OpenSSL ToolKit Usage


OpenSSL Toolkit Usage

OpenSSL is a great project, which provide a excellent implement of SSL and TLS protocol, and also a great toolkit which can do many of kinds of job related with cryptography field.

There is a Great tutorial of openssl command toolkit: openssl introduction.

This article has also some extension based above introduction. And this article  collect some the uses of openssl command, which I already tested in linux environment.

Table of Contents

  • 1 Use openssl as a encryption and decryption tool
    • 1.1 symmetric cipher algorithms
    • 1.2 asymmetric cipher algorithm (public key algorithm)
  • 2 Create a signature of a file
  • 3 verify certificate authority (CA) by command line
  • 4 How to retrieve some web site's certificate by command line?
  • 5 openssl's system path to store CA.
  • 6 build your own CA step by step
  • 7 X509 PKCS#12 PKCS#8

1 Use openssl as a encryption and decryption tool

There are some kinds of classification methods of encryption algorithms -- asymmetric and symmetric algorithms or secret key and public key algorithms. Following sections provide a tutorial of how to use openssl as a cipher tool.

1.1 symmetric cipher algorithms

To see the complete list of the symmetric algorithms:
openssl list-cipher-commands
encrypt and decrypt by one cipher mentioned above. (in this case use aes-256-cbc)
openssl enc -aes-256-cbc -in plain.txt -out ciphertext.txt
openssl enc -aes-256-cbc -d -in ciphertext.txt -out decrypt.txt

1.2 asymmetric cipher algorithm (public key algorithm)

Generate the RSA key file first.
openssl genrsa -out rsakey.pem 2048
# maybe you need to encrypt the key file 
openssl rsa -in rsakey.pem -des3 -out rsakey.enc.pem
# you can view the key file details (moduels, private key, public key)
openssl rsa -in rsakey.pem -text -noout
# yes, you can extract the public key 
openssl rsa -in rsakey.pem -pubout -out pub-rsakey.pem
encrypt or decrypt by RSA public key algorithm.
# encyption, the plain.txt must no longer than 116 bytes = 928 bits
openssl rsautl -encrypt -in plain.txt -inkey rsakey.pem -out cipher.txt
# much better method, to encrypt by just the public key
# openssl rsautl -encrypt -in plain.txt -pubin -inkey pub-rsakey.pem -out cipher.txt

# decrypt the cipher.txt
openssl rsautl -decrypt -in cipher.txt -inkey rsakey.pem -out plain.txt

2 Create a signature of a file

This section is a step to step tutorial to illustrate how to create a digit signature and verify it.
  1. Create a digest by chosen hash function 
    # you can choose hash functions listed by openssl dgst --help 
openssl dgst -sha1 -out file.digest file.txt
  2. encrypt the digest to create a signature 
    # generate the RSA key key.pem first
openssl rsautl -sign -in file.digest -out file.sig -inkey key.pem
  3. verify the signature 
    # customer can verfiy the digist buy decrypt the signature file to
# create a digest file, and compare the digest with the file to
# verify the signature. 
# How to extract pub-key from key.pem refer to above section.
openssl rsautl -verify -in file.sig -out file.digest -inkey pub-key.pem -pubin

3 verify certificate authority (CA) by command line

openssl verify pem-file

4 How to retrieve some web site's certificate by command line?

openssl s_client -showcerts -connect www.google.com:443 > cert_file

5 openssl's system path to store CA.

openssl version -d

6 build your own CA step by step

  • create a root Certificate Create a root Certificate means that build a certificate which is self signed. A self signed certificate is the center of a Certificate Authority(CA) which can be used to issue other client certificate. You need to configure the computer's openssl.cnf to set your PC's CA environment. This section show you how to create root certificate and issue certificate. you can follow this section's instruction to create the root certificate and put that into the location mentioned in openssl.cnf file.
    • generate a private key 
      openssl genrsa -3 -out rootca.key 2048
      This command create a file contain both public and private key, which are encrypted. The next command can view the details of RSA key pair. 
      openssl rsa -in rootca.key -text -noout
      You also can choose the encryption algorithm to cipher the RSA key file 
      openssl rsa -in target.key -des3 -out enc-target.pem
    • create the certificate 
      openssl req -new -x509 -sha1 -key rootca.key -out rootca.x509.pem -days 1000 -subj "/..."
  • create a Certificate issued by root CA
    • generate a private key 
      openssl genrsa -3 -out hostca.key 2048
    • Fill in the certificate request 
      openssl req -new -key hostca.key -out hostca.req
    • Issue the certificate with the Root CA 
      openssl x509 -req -days 1000 -sha1 -extensions v3_req \
    -CA rootca.crt -CAkey rootca.key -CAserial rootca.srl -CAcreateserial \
    -in hostca.req -out hostca.pem

7 X509 PKCS#12 PKCS#8

There are many file format in openssl toolkit. Some of them really puzzled me, so I make this introduction, which target to conceptional distinguish them. PKCS#8 is a store of private key. X509 is associated with signature information and public key. PKCS#12 is combination of certificate and private key which is protected by password. And java keystore is an archive of many PKCS#12 file. PKCS#8 PEM/DER key and traditional RSA private key is actually same thing in different format.
  1. convert traditional private key to PKCS#8 without no password: 
    openssl pkcs8 -in private.key -topk8 -outform DER -out target.pk8 -nocrypt
  2. convert above PKCS#8 to pem/DER format 
    openssl pkcs8 -inform DER -nocrypt -in target.pk8 -out target.key.pem
  3. convert above PEM/DER format key to traditional RSA private key 
    openssl rsa -in target.key.pem -out target.key
  4. encrypt the private key file: 
    openssl rsa -in target.key -des3 -out enc-target.pem
  5. extract pub key from the file RSA key file 
    openssl rsa -in key.pem -pubout -out pub-key.pem
build PKCS#12 with certification and private key file.

openssl pkcs12 -export -in file.cert -inkey file.key -out file.p12 -password pass:passphrase -name alias

Comments

Post a Comment

Popular posts from this blog

Bluedroid stack in android

Image
Bluedroid stack in android Table of Contents Bluetooth stack in android Bluedroid .VS. Bluez Porting guide of Bluedroid stack 1 Bluetooth stack in android From Android 4.2, google use Bluedroid stack as its default Bluetooth host stack, before android 4.2, its default Bluetooth host stack was Bluez, which is also the Linux distribution's default stack. So why google changed its Bluetooth stack? The reason is maybe that Bluez stack was designed for the desktop environment, so in order to port Bluez into android, android must solve some dependency issues, like porting Dbus, Linux desktop's default IPC, into android. So there are at least five processes to power Bluetooth before android 4.2, they are systems, Bluetooth APP, Bluez, hciattach, and Dbus. The damn thing is that there are bugs between them, so Bluetooth stack is the weakest part in the android system before android 4.2, yeah, it is the usual reason that android system corrupted. So, what's t
Read more

How to setup a NAT server?

Image
How to setup an NAT server? Table of Contents What is NAT? How to setup NAT host? a shell script from vbird's book 1 What is NAT? NAT stands for Network Address Transition, which is the basic function of gateway host. I try to hack Bluetooth tethering module in android this week, it include the Bluetooth Pan profile and the NAT setup process, which means in order to implement the Bluetooth tethering, first, two devices must be connected by Bluetooth Pan profile, and then the server part device acted as gateway host to supply the network forward service. In other words, after Bluetooth Pan profile connected, the server must to setup its NAT rules to forward the IP packages. So how to setup NAT rules? 2 How to setup NAT host? My memory is still fresh that at the start of my Linux journey, I setup my Linux desktop as an NAT host to provide Internet services for my lab's classmates. During the days as a programmer, I once did a job to hacking android&
Read more

Network programming in elisp

  Network API in elisp Table of Contents 1 Introduction 2 A example 3 Http server implemented by elisp 1 Introduction Emacs is not just an editor, Yes, that's true. Emacs lisp can do network connection programming by its network API. But there is something difference with other kinds of programming language. First, elisp do not support multi-thread, pretty cool, huh!! Yeh, Multi-threads programming is a horrible venture for you, right! Second, There is no socket similarly conception in elisp, and elisp provide network programming ability as processes. Elisp can open a network connection by function – open-network-stream .  It can make network connection server listen a special port by function - make-network-process . Both of those function return a process object. Then you can communicate with the process by process's API. 2 A example I write a snippet code to figure out How to use it. ( require ' cl ) ( defvar my-network-client-b
Read more