将 RFC 名称映射到 OpenSSL [英] Mapping RFC names to OpenSSL
问题描述
我想使用 EVP_get_cipherbyname
获取密码,我有以下内容
I want to get a cipher using EVP_get_cipherbyname
, I have the following
- RFC 名称:
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
哪个应该映射到这个
- OpenSSL 名称:
DHE-RSA-AES128-GCM-SHA256
.
但是当将此字符串传递给函数时,它找不到密码.
But when passing this string to the function, it can't find the cipher.
使用 openssl -V
我可以看到这是一个受支持的密码,并且它的值 0x9e
是 158
在 base 10,我假设这将是 NID,并尝试使用 158
调用 EVP_get_cipherbynid
,但是虽然我认为这不再是 NID,但它也不起作用.
Using openssl -V
I can see this is a supported cipher, and that it has a value 0x9e
which is 158
in base 10, I have assumed that this would be the NID, and tried calling EVP_get_cipherbynid
with 158
, but alas doesn't work either although I don't think this is the NID anymore.
如何将 RFC 名称映射到 OpenSSL 将接受的名称?
How do I get a mapping of the RFC names to names that OpenSSL will accept?
推荐答案
我认为问题在于您混淆了密码套件和密码.
I believe the issue is that you're confusing cipher suites and ciphers.
EVP_get_cipherbyname()
不采用密码套件的名称,而是采用密码的名称.OpenSSL API 的 man
页面和一般文档非常糟糕.但是在 此 PDF 中搜索EVP_get_cipherbyname"会产生 6 个结果.最后一个参考是在讨论 PEM 编码证书的部分.现在我知道这不是你在做什么,但它包含以下引用:
EVP_get_cipherbyname()
does not take the name of a cipher suite it takes the name of a cipher. The man
page and general documentation for the OpenSSL API is pretty terrible. But searching for "EVP_get_cipherbyname" in this PDF yields 6 results. The very last reference is in a section talking about PEM encoded certificates. Now I know this isn't what you're doing, but it contains the following quote:
以 DEK-Info 开头的行包含两个逗号分隔的信息:使用的 加密算法名称通过 EVP_get_cipherbyname() 和编码为一组的 8 字节盐十六进制数字.
The line beginning DEK-Info contains two comma separated pieces of information: the encryption algorithm name as used by EVP_get_cipherbyname() and an 8 byte salt encoded as a set of hexadecimal digits.
他们所指的行是:DEK-Info: DES-EDE3-CBC,3F17F5316E2BAC8
这意味着 EVP_get_cipherbyname() 确实将 DES_3DE3-CBC
作为输入,而不是密码套件.对于您的情况,我相信您正在寻找 AES-128-GCM
以获得正确的密码.
Which means that EVP_get_cipherbyname() really takes DES_3DE3-CBC
as input, not a cipher suite. For your case I believe you're looking for AES-128-GCM
to get the correct cipher.
NID 仅代表数字 ID.这是用于标识集合列表的通用术语.密码套件没有 NID,只有 RFC 分配的代码(感谢 @dave_thompson_085).这就是为什么当您尝试使用 NID 时它仍然找不到密码.
NID simply stands for Numerical ID. This is a generic term for identifying a set list. Cipher suites do not have NIDs only the RFC assigned codes (thanks @dave_thompson_085). Which is why when you attempted to use the NID it still couldn't find the cipher.
这篇关于将 RFC 名称映射到 OpenSSL的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!