keypairs - npm Package Compare versions

Comparing version 1.2.5 to 1.2.6

611

bin/keypairs.js

		#!/usr/bin/env node
		'use strict';

		// I'm not proud of the way this code is written - it snowballed from a thought
		// experiment into a full-fledged CLI, literally overnight (as it it's 4:30am
		// right now), but I love what it accomplishes!

		/global Promise/
		var fs = require('fs');
		var Rasha = require('rasha');
		var Eckles = require('eckles');
		var Keypairs = require('../');
		var pkg = require('../package.json');

		var args = process.argv.slice(2);
		var opts = { keys: [], jwts: [], jwss: [], payloads: [], names: [], filenames: [], files: [] };
		var conflicts = {
		'namedCurve': 'modulusLength'
		, 'public': 'private'
		};
		Object.keys(conflicts).forEach(function (k) {
		conflicts[conflicts[k]] = k;
		});
		function set(key, val) {
		if (opts[conflicts[key]]) {
		console.error("cannot set '" + key + "' to '" + val + "': '" + conflicts[key] + "' already set as '" + opts[conflicts[key]] + "'");
		process.exit(1);
		}
		if (opts[key]) {
		console.error("cannot set '" + key + "' to '" + val + "': already set as '" + opts[key] + "'");
		process.exit(1);
		}
		opts[key] = val;
		}

		// duck type all the things
		// TODO segment off by actions (gen, sign, verify) and allow parse/convert or gen before sign
		args.forEach(function (arg) {
		var larg = arg.toLowerCase().replace(/[^\w]/g, '');
		var narg = parseInt(arg, 10) \|\| 0;
		if (narg.toString() !== arg) {
		// i.e. 2048.pem is a valid file name
		narg = false;
		}

		if ('version' === arg) {
		console.info(pkg.name, 'v' + pkg.version);
		process.exit(0);
		}

		if (setTimes(arg)) {
		var cmd = "npm install --global keypairs-cli";
		console.error(cmd);
		require('child_process').exec(cmd, function (err) {
		if (err) {
		console.error(err);
		return;
		}
		if (setIssuer(arg)) {
		return;
		}
		if (setSubject(arg)) {
		return;
		}

		if ('ecdsa' === larg \|\| 'ec' === larg) {
		set('kty', "EC");
		if (opts.modulusLength) {
		console.error("EC keys do not have bit lengths such as '" + opts.modulusLength + "'. Choose either the P-256 or P-384 'curve' instead.");
		process.exit(1);
		}
		}
		if ('rsa' === larg) {
		set('kty', "RSA");
		if (opts.namedCurve) {
		console.error("RSA keys do not have curves such as '" + opts.namedCurve + "'. Choose a modulus bit length, such as 2048 instead.");
		process.exit(1);
		}
		return;
		}

		// P-384
		if (-1 !== ['256', 'p256', 'prime256v1', 'secp256r1'].indexOf(larg)) {
		set('namedCurve', "P-256");
		return;
		}

		// P-384
		if (-1 !== ['384', 'p384', 'secp384r1'].indexOf(larg)) {
		set('namedCurve', "P-384");
		return;
		}

		// RSA Modulus Length
		if (narg) {
		if (narg < 2048 \|\| narg % 8 \|\| narg > 8192) {
		console.error("RSA modulusLength must be >=2048, <=8192 and divisible by 8");
		process.exit(1);
		}
		set('modulusLength', narg);
		return;
		}

		// Booleans
		if (-1 !== [ 'private', 'public', 'nocompact', 'nofetch', 'debug', 'overwrite' ].indexOf(arg)) {
		set(arg, true);
		return;
		}
		if ('uncompressed' === arg) {
		set('uncompressed', true);
		return;
		}
		if (-1 !== [ 'gen', 'sign', 'verify', 'decode' ].indexOf(arg)) {
		set('action', arg);
		return;
		}

		// Key format and encoding
		if (-1 !== [ 'spki', 'pkix' ].indexOf(larg)) {
		set('pubFormat', 'spki');
		return;
		}
		// TODO add ssh private key support (it's already built in jwk-to-ssh)
		if ('ssh' === larg) {
		set('pubFormat', 'ssh');
		return;
		}
		if (-1 !== [ 'openssh', 'sec1', 'pkcs1', 'pkcs8' ].indexOf(larg)) {
		// pkcs1 can be public or private, it's ambiguous
		if (!opts.privFormat) {
		set('privFormat', larg);
		return;
		}

		if ('pkcs1' === larg \|\| 'ssh' === larg) {
		set('pubFormat', larg);
		return;
		}
		if ('openssh' === larg) {
		console.warn("specifying 'openssh' twice? ...assuming that you meant 'ssh'");
		set('pubFormat', 'ssh');
		return;
		}
		if ('pkcs8' === larg) {
		console.warn("specifying 'pkcs8' twice? ...assuming that you meant 'spki' (pkix)");
		set('pubFormat', 'spki');
		return;
		}
		if ('sec1' === larg) {
		console.warn("specifying 'sec1' twice? ...assuming that you meant 'spki' (pkix)");
		set('pubFormat', 'spki');
		return;
		}
		return;
		}
		if ('jwk' === larg) {
		if (!opts.privFormat) {
		set('privFormat', larg);
		} else {
		set('pubFormat', larg);
		}
		return;
		}
		if ('pem' === larg \|\| 'der' === larg \|\| 'json' === larg) {
		if (!opts.privEncoding) {
		set('privEncoding', larg);
		} else {
		set('pubEncoding', larg);
		}
		return;
		}

		// Filename
		try {
		fs.accessSync(arg);
		opts.filenames.push(arg);
		opts.names.push({ taken: true, name: arg });
		if (!guessFile(arg)) {
		opts.files.push(arg);
		}
		return;
		} catch(e) { /* not keypath */ }

		// Test for JWK-ness / payload-ness
		if (guess(arg)) {
		return;
		}

		// Test for JWT-ness
		if (setJwt(arg)) {
		return;
		}

		// Possibly the output file
		if (opts.names.length < 3) {
		opts.names.push({ taken: false, name: arg });
		return;
		}
		// check if it's a valid output key

		console.error("too many arguments or didn't understand argument '" + arg + "'");
		if (opts.debug) {
		console.warn(opts);
		}
		process.exit(1);
		console.info("Run 'keypairs help' to see what you can do!");
		});

		function guessFile(filename) {
		try {
		// TODO der support
		var txt = fs.readFileSync(filename).toString('utf8');
		return guess(txt, filename);
		} catch(e) {
		return false;
		}
		}

		function guess(txt, filename) {
		try {
		var json = JSON.parse(txt);
		if (-1 !== [ 'RSA', 'EC' ].indexOf(json.kty)) {
		opts.keys.push({ raw: txt, jwk: json, filename: filename });
		return true;
		} else if (json.signature && json.payload && (json.header \|\| json.protected)) {
		opts.jwss.push(json);
		return true;
		} else {
		opts.payloads.push(txt);
		return true;
		}
		} catch(e) {
		try {
		var jwk = Eckles.importSync({ pem: txt });
		// pem._string = txt;
		opts.keys.push({ jwk: jwk, pem: true, raw: txt });
		return true;
		} catch(e) {
		try {
		var jwk = Rasha.importSync({ pem: txt });
		// pem._string = txt;
		opts.keys.push({ jwk: jwk, pem: true, raw: txt });
		return true;
		} catch(e) {
		// ignore
		}
		}
		}
		return false;
		}

		// node bin/keypairs.js debug spki pem json pkcs1 ~/.ssh/id_rsa.pub foo.pem bar.pem 'abc.abc.abc' '{"kty":"EC"}' '{}' '{"signature":"x", "payload":"x", "header":"x"}' '{"signature":"x", "payload":"x", "protected":"x"}' verify
		if (opts.debug) {
		console.warn(opts);
		}

		var kp;

		if ('gen' === opts.action \|\| (!opts.action && !opts.names.length)) {
		if (opts.names.length > 2) {
		console.error("there should only be two output files at most when generating keypairs");
		console.error(opts.names.map(function (t) { return t.name; }));
		process.exit(1);
		return;
		}

		kp = genKeypair();
		} else if ('decode' === opts.action) {
		if (!opts.jwts.length) {
		console.error("no JWTs specified to decode");
		process.exit(1);
		return;
		}

		return Promise.all(opts.jwts.map(function (jwt, i) {
		try {
		var decoded = decodeJwt(jwt);
		console.info("Decoded #" + (i + 1) + ":");
		console.info(JSON.stringify(decoded, null, 2));
		} catch(e) {
		console.error("Failed to decode #" + (i + 1) + ":");
		console.error(e);
		}
		}));
		} else if ('verify' === opts.action \|\| (!opts.action && opts.jwts.length)) {
		if (!opts.jwts.length) {
		console.error("no JWTs specified to verify");
		process.exit(1);
		return;
		}

		return Promise.all(opts.jwts.map(function (jwt, i) {
		return require('keyfetch').verify({ jwt: jwt }).then(function (decoded) {
		console.info("Verified #" + (i + 1) + ":");
		console.info(JSON.stringify(decoded, null, 2));
		}).catch(function (err) {
		console.error("Failed to verify #" + (i + 1) + ":");
		console.error(err);
		});
		}));
		} else {
		if (opts.names.length > 3) {
		console.error("there should only be one input file and up to two output files when converting keypairs");
		console.error(opts.names.map(function (t) { return t.name; }));
		process.exit(1);
		return;
		}
		var pair = readKeypair();
		pair._convert = true;
		kp = Promise.resolve(pair);
		}

		if ('sign' === opts.action) {
		return kp.then(function (pair) {
		var jwk = pair.private;
		if (!jwk \|\| !jwk.d) {
		console.error("the first key was not a private key");
		console.error(opts.names.map(function (t) { return t.name; }));
		process.exit(1);
		return;
		}
		if (!opts.payloads.length) {
		opts.payloads.push('{}');
		}
		return Promise.all(opts.payloads.map(function (payload) {
		var claims = JSON.parse(payload);
		if (!claims.iss) { claims.iss = opts.issuer; }
		if (!claims.iss) { console.warn("No issuer given, token will not be verifiable"); }
		if (!claims.sub) { claims.sub = opts.sub; }
		if (!claims.exp) {
		if (!opts.expiresAt) { setTimes('15m'); }
		claims.exp = opts.expiresAt;
		}
		if (!claims.iat) { claims.iat = opts.issuedAt; }
		if (!claims.nbf) { claims.nbf = opts.nbf; }
		return Keypairs.signJwt({ jwk: pair.private, claims: claims }).then(function (jwt) {
		console.info(jwt);
		});
		}));
		});
		} else {
		return kp.then(function (pair) {
		if (pair._convert) {
		return convertKeypair(pair);
		}
		});
		}

		function readKeypair() {
		// note that the jwk may be a string
		var keyopts = opts.keys.shift();
		var jwk = keyopts && keyopts.jwk;
		if (!jwk) {
		console.error("no keys could be parsed from the given arguments");
		console.error(opts.names.map(function (t) { return t.name; }));
		process.exit(1);
		return;
		}

		// omit the primary private key from the list of actual (or soon-to-be) files
		if (keyopts.filename) {
		opts.names = opts.names.filter(function (name) {
		return name.name !== keyopts.filename;
		});
		}

		var pair = { private: null, public: null, pem: keyopts.pem, raw: keyopts.raw };
		if (jwk.d) {
		pair.private = jwk;
		}
		pair.public = Keypairs._neuter({ jwk: jwk });
		return pair;
		}

		// Note: some of the conditions can be factored out
		// this was all built in high-speed iterative during the 3ams+
		function convertKeypair(pair) {
		//var pair = readKeypair();

		var ps = [];
		// if it's private only, or if it's not public-only, produce the private key
		if (pair.private \|\| !opts.public) {
		// if it came from pem (or is explicitly json), it should go to jwk
		// otherwise, if it came from jwk, it should go to pem
		if (((!opts.privEncoding && pair.pem) \|\| 'json' === opts.privEncoding)
		&& ((!opts.privFormat && pair.pem) \|\| 'jwk' === opts.privFormat)) {
		ps.push(Promise.resolve(pair.private));
		} else {
		ps.push(Keypairs.export({ jwk: pair.private, format: opts.privFormat, encoding: opts.privEncoding }));
		}
		}

		// if it's not private key only, we want to produce the public key
		if (!opts.private) {
		if (opts.public) {
		// if it's public-only the ambigious options will fall to the private key
		// so we need to fix that
		if (!opts.pubFormat) { opts.pubFormat = opts.privFormat; }
		if (!opts.pubEncoding) { opts.pubEncoding = opts.privEncoding; }
		}

		// same as above - swap formats by default
		if (((!opts.pubEncoding && pair.pem) \|\| 'json' === opts.pubEncoding)
		&& ((!opts.pubFormat && pair.pem) \|\| 'jwk' === opts.pubFormat)) {
		ps.push(Promise.resolve(pair.public));
		} else {
		ps.push(Keypairs.export({ jwk: pair.public, format: opts.pubFormat, encoding: opts.pubEncoding, public: true }));
		}
		}

		return Promise.all(ps).then(function (exported) {
		// start with the first key, annotating if it should be public
		var index = 0;
		var key = stringifyIfJson(index, opts.public);

		// re: opts.names
		// if we're only doing the public key we can end early
		// (if the source key was from a file and was in opts.names,
		// we're safe here because we already removed it earlier)

		if (opts.public) {
		if (opts.names.length) {
		writeFile(opts.names[index].name, key, !opts.public);
		} else {
		// output public keys to stderr
		printPublic(key);
		}
		// end <-- we're not outputting other keys
		return;
		}

		// private key stuff
		if (opts.names.length >= 1) {
		writeFile(opts.names[index].name, key, true);
		} else {
		printPrivate(key);
		}

		// pub key stuff
		// we have to output the private key,
		// but the public key can be derived at any time
		// so we don't need to put the same noise to the screen
		if (!opts.private && opts.names.length >= 2) {
		index = 1;
		key = stringifyIfJson(index, false);
		writeFile(opts.names[index].name, key, false);
		}

		return pair;

		function stringifyIfJson(i, pub) {
		if (exported[i].kty) {
		if (pub) {
		if (opts.expiresAt) { exported[i].exp = opts.expiresAt; }
		exported[i].use = "sig";
		}
		exported[i] = JSON.stringify(exported[i]);
		}
		return exported[i];
		}
		});
		}

		function genKeypair() {
		return Keypairs.generate({
		kty: opts.kty
		, modulusLength: opts.modulusLength
		, namedCurve: opts.namedCurve
		}).then(function (pair) {
		// always generate as jwk by default
		var ps = [];
		if ((!opts.privEncoding \|\| 'json' === opts.privEncoding) && (!opts.privFormat \|\| 'jwk' === opts.privFormat)) {
		ps.push(Promise.resolve(pair.private));
		} else {
		ps.push(Keypairs.export({ jwk: pair.private, format: opts.privFormat, encoding: opts.privEncoding }));
		}
		if ((!opts.pubEncoding \|\| 'json' === opts.pubEncoding) && (!opts.pubFormat \|\| 'jwk' === opts.pubFormat)) {
		ps.push(Promise.resolve(pair.public));
		} else {
		ps.push(Keypairs.export({ jwk: pair.public, format: opts.pubFormat, encoding: opts.pubEncoding, public: true }));
		}
		return Promise.all(ps).then(function (arr) {
		if (arr[0].kty) {
		arr[0] = JSON.stringify(arr[0]);
		}
		if (arr[1].kty) {
		if (opts.expiresAt) { arr[1].exp = opts.expiresAt; }
		arr[1].use = "sig";
		arr[1] = JSON.stringify(arr[1]);
		}
		if (!opts.names.length) {
		console.info(arr[0] + "\n");
		console.warn(arr[1] + "\n");
		}
		if (opts.names.length >= 1) {
		writeFile(opts.names[0].name, arr[0], true);
		if (!opts.private && opts.names.length >= 2) {
		writeFile(opts.names[1].name, arr[1]);
		}
		}

		return pair;
		});
		});
		}

		function writeFile(name, key, priv) {
		var overwrite;
		try {
		fs.accessSync(name);
		overwrite = opts.overwrite;
		if (!opts.overwrite) {
		if (priv) {
		// output private keys to stdout
		console.info(key + "\n");
		} else {
		// output public keys to stderr
		console.warn(key + "\n");
		}
		console.error("'" + name + "' exists! force overwrite with 'overwrite'");
		process.exit(1);
		return;
		}
		} catch(e) {
		// the file does not exist (or cannot be accessed)
		}
		fs.writeFileSync(name, key);
		if (overwrite) {
		console.info("Overwrote " + (priv ? "private" : "public") + " key at '" + name + "'");
		} else {
		console.info("Wrote " + (priv ? "private" : "public") + " key to '" + name + "'");
		}
		}

		function setJwt(arg) {
		try {
		var jwt = arg.match(/^([\w-]+)\.([\w-]+)\.([\w-]+)$/);
		// make sure header is a JWT header
		JSON.parse(Buffer.from(jwt[1], 'base64'));
		opts.jwts.push(arg);
		return true;
		} catch(e) {
		// ignore
		}
		}

		function setSubject(arg) {
		if (!/.+@[a-z0-9_-]+\.[a-z0-9_-]+/i.test(arg)) {
		return false;
		}

		opts.subject = arg;
		return false;
		}

		function setIssuer(arg) {
		if (!/^https?:\/\/[a-z0-9_-]+\.[a-z0-9_-]+/i.test(arg)) {
		return false;
		}

		try {
		new URL(arg);
		opts.issuer = arg.replace(/\/$/, '');
		return true;
		} catch(e) {
		}
		return false;
		}

		function setTimes(arg) {
		var t = arg.match(/^(\-?\d+)([dhms])$/i);
		if (!t \|\| !t[0]) {
		return false;
		}

		var num = parseInt(t[1], 10);
		var unit = t[2];
		var mult = 1;
		opts.issuedAt = Math.round(Date.now()/1000);
		switch(unit) {
		// fancy fallthrough, what fun!
		case 'd':
		mult *= 24;
		/falls through/
		case 'h':
		mult *= 60;
		/falls through/
		case 'm':
		mult *= 60;
		/falls through/
		case 's':
		mult *= 1;
		}
		if (!opts.expiresIn) {
		opts.expiresIn = mult * num;
		opts.expiresAt = opts.issuedAt + opts.expiresIn;
		} else {
		opts.nbf = opts.issuedAt + (mult * num);
		}
		return true;
		}

		function decodeJwt(jwt) {
		var parts = jwt.split('.');
		return {
		header: JSON.parse(Buffer.from(parts[0], 'base64'))
		, payload: JSON.parse(Buffer.from(parts[1], 'base64'))
		, signature: parts[2] //Buffer.from(parts[2], 'base64')
		};
		}

		function printPrivate(key) {
		console.info(key + "\n");
		}
		function printPublic(key) {
		console.warn(key + "\n");
		}

keypairs.js

		@@ -90,3 +90,5 @@ 'use strict';

		Keypairs._neuter = function (opts) {
		// Chopping off the private parts is now part of the public API.
		// I thought it sounded a little too crude at first, but it really is the best name in every possible way.
		Keypairs.neuter = Keypairs._neuter = function (opts) {
		// trying to find the best balance of an immutable copy with custom attributes
		@@ -101,6 +103,7 @@ var jwk = {};
		};

		Keypairs.publish = function (opts) {
		if ('object' !== typeof opts.jwk \|\| !opts.jwk.kty) { throw new Error("invalid jwk: " + JSON.stringify(opts.jwk)); }

		var jwk = Keypairs._neuter(opts);
		var jwk = Keypairs.neuter(opts);

		@@ -107,0 +110,0 @@ if (!jwk.exp) {

package.json

		{
		"name": "keypairs",
		"version": "1.2.5",
		"version": "1.2.6",
		"description": "Lightweight RSA/ECDSA keypair generation and JWK <-> PEM",
		@@ -14,3 +14,3 @@ "main": "keypairs.js",
		"bin": {
		"keypairs": "bin/keypairs.js"
		"keypairs-install": "bin/keypairs.js"
		},
		@@ -17,0 +17,0 @@ "repository": {

keypairs - npm Package Compare versions

New alerts

Fixed alerts

Improved metrics

Worsened metrics