Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)

Standard preamble:
========================================================================
..

..

.. Set up some character translations and predefined strings. \*(-- will
give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
double quote, and \*(R" will give a right double quote. \*(C+ will
give a nicer C++. Capital omega is used to do unbreakable dashes and
therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
nothing in troff, for use with C<>.
.tr \(*W- . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\}
Escape single quotes in literal strings from groff's Unicode transform.

If the F register is >0, we'll generate index entries on stderr for
titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
entries marked with X<> in POD. Of course, you'll have to process the
output yourself in some meaningful fashion.

Avoid warning from groff about undefined register 'F'.
.. .nr rF 0 . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] .\} . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . \" troff and (daisy-wheel) nroff accents . \" corrections for vroff . \" for low resolution devices (crt and lpr) \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} ========================================================================

Title "OPENSSL-RSAUTL 1ossl" For nroff, turn off justification. Always turn off hyphenation; it makes
way too many mistakes in technical documents.
openssl-rsautl - RSA command Header "SYNOPSIS" \fBopenssl rsautl [-help] [-in file] [-passin arg] [-rev] [-out file] [-inkey filename|uri] [-keyform \s-1DER\s0|\s-1PEM\s0|P12|\s-1ENGINE\s0] [-pubin] [-certin] [-sign] [-verify] [-encrypt] [-decrypt] [-pkcs] [-x931] [-oaep] [-raw] [-hexdump] [-asn1parse] [-engine id] [-rand files] [-writerand file] [-provider name] [-provider-path path] [-propquery propq] Header "DESCRIPTION" This command has been deprecated. The openssl-pkeyutl\|(1) command should be used instead.

This command can be used to sign, verify, encrypt and decrypt data using the \s-1RSA\s0 algorithm.

Header "OPTIONS" Item "-help" Print out a usage message. Item "-in filename" This specifies the input filename to read data from or standard input if this option is not specified. Item "-passin arg" The passphrase used in the output file. See see openssl-passphrase-options\|(1). Item "-rev" Reverse the order of the input. Item "-out filename" Specifies the output filename to write to or standard output by default. Item "-inkey filename|uri" The input key, by default it should be an \s-1RSA\s0 private key. Item "-keyform DER|PEM|P12|ENGINE" The key format; unspecified by default. See openssl-format-options\|(1) for details. Item "-pubin" The input file is an \s-1RSA\s0 public key. Item "-certin" The input is a certificate containing an \s-1RSA\s0 public key. Item "-sign" Sign the input data and output the signed result. This requires an \s-1RSA\s0 private key. Item "-verify" Verify the input data and output the recovered data. Item "-encrypt" Encrypt the input data using an \s-1RSA\s0 public key. Item "-decrypt" Decrypt the input data using an \s-1RSA\s0 private key. Item "-pkcs, -oaep, -x931, -raw" The padding to use: PKCS#1 v1.5 (the default), PKCS#1 \s-1OAEP, ANSI X9.31,\s0 or no padding, respectively. For signatures, only -pkcs and -raw can be used. Item "-hexdump" Hex dump the output data. Item "-asn1parse" Parse the \s-1ASN.1\s0 output data, this is useful when combined with the \fB-verify option. Item "-engine id" See \*(L"Engine Options\*(R" in openssl\|(1). This option is deprecated. Item "-rand files, -writerand file" See \*(L"Random State Options\*(R" in openssl\|(1) for details. Item "-provider name"

0

Item "-provider-path path" Item "-propquery propq"

See \*(L"Provider Options\*(R" in openssl\|(1), provider\|(7), and property\|(7).

Header "NOTES" Since this command uses the \s-1RSA\s0 algorithm directly, it can only be used to sign or verify small pieces of data. Header "EXAMPLES" Examples equivalent to these can be found in the documentation for the non-deprecated openssl-pkeyutl\|(1) command.

Sign some data using a private key:

.Vb 1 openssl rsautl -sign -in file -inkey key.pem -out sig .Ve

Recover the signed data

.Vb 1 openssl rsautl -verify -in sig -inkey key.pem .Ve

Examine the raw signed data:

.Vb 1 openssl rsautl -verify -in sig -inkey key.pem -raw -hexdump \& 0000 - 00 01 ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................ 0010 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................ 0020 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................ 0030 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................ 0040 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................ 0050 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................ 0060 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................ 0070 - ff ff ff ff 00 68 65 6c-6c 6f 20 77 6f 72 6c 64 .....hello world .Ve

The PKCS#1 block formatting is evident from this. If this was done using encrypt and decrypt the block would have been of type 2 (the second byte) and random padding data visible instead of the 0xff bytes.

It is possible to analyse the signature of certificates using this command in conjunction with openssl-asn1parse\|(1). Consider the self signed example in certs/pca-cert.pem. Running openssl-asn1parse\|(1) as follows yields:

.Vb 1 openssl asn1parse -in pca-cert.pem \& 0:d=0 hl=4 l= 742 cons: SEQUENCE 4:d=1 hl=4 l= 591 cons: SEQUENCE 8:d=2 hl=2 l= 3 cons: cont [ 0 ] 10:d=3 hl=2 l= 1 prim: INTEGER :02 13:d=2 hl=2 l= 1 prim: INTEGER :00 16:d=2 hl=2 l= 13 cons: SEQUENCE 18:d=3 hl=2 l= 9 prim: OBJECT :md5WithRSAEncryption 29:d=3 hl=2 l= 0 prim: NULL 31:d=2 hl=2 l= 92 cons: SEQUENCE 33:d=3 hl=2 l= 11 cons: SET 35:d=4 hl=2 l= 9 cons: SEQUENCE 37:d=5 hl=2 l= 3 prim: OBJECT :countryName 42:d=5 hl=2 l= 2 prim: PRINTABLESTRING :AU .... 599:d=1 hl=2 l= 13 cons: SEQUENCE 601:d=2 hl=2 l= 9 prim: OBJECT :md5WithRSAEncryption 612:d=2 hl=2 l= 0 prim: NULL 614:d=1 hl=3 l= 129 prim: BIT STRING .Ve

The final \s-1BIT STRING\s0 contains the actual signature. It can be extracted with:

.Vb 1 openssl asn1parse -in pca-cert.pem -out sig -noout -strparse 614 .Ve

The certificate public key can be extracted with:

.Vb 1 openssl x509 -in test/testx509.pem -pubkey -noout >pubkey.pem .Ve

The signature can be analysed with:

.Vb 1 openssl rsautl -in sig -verify -asn1parse -inkey pubkey.pem -pubin \& 0:d=0 hl=2 l= 32 cons: SEQUENCE 2:d=1 hl=2 l= 12 cons: SEQUENCE 4:d=2 hl=2 l= 8 prim: OBJECT :md5 14:d=2 hl=2 l= 0 prim: NULL 16:d=1 hl=2 l= 16 prim: OCTET STRING 0000 - f3 46 9e aa 1a 4a 73 c9-37 ea 93 00 48 25 08 b5 .F...Js.7...H%.. .Ve

This is the parsed version of an \s-1ASN1\s0 DigestInfo structure. It can be seen that the digest used was md5. The actual part of the certificate that was signed can be extracted with:

.Vb 1 openssl asn1parse -in pca-cert.pem -out tbs -noout -strparse 4 .Ve

and its digest computed with:

.Vb 2 openssl md5 -c tbs MD5(tbs)= f3:46:9e:aa:1a:4a:73:c9:37:ea:93:00:48:25:08:b5 .Ve

which it can be seen agrees with the recovered value above.

Header "SEE ALSO" \fBopenssl\|(1), \fBopenssl-pkeyutl\|(1), \fBopenssl-dgst\|(1), \fBopenssl-rsa\|(1), \fBopenssl-genrsa\|(1) Header "HISTORY" This command was deprecated in OpenSSL 3.0.

The -engine option was deprecated in OpenSSL 3.0.

Header "COPYRIGHT" Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use this file except in compliance with the License. You can obtain a copy in the file \s-1LICENSE\s0 in the source distribution or at <https://www.openssl.org/source/license.html>.