02:8d:98:22:44:bd:
64:bb:53:f6:19:ce:e9:41:95:95:23:a2:07:30:b3:
e4:7c:55:8e:6d:da:9b:de:ef:34:e4:d5:de:14:9d:
47:b6:fd:19:75:db:12:2a:bd:0f:95:b1:18:23:01:
62:68:48:df:e8
Field Type: prime-field
Prime:
00:ff:ff:ff:ff:00:00:00:01:00:00:00:00:00:00:
00:00:00:00:00:00:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff
A:
00:ff:ff:ff:ff:00:00:00:01:00:00:00:00:00:00:
00:00:00:00:00:00:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:fc
B:
5a:c6:35:d8:aa:3a:93:e7:b3:eb:bd:55:76:98:86:
bc:65:1d:06:b0:cc:53:b0:f6:3b:ce:3c:3e:27:d2:
60:4b
Generator (uncompressed):
04:6b:17:d1:f2:e1:2c:42:47:f8:bc:e6:e5:63:a4:
40:f2:77:03:7d:81:2d:eb:33:a0:f4:a1:39:45:d8:
98:c2:96:4f:e3:42:e2:fe:1a:7f:9b:8e:e7:eb:4a:
7c:0f:9e:16:2b:ce:33:57:6b:31:5e:ce:cb:b6:40:
68:37:bf:51:f5
Order:
00:ff:ff:ff:ff:00:00:00:00:ff:ff:ff:ff:ff:ff:
ff:ff:bc:e6:fa:ad:a7:17:9e:84:f3:b9:ca:c2:fc:
63:25:51
Cofactor: 1 (0x1)
Seed:
c4:9d:36:08:86:e7:04:93:6a:66:78:e1:13:9d:26:
b7:81:9f:7e:90
enc
$ cat test.txt
Hello World.
Encrypt
$ openssl enc -e -aes-256-cbc -in test.txt -out test.txt.enc -k PASSWORD
Decrypt
$ openssl enc -d -aes-256-cbc -in test.txt.enc -k PASSWORD [-out FILENAME]
Hello World.
$ openssl enc -d -aes-256-cbc -in test.txt.enc -k PASSWORD -P
salt=EBA54C6021D47513
key=62A86E05010766F9EF41990413C4C29756D3A6ECE36CE8FB37CC7A465EC0E4D3
iv =60BBB830797137A5EBA9D2BBFF0DD503
genpkey
Generate an EC key:
$ openssl genpkey -algorithm EC \
-pkeyopt ec_paramgen_curve:P-256 \
-pkeyopt ec_param_enc:named_curve
Generate X25519 and Ed25519 keys:
$ openssl genpkey -algorithm x25519
$ openssl genpkey -algorithm ed25519
Generate an RSA key:
$ openssl genpkey -algorithm RSA \
-pkeyopt rsa_keygen_bits:2048 \
-pkeyopt rsa_keygen_pubexp:65537
genrsa
Generate RSA private key:
$ openssl genrsa -rand /dev/random 1024
2048 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
..++++++
...........++++++
e is 65537 (0x10001)
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
list-cipher-algorithms
$ openssl list-cipher-algorithms
AES-128-CBC
AES-128-CBC-HMAC-SHA1
AES-128-CBC-HMAC-SHA256
AES-128-CFB
AES-128-CFB1
AES-128-CFB8
AES-128-CTR
AES-128-ECB
AES-128-OFB
...
pkcs12
Make PFX file
$ openssl pkcs12 -export -in certificate.pem -inkey private.pem -out c.pfx
Enter Export Password:
Verifying - Enter Export Password:
$ ll c.pfx
-rw------- 1 **** staff 2517 Feb 15 20:45 c.pfx
Extract PFX file
$ openssl pkcs12 -in c.pfx -nodes [-nocerts]
pkcs7
Print PKCS#7 format.
$ openssl pkcs7 -in p.p7s -inform pem -print
pkcs8
$ openssl pkcs8 -topk8 -nocrypt -in p1.pem -out p8.pem
$ head -n 1 p1.pem
-----BEGIN RSA PRIVATE KEY-----
$ head -n 1 p8.pem
-----BEGIN PRIVATE KEY-----
pkey
$ openssl pkey -in key.pem -noout -text_pub
Public-Key: (2048 bit)
Modulus:
00:b2:9d:63:19:a5:79:53:35:a8:3e:28:8c:f2:3e:
ef:44:7c:6a:82:62:18:0c:63:7a:8d:74:83:8b:60:
95:e3:d8:4f:f2:fd:a9:bf:54:a2:a9:98:b3:11:11:
23:a1:04:29:ba:8c:3b:2f:c8:4e:92:c2:a5:8d:18:
10:30:4c:7d:dd:99:47:72:4e:14:67:03:ed:79:84:
7d:22:2b:1b:e6:e5:15:67:78:b2:90:ea:87:99:b0:
3a:38:33:cc:e9:9d:e7:cd:31:bd:a0:d9:cc:17:79:
df:32:69:7c:ca:35:38:01:0f:dc:17:6e:15:04:af:
cd:d4:80:ae:70:af:1a:a3:6a:24:3a:96:3c:51:e8:
fc:16:6a:22:0f:ab:aa:64:91:9a:fa:ae:19:f1:7b:
f7:92:18:6c:ba:ce:d3:0c:80:19:83:1d:12:a1:a2:
c7:9e:2a:4f:4f:07:ef:72:6b:67:13:2b:4e:35:a2:
85:c2:85:b9:d4:09:33:97:d6:d7:42:bd:06:c7:a1:
0b:cc:05:05:56:21:45:54:de:02:7a:92:43:26:cc:
e4:d7:57:02:fe:b3:c4:e5:df:0f:1e:6a:0a:55:8d:
12:27:1a:75:26:67:92:59:de:ad:a4:24:99:77:31:
f7:93:a0:93:34:df:47:4a:1c:83:7d:06:fa:50:68:
fe:d3
Exponent: 65537 (0x10001)
$ openssl pkey -in key.pem -noout -text_pub
Public-Key: (256 bit)
pub:
04:03:22:6a:3c:25:13:f4:71:b1:23:04:1c:68:13:
97:61:06:f4:58:f1:7d:66:d5:e4:18:28:b1:51:1f:
97:5c:44:12:7e:40:a0:05:80:11:3f:df:6b:ba:ce:
5b:c9:09:29:ad:92:7d:fe:35:cd:16:06:ff:11:4e:
04:8b:db:70:9d
ASN1 OID: prime256v1
NIST CURVE: P-256
pkeyutl
Encrypt:
$ openssl pkeyutl -encrypt -inkey key.pem -in file.txt -out file.txt.enc
Decrypt:
$ openssl pkeyutl -decrypt -inkey key.pem -in file.txt.enc -out file.txt
Sign:
$ openssl pkeyutl -sign -inkey key.pem -in file.txt -out file.txt.sign
Verify:
$ openssl pkeyutl -verify -inkey key.pem -in file.txt -sigfile file.txt.sign
Signature Verified Successfully
prime
Check whether a number is prime:
$ openssl prime 2
2 is prime
$ openssl prime 5
5 is prime
$ openssl prime 6
6 is not prime
rand
$ openssl rand -base64 32
wYkPQLoVwvtxtBlnMHFG6uxxv4hOfcPkx0LPGVQJUww=
$ openssl rand -hex 32
9496b19e77a9bc63d7607cfece2a24f7a62fb7fffff49805d40dc3fc4c73fc1b
rsa
$ openssl rsa -in prikey.pem -text -noout
Private-Key: (512 bit)
modulus:
00:e0:ef:fb:24:67:8c:f8:b9:0d:76:97:fa:4c:61:
36:1b:da:3d:25:7e:6d:bc:38:74:bb:28:8f:87:48:
92:ae:a4:c7:36:bc:7c:fc:0f:ea:f2:26:30:c7:19:
de:1e:8f:0d:04:8e:7d:d5:de:77:de:34:09:1d:9c:
66:8a:5f:99:23
publicExponent: 65537 (0x10001)
privateExponent:
00:c3:fa:d3:09:a8:de:fe:65:dd:01:12:f1:15:53:
2d:5d:9f:0b:df:7b:04:09:15:f7:3e:89:dc:63:b6:
2b:76:d4:9f:ef:93:56:2a:33:6e:e9:50:af:35:5f:
41:10:5b:3c:c0:01:42:3d:2d:e9:6e:64:c3:83:78:
0c:f8:3a:98:81
prime1:
00:f9:ca:d3:bc:12:db:fa:cb:f4:b8:99:b7:62:9f:
0b:33:2f:75:ed:25:76:ae:ba:ea:24:0f:08:33:15:
ca:ff:93
prime2:
00:e6:87:07:20:01:50:f3:0d:11:fe:6f:90:e6:b4:
bd:7b:eb:17:5f:1c:2f:4d:32:ca:8f:07:76:16:b9:
89:5a:31
exponent1:
21:25:00:a3:5b:fd:44:71:fb:ae:e2:f6:aa:67:60:
1d:12:97:1b:38:75:5f:09:fe:37:7a:a7:23:e0:28:
67:71
exponent2:
00:d1:d3:ad:c4:8f:ee:22:8c:8f:08:4c:7c:53:c1:
c7:86:f7:60:fa:8d:28:f0:d7:7e:4f:d9:b6:be:d0:
7a:18:c1
coefficient:
00:86:d3:71:a6:08:8b:19:ca:10:36:e6:bb:cb:ca:
8b:3e:24:d1:9e:fd:d8:6c:a2:67:ea:8e:e9:f1:89:
47:2d:a5
$ openssl rsa -in prikey.pem -pubout | openssl rsa -pubin -text
writing RSA key
Modulus (512 bit):
00:e0:ef:fb:24:67:8c:f8:b9:0d:76:97:fa:4c:61:
36:1b:da:3d:25:7e:6d:bc:38:74:bb:28:8f:87:48:
92:ae:a4:c7:36:bc:7c:fc:0f:ea:f2:26:30:c7:19:
de:1e:8f:0d:04:8e:7d:d5:de:77:de:34:09:1d:9c:
66:8a:5f:99:23
Exponent: 65537 (0x10001)
writing RSA key
-----BEGIN PUBLIC KEY-----
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAODv+yRnjPi5DXaX+kxhNhvaPSV+bbw4
dLsoj4dIkq6kxza8fPwP6vImMMcZ3h6PDQSOfdXed940CR2cZopfmSMCAwEAAQ==
-----END PUBLIC KEY-----
Convert Private Key to Public Key
$ openssl rsa -in pri.pem -pubout -out pub.pem
writing RSA key
rsautl
$ cat prikey.pem
-----BEGIN RSA PRIVATE KEY-----
MIIBPAIBAAJBAODv+yRnjPi5DXaX+kxhNhvaPSV+bbw4dLsoj4dIkq6kxza8fPwP
6vImMMcZ3h6PDQSOfdXed940CR2cZopfmSMCAwEAAQJBAMP60wmo3v5l3QES8RVT
LV2fC997BAkV9z6J3GO2K3bUn++TViozbulQrzVfQRBbPMABQj0t6W5kw4N4DPg6
mIECIQD5ytO8Etv6y/S4mbdinwszL3XtJXauuuokDwgzFcr/kwIhAOaHByABUPMN
Ef5vkOa0vXvrF18cL00yyo8Hdha5iVoxAiAhJQCjW/1Ecfuu4vaqZ2AdEpcbOHVf
Cf43eqcj4ChncQIhANHTrcSP7iKMjwhMfFPBx4b3YPqNKPDXfk/Ztr7QehjBAiEA
htNxpgiLGcoQNua7y8qLPiTRnv3YbKJn6o7p8YlHLaU=
-----END RSA PRIVATE KEY-----
Encrypt & Decrypt test:
$ echo 'Hello Hatter!' | openssl rsautl -encrypt -inkey prikey.pem | base64
YwVY9JlAOlXyZGeRMi0V64U7IGz3jTgg8n2Otqee/k10lBWveNweTSLitw8RJ2E5EW2NiyWZzlbyfjbDk0pAJQ==
$ echo YwVY9JlAOlXyZGeRMi0V64U7IGz3jTgg8n2Otqee/k10lBWveNweTSLitw8RJ2E5EW2NiyWZzlbyfjbDk0pAJQ== | base64 -D | openssl rsautl -decrypt -inkey prikey.pem
Hello Hatter!
$ echo YwVY9JlAOlXyZGeRMi0V64U7IGz3jTgg8n2Otqee/k10lBWveNweTSLitw8RJ2E5EW2NiyWZzlbyfjbDk0pAJQ== | base64 -D | openssl rsautl -decrypt -inkey prikey.pem -raw -hexdump
0000 - 00 02 24 e4 2e 62 c7 3d-7f 21 6a 75 e5 de 48 f5 ..$..b.=.!ju..H.
0010 - 46 51 f9 f0 04 ee 78 01-4a e2 eb 2c 13 40 cf af FQ....x.J..,.@..
0020 - ea c5 3e e3 2c 23 fe 0e-8a ae c2 7c 55 32 e8 8c ..>.,#.....|U2..
0030 - 0c 00 48 65 6c 6c 6f 20-48 61 74 74 65 72 21 0a ..Hello Hatter!.
Sign & Verify test:
$ echo 'Hello Hatter!' | openssl rsautl -sign -inkey prikey.pem | base64
gsyY3fSxeDBZjNB0vaNBYjdY/Qmgmo9mXnYMgU/YLdY5tRa0PtXAhpKYSAbJhrKZ3jak2Rhj067ldCAGlF/09w==
$ echo gsyY3fSxeDBZjNB0vaNBYjdY/Qmgmo9mXnYMgU/YLdY5tRa0PtXAhpKYSAbJhrKZ3jak2Rhj067ldCAGlF/09w== | base64 -D | openssl rsautl -verify -inkey prikey.pem
Hello Hatter!
$ echo gsyY3fSxeDBZjNB0vaNBYjdY/Qmgmo9mXnYMgU/YLdY5tRa0PtXAhpKYSAbJhrKZ3jak2Rhj067ldCAGlF/09w== | base64 -D | openssl rsautl -verify -inkey prikey.pem -raw -hexdump
0000 - 00 01 ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
0010 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
0020 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................
0030 - ff 00 48 65 6c 6c 6f 20-48 61 74 74 65 72 21 0a ..Hello Hatter!.
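What the two `-raw -hexdump` outputs above contain, as an added example that is not part of the original page: a Python parser for the PKCS#1 v1.5 block layout 00 || BT || PS || 00 || message, run on the bytes copied from those dumps. The names decode_block and max_message_len are illustrative.

```python
# Added example: decode the raw RSA blocks shown by `rsautl ... -raw -hexdump`.
# Bytes copied from the page's two hexdumps (512-bit key, so k = 64 bytes).
ENC_BLOCK = bytes.fromhex(
    "000224e42e62c73d7f216a75e5de48f5"
    "4651f9f004ee78014ae2eb2c1340cfaf"
    "eac53ee32c23fe0e8aaec27c5532e88c"
    "0c0048656c6c6f20486174746572210a"
)
SIG_BLOCK = bytes.fromhex("0001" + "ff" * 47 + "00") + b"Hello Hatter!\n"


def max_message_len(k):
    """Largest payload for a k-byte modulus: 3 framing bytes + 8 padding bytes."""
    return k - 11


def decode_block(em, k):
    """Parse a PKCS#1 v1.5 encoded block for a k-byte modulus.

    Returns (kind, padding_len, message). Intended for offline inspection of
    dumps; a live decryption path must not reveal which check failed.
    """
    if k < 11 or len(em) != k:
        raise ValueError("block length must equal the modulus length")
    if em[0] != 0x00:
        raise ValueError("first byte must be 00 so the block is below the modulus")
    block_type = em[1]
    if block_type not in (0x01, 0x02):
        raise ValueError("block type must be 01 (signature) or 02 (encryption)")
    sep = em.find(b"\x00", 2)          # PS never contains 00 in either type
    if sep == -1:
        raise ValueError("missing 00 separator after the padding string")
    padding = em[2:sep]
    if len(padding) < 8:
        raise ValueError("padding string shorter than 8 bytes")
    if block_type == 0x01 and padding != b"\xff" * len(padding):
        raise ValueError("type 01 padding must be all ff")
    kind = "signature" if block_type == 0x01 else "encryption"
    return kind, len(padding), em[sep + 1:]


if __name__ == "__main__":
    for label, block in (("decrypt -raw", ENC_BLOCK), ("verify -raw", SIG_BLOCK)):
        kind, pad_len, message = decode_block(block, 64)
        print(f"{label}: type={kind} padding={pad_len} bytes message={message!r}")
    print("max payload for this key:", max_message_len(64), "bytes")
```

The type 01 block carries the message itself after the separator, which shows that `rsautl -sign` pads and signs the input as given, without hashing it first.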
s_client
$ echo | openssl s_client -connect www.baidu.com:443
CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)10, CN = VeriSign Class 3 International Server CA - G3
verify return:1
depth=0 C = CN, ST = Beijing, L = Beijing, O = "Beijing Baidu Netcom Science Technology Co., Ltd.", OU = service operation department, CN = baidu.com
verify return:1
---
Certificate chain
0 s:/C=CN/ST=Beijing/L=Beijing/O=Beijing Baidu Netcom Science Technology Co., Ltd./OU=service operation department/CN=baidu.com
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International Server CA - G3
1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International Server CA - G3
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=CN/ST=Beijing/L=Beijing/O=Beijing Baidu Netcom Science Technology Co., Ltd./OU=service operation department/CN=baidu.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International Server CA - G3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5068 bytes and written 444 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 966740C4619FC6CFF6DEA69B7F50B922020B6F55CFAD6C84C7B45232FDAB94F0
Session-ID-ctx:
Master-Key: 949DAA220164D52B855FA8960CE29440C24F5BA071DD1D784FA4FE22910FA87A0A3A8ABC767AEF10204BF5CD9366855B
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 72000 (seconds)
TLS session ticket:
0000 - eb de 4a 8d ee 49 80 29-19 e9 e0 aa 9c 7f a2 50 ..J..I.).......P
0010 - 56 7e c4 02 85 cc 24 05-d5 85 0e 67 50 64 8f 3d V~....$....gPd.=
0020 - fc 03 17 4d 66 ac 99 fa-2a 74 25 2a 54 91 41 d4 ...Mf...*t%*T.A.
0030 - 9e 49 6e 8d 2e 75 b8 a8-c3 3e 35 ac 05 d8 da f2 .In..u...>5.....
0040 - af be 75 5c ae 5a 3e c3-99 6c 28 56 25 b2 19 45 ..u\.Z>..l(V%..E
0050 - 79 73 1b 70 d4 50 83 bb-98 90 fd 97 02 20 08 9c ys.p.P....... ..
0060 - d0 a2 2e 05 e0 0c 58 2f-bf f7 74 ec 8a 3c 3f 53 ......X/..t..<?S
0070 - 24 42 25 ce ac e5 01 c9-2c 1b a9 57 2d ff ea 0b $B%.....,..W-...
0080 - 8f 33 2e e6 72 99 e3 67-c3 6c ea 87 6a 9e 71 8f .3..r..g.l..j.q.
0090 - a2 32 3d 53 64 0e 6d d7-bc 61 7e 3d e6 c7 e0 32 .2=Sd.m..a~=...2
Start Time: 1466093576
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
DONE
-OR-
$ echo | openssl s_client -prexit -showcerts -state -status -tlsextdebug -verify 10 -connect <host>:443
sess_id
$ cat sess_id.pem
-----BEGIN SSL SESSION PARAMETERS-----
MHUCAQECAgMBBAIAOQQga2PAeeIXKd7MSzRuykUQjaCbT7BMlieSMmve9MMIj1wE
MOUilBEWWakJzBkDJRdPoRPWpd2EfyosMZsHl/jRxfg2UKi8om3FFSVdFsliwi+L
9KEGAgRMvs+kogQCAgEspAYEBAEAAAA=
-----END SSL SESSION PARAMETERS-----
$ openssl sess_id -in sess_id.pem -noout -text
SSL-Session:
Protocol : TLSv1
Cipher : 0039
Session-ID: 6B63C079E21729DECC4B346ECA45108DA09B4FB04C962792326BDEF4C3088F5C
Session-ID-ctx: 01000000
Master-Key: E52294111659A909CC190325174FA113D6A5DD847F2A2C319B0797F8D1C5F83650A8BCA26DC515255D16C962C22F8BF4
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1287573412
Timeout : 300 (sec)
Verify return code: 0 (ok)
smime
Sign:
$ openssl smime -sign -text -signer cert.pem -inkey key.pem -in example.txt -out example.msg
Verify (-noverify skips verification of the signer's certificate):
$ openssl smime -verify -noverify -signer cert.pem -in example.msg
speed
$ openssl speed -evp aes-128-cbc
Doing aes-128-cbc for 3s on 16 size blocks: 109630953 aes-128-cbc's in 2.99s
Doing aes-128-cbc for 3s on 64 size blocks: 29109948 aes-128-cbc's in 2.99s
Doing aes-128-cbc for 3s on 256 size blocks: 7337476 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 1884666 aes-128-cbc's in 2.99s
Doing aes-128-cbc for 3s on 8192 size blocks: 230338 aes-128-cbc's in 3.00s
OpenSSL 1.0.2f 28 Jan 2016
built on: reproducible build, date unspecified
options:bn(64,64) rc4(ptr,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: clang -I. -I.. -I../include -fPIC -fno-common -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -arch x86_64 -O3 -DL_ENDIAN -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-128-cbc 586653.93k 623089.19k 626131.29k 645450.83k 628976.30k
verify
$ openssl verify -CAfile ca.pem cert.pem
x509
$ openssl x509 -in cert.pem -noout -text
...
Calculate certificate fingerprint:
$ openssl x509 -in cert.pem -noout -fingerprint [-md5 | -sha1 | -sha256]
SHA1 Fingerprint=84:CD:16:7B:19:8A:56:8E:99:94:24:B5:46:98:53:48:9A:E9:E8:1E
$ openssl x509 -subject -issuer -nameopt multiline,show_type -noout -subject_hash -issuer_hash -in cert.pem
Alternatives
- https://boringssl.googlesource.com/boringssl/ - BoringSSL
- https://www.libressl.org/ - LibreSSL
- http://gmssl.org/ - GmSSL
- https://github.com/jntass/TASSL - TASSL
- https://github.com/Tongsuo-Project/Tongsuo - Tongsuo (铜锁, formerly BabaSSL)