OpenSSL
What is it?
OpenSSL is an application that is able to provide (by setting parameters on the
command line) a set of cryptographic functions (hash functions, symmetric and
asymmetric encryption, CA); at the same time OpenSSL can be used as a
cryptographic library in your own applications. As the name suggests, originally the
library offered primarily the SSL protocol support. This functionality has been
included up to now, but the library is offering much wider portfolio of cryptographic
functions nowadays.
Address, version, license
OpenSSL is downloadable in the form of source code at the URL
http://www.openssl.org. The binary form is part of many operating systems or can be
downloaded from other source (use Google). OpenSSL can be compiled under many
operating systems including MS Windows and UNIX systems. The authors are Eric
A. Young and Tim J. Hudson. The license is better (more permittable) than GPL, the
OpenSSL license is close to the Apache license and permits both noncommercial
and commercial use AND MODIFICATION. Currently the latest version is 1.0.2d,
1.0.1p, 1.0.0s and 0.9.8zg, some time ago there used to be two the versions of the
library – the „engine” version (which included support of cryptographic HW devices)
and the non-engine version, today all the versions include the HW device support
automatically.
Documentation
Documentation of the OpenSSL program is fairly good and is available in the form of
man pages (directory openssl/doc/apps), documentation of the API of the library is
not so good, some functions are sufficiently documented (openssl/doc/crypto, for SSL
API it’s openssl/doc/ssl), but many functions remain undocumented and for a correct
use the inspiration in the source codes of particular modules of the program
(openssl/apps) or header files (openssl/include/openssl) is necessary.
Advantages/Disadvantages
The advantages of OpenSSL include good licensing terms (commercial use of
modified code is permitted), availability of source codes, platform independence and
wide functionality. On the other hand the disadvantages include poor documentation,
and poor code quality (“hacks”) in some parts of the library.
Program
The functionality offered by the OpenSSL program (command line) is divided into
following modules (further info on parameters „openssl module help”):
o asn1parse - ASN.1 parsing tool
o ca - sample minimal CA application
o crl2pkcs7 - Create a PKCS#7 structure from a CRL and certificates.
o crl - CRL utility
o dgst, md5, md4, md2, sha1, sha, mdc2, ripemd160 - message digests
o dhparam - DH parameter manipulation and generation
o dsa - DSA key processing
o dsaparam - DSA parameter manipulation and generation
o ec - EC key processing
o ecparam - EC parameter manipulation and generation
o enc - symmetric cipher routines
o gendsa - generate a DSA private key from a set of parameters
o genrsa - generate an RSA private key
o ocsp - Online Certificate Status Protocol utility
o passwd - compute password hashes
o pkcs7 - PKCS#7 utility
o pkcs8 - PKCS#8 format private key conversion tool
o pkcs12 - PKCS#12 file utility
o rand - generate pseudo-random bytes
o req - PKCS#10 certificate request and certificate generating utility.
o rsa - RSA key processing tool
o rsautl - RSA utility
o s_client - SSL/TLS client program
o s_server - SSL/TLS server program
o sess_id - SSL/TLS session handling utility
o smime - S/MIME utility
o speed - test library performance
o spkac - SPKAC printing and generating utility
o verify - Utility to verify certificates.
o x509 - Certificate display and signing utility
o x509v3_config - X509 V3 certificate extension configuration format
OpenSSL supports algorithms RC4, RC2, DES3, DES, CAST, BLOWFISH, AES, (to
get the full list of modes use „openssl list-cipher-commands“), MD2, MD4, MD5,
RMD160, SHA, SHA1, RSA, DSS, DH (see openssl ciphers -v).
Usage of the program
Let’s look at one of the typical uses of the OpenSSL program i.e. at the certificate
requesting, signing and revoking (CRL generation).
1. Generate the RSA key of the CA
o openssl genrsa -out ca.key 2048
2. Creation of the self-signed certificate of the CA
o openssl req -new -x509 -days 365 -key ca.key -out ca.crt [-md5]
[-sha1] [-sha256] [-sha224] [-sha384] [sha512]
3. Generate RSA key of a user (e.g. server)
o openssl genrsa -out server.key 2048
4. Generate the certificate request
o openssl req -new -key server.key -out server.csr
5. Certificate signature
o openssl ca -cert ca.crt -in server.csr -keyfile ca.key -days
365 –out server.crt
o this command requires a specific directory structure, therefore we better
use sign.sh script from the mod-ssl package (directory pkg.contrib) and
we comment the deletion of the ca.config file at the end of the script.
o ./sign.sh server.csr
6. Prepare the PKCS#12 file (certificate plus the private key)
o openssl pkcs12 -export -out server.p12 -in server.crt -inkey
server.key
7. Issue the CRL (it’s empty now)
o openssl ca -gencrl -config ca.config -keyfile ca.key -cert
ca.crt -out ca1.crl [-md md5/sha1/sha224/...]
8. Revoke the user’s certificate
o openssl ca -config ca.config -revoke server.crt -keyfile ca.key
-cert ca.crt
9. Issue a new CRL
o openssl ca -gencrl -config ca.config -keyfile ca.key -cert
ca.crt -out ca2.crl
10. Let’s examine the CRLs
o openssl crl -in ca1.crl -noout -text
o openssl crl -in ca2.crl -noout -text
Next we can focus on the symmetric encryption:
1. file encryption
o openssl enc -aes-256-cbc -salt -in file.txt -out file.enc
2. file decryption
o openssl enc -d -aes-256-cbc -in file.enc
Assignments
1. How do you obtain the SHA-1 hash of a file by using the openssl program?
[describe the command line parameters] {2}
2. Generate an RSA key pair with the public exponent of 3 and 65537. [describe
the command line parameters and include the files] {4}
3. Create a CA certificate based on DSA. [describe the command line
parameters and certificate files] {4}