Museum

Home

Lab Overview

Retrotechnology Articles

Online Manuals

⇒ (8) — Plan9 4th Edition

Media Vault

Software Library

Restoration Projects

Artifacts Sought

Related Articles

factotum(4)

pem(8)

ssh(1)

RSA(8)

NAME

rsagen, rsafill, asn12rsa, rsa2pub, rsa2ssh, rsa2x509 − generate and format rsa keys

SYNOPSIS

­rsagen [ ­-b ­nbits ] [ ­-t ­tag ]

­rsafill [ ­file ]

­asn12rsa [ ­-t ­tag ] [ ­file ]

­rsa2pub [ ­file ]

­rsa2ssh [ ­file ]

­rsa2x509 [ ­-e ­expiretime ] ­certinfo [ ­file ]

DESCRIPTION

Plan 9 represents an RSA key as an attribute-value pair list prefixed with the string key; this is the generic key format used by factotum(4). A full RSA private key has the following attributes:

­proto
must be ­rsa

­size the number of significant bits in ­n

­ek the encryption exponent

­n the product of ­!p and ­!q

­!dk the decryption exponent

­!p a large prime

­!q another large prime

­!kp, !kq, !c2
parameters derived from the other attributes, cached to speed decryption

All the numbers are in hexadecimal except ­size , which is decimal.  An RSA public key omits the attributes beginning with ­! .  A key may have other attributes as well (for example, a ­service attribute identifying how this key is typically used), but to these utilities such attributes are merely comments. 

For example, a very small (and thus insecure) private key and corresponding public key might be:

key proto=rsa size=8 ek=7 n=8F !dk=67 !p=B !q=D !kp=3 !kq=7 !c2=6
key proto=rsa size=8 ek=7 n=8F

Note that the order of the attributes does not matter. 

­Rsagen prints a randomly generated RSA private key whose ­n has exactly ­nbits (default 1024) significant bits.  If ­tag is specified, it is printed between ­key and proto=rsa; typically, ­tag is a sequence of attribute-value comments describing the key. 

­Rsafill reads a private key, recomputes the !kp, !kq, and !c2 attributes if they are missing, and prints a full key. 

­Asn12rsa reads an RSA private key stored as ASN.1 encoded in the binary Distinguished Encoding Rules (DER) and prints a Plan 9 RSA key, inserting ­tag exactly as ­rsagen does.  ASN.1/DER is a popular key format on Unix and Windows; it is often encoded in text form using the Privacy Enhanced Mail (PEM) format in a section labeled as an “RSA ­PRIVATE KEY.” The command:

auth/pemdecode ’RSA PRIVATE KEY’ | auth/asn12rsa

extracts the key section from a textual ASN.1/DER/PEM key into binary ASN.1/DER format and then converts it to a Plan 9 RSA key. 

­Rsa2pub reads a Plan 9 RSA public or private key, removes the private attributes, and prints the resulting public key.  Comment attributes are preserved. 

­Rsa2ssh reads a Plan 9 RSA public or private key and prints the public portion in the format used by SSH: three space-separated decimal numbers size, ek, and n.  For compatibility with external SSH implementations, the public keys in ­/sys/lib/ssh/keyring and ­$home/lib/keyring are stored in this format. 

­Rsa2x509 reads a Plan 9 RSA private key and writes a self-signed X.509 certificate encoded in ASN.1/DER format to standard output.  (Note that ASN.1/DER X.509 certificates are different from ASN.1/DER private keys).  The certificate uses the current time as its start time and expires ­expiretime seconds (default 3 years) later.  It contains the public half of the key and includes ­certinfo as the issuer/subject string (also known as a “Distinguished Name”).  This info is typically in the form:

C=US ST=NJ L=07974 O=Lucent OU=’Bell Labs’ CN=G.R.Emlin

The X.509 ASN.1/DER format is often encoded in text using a PEM section labeled as a “CERTIFICATE.” The command:

auth/rsa2x509 ’C=US OU=”Bell Labs file |
auth/pemencode CERTIFICATE

generates such a textual certificate.  Applications that serve TLS-encrypted sessions (for example, httpd(8), pop3(8), and tlssrv(8)) expect certificates in ASN.1/DER/PEM format.

EXAMPLES

Generate a fresh key and use it to start a TLS-enabled web server:

auth/rsagen -t ’service=tls owner=∗’ >key
auth/rsa2x509 ’C=US CN=∗.cs.bell-labs.com’ key |
auth/pemencode CERTIFICATE >cert
cat key >/mnt/factotum/ctl
ip/httpd/httpd -c cert

Generate a fresh key and configure a remote Unix system to allow use of that key for logins:

auth/rsagen -t ’service=ssh’ >key
auth/rsa2ssh key | ssh unix ’cat >>.ssh/authorized_keys’
cat key >/mnt/factotum/ctl
ssh unix

SOURCE

­/sys/src/cmd/auth

SEE ALSO

factotum(4), pem(8), ssh(1)

BUGS

There are too many key formats. 

Plan 9  —  July 11, 2003

Typewritten Software • bear@typewritten.org • Edmonds, WA 98026