OpenSSL is an open source project that provides a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It is also a general-purpose cryptography library. For more information about the team and community around the project, or to start making your own contributions, start with the community page. To get the latest news, download the source, and so on, please see the sidebar or the buttons at the top of every page.

The OpenSSL toolkit is licensed under an Apache-style license, which basically means that you are free to get and use it for commercial and non-commercial purposes subject to some simple license conditions.

Official website: https://openssl.org/
GitHub Group: https://github.com/openssl
Source code: https://github.com/openssl/openssl

Go to https://openssl.org/source/ and download the newest source tarball.

OR

Install with Homebrew:

brew install openssl

List OpenSSL commands:

$ openssl list -commands

General usage:

$ openssl <CMD> [ARGS] ...

Show OpenSSL version:

$ openssl version
OpenSSL 1.0.2f  28 Jan 2016

asn1parse

Print an ASN.1 structure. For an introduction, see: https://webencrypt.org/asn1/

Another online web tool: https://webencrypt.org/asn1js/

$ openssl asn1parse -i -in ~/vvvvvvwiki.csr
    0:d=0  hl=4 l= 708 cons: SEQUENCE          
    4:d=1  hl=4 l= 428 cons:  SEQUENCE          
    8:d=2  hl=2 l=   1 prim:   INTEGER           :00
   11:d=2  hl=2 l= 127 cons:   SEQUENCE          
   13:d=3  hl=2 l=  11 cons:    SET               
   15:d=4  hl=2 l=   9 cons:     SEQUENCE          
   17:d=5  hl=2 l=   3 prim:      OBJECT            :countryName
   22:d=5  hl=2 l=   2 prim:      PRINTABLESTRING   :CN
   26:d=3  hl=2 l=  17 cons:    SET               
   28:d=4  hl=2 l=  15 cons:     SEQUENCE          
   30:d=5  hl=2 l=   3 prim:      OBJECT            :stateOrProvinceName
   35:d=5  hl=2 l=   8 prim:      PRINTABLESTRING   :Zhejiang
   45:d=3  hl=2 l=  17 cons:    SET               
   47:d=4  hl=2 l=  15 cons:     SEQUENCE          
   49:d=5  hl=2 l=   3 prim:      OBJECT            :localityName
   54:d=5  hl=2 l=   8 prim:      PRINTABLESTRING   :Hangzhou
   64:d=3  hl=2 l=  18 cons:    SET               
   66:d=4  hl=2 l=  16 cons:     SEQUENCE          
   68:d=5  hl=2 l=   3 prim:      OBJECT            :organizationName
   73:d=5  hl=2 l=   9 prim:      PRINTABLESTRING   :vvvv.wiki
   84:d=3  hl=2 l=  20 cons:    SET               
   86:d=4  hl=2 l=  18 cons:     SEQUENCE          
   88:d=5  hl=2 l=   3 prim:      OBJECT            :commonName
   93:d=5  hl=2 l=  11 prim:      PRINTABLESTRING   :vvvvvv.wiki
  106:d=3  hl=2 l=  32 cons:    SET               
  108:d=4  hl=2 l=  30 cons:     SEQUENCE          
  110:d=5  hl=2 l=   9 prim:      OBJECT            :emailAddress
  121:d=5  hl=2 l=  17 prim:      IA5STRING         :j******@gmail.com
  140:d=2  hl=4 l= 290 cons:   SEQUENCE          
  144:d=3  hl=2 l=  13 cons:    SEQUENCE          
  146:d=4  hl=2 l=   9 prim:     OBJECT            :rsaEncryption
  157:d=4  hl=2 l=   0 prim:     NULL              
  159:d=3  hl=4 l= 271 prim:    BIT STRING        
  434:d=2  hl=2 l=   0 cons:   cont [ 0 ]        
  436:d=1  hl=2 l=  13 cons:  SEQUENCE          
  438:d=2  hl=2 l=   9 prim:   OBJECT            :sha256WithRSAEncryption
  449:d=2  hl=2 l=   0 prim:   NULL              
  451:d=1  hl=4 l= 257 prim:  BIT STRING        

Legend:

d         -> structure depth
hl        -> tag header length (bytes)
l         -> data length (bytes)
prim/cons -> bit 6: the encoding method is primitive or constructed

Generate ASN.1 from a string:

$ openssl asn1parse -genstr 'UTF8:Hello World'
    0:d=0  hl=2 l=  11 prim: UTF8STRING        :Hello World

Generate ASN.1 from a conf file:

$ cat asn1.conf 
asn1=SEQUENCE:seq_sect

[seq_sect]

field1=BOOL:TRUE
field2=EXP:0, UTF8:some random string
$ openssl asn1parse -genconf asn1.conf -i
    0:d=0  hl=2 l=  25 cons: SEQUENCE          
    2:d=1  hl=2 l=   1 prim:  BOOLEAN           :255
    5:d=1  hl=2 l=  20 cons:  cont [ 0 ]        
    7:d=2  hl=2 l=  18 prim:   UTF8STRING        :some random string

See more: https://www.openssl.org/docs/manmaster/crypto/ASN1_generate_nconf.html
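
The columns described in the legend above (offset, d, hl, l, prim/cons) can be reproduced with a small DER walker. The Python code below is an added example, not part of the original page or of OpenSSL; the names read_header and walk, and the sample bytes (DER built by hand for the -genstr and -genconf inputs above), are assumptions made for illustration. It handles short- and long-form lengths and rejects any declared length that overruns its parent.

```python
"""Minimal DER walker reporting the asn1parse columns: offset, d, hl, l, prim/cons."""

# Universal tag numbers that appear in the page's output (not a complete table).
UNIVERSAL = {
    1: "BOOLEAN", 2: "INTEGER", 3: "BIT STRING", 5: "NULL", 6: "OBJECT",
    12: "UTF8STRING", 16: "SEQUENCE", 17: "SET",
    19: "PRINTABLESTRING", 22: "IA5STRING",
}
CLASSES = ("univ", "appl", "cont", "priv")


def read_header(der, off, end):
    """Decode one identifier + length header; return (cls, cons, num, hl, l)."""
    if off + 2 > end:
        raise ValueError(f"truncated header at offset {off}")
    ident = der[off]
    # Bits 8-7: class, bit 6: constructed flag, bits 5-1: tag number.
    cls, cons, num = ident >> 6, bool(ident & 0x20), ident & 0x1F
    if num == 0x1F:
        raise ValueError("high-tag-number form is not handled here")
    pos = off + 1
    length = der[pos]
    pos += 1
    if length == 0x80:
        raise ValueError("indefinite length is BER, not DER")
    if length & 0x80:                      # long form: low 7 bits = octet count
        n = length & 0x7F
        if pos + n > end:
            raise ValueError(f"truncated length at offset {off}")
        length = int.from_bytes(der[pos:pos + n], "big")
        pos += n
    hl = pos - off
    if pos + length > end:                 # never trust a declared length
        raise ValueError(f"length {length} at offset {off} overruns its parent")
    return cls, cons, num, hl, length


def walk(der, off=0, end=None, depth=0):
    """Return rows (offset, d, hl, l, 'prim'|'cons', name) in asn1parse order."""
    end = len(der) if end is None else end
    rows = []
    while off < end:
        cls, cons, num, hl, length = read_header(der, off, end)
        if cls == 0:
            name = UNIVERSAL.get(num, f"univ [ {num} ]")
        else:
            name = f"{CLASSES[cls]} [ {num} ]"
        rows.append((off, depth, hl, length, "cons" if cons else "prim", name))
        if cons:                           # constructed: contents are nested TLVs
            rows += walk(der, off + hl, off + hl + length, depth + 1)
        off += hl + length
    return rows


# Constructed samples: DER for the page's -genstr and -genconf inputs.
HELLO = bytes.fromhex("0c0b") + b"Hello World"
SEQ = bytes.fromhex("3019" "0101ff" "a014" "0c12") + b"some random string"

if __name__ == "__main__":
    for off, d, hl, length, pc, name in walk(SEQ):
        print(f"{off:5d}:d={d}  hl={hl} l={length:4d} {pc}: {' ' * d}{name}")
```
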

Alternative tool: derparse.rs

Install with runrs:

$ runrs -i derparse.rs

ciphers

$ openssl ciphers -v 'HIGH:!MD5:!SHA1:!DH'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES256-SHA384  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256)  Mac=SHA384
ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)  Mac=SHA384
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-RSA-AES128-SHA256  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA256
ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)  Mac=SHA256
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256

dgst

$ echo -n 'Hello World!' | openssl dgst -sha256
(stdin)= 7f83b1657ff1fc53b92dc18148a1d65dfc2d4b1fa3d677284addd200126d9069

Sign:

$ openssl dgst -sha256 -sign pri.pem -out sign.sig test.txt 

Verify:

$ openssl dgst -sha256 -verify pub.pem -signature sign.sig test.txt 
Verified OK

dsaparam

$ openssl dsaparam -out dsa_param.pem 1024
Generating DSA parameters, 1024 bit long prime
This could take some time
.......+......+........+....+....+..........................+.....+.........+.....+..........+.........+..........................+...+......+..+..+............+.......+..+.+++++++++++++++++++++++++++++++++++++++++++++++++++*
.........+......+........+...+....................+++++++++++++++++++++++++++++++++++++++++++++++++++*
$ openssl gendsa -out dsa_privatekey.pem dsa_param.pem 
Generating DSA key, 1024 bits
$ openssl dsa -in dsa_privatekey.pem -pubout -out dsa_publickey.pem
read DSA key
writing DSA key

ecparam

Generate EC secp256r1 private key:

$ openssl ecparam -genkey -name secp256r1
using curve name prime256v1 instead of secp256r1
-----BEGIN EC PARAMETERS-----
BggqhkjOPQMBBw==
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIILLLYsJeaYtSHgtA9D5htjd1clS1oqbQJU0UNzv32m6oAoGCCqGSM49
AwEHoUQDQgAE0CUAu1acX+ok7/NjkbAF9KPa+rgSEWhQBRPyV4YirU+q8wd2WH3I
afQZo3zLqU2UrcvpJbgnVMF9QvLsZfO3Nw==
-----END EC PRIVATE KEY-----

Generate EC SM2 private key:

$ openssl ecparam -genkey -name SM2

List curves:

$ openssl ecparam -list_curves
...
  secp256k1 : SECG curve over a 256 bit prime field
  secp384r1 : NIST/SECG curve over a 384 bit prime field
  secp521r1 : NIST/SECG curve over a 521 bit prime field
  prime192v1: NIST/X9.62/SECG curve over a 192 bit prime field
  prime192v2: X9.62 curve over a 192 bit prime field
  prime192v3: X9.62 curve over a 192 bit prime field
  prime239v1: X9.62 curve over a 239 bit prime field
  prime239v2: X9.62 curve over a 239 bit prime field
  prime239v3: X9.62 curve over a 239 bit prime field
  prime256v1: X9.62/SECG curve over a 256 bit prime field
...

Curve params:

$ openssl ecparam -genkey -name secp256r1 -param_enc explicit | openssl ec -noout -text
read EC key
using curve name prime256v1 instead of secp256r1
Private-Key: (256 bit)
priv:
    00:92:5a:6e:ae:15:72:f2:f5:54:51:0e:d2:0a:18:
    46:85:7b:04:6c:25:cb:b4:98:34:95:01:22:46:a9:
    5d:d5:25
pub: 
    04:54:f6:92:cc:51:33:48:ea:02:8d:98:22:44:bd:
    64:bb:53:f6:19:ce:e9:41:95:95:23:a2:07:30:b3:
    e4:7c:55:8e:6d:da:9b:de:ef:34:e4:d5:de:14:9d:
    47:b6:fd:19:75:db:12:2a:bd:0f:95:b1:18:23:01:
    62:68:48:df:e8
Field Type: prime-field
Prime:
    00:ff:ff:ff:ff:00:00:00:01:00:00:00:00:00:00:
    00:00:00:00:00:00:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    ff:ff:ff
A:   
    00:ff:ff:ff:ff:00:00:00:01:00:00:00:00:00:00:
    00:00:00:00:00:00:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    ff:ff:fc
B:   
    5a:c6:35:d8:aa:3a:93:e7:b3:eb:bd:55:76:98:86:
    bc:65:1d:06:b0:cc:53:b0:f6:3b:ce:3c:3e:27:d2:
    60:4b
Generator (uncompressed):
    04:6b:17:d1:f2:e1:2c:42:47:f8:bc:e6:e5:63:a4:
    40:f2:77:03:7d:81:2d:eb:33:a0:f4:a1:39:45:d8:
    98:c2:96:4f:e3:42:e2:fe:1a:7f:9b:8e:e7:eb:4a:
    7c:0f:9e:16:2b:ce:33:57:6b:31:5e:ce:cb:b6:40:
    68:37:bf:51:f5
Order: 
    00:ff:ff:ff:ff:00:00:00:00:ff:ff:ff:ff:ff:ff:
    ff:ff:bc:e6:fa:ad:a7:17:9e:84:f3:b9:ca:c2:fc:
    63:25:51
Cofactor:  1 (0x1)
Seed:
    c4:9d:36:08:86:e7:04:93:6a:66:78:e1:13:9d:26:
    b7:81:9f:7e:90

enc

$ cat test.txt
Hello World.

Encrypt:

$ openssl enc -e -aes-256-cbc -in test.txt -out test.txt.enc -k PASSWORD

Decrypt:

$ openssl enc -d -aes-256-cbc -in test.txt.enc -k PASSWORD [-out FILENAME]
Hello World.
$ openssl enc -d -aes-256-cbc -in test.txt.enc -k PASSWORD -P
salt=EBA54C6021D47513
key=62A86E05010766F9EF41990413C4C29756D3A6ECE36CE8FB37CC7A465EC0E4D3
iv =60BBB830797137A5EBA9D2BBFF0DD503

genpkey

Generate an EC key:

$ openssl genpkey -algorithm EC \
    -pkeyopt ec_paramgen_curve:P-256 \
    -pkeyopt ec_param_enc:named_curve

Generate X25519 / Ed25519 keys:

$ openssl genpkey -algorithm x25519

$ openssl genpkey -algorithm ed25519

Generate an RSA key:

$ openssl genpkey -algorithm RSA \
    -pkeyopt rsa_keygen_bits:2048 \
    -pkeyopt rsa_keygen_pubexp:65537

genrsa

Generate RSA private key:

$ openssl genrsa -rand /dev/random 1024
2048 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
..++++++
...........++++++
e is 65537 (0x10001)
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

list-cipher-algorithms

$ openssl list-cipher-algorithms
AES-128-CBC
AES-128-CBC-HMAC-SHA1
AES-128-CBC-HMAC-SHA256
AES-128-CFB
AES-128-CFB1
AES-128-CFB8
AES-128-CTR
AES-128-ECB
AES-128-OFB
...

pkcs12

Create a PFX file:

$ openssl pkcs12 -export -in certificate.pem -inkey private.pem -out c.pfx
Enter Export Password:
Verifying - Enter Export Password:
$ ll c.pfx 
-rw-------  1 ****  staff  2517 Feb 15 20:45 c.pfx

Extract a PFX file:

$ openssl pkcs12 -in c.pfx -nodes [-nocerts]

pkcs7

Print PKCS#7 format.

$ openssl pkcs7 -in p.p7s -inform pem -print

pkcs8

$ openssl pkcs8 -topk8 -nocrypt -in p1.pem -out p8.pem
$ head -n 1 p1.pem 
-----BEGIN RSA PRIVATE KEY-----
$ head -n 1 p8.pem 
-----BEGIN PRIVATE KEY-----

pkey

$ openssl pkey -in key.pem -noout -text_pub
Public-Key: (2048 bit)
Modulus:
    00:b2:9d:63:19:a5:79:53:35:a8:3e:28:8c:f2:3e:
    ef:44:7c:6a:82:62:18:0c:63:7a:8d:74:83:8b:60:
    95:e3:d8:4f:f2:fd:a9:bf:54:a2:a9:98:b3:11:11:
    23:a1:04:29:ba:8c:3b:2f:c8:4e:92:c2:a5:8d:18:
    10:30:4c:7d:dd:99:47:72:4e:14:67:03:ed:79:84:
    7d:22:2b:1b:e6:e5:15:67:78:b2:90:ea:87:99:b0:
    3a:38:33:cc:e9:9d:e7:cd:31:bd:a0:d9:cc:17:79:
    df:32:69:7c:ca:35:38:01:0f:dc:17:6e:15:04:af:
    cd:d4:80:ae:70:af:1a:a3:6a:24:3a:96:3c:51:e8:
    fc:16:6a:22:0f:ab:aa:64:91:9a:fa:ae:19:f1:7b:
    f7:92:18:6c:ba:ce:d3:0c:80:19:83:1d:12:a1:a2:
    c7:9e:2a:4f:4f:07:ef:72:6b:67:13:2b:4e:35:a2:
    85:c2:85:b9:d4:09:33:97:d6:d7:42:bd:06:c7:a1:
    0b:cc:05:05:56:21:45:54:de:02:7a:92:43:26:cc:
    e4:d7:57:02:fe:b3:c4:e5:df:0f:1e:6a:0a:55:8d:
    12:27:1a:75:26:67:92:59:de:ad:a4:24:99:77:31:
    f7:93:a0:93:34:df:47:4a:1c:83:7d:06:fa:50:68:
    fe:d3
Exponent: 65537 (0x10001)
$ openssl pkey -in key.pem -noout -text_pub
Public-Key: (256 bit)
pub: 
    04:03:22:6a:3c:25:13:f4:71:b1:23:04:1c:68:13:
    97:61:06:f4:58:f1:7d:66:d5:e4:18:28:b1:51:1f:
    97:5c:44:12:7e:40:a0:05:80:11:3f:df:6b:ba:ce:
    5b:c9:09:29:ad:92:7d:fe:35:cd:16:06:ff:11:4e:
    04:8b:db:70:9d
ASN1 OID: prime256v1
NIST CURVE: P-256

pkeyutl

Encrypt:

$ openssl pkeyutl -encrypt -inkey key.pem -in file.txt -out file.txt.enc

Decrypt:

$ openssl pkeyutl -decrypt -inkey key.pem -in file.txt.enc -out file.txt

Sign:

$ openssl pkeyutl -sign -inkey key.pem -in file.txt -out file.txt.sign

Verify:

$ openssl pkeyutl -verify -inkey key.pem -in file.txt -sigfile file.txt.sign 
Signature Verified Successfully

prime

Check whether a number is prime:

$ openssl prime 2
2 is prime
$ openssl prime 5
5 is prime
$ openssl prime 6
6 is not prime

rand

$ openssl rand -base64 32
wYkPQLoVwvtxtBlnMHFG6uxxv4hOfcPkx0LPGVQJUww=
$ openssl rand -hex 32
9496b19e77a9bc63d7607cfece2a24f7a62fb7fffff49805d40dc3fc4c73fc1b

rsa

$ openssl rsa -in prikey.pem -text -noout
Private-Key: (512 bit)
modulus:
    00:e0:ef:fb:24:67:8c:f8:b9:0d:76:97:fa:4c:61:
    36:1b:da:3d:25:7e:6d:bc:38:74:bb:28:8f:87:48:
    92:ae:a4:c7:36:bc:7c:fc:0f:ea:f2:26:30:c7:19:
    de:1e:8f:0d:04:8e:7d:d5:de:77:de:34:09:1d:9c:
    66:8a:5f:99:23
publicExponent: 65537 (0x10001)
privateExponent:
    00:c3:fa:d3:09:a8:de:fe:65:dd:01:12:f1:15:53:
    2d:5d:9f:0b:df:7b:04:09:15:f7:3e:89:dc:63:b6:
    2b:76:d4:9f:ef:93:56:2a:33:6e:e9:50:af:35:5f:
    41:10:5b:3c:c0:01:42:3d:2d:e9:6e:64:c3:83:78:
    0c:f8:3a:98:81
prime1:
    00:f9:ca:d3:bc:12:db:fa:cb:f4:b8:99:b7:62:9f:
    0b:33:2f:75:ed:25:76:ae:ba:ea:24:0f:08:33:15:
    ca:ff:93
prime2:
    00:e6:87:07:20:01:50:f3:0d:11:fe:6f:90:e6:b4:
    bd:7b:eb:17:5f:1c:2f:4d:32:ca:8f:07:76:16:b9:
    89:5a:31
exponent1:
    21:25:00:a3:5b:fd:44:71:fb:ae:e2:f6:aa:67:60:
    1d:12:97:1b:38:75:5f:09:fe:37:7a:a7:23:e0:28:
    67:71
exponent2:
    00:d1:d3:ad:c4:8f:ee:22:8c:8f:08:4c:7c:53:c1:
    c7:86:f7:60:fa:8d:28:f0:d7:7e:4f:d9:b6:be:d0:
    7a:18:c1
coefficient:
    00:86:d3:71:a6:08:8b:19:ca:10:36:e6:bb:cb:ca:
    8b:3e:24:d1:9e:fd:d8:6c:a2:67:ea:8e:e9:f1:89:
    47:2d:a5
$ openssl rsa -in prikey.pem -pubout | openssl rsa -pubin -text
writing RSA key
Modulus (512 bit):
    00:e0:ef:fb:24:67:8c:f8:b9:0d:76:97:fa:4c:61:
    36:1b:da:3d:25:7e:6d:bc:38:74:bb:28:8f:87:48:
    92:ae:a4:c7:36:bc:7c:fc:0f:ea:f2:26:30:c7:19:
    de:1e:8f:0d:04:8e:7d:d5:de:77:de:34:09:1d:9c:
    66:8a:5f:99:23
Exponent: 65537 (0x10001)
writing RSA key
-----BEGIN PUBLIC KEY-----
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAODv+yRnjPi5DXaX+kxhNhvaPSV+bbw4
dLsoj4dIkq6kxza8fPwP6vImMMcZ3h6PDQSOfdXed940CR2cZopfmSMCAwEAAQ==
-----END PUBLIC KEY-----

Convert private key to public key:

$ openssl rsa -in pri.pem -pubout -out pub.pem
writing RSA key

rsautl

$ cat prikey.pem 
-----BEGIN RSA PRIVATE KEY-----
MIIBPAIBAAJBAODv+yRnjPi5DXaX+kxhNhvaPSV+bbw4dLsoj4dIkq6kxza8fPwP
6vImMMcZ3h6PDQSOfdXed940CR2cZopfmSMCAwEAAQJBAMP60wmo3v5l3QES8RVT
LV2fC997BAkV9z6J3GO2K3bUn++TViozbulQrzVfQRBbPMABQj0t6W5kw4N4DPg6
mIECIQD5ytO8Etv6y/S4mbdinwszL3XtJXauuuokDwgzFcr/kwIhAOaHByABUPMN
Ef5vkOa0vXvrF18cL00yyo8Hdha5iVoxAiAhJQCjW/1Ecfuu4vaqZ2AdEpcbOHVf
Cf43eqcj4ChncQIhANHTrcSP7iKMjwhMfFPBx4b3YPqNKPDXfk/Ztr7QehjBAiEA
htNxpgiLGcoQNua7y8qLPiTRnv3YbKJn6o7p8YlHLaU=
-----END RSA PRIVATE KEY-----

Encrypt & Decrypt test:

$ echo 'Hello Hatter!' | openssl rsautl -encrypt -inkey prikey.pem | base64
YwVY9JlAOlXyZGeRMi0V64U7IGz3jTgg8n2Otqee/k10lBWveNweTSLitw8RJ2E5EW2NiyWZzlbyfjbDk0pAJQ==
$ echo YwVY9JlAOlXyZGeRMi0V64U7IGz3jTgg8n2Otqee/k10lBWveNweTSLitw8RJ2E5EW2NiyWZzlbyfjbDk0pAJQ== | base64 -D | openssl rsautl -decrypt -inkey prikey.pem 
Hello Hatter!
$ echo YwVY9JlAOlXyZGeRMi0V64U7IGz3jTgg8n2Otqee/k10lBWveNweTSLitw8RJ2E5EW2NiyWZzlbyfjbDk0pAJQ== | base64 -D | openssl rsautl -decrypt -inkey prikey.pem -raw -hexdump
0000 - 00 02 24 e4 2e 62 c7 3d-7f 21 6a 75 e5 de 48 f5   ..$..b.=.!ju..H.
0010 - 46 51 f9 f0 04 ee 78 01-4a e2 eb 2c 13 40 cf af   FQ....x.J..,.@..
0020 - ea c5 3e e3 2c 23 fe 0e-8a ae c2 7c 55 32 e8 8c   ..>.,#.....|U2..
0030 - 0c 00 48 65 6c 6c 6f 20-48 61 74 74 65 72 21 0a   ..Hello Hatter!.

Sign & Verify test:

$ echo 'Hello Hatter!' | openssl rsautl -sign -inkey prikey.pem | base64
gsyY3fSxeDBZjNB0vaNBYjdY/Qmgmo9mXnYMgU/YLdY5tRa0PtXAhpKYSAbJhrKZ3jak2Rhj067ldCAGlF/09w==
$ echo gsyY3fSxeDBZjNB0vaNBYjdY/Qmgmo9mXnYMgU/YLdY5tRa0PtXAhpKYSAbJhrKZ3jak2Rhj067ldCAGlF/09w== | base64 -D | openssl rsautl -verify -inkey prikey.pem 
Hello Hatter!
$ echo gsyY3fSxeDBZjNB0vaNBYjdY/Qmgmo9mXnYMgU/YLdY5tRa0PtXAhpKYSAbJhrKZ3jak2Rhj067ldCAGlF/09w== | base64 -D | openssl rsautl -verify -inkey prikey.pem -raw -hexdump
0000 - 00 01 ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
0010 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
0020 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
0030 - ff 00 48 65 6c 6c 6f 20-48 61 74 74 65 72 21 0a   ..Hello Hatter!.
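
The two -raw -hexdump outputs above are PKCS#1 v1.5 blocks: 00 02, nonzero random padding, 00, message for encryption, and 00 01, 0xff padding, 00, message for signing. The Python code below is an added example, not from the original page or from OpenSSL, that rebuilds both blocks from the dumps and checks that structure; the function names hexdump_to_bytes and parse_block are assumptions.

```python
"""Parse the PKCS#1 v1.5 blocks shown by `openssl rsautl ... -raw -hexdump`."""

# The two hexdumps from the page (512-bit key, so each block is 64 bytes).
DECRYPT_RAW = r"""
0000 - 00 02 24 e4 2e 62 c7 3d-7f 21 6a 75 e5 de 48 f5   ..$..b.=.!ju..H.
0010 - 46 51 f9 f0 04 ee 78 01-4a e2 eb 2c 13 40 cf af   FQ....x.J..,.@..
0020 - ea c5 3e e3 2c 23 fe 0e-8a ae c2 7c 55 32 e8 8c   ..>.,#.....|U2..
0030 - 0c 00 48 65 6c 6c 6f 20-48 61 74 74 65 72 21 0a   ..Hello Hatter!.
"""
VERIFY_RAW = r"""
0000 - 00 01 ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
0010 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
0020 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
0030 - ff 00 48 65 6c 6c 6f 20-48 61 74 74 65 72 21 0a   ..Hello Hatter!.
"""


def hexdump_to_bytes(dump):
    """Rebuild the raw block from full 16-byte 'offset - hex   ascii' lines."""
    out = bytearray()
    for line in dump.strip().splitlines():
        hex_cols = line.split(" - ", 1)[1][:47]      # 16 bytes * 3 chars - 1
        out += bytes.fromhex(hex_cols.replace("-", " "))
    return bytes(out)


def parse_block(block, key_bytes):
    """Return (block_type, padding_len, message) or raise ValueError.

    For inspecting dumps only: real decryption code must not reveal which
    padding check failed, or it becomes a padding oracle.
    """
    if len(block) != key_bytes or block[0] != 0x00:
        raise ValueError("block must be key-sized and start with 0x00")
    block_type = block[1]
    if block_type not in (0x01, 0x02):
        raise ValueError(f"unexpected block type {block_type:#04x}")
    sep = block.find(b"\x00", 2)                     # first 0x00 ends the padding
    if sep < 0:
        raise ValueError("no 0x00 separator after padding")
    padding = block[2:sep]
    if len(padding) < 8:
        raise ValueError("padding string shorter than 8 bytes")
    if block_type == 0x01 and padding != b"\xff" * len(padding):
        raise ValueError("type 1 padding must be all 0xff")
    return block_type, len(padding), block[sep + 1:]


if __name__ == "__main__":
    for label, dump in (("decrypt", DECRYPT_RAW), ("verify", VERIFY_RAW)):
        print(label, parse_block(hexdump_to_bytes(dump), 64))
```
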

s_client

$ echo | openssl s_client -connect www.baidu.com:443
CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)10, CN = VeriSign Class 3 International Server CA - G3
verify return:1
depth=0 C = CN, ST = Beijing, L = Beijing, O = "Beijing Baidu Netcom Science Technology Co., Ltd.", OU = service operation department, CN = baidu.com
verify return:1
---
Certificate chain
 0 s:/C=CN/ST=Beijing/L=Beijing/O=Beijing Baidu Netcom Science Technology Co., Ltd./OU=service operation department/CN=baidu.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International Server CA - G3
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International Server CA - G3
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=CN/ST=Beijing/L=Beijing/O=Beijing Baidu Netcom Science Technology Co., Ltd./OU=service operation department/CN=baidu.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International Server CA - G3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5068 bytes and written 444 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 966740C4619FC6CFF6DEA69B7F50B922020B6F55CFAD6C84C7B45232FDAB94F0
    Session-ID-ctx: 
    Master-Key: 949DAA220164D52B855FA8960CE29440C24F5BA071DD1D784FA4FE22910FA87A0A3A8ABC767AEF10204BF5CD9366855B
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 72000 (seconds)
    TLS session ticket:
    0000 - eb de 4a 8d ee 49 80 29-19 e9 e0 aa 9c 7f a2 50   ..J..I.).......P
    0010 - 56 7e c4 02 85 cc 24 05-d5 85 0e 67 50 64 8f 3d   V~....$....gPd.=
    0020 - fc 03 17 4d 66 ac 99 fa-2a 74 25 2a 54 91 41 d4   ...Mf...*t%*T.A.
    0030 - 9e 49 6e 8d 2e 75 b8 a8-c3 3e 35 ac 05 d8 da f2   .In..u...>5.....
    0040 - af be 75 5c ae 5a 3e c3-99 6c 28 56 25 b2 19 45   ..u\.Z>..l(V%..E
    0050 - 79 73 1b 70 d4 50 83 bb-98 90 fd 97 02 20 08 9c   ys.p.P....... ..
    0060 - d0 a2 2e 05 e0 0c 58 2f-bf f7 74 ec 8a 3c 3f 53   ......X/..t..<?S
    0070 - 24 42 25 ce ac e5 01 c9-2c 1b a9 57 2d ff ea 0b   $B%.....,..W-...
    0080 - 8f 33 2e e6 72 99 e3 67-c3 6c ea 87 6a 9e 71 8f   .3..r..g.l..j.q.
    0090 - a2 32 3d 53 64 0e 6d d7-bc 61 7e 3d e6 c7 e0 32   .2=Sd.m..a~=...2

    Start Time: 1466093576
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
DONE

-OR-

$ echo | openssl s_client -prexit -showcerts -state -status -tlsextdebug -verify 10 -connect <host>:443

sess_id

$ cat sess_id.pem
-----BEGIN SSL SESSION PARAMETERS-----
MHUCAQECAgMBBAIAOQQga2PAeeIXKd7MSzRuykUQjaCbT7BMlieSMmve9MMIj1wE
MOUilBEWWakJzBkDJRdPoRPWpd2EfyosMZsHl/jRxfg2UKi8om3FFSVdFsliwi+L
9KEGAgRMvs+kogQCAgEspAYEBAEAAAA=
-----END SSL SESSION PARAMETERS-----
$ openssl sess_id -in sess_id.pem -noout -text
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0039
    Session-ID: 6B63C079E21729DECC4B346ECA45108DA09B4FB04C962792326BDEF4C3088F5C
    Session-ID-ctx: 01000000
    Master-Key: E52294111659A909CC190325174FA113D6A5DD847F2A2C319B0797F8D1C5F83650A8BCA26DC515255D16C962C22F8BF4
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1287573412
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

smime

Sign:

$ openssl smime -sign -text -signer cert.pem -inkey key.pem -in example.txt -out example.msg

Verify the signature (-noverify skips validation of the signer's certificate):

$ openssl smime -verify -noverify -signer cert.pem -in example.msg

speed

$ openssl speed -evp aes-128-cbc
Doing aes-128-cbc for 3s on 16 size blocks: 109630953 aes-128-cbc's in 2.99s
Doing aes-128-cbc for 3s on 64 size blocks: 29109948 aes-128-cbc's in 2.99s
Doing aes-128-cbc for 3s on 256 size blocks: 7337476 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 1884666 aes-128-cbc's in 2.99s
Doing aes-128-cbc for 3s on 8192 size blocks: 230338 aes-128-cbc's in 3.00s
OpenSSL 1.0.2f  28 Jan 2016
built on: reproducible build, date unspecified
options:bn(64,64) rc4(ptr,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx) 
compiler: clang -I. -I.. -I../include  -fPIC -fno-common -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -arch x86_64 -O3 -DL_ENDIAN -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc     586653.93k   623089.19k   626131.29k   645450.83k   628976.30k

verify

$ openssl verify -CAfile ca.pem cert.pem

x509

$ openssl x509 -in cert.pem -noout -text

...

Calculate certificate fingerprint:

$ openssl x509 -in cert.pem -noout -fingerprint [-md5 | -sha1 | -sha256]
SHA1 Fingerprint=84:CD:16:7B:19:8A:56:8E:99:94:24:B5:46:98:53:48:9A:E9:E8:1E
$ openssl x509 -subject -issuer -nameopt multiline,show_type -noout -subject_hash -issuer_hash -in cert.pem