
thales-e-security/keyremix


keyremix

This is a simple tool to convert between key formats.

Build

dep ensure
make
./keyremix --help

Use

Converting Keys

The convert subcommand converts between formats.

$ keyremix convert -i e512.crt -t jwk -T indent=2
{
  "keys": [
    {
      "crv": "P-521",
      "kty": "EC",
      "x": "Afwd8BEgOWwUjTecj3FfBZTK2zkbSgrb8Wpjsnl8f6gm6hoK4HRyZHzr2LYPNQkjFJOndJObGHPNKIU5s48HwzJ_",
      "y": "MMmq4TGaqPb0kNiWCacWGmrwkE24nArit4C3Nv--AfEbK6d1VXQLKJZmFPhD92sin6TV6y4Scj5hl36_yObj-yQ"
    }
  ]
}

The possible arguments are:

  • -i PATH to set the input filename. The default is standard input.
  • -f FORMAT to set the input format. The default is to guess.
  • -F NAME=VALUE to set an input argument.
  • -o PATH to set the output filename. The default is standard output.
  • -t FORMAT to set the output format.
  • -T NAME=VALUE to set an output argument.

See below for input and output arguments and supported formats.

Getting Public Keys

The public subcommand is very similar to convert except that it extracts public key values from private keys.

$ keyremix public -i ecdsa-pkcs8.pem -t text
curve: P-256
x: 0xe813085693c472af2d56d01740a9d45a5d93b53c02697d05444dcfe5bb835cc
y: 0xd27d598acbe5d9b5fbb52fd555fb3879b9a2eec9e8d476ac9ca60cc3d1ffd956

The possible arguments are:

  • -i PATH to set the input filename. The default is standard input.
  • -f FORMAT to set the input format. The default is to guess.
  • -F NAME=VALUE to set an input argument.
  • -o PATH to set the output filename. The default is standard output.
  • -t FORMAT to set the output format. The default is based on the input format.
  • -T NAME=VALUE to set an output argument.

See below for input and output arguments and supported formats.

Formats

The formats subcommand displays recognized formats.

$ keyremix formats
jwk       RFC7517 JWK
pkcs1     RFC8017/PKCS#1 format (RSA only)
pkcs1der  RFC8017/PKCS#1 format (raw DER)
[...]

Many formats have PEM variants (e.g. pkcs1) and DER variants (e.g. pkcs1der). They differ only in whether PEM wrapping is used.

jwk

RFC7517 JWK format.

  • Inputs may be either single JWKs or JWK sets. Where a JWK set is used, use -F index=N to select the Nth key. An index of 0 means the first key.
  • Outputs are JWK sets by default. Use -T set=false to output just the key.
  • Outputs are single-line by default. Use -T indent=N to select multi-line output indentation of N spaces.

pkcs1 and pkcs1der

PKCS#1/RFC8017 format.

  • Only RSA private and public keys can be used.

pkcs8 and pkcs8der

PKCS#8/RFC5208 format.

  • Only RSA and ECDSA private keys can be used.

pkcs12

PKCS#12/RFC7292 format.

  • Only RSA and ECDSA private keys can be used.
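  • A password must be supplied for input. It can be specified with -F password=STRING or read from standard input.
  • A password must be supplied for output. It can be specified with -T password=STRING or read from standard input.
  • A password given as an argument is visible in the process list and may be saved in shell history; reading it from standard input avoids both.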
  • Input files must have exactly one key and associated certificate.
  • For output, a certificate may be specified with -T certificate=FILENAME.
  • For input, a path to write the certificate to may be specified with -F certificate=FILENAME.

pkix and pkixder

RFC3279 format.

  • Only RSA and ECDSA public keys can be used.

text

Textual representation of keys.

  • Only usable as an output format.

x509 and x509der

X.509 certificate format.

  • Only usable as an input format.
  • Only RSA and ECDSA public keys can be used.

General Remarks

  • The set of key types and formats reflects what is easy to do with Go.
  • Encryption and decryption of keys is poorly supported.
  • Test coverage is a bit weak.
