dsagen, rsagen, rsafill, asn12dsa, asn12rsa, dsa2pub, rsa2csr, rsa2pub, dsa2ssh, rsa2ssh, rsa2x509 - generate and format dsa and rsa keys
Plan 9 represents DSA and RSA keys as attribute-value pair lists
prefixed with the string
this is the generic key format used by
A full DSA private key has the following attributes:
prime group order; divides
A full RSA private key has the following attributes:
the number of significant bits in
the encryption exponent
the decryption exponent
!kp, !kq, !c2
parameters derived from the other attributes, cached to speed decryption
All the numbers in both keys are in hexadecimal except RSA's
A public key omits the attributes beginning with
A key may have other attributes as well (for example, a
attribute identifying how this key is typically used),
but to these utilities such attributes are merely comments.
For example, a very small (and thus insecure) private key and corresponding
key proto=rsa size=8 ek=7 n=8F !dk=67 !p=B !q=D !kp=3 !kq=7 !c2=6
key proto=rsa size=8 ek=7 n=8F
Note that the order of the attributes does not matter.
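The key format above, as an added Python example (not part of the original manual page or the Plan 9 sources): it parses a key line, drops the private attributes to leave the public key, and checks that the cached parameters of the page's toy RSA key agree with the other attributes. The function names are hypothetical; the `!` prefix for private attributes is read off the example key pair, and the definitions kp = dk mod (p-1), kq = dk mod (q-1), c2 = p^-1 mod q are assumptions based on the usual CRT arrangement, which the page does not spell out.

```python
import shlex

# The toy private key printed on this page (insecure by design).
SAMPLE = "key proto=rsa size=8 ek=7 n=8F !dk=67 !p=B !q=D !kp=3 !kq=7 !c2=6"

def parse_key(line):
    """Parse one 'key attr=value ...' line into an ordered dict of strings."""
    words = shlex.split(line)  # handles 'quoted values'; rc's '' escape is not handled
    if not words or words[0] != "key":
        raise ValueError("line does not start with 'key'")
    attrs = {}
    for word in words[1:]:
        name, sep, value = word.partition("=")
        if not sep:
            raise ValueError(f"attribute without '=': {word!r}")
        attrs[name] = value
    return attrs

def public_part(attrs):
    """Drop private attributes (names starting with '!'); comments survive."""
    return {k: v for k, v in attrs.items() if not k.startswith("!")}

def format_key(attrs):
    """Print attributes back in key-line form (values assumed to need no quoting)."""
    return "key " + " ".join(f"{k}={v}" for k, v in attrs.items())

def check_rsa(attrs):
    """Return a list of inconsistencies found in a full RSA private key."""
    if attrs.get("proto") != "rsa":
        raise ValueError("not an RSA key")
    n, ek, dk, p, q, kp, kq, c2 = (
        int(attrs[a], 16) for a in ("n", "ek", "!dk", "!p", "!q", "!kp", "!kq", "!c2"))
    problems = []
    if p * q != n:
        problems.append("n != p*q")
    # ek and dk must be inverses modulo both p-1 and q-1 for decryption to work.
    if (ek * dk) % (p - 1) != 1 or (ek * dk) % (q - 1) != 1:
        problems.append("ek*dk != 1 mod (p-1) and (q-1)")
    # Assumed CRT definitions of the cached values (not stated on the page).
    if kp != dk % (p - 1):
        problems.append("!kp != dk mod (p-1)")
    if kq != dk % (q - 1):
        problems.append("!kq != dk mod (q-1)")
    if c2 != pow(p, -1, q):  # modular inverse; needs Python 3.8+
        problems.append("!c2 != p^-1 mod q")
    return problems

if __name__ == "__main__":
    key = parse_key(SAMPLE)
    print(check_rsa(key) or "consistent")
    print(format_key(public_part(key)))
```

Running the same check on the output of a public-key conversion is a quick way to confirm that no `!` attribute leaked into a file meant for distribution.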
prints a randomly generated DSA private key using the
NIST-recommended algorithm.
is specified, it is printed between
is a sequence of attribute-value comments describing the key.
prints a randomly generated RSA private key
attributes if they are missing,
and prints a full key.
reads a DSA private key stored as ASN.1
encoded in the binary Distinguished Encoding Rules (DER)
and prints a Plan 9 DSA key,
ASN.1/DER is a popular key format on Unix and Windows;
it is often encoded in text form using the Privacy Enhanced Mail (PEM) format
in a section labeled as an
pemdecode 'DSA PRIVATE KEY' | asn12dsa
extracts the key section from a textual ASN.1/DER/PEM key
into binary ASN.1/DER format and then
converts it to a Plan 9 DSA key.
is similar but operates on RSA keys.
reads a Plan 9 DSA public or private key,
removes the private attributes, and prints the resulting public key.
Comment attributes are preserved.
is similar but operates on RSA keys.
reads a Plan 9 DSA public or private key and prints the
public portion in the format used by SSH version 2 (version 1 did not support DSA).
attribute, that comment is appended to the key.
is similar but operates on RSA keys.
It decides whether to print in version 1 or version 2
format by inspecting the
are useful for generating SSH's
reads a Plan 9 RSA private key and writes a self-signed X.509 certificate
encoded in ASN.1/DER format to standard output.
(Note that ASN.1/DER X.509 certificates are different from ASN.1/DER private keys).
The certificate uses the current time as its start time and expires
It contains the public half of the key
as the issuer/subject string (also known as a ``Distinguished Name'').
This info is typically in the form:
C=US ST=NJ L=07974 O=Lucent OU='Bell Labs' CN=G.R.Emlin
The X.509 ASN.1/DER format is often encoded in text using a PEM section
``CERTIFICATE.''
rsa2x509 'C=US OU=''Bell Labs''' file |
pemencode CERTIFICATE
generates such a textual certificate.
Applications that serve TLS-encrypted sessions
typically expect certificates in ASN.1/DER/PEM format.
but writes an X.509 certificate request.
Generate a fresh key and use it to start the Plan 9 TLS-enabled web server:
rsagen -t 'service=tls owner=*' >key
rsa2x509 'C=US CN=*.cs.bell-labs.com' key |
pemencode CERTIFICATE >cert
cat key >/mnt/factotum/ctl
ip/httpd/httpd -c cert
Generate a fresh set of SSH keys (only one is necessary),
load them into factotum,
and configure a remote Unix system to allow those keys for logins:
rsagen -t 'service=ssh role=decrypt' >rsa1
rsagen -t 'service=ssh-rsa role=sign' >rsa2
dsagen -t 'service=ssh-dss role=sign' >dsa2
Convert existing Unix SSH version 2 keys instead of generating new ones:
pemdecode 'DSA PRIVATE KEY' id_dsa | asn12dsa >dsa2
pemdecode 'RSA PRIVATE KEY' id_rsa | asn12rsa >rsa2
Load those keys into factotum:
cat rsa1 rsa2 dsa2 | 9p write -l factotum/ctl
Allow use of those keys for logins on other systems:
rsa2ssh rsa1 >auth.keys
rsa2ssh rsa2 >>auth.keys
dsa2ssh dsa2 >>auth.keys
scp auth.keys unix:.ssh/authorized_keys
There are too many key formats.
There is no program to convert SSH version 1 RSA private keys.