Update files for OpenSSL-1.0.1c import.
[dragonfly.git] / secure / usr.bin / openssl / man / rsautl.1
... / ...
CommitLineData
1.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.19)
2.\"
3.\" Standard preamble:
4.\" ========================================================================
5.de Sp \" Vertical space (when we can't use .PP)
6.if t .sp .5v
7.if n .sp
8..
9.de Vb \" Begin verbatim text
10.ft CW
11.nf
12.ne \\$1
13..
14.de Ve \" End verbatim text
15.ft R
16.fi
17..
18.\" Set up some character translations and predefined strings. \*(-- will
19.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
20.\" double quote, and \*(R" will give a right double quote. \*(C+ will
21.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
22.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
23.\" nothing in troff, for use with C<>.
24.tr \(*W-
25.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
26.ie n \{\
27. ds -- \(*W-
28. ds PI pi
29. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
30. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
31. ds L" ""
32. ds R" ""
33. ds C` ""
34. ds C' ""
35'br\}
36.el\{\
37. ds -- \|\(em\|
38. ds PI \(*p
39. ds L" ``
40. ds R" ''
41'br\}
42.\"
43.\" Escape single quotes in literal strings from groff's Unicode transform.
44.ie \n(.g .ds Aq \(aq
45.el .ds Aq '
46.\"
47.\" If the F register is turned on, we'll generate index entries on stderr for
48.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
49.\" entries marked with X<> in POD. Of course, you'll have to process the
50.\" output yourself in some meaningful fashion.
51.ie \nF \{\
52. de IX
53. tm Index:\\$1\t\\n%\t"\\$2"
54..
55. nr % 0
56. rr F
57.\}
58.el \{\
59. de IX
60..
61.\}
62.\"
63.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
64.\" Fear. Run. Save yourself. No user-serviceable parts.
65. \" fudge factors for nroff and troff
66.if n \{\
67. ds #H 0
68. ds #V .8m
69. ds #F .3m
70. ds #[ \f1
71. ds #] \fP
72.\}
73.if t \{\
74. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
75. ds #V .6m
76. ds #F 0
77. ds #[ \&
78. ds #] \&
79.\}
80. \" simple accents for nroff and troff
81.if n \{\
82. ds ' \&
83. ds ` \&
84. ds ^ \&
85. ds , \&
86. ds ~ ~
87. ds /
88.\}
89.if t \{\
90. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
91. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
92. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
93. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
94. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
95. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
96.\}
97. \" troff and (daisy-wheel) nroff accents
98.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
99.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
100.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
101.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
102.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
103.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
104.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
105.ds ae a\h'-(\w'a'u*4/10)'e
106.ds Ae A\h'-(\w'A'u*4/10)'E
107. \" corrections for vroff
108.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
109.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
110. \" for low resolution devices (crt and lpr)
111.if \n(.H>23 .if \n(.V>19 \
112\{\
113. ds : e
114. ds 8 ss
115. ds o a
116. ds d- d\h'-1'\(ga
117. ds D- D\h'-1'\(hy
118. ds th \o'bp'
119. ds Th \o'LP'
120. ds ae ae
121. ds Ae AE
122.\}
123.rm #[ #] #H #V #F C
124.\" ========================================================================
125.\"
126.IX Title "RSAUTL 1"
127.TH RSAUTL 1 "2012-05-10" "1.0.1c" "OpenSSL"
128.\" For nroff, turn off justification. Always turn off hyphenation; it makes
129.\" way too many mistakes in technical documents.
130.if n .ad l
131.nh
132.SH "NAME"
133rsautl \- RSA utility
134.SH "SYNOPSIS"
135.IX Header "SYNOPSIS"
136\&\fBopenssl\fR \fBrsautl\fR
137[\fB\-in file\fR]
138[\fB\-out file\fR]
139[\fB\-inkey file\fR]
140[\fB\-pubin\fR]
141[\fB\-certin\fR]
142[\fB\-sign\fR]
143[\fB\-verify\fR]
144[\fB\-encrypt\fR]
145[\fB\-decrypt\fR]
146[\fB\-pkcs\fR]
147[\fB\-ssl\fR]
148[\fB\-raw\fR]
149[\fB\-hexdump\fR]
150[\fB\-asn1parse\fR]
151.SH "DESCRIPTION"
152.IX Header "DESCRIPTION"
153The \fBrsautl\fR command can be used to sign, verify, encrypt and decrypt
154data using the \s-1RSA\s0 algorithm.
155.SH "COMMAND OPTIONS"
156.IX Header "COMMAND OPTIONS"
157.IP "\fB\-in filename\fR" 4
158.IX Item "-in filename"
159This specifies the input filename to read data from or standard input
160if this option is not specified.
161.IP "\fB\-out filename\fR" 4
162.IX Item "-out filename"
163specifies the output filename to write to or standard output by
164default.
165.IP "\fB\-inkey file\fR" 4
166.IX Item "-inkey file"
167the input key file, by default it should be an \s-1RSA\s0 private key.
168.IP "\fB\-pubin\fR" 4
169.IX Item "-pubin"
170the input file is an \s-1RSA\s0 public key.
171.IP "\fB\-certin\fR" 4
172.IX Item "-certin"
173the input is a certificate containing an \s-1RSA\s0 public key.
174.IP "\fB\-sign\fR" 4
175.IX Item "-sign"
176sign the input data and output the signed result. This requires
177and \s-1RSA\s0 private key.
178.IP "\fB\-verify\fR" 4
179.IX Item "-verify"
180verify the input data and output the recovered data.
181.IP "\fB\-encrypt\fR" 4
182.IX Item "-encrypt"
183encrypt the input data using an \s-1RSA\s0 public key.
184.IP "\fB\-decrypt\fR" 4
185.IX Item "-decrypt"
186decrypt the input data using an \s-1RSA\s0 private key.
187.IP "\fB\-pkcs, \-oaep, \-ssl, \-raw\fR" 4
188.IX Item "-pkcs, -oaep, -ssl, -raw"
189the padding to use: PKCS#1 v1.5 (the default), PKCS#1 \s-1OAEP\s0,
190special padding used in \s-1SSL\s0 v2 backwards compatible handshakes,
191or no padding, respectively.
192For signatures, only \fB\-pkcs\fR and \fB\-raw\fR can be used.
193.IP "\fB\-hexdump\fR" 4
194.IX Item "-hexdump"
195hex dump the output data.
196.IP "\fB\-asn1parse\fR" 4
197.IX Item "-asn1parse"
198asn1parse the output data, this is useful when combined with the
199\&\fB\-verify\fR option.
200.SH "NOTES"
201.IX Header "NOTES"
202\&\fBrsautl\fR because it uses the \s-1RSA\s0 algorithm directly can only be
203used to sign or verify small pieces of data.
204.SH "EXAMPLES"
205.IX Header "EXAMPLES"
206Sign some data using a private key:
207.PP
208.Vb 1
209\& openssl rsautl \-sign \-in file \-inkey key.pem \-out sig
210.Ve
211.PP
212Recover the signed data
213.PP
214.Vb 1
215\& openssl rsautl \-verify \-in sig \-inkey key.pem
216.Ve
217.PP
218Examine the raw signed data:
219.PP
220.Vb 1
221\& openssl rsautl \-verify \-in file \-inkey key.pem \-raw \-hexdump
222\&
223\& 0000 \- 00 01 ff ff ff ff ff ff\-ff ff ff ff ff ff ff ff ................
224\& 0010 \- ff ff ff ff ff ff ff ff\-ff ff ff ff ff ff ff ff ................
225\& 0020 \- ff ff ff ff ff ff ff ff\-ff ff ff ff ff ff ff ff ................
226\& 0030 \- ff ff ff ff ff ff ff ff\-ff ff ff ff ff ff ff ff ................
227\& 0040 \- ff ff ff ff ff ff ff ff\-ff ff ff ff ff ff ff ff ................
228\& 0050 \- ff ff ff ff ff ff ff ff\-ff ff ff ff ff ff ff ff ................
229\& 0060 \- ff ff ff ff ff ff ff ff\-ff ff ff ff ff ff ff ff ................
230\& 0070 \- ff ff ff ff 00 68 65 6c\-6c 6f 20 77 6f 72 6c 64 .....hello world
231.Ve
232.PP
233The PKCS#1 block formatting is evident from this. If this was done using
234encrypt and decrypt the block would have been of type 2 (the second byte)
235and random padding data visible instead of the 0xff bytes.
236.PP
237It is possible to analyse the signature of certificates using this
238utility in conjunction with \fBasn1parse\fR. Consider the self signed
239example in certs/pca\-cert.pem . Running \fBasn1parse\fR as follows yields:
240.PP
241.Vb 1
242\& openssl asn1parse \-in pca\-cert.pem
243\&
244\& 0:d=0 hl=4 l= 742 cons: SEQUENCE
245\& 4:d=1 hl=4 l= 591 cons: SEQUENCE
246\& 8:d=2 hl=2 l= 3 cons: cont [ 0 ]
247\& 10:d=3 hl=2 l= 1 prim: INTEGER :02
248\& 13:d=2 hl=2 l= 1 prim: INTEGER :00
249\& 16:d=2 hl=2 l= 13 cons: SEQUENCE
250\& 18:d=3 hl=2 l= 9 prim: OBJECT :md5WithRSAEncryption
251\& 29:d=3 hl=2 l= 0 prim: NULL
252\& 31:d=2 hl=2 l= 92 cons: SEQUENCE
253\& 33:d=3 hl=2 l= 11 cons: SET
254\& 35:d=4 hl=2 l= 9 cons: SEQUENCE
255\& 37:d=5 hl=2 l= 3 prim: OBJECT :countryName
256\& 42:d=5 hl=2 l= 2 prim: PRINTABLESTRING :AU
257\& ....
258\& 599:d=1 hl=2 l= 13 cons: SEQUENCE
259\& 601:d=2 hl=2 l= 9 prim: OBJECT :md5WithRSAEncryption
260\& 612:d=2 hl=2 l= 0 prim: NULL
261\& 614:d=1 hl=3 l= 129 prim: BIT STRING
262.Ve
263.PP
264The final \s-1BIT\s0 \s-1STRING\s0 contains the actual signature. It can be extracted with:
265.PP
266.Vb 1
267\& openssl asn1parse \-in pca\-cert.pem \-out sig \-noout \-strparse 614
268.Ve
269.PP
270The certificate public key can be extracted with:
271.PP
272.Vb 1
273\& openssl x509 \-in test/testx509.pem \-pubkey \-noout >pubkey.pem
274.Ve
275.PP
276The signature can be analysed with:
277.PP
278.Vb 1
279\& openssl rsautl \-in sig \-verify \-asn1parse \-inkey pubkey.pem \-pubin
280\&
281\& 0:d=0 hl=2 l= 32 cons: SEQUENCE
282\& 2:d=1 hl=2 l= 12 cons: SEQUENCE
283\& 4:d=2 hl=2 l= 8 prim: OBJECT :md5
284\& 14:d=2 hl=2 l= 0 prim: NULL
285\& 16:d=1 hl=2 l= 16 prim: OCTET STRING
286\& 0000 \- f3 46 9e aa 1a 4a 73 c9\-37 ea 93 00 48 25 08 b5 .F...Js.7...H%..
287.Ve
288.PP
289This is the parsed version of an \s-1ASN1\s0 DigestInfo structure. It can be seen that
290the digest used was md5. The actual part of the certificate that was signed can
291be extracted with:
292.PP
293.Vb 1
294\& openssl asn1parse \-in pca\-cert.pem \-out tbs \-noout \-strparse 4
295.Ve
296.PP
297and its digest computed with:
298.PP
299.Vb 2
300\& openssl md5 \-c tbs
301\& MD5(tbs)= f3:46:9e:aa:1a:4a:73:c9:37:ea:93:00:48:25:08:b5
302.Ve
303.PP
304which it can be seen agrees with the recovered value above.
305.SH "SEE ALSO"
306.IX Header "SEE ALSO"
307\&\fIdgst\fR\|(1), \fIrsa\fR\|(1), \fIgenrsa\fR\|(1)