source-git / openssl

Clone
Source Code
GIT

Blame doc/man1/rsautl.pod

c8 c8s master
  1.   c4476c2d191c8f18018d947521358ac6321a212e
  2.   doc
  3.   man1
  4.   rsautl.pod
Blob History Raw
Packit c4476c 
=pod
Packit c4476c
Packit c4476c 
=head1 NAME
Packit c4476c
Packit c4476c 
openssl-rsautl,
Packit c4476c 
rsautl - RSA utility
Packit c4476c
Packit c4476c 
=head1 SYNOPSIS
Packit c4476c
Packit c4476c 
B<openssl> B<rsautl>
Packit c4476c 
[B<-help>]
Packit c4476c 
[B<-in file>]
Packit c4476c 
[B<-out file>]
Packit c4476c 
[B<-inkey file>]
Packit c4476c 
[B<-keyform PEM|DER|ENGINE>]
Packit c4476c 
[B<-pubin>]
Packit c4476c 
[B<-certin>]
Packit c4476c 
[B<-sign>]
Packit c4476c 
[B<-verify>]
Packit c4476c 
[B<-encrypt>]
Packit c4476c 
[B<-decrypt>]
Packit c4476c 
[B<-rand file...>]
Packit c4476c 
[B<-writerand file>]
Packit c4476c 
[B<-pkcs>]
Packit c4476c 
[B<-ssl>]
Packit c4476c 
[B<-raw>]
Packit c4476c 
[B<-hexdump>]
Packit c4476c 
[B<-asn1parse>]
Packit c4476c
Packit c4476c 
=head1 DESCRIPTION
Packit c4476c
Packit c4476c 
The B<rsautl> command can be used to sign, verify, encrypt and decrypt
Packit c4476c 
data using the RSA algorithm.
Packit c4476c
Packit c4476c 
=head1 OPTIONS
Packit c4476c
Packit c4476c 
=over 4
Packit c4476c
Packit c4476c 
=item B<-help>
Packit c4476c
Packit c4476c 
Print out a usage message.
Packit c4476c
Packit c4476c 
=item B<-in filename>
Packit c4476c
Packit c4476c 
This specifies the input filename to read data from or standard input
Packit c4476c 
if this option is not specified.
Packit c4476c
Packit c4476c 
=item B<-out filename>
Packit c4476c
Packit c4476c 
Specifies the output filename to write to or standard output by
Packit c4476c 
default.
Packit c4476c
Packit c4476c 
=item B<-inkey file>
Packit c4476c
Packit c4476c 
The input key file, by default it should be an RSA private key.
Packit c4476c
Packit c4476c 
=item B<-keyform PEM|DER|ENGINE>
Packit c4476c
Packit c4476c 
The key format PEM, DER or ENGINE.
Packit c4476c
Packit c4476c 
=item B<-pubin>
Packit c4476c
Packit c4476c 
The input file is an RSA public key.
Packit c4476c
Packit c4476c 
=item B<-certin>
Packit c4476c
Packit c4476c 
The input is a certificate containing an RSA public key.
Packit c4476c
Packit c4476c 
=item B<-sign>
Packit c4476c
Packit c4476c 
Sign the input data and output the signed result. This requires
Packit c4476c 
an RSA private key.
Packit c4476c
Packit c4476c 
=item B<-verify>
Packit c4476c
Packit c4476c 
Verify the input data and output the recovered data.
Packit c4476c
Packit c4476c 
=item B<-encrypt>
Packit c4476c
Packit c4476c 
Encrypt the input data using an RSA public key.
Packit c4476c
Packit c4476c 
=item B<-decrypt>
Packit c4476c
Packit c4476c 
Decrypt the input data using an RSA private key.
Packit c4476c
Packit c4476c 
=item B<-rand file...>
Packit c4476c
Packit c4476c 
A file or files containing random data used to seed the random number
Packit c4476c 
generator.
Packit c4476c 
Multiple files can be specified separated by an OS-dependent character.
Packit c4476c 
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
Packit c4476c 
all others.
Packit c4476c
Packit c4476c 
=item [B<-writerand file>]
Packit c4476c
Packit c4476c 
Writes random data to the specified I<file> upon exit.
Packit c4476c 
This can be used with a subsequent B<-rand> flag.
Packit c4476c
Packit c4476c 
=item B<-pkcs, -oaep, -ssl, -raw>
Packit c4476c
Packit c4476c 
The padding to use: PKCS#1 v1.5 (the default), PKCS#1 OAEP,
Packit c4476c 
special padding used in SSL v2 backwards compatible handshakes,
Packit c4476c 
or no padding, respectively.
Packit c4476c 
For signatures, only B<-pkcs> and B<-raw> can be used.
Packit c4476c
Packit c4476c 
=item B<-hexdump>
Packit c4476c
Packit c4476c 
Hex dump the output data.
Packit c4476c
Packit c4476c 
=item B<-asn1parse>
Packit c4476c
Packit c4476c 
Parse the ASN.1 output data, this is useful when combined with the
Packit c4476c 
B<-verify> option.
Packit c4476c
Packit c4476c 
=back
Packit c4476c
Packit c4476c 
=head1 NOTES
Packit c4476c
Packit c4476c 
B<rsautl> because it uses the RSA algorithm directly can only be
Packit c4476c 
used to sign or verify small pieces of data.
Packit c4476c
Packit c4476c 
=head1 EXAMPLES
Packit c4476c
Packit c4476c 
Sign some data using a private key:
Packit c4476c
Packit c4476c 
 openssl rsautl -sign -in file -inkey key.pem -out sig
Packit c4476c
Packit c4476c 
Recover the signed data
Packit c4476c
Packit c4476c 
 openssl rsautl -verify -in sig -inkey key.pem
Packit c4476c
Packit c4476c 
Examine the raw signed data:
Packit c4476c
Packit c4476c 
 openssl rsautl -verify -in sig -inkey key.pem -raw -hexdump
Packit c4476c
Packit c4476c 
 0000 - 00 01 ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
Packit c4476c 
 0010 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
Packit c4476c 
 0020 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
Packit c4476c 
 0030 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
Packit c4476c 
 0040 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
Packit c4476c 
 0050 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
Packit c4476c 
 0060 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
Packit c4476c 
 0070 - ff ff ff ff 00 68 65 6c-6c 6f 20 77 6f 72 6c 64   .....hello world
Packit c4476c
Packit c4476c 
The PKCS#1 block formatting is evident from this. If this was done using
Packit c4476c 
encrypt and decrypt the block would have been of type 2 (the second byte)
Packit c4476c 
and random padding data visible instead of the 0xff bytes.
Packit c4476c
Packit c4476c 
It is possible to analyse the signature of certificates using this
Packit c4476c 
utility in conjunction with B<asn1parse>. Consider the self signed
Packit c4476c 
example in certs/pca-cert.pem . Running B<asn1parse> as follows yields:
Packit c4476c
Packit c4476c 
 openssl asn1parse -in pca-cert.pem
Packit c4476c
Packit c4476c 
    0:d=0  hl=4 l= 742 cons: SEQUENCE
Packit c4476c 
    4:d=1  hl=4 l= 591 cons:  SEQUENCE
Packit c4476c 
    8:d=2  hl=2 l=   3 cons:   cont [ 0 ]
Packit c4476c 
   10:d=3  hl=2 l=   1 prim:    INTEGER           :02
Packit c4476c 
   13:d=2  hl=2 l=   1 prim:   INTEGER           :00
Packit c4476c 
   16:d=2  hl=2 l=  13 cons:   SEQUENCE
Packit c4476c 
   18:d=3  hl=2 l=   9 prim:    OBJECT            :md5WithRSAEncryption
Packit c4476c 
   29:d=3  hl=2 l=   0 prim:    NULL
Packit c4476c 
   31:d=2  hl=2 l=  92 cons:   SEQUENCE
Packit c4476c 
   33:d=3  hl=2 l=  11 cons:    SET
Packit c4476c 
   35:d=4  hl=2 l=   9 cons:     SEQUENCE
Packit c4476c 
   37:d=5  hl=2 l=   3 prim:      OBJECT            :countryName
Packit c4476c 
   42:d=5  hl=2 l=   2 prim:      PRINTABLESTRING   :AU
Packit c4476c 
  ....
Packit c4476c 
  599:d=1  hl=2 l=  13 cons:  SEQUENCE
Packit c4476c 
  601:d=2  hl=2 l=   9 prim:   OBJECT            :md5WithRSAEncryption
Packit c4476c 
  612:d=2  hl=2 l=   0 prim:   NULL
Packit c4476c 
  614:d=1  hl=3 l= 129 prim:  BIT STRING
Packit c4476c
Packit c4476c
Packit c4476c 
The final BIT STRING contains the actual signature. It can be extracted with:
Packit c4476c
Packit c4476c 
 openssl asn1parse -in pca-cert.pem -out sig -noout -strparse 614
Packit c4476c
Packit c4476c 
The certificate public key can be extracted with:
Packit c4476c
Packit c4476c 
 openssl x509 -in test/testx509.pem -pubkey -noout >pubkey.pem
Packit c4476c
Packit c4476c 
The signature can be analysed with:
Packit c4476c
Packit c4476c 
 openssl rsautl -in sig -verify -asn1parse -inkey pubkey.pem -pubin
Packit c4476c
Packit c4476c 
    0:d=0  hl=2 l=  32 cons: SEQUENCE
Packit c4476c 
    2:d=1  hl=2 l=  12 cons:  SEQUENCE
Packit c4476c 
    4:d=2  hl=2 l=   8 prim:   OBJECT            :md5
Packit c4476c 
   14:d=2  hl=2 l=   0 prim:   NULL
Packit c4476c 
   16:d=1  hl=2 l=  16 prim:  OCTET STRING
Packit c4476c 
      0000 - f3 46 9e aa 1a 4a 73 c9-37 ea 93 00 48 25 08 b5   .F...Js.7...H%..
Packit c4476c
Packit c4476c 
This is the parsed version of an ASN1 DigestInfo structure. It can be seen that
Packit c4476c 
the digest used was md5. The actual part of the certificate that was signed can
Packit c4476c 
be extracted with:
Packit c4476c
Packit c4476c 
 openssl asn1parse -in pca-cert.pem -out tbs -noout -strparse 4
Packit c4476c
Packit c4476c 
and its digest computed with:
Packit c4476c
Packit c4476c 
 openssl md5 -c tbs
Packit c4476c 
 MD5(tbs)= f3:46:9e:aa:1a:4a:73:c9:37:ea:93:00:48:25:08:b5
Packit c4476c
Packit c4476c 
which it can be seen agrees with the recovered value above.
Packit c4476c
Packit c4476c 
=head1 SEE ALSO
Packit c4476c
Packit c4476c 
L<dgst(1)>, L<rsa(1)>, L<genrsa(1)>
Packit c4476c
Packit c4476c 
=head1 COPYRIGHT
Packit c4476c
Packit c4476c 
Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
Packit c4476c
Packit c4476c 
Licensed under the OpenSSL license (the "License").  You may not use
Packit c4476c 
this file except in compliance with the License.  You can obtain a copy
Packit c4476c 
in the file LICENSE in the source distribution or at
Packit c4476c 
L<https://www.openssl.org/source/license.html>.
Packit c4476c
Packit c4476c 
=cut

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation