eckles.js/README.md

eckles.js
=========

Sponsored by [Root](https://therootcompany.com).
Built for [ACME.js](https://git.coolaj86.com/coolaj86/acme.js)
and [Greenlock.js](https://git.coolaj86.com/coolaj86/greenlock.js)

ECDSA (elliptic curve) tools. Lightweight. Zero Dependencies. Universal compatibility.

* [x] PEM-to-JWK
* [x] JWK-to-PEM
* [x] SSH "pub" format

This project is fully functional and tested (and the code is pretty clean).

It is considered to be complete, but if you find a bug please open an issue.

## PEM-to-JWK

* [x] SEC1/X9.62, PKCS#8, SPKI/PKIX
* [x] P-256 (prime256v1, secp256r1), P-384 (secp384r1)
* [x] SSH (RFC4716), (RFC 4716/SSH2)

```js
var eckles = require('eckles');
var pem = require('fs')
  .readFileSync('./node_modles/eckles/fixtures/privkey-ec-p256.sec1.pem', 'ascii');

eckles.import({ pem: pem }).then(function (jwk) {
  console.log(jwk);
});
```

```js
{
  "kty": "EC",
  "crv": "P-256",
  "d": "iYydo27aNGO9DBUWeGEPD8oNi1LZDqfxPmQlieLBjVQ",
  "x": "IT1SWLxsacPiE5Z16jkopAn8_-85rMjgyCokrnjDft4",
  "y": "mP2JwOAOdMmXuwpxbKng3KZz27mz-nKWIlXJ3rzSGMo"
}
```

## JWK-to-PEM

* [x] SEC1/X9.62, PKCS#8, SPKI/PKIX
* [x] P-256 (prime256v1, secp256r1), P-384 (secp384r1)
* [x] SSH (RFC4716), (RFC 4716/SSH2)

```js
var eckles = require('eckles');
var jwk = require('eckles/fixtures/privkey-ec-p256.jwk.json');

eckles.export({ jwk: jwk }).then(function (pem) {
  // PEM in SEC1 (x9.62) format
  console.log(pem);
});
```

```
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIImMnaNu2jRjvQwVFnhhDw/KDYtS2Q6n8T5kJYniwY1UoAoGCCqGSM49
AwEHoUQDQgAEIT1SWLxsacPiE5Z16jkopAn8/+85rMjgyCokrnjDft6Y/YnA4A50
yZe7CnFsqeDcpnPbubP6cpYiVcnevNIYyg==
-----END EC PRIVATE KEY-----
```

### Advanced Options

`format: 'pkcs8'`:

The default output format is `sec1`/`x9.62` (EC-specific format) is used for private keys.
Use `format: 'pkcs8'` to output in PKCS#8 format instead.

```js
eckles.export({ jwk: jwk, format: 'pkcs8' }).then(function (pem) {
  // PEM in PKCS#8 format
  console.log(pem);
});
```

```
-----BEGIN EC PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgiYydo27aNGO9DBUW
eGEPD8oNi1LZDqfxPmQlieLBjVShRANCAAQhPVJYvGxpw+ITlnXqOSikCfz/7zms
yODIKiSueMN+3pj9icDgDnTJl7sKcWyp4Nymc9u5s/pyliJVyd680hjK
-----END EC PRIVATE KEY-----
```

`format: 'ssh'`:

Although SSH uses SEC1 for private keys, it uses ts own special non-ASN1 format
(affectionately known as rfc4716) for public keys. I got curious and then decided
to add this format as well.

To get the same format as you
would get with `ssh-keygen`, pass `ssh` as the format option:

```js
eckles.export({ jwk: jwk, format: 'ssh' }).then(function (pub) {
  // Special SSH2 Public Key format (RFC 4716)
  console.log(pub);
});
```

```
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCE9Uli8bGnD4hOWdeo5KKQJ/P/vOazI4MgqJK54w37emP2JwOAOdMmXuwpxbKng3KZz27mz+nKWIlXJ3rzSGMo= P-256@localhost
```

`public: 'true'`:

If a private key is used as input, a private key will be output.

If you'd like to output a public key instead you can pass `public: true` or `format: 'spki'`.

```js
eckles.export({ jwk: jwk, public: true }).then(function (pem) {
  // PEM in SPKI/PKIX format
  console.log(pem);
});
```

```
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIT1SWLxsacPiE5Z16jkopAn8/+85
rMjgyCokrnjDft6Y/YnA4A50yZe7CnFsqeDcpnPbubP6cpYiVcnevNIYyg==
-----END PUBLIC KEY-----
```

Testing
-------

All cases are tested in `test.sh`.

You can compare these keys to the ones that you get from OpenSSL, ssh-keygen, and WebCrypto:

```bash
# Generate EC P-256 Keypair
openssl ecparam -genkey -name prime256v1 -noout -out ./privkey-ec-p256.sec1.pem

# Export Public-only EC Key (as SPKI)
openssl ec -in ./privkey-ec-p256.sec1.pem -pubout -out ./pub-ec-p256.spki.pem

# Convert SEC1 (traditional) EC Keypair to PKCS8 format
openssl pkcs8 -topk8 -nocrypt -in ./privkey-ec-p256.sec1.pem -out ./privkey-ec-p256.pkcs8.pem

# Convert EC public key to SSH format
ssh-keygen -f ./pub-ec-p256.spki.pem -i -mPKCS8 > ./pub-ec-p256.ssh.pub
```

Goals of this project
-----

* Zero Dependencies
* Focused support for P-256 and P-384, which are already universally supported.
* Convert both ways
* Browser support as well (TODO)
* OpenSSL, ssh-keygen, and WebCrypto compatibility

Legal
-----

Licensed MPL-2.0

[Terms of Use](https://therootcompany.com/legal/#terms) |
[Privacy Policy](https://therootcompany.com/legal/#privacy)
v0.1.0: Full PEM-to-JWK support 2018-11-19 05:50:08 +00:00			`eckles.js`
			`=========`

v1.0.1: update README 2018-11-20 06:31:03 +00:00			`Sponsored by [Root](https://therootcompany.com).`
			`Built for [ACME.js](https://git.coolaj86.com/coolaj86/acme.js)`
			`and [Greenlock.js](https://git.coolaj86.com/coolaj86/greenlock.js)`

v1.0.0: full PEM-to-JWK support 2018-11-20 06:17:39 +00:00			`ECDSA (elliptic curve) tools. Lightweight. Zero Dependencies. Universal compatibility.`
v0.1.0: Full PEM-to-JWK support 2018-11-19 05:50:08 +00:00
v0.7.2: update docs 2018-11-20 05:28:17 +00:00			`* [x] PEM-to-JWK`
v1.0.0: full PEM-to-JWK support 2018-11-20 06:17:39 +00:00			`* [x] JWK-to-PEM`
v1.2.0 add ability to read ssh pub files 2018-11-21 06:55:17 +00:00			`* [x] SSH "pub" format`
v0.1.0: Full PEM-to-JWK support 2018-11-19 05:50:08 +00:00
v1.0.1: update README 2018-11-20 06:31:03 +00:00			`This project is fully functional and tested (and the code is pretty clean).`

			`It is considered to be complete, but if you find a bug please open an issue.`

v1.0.0: full PEM-to-JWK support 2018-11-20 06:17:39 +00:00			`## PEM-to-JWK`
v0.7.2: update docs 2018-11-20 05:28:17 +00:00
			`* [x] SEC1/X9.62, PKCS#8, SPKI/PKIX`
			`* [x] P-256 (prime256v1, secp256r1), P-384 (secp384r1)`
v1.2.0 add ability to read ssh pub files 2018-11-21 06:55:17 +00:00			`* [x] SSH (RFC4716), (RFC 4716/SSH2)`
v0.1.0: Full PEM-to-JWK support 2018-11-19 05:50:08 +00:00
			```js
output json in example 2018-11-19 15:53:52 +00:00			`var eckles = require('eckles');`
v1.0.1: update README 2018-11-20 06:31:03 +00:00			`var pem = require('fs')`
			`.readFileSync('./node_modles/eckles/fixtures/privkey-ec-p256.sec1.pem', 'ascii');`
output json in example 2018-11-19 15:53:52 +00:00
v0.1.0: Full PEM-to-JWK support 2018-11-19 05:50:08 +00:00			`eckles.import({ pem: pem }).then(function (jwk) {`
			`console.log(jwk);`
			`});`
			```

v0.7.2: update docs 2018-11-20 05:28:17 +00:00			```js
			`{`
			`"kty": "EC",`
			`"crv": "P-256",`
			`"d": "iYydo27aNGO9DBUWeGEPD8oNi1LZDqfxPmQlieLBjVQ",`
			`"x": "IT1SWLxsacPiE5Z16jkopAn8_-85rMjgyCokrnjDft4",`
			`"y": "mP2JwOAOdMmXuwpxbKng3KZz27mz-nKWIlXJ3rzSGMo"`
			`}`
			```

v1.0.0: full PEM-to-JWK support 2018-11-20 06:17:39 +00:00			`## JWK-to-PEM`
v0.7.2: update docs 2018-11-20 05:28:17 +00:00
v1.0.0: full PEM-to-JWK support 2018-11-20 06:17:39 +00:00			`* [x] SEC1/X9.62, PKCS#8, SPKI/PKIX`
v0.7.2: update docs 2018-11-20 05:28:17 +00:00			`* [x] P-256 (prime256v1, secp256r1), P-384 (secp384r1)`
v1.1.0: support ssh public key out 2018-11-20 17:43:47 +00:00			`* [x] SSH (RFC4716), (RFC 4716/SSH2)`
v0.7.2: update docs 2018-11-20 05:28:17 +00:00
v0.1.0: Full PEM-to-JWK support 2018-11-19 05:50:08 +00:00			```js
v1.0.0: full PEM-to-JWK support 2018-11-20 06:17:39 +00:00			`var eckles = require('eckles');`
			`var jwk = require('eckles/fixtures/privkey-ec-p256.jwk.json');`

v0.1.0: Full PEM-to-JWK support 2018-11-19 05:50:08 +00:00			`eckles.export({ jwk: jwk }).then(function (pem) {`
v1.0.0: full PEM-to-JWK support 2018-11-20 06:17:39 +00:00			`// PEM in SEC1 (x9.62) format`
v0.1.0: Full PEM-to-JWK support 2018-11-19 05:50:08 +00:00			`console.log(pem);`
			`});`
			```

v0.7.2: update docs 2018-11-20 05:28:17 +00:00			```
			`-----BEGIN EC PRIVATE KEY-----`
			`MHcCAQEEIImMnaNu2jRjvQwVFnhhDw/KDYtS2Q6n8T5kJYniwY1UoAoGCCqGSM49`
			`AwEHoUQDQgAEIT1SWLxsacPiE5Z16jkopAn8/+85rMjgyCokrnjDft6Y/YnA4A50`
			`yZe7CnFsqeDcpnPbubP6cpYiVcnevNIYyg==`
			`-----END EC PRIVATE KEY-----`
			```

v1.0.1: update README 2018-11-20 06:31:03 +00:00			`### Advanced Options`
v1.0.0: full PEM-to-JWK support 2018-11-20 06:17:39 +00:00
			`format: 'pkcs8'`:

			The default output format is `sec1`/`x9.62` (EC-specific format) is used for private keys.
			Use `format: 'pkcs8'` to output in PKCS#8 format instead.

			```js
			`eckles.export({ jwk: jwk, format: 'pkcs8' }).then(function (pem) {`
			`// PEM in PKCS#8 format`
			`console.log(pem);`
			`});`
			```

v1.1.1: show key examples in docs 2018-11-20 19:07:50 +00:00			```
			`-----BEGIN EC PRIVATE KEY-----`
			`MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgiYydo27aNGO9DBUW`
			`eGEPD8oNi1LZDqfxPmQlieLBjVShRANCAAQhPVJYvGxpw+ITlnXqOSikCfz/7zms`
			`yODIKiSueMN+3pj9icDgDnTJl7sKcWyp4Nymc9u5s/pyliJVyd680hjK`
			`-----END EC PRIVATE KEY-----`
			```

v1.1.0: support ssh public key out 2018-11-20 17:43:47 +00:00			`format: 'ssh'`:

			`Although SSH uses SEC1 for private keys, it uses ts own special non-ASN1 format`
			`(affectionately known as rfc4716) for public keys. I got curious and then decided`
			`to add this format as well.`

			`To get the same format as you`
			would get with `ssh-keygen`, pass `ssh` as the format option:

			```js
			`eckles.export({ jwk: jwk, format: 'ssh' }).then(function (pub) {`
			`// Special SSH2 Public Key format (RFC 4716)`
			`console.log(pub);`
			`});`
			```

v1.1.1: show key examples in docs 2018-11-20 19:07:50 +00:00			```
			`ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCE9Uli8bGnD4hOWdeo5KKQJ/P/vOazI4MgqJK54w37emP2JwOAOdMmXuwpxbKng3KZz27mz+nKWIlXJ3rzSGMo= P-256@localhost`
			```

v1.0.0: full PEM-to-JWK support 2018-11-20 06:17:39 +00:00			`public: 'true'`:

			`If a private key is used as input, a private key will be output.`

			If you'd like to output a public key instead you can pass `public: true` or `format: 'spki'`.

v0.1.0: Full PEM-to-JWK support 2018-11-19 05:50:08 +00:00			```js
v1.0.0: full PEM-to-JWK support 2018-11-20 06:17:39 +00:00			`eckles.export({ jwk: jwk, public: true }).then(function (pem) {`
			`// PEM in SPKI/PKIX format`
v0.1.0: Full PEM-to-JWK support 2018-11-19 05:50:08 +00:00			`console.log(pem);`
			`});`
			```

v1.1.1: show key examples in docs 2018-11-20 19:07:50 +00:00			```
			`-----BEGIN PUBLIC KEY-----`
			`MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIT1SWLxsacPiE5Z16jkopAn8/+85`
			`rMjgyCokrnjDft6Y/YnA4A50yZe7CnFsqeDcpnPbubP6cpYiVcnevNIYyg==`
			`-----END PUBLIC KEY-----`
			```

update README, correct PKCS8 comments 2018-11-21 07:36:53 +00:00			`Testing`
			`-------`

			All cases are tested in `test.sh`.

			`You can compare these keys to the ones that you get from OpenSSL, ssh-keygen, and WebCrypto:`

			```bash
			`# Generate EC P-256 Keypair`
			`openssl ecparam -genkey -name prime256v1 -noout -out ./privkey-ec-p256.sec1.pem`

			`# Export Public-only EC Key (as SPKI)`
			`openssl ec -in ./privkey-ec-p256.sec1.pem -pubout -out ./pub-ec-p256.spki.pem`

			`# Convert SEC1 (traditional) EC Keypair to PKCS8 format`
			`openssl pkcs8 -topk8 -nocrypt -in ./privkey-ec-p256.sec1.pem -out ./privkey-ec-p256.pkcs8.pem`

			`# Convert EC public key to SSH format`
			`ssh-keygen -f ./pub-ec-p256.spki.pem -i -mPKCS8 > ./pub-ec-p256.ssh.pub`
			```

v1.0.1: update README 2018-11-20 06:31:03 +00:00			`Goals of this project`
v0.1.0: Full PEM-to-JWK support 2018-11-19 05:50:08 +00:00			`-----`

add zero deps note 2018-11-19 05:53:11 +00:00			`* Zero Dependencies`
v0.1.0: Full PEM-to-JWK support 2018-11-19 05:50:08 +00:00			`* Focused support for P-256 and P-384, which are already universally supported.`
			`* Convert both ways`
v1.0.1: update README 2018-11-20 06:31:03 +00:00			`* Browser support as well (TODO)`
update README, correct PKCS8 comments 2018-11-21 07:36:53 +00:00			`* OpenSSL, ssh-keygen, and WebCrypto compatibility`
v1.0.1: update README 2018-11-20 06:31:03 +00:00
			`Legal`
			`-----`

			`Licensed MPL-2.0`

			`[Terms of Use](https://therootcompany.com/legal/#terms) \|`
			`[Privacy Policy](https://therootcompany.com/legal/#privacy)`