当前位置：首页 > news >正文

openssl3.2 - exp - 可以在命令行使用的口令算法名称列表

news 2025/9/12 14:53:10

文章目录

- openssl3.2 - exp - 可以在命令行使用的口令算法名称列表
- 概述
- 笔记
- 测试工程实现
- 备注
- 整理 - 总共有126种加密算法可用于命令行参数的密码加密算法
- 备注
- END

openssl3.2 - exp - 可以在命令行使用的口令算法名称列表

概述

上一个笔记openssl3.2 - exp - PEM ＜==＞ DER, 还有个疑问.

openssl pkey -in app_key3.pem -out app_key5_pwd.pem -outform PEM -passout pass:111111 -算法名称

如果PEM/DER互转时, 要想转换后的文件带口令保护就需要指定用哪种算法来执行口令加密算法.
并不是随便哪一种可见的算法名称就能用的.
算法有限制

算法不能有 EVP_CIPH_FLAG_AEAD_CIPHER 标记
模式不能是 EVP_CIPH_XTS_MODE

如果想确定哪些是不支持的口令加密算法, 必须要自己写个程序, 将不支持的算法过滤掉.
参照openssl源码, 写了一个测试程序, 可以将全部算法都列出来, 不支持的算法加上标记.
运行效果如下, 只要算法后边有标记 " !!! ---------- ", 都是不支持的命令行口令加密算法.

Legacy:
AES-128-CBC // ok
AES-128-CBC-HMAC-SHA1 : !!! ---------- cipher has no object identifier
AES-128-CBC-HMAC-SHA256 : !!! ---------- cipher has no object identifier
id-aes128-CCM : !!! ---------- AEAD ciphers not supported
AES-128-CFB // ok
AES-128-CFB1 // ok
AES-128-CFB8 // ok
AES-128-CTR : !!! ---------- cipher has no object identifier
AES-128-ECB // ok
id-aes128-GCM : !!! ---------- AEAD ciphers not supported
AES-128-OCB : !!! ---------- cipher has no object identifier
AES-128-OFB // ok
AES-128-XTS : !!! ---------- XTS ciphers not supported
AES-192-CBC
id-aes192-CCM : !!! ---------- AEAD ciphers not supported
AES-192-CFB // ok
AES-192-CFB1 // ok
AES-192-CFB8 // ok
AES-192-CTR : !!! ---------- cipher has no object identifier
AES-192-ECB // ok
id-aes192-GCM : !!! ---------- AEAD ciphers not supported
AES-192-OCB : !!! ---------- cipher has no object identifier
AES-192-OFB // ok
AES-256-CBC // ok
AES-256-CBC-HMAC-SHA1 : !!! ---------- cipher has no object identifier
AES-256-CBC-HMAC-SHA256 : !!! ---------- cipher has no object identifier
id-aes256-CCM : !!! ---------- AEAD ciphers not supported
AES-256-CFB // ok
AES-256-CFB1 // ok
AES-256-CFB8 // ok
AES-256-CTR : !!! ---------- cipher has no object identifier
AES-256-ECB // ok
id-aes256-GCM : !!! ---------- AEAD ciphers not supported
AES-256-OCB : !!! ---------- cipher has no object identifier
AES-256-OFB // ok
AES-256-XTS : !!! ---------- XTS ciphers not supported
ARIA-128-CBC // ok
ARIA-128-CCM : !!! ---------- AEAD ciphers not supported
ARIA-128-CFB // ok
ARIA-128-CFB1 : !!! ---------- cipher has no object identifier
ARIA-128-CFB8 : !!! ---------- cipher has no object identifier
ARIA-128-CTR // ok
ARIA-128-ECB // ok
ARIA-128-GCM : !!! ---------- AEAD ciphers not supported
ARIA-128-OFB // ok
ARIA-192-CBC // ok
ARIA-192-CCM : !!! ---------- AEAD ciphers not supported
ARIA-192-CFB // ok
ARIA-192-CFB1 : !!! ---------- cipher has no object identifier
ARIA-192-CFB8 : !!! ---------- cipher has no object identifier
ARIA-192-CTR // ok
ARIA-192-ECB // ok
ARIA-192-GCM : !!! ---------- AEAD ciphers not supported
ARIA-192-OFB // ok
ARIA-256-CBC // ok
ARIA-256-CCM : !!! ---------- AEAD ciphers not supported
ARIA-256-CFB // ok
ARIA-256-CFB1 : !!! ---------- cipher has no object identifier
ARIA-256-CFB8 : !!! ---------- cipher has no object identifier
ARIA-256-CTR // ok
ARIA-256-ECB // ok
ARIA-256-GCM : !!! ---------- AEAD ciphers not supported
ARIA-256-OFB // ok
BF-CBC // err
BF-CFB : !!! ---------- cipher has no object identifier
BF-ECB : !!! ---------- cipher has no object identifier
BF-OFB : !!! ---------- cipher has no object identifier
CAMELLIA-128-CBC // ok
CAMELLIA-128-CFB // ok
CAMELLIA-128-CFB1 : !!! ---------- cipher has no object identifier
CAMELLIA-128-CFB8 : !!! ---------- cipher has no object identifier
CAMELLIA-128-CTR // ok
CAMELLIA-128-ECB // ok
CAMELLIA-128-OFB // ok
CAMELLIA-192-CBC // ok
CAMELLIA-192-CFB // ok
CAMELLIA-192-CFB1 : !!! ---------- cipher has no object identifier
CAMELLIA-192-CFB8 : !!! ---------- cipher has no object identifier
CAMELLIA-192-CTR // ok
CAMELLIA-192-ECB // ok
CAMELLIA-192-OFB // ok
CAMELLIA-256-CBC // ok
CAMELLIA-256-CFB // ok
CAMELLIA-256-CFB1 : !!! ---------- cipher has no object identifier
CAMELLIA-256-CFB8 : !!! ---------- cipher has no object identifier
CAMELLIA-256-CTR // ok
CAMELLIA-256-ECB // ok
CAMELLIA-256-OFB // ok
CAST5-CBC // err
CAST5-CFB : !!! ---------- cipher has no object identifier
CAST5-ECB : !!! ---------- cipher has no object identifier
CAST5-OFB : !!! ---------- cipher has no object identifier
ChaCha20 : !!! ---------- cipher has no object identifier
ChaCha20-Poly1305 : !!! ---------- cipher has no object identifier
DES-CBC // err
DES-CFB // err
DES-CFB1 // err
DES-CFB8 // err
DES-ECB // err
DES-EDE // ok
DES-EDE-CBC : !!! ---------- cipher has no object identifier
DES-EDE-CFB : !!! ---------- cipher has no object identifier
DES-EDE-OFB : !!! ---------- cipher has no object identifier
DES-EDE3 : !!! ---------- cipher has no object identifier
DES-EDE3-CBC // ok
DES-EDE3-CFB // err
DES-EDE3-CFB1 // err
DES-EDE3-CFB8 // err
DES-EDE3-OFB : !!! ---------- cipher has no object identifier
DES-OFB // err
DESX-CBC : !!! ---------- cipher has no object identifier
id-aes128-CCM : !!! ---------- AEAD ciphers not supported
id-aes128-GCM : !!! ---------- AEAD ciphers not supported
id-aes128-wrap // ok
id-aes128-wrap-pad // ok
id-aes192-CCM : !!! ---------- AEAD ciphers not supported
id-aes192-GCM : !!! ---------- AEAD ciphers not supported
id-aes192-wrap // ok
id-aes192-wrap-pad // ok
id-aes256-CCM : !!! ---------- AEAD ciphers not supported
id-aes256-GCM : !!! ---------- AEAD ciphers not supported
id-aes256-wrap // ok
id-aes256-wrap-pad // ok
id-smime-alg-CMS3DESwrap // err
IDEA-CBC // err
IDEA-CFB : !!! ---------- cipher has no object identifier
IDEA-ECB : !!! ---------- cipher has no object identifier
IDEA-OFB : !!! ---------- cipher has no object identifier
RC2-40-CBC // err
RC2-64-CBC // err
RC2-CBC
RC2-CFB : !!! ---------- cipher has no object identifier
RC2-ECB : !!! ---------- cipher has no object identifier
RC2-OFB : !!! ---------- cipher has no object identifier
RC4 // err
RC4-40 // err
RC4-HMAC-MD5 : !!! ---------- cipher has no object identifier
SEED-CBC // err
SEED-CFB // err
SEED-ECB // err
SEED-OFB // err
SM4-CBC // ok
SM4-CFB // ok
SM4-CTR // ok
SM4-ECB // ok
SM4-OFB // ok
Provided:
{ 1.2.410.200046.1.1.12, ARIA-256-CBC, ARIA256 } // ok
{ 2.16.840.1.101.3.4.1.22, AES-192-CBC, AES192 } // ok
{ 2.16.840.1.101.3.4.1.4, AES-128-CFB } // ok
ARIA-192-CCM : !!! ---------- AEAD ciphers not supported
{ 1.2.410.200046.1.1.1, ARIA-128-ECB } // ok
{ 2.16.840.1.101.3.4.1.2, AES-128-CBC, AES128 } // ok
{ 2.16.840.1.101.3.4.1.24, AES-192-CFB } // ok
{ 1.2.392.200011.61.1.1.1.2, CAMELLIA-128-CBC, CAMELLIA128 } // ok
{ 1.2.392.200011.61.1.1.1.4, CAMELLIA-256-CBC, CAMELLIA256 } // ok
ARIA-192-GCM : !!! ---------- AEAD ciphers not supported
{ 2.16.840.1.101.3.4.1.42, AES-256-CBC, AES256 } // ok
{ 2.16.840.1.101.3.4.1.28, AES-192-WRAP-PAD, AES192-WRAP-PAD, id-aes192-wrap-pad } // ok
ARIA-256-GCM : !!! ---------- AEAD ciphers not supported
AES-256-XTS : !!! ---------- XTS ciphers not supported
{ 2.16.840.1.101.3.4.1.8, AES-128-WRAP-PAD, AES128-WRAP-PAD, id-aes128-wrap-pad } // ok
{ 1.2.840.113549.1.9.16.3.6, DES3-WRAP, id-smime-alg-CMS3DESwrap } // err
{ 2.16.840.1.101.3.4.1.48, AES-256-WRAP-PAD, AES256-WRAP-PAD, id-aes256-wrap-pad } // ok
{ 1.2.156.10197.1.104.3, SM4-OFB, SM4-OFB128 } // ok
{ 2.16.840.1.101.3.4.1.25, AES-192-WRAP, AES192-WRAP, id-aes192-wrap } // ok
{ 2.16.840.1.101.3.4.1.41, AES-256-ECB } // ok
{ 0.3.4401.5.3.1.9.49, CAMELLIA-256-CTR } // ok
{ 1.2.410.200046.1.1.2, ARIA-128-CBC, ARIA128 } // ok
AES-128-GCM : !!! ---------- AEAD ciphers not supported
{ 0.3.4401.5.3.1.9.41, CAMELLIA-256-ECB } // ok
{ 2.16.840.1.101.3.4.1.44, AES-256-CFB } // ok
{ 1.2.156.10197.1.104.4, SM4-CFB, SM4-CFB128 } // ok
{ 0.3.4401.5.3.1.9.4, CAMELLIA-128-CFB } // ok
ARIA-256-CCM : !!! ---------- AEAD ciphers not supported
{ 1.2.410.200046.1.1.14, ARIA-256-OFB } // ok
AES-256-GCM : !!! ---------- AEAD ciphers not supported
{ 0.3.4401.5.3.1.9.9, CAMELLIA-128-CTR } // ok
{ 2.16.840.1.101.3.4.1.23, AES-192-OFB } // ok
{ 1.2.156.10197.1.104.1, SM4-ECB } // ok
AES-128-CCM : !!! ---------- AEAD ciphers not supported
AES-256-CCM : !!! ---------- AEAD ciphers not supported
{ 1.2.410.200046.1.1.7, ARIA-192-CBC, ARIA192 } // ok
{ 2.16.840.1.101.3.4.1.45, AES-256-WRAP, AES256-WRAP, id-aes256-wrap } // ok
{ 1.2.410.200046.1.1.15, ARIA-256-CTR } // ok
{ 1.2.410.200046.1.1.3, ARIA-128-CFB } // ok
ARIA-128-GCM : !!! ---------- AEAD ciphers not supported
{ 1.2.410.200046.1.1.6, ARIA-192-ECB } // ok
AES-192-GCM : !!! ---------- AEAD ciphers not supported
{ 0.3.4401.5.3.1.9.29, CAMELLIA-192-CTR } // ok
{ 0.3.4401.5.3.1.9.43, CAMELLIA-256-OFB } // ok
{ 1.2.156.10197.1.104.2, SM4, SM4-CBC } // ok
ARIA-128-CCM : !!! ---------- AEAD ciphers not supported
AES-192-CCM : !!! ---------- AEAD ciphers not supported
{ 1.3.14.3.2.17, DES-EDE, DES-EDE-ECB } // ok
{ 1.2.410.200046.1.1.11, ARIA-256-ECB } // ok
AES-128-XTS : !!! ---------- XTS ciphers not supported
{ 2.16.840.1.101.3.4.1.5, AES-128-WRAP, AES128-WRAP, id-aes128-wrap } // ok
{ 2.16.840.1.101.3.4.1.3, AES-128-OFB } // ok
{ 0.3.4401.5.3.1.9.3, CAMELLIA-128-OFB } // ok
{ 0.3.4401.5.3.1.9.1, CAMELLIA-128-ECB } // ok
{ 1.2.840.113549.3.7, DES-EDE3-CBC, DES3 } // ok
{ 0.3.4401.5.3.1.9.44, CAMELLIA-256-CFB } // ok
{ 1.2.410.200046.1.1.10, ARIA-192-CTR } // ok
{ 0.3.4401.5.3.1.9.23, CAMELLIA-192-OFB } // ok
{ 0.3.4401.5.3.1.9.24, CAMELLIA-192-CFB } // ok
{ 1.2.410.200046.1.1.9, ARIA-192-OFB } // ok
{ 1.2.410.200046.1.1.13, ARIA-256-CFB } // 好使
{ 2.16.840.1.101.3.4.1.1, AES-128-ECB } // 好使
{ 1.2.410.200046.1.1.8, ARIA-192-CFB } // 好使
{ 1.2.156.10197.1.104.7, SM4-CTR } // 好使
{ 2.16.840.1.101.3.4.1.43, AES-256-OFB } // 好使
{ 1.2.410.200046.1.1.4, ARIA-128-OFB } // 好使
{ 1.2.392.200011.61.1.1.1.3, CAMELLIA-192-CBC, CAMELLIA192 } // 好使
{ 0.3.4401.5.3.1.9.21, CAMELLIA-192-ECB } // 好使
{ 1.2.410.200046.1.1.5, ARIA-128-CTR } // 好使
{ 2.16.840.1.101.3.4.1.21, AES-192-ECB } // 好使
NULL : !!! ---------- cipher has no object identifier
AES-128-CBC-CTS : !!! ---------- cipher has no object identifier
AES-192-CBC-CTS : !!! ---------- cipher has no object identifier
AES-256-CBC-CTS : !!! ---------- cipher has no object identifier
AES-256-CFB1 // 好使
AES-192-CFB1 // 好使
AES-128-CFB1 // 好使
AES-256-CFB8 // 好使
AES-192-CFB8 // 好使
AES-128-CFB8 // 可以
AES-256-CTR : !!! ---------- cipher has no object identifier
AES-192-CTR : !!! ---------- cipher has no object identifier
AES-128-CTR : !!! ---------- cipher has no object identifier
AES-256-OCB : !!! ---------- cipher has no object identifier
AES-192-OCB : !!! ---------- cipher has no object identifier
AES-128-OCB : !!! ---------- cipher has no object identifier
AES-128-SIV : !!! ---------- cipher has no object identifier
AES-192-SIV : !!! ---------- cipher has no object identifier
AES-256-SIV : !!! ---------- cipher has no object identifier
AES-128-GCM-SIV : !!! ---------- cipher has no object identifier
AES-192-GCM-SIV : !!! ---------- cipher has no object identifier
AES-256-GCM-SIV : !!! ---------- cipher has no object identifier
AES-256-WRAP-INV : !!! ---------- cipher has no object identifier
AES-192-WRAP-INV : !!! ---------- cipher has no object identifier
AES-128-WRAP-INV : !!! ---------- cipher has no object identifier
AES-256-WRAP-PAD-INV : !!! ---------- cipher has no object identifier
AES-192-WRAP-PAD-INV : !!! ---------- cipher has no object identifier
AES-128-WRAP-PAD-INV : !!! ---------- cipher has no object identifier
AES-128-CBC-HMAC-SHA1 : !!! ---------- cipher has no object identifier
AES-256-CBC-HMAC-SHA1 : !!! ---------- cipher has no object identifier
AES-128-CBC-HMAC-SHA256 : !!! ---------- cipher has no object identifier
AES-256-CBC-HMAC-SHA256 : !!! ---------- cipher has no object identifier
ARIA-256-CFB1 : !!! ---------- cipher has no object identifier
ARIA-192-CFB1 : !!! ---------- cipher has no object identifier
ARIA-128-CFB1 : !!! ---------- cipher has no object identifier
ARIA-256-CFB8 : !!! ---------- cipher has no object identifier
ARIA-192-CFB8 : !!! ---------- cipher has no object identifier
ARIA-128-CFB8 : !!! ---------- cipher has no object identifier
CAMELLIA-128-CBC-CTS : !!! ---------- cipher has no object identifier
CAMELLIA-192-CBC-CTS : !!! ---------- cipher has no object identifier
CAMELLIA-256-CBC-CTS : !!! ---------- cipher has no object identifier
CAMELLIA-256-CFB1 : !!! ---------- cipher has no object identifier
CAMELLIA-192-CFB1 : !!! ---------- cipher has no object identifier
CAMELLIA-128-CFB1 : !!! ---------- cipher has no object identifier
CAMELLIA-256-CFB8 : !!! ---------- cipher has no object identifier
CAMELLIA-192-CFB8 : !!! ---------- cipher has no object identifier
CAMELLIA-128-CFB8 : !!! ---------- cipher has no object identifier
DES-EDE3-ECB : !!! ---------- cipher has no object identifier
DES-EDE3-OFB : !!! ---------- cipher has no object identifier
DES-EDE3-CFB // 不行
DES-EDE3-CFB8 // 不行
DES-EDE3-CFB1 // 不行
DES-EDE-CBC : !!! ---------- cipher has no object identifier
DES-EDE-OFB : !!! ---------- cipher has no object identifier
DES-EDE-CFB : !!! ---------- cipher has no object identifier
SM4-GCM : !!! ---------- cipher has no object identifier
SM4-CCM : !!! ---------- cipher has no object identifier
SM4-XTS : !!! ---------- cipher has no object identifier
ChaCha20 : !!! ---------- cipher has no object identifier
ChaCha20-Poly1305 : !!! ---------- cipher has no object identifier
free map, g_mem_hook_map.size() = 0

笔记

测试工程实现

/*!
* \file main.cpp
*/#include "my_openSSL_lib.h"
#include <openssl/crypto.h>
#include <openssl/bio.h>
#include <openssl/safestack.h>
#include <openssl/evp.h>
#include <openssl/provider.h>#include <stdlib.h>
#include <stdio.h>
#include <assert.h>#include "CMemHookRec.h"BIO* bio_out = NULL;
BIO* bio_err = NULL;
static const char* select_name = NULL;void my_openssl_app();
void list_ciphers(const char* prefix);
int cipher_cmp(const EVP_CIPHER* const* a, const EVP_CIPHER* const* b);
void collect_ciphers(EVP_CIPHER* cipher, void* stack);int main(int argc, char** argv)
{setvbuf(stdout, NULL, _IONBF, 0); // 清掉stdout缓存, 防止调用printf时阻塞mem_hook();my_openssl_app();mem_unhook();return 0;
}void my_openssl_app()
{bio_out = BIO_new_fp(stdout, 0);bio_err = BIO_new_fp(stdout, 0);if ((NULL != bio_out) && (NULL != bio_err)){list_ciphers(" ");}if (NULL != bio_out){BIO_free(bio_out);bio_out = NULL;}if (NULL != bio_err){BIO_free(bio_err);bio_err = NULL;}
}void legacy_cipher_fn(const EVP_CIPHER* c,const char* from, const char* to, void* arg)
{int mode = 0;unsigned long int flags = 0;int alg_nid = 0;if (select_name != NULL&& (c == NULL|| OPENSSL_strcasecmp(select_name, EVP_CIPHER_get0_name(c)) != 0)){return;}if (c != NULL) {mode = EVP_CIPHER_get_mode(c);flags = EVP_CIPHER_get_flags(c);alg_nid = EVP_CIPHER_get_type(c);if (alg_nid == NID_undef) {BIO_printf(bio_out, "  %s :                               !!! ---------- cipher has no object identifier\n", EVP_CIPHER_get0_name(c));}else if (mode == EVP_CIPH_XTS_MODE) {BIO_printf((BIO*)arg, "  %s :                               !!! ---------- XTS ciphers not supported\n", EVP_CIPHER_get0_name(c));}else if ((flags & EVP_CIPH_FLAG_AEAD_CIPHER) != 0) {BIO_printf((BIO*)arg, "  %s :                               !!! ---------- AEAD ciphers not supported\n", EVP_CIPHER_get0_name(c));}else {BIO_printf((BIO*)arg, "  %s \n", EVP_CIPHER_get0_name(c));}}
}int name_cmp(const char* const* a, const char* const* b)
{return OPENSSL_strcasecmp(*a, *b);
}void collect_names(const char* name, void* vdata)
{STACK_OF(OPENSSL_CSTRING)* names = (STACK_OF(OPENSSL_CSTRING)*)vdata;sk_OPENSSL_CSTRING_push(names, name);
}void print_names(BIO* out, STACK_OF(OPENSSL_CSTRING)* names)
{int i = sk_OPENSSL_CSTRING_num(names);int j;sk_OPENSSL_CSTRING_sort(names);if (i > 1)BIO_printf(out, "{ ");for (j = 0; j < i; j++) {const char* name = sk_OPENSSL_CSTRING_value(names, j);if (j > 0)BIO_printf(out, ", ");BIO_printf(out, "%s", name);}if (i > 1)BIO_printf(out, " }");
}DEFINE_STACK_OF(EVP_CIPHER)
void list_ciphers(const char* prefix)
{STACK_OF(EVP_CIPHER)* ciphers = sk_EVP_CIPHER_new(cipher_cmp);int i;int mode = 0;int flags = 0;int alg_nid = 0;if (ciphers == NULL) {BIO_printf(bio_err, "ERROR: Memory allocation\n");return;}if (true) {BIO_printf(bio_out, "%sLegacy:\n", prefix);EVP_CIPHER_do_all_sorted(legacy_cipher_fn, bio_out);}BIO_printf(bio_out, "%sProvided:\n", prefix);EVP_CIPHER_do_all_provided(NULL, collect_ciphers, ciphers);sk_EVP_CIPHER_sort(ciphers);for (i = 0; i < sk_EVP_CIPHER_num(ciphers); i++) {const EVP_CIPHER* c = sk_EVP_CIPHER_value(ciphers, i);mode = EVP_CIPHER_get_mode(c);flags = EVP_CIPHER_get_flags(c);alg_nid = EVP_CIPHER_get_type(c);if (alg_nid == NID_undef) {BIO_printf(bio_out, "  %s :                               !!! ---------- cipher has no object identifier\n", EVP_CIPHER_get0_name(c));continue;}else if (mode == EVP_CIPH_XTS_MODE) {BIO_printf(bio_out, "  %s :                               !!! ---------- XTS ciphers not supported\n", EVP_CIPHER_get0_name(c));continue;}else if ((flags & EVP_CIPH_FLAG_AEAD_CIPHER) != 0) {BIO_printf(bio_out, "  %s :                               !!! ---------- AEAD ciphers not supported\n", EVP_CIPHER_get0_name(c));continue;}STACK_OF(OPENSSL_CSTRING)* names = NULL;if (select_name != NULL && !EVP_CIPHER_is_a(c, select_name))continue;names = sk_OPENSSL_CSTRING_new(name_cmp);if (names != NULL && EVP_CIPHER_names_do_all(c, collect_names, names)) {BIO_printf(bio_out, "  ");print_names(bio_out, names);BIO_printf(bio_out, "\r\n");/* BIO_printf(bio_out, " @ %s\n",OSSL_PROVIDER_get0_name(EVP_CIPHER_get0_provider(c)));if (verbose) {const char* desc = EVP_CIPHER_get0_description(c);if (desc != NULL)BIO_printf(bio_out, "    description: %s\n", desc);print_param_types("retrievable algorithm parameters",EVP_CIPHER_gettable_params(c), 4);print_param_types("retrievable operation parameters",EVP_CIPHER_gettable_ctx_params(c), 4);print_param_types("settable operation parameters",EVP_CIPHER_settable_ctx_params(c), 4);}*/}sk_OPENSSL_CSTRING_free(names);}sk_EVP_CIPHER_pop_free(ciphers, EVP_CIPHER_free);
}int cipher_cmp(const EVP_CIPHER* const* a, const EVP_CIPHER* const* b)
{return strcmp(OSSL_PROVIDER_get0_name(EVP_CIPHER_get0_provider(*a)),OSSL_PROVIDER_get0_name(EVP_CIPHER_get0_provider(*b)));
}void collect_ciphers(EVP_CIPHER* cipher, void* stack)
{STACK_OF(EVP_CIPHER)* cipher_stack = (STACK_OF(EVP_CIPHER)*)stack;if (sk_EVP_CIPHER_push(cipher_stack, cipher) > 0)EVP_CIPHER_up_ref(cipher);
}

备注

我们自己写的工程, 只能调用openssl对外提供的接口, 没办法用openssl内部接口(包括内部函数, 内部头文件, 内部结构定义)
像这个列出openssl全部加密算法的实现, 用的是openssl接口上的回调函数入参. 传入我们自己的回调函数指针, 在回调函数中判断算法功能是否在命令行参数中可用于口令加密.

现在知道了支持口令加密的加密算法名称, 试几个不常见的口令加密算法, 看看是否好使?

openssl pkey -in app_key.pem -passin pass:my_pwd_for_app_key -out app_key.der -outform DER
app_key.pem是带口令保护的, 执行上面的命令, 转为一个不带口令的.der
现在用这个不带口令的.der, 转成带口令的.der, 加密算法用上面测试工程找到的有效算法名称, 试试好使不?

openssl pkey -in app_key.der -out app_key_pwd1.pem -outform DER -passout pass:111111 -ChaCha20
Error: Cipher options are supported only for PEM output

看到口令加密算法只支持.PEM格式…
那算了, 就实验.der/.pem转成.pem的场景.

openssl pkey -in app_key.der -out app_key_no_pwd.pem -outform PEM
先将上面实验的.der转成不带口令保护的.pem

openssl pkey -in app_key_no_pwd.pem -out app_key_pwd1.pem -outform PEM -passout pass:111111 -ChaCha20
cipher has no object identifier
说明还有限制条件, 选用的算法必须有obj_id, 那将这个条件也加入算法选择逻辑里面.

程序修改完了, 上面的工程副本已经更新. 现在能看到, 算法ChaCha20在列表中已经标记为了不支持.
再试试其他支持的不常见加密算法.
openssl pkey -in app_key_no_pwd.pem -out app_key_pwd1.pem -outform PEM -passout pass:111111 -DES-EDE3-CFB1
BC570600:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto\evp\evp_fetch.c:342:Global default library context, Algorithm (DES-CFB : 6), Properties ()
可以看到, 也不是每种算法都支持.
跟了一下openssl源码, 都是宏写的, 调用的都是内部函数, 不好弄清为啥不行.
那就试试找到的其他算法, 看行不行.

下面列出的都是好使的算法, 没有都列出, 在上面的算法列表中写上了是否好使.
openssl pkey -in app_key_no_pwd.pem -out app_key_pwd1.pem -outform PEM -passout pass:111111 -AES-128-CFB8
过滤掉的算法中, 不好通过程序来判断了, 只能一个一个实验.

整理 - 总共有126种加密算法可用于命令行参数的密码加密算法

// 总共有126种加密算法可用于命令行参数的密码加密算法
Legacy:
AES-128-CBC // ok
AES-128-CFB // ok
AES-128-CFB1 // ok
AES-128-CFB8 // ok
AES-128-ECB // ok
AES-128-OFB // ok
AES-192-CBC // ok
AES-192-CFB // ok
AES-192-CFB1 // ok
AES-192-CFB8 // ok
AES-192-ECB // ok
AES-192-OFB // ok
AES-256-CBC // ok
AES-256-CFB // ok
AES-256-CFB1 // ok
AES-256-CFB8 // ok
AES-256-ECB // ok
AES-256-OFB // ok
ARIA-128-CBC // ok
ARIA-128-CFB // ok
ARIA-128-CTR // ok
ARIA-128-ECB // ok
ARIA-128-OFB // ok
ARIA-192-CBC // ok
ARIA-192-CFB // ok
ARIA-192-CTR // ok
ARIA-192-ECB // ok
ARIA-192-OFB // ok
ARIA-256-CBC // ok
ARIA-256-CFB // ok
ARIA-256-CTR // ok
ARIA-256-ECB // ok
ARIA-256-OFB // ok
CAMELLIA-128-CBC // ok
CAMELLIA-128-CFB // ok
CAMELLIA-128-CTR // ok
CAMELLIA-128-ECB // ok
CAMELLIA-128-OFB // ok
CAMELLIA-192-CBC // ok
CAMELLIA-192-CFB // ok
CAMELLIA-192-CTR // ok
CAMELLIA-192-ECB // ok
CAMELLIA-192-OFB // ok
CAMELLIA-256-CBC // ok
CAMELLIA-256-CFB // ok
CAMELLIA-256-CTR // ok
CAMELLIA-256-ECB // ok
CAMELLIA-256-OFB // ok
DES-EDE // ok
DES-EDE3-CBC // ok
DES-EDE3-CFB // err
DES-EDE3-CFB1 // err
DES-EDE3-CFB8 // err
id-aes128-wrap // ok
id-aes128-wrap-pad // ok
id-aes192-wrap // ok
id-aes192-wrap-pad // ok
id-aes256-wrap // ok
id-aes256-wrap-pad // ok
SM4-CBC // ok
SM4-CFB // ok
SM4-CTR // ok
SM4-ECB // ok
SM4-OFB // ok
Provided:
{ 1.2.410.200046.1.1.12, ARIA-256-CBC, ARIA256 } // ok
{ 2.16.840.1.101.3.4.1.22, AES-192-CBC, AES192 } // ok
{ 2.16.840.1.101.3.4.1.4, AES-128-CFB } // ok
{ 1.2.410.200046.1.1.1, ARIA-128-ECB } // ok
{ 2.16.840.1.101.3.4.1.2, AES-128-CBC, AES128 } // ok
{ 2.16.840.1.101.3.4.1.24, AES-192-CFB } // ok
{ 1.2.392.200011.61.1.1.1.2, CAMELLIA-128-CBC, CAMELLIA128 } // ok
{ 1.2.392.200011.61.1.1.1.4, CAMELLIA-256-CBC, CAMELLIA256 } // ok
{ 2.16.840.1.101.3.4.1.42, AES-256-CBC, AES256 } // ok
{ 2.16.840.1.101.3.4.1.28, AES-192-WRAP-PAD, AES192-WRAP-PAD, id-aes192-wrap-pad } // ok
{ 2.16.840.1.101.3.4.1.8, AES-128-WRAP-PAD, AES128-WRAP-PAD, id-aes128-wrap-pad } // ok
{ 1.2.840.113549.1.9.16.3.6, DES3-WRAP, id-smime-alg-CMS3DESwrap } // err
{ 2.16.840.1.101.3.4.1.48, AES-256-WRAP-PAD, AES256-WRAP-PAD, id-aes256-wrap-pad } // ok
{ 1.2.156.10197.1.104.3, SM4-OFB, SM4-OFB128 } // ok
{ 2.16.840.1.101.3.4.1.25, AES-192-WRAP, AES192-WRAP, id-aes192-wrap } // ok
{ 2.16.840.1.101.3.4.1.41, AES-256-ECB } // ok
{ 0.3.4401.5.3.1.9.49, CAMELLIA-256-CTR } // ok
{ 1.2.410.200046.1.1.2, ARIA-128-CBC, ARIA128 } // ok
{ 0.3.4401.5.3.1.9.41, CAMELLIA-256-ECB } // ok
{ 2.16.840.1.101.3.4.1.44, AES-256-CFB } // ok
{ 1.2.156.10197.1.104.4, SM4-CFB, SM4-CFB128 } // ok
{ 0.3.4401.5.3.1.9.4, CAMELLIA-128-CFB } // ok
{ 1.2.410.200046.1.1.14, ARIA-256-OFB } // ok
{ 0.3.4401.5.3.1.9.9, CAMELLIA-128-CTR } // ok
{ 2.16.840.1.101.3.4.1.23, AES-192-OFB } // ok
{ 1.2.156.10197.1.104.1, SM4-ECB } // ok
{ 1.2.410.200046.1.1.7, ARIA-192-CBC, ARIA192 } // ok
{ 2.16.840.1.101.3.4.1.45, AES-256-WRAP, AES256-WRAP, id-aes256-wrap } // ok
{ 1.2.410.200046.1.1.15, ARIA-256-CTR } // ok
{ 1.2.410.200046.1.1.3, ARIA-128-CFB } // ok
{ 1.2.410.200046.1.1.6, ARIA-192-ECB } // ok
{ 0.3.4401.5.3.1.9.29, CAMELLIA-192-CTR } // ok
{ 0.3.4401.5.3.1.9.43, CAMELLIA-256-OFB } // ok
{ 1.2.156.10197.1.104.2, SM4, SM4-CBC } // ok
{ 1.3.14.3.2.17, DES-EDE, DES-EDE-ECB } // ok
{ 1.2.410.200046.1.1.11, ARIA-256-ECB } // ok
{ 2.16.840.1.101.3.4.1.5, AES-128-WRAP, AES128-WRAP, id-aes128-wrap } // ok
{ 2.16.840.1.101.3.4.1.3, AES-128-OFB } // ok
{ 0.3.4401.5.3.1.9.3, CAMELLIA-128-OFB } // ok
{ 0.3.4401.5.3.1.9.1, CAMELLIA-128-ECB } // ok
{ 1.2.840.113549.3.7, DES-EDE3-CBC, DES3 } // ok
{ 0.3.4401.5.3.1.9.44, CAMELLIA-256-CFB } // ok
{ 1.2.410.200046.1.1.10, ARIA-192-CTR } // ok
{ 0.3.4401.5.3.1.9.23, CAMELLIA-192-OFB } // ok
{ 0.3.4401.5.3.1.9.24, CAMELLIA-192-CFB } // ok
{ 1.2.410.200046.1.1.9, ARIA-192-OFB } // ok
{ 1.2.410.200046.1.1.13, ARIA-256-CFB } // 好使
{ 2.16.840.1.101.3.4.1.1, AES-128-ECB } // 好使
{ 1.2.410.200046.1.1.8, ARIA-192-CFB } // 好使
{ 1.2.156.10197.1.104.7, SM4-CTR } // 好使
{ 2.16.840.1.101.3.4.1.43, AES-256-OFB } // 好使
{ 1.2.410.200046.1.1.4, ARIA-128-OFB } // 好使
{ 1.2.392.200011.61.1.1.1.3, CAMELLIA-192-CBC, CAMELLIA192 } // 好使
{ 0.3.4401.5.3.1.9.21, CAMELLIA-192-ECB } // 好使
{ 1.2.410.200046.1.1.5, ARIA-128-CTR } // 好使
{ 2.16.840.1.101.3.4.1.21, AES-192-ECB } // 好使
AES-256-CFB1 // 好使
AES-192-CFB1 // 好使
AES-128-CFB1 // 好使
AES-256-CFB8 // 好使
AES-192-CFB8 // 好使
AES-128-CFB8 // 可以

备注

如果想要转换后的.der/.pem受口令密码和加密算法保护, 必须是.pem格式.
如果怕逆向的用户看到程序中的.pem内容的数组, 可以将.pem放到参数文件中.
文件的组织可以用多个buffer合成一个buffer的方法(C++ - 多个buffer合并成一个buffer的管理类).
对一个大buffer加密(非对称/对称), 只有正版用户才能载入, 间接保护了程序被逆向.

文章目录

openssl3.2 - exp - 可以在命令行使用的口令算法名称列表

概述

笔记

测试工程实现

备注

整理 - 总共有126种加密算法可用于命令行参数的密码加密算法

备注

END

相关文章：