1pki(n) public key encryption pki(n)
2______________________________________________________________________________
6
8 pki - Implementation of the public key cipher
9
11 package require Tcl 8.5
12 package require pki ?0.10?
14 ::pki::encrypt ?-binary? ?-hex? ?-pad? ?-nopad? ?-priv? ?-pub? ?--?
16 input key
17 ::pki::decrypt ?-binary? ?-hex? ?-unpad? ?-nounpad? ?-priv? ?-pub? ?--?
19 input key
20 ::pki::sign input key ?algo?
22 ::pki::verify signedmessage plaintext key ?algo?
24 ::pki::key key ?password? ?encodePem?
26 ::pki::pkcs::parse_key key ?password?
28 ::pki::x509::parse_cert cert
30 ::pki::rsa::generate bitlength ?exponent?
32 ::pki::x509::verify_cert cert trustedcerts ?intermediatecerts?
34 ::pki::x509::validate_cert cert ?-sign_message dn_of_signer?
36 ?-encrypt_message dn_of_signer? ?-sign_cert dn_to_be_signed ca_depth?
37 ?-ssl dn?
38 ::pki::pkcs::create_csr keylist namelist ?encodePem? ?algo?
40 ::pki::pkcs::parse_csr csr
42 ::pki::x509::create_cert signreqlist cakeylist serial_number notBefore
44 notAfter isCA extensions ?encodePem? ?algo?
45______________________________________________________________________________
47
50 ::pki::encrypt ?-binary? ?-hex? ?-pad? ?-nopad? ?-priv? ?-pub? ?--?
51 input key
52 Encrypt a message using PKI (probably RSA). Requires the caller
53 to specify either -priv to encrypt with the private key or -pub
54 to encrypt with the public key. The default option is to pad
55 and return in hex. One of -pub or -priv must be specified. The
56 -hex option causes the data to be returned in encoded as a hex‐
57 idecimal string, while the -binary option causes the data to be
58 returned as a binary string. If they are specified multiple
59 times, the last one specified is used. The -pad option causes
60 the data to be padded per PKCS#1 prior to being encrypted. The
61 -nopad inhibits this behaviour. If they are specified multiple
62 times, the last one specified is used. The input to encrypt is
63 specified as input. The key parameter, holding the key to use,
64 is a return value from either ::pki::pkcs::parse_key,
65 ::pki::x509::parse_cert, or ::pki::rsa::generate.
66 Mapping to OpenSSL's openssl application:
68 [1] "openssl rsautl -encrypt" == "::pki::encrypt -binary
70 -pub"
71 [2] "openssl rsautl -sign" == "::pki::encrypt -binary
73 -priv"
74 ::pki::decrypt ?-binary? ?-hex? ?-unpad? ?-nounpad? ?-priv? ?-pub? ?--?
76 input key
77 Decrypt a message using PKI (probably RSA). See ::pki::encrypt
78 for option handling.
79 Mapping to OpenSSL's openssl application:
81 [1] "openssl rsautl -decrypt" == "::pki::decrypt -binary
83 -priv"
84 [2] "openssl rsautl -verify" == "::pki::decrypt -binary
86 -pub"
87 ::pki::sign input key ?algo?
89 Digitally sign message input using the private key. If algo is
90 ommited "sha1" is assumed. Possible values for algo include
91 "md5", "sha1", "sha256", and "raw". Specifyin "raw" for algo
92 will inhibit the building of an ASN.1 structure to encode which
93 hashing algorithm was chosen. The input should be the plain
94 text, hashing will be performed on it. The key should include
95 the private key.
96 ::pki::verify signedmessage plaintext key ?algo?
98 Verify a digital signature using a public key. Returns true or
99 false.
100 ::pki::key key ?password? ?encodePem?
102 Convert a key structure into a serialized PEM (default) or DER
103 encoded private key suitable for other applications. For RSA
104 keys this means PKCS#1.
105 ::pki::pkcs::parse_key key ?password?
107 Convert a PKCS#1 private key into a usable key, i.e. one which
108 can be used as argument for ::pki::encrypt, ::pki::decrypt,
109 ::pki::sign, and ::pki::verify.
110 ::pki::x509::parse_cert cert
112 Convert an X.509 certificate to a usable (public) key, i.e. one
113 which can be used as argument for ::pki:encrypt, ::pki::decrypt,
114 and ::pki::verify. The cert argument can be either PEM or DER
115 encoded.
116 ::pki::rsa::generate bitlength ?exponent?
118 Generate a new RSA key pair, the parts of which can be used as
119 argument for ::pki::encrypt, ::pki::decrypt, ::pki::sign, and
120 ::pki::verify. The bitlength argument is the length of the pub‐
121 lic key modulus. The exponent argument should generally not be
122 specified unless you really know what you are doing.
123 ::pki::x509::verify_cert cert trustedcerts ?intermediatecerts?
125 Verify that a trust can be found between the certificate speci‐
126 fied in the cert argument and one of the certificates specified
127 in the list of certificates in the trustedcerts argument.
128 (Eventually the chain can be through untrusted certificates
129 listed in the intermediatecerts argument, but this is currently
130 unimplemented). The certificates specified in the cert and
131 trustedcerts option should be parsed (from
132 ::pki::x509::parse_cert).
133 ::pki::x509::validate_cert cert ?-sign_message dn_of_signer?
135 ?-encrypt_message dn_of_signer? ?-sign_cert dn_to_be_signed ca_depth?
136 ?-ssl dn?
137 Validate that a certificate is valid to be used in some capac‐
138 ity. If multiple options are specified they must all be met for
139 this procedure to return "true". Currently, only the -sign_cert
140 option is functional. Arguments for the -sign_cert option are
141 dn_to_be_signed and ca_depth. The dn_to_be_signed is the dis‐
142 tinguished from the subject of a certificate to verify that the
143 certificate specified in the cert argument can sign. The
144 ca_depth argument is used to indicate at which depth the verifi‐
145 cation should be done at. Some certificates are limited to how
146 far down the chain they can be used to verify a given certifi‐
147 cate.
148 ::pki::pkcs::create_csr keylist namelist ?encodePem? ?algo?
150 Generate a certificate signing request from a key pair specified
151 in the keylist argument. The namelist argument is a list of
152 "name" followed by "value" pairs to encoding as the requested
153 distinguished name in the CSR. The encodePem option specifies
154 whether or not the result should be PEM encoded or DER encoded.
155 A "true" value results in the result being PEM encoded, while
156 any other value 9results in the the result being DER encoded.
157 DER encoding is the default. The algo argument specifies the
158 hashing algorithm we should use to sign this certificate signing
159 request with. The default is "sha1". Other possible values
160 include "md5" and "sha256".
161 ::pki::pkcs::parse_csr csr
163 Parse a Certificate Signing Request. The csr argument can be
164 either PEM or DER encoded.
165 ::pki::x509::create_cert signreqlist cakeylist serial_number notBefore
167 notAfter isCA extensions ?encodePem? ?algo?
168 Sign a signing request (usually from ::pki::pkcs::create_csr or
169 ::pki::pkcs::parse_csr) with a Certificate Authority (CA) cer‐
170 tificate. The signreqlist argument should be the parsed signing
171 request. The cakeylist argument should be the parsed CA cer‐
172 tificate. The serial_number argument should be a serial number
173 unique to this certificate from this certificate authority. The
174 notBefore and notAfter arguments should contain the time before
175 and after which (respectively) the certificate should be consid‐
176 ered invalid. The time should be encoded as something clock
177 format will accept (i.e., the results of clock seconds and clock
178 add). The isCA argument is a boolean argumen describing whether
179 or not the signed certificate should be a a CA certificate. If
180 specified as true the "id-ce-basicConstraints" extension is
181 added with the arguments of "critical" being true, "allowCA"
182 being true, and caDepth being -1 (infinite). The extensions
183 argument is a list of extensions and their parameters that
184 should be encoded into the created certificate. Currently only
185 one extension is understood ("id-ce-basicConstraints"). It
186 accepts three arguments critical allowCA caDepth. The critical
187 argument to this extension (and any extension) whether or not
188 the validator should reject the certificate as invalid if it
189 does not understand the extension (if set to "true") or should
190 ignore the extension (if set to "false"). The allowCA argument
191 is used to specify as a boolean value whether or not we can be
192 used a certificate authority (CA). The caDepth argument indi‐
193 cates how many children CAs can be children of this CA in a
194 depth-wise fashion. A value of "0" for the caDepth argument
195 means that this CA cannot sign a CA certificate and have the
196 result be valid. A value of "-1" indicates infinite depth.
197
200 [1]
201
203 Roy Keene
204
206 This document, and the package it describes, will undoubtedly contain
207 bugs and other problems. Please report such in the category rsa of the
208 Tcllib Trackers [http://core.tcl.tk/tcllib/reportlist]. Please also
209 report any ideas for enhancements you may have for either package
210 and/or documentation.
211 When proposing code changes, please provide unified diffs, i.e the out‐
213 put of diff -u.
214 Note further that attachments are strongly preferred over inlined
216 patches. Attachments can be made by going to the Edit form of the
217 ticket immediately after its creation, and then using the left-most
218 button in the secondary navigation bar.
219
221 aes(n), blowfish(n), des(n), md5(n), sha1(n)
222
224 cipher, data integrity, encryption, public key cipher, rsa, security
225
227 Hashes, checksums, and encryption
228
230 Copyright (c) 2010, 2011, 2012, 2013, Roy Keene, Andreas Kupries
231tcllib 0.10 pki(n)