Here is a sample of OpenSSL C code parsing a certificate from a hardcoded string. Included is basically the output in bash if you parse a cert with command line the openssl command, 'openssl x509 -noout -text -in cert.pem'.
For one of the Matasano crypto challenges, I had to decrypt the text which was encrypted using AES in ECB mode. Everything about AES is actually documented by the National Institute of Standards and Technology. You can get all the algorithms behind AES encryption. It is probably not a good idea to implement it from scratch.Openssl has a well tested and widely used library which works.
This Openssl library page gives a complete example of how to use them. There are a few preparatory steps before you can use the instructions though. These instructions are for Ubuntu like Linux distributions. These worked well on my Raspberry Pi too.
Installing Openssl library
- Generating a CSR and Private Key using OpenSSL in PowerShell Once complete, you will have a valid CSR and private key which can be used to issue an SSL certificate to you. The configuration file defaults can be edited further to streamline this process should you not want to enter data every time you generate a CSR.
- OpenSSL is a software library for applications that secure communications over computer networks against eavesdropping or need to identify the party at the other end. It is widely used by Internet servers, including the majority of HTTPS websites.
Following command installs all the C libraries needed to use Openssl with your C code.
For example, you will want to include the following header files:
Compiling your C program with the Openssl library
Next, you can follow the instructions from the Openssl crypto library page to create your C program. I have an example program in my CrytopalsGithub repository. While linking the program you need to provide the ssl and crypto library names. Following command should do it:
A few pointers on the
- If you are going to use the
do_cryptfunction for decrypting a text encrypted using electronic code book (ECB) mode, you should remove the following assert line since there is no Initialization Vector for ECB.
- The example code operates on the raw data. So, if you are trying to decrypt the data which is base64 encoded, your first step should be to convert it into raw data.
To perform certain cryptographic operations (creation of a private key, generation of a CSR, conversion of a certificate ...)on a Windows computer we can use the OpenSSL tool.
- Go to this website: Download link for OpenSSL
- Go down in the page and choose the version (in .EXE):
- Win64 OpenSSL v1.X.X : if your OS is 64 bits
- Win32 OpenSSL v1.X.X : if your OS is 32 bits
- For some versions of Windows systems, you may need to install 'Visual C ++ 2008 Redistributable'.
Use OpenSSL on a Windows machine
By default, OpenSSL for Windows is installed in the following directory:
- if you have installed Win64 OpenSSL v1.X.X: C:Program FilesOpenSSL-Win64
- if you have installed Win32 OpenSSL v1.X.X: C:Program Files (x86)OpenSSL-Win32
To launch OpenSSL, open a command prompt with administrator rights.
b)Generate the private key (.key) and the CSR (Certificate Signing Request)
As part of obtaining (or renewing or reissue) a certificate, you will have to generate a private key and the associated CSR. To do this we advise you to use our online wizard to execute the OpenSSL command with the adequate parameters.
Open a command prompt with Administrators rights (right click - Run as ...). Go to the 'bin' subdirectory from the OpenSSL installation folder.
Save and keep safe the file containing the private key (.key, and copy / paste only the contents of the file .csr file in the order form.
Issues encountered on Windows while generating a CSR via one command
According to the version of OpenSSL you installed or to the the installation method on Windows, you may encounter error messages such as:
- config or req is not recognized as an internal or external command
Check the syntax and the quotes when executing your command.
- Unable to load config info from /usr/local/ssl/openssl.cnf
OpenSSL relies here on a Linux default arborescence.
Troubleshooting: execute simplified commands:
- To launch the command prompt, go to the start menu and execute 'cmd'.
- To paste the following command lines in dos command prompt, right click and select paste.
- To go to the repertory in which is installed OpenSSL, execute:
- The private key is generated with the following command. Define a file name that suits you:
- then use this command to generate the CSR:
or this one:
On some platforms, theopenssl.cnf that OpenSSL reads by default to create the CSR is not good or nonexistent.In this case you can download ourand place it, for example, in C:Program FilesOpenSSL-Win64openssl.cnf:
- For DigiCert or Thawte server certificates: openssl-dem-server-cert-thvs.cnf
- For TBS X509 or Sectigo server certificates: openssl-dem-server-cert.cnf
- You'll be asked by the system to fill-in fields ; Fill them in and respect the instructions (more information onObtain a server certificate)
Country Name (2 letter code) : (FR for example)
State or Province Name (full name) [Some-State]: (the name of your state in full letters)
Locality Name (eg, city) : (the name of your city)
Organization Name (eg, company) : (the name of your organization)
Organizational Unit Name (eg, section) : (let blank - advised - or provide a generic term such as 'IT department')
Common Name (eg, YOUR name) : (the name of the site to be secured)
Email Address : (let blank)
Let the other fields blank, they are optional.
So you get 2 files: site-file.key and site-file.csr. Keep the private key file (site-file.key) securely, then copy / paste the content of the site-file.csr file into the order form at TBS CERTIFICATES.
Warning: Never send us or a third party the private key (site-file.key) otherwise the security of your site may no longer be ensured.
OpenSSL: cases of uses
OpenSSL is the toolbox mainly used by opensource software for SSL implementation.
- Generate your command line withour CSR creation assistant tool.