Introduce
OpenSSL is an open source project that provides a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It is also a general-purpose cryptography library. For more information about the team and community around the project, or to start making your own contributions, start with the community page. To get the latest news, download the source, and so on, please see the sidebar or the buttons at the top of every page.
The OpenSSL toolkit is licensed under an Apache-style license, which basically means that you are free to get and use it for commercial and non-commercial purposes subject to some simple license conditions.
Official website: https://openssl.org/
GitHub Group: https://github.com/openssl
Source code: https://github.com/openssl/openssl
Download
Goto https://openssl.org/source/ download the newest source tar ball.
OR
Install by HomeBrew:
brew install openssl
Command
List OpenSSL commands:
openssl list -commands
OpenSSL usage like this:
openssl <CMD> [ARGS] ...
Show OpenSSL version:
$ openssl version OpenSSL 1.0.2f 28 Jan 2016
asn1parse
打印ASN.1
结构,介绍参看: https://webencrypt.org/asn1/
另外一个Web在线工具: https://webencrypt.org/asn1js/
$ openssl asn1parse -i -in ~/vvvvvvwiki.csr 0:d=0 hl=4 l= 708 cons: SEQUENCE 4:d=1 hl=4 l= 428 cons: SEQUENCE 8:d=2 hl=2 l= 1 prim: INTEGER :00 11:d=2 hl=2 l= 127 cons: SEQUENCE 13:d=3 hl=2 l= 11 cons: SET 15:d=4 hl=2 l= 9 cons: SEQUENCE 17:d=5 hl=2 l= 3 prim: OBJECT :countryName 22:d=5 hl=2 l= 2 prim: PRINTABLESTRING :CN 26:d=3 hl=2 l= 17 cons: SET 28:d=4 hl=2 l= 15 cons: SEQUENCE 30:d=5 hl=2 l= 3 prim: OBJECT :stateOrProvinceName 35:d=5 hl=2 l= 8 prim: PRINTABLESTRING :Zhejiang 45:d=3 hl=2 l= 17 cons: SET 47:d=4 hl=2 l= 15 cons: SEQUENCE 49:d=5 hl=2 l= 3 prim: OBJECT :localityName 54:d=5 hl=2 l= 8 prim: PRINTABLESTRING :Hangzhou 64:d=3 hl=2 l= 18 cons: SET 66:d=4 hl=2 l= 16 cons: SEQUENCE 68:d=5 hl=2 l= 3 prim: OBJECT :organizationName 73:d=5 hl=2 l= 9 prim: PRINTABLESTRING :vvvv.wiki 84:d=3 hl=2 l= 20 cons: SET 86:d=4 hl=2 l= 18 cons: SEQUENCE 88:d=5 hl=2 l= 3 prim: OBJECT :commonName 93:d=5 hl=2 l= 11 prim: PRINTABLESTRING :vvvvvv.wiki 106:d=3 hl=2 l= 32 cons: SET 108:d=4 hl=2 l= 30 cons: SEQUENCE 110:d=5 hl=2 l= 9 prim: OBJECT :emailAddress 121:d=5 hl=2 l= 17 prim: IA5STRING :j******@gmail.com 140:d=2 hl=4 l= 290 cons: SEQUENCE 144:d=3 hl=2 l= 13 cons: SEQUENCE 146:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption 157:d=4 hl=2 l= 0 prim: NULL 159:d=3 hl=4 l= 271 prim: BIT STRING 434:d=2 hl=2 l= 0 cons: cont [ 0 ] 436:d=1 hl=2 l= 13 cons: SEQUENCE 438:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption 449:d=2 hl=2 l= 0 prim: NULL 451:d=1 hl=4 l= 257 prim: BIT STRING
说明:
d -> 结构深度
hl -> Tag头长度(字节)
l -> 数据长度(字节)
prim/cons -> Bit6, 编码方法为简单化的或结构化的
ASN.1 generate by string:
$ openssl asn1parse -genstr 'UTF8:Hello World' 0:d=0 hl=2 l= 11 prim: UTF8STRING :Hello World
ASN.1 generate by conf file:
$ cat asn1.conf asn1=SEQUENCE:seq_sect [seq_sect] field1=BOOL:TRUE field2=EXP:0, UTF8:some random string $ openssl asn1parse -genconf asn1.conf -i 0:d=0 hl=2 l= 25 cons: SEQUENCE 2:d=1 hl=2 l= 1 prim: BOOLEAN :255 5:d=1 hl=2 l= 20 cons: cont [ 0 ] 7:d=2 hl=2 l= 18 prim: UTF8STRING :some random string
See more: https://www.openssl.org/docs/manmaster/crypto/ASN1_generate_nconf.html
Alternative tool: derparse.rs
Install with runrs:
$ runrs -i derparse.rs
ciphers
$ openssl ciphers -v 'HIGH:!MD5:!SHA1:!DH' ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384 ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384 ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD ECDH-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA384 ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA384 AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256 ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256 ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD ECDH-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128) Mac=SHA256 ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128) Mac=SHA256 AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
dgst
$ echo -n 'Hello World!' | openssl dgst -sha256 (stdin)= 7f83b1657ff1fc53b92dc18148a1d65dfc2d4b1fa3d677284addd200126d9069
Sign
openssl dgst -sha256 -sign pri.pem -out sign.sig test.txt
Verify
$ openssl dgst -sha256 -verify pub.pem -signature sign.sig test.txt Verified OK
dsaparam
$ openssl dsaparam -out dsa_param.pem 1024 Generating DSA parameters, 1024 bit long prime This could take some time .......+......+........+....+....+..........................+.....+.........+.....+..........+.........+..........................+...+......+..+..+............+.......+..+.+++++++++++++++++++++++++++++++++++++++++++++++++++* .........+......+........+...+....................+++++++++++++++++++++++++++++++++++++++++++++++++++*
$ openssl gendsa -out dsa_privatekey.pem dsa_param.pem Generating DSA key, 1024 bits
$ openssl dsa -in dsa_privatekey.pem -pubout -out dsa_publickey.pem read DSA key writing DSA key
ecparam
Generate EC secp256r1
private key:
$ openssl ecparam -genkey -name secp256r1 using curve name prime256v1 instead of secp256r1 -----BEGIN EC PARAMETERS----- BggqhkjOPQMBBw== -----END EC PARAMETERS----- -----BEGIN EC PRIVATE KEY----- MHcCAQEEIILLLYsJeaYtSHgtA9D5htjd1clS1oqbQJU0UNzv32m6oAoGCCqGSM49 AwEHoUQDQgAE0CUAu1acX+ok7/NjkbAF9KPa+rgSEWhQBRPyV4YirU+q8wd2WH3I afQZo3zLqU2UrcvpJbgnVMF9QvLsZfO3Nw== -----END EC PRIVATE KEY-----
Generate EC SM2
private key:
openssl ecparam -genkey -name SM2
List curves:
$ openssl ecparam -list_curves ... secp256k1 : SECG curve over a 256 bit prime field secp384r1 : NIST/SECG curve over a 384 bit prime field secp521r1 : NIST/SECG curve over a 521 bit prime field prime192v1: NIST/X9.62/SECG curve over a 192 bit prime field prime192v2: X9.62 curve over a 192 bit prime field prime192v3: X9.62 curve over a 192 bit prime field prime239v1: X9.62 curve over a 239 bit prime field prime239v2: X9.62 curve over a 239 bit prime field prime239v3: X9.62 curve over a 239 bit prime field prime256v1: X9.62/SECG curve over a 256 bit prime field ...
Curve params:
$ openssl ecparam -genkey -name secp256r1 -param_enc explicit | openssl ec -noout -text read EC key using curve name prime256v1 instead of secp256r1 Private-Key: (256 bit) priv: 00:92:5a:6e:ae:15:72:f2:f5:54:51:0e:d2:0a:18: 46:85:7b:04:6c:25:cb:b4:98:34:95:01:22:46:a9: 5d:d5:25 pub: 04:54:f6:92:cc:51:33:48:ea:02:8d:98:22:44:bd: 64:bb:53:f6:19:ce:e9:41:95:95:23:a2:07:30:b3: e4:7c:55:8e:6d:da:9b:de:ef:34:e4:d5:de:14:9d: 47:b6:fd:19:75:db:12:2a:bd:0f:95:b1:18:23:01: 62:68:48:df:e8 Field Type: prime-field Prime: 00:ff:ff:ff:ff:00:00:00:01:00:00:00:00:00:00: 00:00:00:00:00:00:ff:ff:ff:ff:ff:ff:ff:ff:ff: ff:ff:ff A: 00:ff:ff:ff:ff:00:00:00:01:00:00:00:00:00:00: 00:00:00:00:00:00:ff:ff:ff:ff:ff:ff:ff:ff:ff: ff:ff:fc B: 5a:c6:35:d8:aa:3a:93:e7:b3:eb:bd:55:76:98:86: bc:65:1d:06:b0:cc:53:b0:f6:3b:ce:3c:3e:27:d2: 60:4b Generator (uncompressed): 04:6b:17:d1:f2:e1:2c:42:47:f8:bc:e6:e5:63:a4: 40:f2:77:03:7d:81:2d:eb:33:a0:f4:a1:39:45:d8: 98:c2:96:4f:e3:42:e2:fe:1a:7f:9b:8e:e7:eb:4a: 7c:0f:9e:16:2b:ce:33:57:6b:31:5e:ce:cb:b6:40: 68:37:bf:51:f5 Order: 00:ff:ff:ff:ff:00:00:00:00:ff:ff:ff:ff:ff:ff: ff:ff:bc:e6:fa:ad:a7:17:9e:84:f3:b9:ca:c2:fc: 63:25:51 Cofactor: 1 (0x1) Seed: c4:9d:36:08:86:e7:04:93:6a:66:78:e1:13:9d:26: b7:81:9f:7e:90
enc
$ cat test.txt Hello World.
Encrypt
openssl enc -e -aes-256-cbc -in test.txt -out test.txt.enc -k PASSWORD
Decrypt
$ openssl enc -d -aes-256-cbc -in test.txt.enc -k PASSWORD [-out FILENAME] Hello World.
$ openssl enc -d -aes-256-cbc -in test.txt.enc -k PASSWORD -P salt=EBA54C6021D47513 key=62A86E05010766F9EF41990413C4C29756D3A6ECE36CE8FB37CC7A465EC0E4D3 iv =60BBB830797137A5EBA9D2BBFF0DD503
genpkey
Gen EC pkey:
openssl genpkey -algorithm EC \ -pkeyopt ec_paramgen_curve:P-256 \ -pkeyopt ec_param_enc:named_curve
Gen Ed pkey:
openssl genpkey -algorithm x25519
openssl genpkey -algorithm ed25519
Gen RSA pkey:
openssl genpkey -algorithm RSA \ -pkeyopt rsa_keygen_bits:2048 \ -pkeyopt rsa_keygen_pubexp:65537
genrsa
Generate RSA private key:
$ openssl genrsa -rand /dev/random 1024 2048 semi-random bytes loaded Generating RSA private key, 1024 bit long modulus ..++++++ ...........++++++ e is 65537 (0x10001) -----BEGIN RSA PRIVATE KEY----- MIICXAIBAAKBgQC7ZUKVtEgd+XNN1xiNTFcOHCcFAeyjXrMCLHkHk8uCGKs5/QeY Z59yGJcU36YDsNjgiKMmcdqh4FcU7s3AfVQZb/LzVsNDhKFUi81gXUN+N25YOvvx x8pMPK8vy2w0ChvoNnlzJAdYJO3HhLZ79fJQ0VOfxb7CWouiBiG/IkotpQIDAQAB AoGBALSbfFgCP/s7nshnxU7xQ3ni4ixuVV6C963hpOgLpnkFQ4mI95gITuDNGFdS 0ZL/D5cfuXZlBt069VLEcWLSp4iSNzT/XnHkf2gEAaehoenwOyTcb2B8R3RXgy/U kPeE7AiGXimI0T0pDWucZIATJKue6xXlkbP6idObDmYOwQmlAkEA4huuoWeB+PDO XnQLJhWqH8sw/JfK0JJLyIe/WJmNwuIGtG9g0QjXgCUXcUusn+7hC58g7NlWDS0u 7Ydk5XGlRwJBANQrZ2RHwegXwp0oEOWcLWdeImC1AYV4rVfJ+sdTJUqxd5Gh7Qpp 8ZiBSZBd7GrxtbA0foU2GqEOYsyoXxKB+7MCQBQ/oGLp7xTJE+IXiEwP0p1oR+nG +i21fD3oEjWwAqb6MNmFw+jUXuAl8jR+L2ZfMR4mUP+E8xTZAAPbhSibBc8CQFqY bf2T5miEPMV+ZjilB34r4+IHaC7l6J6j0EFsb3AFd1joG59mvZKxIghTErBXpY0n 3R5ki9pZmjZpbq8ocaECQHMSCUoFl/eEYsRNfBu3R/Vzu0vQg0qu7wMD3/J8BMLV Ab6wbT/C3C6Cdtob6M1ghLWIzgm+UribBapRM6P7A5A= -----END RSA PRIVATE KEY-----
list-cipher-algorithms
$ openssl list-cipher-algorithms AES-128-CBC AES-128-CBC-HMAC-SHA1 AES-128-CBC-HMAC-SHA256 AES-128-CFB AES-128-CFB1 AES-128-CFB8 AES-128-CTR AES-128-ECB AES-128-OFB ...
passwd
Option | Description |
---|---|
-crypt | for the standard UNIX crypt, i.e., DES (default) |
-apr1 | for the Apache-specific MD5 variant |
-1 | for MD5 |
-5 | for SHA-256 |
-6 | for SHA-512 |
ID | Description |
---|---|
$1$ | is Message Digest 5 (MD5) |
$2a$ | is blowfish |
$5$ | is 256-bit Secure Hash Algorithm (SHA-256) |
$6$ | is 512-bit Secure Hash Algorithm (SHA-512) |
$y$ $7$ | is yescrypt |
echo -n password | openssl passwd -1 --stdin $1$EmsQtP8V$lYwzZ/1/PO9OSz82fIF3F1
echo -n password | openssl passwd -5 --stdin $5$BttfJq6ul4iQnm5y$3kHHdr93xbiIZ5cNY6SUKRegzwW/64RXV7yZp7jhQS2
echo -n password | openssl passwd -6 --stdin $6$g6454vUelEmShn0P$m2vhYgVcEPHdywy87Fc.WGNKEsCgEEsPeyIFkCfklPUXfm3hd0wSiwsKWBCf9rmVnNL4C2n88Oejx/xHb2iw5.
pkcs12
Make PFX file
$ openssl pkcs12 -export -in certificate.pem -inkey private.pem -out c.pfx Enter Export Password: Verifying - Enter Export Password: $ ll c.pfx -rw------- 1 **** staff 2517 Feb 15 20:45 c.pfx
Extract PFX file
openssl pkcs12 -in c.pfx -nodes [-nocerts]
pkcs7
Print PKCS#7 format.
openssl pkcs7 -in p.p7s -inform pem -print
pkcs8
$ openssl pkcs8 -topk8 -nocrypt -in p1.pem -out p8.pem $ head -n 1 p1.pem -----BEGIN RSA PRIVATE KEY----- $ head -n 1 p8.pem -----BEGIN PRIVATE KEY-----
pkey
$ openssl pkey -in key.pem -noout -text_pub Public-Key: (2048 bit) Modulus: 00:b2:9d:63:19:a5:79:53:35:a8:3e:28:8c:f2:3e: ef:44:7c:6a:82:62:18:0c:63:7a:8d:74:83:8b:60: 95:e3:d8:4f:f2:fd:a9:bf:54:a2:a9:98:b3:11:11: 23:a1:04:29:ba:8c:3b:2f:c8:4e:92:c2:a5:8d:18: 10:30:4c:7d:dd:99:47:72:4e:14:67:03:ed:79:84: 7d:22:2b:1b:e6:e5:15:67:78:b2:90:ea:87:99:b0: 3a:38:33:cc:e9:9d:e7:cd:31:bd:a0:d9:cc:17:79: df:32:69:7c:ca:35:38:01:0f:dc:17:6e:15:04:af: cd:d4:80:ae:70:af:1a:a3:6a:24:3a:96:3c:51:e8: fc:16:6a:22:0f:ab:aa:64:91:9a:fa:ae:19:f1:7b: f7:92:18:6c:ba:ce:d3:0c:80:19:83:1d:12:a1:a2: c7:9e:2a:4f:4f:07:ef:72:6b:67:13:2b:4e:35:a2: 85:c2:85:b9:d4:09:33:97:d6:d7:42:bd:06:c7:a1: 0b:cc:05:05:56:21:45:54:de:02:7a:92:43:26:cc: e4:d7:57:02:fe:b3:c4:e5:df:0f:1e:6a:0a:55:8d: 12:27:1a:75:26:67:92:59:de:ad:a4:24:99:77:31: f7:93:a0:93:34:df:47:4a:1c:83:7d:06:fa:50:68: fe:d3 Exponent: 65537 (0x10001)
$ openssl pkey -in key.pem -noout -text_pub Public-Key: (256 bit) pub: 04:03:22:6a:3c:25:13:f4:71:b1:23:04:1c:68:13: 97:61:06:f4:58:f1:7d:66:d5:e4:18:28:b1:51:1f: 97:5c:44:12:7e:40:a0:05:80:11:3f:df:6b:ba:ce: 5b:c9:09:29:ad:92:7d:fe:35:cd:16:06:ff:11:4e: 04:8b:db:70:9d ASN1 OID: prime256v1 NIST CURVE: P-256
pkeyutl
Encrypt:
openssl pkeyutl -encrypt -inkey key.pem -in file.txt -out file.txt.enc
Decrypt:
openssl pkeyutl -decrypt -inkey key.pem -in file.txt.enc -out file.txt
Sign:
openssl pkeyutl -sign -inkey key.pem -in file.txt -out file.txt.sign
Verify:
$ openssl pkeyutl -verify -inkey key.pem -in file.txt -sigfile file.txt.sign Signature Verified Successfully
prime
判断一个数是否是素数
$ openssl prime 2 2 is prime $ openssl prime 5 5 is prime $ openssl prime 6 6 is not prime
rand
$ openssl rand -base64 32 wYkPQLoVwvtxtBlnMHFG6uxxv4hOfcPkx0LPGVQJUww= $ openssl rand -hex 32 9496b19e77a9bc63d7607cfece2a24f7a62fb7fffff49805d40dc3fc4c73fc1b
rsa
$ openssl rsa -in prikey.pem -text -noout Private-Key: (512 bit) modulus: 00:e0:ef:fb:24:67:8c:f8:b9:0d:76:97:fa:4c:61: 36:1b:da:3d:25:7e:6d:bc:38:74:bb:28:8f:87:48: 92:ae:a4:c7:36:bc:7c:fc:0f:ea:f2:26:30:c7:19: de:1e:8f:0d:04:8e:7d:d5:de:77:de:34:09:1d:9c: 66:8a:5f:99:23 publicExponent: 65537 (0x10001) privateExponent: 00:c3:fa:d3:09:a8:de:fe:65:dd:01:12:f1:15:53: 2d:5d:9f:0b:df:7b:04:09:15:f7:3e:89:dc:63:b6: 2b:76:d4:9f:ef:93:56:2a:33:6e:e9:50:af:35:5f: 41:10:5b:3c:c0:01:42:3d:2d:e9:6e:64:c3:83:78: 0c:f8:3a:98:81 prime1: 00:f9:ca:d3:bc:12:db:fa:cb:f4:b8:99:b7:62:9f: 0b:33:2f:75:ed:25:76:ae:ba:ea:24:0f:08:33:15: ca:ff:93 prime2: 00:e6:87:07:20:01:50:f3:0d:11:fe:6f:90:e6:b4: bd:7b:eb:17:5f:1c:2f:4d:32:ca:8f:07:76:16:b9: 89:5a:31 exponent1: 21:25:00:a3:5b:fd:44:71:fb:ae:e2:f6:aa:67:60: 1d:12:97:1b:38:75:5f:09:fe:37:7a:a7:23:e0:28: 67:71 exponent2: 00:d1:d3:ad:c4:8f:ee:22:8c:8f:08:4c:7c:53:c1: c7:86:f7:60:fa:8d:28:f0:d7:7e:4f:d9:b6:be:d0: 7a:18:c1 coefficient: 00:86:d3:71:a6:08:8b:19:ca:10:36:e6:bb:cb:ca: 8b:3e:24:d1:9e:fd:d8:6c:a2:67:ea:8e:e9:f1:89: 47:2d:a5
$ openssl rsa -in prikey.pem -pubout | openssl rsa -pubin -text writing RSA key Modulus (512 bit): 00:e0:ef:fb:24:67:8c:f8:b9:0d:76:97:fa:4c:61: 36:1b:da:3d:25:7e:6d:bc:38:74:bb:28:8f:87:48: 92:ae:a4:c7:36:bc:7c:fc:0f:ea:f2:26:30:c7:19: de:1e:8f:0d:04:8e:7d:d5:de:77:de:34:09:1d:9c: 66:8a:5f:99:23 Exponent: 65537 (0x10001) writing RSA key -----BEGIN PUBLIC KEY----- MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAODv+yRnjPi5DXaX+kxhNhvaPSV+bbw4 dLsoj4dIkq6kxza8fPwP6vImMMcZ3h6PDQSOfdXed940CR2cZopfmSMCAwEAAQ== -----END PUBLIC KEY-----
Convert Private Key to Public Key
$ openssl rsa -in pri.pem -pubout -out pub.pem writing RSA key
rsautl
$ cat prikey.pem -----BEGIN RSA PRIVATE KEY----- MIIBPAIBAAJBAODv+yRnjPi5DXaX+kxhNhvaPSV+bbw4dLsoj4dIkq6kxza8fPwP 6vImMMcZ3h6PDQSOfdXed940CR2cZopfmSMCAwEAAQJBAMP60wmo3v5l3QES8RVT LV2fC997BAkV9z6J3GO2K3bUn++TViozbulQrzVfQRBbPMABQj0t6W5kw4N4DPg6 mIECIQD5ytO8Etv6y/S4mbdinwszL3XtJXauuuokDwgzFcr/kwIhAOaHByABUPMN Ef5vkOa0vXvrF18cL00yyo8Hdha5iVoxAiAhJQCjW/1Ecfuu4vaqZ2AdEpcbOHVf Cf43eqcj4ChncQIhANHTrcSP7iKMjwhMfFPBx4b3YPqNKPDXfk/Ztr7QehjBAiEA htNxpgiLGcoQNua7y8qLPiTRnv3YbKJn6o7p8YlHLaU= -----END RSA PRIVATE KEY-----
Encrypt & Decrypt test:
$ echo 'Hello Hatter!' | openssl rsautl -encrypt -inkey prikey.pem | base64 YwVY9JlAOlXyZGeRMi0V64U7IGz3jTgg8n2Otqee/k10lBWveNweTSLitw8RJ2E5EW2NiyWZzlbyfjbDk0pAJQ==
$ echo YwVY9JlAOlXyZGeRMi0V64U7IGz3jTgg8n2Otqee/k10lBWveNweTSLitw8RJ2E5EW2NiyWZzlbyfjbDk0pAJQ== | base64 -D | openssl rsautl -decrypt -inkey prikey.pem Hello Hatter!
$ echo YwVY9JlAOlXyZGeRMi0V64U7IGz3jTgg8n2Otqee/k10lBWveNweTSLitw8RJ2E5EW2NiyWZzlbyfjbDk0pAJQ== | base64 -D | openssl rsautl -decrypt -inkey prikey.pem -raw -hexdump 0000 - 00 02 24 e4 2e 62 c7 3d-7f 21 6a 75 e5 de 48 f5 ..$..b.=.!ju..H. 0010 - 46 51 f9 f0 04 ee 78 01-4a e2 eb 2c 13 40 cf af FQ....x.J..,.@.. 0020 - ea c5 3e e3 2c 23 fe 0e-8a ae c2 7c 55 32 e8 8c ..>.,#.....|U2.. 0030 - 0c 00 48 65 6c 6c 6f 20-48 61 74 74 65 72 21 0a ..Hello Hatter!.
Sign & Verify test:
$ echo 'Hello Hatter!' | openssl rsautl -sign -inkey prikey.pem | base64 gsyY3fSxeDBZjNB0vaNBYjdY/Qmgmo9mXnYMgU/YLdY5tRa0PtXAhpKYSAbJhrKZ3jak2Rhj067ldCAGlF/09w==
$ echo gsyY3fSxeDBZjNB0vaNBYjdY/Qmgmo9mXnYMgU/YLdY5tRa0PtXAhpKYSAbJhrKZ3jak2Rhj067ldCAGlF/09w== | base64 -D | openssl rsautl -verify -inkey prikey.pem Hello Hatter!
$ echo gsyY3fSxeDBZjNB0vaNBYjdY/Qmgmo9mXnYMgU/YLdY5tRa0PtXAhpKYSAbJhrKZ3jak2Rhj067ldCAGlF/09w== | base64 -D | openssl rsautl -verify -inkey prikey.pem -raw -hexdump 0000 - 00 01 ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................ 0010 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................ 0020 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................ 0030 - ff 00 48 65 6c 6c 6f 20-48 61 74 74 65 72 21 0a ..Hello Hatter!.
s_client
$ echo | openssl s_client -connect www.baidu.com:443 CONNECTED(00000003) depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5 verify return:1 depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)10, CN = VeriSign Class 3 International Server CA - G3 verify return:1 depth=0 C = CN, ST = Beijing, L = Beijing, O = "Beijing Baidu Netcom Science Technology Co., Ltd.", OU = service operation department, CN = baidu.com verify return:1 --- Certificate chain 0 s:/C=CN/ST=Beijing/L=Beijing/O=Beijing Baidu Netcom Science Technology Co., Ltd./OU=service operation department/CN=baidu.com i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International Server CA - G3 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International Server CA - G3 i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5 i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority --- Server certificate -----BEGIN CERTIFICATE----- MIIGLjCCBRagAwIBAgIQdimqIPqKjnYkohk29K0aqjANBgkqhkiG9w0BAQUFADCB vDELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDE2MDQGA1UEAxMt VmVyaVNpZ24gQ2xhc3MgMyBJbnRlcm5hdGlvbmFsIFNlcnZlciBDQSAtIEczMB4X DTE1MDkxNzAwMDAwMFoXDTE2MDgzMTIzNTk1OVowgagxCzAJBgNVBAYTAkNOMRAw DgYDVQQIEwdCZWlqaW5nMRAwDgYDVQQHFAdCZWlqaW5nMTowOAYDVQQKFDFCZWlq aW5nIEJhaWR1IE5ldGNvbSBTY2llbmNlIFRlY2hub2xvZ3kgQ28uLCBMdGQuMSUw IwYDVQQLFBxzZXJ2aWNlIG9wZXJhdGlvbiBkZXBhcnRtZW50MRIwEAYDVQQDFAli YWlkdS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCocs/rdlG7 AR4WURwOZFsmWfVbgiAWPnd4YsDi9lMeCS1itCcHOl2bmjwEL2kLHmSZpvDm2GyC fgoAcsGMJ57ysmtsBmVQoLMNKvrf+6z0MmGsp1k7LIIYwPvXAA7YCH5THt+wpOvu MCgn68XdgsUgcy5eQFHt5idy6sAkml3C+BuwYSW+Xi+7HBHWoNHwMAfFKEpaTCQj skBodDvtk9eHEibEAQ8KCWh0HF0YqbJr106y7DYLkrjGtp7KTlm9JnnSleFpLehK rCxE0cYzq35v2Spy4Dtky6sb0wXbxnaK7msUKu9ZSCo9C5PdbnIuo+vQO4kNipJV 3QKJxJMuz86vAgMBAAGjggI8MIICODCB5gYDVR0RBIHeMIHbggsqLmJhaWR1LmNv bYILKi5udW9taS5jb22CDCouaGFvMTIzLmNvbYIOKi5iZHN0YXRpYy5jb22CEHd3 dy5iYWlkdS5jb20uY26CDHd3dy5iYWlkdS5jboISc2FwaS5tYXAuYmFpZHUuY29t ghFsb2MubWFwLmJhaWR1LmNvbYIQbG9nLmhtLmJhaWR1LmNvbYIJYmFpZHUuY29t ghFhcGkubWFwLmJhaWR1LmNvbYIVY29uc29sZS5iY2UuYmFpZHUuY29tghNsb2dp bi5iY2UuYmFpZHUuY29tMAkGA1UdEwQCMAAwDgYDVR0PAQH/BAQDAgWgMCgGA1Ud JQQhMB8GCCsGAQUFBwMBBggrBgEFBQcDAgYJYIZIAYb4QgQBMGEGA1UdIARaMFgw VgYGZ4EMAQICMEwwIwYIKwYBBQUHAgEWF2h0dHBzOi8vZC5zeW1jYi5jb20vY3Bz MCUGCCsGAQUFBwICMBkaF2h0dHBzOi8vZC5zeW1jYi5jb20vcnBhMB8GA1UdIwQY MBaAFNebfNgioBX33a1fzimbWMO8RgC1MCsGA1UdHwQkMCIwIKAeoByGGmh0dHA6 Ly9zZS5zeW1jYi5jb20vc2UuY3JsMFcGCCsGAQUFBwEBBEswSTAfBggrBgEFBQcw AYYTaHR0cDovL3NlLnN5bWNkLmNvbTAmBggrBgEFBQcwAoYaaHR0cDovL3NlLnN5 bWNiLmNvbS9zZS5jcnQwDQYJKoZIhvcNAQEFBQADggEBACz3im2KDp7SHu8wp//l b9EOC8dY0zqxRsRTZ0y8RPnKqqbzzQDkXxWWvCrMuevMzqDH1gcEBpQQq2q30dJ7 pzGjdoC801F8OqBtBCxMDI6DwRdCMC/BBxYixBXuK9qfMAvXR11QNnWnYs/aEwUt OYizq06zmORoOw5DL7FLMprDI4VOvA98Ns6OqLOZTmZfoqIRkD9vu/pgmkUNAUNn wLDAHEiDzTX2sBH4vCBPjbV1nzYnEpCvr8Fgt+gb2HOVO/mem1tkXubf6S1WtOaP uav+qkNsfL7jalqLGuBqSxdyLRbYS/GDzaLdMuFEKELF3ROkUai//jDakzbFHnbg xs0= -----END CERTIFICATE----- subject=/C=CN/ST=Beijing/L=Beijing/O=Beijing Baidu Netcom Science Technology Co., Ltd./OU=service operation department/CN=baidu.com issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International Server CA - G3 --- No client certificate CA names sent Peer signing digest: SHA512 Server Temp Key: ECDH, P-256, 256 bits --- SSL handshake has read 5068 bytes and written 444 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES128-GCM-SHA256 Session-ID: 966740C4619FC6CFF6DEA69B7F50B922020B6F55CFAD6C84C7B45232FDAB94F0 Session-ID-ctx: Master-Key: 949DAA220164D52B855FA8960CE29440C24F5BA071DD1D784FA4FE22910FA87A0A3A8ABC767AEF10204BF5CD9366855B Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 72000 (seconds) TLS session ticket: 0000 - eb de 4a 8d ee 49 80 29-19 e9 e0 aa 9c 7f a2 50 ..J..I.).......P 0010 - 56 7e c4 02 85 cc 24 05-d5 85 0e 67 50 64 8f 3d V~....$....gPd.= 0020 - fc 03 17 4d 66 ac 99 fa-2a 74 25 2a 54 91 41 d4 ...Mf...*t%*T.A. 0030 - 9e 49 6e 8d 2e 75 b8 a8-c3 3e 35 ac 05 d8 da f2 .In..u...>5..... 0040 - af be 75 5c ae 5a 3e c3-99 6c 28 56 25 b2 19 45 ..u\.Z>..l(V%..E 0050 - 79 73 1b 70 d4 50 83 bb-98 90 fd 97 02 20 08 9c ys.p.P....... .. 0060 - d0 a2 2e 05 e0 0c 58 2f-bf f7 74 ec 8a 3c 3f 53 ......X/..t..<?S 0070 - 24 42 25 ce ac e5 01 c9-2c 1b a9 57 2d ff ea 0b $B%.....,..W-... 0080 - 8f 33 2e e6 72 99 e3 67-c3 6c ea 87 6a 9e 71 8f .3..r..g.l..j.q. 0090 - a2 32 3d 53 64 0e 6d d7-bc 61 7e 3d e6 c7 e0 32 .2=Sd.m..a~=...2 Start Time: 1466093576 Timeout : 300 (sec) Verify return code: 0 (ok) --- DONE
-OR-
echo | openssl s_client -prexit -showcerts -state -status -tlsextdebug -verify 10 -connect <host>:443
sess_id
$ cat sess_id.pem -----BEGIN SSL SESSION PARAMETERS----- MHUCAQECAgMBBAIAOQQga2PAeeIXKd7MSzRuykUQjaCbT7BMlieSMmve9MMIj1wE MOUilBEWWakJzBkDJRdPoRPWpd2EfyosMZsHl/jRxfg2UKi8om3FFSVdFsliwi+L 9KEGAgRMvs+kogQCAgEspAYEBAEAAAA= -----END SSL SESSION PARAMETERS-----
$ openssl sess_id -in sess_id.pem -noout -text SSL-Session: Protocol : TLSv1 Cipher : 0039 Session-ID: 6B63C079E21729DECC4B346ECA45108DA09B4FB04C962792326BDEF4C3088F5C Session-ID-ctx: 01000000 Master-Key: E52294111659A909CC190325174FA113D6A5DD847F2A2C319B0797F8D1C5F83650A8BCA26DC515255D16C962C22F8BF4 Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1287573412 Timeout : 300 (sec) Verify return code: 0 (ok)
smime
Sign:
openssl smime -sign -text -signer cert.pem -inkey key.pem -in example.txt -out example.msg
Verify:???
openssl smime -verify -noverify -signer cert.pem -in example.msg
speed
$ openssl speed -evp aes-128-cbc Doing aes-128-cbc for 3s on 16 size blocks: 109630953 aes-128-cbc's in 2.99s Doing aes-128-cbc for 3s on 64 size blocks: 29109948 aes-128-cbc's in 2.99s Doing aes-128-cbc for 3s on 256 size blocks: 7337476 aes-128-cbc's in 3.00s Doing aes-128-cbc for 3s on 1024 size blocks: 1884666 aes-128-cbc's in 2.99s Doing aes-128-cbc for 3s on 8192 size blocks: 230338 aes-128-cbc's in 3.00s OpenSSL 1.0.2f 28 Jan 2016 built on: reproducible build, date unspecified options:bn(64,64) rc4(ptr,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx) compiler: clang -I. -I.. -I../include -fPIC -fno-common -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -arch x86_64 -O3 -DL_ENDIAN -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM The 'numbers' are in 1000s of bytes per second processed. type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes aes-128-cbc 586653.93k 623089.19k 626131.29k 645450.83k 628976.30k
verify
openssl verify -CAfile ca.pem cert.pem
x509
$ openssl x509 -in cert.pem -noout –text ...
Calculate certificate fingerprint:
$ openssl x509 -in cert.pem -noout -fingerprint [-md5 | -sha1 | sha256] SHA1 Fingerprint=84:CD:16:7B:19:8A:56:8E:99:94:24:B5:46:98:53:48:9A:E9:E8:1E
openssl x509 -subject -issuer -nameopt multiline,show_type -noout -subject_hash -issuer_hash -in cert.pem
Alternatives
- https://boringssl.googlesource.com/boringssl/ - BoringSSL
- https://www.libressl.org/ - LibreSSL
- http://gmssl.org/ [GitHub]
- GmSSL
- https://github.com/jntass/TASSL
- TASSL
- https://github.com/Tongsuo-Project/Tongsuo
铜锁/Tongsuo(原BabaSSL)
Reference
- h
t t p s : / / w w w . o p e n s s l . o r g / d o c s / m a n m a s t e r / a p p s / a s n 1 p a r s e . h t m l - h
t t p s : / / w w w . o p e n s s l . o r g / d o c s / m a n m a s t e r / c r y p t o / A S N 1 _ g e n e r a t e _ n c o n f . h t m l - h
t t p : / / w i k i . c a c e r t . o r g / S S L S c a n n e r - h
t t p : / / s e c u r i t y . n k n u . e d u . t w / t e x t b o o k / c h a p 5 . p d f - h
t t p s : / / w w w . c n b l o g s . c o m / 2 7 4 9 1 4 7 6 5 q q / p / 4 6 9 3 6 7 6 . h t m l - h
t t p : / / b l o g . c s d n . n e t / a s 3 l u y u a n 1 2 3 / a r t i c l e / d e t a i l s / 1 6 8 7 3 0 9 3 - h
t t p : / / b l o g . c s d n . n e t / a s 3 l u y u a n 1 2 3 / a r t i c l e / d e t a i l s / 1 6 8 7 2 1 0 1 - h
t t p : / / b l o g . c s d n . n e t / a s 3 l u y u a n 1 2 3 / a r t i c l e / d e t a i l s / 1 6 8 5 1 1 2 5 - h
t t p s : / / g i s t . g i t h u b . c o m / g w p l / 2 c 7 6 3 6 f 0 b 2 0 0 c b f b e 8 2 c c 9 d 4 f 6 3 3 8 5 8 5 - h
t t p s : / / w w w . b a e l d u n g . c o m / l i n u x / s h a d o w - p a s s w o r d s