OpenSSL utility: RSA encrypt/decrypt
05.08.2017

Let's play a little with the openssl utility and the RSA encrypt/decrypt process.

Within the utility there are 3 commands that are responsible for RSA:

  • openssl genrsa: Generates a private RSA key
  • openssl rsa: Manages RSA keys (e.g. extracts the public key from the private one)
  • openssl rsautl: RSA encrypt/decrypt

Let's generate a private key with a key length of 1024 bits:

# openssl genrsa -out private.key 1024

Extract the public key from the private one:

# openssl rsa -in private.key -pubout > public.key

Prepare in advance the two files we are going to experiment on:

# dd if=/dev/zero of=data8 count=8 bs=1
# dd if=/dev/zero of=data200 count=200 bs=1

It's worth mentioning that RSA can encrypt only a limited amount of data. For a 2048-bit key it's 256 bytes of data. For our 1024-bit key, even less useful data fits.

# openssl rsautl -encrypt -inkey public.key -pubin -in data8 > data8.enc
# openssl rsautl -encrypt -inkey public.key -pubin -in data200 > data200.enc
RSA operation error
140107901544096:error:0406D06E:rsa routines:RSA_padding_add_PKCS1_type_2:data too large for key size:rsa_pk1.c:151:
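
The error above comes from the padding step that rsautl applies by default before the RSA operation (PKCS#1 v1.5, block type 2). The following is an added example, not part of the original post: it rebuilds only that padding step (no RSA math) to show why data8 fits and data200 does not. The padding needs at least 11 bytes of the modulus size, so a 1024-bit key takes at most 117 bytes. The function names are my own.

```python
import os

PKCS1_OVERHEAD = 11  # 0x00, 0x02, at least 8 padding bytes, 0x00


def max_payload(key_bits):
    """Largest message, in bytes, that fits one PKCS#1 v1.5 encryption block."""
    return key_bits // 8 - PKCS1_OVERHEAD


def pad_type_2(message, key_bits):
    """Build the block 00 || 02 || PS || 00 || M, exactly as long as the modulus."""
    k = key_bits // 8
    if len(message) > k - PKCS1_OVERHEAD:
        raise ValueError("data too large for key size")
    ps = bytearray()
    while len(ps) < k - len(message) - 3:
        # PS must be random and must not contain a zero byte
        ps += bytes(b for b in os.urandom(k) if b != 0)
    ps = bytes(ps[: k - len(message) - 3])
    return b"\x00\x02" + ps + b"\x00" + message


def unpad_type_2(block, key_bits):
    """Recover M from a decrypted block, rejecting malformed padding."""
    k = key_bits // 8
    if len(block) != k or block[:2] != b"\x00\x02":
        raise ValueError("padding check failed")
    sep = block.find(b"\x00", 2)
    if sep < 10:  # covers "no separator" (-1) and PS shorter than 8 bytes
        raise ValueError("padding check failed")
    return block[sep + 1:]


def fits(size, key_bits):
    """True when `size` zero bytes (like data8 / data200) can be padded."""
    try:
        block = pad_type_2(bytes(size), key_bits)
    except ValueError:
        return False
    return unpad_type_2(block, key_bits) == bytes(size)


if __name__ == "__main__":
    for size in (8, 117, 118, 200):
        print(size, "bytes, 1024-bit key:", "ok" if fits(size, 1024) else "too large")
    print("max payload for 2048-bit key:", max_payload(2048))
```
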

Decrypt what was just encrypted:

# openssl rsautl -decrypt -inkey private.key -in data8.enc -out data8.enc.dec
# md5sum data8 data8.enc.dec
7dea362b3fac8e00956a4952a3d4f474  data8
7dea362b3fac8e00956a4952a3d4f474  data8.enc.dec
# rm -f data8.enc*

Decrypted successfully. We got the same content. Let's review the reverse process, where we encrypt with the private key and decrypt with the public one. In terms of the public/private encryption mechanism this is called signing data and verifying the signature. Signing guarantees data integrity.

# openssl rsautl -sign -inkey private.key -in data8 > data8.enc
# openssl rsautl -verify -inkey public.key -pubin -in data8.enc -out data8.enc.dec
# md5sum data8 data8.enc.dec
7dea362b3fac8e00956a4952a3d4f474  data8
7dea362b3fac8e00956a4952a3d4f474  data8.enc.dec
# rm -f data8.enc*

As you see, content integrity is preserved. Let's move on to another built-in openssl command...

openssl s_client

This command is said to be a handy tool for debugging the HTTPS protocol. I'm going to try it on my own domain:

# echo "" | openssl s_client -servername ejz.ru -connect ejz.ru:443 -showcerts
Certificate chain
 0 s:/CN=ejz.ru
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

The -servername argument performs SNI negotiation. -showcerts shows all certificates, including intermediate ones. Copy the first certificate to subject.pem and the second one to issuer.pem. Validate them:

# openssl verify -CAfile issuer.pem subject.pem
subject.pem: OK
# openssl verify -CAfile /etc/ssl/certs/DST_Root_CA_X3.pem issuer.pem
issuer.pem: OK

The CA certificate (which I found in my Ubuntu distribution) signed the intermediate certificate. The intermediate certificate signed the certificate of my site.

I wish you all the best!
