keypairs-cli

Keypairs CLI

The most useful and easy-to-use crypto cli on the planet (because openssl is confusing).

• Universal Standards-based Crypto Support:
  • RSA (2048, 3072, 4096, 8192)
  • EC (NIST ECDSA) P-256 (prime256v1, secp256r1), P-384 (secp384r1)
• Supported Encodings: PEM, JSON
• Private Key Formats: PKCS1, SEC1, PKCS8, JWK, OpenSSH
• Public Key Formats: PKCS1, PKIX (SPKI), SSH
• Create JWT tokens
• Sign JWT/JWS claims/tokens/payloads
• Decode JWTs (without verifying)
• Verify JWT/JWS tokens/json (by fetching public key)

Install

You must have node.js installed.

npm install --global keypairs-cli

Usage

Guess and check.

The keypairs CLI is pretty fuzzy. If you just type at it, it'll probably work.

That said, the fuzzy behavior is not API-stable and is subject to change, so you should only script to the documented syntax. ;)

Overview

• Generate: keypairs gen
• Convert: keypairs ./priv.pem
• Sign: keypairs sign ./priv.pem https://example.com/ '{"sub":"jon@example.com"}'
• Verify: keypairs verify 'xxxxx.yyyyy.zzzzz'
• Decode: keypairs decode 'xxxxx.yyyyy.zzzzz'
• Debug: prefix any option with debug such as keypairs debug gen pem key.pem jwk pub.json

Generate a New Key

No arguments - generates a universally compatible key of more-than-sufficient entropy.

keypairs gen

Generate an ecdsa key:

keypairs gen ec P-256

Generate an RSA key:

keypairs gen rsa 2048

Parse/Convert an existing key

keypairs ./priv.pem

keypairs '{"kty":"EC",...}'

keypairs ./priv.jwk.json

Syntax: keypairs <in> [priv-out opts...] [pub-out opts...]

keypairs <inkey> [[encoding|scheme] [priv-out]] [[encoding|scheme] [pub-out]] [public|private]

Note: If you specify a private and a public key, and you want to specify the schema/encoding of the public key, you must also specify the scheme and encoding of the public key. Order matters. Private keys come first.

JWK Keypair to PEM-encoded Private and Public keys:

keypairs ./priv.json pem pkcs1 ./priv.pem pem spki ./pub.pem
keypairs ./priv.json pem ./priv.pem ssh ./pub.json
keypairs ./priv.json pkcs8 ./priv.pem spki ./pub.json

PEM Keypair to JSON-encoded JWK (Public Key Only):

keypairs ./priv.pem jwk ./priv.pem public
keypairs ./priv.pem json ./priv.pem public

Generic PEM to JWK:

keypairs priv.pem priv.jwk.json

keypairs priv.pem priv.jwk.json pub.jwk.json

keypairs priv.pem pub.jwk.json public

# fails if the input is public
keypairs priv.pem priv.jwk.json private

Generic JWK to PEM:

keypairs '{"kty":"EC",...}' priv.pem

keypairs priv.json priv.pem

Sign a Token (JWT)

Syntax:

keypairs [key] sign [issuer url] <claims> [exp] [nbf]

Note: The issuer url can be omitted if it's already included among the claims.

Example:

keypairs ./priv.pem sign https://example.com/ '{"sub":"jon@example.com"}' 1h -5m

keypairs '{"kty":"EC",...}' sign https://example.com/ '{"sub":"jon@example.com"}' 1h -5m

Verify a JWT (Token)

Verify a JWT based on its issuer

keypairs verify 'xxx.yyy.zzz'