RSA(8) RSA(8)
NAME
rsagen, rsafill, asn12rsa, rsa2pub, rsa2ssh, rsa2x509 -
generate and format rsa keys
SYNOPSIS
rsagen [ -b nbits ] [ -t tag ]
rsafill [ file ]
asn12rsa [ -t tag ] [ file ]
rsa2pub [ file ]
rsa2ssh [ file ]
rsa2x509 [ -e expiretime ] certinfo [ file ]
DESCRIPTION
Plan 9 represents an RSA key as an attribute-value pair list
prefixed with the string key; this is the generic key format
used by factotum(4). A full RSA private key has the follow-
ing attributes:
proto must be rsa
size the number of significant bits in n
ek the encryption exponent
n the product of !p and !q
!dk the decryption exponent
!p a large prime
!q another large prime
!kp, !kq, !c2
parameters derived from the other attributes, cached
to speed decryption
All the numbers are in hexadecimal except size , which is
decimal. An RSA public key omits the attributes beginning
with `! .' A key may have other attributes as well (for
example, a service attribute identifying how this key is
typically used), but to these utilities such attributes are
merely comments.
For example, a very small (and thus insecure) private key
Page 1 Plan 9 (printed 11/18/24)
RSA(8) RSA(8)
and corresponding public key might be:
key proto=rsa size=8 ek=7 n=8F !dk=67 !p=B !q=D !kp=3 !kq=7 !c2=6
key proto=rsa size=8 ek=7 n=8F
Note that the order of the attributes does not matter.
Rsagen prints a randomly generated RSA private key whose n
has exactly nbits (default 1024) significant bits. If tag
is specified, it is printed between key and proto=rsa; typi-
cally, tag is a sequence of attribute-value comments
describing the key.
Rsafill reads a private key, recomputes the !kp, !kq, and
!c2 attributes if they are missing, and prints a full key.
Asn12rsa reads an RSA private key stored as ASN.1 encoded in
the binary Distinguished Encoding Rules (DER) and prints a
Plan 9 RSA key, inserting tag exactly as rsagen does.
ASN.1/DER is a popular key format on Unix and Windows; it is
often encoded in text form using the Privacy Enhanced Mail
(PEM) format in a section labeled as an ``RSA PRIVATE KEY.''
The command:
auth/pemdecode 'RSA PRIVATE KEY' | auth/asn12rsa
extracts the key section from a textual ASN.1/DER/PEM key
into binary ASN.1/DER format and then converts it to a Plan
9 RSA key.
Rsa2pub reads a Plan 9 RSA public or private key, removes
the private attributes, and prints the resulting public key.
Comment attributes are preserved.
Rsa2ssh reads a Plan 9 RSA public or private key and prints
the public portion in the format used by SSH: three space-
separated decimal numbers size, ek, and n. For compatibil-
ity with external SSH implementations, the public keys in
/sys/lib/ssh/keyring and $home/lib/keyring are stored in
this format.
Rsa2x509 reads a Plan 9 RSA private key and writes a self-
signed X.509 certificate encoded in ASN.1/DER format to
standard output. (Note that ASN.1/DER X.509 certificates
are different from ASN.1/DER private keys). The certificate
uses the current time as its start time and expires
expiretime seconds (default 3 years) later. It contains the
public half of the key and includes certinfo as the
issuer/subject string (also known as a ``Distinguished
Name''). This info is typically in the form:
C=US ST=NJ L=07974 O=Lucent OU='Bell Labs' CN=G.R.Emlin
Page 2 Plan 9 (printed 11/18/24)
RSA(8) RSA(8)
The X.509 ASN.1/DER format is often encoded in text using a
PEM section labeled as a ``CERTIFICATE.'' The command:
auth/rsa2x509 'C=US OU=''Bell Labs''' file |
auth/pemencode CERTIFICATE
generates such a textual certificate. Applications that
serve TLS-encrypted sessions (for example, httpd(8),
pop3(8), and tlssrv(8)) expect certificates in ASN.1/DER/PEM
format.
EXAMPLES
Generate a fresh key and use it to start a TLS-enabled web
server:
auth/rsagen -t 'service=tls owner=*' >key
auth/rsa2x509 'C=US CN=*.cs.bell-labs.com' key |
auth/pemencode CERTIFICATE >cert
cat key >/mnt/factotum/ctl
ip/httpd/httpd -c cert
Generate a fresh key and configure a remote Unix system to
allow use of that key for logins:
auth/rsagen -t 'service=ssh' >key
auth/rsa2ssh key | ssh unix 'cat >>.ssh/authorized_keys'
cat key >/mnt/factotum/ctl
ssh unix
SOURCE
/sys/src/cmd/auth
SEE ALSO
factotum(4), pem(8), ssh(1)
BUGS
There are too many key formats.
Page 3 Plan 9 (printed 11/18/24)