auth/asn12rsa [ -t tag ] [ file ]
auth/rsa2x509 [ -e expiretime ] certinfo [ file ]
proto must be rsa
size the number of significant bits in n
ek the encryption exponent
n the product of !p and !q
!dk the decryption exponent
!p a large prime
!q another large prime
"!kp, \fL!kq, \fL!c2 parameters derived from the other attributes, cached to speed decryption
All the numbers are in hexadecimal except size , which is decimal. An RSA public key omits the attributes beginning with .LR ! . A key may have other attributes as well (for example, a service attribute identifying how this key is typically used), but to these utilities such attributes are merely comments.
For example, a very small (and thus insecure) private key and corresponding public key might be:
.EX key proto=rsa size=8 ek=7 n=8F !dk=67 !p=B !q=D !kp=3 !kq=7 !c2=6 key proto=rsa size=8 ek=7 n=8FNote that the order of the attributes does not matter.
Rsagen prints a randomly generated RSA private key whose n has exactly nbits (default 1024) significant bits. If tag is specified, it is printed between key and proto=rsa ; typically, tag is a sequence of attribute-value comments describing the key.
Rsafill reads a private key, recomputes the !kp , !kq , and !c2 attributes if they are missing, and prints a full key.
Asn12rsa reads an RSA private key stored as ASN.1 encoded in the binary Distinguished Encoding Rules (DER) and prints a Plan 9 RSA key, inserting tag exactly as rsagen does. ASN.1/DER is a popular key format on Unix and Windows; it is often encoded in text form using the Privacy Enhanced Mail (PEM) format in a section labeled as an `` RSA PRIVATE KEY .'' The command:
.EX auth/pemdecode 'RSA PRIVATE KEY' | auth/asn12rsaextracts the key section from a textual ASN.1/DER/PEM key into binary ASN.1/DER format and then converts it to a Plan 9 RSA key.
Rsa2pub reads a Plan 9 RSA public or private key, removes the private attributes, and prints the resulting public key. Comment attributes are preserved.
Rsa2ssh reads a Plan 9 RSA public or private key and prints the public portion in the format used by SSH: three space-separated decimal numbers size , ek , and n . For compatibility with external SSH implementations, the public keys in /sys/lib/ssh/keyring and $home/lib/keyring are stored in this format.
Rsa2x509 reads a Plan 9 RSA private key and writes a self-signed X.509 certificate encoded in ASN.1/DER format to standard output. (Note that ASN.1/DER X.509 certificates are different from ASN.1/DER private keys). The certificate uses the current time as its start time and expires expiretime seconds (default 3 years) later. It contains the public half of the key and includes certinfo as the issuer/subject string (also known as a ``Distinguished Name''). This info is typically in the form:
.EX C=US ST=NJ L=07974 O=Lucent OU='Bell Labs' CN=G.R.EmlinThe X.509 ASN.1/DER format is often encoded in text using a PEM section labeled as a `` CERTIFICATE .'' The command:
.EX auth/rsa2x509 'C=US OU=''Bell Labs''' file | auth/pemencode CERTIFICATEgenerates such a textual certificate. Applications that serve TLS-encrypted sessions (for example, httpd (8), pop3 (8), and tlssrv (8)) expect certificates in ASN.1/DER/PEM format.
Generate a fresh key and configure a remote Unix system to allow use of that key for logins:
.EX auth/rsagen -t 'service=ssh' >key auth/rsa2ssh key | ssh unix 'cat >>.ssh/authorized_keys' cat key >/mnt/factotum/ctl ssh unix