|
|
@ -1,611 +1,12 @@ |
|
|
|
#!/usr/bin/env node
|
|
|
|
'use strict'; |
|
|
|
|
|
|
|
// I'm not proud of the way this code is written - it snowballed from a thought
|
|
|
|
// experiment into a full-fledged CLI, literally overnight (as it it's 4:30am
|
|
|
|
// right now), but I love what it accomplishes!
|
|
|
|
|
|
|
|
/*global Promise*/ |
|
|
|
var fs = require('fs'); |
|
|
|
var Rasha = require('rasha'); |
|
|
|
var Eckles = require('eckles'); |
|
|
|
var Keypairs = require('../'); |
|
|
|
var pkg = require('../package.json'); |
|
|
|
|
|
|
|
var args = process.argv.slice(2); |
|
|
|
var opts = { keys: [], jwts: [], jwss: [], payloads: [], names: [], filenames: [], files: [] }; |
|
|
|
var conflicts = { |
|
|
|
'namedCurve': 'modulusLength' |
|
|
|
, 'public': 'private' |
|
|
|
}; |
|
|
|
Object.keys(conflicts).forEach(function (k) { |
|
|
|
conflicts[conflicts[k]] = k; |
|
|
|
}); |
|
|
|
function set(key, val) { |
|
|
|
if (opts[conflicts[key]]) { |
|
|
|
console.error("cannot set '" + key + "' to '" + val + "': '" + conflicts[key] + "' already set as '" + opts[conflicts[key]] + "'"); |
|
|
|
process.exit(1); |
|
|
|
} |
|
|
|
if (opts[key]) { |
|
|
|
console.error("cannot set '" + key + "' to '" + val + "': already set as '" + opts[key] + "'"); |
|
|
|
process.exit(1); |
|
|
|
} |
|
|
|
opts[key] = val; |
|
|
|
} |
|
|
|
|
|
|
|
// duck type all the things
|
|
|
|
// TODO segment off by actions (gen, sign, verify) and allow parse/convert or gen before sign
|
|
|
|
args.forEach(function (arg) { |
|
|
|
var larg = arg.toLowerCase().replace(/[^\w]/g, ''); |
|
|
|
var narg = parseInt(arg, 10) || 0; |
|
|
|
if (narg.toString() !== arg) { |
|
|
|
// i.e. 2048.pem is a valid file name
|
|
|
|
narg = false; |
|
|
|
} |
|
|
|
|
|
|
|
if ('version' === arg) { |
|
|
|
console.info(pkg.name, 'v' + pkg.version); |
|
|
|
process.exit(0); |
|
|
|
} |
|
|
|
|
|
|
|
if (setTimes(arg)) { |
|
|
|
return; |
|
|
|
} |
|
|
|
if (setIssuer(arg)) { |
|
|
|
return; |
|
|
|
} |
|
|
|
if (setSubject(arg)) { |
|
|
|
return; |
|
|
|
} |
|
|
|
|
|
|
|
if ('ecdsa' === larg || 'ec' === larg) { |
|
|
|
set('kty', "EC"); |
|
|
|
if (opts.modulusLength) { |
|
|
|
console.error("EC keys do not have bit lengths such as '" + opts.modulusLength + "'. Choose either the P-256 or P-384 'curve' instead."); |
|
|
|
process.exit(1); |
|
|
|
} |
|
|
|
} |
|
|
|
if ('rsa' === larg) { |
|
|
|
set('kty', "RSA"); |
|
|
|
if (opts.namedCurve) { |
|
|
|
console.error("RSA keys do not have curves such as '" + opts.namedCurve + "'. Choose a modulus bit length, such as 2048 instead."); |
|
|
|
process.exit(1); |
|
|
|
} |
|
|
|
return; |
|
|
|
} |
|
|
|
|
|
|
|
// P-384
|
|
|
|
if (-1 !== ['256', 'p256', 'prime256v1', 'secp256r1'].indexOf(larg)) { |
|
|
|
set('namedCurve', "P-256"); |
|
|
|
return; |
|
|
|
} |
|
|
|
|
|
|
|
// P-384
|
|
|
|
if (-1 !== ['384', 'p384', 'secp384r1'].indexOf(larg)) { |
|
|
|
set('namedCurve', "P-384"); |
|
|
|
return; |
|
|
|
} |
|
|
|
|
|
|
|
// RSA Modulus Length
|
|
|
|
if (narg) { |
|
|
|
if (narg < 2048 || narg % 8 || narg > 8192) { |
|
|
|
console.error("RSA modulusLength must be >=2048, <=8192 and divisible by 8"); |
|
|
|
process.exit(1); |
|
|
|
} |
|
|
|
set('modulusLength', narg); |
|
|
|
return; |
|
|
|
} |
|
|
|
|
|
|
|
// Booleans
|
|
|
|
if (-1 !== [ 'private', 'public', 'nocompact', 'nofetch', 'debug', 'overwrite' ].indexOf(arg)) { |
|
|
|
set(arg, true); |
|
|
|
var cmd = "npm install --global keypairs-cli"; |
|
|
|
console.error(cmd); |
|
|
|
require('child_process').exec(cmd, function (err) { |
|
|
|
if (err) { |
|
|
|
console.error(err); |
|
|
|
return; |
|
|
|
} |
|
|
|
if ('uncompressed' === arg) { |
|
|
|
set('uncompressed', true); |
|
|
|
return; |
|
|
|
} |
|
|
|
if (-1 !== [ 'gen', 'sign', 'verify', 'decode' ].indexOf(arg)) { |
|
|
|
set('action', arg); |
|
|
|
return; |
|
|
|
} |
|
|
|
|
|
|
|
// Key format and encoding
|
|
|
|
if (-1 !== [ 'spki', 'pkix' ].indexOf(larg)) { |
|
|
|
set('pubFormat', 'spki'); |
|
|
|
return; |
|
|
|
} |
|
|
|
// TODO add ssh private key support (it's already built in jwk-to-ssh)
|
|
|
|
if ('ssh' === larg) { |
|
|
|
set('pubFormat', 'ssh'); |
|
|
|
return; |
|
|
|
} |
|
|
|
if (-1 !== [ 'openssh', 'sec1', 'pkcs1', 'pkcs8' ].indexOf(larg)) { |
|
|
|
// pkcs1 can be public or private, it's ambiguous
|
|
|
|
if (!opts.privFormat) { |
|
|
|
set('privFormat', larg); |
|
|
|
return; |
|
|
|
} |
|
|
|
|
|
|
|
if ('pkcs1' === larg || 'ssh' === larg) { |
|
|
|
set('pubFormat', larg); |
|
|
|
return; |
|
|
|
} |
|
|
|
if ('openssh' === larg) { |
|
|
|
console.warn("specifying 'openssh' twice? ...assuming that you meant 'ssh'"); |
|
|
|
set('pubFormat', 'ssh'); |
|
|
|
return; |
|
|
|
} |
|
|
|
if ('pkcs8' === larg) { |
|
|
|
console.warn("specifying 'pkcs8' twice? ...assuming that you meant 'spki' (pkix)"); |
|
|
|
set('pubFormat', 'spki'); |
|
|
|
return; |
|
|
|
} |
|
|
|
if ('sec1' === larg) { |
|
|
|
console.warn("specifying 'sec1' twice? ...assuming that you meant 'spki' (pkix)"); |
|
|
|
set('pubFormat', 'spki'); |
|
|
|
return; |
|
|
|
} |
|
|
|
return; |
|
|
|
} |
|
|
|
if ('jwk' === larg) { |
|
|
|
if (!opts.privFormat) { |
|
|
|
set('privFormat', larg); |
|
|
|
} else { |
|
|
|
set('pubFormat', larg); |
|
|
|
} |
|
|
|
return; |
|
|
|
} |
|
|
|
if ('pem' === larg || 'der' === larg || 'json' === larg) { |
|
|
|
if (!opts.privEncoding) { |
|
|
|
set('privEncoding', larg); |
|
|
|
} else { |
|
|
|
set('pubEncoding', larg); |
|
|
|
} |
|
|
|
return; |
|
|
|
} |
|
|
|
|
|
|
|
// Filename
|
|
|
|
try { |
|
|
|
fs.accessSync(arg); |
|
|
|
opts.filenames.push(arg); |
|
|
|
opts.names.push({ taken: true, name: arg }); |
|
|
|
if (!guessFile(arg)) { |
|
|
|
opts.files.push(arg); |
|
|
|
} |
|
|
|
return; |
|
|
|
} catch(e) { /* not keypath */ } |
|
|
|
|
|
|
|
// Test for JWK-ness / payload-ness
|
|
|
|
if (guess(arg)) { |
|
|
|
return; |
|
|
|
} |
|
|
|
|
|
|
|
// Test for JWT-ness
|
|
|
|
if (setJwt(arg)) { |
|
|
|
return; |
|
|
|
} |
|
|
|
|
|
|
|
// Possibly the output file
|
|
|
|
if (opts.names.length < 3) { |
|
|
|
opts.names.push({ taken: false, name: arg }); |
|
|
|
return; |
|
|
|
} |
|
|
|
// check if it's a valid output key
|
|
|
|
|
|
|
|
console.error("too many arguments or didn't understand argument '" + arg + "'"); |
|
|
|
if (opts.debug) { |
|
|
|
console.warn(opts); |
|
|
|
} |
|
|
|
process.exit(1); |
|
|
|
console.info("Run 'keypairs help' to see what you can do!"); |
|
|
|
}); |
|
|
|
|
|
|
|
function guessFile(filename) { |
|
|
|
try { |
|
|
|
// TODO der support
|
|
|
|
var txt = fs.readFileSync(filename).toString('utf8'); |
|
|
|
return guess(txt, filename); |
|
|
|
} catch(e) { |
|
|
|
return false; |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
function guess(txt, filename) { |
|
|
|
try { |
|
|
|
var json = JSON.parse(txt); |
|
|
|
if (-1 !== [ 'RSA', 'EC' ].indexOf(json.kty)) { |
|
|
|
opts.keys.push({ raw: txt, jwk: json, filename: filename }); |
|
|
|
return true; |
|
|
|
} else if (json.signature && json.payload && (json.header || json.protected)) { |
|
|
|
opts.jwss.push(json); |
|
|
|
return true; |
|
|
|
} else { |
|
|
|
opts.payloads.push(txt); |
|
|
|
return true; |
|
|
|
} |
|
|
|
} catch(e) { |
|
|
|
try { |
|
|
|
var jwk = Eckles.importSync({ pem: txt }); |
|
|
|
// pem._string = txt;
|
|
|
|
opts.keys.push({ jwk: jwk, pem: true, raw: txt }); |
|
|
|
return true; |
|
|
|
} catch(e) { |
|
|
|
try { |
|
|
|
var jwk = Rasha.importSync({ pem: txt }); |
|
|
|
// pem._string = txt;
|
|
|
|
opts.keys.push({ jwk: jwk, pem: true, raw: txt }); |
|
|
|
return true; |
|
|
|
} catch(e) { |
|
|
|
// ignore
|
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
return false; |
|
|
|
} |
|
|
|
|
|
|
|
// node bin/keypairs.js debug spki pem json pkcs1 ~/.ssh/id_rsa.pub foo.pem bar.pem 'abc.abc.abc' '{"kty":"EC"}' '{}' '{"signature":"x", "payload":"x", "header":"x"}' '{"signature":"x", "payload":"x", "protected":"x"}' verify
|
|
|
|
if (opts.debug) { |
|
|
|
console.warn(opts); |
|
|
|
} |
|
|
|
|
|
|
|
var kp; |
|
|
|
|
|
|
|
if ('gen' === opts.action || (!opts.action && !opts.names.length)) { |
|
|
|
if (opts.names.length > 2) { |
|
|
|
console.error("there should only be two output files at most when generating keypairs"); |
|
|
|
console.error(opts.names.map(function (t) { return t.name; })); |
|
|
|
process.exit(1); |
|
|
|
return; |
|
|
|
} |
|
|
|
|
|
|
|
kp = genKeypair(); |
|
|
|
} else if ('decode' === opts.action) { |
|
|
|
if (!opts.jwts.length) { |
|
|
|
console.error("no JWTs specified to decode"); |
|
|
|
process.exit(1); |
|
|
|
return; |
|
|
|
} |
|
|
|
|
|
|
|
return Promise.all(opts.jwts.map(function (jwt, i) { |
|
|
|
try { |
|
|
|
var decoded = decodeJwt(jwt); |
|
|
|
console.info("Decoded #" + (i + 1) + ":"); |
|
|
|
console.info(JSON.stringify(decoded, null, 2)); |
|
|
|
} catch(e) { |
|
|
|
console.error("Failed to decode #" + (i + 1) + ":"); |
|
|
|
console.error(e); |
|
|
|
} |
|
|
|
})); |
|
|
|
} else if ('verify' === opts.action || (!opts.action && opts.jwts.length)) { |
|
|
|
if (!opts.jwts.length) { |
|
|
|
console.error("no JWTs specified to verify"); |
|
|
|
process.exit(1); |
|
|
|
return; |
|
|
|
} |
|
|
|
|
|
|
|
return Promise.all(opts.jwts.map(function (jwt, i) { |
|
|
|
return require('keyfetch').verify({ jwt: jwt }).then(function (decoded) { |
|
|
|
console.info("Verified #" + (i + 1) + ":"); |
|
|
|
console.info(JSON.stringify(decoded, null, 2)); |
|
|
|
}).catch(function (err) { |
|
|
|
console.error("Failed to verify #" + (i + 1) + ":"); |
|
|
|
console.error(err); |
|
|
|
}); |
|
|
|
})); |
|
|
|
} else { |
|
|
|
if (opts.names.length > 3) { |
|
|
|
console.error("there should only be one input file and up to two output files when converting keypairs"); |
|
|
|
console.error(opts.names.map(function (t) { return t.name; })); |
|
|
|
process.exit(1); |
|
|
|
return; |
|
|
|
} |
|
|
|
var pair = readKeypair(); |
|
|
|
pair._convert = true; |
|
|
|
kp = Promise.resolve(pair); |
|
|
|
} |
|
|
|
|
|
|
|
if ('sign' === opts.action) { |
|
|
|
return kp.then(function (pair) { |
|
|
|
var jwk = pair.private; |
|
|
|
if (!jwk || !jwk.d) { |
|
|
|
console.error("the first key was not a private key"); |
|
|
|
console.error(opts.names.map(function (t) { return t.name; })); |
|
|
|
process.exit(1); |
|
|
|
return; |
|
|
|
} |
|
|
|
if (!opts.payloads.length) { |
|
|
|
opts.payloads.push('{}'); |
|
|
|
} |
|
|
|
return Promise.all(opts.payloads.map(function (payload) { |
|
|
|
var claims = JSON.parse(payload); |
|
|
|
if (!claims.iss) { claims.iss = opts.issuer; } |
|
|
|
if (!claims.iss) { console.warn("No issuer given, token will not be verifiable"); } |
|
|
|
if (!claims.sub) { claims.sub = opts.sub; } |
|
|
|
if (!claims.exp) { |
|
|
|
if (!opts.expiresAt) { setTimes('15m'); } |
|
|
|
claims.exp = opts.expiresAt; |
|
|
|
} |
|
|
|
if (!claims.iat) { claims.iat = opts.issuedAt; } |
|
|
|
if (!claims.nbf) { claims.nbf = opts.nbf; } |
|
|
|
return Keypairs.signJwt({ jwk: pair.private, claims: claims }).then(function (jwt) { |
|
|
|
console.info(jwt); |
|
|
|
}); |
|
|
|
})); |
|
|
|
}); |
|
|
|
} else { |
|
|
|
return kp.then(function (pair) { |
|
|
|
if (pair._convert) { |
|
|
|
return convertKeypair(pair); |
|
|
|
} |
|
|
|
}); |
|
|
|
} |
|
|
|
|
|
|
|
function readKeypair() { |
|
|
|
// note that the jwk may be a string
|
|
|
|
var keyopts = opts.keys.shift(); |
|
|
|
var jwk = keyopts && keyopts.jwk; |
|
|
|
if (!jwk) { |
|
|
|
console.error("no keys could be parsed from the given arguments"); |
|
|
|
console.error(opts.names.map(function (t) { return t.name; })); |
|
|
|
process.exit(1); |
|
|
|
return; |
|
|
|
} |
|
|
|
|
|
|
|
// omit the primary private key from the list of actual (or soon-to-be) files
|
|
|
|
if (keyopts.filename) { |
|
|
|
opts.names = opts.names.filter(function (name) { |
|
|
|
return name.name !== keyopts.filename; |
|
|
|
}); |
|
|
|
} |
|
|
|
|
|
|
|
var pair = { private: null, public: null, pem: keyopts.pem, raw: keyopts.raw }; |
|
|
|
if (jwk.d) { |
|
|
|
pair.private = jwk; |
|
|
|
} |
|
|
|
pair.public = Keypairs._neuter({ jwk: jwk }); |
|
|
|
return pair; |
|
|
|
} |
|
|
|
|
|
|
|
// Note: some of the conditions can be factored out
|
|
|
|
// this was all built in high-speed iterative during the 3ams+
|
|
|
|
function convertKeypair(pair) { |
|
|
|
//var pair = readKeypair();
|
|
|
|
|
|
|
|
var ps = []; |
|
|
|
// if it's private only, or if it's not public-only, produce the private key
|
|
|
|
if (pair.private || !opts.public) { |
|
|
|
// if it came from pem (or is explicitly json), it should go to jwk
|
|
|
|
// otherwise, if it came from jwk, it should go to pem
|
|
|
|
if (((!opts.privEncoding && pair.pem) || 'json' === opts.privEncoding) |
|
|
|
&& ((!opts.privFormat && pair.pem) || 'jwk' === opts.privFormat)) { |
|
|
|
ps.push(Promise.resolve(pair.private)); |
|
|
|
} else { |
|
|
|
ps.push(Keypairs.export({ jwk: pair.private, format: opts.privFormat, encoding: opts.privEncoding })); |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
// if it's not private key only, we want to produce the public key
|
|
|
|
if (!opts.private) { |
|
|
|
if (opts.public) { |
|
|
|
// if it's public-only the ambigious options will fall to the private key
|
|
|
|
// so we need to fix that
|
|
|
|
if (!opts.pubFormat) { opts.pubFormat = opts.privFormat; } |
|
|
|
if (!opts.pubEncoding) { opts.pubEncoding = opts.privEncoding; } |
|
|
|
} |
|
|
|
|
|
|
|
// same as above - swap formats by default
|
|
|
|
if (((!opts.pubEncoding && pair.pem) || 'json' === opts.pubEncoding) |
|
|
|
&& ((!opts.pubFormat && pair.pem) || 'jwk' === opts.pubFormat)) { |
|
|
|
ps.push(Promise.resolve(pair.public)); |
|
|
|
} else { |
|
|
|
ps.push(Keypairs.export({ jwk: pair.public, format: opts.pubFormat, encoding: opts.pubEncoding, public: true })); |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
return Promise.all(ps).then(function (exported) { |
|
|
|
// start with the first key, annotating if it should be public
|
|
|
|
var index = 0; |
|
|
|
var key = stringifyIfJson(index, opts.public); |
|
|
|
|
|
|
|
// re: opts.names
|
|
|
|
// if we're only doing the public key we can end early
|
|
|
|
// (if the source key was from a file and was in opts.names,
|
|
|
|
// we're safe here because we already removed it earlier)
|
|
|
|
|
|
|
|
if (opts.public) { |
|
|
|
if (opts.names.length) { |
|
|
|
writeFile(opts.names[index].name, key, !opts.public); |
|
|
|
} else { |
|
|
|
// output public keys to stderr
|
|
|
|
printPublic(key); |
|
|
|
} |
|
|
|
// end <-- we're not outputting other keys
|
|
|
|
return; |
|
|
|
} |
|
|
|
|
|
|
|
// private key stuff
|
|
|
|
if (opts.names.length >= 1) { |
|
|
|
writeFile(opts.names[index].name, key, true); |
|
|
|
} else { |
|
|
|
printPrivate(key); |
|
|
|
} |
|
|
|
|
|
|
|
// pub key stuff
|
|
|
|
// we have to output the private key,
|
|
|
|
// but the public key can be derived at any time
|
|
|
|
// so we don't need to put the same noise to the screen
|
|
|
|
if (!opts.private && opts.names.length >= 2) { |
|
|
|
index = 1; |
|
|
|
key = stringifyIfJson(index, false); |
|
|
|
writeFile(opts.names[index].name, key, false); |
|
|
|
} |
|
|
|
|
|
|
|
return pair; |
|
|
|
|
|
|
|
function stringifyIfJson(i, pub) { |
|
|
|
if (exported[i].kty) { |
|
|
|
if (pub) { |
|
|
|
if (opts.expiresAt) { exported[i].exp = opts.expiresAt; } |
|
|
|
exported[i].use = "sig"; |
|
|
|
} |
|
|
|
exported[i] = JSON.stringify(exported[i]); |
|
|
|
} |
|
|
|
return exported[i]; |
|
|
|
} |
|
|
|
}); |
|
|
|
} |
|
|
|
|
|
|
|
function genKeypair() { |
|
|
|
return Keypairs.generate({ |
|
|
|
kty: opts.kty |
|
|
|
, modulusLength: opts.modulusLength |
|
|
|
, namedCurve: opts.namedCurve |
|
|
|
}).then(function (pair) { |
|
|
|
// always generate as jwk by default
|
|
|
|
var ps = []; |
|
|
|
if ((!opts.privEncoding || 'json' === opts.privEncoding) && (!opts.privFormat || 'jwk' === opts.privFormat)) { |
|
|
|
ps.push(Promise.resolve(pair.private)); |
|
|
|
} else { |
|
|
|
ps.push(Keypairs.export({ jwk: pair.private, format: opts.privFormat, encoding: opts.privEncoding })); |
|
|
|
} |
|
|
|
if ((!opts.pubEncoding || 'json' === opts.pubEncoding) && (!opts.pubFormat || 'jwk' === opts.pubFormat)) { |
|
|
|
ps.push(Promise.resolve(pair.public)); |
|
|
|
} else { |
|
|
|
ps.push(Keypairs.export({ jwk: pair.public, format: opts.pubFormat, encoding: opts.pubEncoding, public: true })); |
|
|
|
} |
|
|
|
return Promise.all(ps).then(function (arr) { |
|
|
|
if (arr[0].kty) { |
|
|
|
arr[0] = JSON.stringify(arr[0]); |
|
|
|
} |
|
|
|
if (arr[1].kty) { |
|
|
|
if (opts.expiresAt) { arr[1].exp = opts.expiresAt; } |
|
|
|
arr[1].use = "sig"; |
|
|
|
arr[1] = JSON.stringify(arr[1]); |
|
|
|
} |
|
|
|
if (!opts.names.length) { |
|
|
|
console.info(arr[0] + "\n"); |
|
|
|
console.warn(arr[1] + "\n"); |
|
|
|
} |
|
|
|
if (opts.names.length >= 1) { |
|
|
|
writeFile(opts.names[0].name, arr[0], true); |
|
|
|
if (!opts.private && opts.names.length >= 2) { |
|
|
|
writeFile(opts.names[1].name, arr[1]); |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
return pair; |
|
|
|
}); |
|
|
|
}); |
|
|
|
} |
|
|
|
|
|
|
|
function writeFile(name, key, priv) { |
|
|
|
var overwrite; |
|
|
|
try { |
|
|
|
fs.accessSync(name); |
|
|
|
overwrite = opts.overwrite; |
|
|
|
if (!opts.overwrite) { |
|
|
|
if (priv) { |
|
|
|
// output private keys to stdout
|
|
|
|
console.info(key + "\n"); |
|
|
|
} else { |
|
|
|
// output public keys to stderr
|
|
|
|
console.warn(key + "\n"); |
|
|
|
} |
|
|
|
console.error("'" + name + "' exists! force overwrite with 'overwrite'"); |
|
|
|
process.exit(1); |
|
|
|
return; |
|
|
|
} |
|
|
|
} catch(e) { |
|
|
|
// the file does not exist (or cannot be accessed)
|
|
|
|
} |
|
|
|
fs.writeFileSync(name, key); |
|
|
|
if (overwrite) { |
|
|
|
console.info("Overwrote " + (priv ? "private" : "public") + " key at '" + name + "'"); |
|
|
|
} else { |
|
|
|
console.info("Wrote " + (priv ? "private" : "public") + " key to '" + name + "'"); |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
function setJwt(arg) { |
|
|
|
try { |
|
|
|
var jwt = arg.match(/^([\w-]+)\.([\w-]+)\.([\w-]+)$/); |
|
|
|
// make sure header is a JWT header
|
|
|
|
JSON.parse(Buffer.from(jwt[1], 'base64')); |
|
|
|
opts.jwts.push(arg); |
|
|
|
return true; |
|
|
|
} catch(e) { |
|
|
|
// ignore
|
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
function setSubject(arg) { |
|
|
|
if (!/.+@[a-z0-9_-]+\.[a-z0-9_-]+/i.test(arg)) { |
|
|
|
return false; |
|
|
|
} |
|
|
|
|
|
|
|
opts.subject = arg; |
|
|
|
return false; |
|
|
|
} |
|
|
|
|
|
|
|
function setIssuer(arg) { |
|
|
|
if (!/^https?:\/\/[a-z0-9_-]+\.[a-z0-9_-]+/i.test(arg)) { |
|
|
|
return false; |
|
|
|
} |
|
|
|
|
|
|
|
try { |
|
|
|
new URL(arg); |
|
|
|
opts.issuer = arg.replace(/\/$/, ''); |
|
|
|
return true; |
|
|
|
} catch(e) { |
|
|
|
} |
|
|
|
return false; |
|
|
|
} |
|
|
|
|
|
|
|
function setTimes(arg) { |
|
|
|
var t = arg.match(/^(\-?\d+)([dhms])$/i); |
|
|
|
if (!t || !t[0]) { |
|
|
|
return false; |
|
|
|
} |
|
|
|
|
|
|
|
var num = parseInt(t[1], 10); |
|
|
|
var unit = t[2]; |
|
|
|
var mult = 1; |
|
|
|
opts.issuedAt = Math.round(Date.now()/1000); |
|
|
|
switch(unit) { |
|
|
|
// fancy fallthrough, what fun!
|
|
|
|
case 'd': |
|
|
|
mult *= 24; |
|
|
|
/*falls through*/ |
|
|
|
case 'h': |
|
|
|
mult *= 60; |
|
|
|
/*falls through*/ |
|
|
|
case 'm': |
|
|
|
mult *= 60; |
|
|
|
/*falls through*/ |
|
|
|
case 's': |
|
|
|
mult *= 1; |
|
|
|
} |
|
|
|
if (!opts.expiresIn) { |
|
|
|
opts.expiresIn = mult * num; |
|
|
|
opts.expiresAt = opts.issuedAt + opts.expiresIn; |
|
|
|
} else { |
|
|
|
opts.nbf = opts.issuedAt + (mult * num); |
|
|
|
} |
|
|
|
return true; |
|
|
|
} |
|
|
|
|
|
|
|
function decodeJwt(jwt) { |
|
|
|
var parts = jwt.split('.'); |
|
|
|
return { |
|
|
|
header: JSON.parse(Buffer.from(parts[0], 'base64')) |
|
|
|
, payload: JSON.parse(Buffer.from(parts[1], 'base64')) |
|
|
|
, signature: parts[2] //Buffer.from(parts[2], 'base64')
|
|
|
|
}; |
|
|
|
} |
|
|
|
|
|
|
|
function printPrivate(key) { |
|
|
|
console.info(key + "\n"); |
|
|
|
} |
|
|
|
function printPublic(key) { |
|
|
|
console.warn(key + "\n"); |
|
|
|
} |
|
|
|