💯 ECDSA tools. Key Generation. PEM-to-JWK. JWK-to-PEM. Lightweight. Zero Dependencies. Universal compatibility.
Go to file
AJ ONeal d3357fdb23 update README, correct PKCS8 comments 2018-11-21 00:36:53 -07:00
bin output public jwk from private pem 2018-11-20 09:53:52 -07:00
fixtures update README, correct PKCS8 comments 2018-11-21 00:36:53 -07:00
lib update README, correct PKCS8 comments 2018-11-21 00:36:53 -07:00
.gitignore v0.1.0: Full PEM-to-JWK support 2018-11-18 22:50:08 -07:00
README.md update README, correct PKCS8 comments 2018-11-21 00:36:53 -07:00
index.js v0.1.0: Full PEM-to-JWK support 2018-11-18 22:50:08 -07:00
package.json update README, correct PKCS8 comments 2018-11-21 00:36:53 -07:00
test.sh v1.2.0 add ability to read ssh pub files 2018-11-20 23:55:17 -07:00

README.md

eckles.js

Sponsored by Root. Built for ACME.js and Greenlock.js

ECDSA (elliptic curve) tools. Lightweight. Zero Dependencies. Universal compatibility.

  • PEM-to-JWK
  • JWK-to-PEM
  • SSH "pub" format

This project is fully functional and tested (and the code is pretty clean).

It is considered to be complete, but if you find a bug please open an issue.

PEM-to-JWK

  • SEC1/X9.62, PKCS#8, SPKI/PKIX
  • P-256 (prime256v1, secp256r1), P-384 (secp384r1)
  • SSH (RFC4716), (RFC 4716/SSH2)
var eckles = require('eckles');
var pem = require('fs')
  .readFileSync('./node_modles/eckles/fixtures/privkey-ec-p256.sec1.pem', 'ascii');

eckles.import({ pem: pem }).then(function (jwk) {
  console.log(jwk);
});
{
  "kty": "EC",
  "crv": "P-256",
  "d": "iYydo27aNGO9DBUWeGEPD8oNi1LZDqfxPmQlieLBjVQ",
  "x": "IT1SWLxsacPiE5Z16jkopAn8_-85rMjgyCokrnjDft4",
  "y": "mP2JwOAOdMmXuwpxbKng3KZz27mz-nKWIlXJ3rzSGMo"
}

JWK-to-PEM

  • SEC1/X9.62, PKCS#8, SPKI/PKIX
  • P-256 (prime256v1, secp256r1), P-384 (secp384r1)
  • SSH (RFC4716), (RFC 4716/SSH2)
var eckles = require('eckles');
var jwk = require('eckles/fixtures/privkey-ec-p256.jwk.json');

eckles.export({ jwk: jwk }).then(function (pem) {
  // PEM in SEC1 (x9.62) format
  console.log(pem);
});
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIImMnaNu2jRjvQwVFnhhDw/KDYtS2Q6n8T5kJYniwY1UoAoGCCqGSM49
AwEHoUQDQgAEIT1SWLxsacPiE5Z16jkopAn8/+85rMjgyCokrnjDft6Y/YnA4A50
yZe7CnFsqeDcpnPbubP6cpYiVcnevNIYyg==
-----END EC PRIVATE KEY-----

Advanced Options

format: 'pkcs8':

The default output format is sec1/x9.62 (EC-specific format) is used for private keys. Use format: 'pkcs8' to output in PKCS#8 format instead.

eckles.export({ jwk: jwk, format: 'pkcs8' }).then(function (pem) {
  // PEM in PKCS#8 format
  console.log(pem);
});
-----BEGIN EC PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgiYydo27aNGO9DBUW
eGEPD8oNi1LZDqfxPmQlieLBjVShRANCAAQhPVJYvGxpw+ITlnXqOSikCfz/7zms
yODIKiSueMN+3pj9icDgDnTJl7sKcWyp4Nymc9u5s/pyliJVyd680hjK
-----END EC PRIVATE KEY-----

format: 'ssh':

Although SSH uses SEC1 for private keys, it uses ts own special non-ASN1 format (affectionately known as rfc4716) for public keys. I got curious and then decided to add this format as well.

To get the same format as you would get with ssh-keygen, pass ssh as the format option:

eckles.export({ jwk: jwk, format: 'ssh' }).then(function (pub) {
  // Special SSH2 Public Key format (RFC 4716)
  console.log(pub);
});
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCE9Uli8bGnD4hOWdeo5KKQJ/P/vOazI4MgqJK54w37emP2JwOAOdMmXuwpxbKng3KZz27mz+nKWIlXJ3rzSGMo= P-256@localhost

public: 'true':

If a private key is used as input, a private key will be output.

If you'd like to output a public key instead you can pass public: true or format: 'spki'.

eckles.export({ jwk: jwk, public: true }).then(function (pem) {
  // PEM in SPKI/PKIX format
  console.log(pem);
});
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIT1SWLxsacPiE5Z16jkopAn8/+85
rMjgyCokrnjDft6Y/YnA4A50yZe7CnFsqeDcpnPbubP6cpYiVcnevNIYyg==
-----END PUBLIC KEY-----

Testing

All cases are tested in test.sh.

You can compare these keys to the ones that you get from OpenSSL, ssh-keygen, and WebCrypto:

# Generate EC P-256 Keypair
openssl ecparam -genkey -name prime256v1 -noout -out ./privkey-ec-p256.sec1.pem

# Export Public-only EC Key (as SPKI)
openssl ec -in ./privkey-ec-p256.sec1.pem -pubout -out ./pub-ec-p256.spki.pem

# Convert SEC1 (traditional) EC Keypair to PKCS8 format
openssl pkcs8 -topk8 -nocrypt -in ./privkey-ec-p256.sec1.pem -out ./privkey-ec-p256.pkcs8.pem

# Convert EC public key to SSH format
ssh-keygen -f ./pub-ec-p256.spki.pem -i -mPKCS8 > ./pub-ec-p256.ssh.pub

Goals of this project

  • Zero Dependencies
  • Focused support for P-256 and P-384, which are already universally supported.
  • Convert both ways
  • Browser support as well (TODO)
  • OpenSSL, ssh-keygen, and WebCrypto compatibility

Licensed MPL-2.0

Terms of Use | Privacy Policy