Mapping RFC names to OpenSSL


Problem description

I want to get a cipher using EVP_get_cipherbyname, I have the following

  • RFC name: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

which should map to this

  • OpenSSL name: DHE-RSA-AES128-GCM-SHA256.

But when passing this string to the function, it can't find the cipher.

Using openssl -V I can see this is a supported cipher, and that it has a value 0x9e, which is 158 in base 10. I have assumed that this would be the NID, and tried calling EVP_get_cipherbynid with 158, but alas that doesn't work either, although I don't think this is the NID anymore.

How do I get a mapping of the RFC names to names that OpenSSL will accept?

Recommended answer

I believe the issue is that you're confusing cipher suites and ciphers.

EVP_get_cipherbyname() does not take the name of a cipher suite; it takes the name of a cipher. The man page and general documentation for the OpenSSL API are pretty terrible. But searching for "EVP_get_cipherbyname" in this PDF yields 6 results. The very last reference is in a section talking about PEM encoded certificates. Now I know this isn't what you're doing, but it contains the following quote:

The line beginning DEK-Info contains two comma separated pieces of information: the encryption algorithm name as used by EVP_get_cipherbyname() and an 8 byte salt encoded as a set of hexadecimal digits.

The line they're referring to is: DEK-Info: DES-EDE3-CBC,3F17F5316E2BAC8

Which means that EVP_get_cipherbyname() really takes DES_3DE3-CBC as input, not a cipher suite. For your case I believe you're looking for AES-128-GCM to get the correct cipher.

NID simply stands for Numerical ID. This is a generic term for identifying a set list. Cipher suites do not have NIDs, only the RFC-assigned codes (thanks @dave_thompson_085). Which is why when you attempted to use the NID it still couldn't find the cipher.
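The suite-versus-cipher distinction can be seen by asking the library itself. This is an added example, not part of the original answer: it uses Python's ssl module (which wraps OpenSSL) to look up the suite by its RFC-assigned code and show the suite's OpenSSL name next to its symmetric cipher. The RFC_CODES table and the function names are constructed for illustration, and the library is assumed to offer the DHE suite.

```python
import ssl

# Constructed lookup for the one suite discussed above; the code is the
# value 0x9e that the question reports.
RFC_CODES = {"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256": 0x009E}


def suite_table(cipher_string="ALL"):
    """Map RFC two-byte suite code -> (OpenSSL suite name, symmetric cipher)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    table = {}
    for suite in ctx.get_ciphers():
        # OpenSSL stores the id as 0x0300XXXX; the low 16 bits are the
        # code assigned in the RFC / IANA registry, not a NID.
        code = suite["id"] & 0xFFFF
        table[code] = (suite["name"], suite["symmetric"])
    return table


def describe_suite(rfc_name):
    """Return (suite name, cipher name) for an RFC name, or None if absent."""
    code = RFC_CODES.get(rfc_name)
    if code is None:
        return None
    return suite_table().get(code)


if __name__ == "__main__":
    print(describe_suite("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"))
```

The first element is a cipher suite name, which only the TLS layer understands; the second is the name of the symmetric cipher inside that suite.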
