openssl/RSA - Using a Public key to decrypt

Question

I'm looking to secure the software update procedure for a little device I'm maintaining that runs Linux. I want to generate an md5sum of the update package's contents and then encrypt that hash with a private key before sending it out to the customer. When they load the update, the device should then decrypt the hash, verify it, and proceed with installation of the package.

I'm trying to do this with OpenSSL and RSA. I found this thread, and was discouraged. I then found this thread and wondered how Perl gets around the purported impossibility of it all. I'm doing this in C, so perhaps there's a parallel function in an SSL library somewhere?

So my question really is: can I force command line Linux to take a public key as the decryption input, or perhaps use C to circumvent that limitation?

Thanks in advance, all.

Answer 1

NOTE: I recommend you use the sign and verify routines instead of trying to implement them yourself with the underlying RSA encrypt and decrypt routines.

Nonetheless, Openssl CLI can achieve "decrypting with the public key" via the rsautl subcommand like so:

openssl rsautl -verify -inkey public_key.pem -pubin -in data.sig -raw -hexdump

Answer 2

Let's assume you have generated a public and private RSA key using openssl genrsa:

$ openssl genrsa -out mykey
Generating RSA private key, 512 bit long modulus
...++++++++++++
..........++++++++++++
e is 65537 (0x10001)
$ openssl rsa -in mykey -pubout -out mykey.pub
writing RSA key

You can sign something with the private key like this:

$ md5sum myfile | openssl rsautl -inkey mykey -sign > checksum.signed

You can verify this data using the public key:

$ openssl rsautl -inkey mykey.pub -pubin -in checksum.signed
df713741d8e92b15977ccd6e019730a5  myfile

Is this what you're looking for?