@gwpl
Last active March 15, 2024 15:56
`openssl pkeyutl` how to: -sign -verify -encrypt -decrypt, using openssh keys (snippets/examples)

These are examples of how to sign, verify a signature, encrypt and decrypt using openssl and an ssh private/public key pair, based on:

They require two files holding the public/private key pair. These can be links to your ssh public/private key pair:

  • private_key - file with the private key you want to use. Can be a link to the ~/.ssh/id_rsa private key
  • pub_ssh_key - file with the public ssh key you want to use. Can be a link to the ~/.ssh/id_rsa.pub public key

To try generating a signature file with the private key and then verifying the signature against the public key:

./sign.sh
./verify.sh

To try encrypting with the public key and decrypting with the private key:

./encrypt.sh
./decrypt.sh
rm -v pub.pkcs8 test.sign test.txt.decrypted test.txt.encrypted

#!/bin/bash
# decrypt.sh
# based on http://sandilands.info/sgordon/public-key-encryption-and-digital-signatures-using-openssl
# The private key can even be an ssh private key
PRIVKEY=private_key # can be a link to the ssh private key: ~/.ssh/id_rsa
ENCRYPTED_FILE=test.txt.encrypted
DECRYPTED_FILE=test.txt.decrypted
ORIGINAL_TO_COMPARE=test.txt
set -x
openssl pkeyutl -decrypt -inkey "${PRIVKEY}" -in "${ENCRYPTED_FILE}" -out "${DECRYPTED_FILE}"
# compare the decrypted output with the original plaintext
cmp "${DECRYPTED_FILE}" "${ORIGINAL_TO_COMPARE}" && echo 'Decrypted is same as original'

#!/bin/bash
# encrypt.sh
# based on http://sandilands.info/sgordon/public-key-encryption-and-digital-signatures-using-openssl
PUBSSHKEY=pub_ssh_key # can be a link to the ssh public key, e.g. ~/.ssh/id_rsa.pub
PUBKEY=pub.pkcs8
FILE_TO_ENCRYPT=test.txt
ENCRYPTED_FILE=test.txt.encrypted
set -x
# export the ssh public key as PKCS#8 PEM, the form openssl reads with -pubin
ssh-keygen -e -f "${PUBSSHKEY}" -m PKCS8 > "${PUBKEY}"
openssl pkeyutl -encrypt -pubin -inkey "${PUBKEY}" -in "${FILE_TO_ENCRYPT}" -out "${ENCRYPTED_FILE}"

#!/bin/bash
# sign.sh
# based on http://superuser.com/a/498684
PRIVKEY=private_key # can be a link to the ssh private key: ~/.ssh/id_rsa
FILE_TO_SIGN=test.txt
OUTPUT_SIGNATURE_FILE=test.sign
set -x
openssl pkeyutl -sign -inkey "${PRIVKEY}" -in "${FILE_TO_SIGN}" -out "${OUTPUT_SIGNATURE_FILE}"

#!/bin/bash
# verify.sh
# based on http://superuser.com/a/498684
PUBSSHKEY=pub_ssh_key # can be a link to the ssh public key, e.g. ~/.ssh/id_rsa.pub
PUBKEY=pub.pkcs8
FILE_TO_VERIFY=test.txt
SIGNATURE_FILE=test.sign
set -x
# export the ssh public key as PKCS#8 PEM, the form openssl reads with -pubin
ssh-keygen -e -f "${PUBSSHKEY}" -m PKCS8 > "${PUBKEY}"
# prints "Signature Verified Successfully" or "Signature Verification Failure"
openssl pkeyutl -verify -pubin -inkey "${PUBKEY}" -in "${FILE_TO_VERIFY}" -sigfile "${SIGNATURE_FILE}"
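encrypt.sh and decrypt.sh above leave pkeyutl's RSA padding at its default, PKCS#1 v1.5, and RSA can only encrypt a single block shorter than the key modulus. The script below is an added example, not part of the gist, that runs the same `pkeyutl -encrypt`/`-decrypt` round trip with OAEP padding (RSA-OAEP, SHA-256) and checks the two failure modes a practitioner should expect: an input larger than one RSA block is refused, and a ciphertext produced under one padding mode does not decrypt under another. It assumes only the openssl CLI (1.1.1 or later) and generates a throwaway key pair with openssl instead of linking ~/.ssh keys; the file names under $WORK and the message contents are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example (not part of the gist): pkeyutl RSA encryption with OAEP
# padding, plus the two failure modes to expect from single-block RSA.
set -euo pipefail
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping" >&2; exit 0; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
PRIVKEY="$WORK/private_key"   # throwaway key, stands in for ~/.ssh/id_rsa
PUBKEY="$WORK/pub.pkcs8"      # same "BEGIN PUBLIC KEY" PEM that ssh-keygen -e -m PKCS8 emits

# Throwaway 2048-bit RSA pair generated with openssl alone (assumption: no ssh
# key at hand; the gist links ~/.ssh/id_rsa and id_rsa.pub instead).
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$PRIVKEY" 2>/dev/null
openssl pkey -in "$PRIVKEY" -pubout -out "$PUBKEY"

# encrypt.sh/decrypt.sh use the PKCS#1 v1.5 default; these wrappers select
# RSA-OAEP with SHA-256, and the same options must be given on both sides.
oaep_encrypt() {   # $1 = plaintext file, $2 = ciphertext output
  openssl pkeyutl -encrypt -pubin -inkey "$PUBKEY" \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -in "$1" -out "$2"
}
oaep_decrypt() {   # $1 = ciphertext file, $2 = plaintext output
  openssl pkeyutl -decrypt -inkey "$PRIVKEY" \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -in "$1" -out "$2"
}

# A short constructed message round-trips intact (returns 0).
short_message_roundtrips() {
  printf 'constructed sample secret\n' > "$WORK/test.txt"
  oaep_encrypt "$WORK/test.txt" "$WORK/test.txt.encrypted"
  oaep_decrypt "$WORK/test.txt.encrypted" "$WORK/test.txt.decrypted"
  cmp -s "$WORK/test.txt" "$WORK/test.txt.decrypted"
}

# RSA encrypts one block below the modulus: a 2048-bit key with OAEP/SHA-256
# allows at most 256 - 2*32 - 2 = 190 bytes, so a 300-byte input must be
# refused (returns 0 when openssl rejects it). Longer data needs hybrid
# encryption: a symmetric cipher for the data, RSA only for the symmetric key.
oversized_input_is_refused() {
  head -c 300 /dev/zero | tr '\0' 'A' > "$WORK/big.txt"
  if oaep_encrypt "$WORK/big.txt" "$WORK/big.encrypted" 2>/dev/null; then
    return 1
  fi
  return 0
}

# Padding modes must match: a ciphertext made with the v1.5 default (as
# encrypt.sh does) does not decrypt under OAEP (returns 0 when rejected).
mismatched_padding_is_refused() {
  printf 'constructed sample secret\n' > "$WORK/v15.txt"
  openssl pkeyutl -encrypt -pubin -inkey "$PUBKEY" -in "$WORK/v15.txt" -out "$WORK/v15.encrypted"
  if oaep_decrypt "$WORK/v15.encrypted" "$WORK/v15.decrypted" 2>/dev/null; then
    return 1
  fi
  return 0
}

if short_message_roundtrips && oversized_input_is_refused && mismatched_padding_is_refused; then
  echo "encrypt/decrypt checks passed"
else
  echo "an encrypt/decrypt check failed" >&2
fi
```

Run it as-is; it prints the combined verdict of the three checks. The hybrid structure mentioned in the comments (symmetric key wrapped with RSA, data encrypted with the symmetric key) is what `openssl cms -encrypt` builds for you, but that command wants a recipient certificate rather than a bare public key.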

ramarov commented Feb 25, 2022

Thank you for the code


leso-kn commented Jul 7, 2022

Addition to sign.sh: As of openssl 3.0.0 the -rawin option is required:

> openssl pkeyutl -sign -inkey "${PRIVKEY}" -rawin -in "${FILE_TO_SIGN}" -out "${OUTPUT_SIGNATURE_FILE}"


stokito commented Oct 24, 2023

FYI: you can use openssl cms to produce PKCS#7 signature files with .p7s extension
