Introduction to OpenSSL installation and command line tools

Introduction to OpenSSL

  • OpenSSL is a powerful open-source library that provides a rich set of cryptographic algorithms and the SSL/TLS protocols. It mainly covers cryptographic algorithms, commonly used key and certificate management functions, and the SSL protocol, and it provides a multi-purpose command line tool. It is written in C, is highly portable, and supports platforms such as Linux, Windows, BSD, Mac, and VMS.
  • OpenSSL consists of 3 parts
    • The Crypto library (cryptographic algorithm library): mainly provides symmetric encryption and decryption, asymmetric encryption and decryption, certificate management, data signature, message digest and other interfaces for users to call.
    • The SSL library (SSL/TLS protocol library): mainly provides the SSL/TLS interface used for HTTPS communication.
    • The command line tool: lets you perform operations such as encryption and decryption from the terminal.
  • OpenSSL is widely used in cryptography and network security related fields.
  • This article mainly introduces the installation steps for each version of OpenSSL, and how to use the command line tools for encryption, decryption and certificate generation.

Linux platform installation

  • command line installation
    • sudo apt-get install openssl
    • sudo apt-get install libssl-dev
  • command line uninstall
    • sudo apt-get remove openssl
  • Installation package installation
    • The latest version
    • historic version
    • installation steps
      • After downloading and decompressing the installation package, execute the following command:
      • ./config
      • sudo make
      • sudo make install
  • view version
    • openssl version

Windows platform installation

  • The latest version
  • I only found versions 3.1 and 1.1 on the Windows platform, but not version 1.0
  • When installing, download the installation package directly and double-click to install it.

Symmetric encryption and decryption

  • enc is the symmetric encryption and decryption command line tool provided by OpenSSL. After installing OpenSSL, run the command openssl enc -list to see all the symmetric encryption algorithms supported by enc.

  •   Supported ciphers:
      -aes-128-cbc               -aes-128-cfb               -aes-128-cfb1             
      -aes-128-cfb8              -aes-128-ctr               -aes-128-ecb              
      -aes-128-ofb               -aes-192-cbc               -aes-192-cfb              
      -aes-192-cfb1              -aes-192-cfb8              -aes-192-ctr              
      -aes-192-ecb               -aes-192-ofb               -aes-256-cbc              
      -aes-256-cfb               -aes-256-cfb1              -aes-256-cfb8             
      -aes-256-ctr               -aes-256-ecb               -aes-256-ofb              
      -aes128                    -aes128-wrap               -aes192                   
      -aes192-wrap               -aes256                    -aes256-wrap              
      -aria-128-cbc              -aria-128-cfb              -aria-128-cfb1            
      -aria-128-cfb8             -aria-128-ctr              -aria-128-ecb             
      -aria-128-ofb              -aria-192-cbc              -aria-192-cfb             
      -aria-192-cfb1             -aria-192-cfb8             -aria-192-ctr             
      -aria-192-ecb              -aria-192-ofb              -aria-256-cbc             
      -aria-256-cfb              -aria-256-cfb1             -aria-256-cfb8            
      -aria-256-ctr              -aria-256-ecb              -aria-256-ofb             
      -aria128                   -aria192                   -aria256                  
      -bf                        -bf-cbc                    -bf-cfb                   
      -bf-ecb                    -bf-ofb                    -blowfish                 
      -camellia-128-cbc          -camellia-128-cfb          -camellia-128-cfb1        
      -camellia-128-cfb8         -camellia-128-ctr          -camellia-128-ecb         
      -camellia-128-ofb          -camellia-192-cbc          -camellia-192-cfb         
      -camellia-192-cfb1         -camellia-192-cfb8         -camellia-192-ctr         
      -camellia-192-ecb          -camellia-192-ofb          -camellia-256-cbc         
      -camellia-256-cfb          -camellia-256-cfb1         -camellia-256-cfb8        
      -camellia-256-ctr          -camellia-256-ecb          -camellia-256-ofb         
      -camellia128               -camellia192               -camellia256              
      -cast                      -cast-cbc                  -cast5-cbc                
      -cast5-cfb                 -cast5-ecb                 -cast5-ofb                
      -chacha20                  -des                       -des-cbc                  
      -des-cfb                   -des-cfb1                  -des-cfb8                 
      -des-ecb                   -des-ede                   -des-ede-cbc              
      -des-ede-cfb               -des-ede-ecb               -des-ede-ofb              
      -des-ede3                  -des-ede3-cbc              -des-ede3-cfb             
      -des-ede3-cfb1             -des-ede3-cfb8             -des-ede3-ecb             
      -des-ede3-ofb              -des-ofb                   -des3                     
      -des3-wrap                 -desx                      -desx-cbc                 
      -id-aes128-wrap            -id-aes128-wrap-pad        -id-aes192-wrap           
      -id-aes192-wrap-pad        -id-aes256-wrap            -id-aes256-wrap-pad       
      -id-smime-alg-CMS3DESwrap  -rc2                       -rc2-128                  
      -rc2-40                    -rc2-40-cbc                -rc2-64                   
      -rc2-64-cbc                -rc2-cbc                   -rc2-cfb                  
      -rc2-ecb                   -rc2-ofb                   -rc4                      
      -rc4-40                    -seed                      -seed-cbc                 
      -seed-cfb                  -seed-ecb                  -seed-ofb                 
      -sm4                       -sm4-cbc                   -sm4-cfb                  
      -sm4-ctr                   -sm4-ecb                   -sm4-ofb
    
  • enc full command

    • openssl enc -ciphername [-in filename] [-out filename] [-pass arg] [-e ] [-d ] [-a ] [-A] [-k password ] [-kfile filename] [-K key] [-iv IV] [-p] [-P] [-bufsize number] [-nopad] [-debug]
    • -ciphername: Symmetric algorithm name (that is, those displayed after executing the openssl enc -list command above)
    • -in filename: input file, the default is standard input.
    • -out filename: output file, the default is standard output.
    • -pass arg: If the input file is password protected, specify the source of the password.
    • -e: Encryption operation, the default operation.
    • -d: Perform decryption operation.
    • -a: enc itself only transforms the data, and sometimes a base64 conversion is also needed. With this option, the encrypted result is base64-encoded, and the input is base64-decoded before decryption.
    • -A: By default, the base64-encoded result is written to the file as multiple lines. Set this option if the result should occupy a single line in the file; the same setting must be used when decrypting, otherwise an error will occur when reading the data.
    • -k password: Specifies the encryption password. If this item is not set, the program will prompt the user to enter the password.
    • -kfile filename: Specify the file where the password is stored.
    • -K key: key, in hexadecimal.
    • -iv IV: initialization vector, in hexadecimal.
    • -p: Print out the salt, password and initialization vector IV used.
    • -P: Print the salt, password and IV used, without encryption and decryption.
    • -bufsize number: Set the buffer size for I/O operations, because a file may be very large, and the data read each time is limited.
    • -debug: Print debug information.
  • AES encryption and decryption

    • encryption
    • openssl enc -aes-128-cbc -in in.txt -out out.txt -a -K 001122334455BBCCDDEEFF0011223344 -iv 0123456789ABCDEF0123456789ABCDEF
    • decrypt
    • openssl enc -aes-128-cbc -in out.txt -out inin.txt -d -a -K 001122334455BBCCDDEEFF0011223344 -iv 0123456789ABCDEF0123456789ABCDEF
    • The key length chosen here is 128 bits. As the list above shows, the key length can be 128, 192, or 256 bits. The encryption mode chosen is cbc; the available modes are ecb, cbc, cfb, ofb, and ctr.
    • To get readable ciphertext, specify the -a parameter so that the output is base64-encoded; otherwise the ciphertext is a binary file. The -a parameter must then also be given when decrypting, so that the input is base64-decoded before it is decrypted. Encryption is the default operation, so no parameter is needed when encrypting, but -d must be specified when decrypting. ECB mode has no initialization vector, so the -iv parameter is not needed in ECB mode.
  • DES encryption and decryption

    • encryption
    • openssl enc -des-ecb -K 0123456789AAAAAA -in in.txt -out out.txt -a
    • decrypt
    • openssl enc -des-ecb -d -K 0123456789AAAAAA -in out.txt -out inin.txt -a
    • The DES key length is fixed at 64 bits, so we only need to choose the encryption mode.
  • Other symmetric encryption and decryption algorithms will not be demonstrated here, and the usage is basically the same.
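
The difference between the modes listed above, as an added example that is not part of the original article: the script encrypts four identical 16-byte blocks with the article's key and IV and counts repeated ciphertext blocks, which appear under ECB (the mode used in the DES commands) but not under CBC or CTR. The sample plaintext and the file names are constructed here.

```shell
#!/bin/sh
# Added example, not from the original article: AES-128 in ECB, CBC and CTR mode
# over a plaintext of identical blocks, using the article's demonstration key and IV.
set -eu

KEY=001122334455BBCCDDEEFF0011223344   # demo value from the article, not a real secret
IV=0123456789ABCDEF0123456789ABCDEF    # demo value from the article

# make_plaintext FILE: four identical 16-byte blocks (constructed sample input)
make_plaintext() {
    : > "$1"
    for i in 1 2 3 4; do printf '0123456789abcdef' >> "$1"; done
}

# run_enc MODE CIPHER IN OUT: MODE is -e or -d; ECB takes no IV, the other modes do
run_enc() {
    case "$2" in
        *-ecb) openssl enc "-$2" "$1" -K "$KEY" -in "$3" -out "$4" ;;
        *)     openssl enc "-$2" "$1" -K "$KEY" -iv "$IV" -in "$3" -out "$4" ;;
    esac
}

# repeated_blocks FILE: how many 16-byte blocks duplicate another block in FILE
# (od prints 16 bytes per line; -v stops it from collapsing repeated lines)
repeated_blocks() {
    total=$(od -An -v -tx1 "$1" | wc -l)
    unique=$(od -An -v -tx1 "$1" | sort -u | wc -l)
    echo $((total - unique))
}

# roundtrip_ok CIPHER DIR: encrypt DIR/in.txt, decrypt it again, compare with the original
roundtrip_ok() {
    run_enc -e "$1" "$2/in.txt" "$2/$1.bin"
    run_enc -d "$1" "$2/$1.bin" "$2/$1.dec"
    cmp -s "$2/in.txt" "$2/$1.dec"
}

work=$(mktemp -d)
make_plaintext "$work/in.txt"
for c in aes-128-ecb aes-128-cbc aes-128-ctr; do
    roundtrip_ok "$c" "$work" &&
        echo "$c: $(repeated_blocks "$work/$c.bin") repeated ciphertext blocks"
done
rm -rf "$work"
```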

Asymmetric encryption and decryption

  • RSA

    • Generate a 2048-bit private key

    openssl genrsa -out private.key 2048

    • Export the public key from the private key file

    openssl rsa -in private.key -pubout -out public.key

    • Encrypt with the RSA public key; in.txt is the source file and out.txt is the encrypted file

    openssl rsautl -encrypt -pubin -inkey public.key -in in.txt -out out.txt

    • Decrypt with the RSA private key; inin.txt is the decrypted file

    openssl rsautl -decrypt -inkey private.key -in out.txt -out inin.txt

  • ECC

    • View supported elliptic curves
    • openssl ecparam -list_curves
    • You can see all supported elliptic curves; the name of the curve comes first on each line
    •     secp112r1 : SECG/WTLS curve over a 112 bit prime field
          secp112r2 : SECG curve over a 112 bit prime field
          secp128r1 : SECG curve over a 128 bit prime field
          secp128r2 : SECG curve over a 128 bit prime field
          secp160k1 : SECG curve over a 160 bit prime field
          secp160r1 : SECG curve over a 160 bit prime field
          secp160r2 : SECG/WTLS curve over a 160 bit prime field
          secp192k1 : SECG curve over a 192 bit prime field
          secp224k1 : SECG curve over a 224 bit prime field
          secp224r1 : NIST/SECG curve over a 224 bit prime field
          secp256k1 : SECG curve over a 256 bit prime field
          secp384r1 : NIST/SECG curve over a 384 bit prime field
          secp521r1 : NIST/SECG curve over a 521 bit prime field
          prime192v1: NIST/X9.62/SECG curve over a 192 bit prime field
          prime192v2: X9.62 curve over a 192 bit prime field
          prime192v3: X9.62 curve over a 192 bit prime field
          prime239v1: X9.62 curve over a 239 bit prime field
          prime239v2: X9.62 curve over a 239 bit prime field
          prime239v3: X9.62 curve over a 239 bit prime field
          prime256v1: X9.62/SECG curve over a 256 bit prime field
          sect113r1 : SECG curve over a 113 bit binary field
          sect113r2 : SECG curve over a 113 bit binary field
          sect131r1 : SECG/WTLS curve over a 131 bit binary field
          sect131r2 : SECG curve over a 131 bit binary field
          sect163k1 : NIST/SECG/WTLS curve over a 163 bit binary field
          sect163r1 : SECG curve over a 163 bit binary field
          sect163r2 : NIST/SECG curve over a 163 bit binary field
          sect193r1 : SECG curve over a 193 bit binary field
          sect193r2 : SECG curve over a 193 bit binary field
          sect233k1 : NIST/SECG/WTLS curve over a 233 bit binary field
          sect233r1 : NIST/SECG/WTLS curve over a 233 bit binary field
          sect239k1 : SECG curve over a 239 bit binary field
          sect283k1 : NIST/SECG curve over a 283 bit binary field
          sect283r1 : NIST/SECG curve over a 283 bit binary field
          sect409k1 : NIST/SECG curve over a 409 bit binary field
          sect409r1 : NIST/SECG curve over a 409 bit binary field
          sect571k1 : NIST/SECG curve over a 571 bit binary field
          sect571r1 : NIST/SECG curve over a 571 bit binary field
          c2pnb163v1: X9.62 curve over a 163 bit binary field
          c2pnb163v2: X9.62 curve over a 163 bit binary field
          c2pnb163v3: X9.62 curve over a 163 bit binary field
          c2pnb176v1: X9.62 curve over a 176 bit binary field
          c2tnb191v1: X9.62 curve over a 191 bit binary field
          c2tnb191v2: X9.62 curve over a 191 bit binary field
          c2tnb191v3: X9.62 curve over a 191 bit binary field
          c2pnb208w1: X9.62 curve over a 208 bit binary field
          c2tnb239v1: X9.62 curve over a 239 bit binary field
          c2tnb239v2: X9.62 curve over a 239 bit binary field
          c2tnb239v3: X9.62 curve over a 239 bit binary field
          c2pnb272w1: X9.62 curve over a 272 bit binary field
          c2pnb304w1: X9.62 curve over a 304 bit binary field
          c2tnb359v1: X9.62 curve over a 359 bit binary field
          c2pnb368w1: X9.62 curve over a 368 bit binary field
          c2tnb431r1: X9.62 curve over a 431 bit binary field
          wap-wsg-idm-ecid-wtls1: WTLS curve over a 113 bit binary field
          wap-wsg-idm-ecid-wtls3: NIST/SECG/WTLS curve over a 163 bit binary field
          wap-wsg-idm-ecid-wtls4: SECG curve over a 113 bit binary field
          wap-wsg-idm-ecid-wtls5: X9.62 curve over a 163 bit binary field
          wap-wsg-idm-ecid-wtls6: SECG/WTLS curve over a 112 bit prime field
          wap-wsg-idm-ecid-wtls7: SECG/WTLS curve over a 160 bit prime field
          wap-wsg-idm-ecid-wtls8: WTLS curve over a 112 bit prime field
          wap-wsg-idm-ecid-wtls9: WTLS curve over a 160 bit prime field
          wap-wsg-idm-ecid-wtls10: NIST/SECG/WTLS curve over a 233 bit binary field
          wap-wsg-idm-ecid-wtls11: NIST/SECG/WTLS curve over a 233 bit binary field
          wap-wsg-idm-ecid-wtls12: WTLS curve over a 224 bit prime field
          Oakley-EC2N-3: 
        	IPSec/IKE/Oakley curve #3 over a 155 bit binary field.
        	Not suitable for ECDSA.
        	Questionable extension field!
          Oakley-EC2N-4: 
        	IPSec/IKE/Oakley curve #4 over a 185 bit binary field.
        	Not suitable for ECDSA.
        	Questionable extension field!
          brainpoolP160r1: RFC 5639 curve over a 160 bit prime field
          brainpoolP160t1: RFC 5639 curve over a 160 bit prime field
          brainpoolP192r1: RFC 5639 curve over a 192 bit prime field
          brainpoolP192t1: RFC 5639 curve over a 192 bit prime field
          brainpoolP224r1: RFC 5639 curve over a 224 bit prime field
          brainpoolP224t1: RFC 5639 curve over a 224 bit prime field
          brainpoolP256r1: RFC 5639 curve over a 256 bit prime field
          brainpoolP256t1: RFC 5639 curve over a 256 bit prime field
          brainpoolP320r1: RFC 5639 curve over a 320 bit prime field
          brainpoolP320t1: RFC 5639 curve over a 320 bit prime field
          brainpoolP384r1: RFC 5639 curve over a 384 bit prime field
          brainpoolP384t1: RFC 5639 curve over a 384 bit prime field
          brainpoolP512r1: RFC 5639 curve over a 512 bit prime field
          brainpoolP512t1: RFC 5639 curve over a 512 bit prime field
          SM2       : SM2 curve over a 256 bit prime field
      
  • generate parameter file

    • openssl ecparam -name secp256k1 -out secp256k1.pem
  • Show parameter file parameters

    • openssl ecparam -in secp256k1.pem -text -param_enc explicit -noout
  • Generate a private key using a parameter file

    • openssl ecparam -in secp256k1.pem -genkey -out secp256k1-key.key
  • Deriving the public key from the private key

    • openssl ec -in secp256k1-key.key -pubout -out public.key
  • Remarks: I only found out how to generate ECC public and private keys using the command line tool, but did not find the function of encryption and decryption. Two commonly used elliptic curves are SM2 and secp256k1. SM2 is widely used in Chinese domestic commercial encryption products, and secp256k1 is mainly used in the blockchain and Bitcoin fields.
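
The RSA and ECC steps above as one script, added here and not part of the original article: it uses openssl pkeyutl with OAEP padding (rsautl is deprecated since OpenSSL 3.0), shows that RSA rejects input longer than the key allows, and uses the secp256k1 key for an ECDSA signature, the usual command-line use of an EC key. The file name ec-public.key and the sample data are chosen here so that the EC public key does not overwrite the RSA public.key.

```shell
#!/bin/sh
# Added example, not from the original article: RSA-OAEP encryption with pkeyutl
# and an ECDSA signature made with the secp256k1 key.
set -eu

# gen_keys DIR: the RSA and EC key pairs the article generates
gen_keys() {
    openssl genrsa -out "$1/private.key" 2048 2>/dev/null
    openssl rsa -in "$1/private.key" -pubout -out "$1/public.key" 2>/dev/null
    openssl ecparam -name secp256k1 -genkey -noout -out "$1/secp256k1-key.key"
    openssl ec -in "$1/secp256k1-key.key" -pubout -out "$1/ec-public.key" 2>/dev/null
}

# rsa_encrypt DIR IN OUT: fails when IN is longer than the padding scheme allows
rsa_encrypt() {
    openssl pkeyutl -encrypt -pubin -inkey "$1/public.key" \
        -pkeyopt rsa_padding_mode:oaep -in "$2" -out "$3" 2>/dev/null
}

# rsa_decrypt DIR IN OUT: private-key decryption with the same padding mode
rsa_decrypt() {
    openssl pkeyutl -decrypt -inkey "$1/private.key" \
        -pkeyopt rsa_padding_mode:oaep -in "$2" -out "$3" 2>/dev/null
}

# ec_sign DIR FILE SIG: ECDSA signature over the SHA-256 digest of FILE
ec_sign() {
    openssl dgst -sha256 -sign "$1/secp256k1-key.key" -out "$3" "$2"
}

# ec_verify DIR FILE SIG: exit status 0 only if SIG matches FILE
ec_verify() {
    openssl dgst -sha256 -verify "$1/ec-public.key" -signature "$3" "$2" >/dev/null 2>&1
}

work=$(mktemp -d)
gen_keys "$work"
printf 'a short secret\n' > "$work/in.txt"          # constructed sample input
rsa_encrypt "$work" "$work/in.txt" "$work/out.txt"
rsa_decrypt "$work" "$work/out.txt" "$work/inin.txt"
cmp -s "$work/in.txt" "$work/inin.txt" && echo "RSA-OAEP round trip OK"

# 300 bytes do not fit into one RSA operation with a 2048-bit (256-byte) key
dd if=/dev/zero of="$work/big.bin" bs=300 count=1 2>/dev/null
rsa_encrypt "$work" "$work/big.bin" "$work/big.enc" || echo "300-byte input rejected"

ec_sign "$work" "$work/in.txt" "$work/in.sig"
ec_verify "$work" "$work/in.txt" "$work/in.sig" && echo "ECDSA signature verifies"
printf 'x' >> "$work/in.txt"                        # modify the signed file
ec_verify "$work" "$work/in.txt" "$work/in.sig" || echo "modified file fails verification"
rm -rf "$work"
```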

Certificate

  • Generate virtual CA certificate
    • Generate RSA private key
    • openssl genrsa -out ca.key 1024
    • Note: 1024 is the number of key bits
    • After the command is executed, a ca.key file will be generated in the current directory, which records the RSA private key. You can view the content directly
    • Generate CA certificate
    • openssl req -new -x509 -key ca.key -out ca.crt -days 365
    • Description: -days specifies the validity period of the certificate
    • After entering the command, you need to fill in the following information
    •   You are about to be asked to enter information that will be incorporated
        into your certificate request.
        What you are about to enter is what is called a Distinguished Name or a DN.
        There are quite a few fields but you can leave some blank
        For some fields there will be a default value,
        If you enter '.', the field will be left blank.
        -----
        Country Name (2 letter code) [AU]:CH                               # country name
        State or Province Name (full name) [Some-State]:ShanXi             # province name
        Locality Name (eg, city) []:XiAn                                   # city name
        Organization Name (eg, company) [Internet Widgits Pty Ltd]:csdn    # company name
        Organizational Unit Name (eg, section) []:csdn                     # department
        Common Name (e.g. server FQDN or YOUR name) []:CA                  
        Email Address []:
      
    • After entering the above information, a ca.crt certificate file will be generated, and you can use the following command to view the content of the certificate
    • openssl x509 -noout -text -in ca.crt
    •   Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                17:55:d5:5e:1c:bb:92:cc:09:08:64:c7:1b:b0:e5:27:f6:76:e6:31
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: C = CH, ST = ShanXi, L = XiAn, O = csdn, OU = csdn, CN = CA
            Validity
                Not Before: Jan  1 10:30:58 2022 GMT
                Not After : Jan  1 10:30:58 2023 GMT
            Subject: C = CH, ST = ShanXi, L = XiAn, O = csdn, OU = csdn, CN = CA
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    RSA Public-Key: (1024 bit)
                    Modulus:
                        00:c3:bb:a9:64:25:c6:ab:73:59:66:05:e6:e9:3e:
                        69:6e:45:37:fa:6b:08:c3:89:ba:94:ff:34:c3:06:
                        64:02:06:1c:27:42:2d:cf:2d:26:75:d9:81:40:f2:
                        fa:3b:0c:e2:a1:00:1c:ed:65:73:71:11:5d:3c:58:
                        58:2a:3c:1e:37:1a:12:68:85:80:de:0f:26:c0:c1:
                        7b:a4:29:2c:66:25:a6:f9:7a:4b:eb:ac:da:f8:b3:
                        31:31:58:23:5b:d8:87:75:64:e9:a4:6e:36:a4:1f:
                        06:52:b7:07:79:e2:16:8e:6b:7f:79:c5:5b:65:e7:
                        10:99:52:7e:2d:d0:af:36:bb
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Subject Key Identifier: 
                    FB:C8:7A:FA:ED:91:C1:60:0A:54:A4:22:F4:6D:BC:9C:47:DE:76:AF
                X509v3 Authority Key Identifier: 
                    keyid:FB:C8:7A:FA:ED:91:C1:60:0A:54:A4:22:F4:6D:BC:9C:47:DE:76:AF
      
                X509v3 Basic Constraints: critical
                    CA:TRUE
        Signature Algorithm: sha256WithRSAEncryption
             0c:4c:be:50:27:dc:fe:b8:dc:cf:f6:9f:85:26:ec:25:34:d6:
             3f:54:32:a7:16:78:11:ff:28:4a:c9:43:db:22:c0:ff:8f:fb:
             54:1f:ab:8c:3d:a4:21:bc:a7:ea:88:32:c9:31:16:49:96:86:
             7a:b2:c3:cf:50:25:ee:bd:dd:61:00:97:88:86:10:4a:93:e0:
             16:eb:ce:89:77:c3:f0:fc:4e:73:9f:7f:82:fa:76:52:1f:4d:
             a7:a7:5c:fe:f6:b5:5a:a5:4b:2d:19:e1:80:b8:63:02:b2:2f:
             83:5b:1b:8d:6a:9e:93:3e:70:9b:bc:4d:bd:24:ae:ed:f6:52:
             2b:65
      
    • You can change the suffix of the certificate file to .cer or .der, copy it to a Windows system, and double-click it to view the content of the certificate.
  • Use a CA certificate to issue a common certificate
    • Generate RSA private key
    • openssl genrsa -out server.key 1024
    • Generate a certificate request file
    • openssl req -new -key server.key -out server.csr
    • Use a CA certificate to issue a common certificate
    • openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt -days 365
    • At this point, we have successfully constructed a digital certificate server.crt issued by a simulated CA institution
    • Use the following command to view the certificate content
    • openssl x509 -noout -text -in server.crt
    •   Certificate:
        Data:
            Version: 1 (0x0)
            Serial Number: 1 (0x1)
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: C = CH, ST = ShanXi, L = XiAn, O = csdn, OU = csdn, CN = CA
            Validity
                Not Before: Jan  1 11:40:40 2022 GMT
                Not After : Jan  1 11:40:40 2023 GMT
            Subject: C = CH, ST = ShanXi, L = Xian, O = dacaoyuan, OU = dacaoyuan, CN = xll
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    RSA Public-Key: (1024 bit)
                    Modulus:
                        00:c2:82:90:cd:dc:77:3a:10:d0:50:f0:f5:71:f3:
                        bc:30:df:02:42:4d:21:cb:34:f1:7e:ca:c8:de:ed:
                        3e:49:36:3f:98:48:05:7f:3a:73:22:89:91:53:76:
                        c1:3b:5f:48:a6:03:7c:15:04:01:16:ab:26:7e:3f:
                        17:a4:74:90:12:d2:3f:e0:84:d4:0b:d2:f0:3c:8e:
                        a9:4c:e3:f4:74:1d:c0:71:3e:8b:85:4b:66:8f:bb:
                        1c:61:2e:40:2d:e8:05:ec:1f:ea:8d:d7:66:3a:2d:
                        83:5d:5a:69:1a:e7:69:9f:01:2a:a6:98:e3:53:eb:
                        ef:19:33:df:33:9e:67:a6:df
                    Exponent: 65537 (0x10001)
        Signature Algorithm: sha256WithRSAEncryption
             71:c0:e7:13:63:2a:b7:44:15:d8:a2:7c:15:82:21:70:74:ae:
             1f:93:24:d5:a1:6c:eb:ac:32:ed:ea:aa:d2:64:f4:5b:59:7f:
             85:1f:1e:9f:a3:d9:b7:9d:80:80:44:5b:4b:fa:f3:b4:ae:ff:
             11:c0:23:20:e2:60:58:c3:ba:d8:36:b7:6a:7d:97:f1:2b:50:
             45:4d:c9:20:1b:01:34:88:5e:be:5c:ce:54:66:1f:72:e7:a9:
             1b:96:41:48:14:f7:e1:2b:89:93:45:e3:a5:7a:5d:f1:43:d7:
             8b:d5:90:07:d6:20:3b:bb:47:ff:92:20:36:8d:5e:16:89:17:
             e8:12
      
    • Comparing the CA certificate with the ordinary certificate, you can see that the issuer and the subject of the CA certificate are both the CA (it is self-signed), while the issuer of the ordinary certificate is the CA and its subject is yourself.
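
The same CA workflow as a non-interactive script, added here and not part of the original article: the server.crt shown above is a Version 1 certificate without extensions and uses 1024-bit keys, so this variant uses 2048-bit keys, issues a version 3 certificate with basicConstraints and subjectAltName, and checks the result with openssl verify. The names demo-ca, server.example.test and pki.cnf are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not from the original article: CA and server certificate issuance
# with X.509v3 extensions, followed by chain and host name verification.
set -eu

# write_config DIR: minimal config so the result does not depend on the system openssl.cnf
write_config() {
    cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:server.example.test
EOF
}

# make_ca DIR NAME: 2048-bit key NAME.key and self-signed CA certificate NAME.crt
make_ca() {
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
    openssl req -new -x509 -config "$1/pki.cnf" -extensions v3_ca -sha256 \
        -key "$1/$2.key" -out "$1/$2.crt" -days 365 -subj "/O=csdn/CN=$2"
}

# issue_server DIR CA: server key, CSR, and a certificate signed by CA with v3_server
issue_server() {
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null
    openssl req -new -config "$1/pki.cnf" -key "$1/server.key" \
        -out "$1/server.csr" -subj "/O=dacaoyuan/CN=xll"
    openssl x509 -req -in "$1/server.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -set_serial 01 -days 365 -sha256 \
        -extfile "$1/pki.cnf" -extensions v3_server -out "$1/server.crt" 2>/dev/null
}

# cert_version FILE: the X.509 version number printed by openssl x509 -text
cert_version() {
    openssl x509 -noout -text -in "$1" | sed -n 's/^ *Version: \([0-9]*\).*/\1/p'
}

# verify_for_host DIR CA HOST: succeeds only if server.crt chains to CA and names HOST
verify_for_host() {
    openssl verify -CAfile "$1/$2.crt" -verify_hostname "$3" "$1/server.crt" >/dev/null 2>&1
}

work=$(mktemp -d)
write_config "$work"
make_ca "$work" demo-ca
issue_server "$work" demo-ca
echo "server.crt version: $(cert_version "$work/server.crt")"
verify_for_host "$work" demo-ca server.example.test && echo "chain and host name OK"
verify_for_host "$work" demo-ca other.example.test || echo "wrong host name rejected"
rm -rf "$work"
```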

Origin blog.csdn.net/new9232/article/details/131013837