Lib.rs

Command line utilities | Cryptography
#encryption #rsa #cli

bin+lib cryptrsa

RSA encryption and signing CLI tool

by neuralsorcerer

1 unstable release

0.1.3 Aug 11, 2025
0.1.2 Jun 8, 2025
0.1.1 Jun 8, 2025

#2471 in Command line utilities

Download history 61/week @ 2025-08-05 57/week @ 2025-08-12 10/week @ 2025-08-19 1/week @ 2025-08-26 4/week @ 2025-09-30

205 downloads per month

MIT license

35KB
722 lines

cryptrsa: RSA CLI and library

A small Rust CLI/library that demonstrates RSA primitives for learning, and provides secure flows using OAEP (encryption), PSS (signing), and a hybrid RSA+AES-GCM scheme for large files.

Highlights

  • Raw RSA primitives (BigUint) for teaching and simple demos
  • Chunked raw RSA file encryption with a length header
  • RSA-OAEP (SHA-256) encryption/decryption with PEM keys
  • RSA-PSS (SHA-256) signing/verification with PEM keys
  • Hybrid RSA+AES-256-GCM for large files
  • JSON keypair I/O for raw RSA; PEM I/O for OAEP/PSS
  • Clean CLI plus a usable library API

Installation

cargo install cryptrsa

Build from source

git clone https://github.com/neuralsorcerer/cryptrsa
cd cryptrsa
cargo build

Quick start (raw RSA, JSON keys)

  • Generate JSON keypair: 
    cryptrsa gen --bits 2048 --out keypair.json --public-out public.json
  • Encrypt/Decrypt a short UTF-8 message (must be numerically < n): 
    cryptrsa encrypt --key public.json --message "hello"

cryptrsa decrypt --key keypair.json --ciphertext BASE64
  • Encrypt/Decrypt arbitrary files with raw RSA chunking: 
    cryptrsa encrypt-bytes --key public.json --in-file input.bin --out-file cipher.b64

cryptrsa decrypt-bytes --key keypair.json --in-file cipher.b64 --out-file output.bin --base64

Secure modes (PEM keys)

  • Generate PEM keys (PKCS#8 private, SPKI public): 
    cryptrsa gen-pem --bits 2048 --private-out private.pem --public-out public.pem
  • RSA-OAEP (SHA-256) encryption/decryption: 
    cryptrsa encrypt-oaep --public-pem public.pem --in-file msg.bin --out-file ct.b64

cryptrsa decrypt-oaep --private-pem private.pem --in-file ct.b64 --out-file msg.bin
  • RSA-PSS (SHA-256) signing/verification: 
    cryptrsa sign-pss --private-pem private.pem --in-file msg.bin --sig-out sig.b64

cryptrsa verify-pss --public-pem public.pem --in-file msg.bin --sig-file sig.b64

Hybrid RSA + AES-GCM (recommended for large files)

  • Encrypt: AES-256-GCM for data, RSA-OAEP for the AES key. Output is JSON with base64 fields enc_key, nonce, ct. 
    cryptrsa encrypt-hybrid --public-pem public.pem --in-file large.bin --out-file package.json
  • Decrypt: 
    cryptrsa decrypt-hybrid --private-pem private.pem --in-file package.json --out-file large.bin

CLI reference (subcommands)

  • gen: Generate a JSON keypair; optionally write public part separately
  • encrypt / decrypt: Raw RSA for short messages (as base64)
  • sign / verify: Raw RSA signing; use --hash to sign SHA-256(msg)
  • fingerprint: Print SHA-256 fingerprint of a public key (e||n)
  • encrypt-bytes / decrypt-bytes: Raw RSA for arbitrary files (chunked); decrypt supports --base64
  • info: Print basic info (type, bits, e, n)
  • pubout: Extract public key JSON from a keypair JSON
  • gen-pem: Generate RSA PEM keys
  • encrypt-oaep / decrypt-oaep: RSA-OAEP (SHA-256) with PEM
  • sign-pss / verify-pss: RSA-PSS (SHA-256) with PEM
  • encrypt-hybrid / decrypt-hybrid: Hybrid RSA-OAEP + AES-256-GCM for large files

Library usage (examples)

  • Raw RSA keygen and encrypt/decrypt:
use cryptrsa::{RSAKeyPair, encrypt, decrypt};
use num_bigint::BigUint;

let kp = RSAKeyPair::generate(1024);
let m = BigUint::from(42u32);
let c = encrypt(&m, &kp.e, &kp.n);
let p = decrypt(&c, &kp.d, &kp.n);
assert_eq!(m, p);
  • OAEP/PSS with PEM:
use cryptrsa::RsaOaep;

let kp = RsaOaep::generate(2048)?;
let ct = kp.encrypt(b"secret")?;
let pt = kp.decrypt(&ct)?;
assert_eq!(pt, b"secret");
let sig = kp.sign_pss(b"msg")?;
assert!(kp.verify_pss(b"msg", &sig)?);
  • Hybrid AES-GCM:
use cryptrsa::crypto::hybrid::{gen_random_key, encrypt_aes_gcm, decrypt_aes_gcm};
let key = gen_random_key();
let (ct, nonce) = encrypt_aes_gcm(&key, b"data")?;
let pt = decrypt_aes_gcm(&key, &ct, &nonce)?;
assert_eq!(pt, b"data");

Security notes

  • Prefer OAEP/PSS and the hybrid mode for any real use. Raw RSA (no padding) is for learning and is not CCA-secure.
  • AES-GCM uses a random 96-bit nonce from the OS RNG; never reuse nonces with the same key.
  • Always keep private keys secure; PEM files are written in plaintext by default.

License

This project is licensed under the MIT License - see the LICENSE file for details.

Dependencies

~8.5MB
~165K SLoC