2019-03-05 11:55:31 +00:00
|
|
|
# Keypairs CLI
|
|
|
|
|
|
|
|
The most useful and easy-to-use crypto cli on the planet
|
|
|
|
(because `openssl` is confusing).
|
|
|
|
|
|
|
|
* [x] Universal Standards-based Crypto Support:
|
|
|
|
* [x] RSA (2048, 3072, 4096, 8192)
|
|
|
|
* [x] EC (NIST ECDSA) P-256 (prime256v1, secp256r1), P-384 (secp384r1)
|
|
|
|
* [x] Supported Encodings: PEM, JSON
|
|
|
|
* [x] Private Key Formats: PKCS1, SEC1, PKCS8, JWK, OpenSSH
|
|
|
|
* [x] Public Key Formats: PKCS1, PKIX (SPKI), SSH
|
|
|
|
* [x] Create JWT tokens
|
|
|
|
* [x] Sign JWT/JWS claims/tokens/payloads
|
2019-03-05 20:11:13 +00:00
|
|
|
* [x] Decode JWTs (without verifying)
|
|
|
|
* [x] Verify JWT/JWS tokens/json (by fetching public key)
|
2019-03-05 11:55:31 +00:00
|
|
|
|
|
|
|
# Install
|
|
|
|
|
|
|
|
You must have [node.js](https://nodejs.org) installed.
|
|
|
|
|
|
|
|
```bash
|
|
|
|
npm install --global keypairs-cli
|
|
|
|
```
|
|
|
|
|
|
|
|
# Usage
|
|
|
|
|
|
|
|
Guess and check.
|
|
|
|
|
|
|
|
The keypairs CLI is pretty fuzzy. **If you just type at it, it'll probably work.**
|
|
|
|
|
|
|
|
That said, the fuzzy behavior is _not_ API-stable and is subject to change,
|
|
|
|
so you should only script to the documented syntax. ;)
|
|
|
|
|
|
|
|
# Overview
|
|
|
|
|
|
|
|
* Generate: `keypairs gen`
|
|
|
|
* Convert: `keypairs ./priv.pem`
|
2019-03-05 20:11:13 +00:00
|
|
|
* Sign: `keypairs sign ./priv.pem https://example.com/ '{"sub":"jon@example.com"}'`
|
2019-03-05 11:55:31 +00:00
|
|
|
* Verify: `keypairs verify 'xxxxx.yyyyy.zzzzz'`
|
2019-03-05 14:28:44 +00:00
|
|
|
* Decode: `keypairs decode 'xxxxx.yyyyy.zzzzz'`
|
2019-03-05 20:11:13 +00:00
|
|
|
* Debug: prefix any option with `debug` such as `keypairs debug gen pem key.pem jwk pub.json`
|
2019-03-05 11:55:31 +00:00
|
|
|
|
|
|
|
## Generate a New Key
|
|
|
|
|
|
|
|
No arguments - generates a universally compatible key of more-than-sufficient entropy.
|
|
|
|
|
|
|
|
```bash
|
|
|
|
keypairs gen
|
|
|
|
```
|
|
|
|
|
|
|
|
Generate an ecdsa key:
|
|
|
|
|
|
|
|
```bash
|
|
|
|
keypairs gen ec P-256
|
|
|
|
```
|
|
|
|
|
|
|
|
Generate an RSA key:
|
|
|
|
|
|
|
|
```bash
|
|
|
|
keypairs gen rsa 2048
|
|
|
|
```
|
|
|
|
|
|
|
|
## Parse/Convert an existing key
|
|
|
|
|
|
|
|
```bash
|
|
|
|
keypairs ./priv.pem
|
|
|
|
```
|
|
|
|
|
|
|
|
```bash
|
|
|
|
keypairs '{"kty":"EC",...}'
|
|
|
|
```
|
|
|
|
|
|
|
|
```bash
|
|
|
|
keypairs ./priv.jwk.json
|
|
|
|
```
|
|
|
|
|
|
|
|
**Syntax**: `keypairs <in> [priv-out opts...] [pub-out opts...]`
|
|
|
|
|
|
|
|
```bash
|
|
|
|
keypairs <inkey> [[encoding|scheme] [priv-out]] [[encoding|scheme] [pub-out]] [public|private]
|
|
|
|
```
|
|
|
|
|
|
|
|
**Note**: If you specify a private _and_ a public key, and you want to specify the schema/encoding
|
|
|
|
of the public key, you must also specify the scheme and encoding of the public key. Order matters.
|
|
|
|
Private keys come first.
|
|
|
|
|
|
|
|
JWK Keypair to PEM-encoded Private and Public keys:
|
|
|
|
|
|
|
|
```bash
|
|
|
|
keypairs ./priv.json pem pkcs1 ./priv.pem pem spki ./pub.pem
|
|
|
|
keypairs ./priv.json pem ./priv.pem ssh ./pub.json
|
|
|
|
keypairs ./priv.json pkcs8 ./priv.pem spki ./pub.json
|
|
|
|
```
|
|
|
|
|
|
|
|
PEM Keypair to JSON-encoded JWK (Public Key Only):
|
|
|
|
|
|
|
|
```bash
|
|
|
|
keypairs ./priv.pem jwk ./priv.pem public
|
|
|
|
keypairs ./priv.pem json ./priv.pem public
|
|
|
|
```
|
|
|
|
|
|
|
|
Generic PEM to JWK:
|
|
|
|
|
|
|
|
```bash
|
|
|
|
keypairs priv.pem priv.jwk.json
|
|
|
|
```
|
|
|
|
|
|
|
|
```bash
|
|
|
|
keypairs priv.pem priv.jwk.json pub.jwk.json
|
|
|
|
```
|
|
|
|
|
|
|
|
```bash
|
|
|
|
keypairs priv.pem pub.jwk.json public
|
|
|
|
```
|
|
|
|
|
|
|
|
```bash
|
|
|
|
# fails if the input is public
|
|
|
|
keypairs priv.pem priv.jwk.json private
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
Generic JWK to PEM:
|
|
|
|
|
|
|
|
```bash
|
|
|
|
keypairs '{"kty":"EC",...}' priv.pem
|
|
|
|
```
|
|
|
|
|
|
|
|
```bash
|
|
|
|
keypairs priv.json priv.pem
|
|
|
|
```
|
|
|
|
|
|
|
|
## Sign a Token (JWT)
|
|
|
|
|
|
|
|
<!-- or Payload (JWS) -->
|
|
|
|
|
2019-03-05 14:28:44 +00:00
|
|
|
**Syntax**:
|
|
|
|
|
|
|
|
```bash
|
|
|
|
keypairs [key] sign [issuer url] <claims> [exp] [nbf]
|
|
|
|
```
|
|
|
|
|
|
|
|
_Note: The issuer url can be omitted if it's already included among the claims._
|
|
|
|
|
|
|
|
Example:
|
|
|
|
|
|
|
|
```bash
|
|
|
|
keypairs ./priv.pem sign https://example.com/ '{"sub":"jon@example.com"}' 1h -5m
|
|
|
|
```
|
|
|
|
|
2019-03-05 11:55:31 +00:00
|
|
|
```bash
|
2019-03-05 14:28:44 +00:00
|
|
|
keypairs '{"kty":"EC",...}' sign https://example.com/ '{"sub":"jon@example.com"}' 1h -5m
|
2019-03-05 11:55:31 +00:00
|
|
|
```
|
|
|
|
|
|
|
|
## Verify a JWT (Token)
|
|
|
|
|
|
|
|
<!-- or JWS (Payload) -->
|
|
|
|
|
|
|
|
Verify a JWT based on its issuer
|
|
|
|
|
|
|
|
```bash
|
|
|
|
keypairs verify 'xxx.yyy.zzz'
|
|
|
|
```
|
|
|
|
|
|
|
|
<!--
|
|
|
|
Verify using a specific key
|
|
|
|
|
|
|
|
```bash
|
|
|
|
keypairs priv.pem verify 'xxx.yyy.zzz' nofetch
|
|
|
|
```
|
|
|
|
-->
|