source-git / openssl

Clone
Source Code
GIT

Blame doc/man1/rsautl.pod

c8 c8s master
  1.   dd46e1f777d2d56ed692a3e9100ebe5052e12513
  2.   doc
  3.   man1
  4.   rsautl.pod
Blob History Raw
Packit Service 084de1 
=pod
Packit Service 084de1
Packit Service 084de1 
=head1 NAME
Packit Service 084de1
Packit Service 084de1 
openssl-rsautl,
Packit Service 084de1 
rsautl - RSA utility
Packit Service 084de1
Packit Service 084de1 
=head1 SYNOPSIS
Packit Service 084de1
Packit Service 084de1 
B<openssl> B<rsautl>
Packit Service 084de1 
[B<-help>]
Packit Service 084de1 
[B<-in file>]
Packit Service 084de1 
[B<-out file>]
Packit Service 084de1 
[B<-inkey file>]
Packit Service 084de1 
[B<-keyform PEM|DER|ENGINE>]
Packit Service 084de1 
[B<-pubin>]
Packit Service 084de1 
[B<-certin>]
Packit Service 084de1 
[B<-sign>]
Packit Service 084de1 
[B<-verify>]
Packit Service 084de1 
[B<-encrypt>]
Packit Service 084de1 
[B<-decrypt>]
Packit Service 084de1 
[B<-rand file...>]
Packit Service 084de1 
[B<-writerand file>]
Packit Service 084de1 
[B<-pkcs>]
Packit Service 084de1 
[B<-ssl>]
Packit Service 084de1 
[B<-raw>]
Packit Service 084de1 
[B<-hexdump>]
Packit Service 084de1 
[B<-asn1parse>]
Packit Service 084de1
Packit Service 084de1 
=head1 DESCRIPTION
Packit Service 084de1
Packit Service 084de1 
The B<rsautl> command can be used to sign, verify, encrypt and decrypt
Packit Service 084de1 
data using the RSA algorithm.
Packit Service 084de1
Packit Service 084de1 
=head1 OPTIONS
Packit Service 084de1
Packit Service 084de1 
=over 4
Packit Service 084de1
Packit Service 084de1 
=item B<-help>
Packit Service 084de1
Packit Service 084de1 
Print out a usage message.
Packit Service 084de1
Packit Service 084de1 
=item B<-in filename>
Packit Service 084de1
Packit Service 084de1 
This specifies the input filename to read data from or standard input
Packit Service 084de1 
if this option is not specified.
Packit Service 084de1
Packit Service 084de1 
=item B<-out filename>
Packit Service 084de1
Packit Service 084de1 
Specifies the output filename to write to or standard output by
Packit Service 084de1 
default.
Packit Service 084de1
Packit Service 084de1 
=item B<-inkey file>
Packit Service 084de1
Packit Service 084de1 
The input key file, by default it should be an RSA private key.
Packit Service 084de1
Packit Service 084de1 
=item B<-keyform PEM|DER|ENGINE>
Packit Service 084de1
Packit Service 084de1 
The key format PEM, DER or ENGINE.
Packit Service 084de1
Packit Service 084de1 
=item B<-pubin>
Packit Service 084de1
Packit Service 084de1 
The input file is an RSA public key.
Packit Service 084de1
Packit Service 084de1 
=item B<-certin>
Packit Service 084de1
Packit Service 084de1 
The input is a certificate containing an RSA public key.
Packit Service 084de1
Packit Service 084de1 
=item B<-sign>
Packit Service 084de1
Packit Service 084de1 
Sign the input data and output the signed result. This requires
Packit Service 084de1 
an RSA private key.
Packit Service 084de1
Packit Service 084de1 
=item B<-verify>
Packit Service 084de1
Packit Service 084de1 
Verify the input data and output the recovered data.
Packit Service 084de1
Packit Service 084de1 
=item B<-encrypt>
Packit Service 084de1
Packit Service 084de1 
Encrypt the input data using an RSA public key.
Packit Service 084de1
Packit Service 084de1 
=item B<-decrypt>
Packit Service 084de1
Packit Service 084de1 
Decrypt the input data using an RSA private key.
Packit Service 084de1
Packit Service 084de1 
=item B<-rand file...>
Packit Service 084de1
Packit Service 084de1 
A file or files containing random data used to seed the random number
Packit Service 084de1 
generator.
Packit Service 084de1 
Multiple files can be specified separated by an OS-dependent character.
Packit Service 084de1 
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
Packit Service 084de1 
all others.
Packit Service 084de1
Packit Service 084de1 
=item [B<-writerand file>]
Packit Service 084de1
Packit Service 084de1 
Writes random data to the specified I<file> upon exit.
Packit Service 084de1 
This can be used with a subsequent B<-rand> flag.
Packit Service 084de1
Packit Service 084de1 
=item B<-pkcs, -oaep, -ssl, -raw>
Packit Service 084de1
Packit Service 084de1 
The padding to use: PKCS#1 v1.5 (the default), PKCS#1 OAEP,
Packit Service 084de1 
special padding used in SSL v2 backwards compatible handshakes,
Packit Service 084de1 
or no padding, respectively.
Packit Service 084de1 
For signatures, only B<-pkcs> and B<-raw> can be used.
Packit Service 084de1
Packit Service 084de1 
=item B<-hexdump>
Packit Service 084de1
Packit Service 084de1 
Hex dump the output data.
Packit Service 084de1
Packit Service 084de1 
=item B<-asn1parse>
Packit Service 084de1
Packit Service 084de1 
Parse the ASN.1 output data, this is useful when combined with the
Packit Service 084de1 
B<-verify> option.
Packit Service 084de1
Packit Service 084de1 
=back
Packit Service 084de1
Packit Service 084de1 
=head1 NOTES
Packit Service 084de1
Packit Service 084de1 
B<rsautl> because it uses the RSA algorithm directly can only be
Packit Service 084de1 
used to sign or verify small pieces of data.
Packit Service 084de1
Packit Service 084de1 
=head1 EXAMPLES
Packit Service 084de1
Packit Service 084de1 
Sign some data using a private key:
Packit Service 084de1
Packit Service 084de1 
 openssl rsautl -sign -in file -inkey key.pem -out sig
Packit Service 084de1
Packit Service 084de1 
Recover the signed data
Packit Service 084de1
Packit Service 084de1 
 openssl rsautl -verify -in sig -inkey key.pem
Packit Service 084de1
Packit Service 084de1 
Examine the raw signed data:
Packit Service 084de1
Packit Service 084de1 
 openssl rsautl -verify -in sig -inkey key.pem -raw -hexdump
Packit Service 084de1
Packit Service 084de1 
 0000 - 00 01 ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
Packit Service 084de1 
 0010 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
Packit Service 084de1 
 0020 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
Packit Service 084de1 
 0030 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
Packit Service 084de1 
 0040 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
Packit Service 084de1 
 0050 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
Packit Service 084de1 
 0060 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
Packit Service 084de1 
 0070 - ff ff ff ff 00 68 65 6c-6c 6f 20 77 6f 72 6c 64   .....hello world
Packit Service 084de1
Packit Service 084de1 
The PKCS#1 block formatting is evident from this. If this was done using
Packit Service 084de1 
encrypt and decrypt the block would have been of type 2 (the second byte)
Packit Service 084de1 
and random padding data visible instead of the 0xff bytes.
Packit Service 084de1
Packit Service 084de1 
It is possible to analyse the signature of certificates using this
Packit Service 084de1 
utility in conjunction with B<asn1parse>. Consider the self signed
Packit Service 084de1 
example in certs/pca-cert.pem . Running B<asn1parse> as follows yields:
Packit Service 084de1
Packit Service 084de1 
 openssl asn1parse -in pca-cert.pem
Packit Service 084de1
Packit Service 084de1 
    0:d=0  hl=4 l= 742 cons: SEQUENCE
Packit Service 084de1 
    4:d=1  hl=4 l= 591 cons:  SEQUENCE
Packit Service 084de1 
    8:d=2  hl=2 l=   3 cons:   cont [ 0 ]
Packit Service 084de1 
   10:d=3  hl=2 l=   1 prim:    INTEGER           :02
Packit Service 084de1 
   13:d=2  hl=2 l=   1 prim:   INTEGER           :00
Packit Service 084de1 
   16:d=2  hl=2 l=  13 cons:   SEQUENCE
Packit Service 084de1 
   18:d=3  hl=2 l=   9 prim:    OBJECT            :md5WithRSAEncryption
Packit Service 084de1 
   29:d=3  hl=2 l=   0 prim:    NULL
Packit Service 084de1 
   31:d=2  hl=2 l=  92 cons:   SEQUENCE
Packit Service 084de1 
   33:d=3  hl=2 l=  11 cons:    SET
Packit Service 084de1 
   35:d=4  hl=2 l=   9 cons:     SEQUENCE
Packit Service 084de1 
   37:d=5  hl=2 l=   3 prim:      OBJECT            :countryName
Packit Service 084de1 
   42:d=5  hl=2 l=   2 prim:      PRINTABLESTRING   :AU
Packit Service 084de1 
  ....
Packit Service 084de1 
  599:d=1  hl=2 l=  13 cons:  SEQUENCE
Packit Service 084de1 
  601:d=2  hl=2 l=   9 prim:   OBJECT            :md5WithRSAEncryption
Packit Service 084de1 
  612:d=2  hl=2 l=   0 prim:   NULL
Packit Service 084de1 
  614:d=1  hl=3 l= 129 prim:  BIT STRING
Packit Service 084de1
Packit Service 084de1
Packit Service 084de1 
The final BIT STRING contains the actual signature. It can be extracted with:
Packit Service 084de1
Packit Service 084de1 
 openssl asn1parse -in pca-cert.pem -out sig -noout -strparse 614
Packit Service 084de1
Packit Service 084de1 
The certificate public key can be extracted with:
Packit Service 084de1
Packit Service 084de1 
 openssl x509 -in test/testx509.pem -pubkey -noout >pubkey.pem
Packit Service 084de1
Packit Service 084de1 
The signature can be analysed with:
Packit Service 084de1
Packit Service 084de1 
 openssl rsautl -in sig -verify -asn1parse -inkey pubkey.pem -pubin
Packit Service 084de1
Packit Service 084de1 
    0:d=0  hl=2 l=  32 cons: SEQUENCE
Packit Service 084de1 
    2:d=1  hl=2 l=  12 cons:  SEQUENCE
Packit Service 084de1 
    4:d=2  hl=2 l=   8 prim:   OBJECT            :md5
Packit Service 084de1 
   14:d=2  hl=2 l=   0 prim:   NULL
Packit Service 084de1 
   16:d=1  hl=2 l=  16 prim:  OCTET STRING
Packit Service 084de1 
      0000 - f3 46 9e aa 1a 4a 73 c9-37 ea 93 00 48 25 08 b5   .F...Js.7...H%..
Packit Service 084de1
Packit Service 084de1 
This is the parsed version of an ASN1 DigestInfo structure. It can be seen that
Packit Service 084de1 
the digest used was md5. The actual part of the certificate that was signed can
Packit Service 084de1 
be extracted with:
Packit Service 084de1
Packit Service 084de1 
 openssl asn1parse -in pca-cert.pem -out tbs -noout -strparse 4
Packit Service 084de1
Packit Service 084de1 
and its digest computed with:
Packit Service 084de1
Packit Service 084de1 
 openssl md5 -c tbs
Packit Service 084de1 
 MD5(tbs)= f3:46:9e:aa:1a:4a:73:c9:37:ea:93:00:48:25:08:b5
Packit Service 084de1
Packit Service 084de1 
which it can be seen agrees with the recovered value above.
Packit Service 084de1
Packit Service 084de1 
=head1 SEE ALSO
Packit Service 084de1
Packit Service 084de1 
L<dgst(1)>, L<rsa(1)>, L<genrsa(1)>
Packit Service 084de1
Packit Service 084de1 
=head1 COPYRIGHT
Packit Service 084de1
Packit Service 084de1 
Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
Packit Service 084de1
Packit Service 084de1 
Licensed under the OpenSSL license (the "License").  You may not use
Packit Service 084de1 
this file except in compliance with the License.  You can obtain a copy
Packit Service 084de1 
in the file LICENSE in the source distribution or at
Packit Service 084de1 
L<https://www.openssl.org/source/license.html>.
Packit Service 084de1
Packit Service 084de1 
=cut

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation