openssl3.2 - exp - 可以在命令行使用的口令算法名称列表
概述
上一个笔记openssl3.2 - exp - PEM <==> DER, 还有个疑问.
openssl pkey -in app_key3.pem -out app_key5_pwd.pem -outform PEM -passout pass:111111 -算法名称
如果PEM/DER互转时, 要想转换后的文件带口令保护 就需要指定用哪种算法来执行口令加密算法.
并不是随便哪一种可见的算法名称就能用的.
算法有限制
算法不能有 EVP_CIPH_FLAG_AEAD_CIPHER 标记
模式不能是 EVP_CIPH_XTS_MODE
如果想确定哪些是不支持的口令加密算法, 必须要自己写个程序, 将不支持的算法过滤掉.
参照openssl源码, 写了一个测试程序, 可以将全部算法都列出来, 不支持的算法加上标记.
运行效果如下, 只要算法后边有标记 " !!! ---------- ", 都是不支持的命令行口令加密算法.
Legacy:
AES-128-CBC // ok
AES-128-CBC-HMAC-SHA1 : !!! ---------- cipher has no object identifier
AES-128-CBC-HMAC-SHA256 : !!! ---------- cipher has no object identifier
id-aes128-CCM : !!! ---------- AEAD ciphers not supported
AES-128-CFB // ok
AES-128-CFB1 // ok
AES-128-CFB8 // ok
AES-128-CTR : !!! ---------- cipher has no object identifier
AES-128-ECB // ok
id-aes128-GCM : !!! ---------- AEAD ciphers not supported
AES-128-OCB : !!! ---------- cipher has no object identifier
AES-128-OFB // ok
AES-128-XTS : !!! ---------- XTS ciphers not supported
AES-192-CBC
id-aes192-CCM : !!! ---------- AEAD ciphers not supported
AES-192-CFB // ok
AES-192-CFB1 // ok
AES-192-CFB8 // ok
AES-192-CTR : !!! ---------- cipher has no object identifier
AES-192-ECB // ok
id-aes192-GCM : !!! ---------- AEAD ciphers not supported
AES-192-OCB : !!! ---------- cipher has no object identifier
AES-192-OFB // ok
AES-256-CBC // ok
AES-256-CBC-HMAC-SHA1 : !!! ---------- cipher has no object identifier
AES-256-CBC-HMAC-SHA256 : !!! ---------- cipher has no object identifier
id-aes256-CCM : !!! ---------- AEAD ciphers not supported
AES-256-CFB // ok
AES-256-CFB1 // ok
AES-256-CFB8 // ok
AES-256-CTR : !!! ---------- cipher has no object identifier
AES-256-ECB // ok
id-aes256-GCM : !!! ---------- AEAD ciphers not supported
AES-256-OCB : !!! ---------- cipher has no object identifier
AES-256-OFB // ok
AES-256-XTS : !!! ---------- XTS ciphers not supported
ARIA-128-CBC // ok
ARIA-128-CCM : !!! ---------- AEAD ciphers not supported
ARIA-128-CFB // ok
ARIA-128-CFB1 : !!! ---------- cipher has no object identifier
ARIA-128-CFB8 : !!! ---------- cipher has no object identifier
ARIA-128-CTR // ok
ARIA-128-ECB // ok
ARIA-128-GCM : !!! ---------- AEAD ciphers not supported
ARIA-128-OFB // ok
ARIA-192-CBC // ok
ARIA-192-CCM : !!! ---------- AEAD ciphers not supported
ARIA-192-CFB // ok
ARIA-192-CFB1 : !!! ---------- cipher has no object identifier
ARIA-192-CFB8 : !!! ---------- cipher has no object identifier
ARIA-192-CTR // ok
ARIA-192-ECB // ok
ARIA-192-GCM : !!! ---------- AEAD ciphers not supported
ARIA-192-OFB // ok
ARIA-256-CBC // ok
ARIA-256-CCM : !!! ---------- AEAD ciphers not supported
ARIA-256-CFB // ok
ARIA-256-CFB1 : !!! ---------- cipher has no object identifier
ARIA-256-CFB8 : !!! ---------- cipher has no object identifier
ARIA-256-CTR // ok
ARIA-256-ECB // ok
ARIA-256-GCM : !!! ---------- AEAD ciphers not supported
ARIA-256-OFB // ok
BF-CBC // err
BF-CFB : !!! ---------- cipher has no object identifier
BF-ECB : !!! ---------- cipher has no object identifier
BF-OFB : !!! ---------- cipher has no object identifier
CAMELLIA-128-CBC // ok
CAMELLIA-128-CFB // ok
CAMELLIA-128-CFB1 : !!! ---------- cipher has no object identifier
CAMELLIA-128-CFB8 : !!! ---------- cipher has no object identifier
CAMELLIA-128-CTR // ok
CAMELLIA-128-ECB // ok
CAMELLIA-128-OFB // ok
CAMELLIA-192-CBC // ok
CAMELLIA-192-CFB // ok
CAMELLIA-192-CFB1 : !!! ---------- cipher has no object identifier
CAMELLIA-192-CFB8 : !!! ---------- cipher has no object identifier
CAMELLIA-192-CTR // ok
CAMELLIA-192-ECB // ok
CAMELLIA-192-OFB // ok
CAMELLIA-256-CBC // ok
CAMELLIA-256-CFB // ok
CAMELLIA-256-CFB1 : !!! ---------- cipher has no object identifier
CAMELLIA-256-CFB8 : !!! ---------- cipher has no object identifier
CAMELLIA-256-CTR // ok
CAMELLIA-256-ECB // ok
CAMELLIA-256-OFB // ok
CAST5-CBC // err
CAST5-CFB : !!! ---------- cipher has no object identifier
CAST5-ECB : !!! ---------- cipher has no object identifier
CAST5-OFB : !!! ---------- cipher has no object identifier
ChaCha20 : !!! ---------- cipher has no object identifier
ChaCha20-Poly1305 : !!! ---------- cipher has no object identifier
DES-CBC // err
DES-CFB // err
DES-CFB1 // err
DES-CFB8 // err
DES-ECB // err
DES-EDE // ok
DES-EDE-CBC : !!! ---------- cipher has no object identifier
DES-EDE-CFB : !!! ---------- cipher has no object identifier
DES-EDE-OFB : !!! ---------- cipher has no object identifier
DES-EDE3 : !!! ---------- cipher has no object identifier
DES-EDE3-CBC // ok
DES-EDE3-CFB // err
DES-EDE3-CFB1 // err
DES-EDE3-CFB8 // err
DES-EDE3-OFB : !!! ---------- cipher has no object identifier
DES-OFB // err
DESX-CBC : !!! ---------- cipher has no object identifier
id-aes128-CCM : !!! ---------- AEAD ciphers not supported
id-aes128-GCM : !!! ---------- AEAD ciphers not supported
id-aes128-wrap // ok
id-aes128-wrap-pad // ok
id-aes192-CCM : !!! ---------- AEAD ciphers not supported
id-aes192-GCM : !!! ---------- AEAD ciphers not supported
id-aes192-wrap // ok
id-aes192-wrap-pad // ok
id-aes256-CCM : !!! ---------- AEAD ciphers not supported
id-aes256-GCM : !!! ---------- AEAD ciphers not supported
id-aes256-wrap // ok
id-aes256-wrap-pad // ok
id-smime-alg-CMS3DESwrap // err
IDEA-CBC // err
IDEA-CFB : !!! ---------- cipher has no object identifier
IDEA-ECB : !!! ---------- cipher has no object identifier
IDEA-OFB : !!! ---------- cipher has no object identifier
RC2-40-CBC // err
RC2-64-CBC // err
RC2-CBC
RC2-CFB : !!! ---------- cipher has no object identifier
RC2-ECB : !!! ---------- cipher has no object identifier
RC2-OFB : !!! ---------- cipher has no object identifier
RC4 // err
RC4-40 // err
RC4-HMAC-MD5 : !!! ---------- cipher has no object identifier
SEED-CBC // err
SEED-CFB // err
SEED-ECB // err
SEED-OFB // err
SM4-CBC // ok
SM4-CFB // ok
SM4-CTR // ok
SM4-ECB // ok
SM4-OFB // ok
Provided:
{ 1.2.410.200046.1.1.12, ARIA-256-CBC, ARIA256 } // ok
{ 2.16.840.1.101.3.4.1.22, AES-192-CBC, AES192 } // ok
{ 2.16.840.1.101.3.4.1.4, AES-128-CFB } // ok
ARIA-192-CCM : !!! ---------- AEAD ciphers not supported
{ 1.2.410.200046.1.1.1, ARIA-128-ECB } // ok
{ 2.16.840.1.101.3.4.1.2, AES-128-CBC, AES128 } // ok
{ 2.16.840.1.101.3.4.1.24, AES-192-CFB } // ok
{ 1.2.392.200011.61.1.1.1.2, CAMELLIA-128-CBC, CAMELLIA128 } // ok
{ 1.2.392.200011.61.1.1.1.4, CAMELLIA-256-CBC, CAMELLIA256 } // ok
ARIA-192-GCM : !!! ---------- AEAD ciphers not supported
{ 2.16.840.1.101.3.4.1.42, AES-256-CBC, AES256 } // ok
{ 2.16.840.1.101.3.4.1.28, AES-192-WRAP-PAD, AES192-WRAP-PAD, id-aes192-wrap-pad } // ok
ARIA-256-GCM : !!! ---------- AEAD ciphers not supported
AES-256-XTS : !!! ---------- XTS ciphers not supported
{ 2.16.840.1.101.3.4.1.8, AES-128-WRAP-PAD, AES128-WRAP-PAD, id-aes128-wrap-pad } // ok
{ 1.2.840.113549.1.9.16.3.6, DES3-WRAP, id-smime-alg-CMS3DESwrap } // err
{ 2.16.840.1.101.3.4.1.48, AES-256-WRAP-PAD, AES256-WRAP-PAD, id-aes256-wrap-pad } // ok
{ 1.2.156.10197.1.104.3, SM4-OFB, SM4-OFB128 } // ok
{ 2.16.840.1.101.3.4.1.25, AES-192-WRAP, AES192-WRAP, id-aes192-wrap } // ok
{ 2.16.840.1.101.3.4.1.41, AES-256-ECB } // ok
{ 0.3.4401.5.3.1.9.49, CAMELLIA-256-CTR } // ok
{ 1.2.410.200046.1.1.2, ARIA-128-CBC, ARIA128 } // ok
AES-128-GCM : !!! ---------- AEAD ciphers not supported
{ 0.3.4401.5.3.1.9.41, CAMELLIA-256-ECB } // ok
{ 2.16.840.1.101.3.4.1.44, AES-256-CFB } // ok
{ 1.2.156.10197.1.104.4, SM4-CFB, SM4-CFB128 } // ok
{ 0.3.4401.5.3.1.9.4, CAMELLIA-128-CFB } // ok
ARIA-256-CCM : !!! ---------- AEAD ciphers not supported
{ 1.2.410.200046.1.1.14, ARIA-256-OFB } // ok
AES-256-GCM : !!! ---------- AEAD ciphers not supported
{ 0.3.4401.5.3.1.9.9, CAMELLIA-128-CTR } // ok
{ 2.16.840.1.101.3.4.1.23, AES-192-OFB } // ok
{ 1.2.156.10197.1.104.1, SM4-ECB } // ok
AES-128-CCM : !!! ---------- AEAD ciphers not supported
AES-256-CCM : !!! ---------- AEAD ciphers not supported
{ 1.2.410.200046.1.1.7, ARIA-192-CBC, ARIA192 } // ok
{ 2.16.840.1.101.3.4.1.45, AES-256-WRAP, AES256-WRAP, id-aes256-wrap } // ok
{ 1.2.410.200046.1.1.15, ARIA-256-CTR } // ok
{ 1.2.410.200046.1.1.3, ARIA-128-CFB } // ok
ARIA-128-GCM : !!! ---------- AEAD ciphers not supported
{ 1.2.410.200046.1.1.6, ARIA-192-ECB } // ok
AES-192-GCM : !!! ---------- AEAD ciphers not supported
{ 0.3.4401.5.3.1.9.29, CAMELLIA-192-CTR } // ok
{ 0.3.4401.5.3.1.9.43, CAMELLIA-256-OFB } // ok
{ 1.2.156.10197.1.104.2, SM4, SM4-CBC } // ok
ARIA-128-CCM : !!! ---------- AEAD ciphers not supported
AES-192-CCM : !!! ---------- AEAD ciphers not supported
{ 1.3.14.3.2.17, DES-EDE, DES-EDE-ECB } // ok
{ 1.2.410.200046.1.1.11, ARIA-256-ECB } // ok
AES-128-XTS : !!! ---------- XTS ciphers not supported
{ 2.16.840.1.101.3.4.1.5, AES-128-WRAP, AES128-WRAP, id-aes128-wrap } // ok
{ 2.16.840.1.101.3.4.1.3, AES-128-OFB } // ok
{ 0.3.4401.5.3.1.9.3, CAMELLIA-128-OFB } // ok
{ 0.3.4401.5.3.1.9.1, CAMELLIA-128-ECB } // ok
{ 1.2.840.113549.3.7, DES-EDE3-CBC, DES3 } // ok
{ 0.3.4401.5.3.1.9.44, CAMELLIA-256-CFB } // ok
{ 1.2.410.200046.1.1.10, ARIA-192-CTR } // ok
{ 0.3.4401.5.3.1.9.23, CAMELLIA-192-OFB } // ok
{ 0.3.4401.5.3.1.9.24, CAMELLIA-192-CFB } // ok
{ 1.2.410.200046.1.1.9, ARIA-192-OFB } // ok
{ 1.2.410.200046.1.1.13, ARIA-256-CFB } // 好使
{ 2.16.840.1.101.3.4.1.1, AES-128-ECB } // 好使
{ 1.2.410.200046.1.1.8, ARIA-192-CFB } // 好使
{ 1.2.156.10197.1.104.7, SM4-CTR } // 好使
{ 2.16.840.1.101.3.4.1.43, AES-256-OFB } // 好使
{ 1.2.410.200046.1.1.4, ARIA-128-OFB } // 好使
{ 1.2.392.200011.61.1.1.1.3, CAMELLIA-192-CBC, CAMELLIA192 } // 好使
{ 0.3.4401.5.3.1.9.21, CAMELLIA-192-ECB } // 好使
{ 1.2.410.200046.1.1.5, ARIA-128-CTR } // 好使
{ 2.16.840.1.101.3.4.1.21, AES-192-ECB } // 好使
NULL : !!! ---------- cipher has no object identifier
AES-128-CBC-CTS : !!! ---------- cipher has no object identifier
AES-192-CBC-CTS : !!! ---------- cipher has no object identifier
AES-256-CBC-CTS : !!! ---------- cipher has no object identifier
AES-256-CFB1 // 好使
AES-192-CFB1 // 好使
AES-128-CFB1 // 好使
AES-256-CFB8 // 好使
AES-192-CFB8 // 好使
AES-128-CFB8 // 可以
AES-256-CTR : !!! ---------- cipher has no object identifier
AES-192-CTR : !!! ---------- cipher has no object identifier
AES-128-CTR : !!! ---------- cipher has no object identifier
AES-256-OCB : !!! ---------- cipher has no object identifier
AES-192-OCB : !!! ---------- cipher has no object identifier
AES-128-OCB : !!! ---------- cipher has no object identifier
AES-128-SIV : !!! ---------- cipher has no object identifier
AES-192-SIV : !!! ---------- cipher has no object identifier
AES-256-SIV : !!! ---------- cipher has no object identifier
AES-128-GCM-SIV : !!! ---------- cipher has no object identifier
AES-192-GCM-SIV : !!! ---------- cipher has no object identifier
AES-256-GCM-SIV : !!! ---------- cipher has no object identifier
AES-256-WRAP-INV : !!! ---------- cipher has no object identifier
AES-192-WRAP-INV : !!! ---------- cipher has no object identifier
AES-128-WRAP-INV : !!! ---------- cipher has no object identifier
AES-256-WRAP-PAD-INV : !!! ---------- cipher has no object identifier
AES-192-WRAP-PAD-INV : !!! ---------- cipher has no object identifier
AES-128-WRAP-PAD-INV : !!! ---------- cipher has no object identifier
AES-128-CBC-HMAC-SHA1 : !!! ---------- cipher has no object identifier
AES-256-CBC-HMAC-SHA1 : !!! ---------- cipher has no object identifier
AES-128-CBC-HMAC-SHA256 : !!! ---------- cipher has no object identifier
AES-256-CBC-HMAC-SHA256 : !!! ---------- cipher has no object identifier
ARIA-256-CFB1 : !!! ---------- cipher has no object identifier
ARIA-192-CFB1 : !!! ---------- cipher has no object identifier
ARIA-128-CFB1 : !!! ---------- cipher has no object identifier
ARIA-256-CFB8 : !!! ---------- cipher has no object identifier
ARIA-192-CFB8 : !!! ---------- cipher has no object identifier
ARIA-128-CFB8 : !!! ---------- cipher has no object identifier
CAMELLIA-128-CBC-CTS : !!! ---------- cipher has no object identifier
CAMELLIA-192-CBC-CTS : !!! ---------- cipher has no object identifier
CAMELLIA-256-CBC-CTS : !!! ---------- cipher has no object identifier
CAMELLIA-256-CFB1 : !!! ---------- cipher has no object identifier
CAMELLIA-192-CFB1 : !!! ---------- cipher has no object identifier
CAMELLIA-128-CFB1 : !!! ---------- cipher has no object identifier
CAMELLIA-256-CFB8 : !!! ---------- cipher has no object identifier
CAMELLIA-192-CFB8 : !!! ---------- cipher has no object identifier
CAMELLIA-128-CFB8 : !!! ---------- cipher has no object identifier
DES-EDE3-ECB : !!! ---------- cipher has no object identifier
DES-EDE3-OFB : !!! ---------- cipher has no object identifier
DES-EDE3-CFB // 不行
DES-EDE3-CFB8 // 不行
DES-EDE3-CFB1 // 不行
DES-EDE-CBC : !!! ---------- cipher has no object identifier
DES-EDE-OFB : !!! ---------- cipher has no object identifier
DES-EDE-CFB : !!! ---------- cipher has no object identifier
SM4-GCM : !!! ---------- cipher has no object identifier
SM4-CCM : !!! ---------- cipher has no object identifier
SM4-XTS : !!! ---------- cipher has no object identifier
ChaCha20 : !!! ---------- cipher has no object identifier
ChaCha20-Poly1305 : !!! ---------- cipher has no object identifier
free map, g_mem_hook_map.size() = 0
笔记
测试工程实现
/*!
* \file main.cpp
*/
#include "my_openSSL_lib.h"
#include <openssl/crypto.h>
#include <openssl/bio.h>
#include <openssl/safestack.h>
#include <openssl/evp.h>
#include <openssl/provider.h>
#include <stdlib.h>
#include <stdio.h>
#include <assert.h>
#include "CMemHookRec.h"
BIO* bio_out = NULL;
BIO* bio_err = NULL;
static const char* select_name = NULL;
void my_openssl_app();
void list_ciphers(const char* prefix);
int cipher_cmp(const EVP_CIPHER* const* a, const EVP_CIPHER* const* b);
void collect_ciphers(EVP_CIPHER* cipher, void* stack);
int main(int argc, char** argv)
{
setvbuf(stdout, NULL, _IONBF, 0); // 清掉stdout缓存, 防止调用printf时阻塞
mem_hook();
my_openssl_app();
mem_unhook();
return 0;
}
void my_openssl_app()
{
bio_out = BIO_new_fp(stdout, 0);
bio_err = BIO_new_fp(stdout, 0);
if ((NULL != bio_out) && (NULL != bio_err))
{
list_ciphers(" ");
}
if (NULL != bio_out)
{
BIO_free(bio_out);
bio_out = NULL;
}
if (NULL != bio_err)
{
BIO_free(bio_err);
bio_err = NULL;
}
}
void legacy_cipher_fn(const EVP_CIPHER* c,
const char* from, const char* to, void* arg)
{
int mode = 0;
unsigned long int flags = 0;
int alg_nid = 0;
if (select_name != NULL
&& (c == NULL
|| OPENSSL_strcasecmp(select_name, EVP_CIPHER_get0_name(c)) != 0))
{
return;
}
if (c != NULL) {
mode = EVP_CIPHER_get_mode(c);
flags = EVP_CIPHER_get_flags(c);
alg_nid = EVP_CIPHER_get_type(c);
if (alg_nid == NID_undef) {
BIO_printf(bio_out, " %s : !!! ---------- cipher has no object identifier\n", EVP_CIPHER_get0_name(c));
}
else if (mode == EVP_CIPH_XTS_MODE) {
BIO_printf((BIO*)arg, " %s : !!! ---------- XTS ciphers not supported\n", EVP_CIPHER_get0_name(c));
}
else if ((flags & EVP_CIPH_FLAG_AEAD_CIPHER) != 0) {
BIO_printf((BIO*)arg, " %s : !!! ---------- AEAD ciphers not supported\n", EVP_CIPHER_get0_name(c));
}
else {
BIO_printf((BIO*)arg, " %s \n", EVP_CIPHER_get0_name(c));
}
}
}
int name_cmp(const char* const* a, const char* const* b)
{
return OPENSSL_strcasecmp(*a, *b);
}
void collect_names(const char* name, void* vdata)
{
STACK_OF(OPENSSL_CSTRING)* names = (STACK_OF(OPENSSL_CSTRING)*)vdata;
sk_OPENSSL_CSTRING_push(names, name);
}
void print_names(BIO* out, STACK_OF(OPENSSL_CSTRING)* names)
{
int i = sk_OPENSSL_CSTRING_num(names);
int j;
sk_OPENSSL_CSTRING_sort(names);
if (i > 1)
BIO_printf(out, "{ ");
for (j = 0; j < i; j++) {
const char* name = sk_OPENSSL_CSTRING_value(names, j);
if (j > 0)
BIO_printf(out, ", ");
BIO_printf(out, "%s", name);
}
if (i > 1)
BIO_printf(out, " }");
}
DEFINE_STACK_OF(EVP_CIPHER)
void list_ciphers(const char* prefix)
{
STACK_OF(EVP_CIPHER)* ciphers = sk_EVP_CIPHER_new(cipher_cmp);
int i;
int mode = 0;
int flags = 0;
int alg_nid = 0;
if (ciphers == NULL) {
BIO_printf(bio_err, "ERROR: Memory allocation\n");
return;
}
if (true) {
BIO_printf(bio_out, "%sLegacy:\n", prefix);
EVP_CIPHER_do_all_sorted(legacy_cipher_fn, bio_out);
}
BIO_printf(bio_out, "%sProvided:\n", prefix);
EVP_CIPHER_do_all_provided(NULL, collect_ciphers, ciphers);
sk_EVP_CIPHER_sort(ciphers);
for (i = 0; i < sk_EVP_CIPHER_num(ciphers); i++) {
const EVP_CIPHER* c = sk_EVP_CIPHER_value(ciphers, i);
mode = EVP_CIPHER_get_mode(c);
flags = EVP_CIPHER_get_flags(c);
alg_nid = EVP_CIPHER_get_type(c);
if (alg_nid == NID_undef) {
BIO_printf(bio_out, " %s : !!! ---------- cipher has no object identifier\n", EVP_CIPHER_get0_name(c));
continue;
}
else if (mode == EVP_CIPH_XTS_MODE) {
BIO_printf(bio_out, " %s : !!! ---------- XTS ciphers not supported\n", EVP_CIPHER_get0_name(c));
continue;
}
else if ((flags & EVP_CIPH_FLAG_AEAD_CIPHER) != 0) {
BIO_printf(bio_out, " %s : !!! ---------- AEAD ciphers not supported\n", EVP_CIPHER_get0_name(c));
continue;
}
STACK_OF(OPENSSL_CSTRING)* names = NULL;
if (select_name != NULL && !EVP_CIPHER_is_a(c, select_name))
continue;
names = sk_OPENSSL_CSTRING_new(name_cmp);
if (names != NULL && EVP_CIPHER_names_do_all(c, collect_names, names)) {
BIO_printf(bio_out, " ");
print_names(bio_out, names);
BIO_printf(bio_out, "\r\n");
/* BIO_printf(bio_out, " @ %s\n",
OSSL_PROVIDER_get0_name(EVP_CIPHER_get0_provider(c)));
if (verbose) {
const char* desc = EVP_CIPHER_get0_description(c);
if (desc != NULL)
BIO_printf(bio_out, " description: %s\n", desc);
print_param_types("retrievable algorithm parameters",
EVP_CIPHER_gettable_params(c), 4);
print_param_types("retrievable operation parameters",
EVP_CIPHER_gettable_ctx_params(c), 4);
print_param_types("settable operation parameters",
EVP_CIPHER_settable_ctx_params(c), 4);
}*/
}
sk_OPENSSL_CSTRING_free(names);
}
sk_EVP_CIPHER_pop_free(ciphers, EVP_CIPHER_free);
}
int cipher_cmp(const EVP_CIPHER* const* a, const EVP_CIPHER* const* b)
{
return strcmp(OSSL_PROVIDER_get0_name(EVP_CIPHER_get0_provider(*a)),
OSSL_PROVIDER_get0_name(EVP_CIPHER_get0_provider(*b)));
}
void collect_ciphers(EVP_CIPHER* cipher, void* stack)
{
STACK_OF(EVP_CIPHER)* cipher_stack = (STACK_OF(EVP_CIPHER)*)stack;
if (sk_EVP_CIPHER_push(cipher_stack, cipher) > 0)
EVP_CIPHER_up_ref(cipher);
}
备注
我们自己写的工程, 只能调用openssl对外提供的接口, 没办法用openssl内部接口(包括内部函数, 内部头文件, 内部结构定义)
像这个列出openssl全部加密算法的实现, 用的是openssl接口上的回调函数入参. 传入我们自己的回调函数指针, 在回调函数中判断算法功能是否在命令行参数中可用于口令加密.
现在知道了支持口令加密的加密算法名称, 试几个不常见的口令加密算法, 看看是否好使?
openssl pkey -in app_key.pem -passin pass:my_pwd_for_app_key -out app_key.der -outform DER
app_key.pem是带口令保护的, 执行上面的命令, 转为一个不带口令的.der
现在用这个不带口令的.der, 转成带口令的.der, 加密算法用上面测试工程找到的有效算法名称, 试试好使不?openssl pkey -in app_key.der -out app_key_pwd1.pem -outform DER -passout pass:111111 -ChaCha20
Error: Cipher options are supported only for PEM output看到口令加密算法只支持.PEM格式…
那算了, 就实验.der/.pem转成.pem的场景.openssl pkey -in app_key.der -out app_key_no_pwd.pem -outform PEM
先将上面实验的.der转成不带口令保护的.pemopenssl pkey -in app_key_no_pwd.pem -out app_key_pwd1.pem -outform PEM -passout pass:111111 -ChaCha20
cipher has no object identifier
说明还有限制条件, 选用的算法必须有obj_id, 那将这个条件也加入算法选择逻辑里面.程序修改完了, 上面的工程副本已经更新. 现在能看到, 算法ChaCha20在列表中已经标记为了不支持.
再试试其他支持的不常见加密算法.
openssl pkey -in app_key_no_pwd.pem -out app_key_pwd1.pem -outform PEM -passout pass:111111 -DES-EDE3-CFB1
BC570600:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto\evp\evp_fetch.c:342:Global default library context, Algorithm (DES-CFB : 6), Properties ()
可以看到, 也不是每种算法都支持.
跟了一下openssl源码, 都是宏写的, 调用的都是内部函数, 不好弄清为啥不行.
那就试试找到的其他算法, 看行不行.下面列出的都是好使的算法, 没有都列出, 在上面的算法列表中写上了是否好使.
openssl pkey -in app_key_no_pwd.pem -out app_key_pwd1.pem -outform PEM -passout pass:111111 -AES-128-CFB8
过滤掉的算法中, 不好通过程序来判断了, 只能一个一个实验.
整理 - 总共有126种加密算法可用于命令行参数的密码加密算法
// 总共有126种加密算法可用于命令行参数的密码加密算法
Legacy:
AES-128-CBC // ok
AES-128-CFB // ok
AES-128-CFB1 // ok
AES-128-CFB8 // ok
AES-128-ECB // ok
AES-128-OFB // ok
AES-192-CBC // ok
AES-192-CFB // ok
AES-192-CFB1 // ok
AES-192-CFB8 // ok
AES-192-ECB // ok
AES-192-OFB // ok
AES-256-CBC // ok
AES-256-CFB // ok
AES-256-CFB1 // ok
AES-256-CFB8 // ok
AES-256-ECB // ok
AES-256-OFB // ok
ARIA-128-CBC // ok
ARIA-128-CFB // ok
ARIA-128-CTR // ok
ARIA-128-ECB // ok
ARIA-128-OFB // ok
ARIA-192-CBC // ok
ARIA-192-CFB // ok
ARIA-192-CTR // ok
ARIA-192-ECB // ok
ARIA-192-OFB // ok
ARIA-256-CBC // ok
ARIA-256-CFB // ok
ARIA-256-CTR // ok
ARIA-256-ECB // ok
ARIA-256-OFB // ok
CAMELLIA-128-CBC // ok
CAMELLIA-128-CFB // ok
CAMELLIA-128-CTR // ok
CAMELLIA-128-ECB // ok
CAMELLIA-128-OFB // ok
CAMELLIA-192-CBC // ok
CAMELLIA-192-CFB // ok
CAMELLIA-192-CTR // ok
CAMELLIA-192-ECB // ok
CAMELLIA-192-OFB // ok
CAMELLIA-256-CBC // ok
CAMELLIA-256-CFB // ok
CAMELLIA-256-CTR // ok
CAMELLIA-256-ECB // ok
CAMELLIA-256-OFB // ok
DES-EDE // ok
DES-EDE3-CBC // ok
DES-EDE3-CFB // err
DES-EDE3-CFB1 // err
DES-EDE3-CFB8 // err
id-aes128-wrap // ok
id-aes128-wrap-pad // ok
id-aes192-wrap // ok
id-aes192-wrap-pad // ok
id-aes256-wrap // ok
id-aes256-wrap-pad // ok
SM4-CBC // ok
SM4-CFB // ok
SM4-CTR // ok
SM4-ECB // ok
SM4-OFB // ok
Provided:
{ 1.2.410.200046.1.1.12, ARIA-256-CBC, ARIA256 } // ok
{ 2.16.840.1.101.3.4.1.22, AES-192-CBC, AES192 } // ok
{ 2.16.840.1.101.3.4.1.4, AES-128-CFB } // ok
{ 1.2.410.200046.1.1.1, ARIA-128-ECB } // ok
{ 2.16.840.1.101.3.4.1.2, AES-128-CBC, AES128 } // ok
{ 2.16.840.1.101.3.4.1.24, AES-192-CFB } // ok
{ 1.2.392.200011.61.1.1.1.2, CAMELLIA-128-CBC, CAMELLIA128 } // ok
{ 1.2.392.200011.61.1.1.1.4, CAMELLIA-256-CBC, CAMELLIA256 } // ok
{ 2.16.840.1.101.3.4.1.42, AES-256-CBC, AES256 } // ok
{ 2.16.840.1.101.3.4.1.28, AES-192-WRAP-PAD, AES192-WRAP-PAD, id-aes192-wrap-pad } // ok
{ 2.16.840.1.101.3.4.1.8, AES-128-WRAP-PAD, AES128-WRAP-PAD, id-aes128-wrap-pad } // ok
{ 1.2.840.113549.1.9.16.3.6, DES3-WRAP, id-smime-alg-CMS3DESwrap } // err
{ 2.16.840.1.101.3.4.1.48, AES-256-WRAP-PAD, AES256-WRAP-PAD, id-aes256-wrap-pad } // ok
{ 1.2.156.10197.1.104.3, SM4-OFB, SM4-OFB128 } // ok
{ 2.16.840.1.101.3.4.1.25, AES-192-WRAP, AES192-WRAP, id-aes192-wrap } // ok
{ 2.16.840.1.101.3.4.1.41, AES-256-ECB } // ok
{ 0.3.4401.5.3.1.9.49, CAMELLIA-256-CTR } // ok
{ 1.2.410.200046.1.1.2, ARIA-128-CBC, ARIA128 } // ok
{ 0.3.4401.5.3.1.9.41, CAMELLIA-256-ECB } // ok
{ 2.16.840.1.101.3.4.1.44, AES-256-CFB } // ok
{ 1.2.156.10197.1.104.4, SM4-CFB, SM4-CFB128 } // ok
{ 0.3.4401.5.3.1.9.4, CAMELLIA-128-CFB } // ok
{ 1.2.410.200046.1.1.14, ARIA-256-OFB } // ok
{ 0.3.4401.5.3.1.9.9, CAMELLIA-128-CTR } // ok
{ 2.16.840.1.101.3.4.1.23, AES-192-OFB } // ok
{ 1.2.156.10197.1.104.1, SM4-ECB } // ok
{ 1.2.410.200046.1.1.7, ARIA-192-CBC, ARIA192 } // ok
{ 2.16.840.1.101.3.4.1.45, AES-256-WRAP, AES256-WRAP, id-aes256-wrap } // ok
{ 1.2.410.200046.1.1.15, ARIA-256-CTR } // ok
{ 1.2.410.200046.1.1.3, ARIA-128-CFB } // ok
{ 1.2.410.200046.1.1.6, ARIA-192-ECB } // ok
{ 0.3.4401.5.3.1.9.29, CAMELLIA-192-CTR } // ok
{ 0.3.4401.5.3.1.9.43, CAMELLIA-256-OFB } // ok
{ 1.2.156.10197.1.104.2, SM4, SM4-CBC } // ok
{ 1.3.14.3.2.17, DES-EDE, DES-EDE-ECB } // ok
{ 1.2.410.200046.1.1.11, ARIA-256-ECB } // ok
{ 2.16.840.1.101.3.4.1.5, AES-128-WRAP, AES128-WRAP, id-aes128-wrap } // ok
{ 2.16.840.1.101.3.4.1.3, AES-128-OFB } // ok
{ 0.3.4401.5.3.1.9.3, CAMELLIA-128-OFB } // ok
{ 0.3.4401.5.3.1.9.1, CAMELLIA-128-ECB } // ok
{ 1.2.840.113549.3.7, DES-EDE3-CBC, DES3 } // ok
{ 0.3.4401.5.3.1.9.44, CAMELLIA-256-CFB } // ok
{ 1.2.410.200046.1.1.10, ARIA-192-CTR } // ok
{ 0.3.4401.5.3.1.9.23, CAMELLIA-192-OFB } // ok
{ 0.3.4401.5.3.1.9.24, CAMELLIA-192-CFB } // ok
{ 1.2.410.200046.1.1.9, ARIA-192-OFB } // ok
{ 1.2.410.200046.1.1.13, ARIA-256-CFB } // 好使
{ 2.16.840.1.101.3.4.1.1, AES-128-ECB } // 好使
{ 1.2.410.200046.1.1.8, ARIA-192-CFB } // 好使
{ 1.2.156.10197.1.104.7, SM4-CTR } // 好使
{ 2.16.840.1.101.3.4.1.43, AES-256-OFB } // 好使
{ 1.2.410.200046.1.1.4, ARIA-128-OFB } // 好使
{ 1.2.392.200011.61.1.1.1.3, CAMELLIA-192-CBC, CAMELLIA192 } // 好使
{ 0.3.4401.5.3.1.9.21, CAMELLIA-192-ECB } // 好使
{ 1.2.410.200046.1.1.5, ARIA-128-CTR } // 好使
{ 2.16.840.1.101.3.4.1.21, AES-192-ECB } // 好使
AES-256-CFB1 // 好使
AES-192-CFB1 // 好使
AES-128-CFB1 // 好使
AES-256-CFB8 // 好使
AES-192-CFB8 // 好使
AES-128-CFB8 // 可以
备注
如果想要转换后的.der/.pem受口令密码和加密算法保护, 必须是.pem格式.
如果怕逆向的用户看到程序中的.pem内容的数组, 可以将.pem放到参数文件中.
文件的组织可以用多个buffer合成一个buffer的方法(C++ - 多个buffer合并成一个buffer的管理类).
对一个大buffer加密(非对称/对称), 只有正版用户才能载入, 间接保护了程序被逆向.
