.SH NAME
dsagen, rsagen, rsafill, asn12dsa, asn12rsa, dsa2pub, rsa2csr, rsa2pub, dsa2ssh, rsa2ssh, rsa2x509 \- generate and format dsa and rsa keys
.SH SYNOPSIS
.B dsagen
.PP
.B rsagen
.PP
.B rsafill
.PP
.B asn12dsa
.PP
.B asn12rsa
.PP
.B dsa2pub
.PP
.B rsa2pub
.PP
.B dsa2ssh
.PP
.B rsa2ssh
.PP
.B rsa2x509
.I expiretime
.I certinfo
.PP
.B rsa2csr
.I certinfo
.SH DESCRIPTION
Plan 9 represents DSA and RSA keys as attribute-value pair lists
prefixed with the string
.BR key ;
this is the generic key format used by
.IR factotum (4).
Attributes whose names begin with
.B !
hold the secret components of the key.
A full DSA private key has the following attributes:
.TP
.B proto
.B dsa
.TP
.B p
prime public modulus
.TP
.B q
prime group order; divides
.BR p -1
.TP
.B alpha
group generator
.TP
.B key
.BR alpha ^ !secret
(the public value)
.TP
.B !secret
the secret exponent
.PP
A full RSA private key has the following attributes:
.TP
.B proto
.B rsa
.TP
.B size
the number of significant bits in
.B n
.TP
.B ek
the encryption exponent
.TP
.B n
the modulus, the product of
.B !p
and
.B !q
.TP
.B !dk
the decryption exponent
.TP
.B !p
a large prime
.TP
.B !q
another large prime
.TP
.B "!kp\fR, \fL!kq\fR, \fL!c2
parameters derived from the other attributes, cached to speed decryption:
the Chinese-remainder exponents
.B !dk
reduced modulo
.BR !p -1
and
.BR !q -1,
and the coefficient used to recombine the two half-results
.PP
All the numbers in both keys are in hexadecimal except RSA's
.IR size ,
which is decimal.
A public key omits the attributes beginning with
.BR ! .
A key may have other attributes as well (for example, a
.B service
attribute identifying how this key is typically used),
but to these utilities such attributes are merely comments.
.PP
For example, a very small (and thus insecure) private key and the corresponding
public key might be:
.EX
key proto=rsa size=8 ek=7 n=8F !dk=67 !p=B !q=D !kp=3 !kq=7 !c2=6
key proto=rsa size=8 ek=7 n=8F
.EE
.PP
The order of the attributes does not matter.
.PP
.I Dsagen
prints a randomly generated DSA private key using the
NIST-recommended algorithm.
If a tag (the argument to
.BR -t )
is specified, it is printed between
.B key
and
.BR proto=dsa ;
typically the tag
is a sequence of attribute-value comments describing the key.
.PP
.I Rsagen
prints a randomly generated RSA private key
whose modulus
.B n
has exactly
.I nbits
(default 1024)
significant bits.
A 1024-bit modulus is below current recommendations;
ask for 2048 or more for any key that will protect real traffic.
.PP
.I Rsafill
reads a private key,
recomputes the
.BR !kp ,
.BR !kq ,
and
.B !c2
attributes if they are missing,
and prints a full key.
.PP
.I Asn12dsa
reads a DSA private key stored as ASN.1
encoded in the binary Distinguished Encoding Rules (DER)
and prints a Plan 9 DSA key,
inserting the optional tag
exactly as
.I dsagen
does.
ASN.1/DER is a popular key format on Unix and Windows;
it is often encoded in text form using the Privacy Enhanced Mail (PEM) format
in a section labeled as a
.RB `` DSA
.B PRIVATE
.BR KEY .''
The command:
.EX
pemdecode 'DSA PRIVATE KEY' | asn12dsa
.EE
extracts the key section from a textual ASN.1/DER/PEM key
into binary ASN.1/DER format and then
converts it to a Plan 9 DSA key.
.PP
.I Asn12rsa
is similar but operates on RSA keys.
.PP
.I Dsa2pub
reads a Plan 9 DSA public or private key,
removes the private attributes (those beginning with
.BR ! ),
and prints the resulting public key.
Comment attributes are preserved.
.PP
.I Rsa2pub
is similar but operates on RSA keys.
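The relations the attributes listed above must satisfy, together with what
.I rsafill
and the two
.I ..2pub
programs compute, as an added example in Python.
This is not plan9port code: it parses the
.B key
line format, checks an RSA or DSA key for internal consistency (a tampered or mis-copied key fails loudly instead of silently producing bad signatures), fills in the missing cached RSA values, and strips the
.B !
attributes while keeping comments.
The RSA key is the page's toy example; the DSA key, the tampered keys, the name
.B key
for the DSA public value, and the convention that
.B !c2
is the inverse of
.B !p
modulo
.B !q
are assumptions (the toy key satisfies both possible directions of that inverse).

```python
# Added example, not plan9port code: parse Plan 9 "key ..." lines, check that
# the attributes are mutually consistent, recompute the cached RSA CRT values
# (what rsafill does) and strip the private attributes (what rsa2pub/dsa2pub do).
from math import gcd


def parse_key(line):
    """Parse 'key attr=value ...' into an ordered dict of attribute -> string value."""
    words = line.split()
    if not words or words[0] != "key":
        raise ValueError("not a Plan 9 key line")
    attrs = {}
    for word in words[1:]:
        name, _, value = word.partition("=")
        attrs[name] = value            # attributes without '=' get an empty value
    return attrs


def format_key(attrs):
    """Inverse of parse_key; attribute order is preserved but is not significant."""
    return "key " + " ".join(f"{k}={v}" for k, v in attrs.items())


def num(attrs, name):
    """All numbers are hexadecimal except RSA's size, which is decimal."""
    return int(attrs[name], 10 if name == "size" else 16)


def check_rsa(attrs):
    """Return the list of violated relations; an empty list means the key is consistent."""
    n, ek = num(attrs, "n"), num(attrs, "ek")
    bad = []
    if n.bit_length() != num(attrs, "size"):
        bad.append("size != significant bits of n")
    if "!p" not in attrs:              # public key: nothing else to check
        return bad
    p, q, dk = num(attrs, "!p"), num(attrs, "!q"), num(attrs, "!dk")
    if p * q != n:
        bad.append("n != !p*!q")
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)      # Carmichael lambda(n)
    if ek * dk % lam != 1:
        bad.append("ek*!dk != 1 mod lcm(!p-1, !q-1)")
    # Cached CRT values. The direction of !c2 (inverse of !p mod !q) is an
    # assumption; the page's toy key satisfies both directions.
    if "!kp" in attrs and num(attrs, "!kp") != dk % (p - 1):
        bad.append("!kp != !dk mod (!p-1)")
    if "!kq" in attrs and num(attrs, "!kq") != dk % (q - 1):
        bad.append("!kq != !dk mod (!q-1)")
    if "!c2" in attrs and num(attrs, "!c2") * p % q != 1:
        bad.append("!c2 != !p^-1 mod !q")
    return bad


def check_dsa(attrs):
    """Same for DSA; 'key' as the name of the public value alpha^!secret is assumed."""
    p, q, alpha, y = (num(attrs, a) for a in ("p", "q", "alpha", "key"))
    bad = []
    if (p - 1) % q:
        bad.append("q does not divide p-1")
    if alpha <= 1 or pow(alpha, q, p) != 1:
        bad.append("alpha does not generate a subgroup of order q")
    if "!secret" in attrs and pow(alpha, num(attrs, "!secret"), p) != y:
        bad.append("key != alpha^!secret mod p")
    return bad


def check_key(attrs):
    return {"rsa": check_rsa, "dsa": check_dsa}[attrs["proto"]](attrs)


def rsafill(attrs):
    """Add !kp, !kq and !c2 from !p, !q and !dk when they are missing (rsafill's job)."""
    p, q, dk = num(attrs, "!p"), num(attrs, "!q"), num(attrs, "!dk")
    out = dict(attrs)
    out.setdefault("!kp", format(dk % (p - 1), "X"))
    out.setdefault("!kq", format(dk % (q - 1), "X"))
    out.setdefault("!c2", format(pow(p, -1, q), "X"))   # modular inverse, Python 3.8+
    return out


def to_pub(attrs):
    """Drop every attribute beginning with '!'; comments such as service= survive."""
    return {k: v for k, v in attrs.items() if not k.startswith("!")}


# The page's toy RSA key, plus a constructed toy DSA key (p=23, q=11, alpha=2 has
# order 11 mod 23, secret=5, 2^5 mod 23 = 9). Both are far too small to be secure.
RSA_PRIV = "key proto=rsa size=8 ek=7 n=8F !dk=67 !p=B !q=D !kp=3 !kq=7 !c2=6"
DSA_PRIV = "key proto=dsa service=ssh-dss p=17 q=B alpha=2 key=9 !secret=5"

if __name__ == "__main__":
    for line in (RSA_PRIV, DSA_PRIV):
        a = parse_key(line)
        print(check_key(a) or "consistent", "->", format_key(to_pub(a)))
    print(format_key(rsafill(parse_key("key proto=rsa size=8 ek=7 n=8F !dk=67 !p=B !q=D"))))
```

Run it on a key file before loading the key into factotum; a key that fails
.B check_key
will not decrypt or sign correctly, and the error string names the attribute that is wrong.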
.PP
.I Dsa2ssh
reads a Plan 9 DSA public or private key and prints the
public portion in the format used by SSH version 2 (version 1 did not support DSA).
If the key has a
.B comment
attribute, that comment is appended to the key.
.PP
.I Rsa2ssh
is similar but operates on RSA keys.
It decides whether to print in version 1 or version 2
format by inspecting the
.B service
attribute.
.PP
.I Dsa2ssh
and
.I rsa2ssh
are useful for generating SSH's
.B authorized_keys
files.
Note that SSH version 1 and DSA
.RB ( ssh-dss )
keys are both obsolete: current OpenSSH releases no longer speak protocol 1 and reject
.B ssh-dss
keys by default, so for logins on modern systems generate an RSA key with
.BR service=ssh-rsa .
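What the two
.I ..2ssh
programs have to emit, as an added example in Python rather than plan9port code.
It builds the
.B authorized_keys
line for a Plan 9 key: an SSH version 2 public key is the key type followed by a base64 blob of length-prefixed fields (RFC 4253 section 6.6, with multi-precision integers encoded as in RFC 4251), while a version 1 RSA key was the decimal triple
.IR "bits e n" .
The choice of version 1 for
.B service=ssh
and version 2 otherwise mirrors the page's examples but is an assumption about
.IR rsa2ssh ,
as is the name
.B key
for the DSA public value; the toy keys are constructed and useless for anything but a demonstration.

```python
# Added example, not plan9port code: build the authorized_keys line for a Plan 9
# key. SSH2 public keys are a base64 blob of length-prefixed fields (RFC 4253
# 6.6, mpints per RFC 4251); SSH1 RSA keys were plain "bits e n" in decimal.
import base64
import struct


def parse_key(line):
    """Minimal 'key attr=value ...' parser (see the key format described above)."""
    words = line.split()
    if not words or words[0] != "key":
        raise ValueError("not a Plan 9 key line")
    return dict(w.partition("=")[::2] for w in words[1:])


def ssh_string(b):
    return struct.pack(">I", len(b)) + b


def ssh_mpint(x):
    """Two's-complement big-endian, minimal length, extra 0x00 if the top bit is set."""
    if x == 0:
        return ssh_string(b"")
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return ssh_string(b)


def ssh2_line(keytype, *fields, comment=""):
    blob = ssh_string(keytype.encode()) + b"".join(ssh_mpint(f) for f in fields)
    line = keytype + " " + base64.b64encode(blob).decode()
    return line + (" " + comment if comment else "")


def rsa2ssh(line):
    """Version 1 for service=ssh, version 2 otherwise (assumed to mirror rsa2ssh)."""
    a = parse_key(line)
    if a.get("proto") != "rsa":
        raise ValueError("not an RSA key")
    e, n = int(a["ek"], 16), int(a["n"], 16)
    comment = a.get("comment", "")
    if a.get("service") == "ssh":          # SSH protocol 1: "bits e n comment"
        out = f"{n.bit_length()} {e} {n}"
        return out + (" " + comment if comment else "")
    return ssh2_line("ssh-rsa", e, n, comment=comment)


def dsa2ssh(line):
    """ssh-dss blob is p, q, g, y; 'key' as the attribute holding y is assumed."""
    a = parse_key(line)
    if a.get("proto") != "dsa":
        raise ValueError("not a DSA key")
    p, q, g, y = (int(a[k], 16) for k in ("p", "q", "alpha", "key"))
    return ssh2_line("ssh-dss", p, q, g, y, comment=a.get("comment", ""))


def decode_ssh2_line(line):
    """Split an SSH2 authorized_keys line into (type, blob fields, comment) for checking."""
    parts = line.split(" ", 2)
    blob = base64.b64decode(parts[1])
    fields, i = [], 0
    while i < len(blob):
        (ln,) = struct.unpack(">I", blob[i:i + 4])
        fields.append(blob[i + 4:i + 4 + ln])
        i += 4 + ln
    return parts[0], fields, parts[2] if len(parts) > 2 else ""


# Constructed toy keys: the page's 8-bit RSA key with tags added, and a DSA key
# with p=23, q=11, alpha=2, y=9. Neither is usable for anything but a demo.
RSA2 = "key proto=rsa service=ssh-rsa role=sign size=8 ek=7 n=8F !dk=67 !p=B !q=D comment=toy@plan9"
RSA1 = "key proto=rsa service=ssh role=decrypt size=8 ek=7 n=8F !dk=67 !p=B !q=D"
DSA2 = "key proto=dsa service=ssh-dss role=sign p=17 q=B alpha=2 key=9 !secret=5"

if __name__ == "__main__":
    for k in (RSA1, RSA2):
        print(rsa2ssh(k))
    print(dsa2ssh(DSA2))
```

Only public attributes are read, so the output is safe to ship to another host;
.B decode_ssh2_line
is the check to run on an
.B authorized_keys
entry whose provenance is unclear, since the blob's first field must equal the key type in front of it.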
.PP
.I Rsa2x509
reads a Plan 9 RSA private key and writes a self-signed X.509 certificate
encoded in ASN.1/DER format to standard output.
(ASN.1/DER X.509 certificates are a different structure from ASN.1/DER private keys.)
The certificate uses the current time as its start time and expires after
.I expiretime
(default 3 years).
It contains the public half of the key
and uses
.I certinfo
as both the issuer and the subject string (also known as a ``Distinguished Name''),
since the certificate signs itself.
This info is typically in the form:
.EX
C=US ST=NJ L=07974 O=Lucent OU='Bell Labs' CN=G.R.Emlin
.EE
The X.509 ASN.1/DER format is often encoded in text using a PEM section
labeled as a
.RB `` CERTIFICATE .''
The command:
.EX
rsa2x509 'C=US OU=''Bell Labs''' file |
	pemencode CERTIFICATE
.EE
generates such a textual certificate.
(The doubled quotes are
.IR rc (1)'s
way of embedding a single quote inside a quoted string; the argument
.I rsa2x509
sees is
.BR "C=US OU='Bell Labs'" .)
Applications that serve TLS-encrypted sessions
typically expect certificates in ASN.1/DER/PEM format.
.PP
.I Rsa2csr
is like
.I rsa2x509
but writes an X.509 certificate signing request, for a certificate authority to sign, instead of a self-signed certificate.
.SH EXAMPLES
Generate a fresh key and use it to start the Plan 9 TLS-enabled web server:
.EX
rsagen -t 'service=tls owner=*' >key
rsa2x509 'C=US CN=*.cs.bell-labs.com' key |
	pemencode CERTIFICATE >cert
cat key >/mnt/factotum/ctl
ip/httpd/httpd -c cert
.EE
The private key goes only to
.IR factotum (4);
the server is handed just the certificate, which carries the public half.
.PP
Generate a fresh set of SSH keys (only one is necessary),
load them into factotum,
and configure a remote Unix system to allow those keys for logins:
.EX
rsagen -t 'service=ssh role=decrypt' >rsa1
rsagen -t 'service=ssh-rsa role=sign' >rsa2
dsagen -t 'service=ssh-dss role=sign' >dsa2
.EE
(The first is an SSH version 1 key and the third a DSA key; both are obsolete and
disabled or removed in current OpenSSH, so the
.B ssh-rsa
key is the one to use.)
.PP
Convert existing Unix SSH version 2 keys instead of generating new ones:
.EX
cd $HOME/.ssh
pemdecode 'DSA PRIVATE KEY' id_dsa | asn12dsa >dsa2
pemdecode 'RSA PRIVATE KEY' id_rsa | asn12rsa >rsa2
.EE
This works only for unencrypted keys in the traditional PEM encodings named above.
A key protected by a passphrase carries
.B DEK-Info
headers and must be decrypted first, and a file whose section is labeled
.B OPENSSH PRIVATE KEY
is not ASN.1/DER at all; rewrite such a key with
.B ssh-keygen -p -N '' -m PEM
before converting it.
.PP
Load those keys into factotum:
.EX
cat rsa1 rsa2 dsa2 | 9p write -l factotum/ctl
.EE
.PP
Allow use of those keys for logins on other systems:
.EX
rsa2ssh rsa1 >auth.keys
rsa2ssh rsa2 >>auth.keys
dsa2ssh dsa2 >>auth.keys
scp auth.keys unix:.ssh/authorized_keys
.EE
Only the public halves leave the machine: no
.B !
attribute appears in
.BR auth.keys .
Note that the
.I scp
replaces any
.B authorized_keys
entries already on the remote system.
.SH SOURCE
.B \*9/src/cmd/auth
.SH "SEE ALSO"
.IR factotum (4),
.IR pem (1),
.IR ssh (1)
.SH BUGS
There are too many key formats.
.PP
There is no program to convert SSH version 1 RSA private keys.