OPENSSL Learning and Finishing-introduction

OpenSSL directory name and function description

Directory Name	Function description
Crypto	Storing all of the OpenSSL encryption algorithm source code files and related annotations such as the source files, is the most important directory in OpenSSL, including all the contents of the OpenSSL cipher algorithm library.
Ssl	Store all versions of the SSL protocol in OpenSSL and the TLS 1.0 protocol source files, including all the contents of the OpenSSL Protocol library.
Apps	The source files for all application source files in OpenSSL, such as CAS, X509, etc., are stored here.
Doc	Contains all the usage documentation for OpenSSL, including three sections: application documentation, cryptographic algorithm library API documentation, and SSL protocol API documentation.
Demos	Some examples of OpenSSL-based applications are stored, which are generally simple and demonstrate how to use one of the features of OpenSSL.
Include	A header file is required to store a library that uses OpenSSL.
Test	A source file that stores the function test program of OpenSSL itself

OpenSSL algorithm Directory

OpenSSLThe algorithm directoryCryptoThe catalog containsOpenSSLAll source code files for the cipher algorithm library areOpenSSLOne of the most important catalogs in theOpenSSLThe Cipher Algorithm library containsOpenSSLAll cryptographic algorithms, Key management, and certificate management standards are implemented in theWindowsThe following compiled library file is namedLibeay32.libInLinuxThe library file that is produced after compiling is namedLIBCRYPTO.A。CryptoThe directory contains a number of subdirectories, most of which are named after the relevant algorithm or standard name. Of course,Not all of the source files stored in these directories are cipher algorithms and standards, and some areOpenSSLSome of its own related function files, such asBIO、DSOAndEVPsuch as

Crypto Sub-directory list

Aes	Symmetric algorithm, the United States new symmetric encryption algorithm standard AES algorithm source code.
Bf	Symmetric algorithm, Blowfish symmetric encryption algorithm source code.
Cast	Symmetric algorithm, CAST symmetric encryption algorithm source code.
Des	symmetric algorithm, including des and 3DES symmetric encryption algorithm source code.
Idea	Symmetric algorithm, idea symmetric encryption algorithm source code.
Rc2	Symmetric algorithm, RC2 symmetric encryption algorithm source code.
Rc4	Symmetric algorithm, RC4 symmetric encryption algorithm source code
Rc5	Symmetric algorithm, RC5 symmetric encryption algorithm source code.
Dh	Non-symmetric algorithm, DH asymmetric key exchange algorithm source code.
Dsa	Asymmetric algorithm, DSA asymmetric algorithm source code, used for digital signature.
Ec	Asymmetric algorithm, EC elliptic curve algorithm source code.
Rsa	Asymmetric algorithm, RSA asymmetric encryption algorithm source code, can be used for key exchange, can also be used for digital signature.
Md2	Information Digest algorithm, MD2 Information Digest algorithm source code.
Md5	Information Digest algorithm, MD5 Information Digest algorithm source code.
Mdc2	Information Digest algorithm, MDC2 Information Digest algorithm source code.
Sha	Information Digest algorithm, SHA Information Digest algorithm source code, including the SHA1 algorithm.
Ripemd	Information Digest algorithm, RIPEMD-160 Information Digest algorithm source code.
Comp	Data compression algorithm data compression algorithm function interface, there is no compression algorithm, just defined some empty interface functions
Asn1	PKI-related standards ASN.1 standard implementation of the source code, only the implementation of the PKI-related parts, not fully implemented. Includes features such as Der Codec.
Ocsp	PKI-related standards OCSP (online Certificate Services Protocol) Implementation of the source code.
Pem	PKI-related standard PEM standard implementation source, including the PEM codec function.
Pkcs7	PKI-related standards pkcs#7 standard implementation of the source code. Pkcs#7 is the standard for implementing cryptographic information encapsulation, including the standard for certificate encapsulation and the encapsulation standard for encrypted data.
Pkcs12	PKI-related standards pkcs#12 standard implementation of the source code. Includes the codec function of the pkcs#12 file. PKCS#12 is a common certificate and key encapsulation format.
X509	PKI-related standards of the implementation of the standard of the source code. including the encoding and decoding functions, certificate management functions and so on. X509v3 PKI-related standards for the third edition of the extended function of the implementation source.
Krb5	Other standards support some interface functions and structure definitions that support the Kerberos protocol
Hmac	Other standards support the HMAC Standard's support structure and function source code.
Lhash	Other standards support dynamic hash table structure and function source code
Bio	Custom OpenSSL itself defines an abstract IO interface that encapsulates almost all IO interfaces of various platforms, such as files, memory, caches, standard input and output, sockets, and so on.
Bn	Custom OpenSSL implements the structure and functions of large number management.
Buffer	Custom OpenSSL custom buffer structure body.
Conf	Customize the management configuration structure and functions of OpenSSL customizations.
Dso	Custom OpenSSL custom-loaded management function interfaces for dynamic libraries. The functions provided by these functions are used when the engine mechanism is used.
Engine	Customize the engine mechanism source code for OpenSSL customization. Engine mechanism Operation OpenSSL uses a third-party software cipher algorithm library or hardware encryption device for data encryption and other operations. Equivalent to the CSP mechanism of the Windows platform.
	ERR Custom OpenSSL custom error handling mechanism.
Evp	Custom OpenSSL defines a set of high-level algorithm encapsulation functions, including symmetric cryptographic algorithm encapsulation, asymmetric cryptographic algorithm encapsulation, signature verification algorithm encapsulation, and Information Digest algorithm encapsulation, similar The interface standard provided by the pkcs#11.
Objects	Custom OpenSSL manages the definitions and functions of various data objects. In fact, the OID of Objects is named according to the ASN.1 standard, not exactly the OpenSSL custom structure.
	Rand's secure random number generation function and management function for custom OpenSSL.
Stack	Custom defines the stack structure and related management functions in OpenSSL.
Threads	Some mechanisms for customizing the OpenSSL processing thread.
txt_db	Customize the management mechanism of the text certificate library provided by OpenSSL.
Ui	Custom OpenSSL defines the user's access to the function.
Perlasm	Some Perl auxiliary configuration files that need to be used when customizing the compilation.

Symmetric encryption algorithm

OpenSSL provides a total of 8 symmetric encryption algorithms, of which 7 are packet encryption algorithms, and only one stream encryption algorithm is RC4. These 7 packet encryption algorithms are AES, DES, Blowfish, CAST, Idea, RC2, RC5, all of which support electronic cipher mode (ECB), encrypted packet link mode (CBC), Cryptographic feedback mode (CFB) and output feedback mode (OFB) four commonly used block cipher encryption modes. Where AES uses the cryptographic feedback mode (CFB) and output feedback mode (OFB) packet length is 128 bits, the other algorithm uses 64 bits. In fact, the DES algorithm is not only a common des algorithm, but also supports three keys and two key 3DES algorithms.

Although each cryptographic algorithm defines its own interface functions, OpenSSL also uses EVP to encapsulate all symmetric encryption algorithms, enabling various pairs of cryptographic algorithms to encrypt and decrypt data using a unified API interface Evp_encrypt and Evp_decrypt. The reusable performance of the code is greatly provided.

Asymmetric encryption algorithm

OpenSSL has implemented 4 asymmetric encryption algorithms, including DH algorithm, RSA algorithm, DSA algorithm and Elliptic curve algorithm (EC). DH algorithm general user key exchange. The RSA algorithm can be used for both key exchange and digital signature, and of course, if you can tolerate its slow speed, it can also be used for data encryption. The DSA algorithm is generally used only for digital signatures.

Similar to symmetric cryptographic algorithms, OpenSSL uses EVP technology to encapsulate asymmetric cryptographic algorithms with different functions, providing a unified API interface. If you use an asymmetric encryption algorithm for key exchange or key encryption, you use Evp_seal and Evp_open for encryption and decryption, and if you digitally sign using an asymmetric encryption algorithm, you use Evp_sign and evp_verify to sign and verify.

Information Digest algorithm

OpenSSL implements 5 information digest algorithms, namely MD2, MD5, MDC2, SHA (SHA1), and RIPEMD. The SHA algorithm actually includes the SHA and SHA1 two kinds of information digest algorithms, in addition, OpenSSL implements two kinds of information digest algorithms, DSS and DSS1, as stipulated in the DSS standard.

OpenSSL uses the Evp_digest interface as a unified EVP interface for information Digest algorithms, encapsulating All information digest algorithms and providing reuse of code.

Key and certificate Management

Key and certificate management is an important part of PKI , andOpenSSL provides a wide range of functions to support multiple standards.

first, OPENSSL  implements the Span style= "font-family: ' Times New Roman ';" >ASN.1  The certificate and key related standards for , which provides certificates, public keys, private keys, certificate requests, and crl  PEM  and . OPENSSL  the provides methods, functions, and applications that produce various public key pairs and symmetric keys, while providing the public and private key Span style= "font-family: ' Times New Roman ';" >der codec function. and realized the private key PKCS#12  and PKCS#8  the codec function of the . OPENSSL  the provides cryptographic protection of the private key in the standard so that the key can be stored and distributed securely.

On this basis,OpenSSL implements the standard encoding and decoding of the certificate, the codec of thepkcs#12 format, and the codec function of the pkcs#7 . and provides a text database, supporting the management of certificates, including certificate key generation, request generation, certificate issuance, revocation and verification functions.

In fact, the CA application provided byOpenSSL is a small certificate management center (CA) that implements the entire process of certificate issuance and most of the mechanisms for certificate management.

Engine mechanism

The engine mechanism appears in OpenSSL 0.9.6 version of the thing, the beginning is the normal version with the support Engine version, to the 0.9.7 version of OpenSSL, the Engine mechanism integrated into the OpenSSL kernel, became the OpenSSL An indispensable part.

The Engine mechanism is designed to enable OpenSSL to transparently encrypt using a software encryption library provided by a third party or a hardware encryption device. The OpenSSL engine mechanism has succeeded in achieving this goal, which makes OpenSSL not only a cryptographic repository, but a universal encryption interface that works with most cryptographic or cryptographic devices. Of course, to make a particular cryptographic library or encryption device more OpenSSL coordination work, you need to write a small number of interface code, but this workload is not big, although still need a bit of knowledge of cryptography. The capabilities of the Engine mechanism are essentially the same as those provided by Windows for CSP functionality.

BIO mechanism

The BIO mechanism is a high level of support provided by OpenSSL

Io interface, which encapsulates almost all types of IO interfaces, such as memory access, file access, and sockets. This greatly improves the reusability of the code, and the complexity of OpenSSL provides the API a lot less.

OPENSSL Learning and Finishing-introduction