Provided by: openswan_2.4.9+dfsg-1build1_i386 bug


       ipsec rsasigkey - generate RSA signature key


       ipsec rsasigkey [--verbose] [--random filename] [--rounds nr]
             [--hostname hostname] [--noopt] nbits

       ipsec rsasigkey [--verbose] [--hostname hostname] [--noopt]
             [--oldkey filename]


       Rsasigkey  generates  an  RSA  public/private  key  pair,  suitable for
       digital signatures, of (exactly) nbits bits (that is, two  primes  each
       of  exactly nbits/2 bits, and related numbers) and emits it on standard
       output as ASCII (mostly hex) data. nbits must be a multiple of 16.

       The public exponent is forced to the value 3, which has important speed
       advantages  for signature checking. Beware that the resulting keys have
       known weaknesses as encryption keys and should not  be  used  for  that

       The  --verbose  option  makesrsasigkey  give  a  running  commentary on
       standard error. By default, it works in silence until it  is  ready  to
       generate output.

       The  --random option specifies a source for random bits. The default is
       /dev/random (see random(4)). Normally, rsasigkey  reads  exactly  nbits
       random  bits  from  the  source; in extremely-rare circumstances it may
       need more. Under Linux with hardware random support, the special device
       /dev/hw_random  is created. However, the driver does not guarantee FIPS
       compliant random, and  some  hardware  is  so  broken  that  it  return
       extremely non-random data. Therefor /dev/hw_random should never be used
       with the --random option. Instead, one should run the rngd(8) daemon to
       funnel randomness from /dev/hw_random into /dev/random.

       The  --rounds  option  specifies the number of rounds to be done by the
       pz_probab_prime_p probabilistic primality checker. The default, 30,  is
       fairly rigorous and should not normally have to be overridden.

       The --hostname option specifies what host name to use in the first line
       of the output (see below); the default is what gethostname(2)  returns.

       The --hostname option suppresses an optimization of the private key (to
       be precise, setting of the decryption exponent to  lcm(p-1,q-1)  rather
       than  (p-1)*(q-1))  which  speeds  up operations on it slightly but can
       cause it to flunk a validity check in old RSA implementations (notably,
       obsolete versions of ipsec_pluto(8)

       --oldkey  option  specifies  that  rather  than  generate  a  new  key,
       rsasigkey should read an old key from the  file  (the  name  ’-’  means
       ’standard  input’)  and  use  that  to generate its output. Input lines
       which do not look like rsasigkey  output  are  silently  ignored.  This
       permits updating old keys to the current format.

       The  output  format looks like this (with long numbers trimmed down for

            # RSA 2048 bits   Sat Apr 15 13:53:22 2000
            # for signatures only, UNSAFE FOR ENCRYPTION
            Modulus: 0xcc2a86fcf440...cf1011abb82d1
            PublicExponent: 0x03
            # everything after this point is secret
            PrivateExponent: 0x881c59fdf8...ab05c8c77d23
            Prime1: 0xf49fd1f779...46504c7bf3
            Prime2: 0xd5a9108453...321d43cb2b
            Exponent1: 0xa31536a4fb...536d98adda7f7
            Exponent2: 0x8e70b5ad8d...9142168d7dcc7
            Coefficient: 0xafb761d001...0c13e98d98

          The first (comment) line, indicating the nature and date of the key,
       and giving a host name, is used by ipsec_showhostkey(8) when generating
       some forms of key output.

       The commented-out pubkey= line contains  the  public  key,  the  public
       exponent and the modulus combined in approximately RFC 2537 format (the
       one deviation is that the combined value is given  with  a  0s  prefix,
       rather  than  in unadorned base-64), suitable for use in the ipsec.conf

       The Modulus, PublicExponent and PrivateExponent lines  give  the  basic
       signing and verification data.

       The  Prime1  and Prime2 lines give the primes themselves (aka p and q),
       largest first. The Exponent1  and  Exponent2  lines  give  the  private
       exponent  mod  p-1 and q-1 respectively. The Coefficient line gives the
       Chinese Remainder Theorem coefficient, which is the inverse of  q,  mod
       p.  These  additional  numbers (which must all be kept as secret as the
       private exponent) are precomputed aids to rapid signature generation.

       No attempt is made to break long lines.

       The US patent on the RSA algorithm expired 20 Sept 2000.


       ipsec rsasigkey --verbose 2192 >mykey.txt
              generates a 2192-bit signature key  and  puts  it  in  the  file
              mykey.txt,  with  running commentary on standard error. The file
              contents can be inserted verbatim into a suitable entry  in  the
              ipsec.secrets  file  (see  ipsec_secrets(5)), and the public key
              can then be  extracted  and  edited  into  the  ipsec.conf  (see

       ipsec rsasigkey --verbose --oldkey oldie >latest.txt
              takes  the  old signature key from file oldie and puts a version
              in the  current  format  into  the  file  latest,  with  running
              commentary on standard error.


       /dev/random, /dev/urandom


        random(4),  rngd(8),  ipsec_showhostkey(8), Applied Cryptography, 2nd.
       ed., by Bruce Schneier, Wiley 1996, RFCs 2537, 2313, GNU  MP,  the  GNU
       multiple precision arithmetic library, edition 2.0.2, by Torbj Granlund


       Written  for  the  Linux  FreeS/WAN  project  <> by Henry Spencer.


       There is an internal limit on nbits, currently 20000.

       rsasigkey’s  run  time  is  difficult  to  predict,  since  /dev/random
       outputcan be arbitrarily delayed if the systemâ

       The --oldkey option does not check its input format as rigorously as it
       might. Corrupted rsasigkey output may confuse it.