vishalnayak/rsaTest.sh

## rsaTest.sh
#!/bin/bash
set -aex
vault mount transit
vault write transit/keys/rsa type=rsa-2048 exportable=true
vault read -format json transit/export/encryption-key/rsa | jq -r '.data.keys["1"]' > private.pem
vault read -format json transit/keys/rsa | jq -r '.data.keys["1"].public_key' > public.pem
# Verify parsing of public key
openssl rsa -inform PEM -pubin -in public.pem -text
# Verify parsing of private key
openssl rsa -in private.pem -pubout
echo -n "sampletext" | base64 | vault write -format json transit/sign/rsa input=- | jq -r '.data.signature' > signature
# Remove the vault specific prefix and decode the signature
cat signature | sed -e s/vault:v1:// | base64 -D > signaturedecoded

# Pading modes and option values can be found here: # "https://wiki.openssl.org/index.php/Manual:Pkeyutl(1)"
# -2 corresponds to rsa.PSSSaltLengthAuto
# -1 corresponds to rsa.PSSSaltLengthEqualsHash
# 'plaintext' file
echo -n "sampletext" > plaintext

openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-2 -sign private.pem -out rsasig plaintext
openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-2 -signature rsasig -verify public.pem plaintext


#openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -signature signaturedecoded -verify public.pem plaintext
openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-2 -signature signaturedecoded -verify public.pem plaintext
	#!/bin/bash
	set -aex
	vault mount transit
	vault write transit/keys/rsa type=rsa-2048 exportable=true
	vault read -format json transit/export/encryption-key/rsa \| jq -r '.data.keys["1"]' > private.pem
	vault read -format json transit/keys/rsa \| jq -r '.data.keys["1"].public_key' > public.pem
	# Verify parsing of public key
	openssl rsa -inform PEM -pubin -in public.pem -text
	# Verify parsing of private key
	openssl rsa -in private.pem -pubout
	echo -n "sampletext" \| base64 \| vault write -format json transit/sign/rsa input=- \| jq -r '.data.signature' > signature
	# Remove the vault specific prefix and decode the signature
	cat signature \| sed -e s/vault:v1:// \| base64 -D > signaturedecoded

	# Pading modes and option values can be found here: # "https://wiki.openssl.org/index.php/Manual:Pkeyutl(1)"
	# -2 corresponds to rsa.PSSSaltLengthAuto
	# -1 corresponds to rsa.PSSSaltLengthEqualsHash
	# 'plaintext' file
	echo -n "sampletext" > plaintext

	openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-2 -sign private.pem -out rsasig plaintext
	openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-2 -signature rsasig -verify public.pem plaintext


	#openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -signature signaturedecoded -verify public.pem plaintext
	openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-2 -signature signaturedecoded -verify public.pem plaintext