文章目录

    • openssl3.2 – exp – 可以在命令行使用的口令算法名称列表
    • 概述
    • 笔记
    • 测试工程实现
    • 备注
    • 整理 – 总共有126种加密算法可用于命令行参数的密码加密算法
    • 备注
    • END

openssl3.2 – exp – 可以在命令行使用的口令算法名称列表

概述

上一个笔记openssl3.2 – exp – PEM <==> DER, 还有个疑问.

openssl pkey -in app_key3.pem -out app_key5_pwd.pem -outform PEM -passout pass:111111 -算法名称

如果PEM/DER互转时, 要想转换后的文件带口令保护 就需要指定用哪种算法来执行口令加密算法.
并不是随便哪一种可见的算法名称就能用的.
算法有限制

算法不能有 EVP_CIPH_FLAG_AEAD_CIPHER 标记
模式不能是 EVP_CIPH_XTS_MODE

如果想确定哪些是不支持的口令加密算法, 必须要自己写个程序, 将不支持的算法过滤掉.
参照openssl源码, 写了一个测试程序, 可以将全部算法都列出来, 不支持的算法加上标记.
运行效果如下, 只要算法后边有标记 ” !!! ———- “, 都是不支持的命令行口令加密算法.

Legacy:
AES-128-CBC // ok
AES-128-CBC-HMAC-SHA1 : !!! ———- cipher has no object identifier
AES-128-CBC-HMAC-SHA256 : !!! ———- cipher has no object identifier
id-aes128-CCM : !!! ———- AEAD ciphers not supported
AES-128-CFB // ok
AES-128-CFB1 // ok
AES-128-CFB8 // ok
AES-128-CTR : !!! ———- cipher has no object identifier
AES-128-ECB // ok
id-aes128-GCM : !!! ———- AEAD ciphers not supported
AES-128-OCB : !!! ———- cipher has no object identifier
AES-128-OFB // ok
AES-128-XTS : !!! ———- XTS ciphers not supported
AES-192-CBC
id-aes192-CCM : !!! ———- AEAD ciphers not supported
AES-192-CFB // ok
AES-192-CFB1 // ok
AES-192-CFB8 // ok
AES-192-CTR : !!! ———- cipher has no object identifier
AES-192-ECB // ok
id-aes192-GCM : !!! ———- AEAD ciphers not supported
AES-192-OCB : !!! ———- cipher has no object identifier
AES-192-OFB // ok
AES-256-CBC // ok
AES-256-CBC-HMAC-SHA1 : !!! ———- cipher has no object identifier
AES-256-CBC-HMAC-SHA256 : !!! ———- cipher has no object identifier
id-aes256-CCM : !!! ———- AEAD ciphers not supported
AES-256-CFB // ok
AES-256-CFB1 // ok
AES-256-CFB8 // ok
AES-256-CTR : !!! ———- cipher has no object identifier
AES-256-ECB // ok
id-aes256-GCM : !!! ———- AEAD ciphers not supported
AES-256-OCB : !!! ———- cipher has no object identifier
AES-256-OFB // ok
AES-256-XTS : !!! ———- XTS ciphers not supported
ARIA-128-CBC // ok
ARIA-128-CCM : !!! ———- AEAD ciphers not supported
ARIA-128-CFB // ok
ARIA-128-CFB1 : !!! ———- cipher has no object identifier
ARIA-128-CFB8 : !!! ———- cipher has no object identifier
ARIA-128-CTR // ok
ARIA-128-ECB // ok
ARIA-128-GCM : !!! ———- AEAD ciphers not supported
ARIA-128-OFB // ok
ARIA-192-CBC // ok
ARIA-192-CCM : !!! ———- AEAD ciphers not supported
ARIA-192-CFB // ok
ARIA-192-CFB1 : !!! ———- cipher has no object identifier
ARIA-192-CFB8 : !!! ———- cipher has no object identifier
ARIA-192-CTR // ok
ARIA-192-ECB // ok
ARIA-192-GCM : !!! ———- AEAD ciphers not supported
ARIA-192-OFB // ok
ARIA-256-CBC // ok
ARIA-256-CCM : !!! ———- AEAD ciphers not supported
ARIA-256-CFB // ok
ARIA-256-CFB1 : !!! ———- cipher has no object identifier
ARIA-256-CFB8 : !!! ———- cipher has no object identifier
ARIA-256-CTR // ok
ARIA-256-ECB // ok
ARIA-256-GCM : !!! ———- AEAD ciphers not supported
ARIA-256-OFB // ok
BF-CBC // err
BF-CFB : !!! ———- cipher has no object identifier
BF-ECB : !!! ———- cipher has no object identifier
BF-OFB : !!! ———- cipher has no object identifier
CAMELLIA-128-CBC // ok
CAMELLIA-128-CFB // ok
CAMELLIA-128-CFB1 : !!! ———- cipher has no object identifier
CAMELLIA-128-CFB8 : !!! ———- cipher has no object identifier
CAMELLIA-128-CTR // ok
CAMELLIA-128-ECB // ok
CAMELLIA-128-OFB // ok
CAMELLIA-192-CBC // ok
CAMELLIA-192-CFB // ok
CAMELLIA-192-CFB1 : !!! ———- cipher has no object identifier
CAMELLIA-192-CFB8 : !!! ———- cipher has no object identifier
CAMELLIA-192-CTR // ok
CAMELLIA-192-ECB // ok
CAMELLIA-192-OFB // ok
CAMELLIA-256-CBC // ok
CAMELLIA-256-CFB // ok
CAMELLIA-256-CFB1 : !!! ———- cipher has no object identifier
CAMELLIA-256-CFB8 : !!! ———- cipher has no object identifier
CAMELLIA-256-CTR // ok
CAMELLIA-256-ECB // ok
CAMELLIA-256-OFB // ok
CAST5-CBC // err
CAST5-CFB : !!! ———- cipher has no object identifier
CAST5-ECB : !!! ———- cipher has no object identifier
CAST5-OFB : !!! ———- cipher has no object identifier
ChaCha20 : !!! ———- cipher has no object identifier
ChaCha20-Poly1305 : !!! ———- cipher has no object identifier
DES-CBC // err
DES-CFB // err
DES-CFB1 // err
DES-CFB8 // err
DES-ECB // err
DES-EDE // ok
DES-EDE-CBC : !!! ———- cipher has no object identifier
DES-EDE-CFB : !!! ———- cipher has no object identifier
DES-EDE-OFB : !!! ———- cipher has no object identifier
DES-EDE3 : !!! ———- cipher has no object identifier
DES-EDE3-CBC // ok
DES-EDE3-CFB // err
DES-EDE3-CFB1 // err
DES-EDE3-CFB8 // err
DES-EDE3-OFB : !!! ———- cipher has no object identifier
DES-OFB // err
DESX-CBC : !!! ———- cipher has no object identifier
id-aes128-CCM : !!! ———- AEAD ciphers not supported
id-aes128-GCM : !!! ———- AEAD ciphers not supported
id-aes128-wrap // ok
id-aes128-wrap-pad // ok
id-aes192-CCM : !!! ———- AEAD ciphers not supported
id-aes192-GCM : !!! ———- AEAD ciphers not supported
id-aes192-wrap // ok
id-aes192-wrap-pad // ok
id-aes256-CCM : !!! ———- AEAD ciphers not supported
id-aes256-GCM : !!! ———- AEAD ciphers not supported
id-aes256-wrap // ok
id-aes256-wrap-pad // ok
id-smime-alg-CMS3DESwrap // err
IDEA-CBC // err
IDEA-CFB : !!! ———- cipher has no object identifier
IDEA-ECB : !!! ———- cipher has no object identifier
IDEA-OFB : !!! ———- cipher has no object identifier
RC2-40-CBC // err
RC2-64-CBC // err
RC2-CBC
RC2-CFB : !!! ———- cipher has no object identifier
RC2-ECB : !!! ———- cipher has no object identifier
RC2-OFB : !!! ———- cipher has no object identifier
RC4 // err
RC4-40 // err
RC4-HMAC-MD5 : !!! ———- cipher has no object identifier
SEED-CBC // err
SEED-CFB // err
SEED-ECB // err
SEED-OFB // err
SM4-CBC // ok
SM4-CFB // ok
SM4-CTR // ok
SM4-ECB // ok
SM4-OFB // ok
Provided:
{ 1.2.410.200046.1.1.12, ARIA-256-CBC, ARIA256 } // ok
{ 2.16.840.1.101.3.4.1.22, AES-192-CBC, AES192 } // ok
{ 2.16.840.1.101.3.4.1.4, AES-128-CFB } // ok
ARIA-192-CCM : !!! ———- AEAD ciphers not supported
{ 1.2.410.200046.1.1.1, ARIA-128-ECB } // ok
{ 2.16.840.1.101.3.4.1.2, AES-128-CBC, AES128 } // ok
{ 2.16.840.1.101.3.4.1.24, AES-192-CFB } // ok
{ 1.2.392.200011.61.1.1.1.2, CAMELLIA-128-CBC, CAMELLIA128 } // ok
{ 1.2.392.200011.61.1.1.1.4, CAMELLIA-256-CBC, CAMELLIA256 } // ok
ARIA-192-GCM : !!! ———- AEAD ciphers not supported
{ 2.16.840.1.101.3.4.1.42, AES-256-CBC, AES256 } // ok
{ 2.16.840.1.101.3.4.1.28, AES-192-WRAP-PAD, AES192-WRAP-PAD, id-aes192-wrap-pad } // ok
ARIA-256-GCM : !!! ———- AEAD ciphers not supported
AES-256-XTS : !!! ———- XTS ciphers not supported
{ 2.16.840.1.101.3.4.1.8, AES-128-WRAP-PAD, AES128-WRAP-PAD, id-aes128-wrap-pad } // ok
{ 1.2.840.113549.1.9.16.3.6, DES3-WRAP, id-smime-alg-CMS3DESwrap } // err
{ 2.16.840.1.101.3.4.1.48, AES-256-WRAP-PAD, AES256-WRAP-PAD, id-aes256-wrap-pad } // ok
{ 1.2.156.10197.1.104.3, SM4-OFB, SM4-OFB128 } // ok
{ 2.16.840.1.101.3.4.1.25, AES-192-WRAP, AES192-WRAP, id-aes192-wrap } // ok
{ 2.16.840.1.101.3.4.1.41, AES-256-ECB } // ok
{ 0.3.4401.5.3.1.9.49, CAMELLIA-256-CTR } // ok
{ 1.2.410.200046.1.1.2, ARIA-128-CBC, ARIA128 } // ok
AES-128-GCM : !!! ———- AEAD ciphers not supported
{ 0.3.4401.5.3.1.9.41, CAMELLIA-256-ECB } // ok
{ 2.16.840.1.101.3.4.1.44, AES-256-CFB } // ok
{ 1.2.156.10197.1.104.4, SM4-CFB, SM4-CFB128 } // ok
{ 0.3.4401.5.3.1.9.4, CAMELLIA-128-CFB } // ok
ARIA-256-CCM : !!! ———- AEAD ciphers not supported
{ 1.2.410.200046.1.1.14, ARIA-256-OFB } // ok
AES-256-GCM : !!! ———- AEAD ciphers not supported
{ 0.3.4401.5.3.1.9.9, CAMELLIA-128-CTR } // ok
{ 2.16.840.1.101.3.4.1.23, AES-192-OFB } // ok
{ 1.2.156.10197.1.104.1, SM4-ECB } // ok
AES-128-CCM : !!! ———- AEAD ciphers not supported
AES-256-CCM : !!! ———- AEAD ciphers not supported
{ 1.2.410.200046.1.1.7, ARIA-192-CBC, ARIA192 } // ok
{ 2.16.840.1.101.3.4.1.45, AES-256-WRAP, AES256-WRAP, id-aes256-wrap } // ok
{ 1.2.410.200046.1.1.15, ARIA-256-CTR } // ok
{ 1.2.410.200046.1.1.3, ARIA-128-CFB } // ok
ARIA-128-GCM : !!! ———- AEAD ciphers not supported
{ 1.2.410.200046.1.1.6, ARIA-192-ECB } // ok
AES-192-GCM : !!! ———- AEAD ciphers not supported
{ 0.3.4401.5.3.1.9.29, CAMELLIA-192-CTR } // ok
{ 0.3.4401.5.3.1.9.43, CAMELLIA-256-OFB } // ok
{ 1.2.156.10197.1.104.2, SM4, SM4-CBC } // ok
ARIA-128-CCM : !!! ———- AEAD ciphers not supported
AES-192-CCM : !!! ———- AEAD ciphers not supported
{ 1.3.14.3.2.17, DES-EDE, DES-EDE-ECB } // ok
{ 1.2.410.200046.1.1.11, ARIA-256-ECB } // ok
AES-128-XTS : !!! ———- XTS ciphers not supported
{ 2.16.840.1.101.3.4.1.5, AES-128-WRAP, AES128-WRAP, id-aes128-wrap } // ok
{ 2.16.840.1.101.3.4.1.3, AES-128-OFB } // ok
{ 0.3.4401.5.3.1.9.3, CAMELLIA-128-OFB } // ok
{ 0.3.4401.5.3.1.9.1, CAMELLIA-128-ECB } // ok
{ 1.2.840.113549.3.7, DES-EDE3-CBC, DES3 } // ok
{ 0.3.4401.5.3.1.9.44, CAMELLIA-256-CFB } // ok
{ 1.2.410.200046.1.1.10, ARIA-192-CTR } // ok
{ 0.3.4401.5.3.1.9.23, CAMELLIA-192-OFB } // ok
{ 0.3.4401.5.3.1.9.24, CAMELLIA-192-CFB } // ok
{ 1.2.410.200046.1.1.9, ARIA-192-OFB } // ok
{ 1.2.410.200046.1.1.13, ARIA-256-CFB } // 好使
{ 2.16.840.1.101.3.4.1.1, AES-128-ECB } // 好使
{ 1.2.410.200046.1.1.8, ARIA-192-CFB } // 好使
{ 1.2.156.10197.1.104.7, SM4-CTR } // 好使
{ 2.16.840.1.101.3.4.1.43, AES-256-OFB } // 好使
{ 1.2.410.200046.1.1.4, ARIA-128-OFB } // 好使
{ 1.2.392.200011.61.1.1.1.3, CAMELLIA-192-CBC, CAMELLIA192 } // 好使
{ 0.3.4401.5.3.1.9.21, CAMELLIA-192-ECB } // 好使
{ 1.2.410.200046.1.1.5, ARIA-128-CTR } // 好使
{ 2.16.840.1.101.3.4.1.21, AES-192-ECB } // 好使
NULL : !!! ———- cipher has no object identifier
AES-128-CBC-CTS : !!! ———- cipher has no object identifier
AES-192-CBC-CTS : !!! ———- cipher has no object identifier
AES-256-CBC-CTS : !!! ———- cipher has no object identifier
AES-256-CFB1 // 好使
AES-192-CFB1 // 好使
AES-128-CFB1 // 好使
AES-256-CFB8 // 好使
AES-192-CFB8 // 好使
AES-128-CFB8 // 可以
AES-256-CTR : !!! ———- cipher has no object identifier
AES-192-CTR : !!! ———- cipher has no object identifier
AES-128-CTR : !!! ———- cipher has no object identifier
AES-256-OCB : !!! ———- cipher has no object identifier
AES-192-OCB : !!! ———- cipher has no object identifier
AES-128-OCB : !!! ———- cipher has no object identifier
AES-128-SIV : !!! ———- cipher has no object identifier
AES-192-SIV : !!! ———- cipher has no object identifier
AES-256-SIV : !!! ———- cipher has no object identifier
AES-128-GCM-SIV : !!! ———- cipher has no object identifier
AES-192-GCM-SIV : !!! ———- cipher has no object identifier
AES-256-GCM-SIV : !!! ———- cipher has no object identifier
AES-256-WRAP-INV : !!! ———- cipher has no object identifier
AES-192-WRAP-INV : !!! ———- cipher has no object identifier
AES-128-WRAP-INV : !!! ———- cipher has no object identifier
AES-256-WRAP-PAD-INV : !!! ———- cipher has no object identifier
AES-192-WRAP-PAD-INV : !!! ———- cipher has no object identifier
AES-128-WRAP-PAD-INV : !!! ———- cipher has no object identifier
AES-128-CBC-HMAC-SHA1 : !!! ———- cipher has no object identifier
AES-256-CBC-HMAC-SHA1 : !!! ———- cipher has no object identifier
AES-128-CBC-HMAC-SHA256 : !!! ———- cipher has no object identifier
AES-256-CBC-HMAC-SHA256 : !!! ———- cipher has no object identifier
ARIA-256-CFB1 : !!! ———- cipher has no object identifier
ARIA-192-CFB1 : !!! ———- cipher has no object identifier
ARIA-128-CFB1 : !!! ———- cipher has no object identifier
ARIA-256-CFB8 : !!! ———- cipher has no object identifier
ARIA-192-CFB8 : !!! ———- cipher has no object identifier
ARIA-128-CFB8 : !!! ———- cipher has no object identifier
CAMELLIA-128-CBC-CTS : !!! ———- cipher has no object identifier
CAMELLIA-192-CBC-CTS : !!! ———- cipher has no object identifier
CAMELLIA-256-CBC-CTS : !!! ———- cipher has no object identifier
CAMELLIA-256-CFB1 : !!! ———- cipher has no object identifier
CAMELLIA-192-CFB1 : !!! ———- cipher has no object identifier
CAMELLIA-128-CFB1 : !!! ———- cipher has no object identifier
CAMELLIA-256-CFB8 : !!! ———- cipher has no object identifier
CAMELLIA-192-CFB8 : !!! ———- cipher has no object identifier
CAMELLIA-128-CFB8 : !!! ———- cipher has no object identifier
DES-EDE3-ECB : !!! ———- cipher has no object identifier
DES-EDE3-OFB : !!! ———- cipher has no object identifier
DES-EDE3-CFB // 不行
DES-EDE3-CFB8 // 不行
DES-EDE3-CFB1 // 不行
DES-EDE-CBC : !!! ———- cipher has no object identifier
DES-EDE-OFB : !!! ———- cipher has no object identifier
DES-EDE-CFB : !!! ———- cipher has no object identifier
SM4-GCM : !!! ———- cipher has no object identifier
SM4-CCM : !!! ———- cipher has no object identifier
SM4-XTS : !!! ———- cipher has no object identifier
ChaCha20 : !!! ———- cipher has no object identifier
ChaCha20-Poly1305 : !!! ———- cipher has no object identifier
free map, g_mem_hook_map.size() = 0

笔记

测试工程实现

/*!* \file main.cpp*/#include "my_openSSL_lib.h"#include #include #include #include #include #include #include #include #include "CMemHookRec.h"BIO* bio_out = NULL;BIO* bio_err = NULL;static const char* select_name = NULL;void my_openssl_app();void list_ciphers(const char* prefix);int cipher_cmp(const EVP_CIPHER* const* a, const EVP_CIPHER* const* b);void collect_ciphers(EVP_CIPHER* cipher, void* stack);int main(int argc, char** argv){setvbuf(stdout, NULL, _IONBF, 0); // 清掉stdout缓存, 防止调用printf时阻塞mem_hook();my_openssl_app();mem_unhook();return 0;}void my_openssl_app(){bio_out = BIO_new_fp(stdout, 0);bio_err = BIO_new_fp(stdout, 0);if ((NULL != bio_out) && (NULL != bio_err)){list_ciphers(" ");}if (NULL != bio_out){BIO_free(bio_out);bio_out = NULL;}if (NULL != bio_err){BIO_free(bio_err);bio_err = NULL;}}void legacy_cipher_fn(const EVP_CIPHER* c,const char* from, const char* to, void* arg){int mode = 0;unsigned long int flags = 0;int alg_nid = 0;if (select_name != NULL&& (c == NULL|| OPENSSL_strcasecmp(select_name, EVP_CIPHER_get0_name(c)) != 0)){return;}if (c != NULL) {mode = EVP_CIPHER_get_mode(c);flags = EVP_CIPHER_get_flags(c);alg_nid = EVP_CIPHER_get_type(c);if (alg_nid == NID_undef) {BIO_printf(bio_out, "%s : !!! ---------- cipher has no object identifier\n", EVP_CIPHER_get0_name(c));}else if (mode == EVP_CIPH_XTS_MODE) {BIO_printf((BIO*)arg, "%s : !!! ---------- XTS ciphers not supported\n", EVP_CIPHER_get0_name(c));}else if ((flags & EVP_CIPH_FLAG_AEAD_CIPHER) != 0) {BIO_printf((BIO*)arg, "%s : !!! ---------- AEAD ciphers not supported\n", EVP_CIPHER_get0_name(c));}else {BIO_printf((BIO*)arg, "%s \n", EVP_CIPHER_get0_name(c));}}}int name_cmp(const char* const* a, const char* const* b){return OPENSSL_strcasecmp(*a, *b);}void collect_names(const char* name, void* vdata){STACK_OF(OPENSSL_CSTRING)* names = (STACK_OF(OPENSSL_CSTRING)*)vdata;sk_OPENSSL_CSTRING_push(names, name);}void print_names(BIO* out, STACK_OF(OPENSSL_CSTRING)* names){int i = sk_OPENSSL_CSTRING_num(names);int j;sk_OPENSSL_CSTRING_sort(names);if (i > 1)BIO_printf(out, "{ ");for (j = 0; j < i; j++) {const char* name = sk_OPENSSL_CSTRING_value(names, j);if (j > 0)BIO_printf(out, ", ");BIO_printf(out, "%s", name);}if (i > 1)BIO_printf(out, " }");}DEFINE_STACK_OF(EVP_CIPHER)void list_ciphers(const char* prefix){STACK_OF(EVP_CIPHER)* ciphers = sk_EVP_CIPHER_new(cipher_cmp);int i;int mode = 0;int flags = 0;int alg_nid = 0;if (ciphers == NULL) {BIO_printf(bio_err, "ERROR: Memory allocation\n");return;}if (true) {BIO_printf(bio_out, "%sLegacy:\n", prefix);EVP_CIPHER_do_all_sorted(legacy_cipher_fn, bio_out);}BIO_printf(bio_out, "%sProvided:\n", prefix);EVP_CIPHER_do_all_provided(NULL, collect_ciphers, ciphers);sk_EVP_CIPHER_sort(ciphers);for (i = 0; i < sk_EVP_CIPHER_num(ciphers); i++) {const EVP_CIPHER* c = sk_EVP_CIPHER_value(ciphers, i);mode = EVP_CIPHER_get_mode(c);flags = EVP_CIPHER_get_flags(c);alg_nid = EVP_CIPHER_get_type(c);if (alg_nid == NID_undef) {BIO_printf(bio_out, "%s : !!! ---------- cipher has no object identifier\n", EVP_CIPHER_get0_name(c));continue;}else if (mode == EVP_CIPH_XTS_MODE) {BIO_printf(bio_out, "%s : !!! ---------- XTS ciphers not supported\n", EVP_CIPHER_get0_name(c));continue;}else if ((flags & EVP_CIPH_FLAG_AEAD_CIPHER) != 0) {BIO_printf(bio_out, "%s : !!! ---------- AEAD ciphers not supported\n", EVP_CIPHER_get0_name(c));continue;}STACK_OF(OPENSSL_CSTRING)* names = NULL;if (select_name != NULL && !EVP_CIPHER_is_a(c, select_name))continue;names = sk_OPENSSL_CSTRING_new(name_cmp);if (names != NULL && EVP_CIPHER_names_do_all(c, collect_names, names)) {BIO_printf(bio_out, "");print_names(bio_out, names);BIO_printf(bio_out, "\r\n"); /* BIO_printf(bio_out, " @ %s\n",OSSL_PROVIDER_get0_name(EVP_CIPHER_get0_provider(c)));if (verbose) {const char* desc = EVP_CIPHER_get0_description(c);if (desc != NULL)BIO_printf(bio_out, "description: %s\n", desc);print_param_types("retrievable algorithm parameters",EVP_CIPHER_gettable_params(c), 4);print_param_types("retrievable operation parameters",EVP_CIPHER_gettable_ctx_params(c), 4);print_param_types("settable operation parameters",EVP_CIPHER_settable_ctx_params(c), 4);}*/}sk_OPENSSL_CSTRING_free(names);}sk_EVP_CIPHER_pop_free(ciphers, EVP_CIPHER_free);}int cipher_cmp(const EVP_CIPHER* const* a, const EVP_CIPHER* const* b){return strcmp(OSSL_PROVIDER_get0_name(EVP_CIPHER_get0_provider(*a)),OSSL_PROVIDER_get0_name(EVP_CIPHER_get0_provider(*b)));}void collect_ciphers(EVP_CIPHER* cipher, void* stack){STACK_OF(EVP_CIPHER)* cipher_stack = (STACK_OF(EVP_CIPHER)*)stack;if (sk_EVP_CIPHER_push(cipher_stack, cipher) > 0)EVP_CIPHER_up_ref(cipher);}

备注

我们自己写的工程, 只能调用openssl对外提供的接口, 没办法用openssl内部接口(包括内部函数, 内部头文件, 内部结构定义)
像这个列出openssl全部加密算法的实现, 用的是openssl接口上的回调函数入参. 传入我们自己的回调函数指针, 在回调函数中判断算法功能是否在命令行参数中可用于口令加密.

现在知道了支持口令加密的加密算法名称, 试几个不常见的口令加密算法, 看看是否好使?

openssl pkey -in app_key.pem -passin pass:my_pwd_for_app_key -out app_key.der -outform DER
app_key.pem是带口令保护的, 执行上面的命令, 转为一个不带口令的.der
现在用这个不带口令的.der, 转成带口令的.der, 加密算法用上面测试工程找到的有效算法名称, 试试好使不?

openssl pkey -in app_key.der -out app_key_pwd1.pem -outform DER -passout pass:111111 -ChaCha20
Error: Cipher options are supported only for PEM output

看到口令加密算法只支持.PEM格式…
那算了, 就实验.der/.pem转成.pem的场景.

openssl pkey -in app_key.der -out app_key_no_pwd.pem -outform PEM
先将上面实验的.der转成不带口令保护的.pem

openssl pkey -in app_key_no_pwd.pem -out app_key_pwd1.pem -outform PEM -passout pass:111111 -ChaCha20
cipher has no object identifier
说明还有限制条件, 选用的算法必须有obj_id, 那将这个条件也加入算法选择逻辑里面.

程序修改完了, 上面的工程副本已经更新. 现在能看到, 算法ChaCha20在列表中已经标记为了不支持.
再试试其他支持的不常见加密算法.
openssl pkey -in app_key_no_pwd.pem -out app_key_pwd1.pem -outform PEM -passout pass:111111 -DES-EDE3-CFB1
BC570600:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto\evp\evp_fetch.c:342:Global default library context, Algorithm (DES-CFB : 6), Properties ()
可以看到, 也不是每种算法都支持.
跟了一下openssl源码, 都是宏写的, 调用的都是内部函数, 不好弄清为啥不行.
那就试试找到的其他算法, 看行不行.

下面列出的都是好使的算法, 没有都列出, 在上面的算法列表中写上了是否好使.
openssl pkey -in app_key_no_pwd.pem -out app_key_pwd1.pem -outform PEM -passout pass:111111 -AES-128-CFB8
过滤掉的算法中, 不好通过程序来判断了, 只能一个一个实验.

整理 – 总共有126种加密算法可用于命令行参数的密码加密算法

// 总共有126种加密算法可用于命令行参数的密码加密算法
Legacy:
AES-128-CBC // ok
AES-128-CFB // ok
AES-128-CFB1 // ok
AES-128-CFB8 // ok
AES-128-ECB // ok
AES-128-OFB // ok
AES-192-CBC // ok
AES-192-CFB // ok
AES-192-CFB1 // ok
AES-192-CFB8 // ok
AES-192-ECB // ok
AES-192-OFB // ok
AES-256-CBC // ok
AES-256-CFB // ok
AES-256-CFB1 // ok
AES-256-CFB8 // ok
AES-256-ECB // ok
AES-256-OFB // ok
ARIA-128-CBC // ok
ARIA-128-CFB // ok
ARIA-128-CTR // ok
ARIA-128-ECB // ok
ARIA-128-OFB // ok
ARIA-192-CBC // ok
ARIA-192-CFB // ok
ARIA-192-CTR // ok
ARIA-192-ECB // ok
ARIA-192-OFB // ok
ARIA-256-CBC // ok
ARIA-256-CFB // ok
ARIA-256-CTR // ok
ARIA-256-ECB // ok
ARIA-256-OFB // ok
CAMELLIA-128-CBC // ok
CAMELLIA-128-CFB // ok
CAMELLIA-128-CTR // ok
CAMELLIA-128-ECB // ok
CAMELLIA-128-OFB // ok
CAMELLIA-192-CBC // ok
CAMELLIA-192-CFB // ok
CAMELLIA-192-CTR // ok
CAMELLIA-192-ECB // ok
CAMELLIA-192-OFB // ok
CAMELLIA-256-CBC // ok
CAMELLIA-256-CFB // ok
CAMELLIA-256-CTR // ok
CAMELLIA-256-ECB // ok
CAMELLIA-256-OFB // ok
DES-EDE // ok
DES-EDE3-CBC // ok
DES-EDE3-CFB // err
DES-EDE3-CFB1 // err
DES-EDE3-CFB8 // err
id-aes128-wrap // ok
id-aes128-wrap-pad // ok
id-aes192-wrap // ok
id-aes192-wrap-pad // ok
id-aes256-wrap // ok
id-aes256-wrap-pad // ok
SM4-CBC // ok
SM4-CFB // ok
SM4-CTR // ok
SM4-ECB // ok
SM4-OFB // ok
Provided:
{ 1.2.410.200046.1.1.12, ARIA-256-CBC, ARIA256 } // ok
{ 2.16.840.1.101.3.4.1.22, AES-192-CBC, AES192 } // ok
{ 2.16.840.1.101.3.4.1.4, AES-128-CFB } // ok
{ 1.2.410.200046.1.1.1, ARIA-128-ECB } // ok
{ 2.16.840.1.101.3.4.1.2, AES-128-CBC, AES128 } // ok
{ 2.16.840.1.101.3.4.1.24, AES-192-CFB } // ok
{ 1.2.392.200011.61.1.1.1.2, CAMELLIA-128-CBC, CAMELLIA128 } // ok
{ 1.2.392.200011.61.1.1.1.4, CAMELLIA-256-CBC, CAMELLIA256 } // ok
{ 2.16.840.1.101.3.4.1.42, AES-256-CBC, AES256 } // ok
{ 2.16.840.1.101.3.4.1.28, AES-192-WRAP-PAD, AES192-WRAP-PAD, id-aes192-wrap-pad } // ok
{ 2.16.840.1.101.3.4.1.8, AES-128-WRAP-PAD, AES128-WRAP-PAD, id-aes128-wrap-pad } // ok
{ 1.2.840.113549.1.9.16.3.6, DES3-WRAP, id-smime-alg-CMS3DESwrap } // err
{ 2.16.840.1.101.3.4.1.48, AES-256-WRAP-PAD, AES256-WRAP-PAD, id-aes256-wrap-pad } // ok
{ 1.2.156.10197.1.104.3, SM4-OFB, SM4-OFB128 } // ok
{ 2.16.840.1.101.3.4.1.25, AES-192-WRAP, AES192-WRAP, id-aes192-wrap } // ok
{ 2.16.840.1.101.3.4.1.41, AES-256-ECB } // ok
{ 0.3.4401.5.3.1.9.49, CAMELLIA-256-CTR } // ok
{ 1.2.410.200046.1.1.2, ARIA-128-CBC, ARIA128 } // ok
{ 0.3.4401.5.3.1.9.41, CAMELLIA-256-ECB } // ok
{ 2.16.840.1.101.3.4.1.44, AES-256-CFB } // ok
{ 1.2.156.10197.1.104.4, SM4-CFB, SM4-CFB128 } // ok
{ 0.3.4401.5.3.1.9.4, CAMELLIA-128-CFB } // ok
{ 1.2.410.200046.1.1.14, ARIA-256-OFB } // ok
{ 0.3.4401.5.3.1.9.9, CAMELLIA-128-CTR } // ok
{ 2.16.840.1.101.3.4.1.23, AES-192-OFB } // ok
{ 1.2.156.10197.1.104.1, SM4-ECB } // ok
{ 1.2.410.200046.1.1.7, ARIA-192-CBC, ARIA192 } // ok
{ 2.16.840.1.101.3.4.1.45, AES-256-WRAP, AES256-WRAP, id-aes256-wrap } // ok
{ 1.2.410.200046.1.1.15, ARIA-256-CTR } // ok
{ 1.2.410.200046.1.1.3, ARIA-128-CFB } // ok
{ 1.2.410.200046.1.1.6, ARIA-192-ECB } // ok
{ 0.3.4401.5.3.1.9.29, CAMELLIA-192-CTR } // ok
{ 0.3.4401.5.3.1.9.43, CAMELLIA-256-OFB } // ok
{ 1.2.156.10197.1.104.2, SM4, SM4-CBC } // ok
{ 1.3.14.3.2.17, DES-EDE, DES-EDE-ECB } // ok
{ 1.2.410.200046.1.1.11, ARIA-256-ECB } // ok
{ 2.16.840.1.101.3.4.1.5, AES-128-WRAP, AES128-WRAP, id-aes128-wrap } // ok
{ 2.16.840.1.101.3.4.1.3, AES-128-OFB } // ok
{ 0.3.4401.5.3.1.9.3, CAMELLIA-128-OFB } // ok
{ 0.3.4401.5.3.1.9.1, CAMELLIA-128-ECB } // ok
{ 1.2.840.113549.3.7, DES-EDE3-CBC, DES3 } // ok
{ 0.3.4401.5.3.1.9.44, CAMELLIA-256-CFB } // ok
{ 1.2.410.200046.1.1.10, ARIA-192-CTR } // ok
{ 0.3.4401.5.3.1.9.23, CAMELLIA-192-OFB } // ok
{ 0.3.4401.5.3.1.9.24, CAMELLIA-192-CFB } // ok
{ 1.2.410.200046.1.1.9, ARIA-192-OFB } // ok
{ 1.2.410.200046.1.1.13, ARIA-256-CFB } // 好使
{ 2.16.840.1.101.3.4.1.1, AES-128-ECB } // 好使
{ 1.2.410.200046.1.1.8, ARIA-192-CFB } // 好使
{ 1.2.156.10197.1.104.7, SM4-CTR } // 好使
{ 2.16.840.1.101.3.4.1.43, AES-256-OFB } // 好使
{ 1.2.410.200046.1.1.4, ARIA-128-OFB } // 好使
{ 1.2.392.200011.61.1.1.1.3, CAMELLIA-192-CBC, CAMELLIA192 } // 好使
{ 0.3.4401.5.3.1.9.21, CAMELLIA-192-ECB } // 好使
{ 1.2.410.200046.1.1.5, ARIA-128-CTR } // 好使
{ 2.16.840.1.101.3.4.1.21, AES-192-ECB } // 好使
AES-256-CFB1 // 好使
AES-192-CFB1 // 好使
AES-128-CFB1 // 好使
AES-256-CFB8 // 好使
AES-192-CFB8 // 好使
AES-128-CFB8 // 可以

备注

如果想要转换后的.der/.pem受口令密码和加密算法保护, 必须是.pem格式.
如果怕逆向的用户看到程序中的.pem内容的数组, 可以将.pem放到参数文件中.
文件的组织可以用多个buffer合成一个buffer的方法(C++ – 多个buffer合并成一个buffer的管理类).
对一个大buffer加密(非对称/对称), 只有正版用户才能载入, 间接保护了程序被逆向.

END