coolaj86
/
old-keypairs.js
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity
Browse Source

v1.2.0: add CLI stuff

master v1.2.0
AJ ONeal 5 years ago
parent
7099943db7
commit
4ac6e7f8dd
5 changed files with 601 additions and 8 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 6
      README.md
  2. 581
      bin/keypairs.js
  3. 10
      keypairs.js
  4. 2
      package-lock.json
  5. 10
      package.json

6
README.md
View File

@ -11,13 +11,15 @@ and [Rasha.js (RSA)](https://git.coolaj86.com/coolaj86/rasha.js/).
* [x] Generate keypairs
* [x] RSA
* [x] ECDSA (P-256, P-384)
* [x] PEM-to-JWK
* [x] JWK-to-PEM
* [x] PEM-to-JWK (and SSH-to-JWK)
* [x] JWK-to-PEM (and JWK-to-SSH)
* [x] Create JWTs (and sign JWS)
* [x] SHA256 JWK Thumbprints
* [ ] JWK fetching. See [Keyfetch.js](https://npmjs.com/packages/keyfetch/)
* [ ] OIDC
* [ ] Auth0
* [ ] CLI
* See [keypairs-cli](https://npmjs.com/packages/keypairs-cli/)
<!--

581
bin/keypairs.js
View File

@ -0,0 +1,581 @@
#!/usr/bin/env node
'use strict';
// I'm not proud of the way this code is written - it snowballed from a thought
// experiment into a full-fledged CLI, literally overnight (as it it's 4:30am
// right now), but I love what it accomplishes!
/*global Promise*/
var fs = require('fs');
var Rasha = require('rasha');
var Eckles = require('eckles');
var Keypairs = require('../');
var pkg = require('../package.json');
var args = process.argv.slice(2);
var opts = { jwks: [], jwts: [], jwss: [], payloads: [], names: [], filenames: [], files: [], pems: [] };
var conflicts = {
'namedCurve': 'modulusLength'
, 'public': 'private'
};
Object.keys(conflicts).forEach(function (k) {
conflicts[conflicts[k]] = k;
});
function set(key, val) {
if (opts[conflicts[key]]) {
console.error("cannot set '" + key + "' to '" + val + "': '" + conflicts[key] + "' already set as '" + opts[conflicts[key]] + "'");
process.exit(1);
}
if (opts[key]) {
console.error("cannot set '" + key + "' to '" + val + "': already set as '" + opts[key] + "'");
process.exit(1);
}
opts[key] = val;
}
// duck type all the things
// TODO segment off by actions (gen, sign, verify) and allow parse/convert or gen before sign
args.forEach(function (arg) {
var larg = arg.toLowerCase().replace(/[^\w]/g, '');
var narg = parseInt(arg, 10) || 0;
if (narg.toString() !== arg) {
// i.e. 2048.pem is a valid file name
narg = false;
}
if ('version' === arg) {
console.info(pkg.name, 'v' + pkg.version);
process.exit(0);
}
if (setTimes(arg)) {
return;
}
if (setIssuer(arg)) {
return;
}
if (setSubject(arg)) {
return;
}
if ('ecdsa' === larg || 'ec' === larg) {
set('kty', "EC");
if (opts.modulusLength) {
console.error("EC keys do not have bit lengths such as '" + opts.modulusLength + "'. Choose either the P-256 or P-384 'curve' instead.");
process.exit(1);
}
}
if ('rsa' === larg) {
set('kty', "RSA");
if (opts.namedCurve) {
console.error("RSA keys do not have curves such as '" + opts.namedCurve + "'. Choose a modulus bit length, such as 2048 instead.");
process.exit(1);
}
return;
}
// P-384
if (-1 !== ['256', 'p256', 'prime256v1', 'secp256r1'].indexOf(larg)) {
set('namedCurve', "P-256");
return;
}
// P-384
if (-1 !== ['384', 'p384', 'secp384r1'].indexOf(larg)) {
set('namedCurve', "P-384");
return;
}
// RSA Modulus Length
if (narg) {
if (narg < 2048 || narg % 8 || narg > 8192) {
console.error("RSA modulusLength must be >=2048, <=8192 and divisible by 8");
process.exit(1);
}
set('modulusLength', narg);
return;
}
// Booleans
if (-1 !== [ 'private', 'public', 'nocompact', 'nofetch', 'debug', 'overwrite' ].indexOf(arg)) {
console.log(arg);
set(arg, true);
return;
}
if ('uncompressed' === arg) {
set('uncompressed', true);
return;
}
if (-1 !== [ 'gen', 'sign', 'verify', 'decode' ].indexOf(arg)) {
set('action', arg);
return;
}
// Key format and encoding
if (-1 !== [ 'spki', 'pkix' ].indexOf(larg)) {
set('pubFormat', 'spki');
return;
}
// TODO add ssh private key support (it's already built in jwk-to-ssh)
if ('ssh' === larg) {
set('pubFormat', 'ssh');
return;
}
if (-1 !== [ 'openssh', 'sec1', 'pkcs1', 'pkcs8' ].indexOf(larg)) {
// pkcs1 can be public or private, it's ambiguous
if (!opts.privFormat) {
set('privFormat', larg);
return;
}
if ('pkcs1' === larg || 'ssh' === larg) {
set('pubFormat', larg);
return;
}
if ('openssh' === larg) {
console.warn("specifying 'openssh' twice? ...assuming that you meant 'ssh'");
set('pubFormat', 'ssh');
return;
}
if ('pkcs8' === larg) {
console.warn("specifying 'pkcs8' twice? ...assuming that you meant 'spki' (pkix)");
set('pubFormat', 'spki');
return;
}
if ('sec1' === larg) {
console.warn("specifying 'sec1' twice? ...assuming that you meant 'spki' (pkix)");
set('pubFormat', 'spki');
return;
}
return;
}
if ('jwk' === larg) {
if (!opts.privFormat) {
set('privFormat', larg);
} else {
set('pubFormat', larg);
}
return;
}
if ('pem' === larg || 'der' === larg || 'json' === larg) {
if (!opts.privEncoding) {
set('privEncoding', larg);
} else {
set('pubEncoding', larg);
}
return;
}
// Filename
try {
fs.accessSync(arg);
opts.filenames.push(arg);
opts.names.push({ taken: true, name: arg });
if (!guessFile(arg)) {
opts.files.push(arg);
}
return;
} catch(e) { /* not keypath */ }
// Test for JWK-ness / payload-ness
if (guess(arg)) {
return;
}
// Test for JWT-ness
if (setJwt(arg)) {
return;
}
// Possibly the output file
if (!opts.extra1) {
opts.extra1 = arg;
opts.names.push({ taken: false, name: arg });
return;
}
if (!opts.extra2) {
opts.extra2 = arg;
opts.names.push({ taken: false, name: arg });
return;
}
// check if it's a valid output key
console.error("too many arguments or didn't understand argument '" + arg + "'");
if (opts.debug) {
console.warn(opts);
}
process.exit(1);
});
function guessFile(filename) {
try {
// TODO der support
var txt = fs.readFileSync(filename).toString('utf8');
return guess(txt, filename);
} catch(e) {
return false;
}
}
function guess(txt, filename) {
try {
var json = JSON.parse(txt);
if (-1 !== [ 'RSA', 'EC' ].indexOf(json.kty)) {
opts.jwks.push({ jwk: json, filename: filename });
return true;
} else if (json.signature && json.payload && (json.header || json.protected)) {
opts.jwss.push(json);
return true;
} else {
opts.payloads.push(txt);
return true;
}
} catch(e) {
try {
var pem = Eckles.importSync({ pem: txt });
// pem._string = txt;
opts.pems.push(pem);
return true;
} catch(e) {
try {
var pem = Rasha.importSync({ pem: txt });
// pem._string = txt;
opts.pems.push(pem);
return true;
} catch(e) {
// ignore
}
}
}
return false;
}
// node bin/keypairs.js debug spki pem json pkcs1 ~/.ssh/id_rsa.pub foo.pem bar.pem 'abc.abc.abc' '{"kty":"EC"}' '{}' '{"signature":"x", "payload":"x", "header":"x"}' '{"signature":"x", "payload":"x", "protected":"x"}' verify
if (opts.debug) {
console.warn(opts);
}
var kp;
if ('gen' === opts.action || (!opts.action && !opts.names.length)) {
if (opts.names.length > 2) {
console.error("there should only be two output files at most when generating keypairs");
console.error(opts.names.map(function (t) { return t.name; }));
process.exit(1);
return;
}
kp = genKeypair();
} else if ('decode' === opts.action) {
if (!opts.jwts.length) {
console.error("no JWTs specified to decode");
process.exit(1);
return;
}
return Promise.all(opts.jwts.map(function (jwt, i) {
try {
var decoded = decodeJwt(jwt);
console.info("Decoded #" + (i + 1) + ":");
console.info(JSON.stringify(decoded, null, 2));
} catch(e) {
console.error("Failed to decode #" + (i + 1) + ":");
console.error(e);
}
}));
} else if ('verify' === opts.action || (!opts.action && opts.jwts.length)) {
if (!opts.jwts.length) {
console.error("no JWTs specified to verify");
process.exit(1);
return;
}
return Promise.all(opts.jwts.map(function (jwt, i) {
return require('keyfetch').verify({ jwt: jwt }).then(function (decoded) {
console.info("Verified #" + (i + 1) + ":");
console.info(JSON.stringify(decoded, null, 2));
}).catch(function (err) {
console.error("Failed to verify #" + (i + 1) + ":");
console.error(err);
});
}));
} else {
if (opts.names.length > 3) {
console.error("there should only be one input file and up to two output files when converting keypairs");
console.error(opts.names.map(function (t) { return t.name; }));
process.exit(1);
return;
}
kp = Promise.resolve(readKeypair());
}
if ('sign' === opts.action) {
return kp.then(function (pair) {
var jwk = pair.private;
if (!jwk || !jwk.d) {
console.error("the first key was not a private key");
console.error(opts.names.map(function (t) { return t.name; }));
process.exit(1);
return;
}
if (!opts.payloads.length) {
opts.payloads.push('{}');
}
return Promise.all(opts.payloads.map(function (payload) {
var claims = JSON.parse(payload);
if (!claims.iss) { claims.iss = opts.issuer; }
if (!claims.iss) { console.warn("No issuer given, token will not be verifiable"); }
if (!claims.sub) { claims.sub = opts.sub; }
if (!claims.exp) {
if (!opts.expiresAt) { setTimes('15m'); }
claims.exp = opts.expiresAt;
}
if (!claims.iat) { claims.iat = opts.issuedAt; }
if (!claims.nbf) { claims.nbf = opts.nbf; }
return Keypairs.signJwt({ jwk: pair.private, claims: claims }).then(function (jwt) {
console.info(jwt);
});
}));
});
} else {
return convertKeypair();
}
function readKeypair() {
// note that the jwk may be a string
var jwkopts = opts.jwks.shift();
var jwk = jwkopts && jwkopts.jwk;
if (!jwk) {
console.error("no keys could be parsed from the given arguments");
console.error(opts.names.map(function (t) { return t.name; }));
process.exit(1);
return;
}
// omit the primary private key from the list of actual (or soon-to-be) files
if (jwkopts.filename) {
opts.names = opts.names.filter(function (name) {
console.log(jwkopts.filename, name.name);
return name.name !== jwkopts.filename;
});
}
var pair = { private: null, public: null };
if (jwk.d) {
pair.private = jwk;
}
pair.public = Keypairs._neuter({ jwk: jwk });
return pair;
}
function convertKeypair() {
var pair = readKeypair();
var ps = [];
if (pair.private && !opts.public) {
if ((!opts.privEncoding || 'json' === opts.privEncoding) && (!opts.privFormat || 'jwk' === opts.privFormat)) {
ps.push(Promise.resolve(pair.private));
} else {
ps.push(Keypairs.export({ jwk: pair.private, format: opts.privFormat, encoding: opts.privEncoding }));
}
}
if (!opts.private) {
if (opts.public) {
if (!opts.pubFormat) { opts.pubFormat = opts.privFormat; }
if (!opts.pubEncoding) { opts.pubEncoding = opts.privEncoding; }
}
if ((!opts.pubEncoding || 'json' === opts.pubEncoding) && (!opts.pubFormat || 'jwk' === opts.pubFormat)) {
ps.push(Promise.resolve(pair.public));
} else {
ps.push(Keypairs.export({ jwk: pair.public, format: opts.pubFormat, encoding: opts.pubEncoding, public: true }));
}
}
return Promise.all(ps).then(function (arr) {
// only use the first key
var key = convert(0, opts.public);
if (opts.public) {
// end early
if (opts.names.length) {
writeFile(opts.names[0].name, key, !opts.public); // todo make pub/priv param consistent, not flip-flop
} else {
console.warn(key + "\n");
}
return;
}
// private key stuff
if (opts.names.length) {
writeFile(opts.names[0].name, key, true);
} else {
console.info(key + "\n");
}
// pub key stuff
if (!opts.private) {
if (opts.names.length >= 2) {
writeFile(opts.names[1].name, key, false);
} else {
console.warn(key + "\n");
}
}
return pair;
function convert(i, pub) {
if (arr[i].kty) {
if (pub) {
if (opts.expiresAt) { arr[i].exp = opts.expiresAt; }
arr[i].use = "sig";
}
arr[i] = JSON.stringify(arr[i]);
}
return arr[i];
}
});
}
function genKeypair() {
return Keypairs.generate({
kty: opts.kty
, modulusLength: opts.modulusLength
, namedCurve: opts.namedCurve
}).then(function (pair) {
var ps = [];
if ((!opts.privEncoding || 'json' === opts.privEncoding) && (!opts.privFormat || 'jwk' === opts.privFormat)) {
ps.push(Promise.resolve(pair.private));
} else {
ps.push(Keypairs.export({ jwk: pair.private, format: opts.privFormat, encoding: opts.privEncoding }));
}
if ((!opts.pubEncoding || 'json' === opts.pubEncoding) && (!opts.pubFormat || 'jwk' === opts.pubFormat)) {
ps.push(Promise.resolve(pair.public));
} else {
ps.push(Keypairs.export({ jwk: pair.public, format: opts.pubFormat, encoding: opts.pubEncoding, public: true }));
}
return Promise.all(ps).then(function (arr) {
if (arr[0].kty) {
arr[0] = JSON.stringify(arr[0]);
}
if (arr[1].kty) {
if (opts.expiresAt) { arr[1].exp = opts.expiresAt; }
arr[1].use = "sig";
arr[1] = JSON.stringify(arr[1]);
}
if (!opts.names.length) {
console.info(arr[0] + "\n");
console.warn(arr[1] + "\n");
}
if (opts.names.length >= 1) {
writeFile(opts.names[0].name, arr[0], true);
if (!opts.private && opts.names.length >= 2) {
writeFile(opts.names[1].name, arr[1]);
}
}
return pair;
});
});
}
function writeFile(name, key, priv) {
var overwrite;
try {
fs.accessSync(name);
overwrite = opts.overwrite;
if (!opts.overwrite) {
if (priv) {
console.info(key + "\n");
} else {
console.warn(key + "\n");
}
console.error("'" + name + "' exists! force overwrite with 'overwrite'");
process.exit(1);
return;
}
} catch(e) {
// the file does not exist (or cannot be accessed)
}
fs.writeFileSync(name, key);
if (overwrite) {
console.info("Overwrote " + (priv ? "private" : "public") + " key at '" + name + "'");
} else {
console.info("Wrote " + (priv ? "private" : "public") + " key to '" + name + "'");
}
}
function setJwt(arg) {
try {
var jwt = arg.match(/^([\w-]+)\.([\w-]+)\.([\w-]+)$/);
// make sure header is a JWT header
JSON.parse(Buffer.from(jwt[1], 'base64'));
opts.jwts.push(arg);
return true;
} catch(e) {
// ignore
}
}
function setSubject(arg) {
if (!/.+@[a-z0-9_-]+\.[a-z0-9_-]+/i.test(arg)) {
return false;
}
opts.subject = arg;
return false;
}
function setIssuer(arg) {
if (!/^https?:\/\/[a-z0-9_-]+\.[a-z0-9_-]+/i.test(arg)) {
return false;
}
try {
new URL(arg);
opts.issuer = arg.replace(/\/$/, '');
return true;
} catch(e) {
}
return false;
}
function setTimes(arg) {
var t = arg.match(/^(\-?\d+)([dhms])$/i);
if (!t || !t[0]) {
return false;
}
var num = parseInt(t[1], 10);
var unit = t[2];
var mult = 1;
opts.issuedAt = Math.round(Date.now()/1000);
switch(unit) {
// fancy fallthrough, what fun!
case 'd':
mult *= 24;
/*falls through*/
case 'h':
mult *= 60;
/*falls through*/
case 'm':
mult *= 60;
/*falls through*/
case 's':
mult *= 1;
}
if (!opts.expiresIn) {
opts.expiresIn = mult * num;
opts.expiresAt = opts.issuedAt + opts.expiresIn;
} else {
opts.nbf = opts.issuedAt + (mult * num);
}
return true;
}
function decodeJwt(jwt) {
var parts = jwt.split('.');
return {
header: JSON.parse(Buffer.from(parts[0], 'base64'))
, payload: JSON.parse(Buffer.from(parts[1], 'base64'))
, signature: parts[2] //Buffer.from(parts[2], 'base64')
};
}

10
keypairs.js
View File

@ -87,9 +87,7 @@ Keypairs.export = function (opts) {
});
};
Keypairs.publish = function (opts) {
if ('object' !== typeof opts.jwk || !opts.jwk.kty) { throw new Error("invalid jwk: " + JSON.stringify(opts.jwk)); }
Keypairs._neuter = function (opts) {
// trying to find the best balance of an immutable copy with custom attributes
var jwk = {};
Object.keys(opts.jwk).forEach(function (k) {
@ -97,6 +95,12 @@ Keypairs.publish = function (opts) {
if (-1 !== ['d', 'p', 'q', 'dp', 'dq', 'qi'].indexOf(k)) { return; }
jwk[k] = JSON.parse(JSON.stringify(opts.jwk[k]));
});
return jwk;
};
Keypairs.publish = function (opts) {
if ('object' !== typeof opts.jwk || !opts.jwk.kty) { throw new Error("invalid jwk: " + JSON.stringify(opts.jwk)); }
var jwk = Keypairs._neuter(opts);
if (!jwk.exp) {
if (opts.expiresIn) { jwk.exp = Math.round(Date.now()/1000) + opts.expiresIn; }

2
package-lock.json
View File

@ -1,6 +1,6 @@
{
"name": "keypairs",
"version": "1.1.0",
"version": "1.2.0",
"lockfileVersion": 1,
"requires": true,
"dependencies": {

10
package.json
View File

@ -1,12 +1,18 @@
{
"name": "keypairs",
"version": "1.1.0",
"version": "1.2.0",
"description": "Lightweight RSA/ECDSA keypair generation and JWK <-> PEM",
"main": "keypairs.js",
"files": [],
"files": [
"CLI.md",
"bin/keypairs.js"
],
"scripts": {
"test": "node test.js"
},
"bin": {
"keypairs": "bin/keypairs.js"
},
"repository": {
"type": "git",
"url": "https://git.coolaj86.com/coolaj86/keypairs.js"

Write Preview
Loading…
Cancel
Save