Openssl
===
## Setup
alice: 192.168.122.50
bob: 192.168.122.237
## SK/PK/Random bytes
### Random bytes
```
$: openssl rand -hex 16
```
### Encryption (SK)
```bash
# binary
$: openssl enc \
-aes-256-cbc \
-in plaintext \
-out cyphertext \
-K <hex-key> \
-iv <hex-iv>
# base64
$: openssl enc \
-aes-256-cbc \
-in plaintext \
-out cyphertext \
-K <hex-key> \
-iv <hex-iv> \
-a # Base64
```
### Decryption (SK)
```bash
# binary
# (ciphertext, 53c73e819cbd75b985c68b8620e96cc0)
$: openssl enc \
-aes-256-cbc \
-d \
-in cyphertext \
-out plaintext \
-K <hex-key> \
-iv <hex-iv>
# base64
# (ciphertext64, 53c73e819cbd75b985c68b8620e96cc0)
$: openssl enc \
-aes-256-cbc \
-d \
-in cyphertext \
-out plaintext \
-K <hex-key> \
-iv <hex-iv> \
-a # Base64
```
### RSA
#### Generate private key
```bash
# With no passphrase
$: openssl genrsa \
-out privA.pem \
3072
```
#### Generate public key from private key
```bash
$: openssl rsa \
-in privA.pem \
-pubout \
-out pubA.pem
```
#### Encrypt
```bash
# From public key
$: openssl rsautl -encrypt \
-in plaintext \
-out encryptedfile \
-inkey pubB.pem \
-pubin
# From certificate
$: openssl rsautl -encrypt \
-in plaintext \
-out encryptedfile \
-inkey cert.pem \
-certin
```
#### Decrypt
```bash
# Only with private key
$: openssl rsautl -decrypt \
-in encryptedfile \
-out decryptedFile \
-inkey privB.pem
```
#### RAW Sign
```bash
$: openssl rsautl -sign \
-in plaintext \
-out signedfile \
-inkey privA.pem
```
#### RAW Verify
```bash
$: openssl rsautl -verify \
-in signedfile \
-out verifiedfile \
-inkey pubA.pem \
-pubin
```
### Dgst
Create hash and then sign
```bash
# Create hash message and sign it
# (-out: signature file)
$: openssl dgst \
-sha256 \
-sign privatekey.pem \
-out signature.sign \
image.jpg # Image to verify
# Verify signature applying the hash
# (-signature: signature file)
$: openssl dgst \
-sha256 \
-verify publickey.pem \
-signature signature.sign \
image.jpg # Image to verify signature
```
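The sign-then-verify flow above as a runnable round trip, added here as an example that is not part of the original notes. It also checks the two failure cases a verifier has to catch: a modified file and a public key that does not match the signer. Key files, payload and the temporary directory are constructed for the demo.

```shell
# Added example: keys, payload and file names are constructed for this demo.
sign_verify_demo() (
    cd "$(mktemp -d)" || exit 2
    openssl genrsa -out privatekey.pem 3072 2>/dev/null || exit 2
    openssl rsa -in privatekey.pem -pubout -out publickey.pem 2>/dev/null || exit 2
    printf 'constructed sample payload\n' > image.jpg

    # Hash with SHA-256 and sign the digest with the private key
    openssl dgst -sha256 -sign privatekey.pem -out signature.sign image.jpg || exit 2

    # Unmodified file and matching public key: exit status 0
    if openssl dgst -sha256 -verify publickey.pem \
        -signature signature.sign image.jpg >/dev/null 2>&1
    then original=accepted; else original=rejected; fi

    # One appended byte changes the digest, so verification must fail
    cp image.jpg tampered.jpg && printf 'X' >> tampered.jpg
    if openssl dgst -sha256 -verify publickey.pem \
        -signature signature.sign tampered.jpg >/dev/null 2>&1
    then tampered=accepted; else tampered=rejected; fi

    # A public key from an unrelated key pair must not verify the signature
    openssl genrsa -out other.pem 3072 2>/dev/null || exit 2
    openssl rsa -in other.pem -pubout -out otherpub.pem 2>/dev/null || exit 2
    if openssl dgst -sha256 -verify otherpub.pem \
        -signature signature.sign image.jpg >/dev/null 2>&1
    then wrongkey=accepted; else wrongkey=rejected; fi

    echo "original=$original tampered=$tampered wrongkey=$wrongkey"
    [ "$original$tampered$wrongkey" = acceptedrejectedrejected ]
)
```

Scripts should branch on the exit status of `openssl dgst -verify`, as done here, rather than parse its printed message.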
## Certificates
### Configuration
Extensions:
- **policy**: `[ policy_anything ]` `[ policy_match ]`
- **Self-signed CA**: `[v3_ca]`; in the practice we set it up more restrictively:
```
[ v3_ca ]
# Extensions for a Root CA (`man x509v3_config`).
basicConstraints = critical,CA:true
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
keyUsage = critical, cRLSign, keyCertSign
```
- **req**: `[req]`
- **DN**: `[req_distinguished_name]`
- **usr_cert**: for client certificates (tls-client)
- **server_cert**: for server certificates (webserver)
- **ocsp_responder_cert**
Practice configurations:
- Change CA's base dir and copy extension
- **[req]**: change default bits of key
Setup of folder:
```bash
$: mkdir rootca
$: cd rootca
$: cp /etc/ssl/openssl.cnf .
$: mkdir certs crl newcerts private requests
# Only access to the CA user
$: chmod 700 private
$: touch index.txt
$: echo 00 > crlnumber
```
1. Create private key `private/cakey.pem`
2. Create certificate request `requests/careq.pem`
3. Create CA certificate `cacert.pem`
4. Create a serial
Generation of the request:
- Country Name: ES (*match)
- State: Barcelona (*match)
- Location Name: Barcelona
- Organization Name: Network Security Org (*match)
- Organization Unit Name: Certification (*optional)
- **Common Name (CN)**: NS Root CA (*supplied)
Example index.txt:
```
V 301004164523Z 3FECDAF129F455826EA6B91719041B05E852C632 unknown /C=ES/ST=Barcelona/O=Network Security Org/OU=Certification/CN=NS Root CA
```
### req
Create a certificate request with privatekey.pem:
```
$: openssl req \
-config openssl.cnf \
-new \
-keyout private/cakey.pem \
-out requests/careq.pem
```
Create a certificate request for the TLS server:
```
$: openssl req \
-new \
-keyout private/testtlsserver.key.pem \
-out requests/testtlsserver.csr.pem
```
Create a certificate request with (SAN) extension enabled:
```
$: openssl req -new -addext 'subjectAltName = IP:10.0.2.7' -nodes -keyout tls/webserver.key.pem -out webserver.csr.pem
```
### ca
Create a **self-signed** CA certificate **cacert.pem**, creating the serial at the same time:
```
$: openssl ca \
-config openssl.cnf \
-extensions v3_ca \
-days 3652 \
-create_serial \
-selfsign \
-in requests/careq.pem \
-out cacert.pem
```
Issue a certificate for the TLS server with the corresponding extension **[server_cert]**:
```
$: openssl ca \
-config openssl.cnf \
-extensions server_cert \
-in requests/testtlsserver.csr.pem \
-out certs/testtlsserver.crt.pem
```
Verify that `X509v3 Subject Alternative Name` is set in the issued certificate.
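
The folder setup, `req` and `ca` steps above chained into one non-interactive run, added here as an example that is not the original `openssl.cnf` or part of these notes. It uses a trimmed config with the sections listed under Configuration, confirms that the SAN from the request reaches the issued certificate through `copy_extensions`, and then revokes the certificate to show how `index.txt` changes. The `server_cert` contents, the subject names, `-batch`/`-subj` and the temporary directory are assumptions of this sketch.

```shell
# Added sketch: server_cert contents, subjects and the temp dir are assumptions.
ca_lifecycle_demo() (
    cd "$(mktemp -d)" || exit 2
    mkdir certs crl newcerts private requests && chmod 700 private && touch index.txt
    cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
database = index.txt
new_certs_dir = newcerts
certificate = cacert.pem
private_key = private/cakey.pem
serial = serial
default_md = sha256
default_days = 365
policy = policy_match
copy_extensions = copy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
[ req ]
default_bits = 3072
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:true
keyUsage = critical, cRLSign, keyCertSign
[ server_cert ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF
    dn='/C=ES/ST=Barcelona/O=Network Security Org'
    {   openssl req -config openssl.cnf -new -nodes -subj "$dn/OU=Certification/CN=NS Root CA" \
            -keyout private/cakey.pem -out requests/careq.pem &&
        openssl ca -config openssl.cnf -batch -selfsign -create_serial -extensions v3_ca \
            -days 3652 -in requests/careq.pem -out cacert.pem &&
        openssl req -config openssl.cnf -new -nodes -subj "$dn/CN=test tls server" \
            -addext 'subjectAltName = IP:10.0.2.7' -keyout private/testtlsserver.key.pem -out requests/testtlsserver.csr.pem &&
        openssl ca -config openssl.cnf -batch -extensions server_cert \
            -in requests/testtlsserver.csr.pem -out certs/testtlsserver.crt.pem &&
        openssl verify -CAfile cacert.pem certs/testtlsserver.crt.pem &&
        openssl x509 -in certs/testtlsserver.crt.pem -noout -text | grep -q 'IP Address:10.0.2.7' &&
        openssl ca -config openssl.cnf -revoke certs/testtlsserver.crt.pem
    } >ca.log 2>&1 || exit 1
    cut -c1 index.txt | tr -d '\n'   # one status letter per index.txt row
)
```

The function prints one status letter per `index.txt` row: `V` for the still-valid root and `R` for the revoked server certificate.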
### OCSP
Create a certificate request:
```
$: openssl req \
-config openssl.cnf \
-new \
-keyout private/ocspresponder.key.pem \
-out requests/ocspresponder.csr.pem
```
Sign the OCSP request with the **[ocsp_responder_cert]** extension:
```
$: openssl ca \
-config openssl.cnf \
-extensions ocsp_responder_cert \
-in requests/ocspresponder.csr.pem \
-out certs/ocspresponder.crt.pem
```
Start OCSP server:
```
$: sudo openssl ocsp \
-port 80 \
-text \
-index index.txt \
-CA cacert.pem \
-rkey private/ocspresponder.key.pem \
-rsigner certs/ocspresponder.crt.pem
```
Test certificate:
```
$: openssl ocsp \
-CAfile cacert.pem \
-url http://10.0.2.15 \
-resp_text \
-issuer cacert.pem \
-cert certs/testtlsserver.crt.pem
```
Revoke certificate:
```
$: openssl ca -config openssl.cnf -revoke certs/testtlsserver.crt.pem
```
### pkcs12 and client certificate
Export a client certificate (issued with the `[usr_cert]` extension) and its private key as a PKCS#12 bundle:
```
$: openssl pkcs12 \
-export \
-in client.crt.pem \
-inkey client.key.pem \
-name "Oscar Perez" \
-out cert.p12
```