coolaj86/old-keypairs.js
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity
old-keypairs.js/bin/keypairs.js

586 lines
15 KiB
JavaScript
Executable File
Raw Permalink Blame History

#!/usr/bin/env node
'use strict';
// I'm not proud of the way this code is written - it snowballed from a thought
// experiment into a full-fledged CLI, literally overnight (as it it's 4:30am
// right now), but I love what it accomplishes!
/*global Promise*/
var fs = require('fs');
var Rasha = require('rasha');
var Eckles = require('eckles');
var Keypairs = require('../');
var pkg = require('../package.json');
var args = process.argv.slice(2);
var opts = { jwks: [], jwts: [], jwss: [], payloads: [], names: [], filenames: [], files: [], pems: [] };
var conflicts = {
'namedCurve': 'modulusLength'
, 'public': 'private'
};
Object.keys(conflicts).forEach(function (k) {
conflicts[conflicts[k]] = k;
});
function set(key, val) {
if (opts[conflicts[key]]) {
console.error("cannot set '" + key + "' to '" + val + "': '" + conflicts[key] + "' already set as '" + opts[conflicts[key]] + "'");
process.exit(1);
}
if (opts[key]) {
console.error("cannot set '" + key + "' to '" + val + "': already set as '" + opts[key] + "'");
process.exit(1);
}
opts[key] = val;
}
// duck type all the things
// TODO segment off by actions (gen, sign, verify) and allow parse/convert or gen before sign
args.forEach(function (arg) {
var larg = arg.toLowerCase().replace(/[^\w]/g, '');
var narg = parseInt(arg, 10) || 0;
if (narg.toString() !== arg) {
// i.e. 2048.pem is a valid file name
narg = false;
}
if ('version' === arg) {
console.info(pkg.name, 'v' + pkg.version);
process.exit(0);
}
if (setTimes(arg)) {
return;
}
if (setIssuer(arg)) {
return;
}
if (setSubject(arg)) {
return;
}
if ('ecdsa' === larg || 'ec' === larg) {
set('kty', "EC");
if (opts.modulusLength) {
console.error("EC keys do not have bit lengths such as '" + opts.modulusLength + "'. Choose either the P-256 or P-384 'curve' instead.");
process.exit(1);
}
}
if ('rsa' === larg) {
set('kty', "RSA");
if (opts.namedCurve) {
console.error("RSA keys do not have curves such as '" + opts.namedCurve + "'. Choose a modulus bit length, such as 2048 instead.");
process.exit(1);
}
return;
}
// P-384
if (-1 !== ['256', 'p256', 'prime256v1', 'secp256r1'].indexOf(larg)) {
set('namedCurve', "P-256");
return;
}
// P-384
if (-1 !== ['384', 'p384', 'secp384r1'].indexOf(larg)) {
set('namedCurve', "P-384");
return;
}
// RSA Modulus Length
if (narg) {
if (narg < 2048 || narg % 8 || narg > 8192) {
console.error("RSA modulusLength must be >=2048, <=8192 and divisible by 8");
process.exit(1);
}
set('modulusLength', narg);
return;
}
// Booleans
if (-1 !== [ 'private', 'public', 'nocompact', 'nofetch', 'debug', 'overwrite' ].indexOf(arg)) {
set(arg, true);
return;
}
if ('uncompressed' === arg) {
set('uncompressed', true);
return;
}
if (-1 !== [ 'gen', 'sign', 'verify', 'decode' ].indexOf(arg)) {
set('action', arg);
return;
}
// Key format and encoding
if (-1 !== [ 'spki', 'pkix' ].indexOf(larg)) {
set('pubFormat', 'spki');
return;
}
// TODO add ssh private key support (it's already built in jwk-to-ssh)
if ('ssh' === larg) {
set('pubFormat', 'ssh');
return;
}
if (-1 !== [ 'openssh', 'sec1', 'pkcs1', 'pkcs8' ].indexOf(larg)) {
// pkcs1 can be public or private, it's ambiguous
if (!opts.privFormat) {
set('privFormat', larg);
return;
}
if ('pkcs1' === larg || 'ssh' === larg) {
set('pubFormat', larg);
return;
}
if ('openssh' === larg) {
console.warn("specifying 'openssh' twice? ...assuming that you meant 'ssh'");
set('pubFormat', 'ssh');
return;
}
if ('pkcs8' === larg) {
console.warn("specifying 'pkcs8' twice? ...assuming that you meant 'spki' (pkix)");
set('pubFormat', 'spki');
return;
}
if ('sec1' === larg) {
console.warn("specifying 'sec1' twice? ...assuming that you meant 'spki' (pkix)");
set('pubFormat', 'spki');
return;
}
return;
}
if ('jwk' === larg) {
if (!opts.privFormat) {
set('privFormat', larg);
} else {
set('pubFormat', larg);
}
return;
}
if ('pem' === larg || 'der' === larg || 'json' === larg) {
if (!opts.privEncoding) {
set('privEncoding', larg);
} else {
set('pubEncoding', larg);
}
return;
}
// Filename
try {
fs.accessSync(arg);
opts.filenames.push(arg);
opts.names.push({ taken: true, name: arg });
if (!guessFile(arg)) {
opts.files.push(arg);
}
return;
} catch(e) { /* not keypath */ }
// Test for JWK-ness / payload-ness
if (guess(arg)) {
return;
}
// Test for JWT-ness
if (setJwt(arg)) {
return;
}
// Possibly the output file
if (!opts.extra1) {
opts.extra1 = arg;
opts.names.push({ taken: false, name: arg });
return;
}
if (!opts.extra2) {
opts.extra2 = arg;
opts.names.push({ taken: false, name: arg });
return;
}
// check if it's a valid output key
console.error("too many arguments or didn't understand argument '" + arg + "'");
if (opts.debug) {
console.warn(opts);
}
process.exit(1);
});
function guessFile(filename) {
try {
// TODO der support
var txt = fs.readFileSync(filename).toString('utf8');
return guess(txt, filename);
} catch(e) {
return false;
}
}
function guess(txt, filename) {
try {
var json = JSON.parse(txt);
if (-1 !== [ 'RSA', 'EC' ].indexOf(json.kty)) {
opts.jwks.push({ jwk: json, filename: filename });
return true;
} else if (json.signature && json.payload && (json.header || json.protected)) {
opts.jwss.push(json);
return true;
} else {
opts.payloads.push(txt);
return true;
}
} catch(e) {
try {
var pem = Eckles.importSync({ pem: txt });
// pem._string = txt;
opts.pems.push(pem);
return true;
} catch(e) {
try {
var pem = Rasha.importSync({ pem: txt });
// pem._string = txt;
opts.pems.push(pem);
return true;
} catch(e) {
// ignore
}
}
}
return false;
}
// node bin/keypairs.js debug spki pem json pkcs1 ~/.ssh/id_rsa.pub foo.pem bar.pem 'abc.abc.abc' '{"kty":"EC"}' '{}' '{"signature":"x", "payload":"x", "header":"x"}' '{"signature":"x", "payload":"x", "protected":"x"}' verify
if (opts.debug) {
console.warn(opts);
}
var kp;
if ('gen' === opts.action || (!opts.action && !opts.names.length)) {
if (opts.names.length > 2) {
console.error("there should only be two output files at most when generating keypairs");
console.error(opts.names.map(function (t) { return t.name; }));
process.exit(1);
return;
}
kp = genKeypair();
} else if ('decode' === opts.action) {
if (!opts.jwts.length) {
console.error("no JWTs specified to decode");
process.exit(1);
return;
}
return Promise.all(opts.jwts.map(function (jwt, i) {
try {
var decoded = decodeJwt(jwt);
console.info("Decoded #" + (i + 1) + ":");
console.info(JSON.stringify(decoded, null, 2));
} catch(e) {
console.error("Failed to decode #" + (i + 1) + ":");
console.error(e);
}
}));
} else if ('verify' === opts.action || (!opts.action && opts.jwts.length)) {
if (!opts.jwts.length) {
console.error("no JWTs specified to verify");
process.exit(1);
return;
}
return Promise.all(opts.jwts.map(function (jwt, i) {
return require('keyfetch').verify({ jwt: jwt }).then(function (decoded) {
console.info("Verified #" + (i + 1) + ":");
console.info(JSON.stringify(decoded, null, 2));
}).catch(function (err) {
console.error("Failed to verify #" + (i + 1) + ":");
console.error(err);
});
}));
} else {
if (opts.names.length > 3) {
console.error("there should only be one input file and up to two output files when converting keypairs");
console.error(opts.names.map(function (t) { return t.name; }));
process.exit(1);
return;
}
var pair = readKeypair();
pair._convert = true;
kp = Promise.resolve(pair);
}
if ('sign' === opts.action) {
return kp.then(function (pair) {
var jwk = pair.private;
if (!jwk || !jwk.d) {
console.error("the first key was not a private key");
console.error(opts.names.map(function (t) { return t.name; }));
process.exit(1);
return;
}
if (!opts.payloads.length) {
opts.payloads.push('{}');
}
return Promise.all(opts.payloads.map(function (payload) {
var claims = JSON.parse(payload);
if (!claims.iss) { claims.iss = opts.issuer; }
if (!claims.iss) { console.warn("No issuer given, token will not be verifiable"); }
if (!claims.sub) { claims.sub = opts.sub; }
if (!claims.exp) {
if (!opts.expiresAt) { setTimes('15m'); }
claims.exp = opts.expiresAt;
}
if (!claims.iat) { claims.iat = opts.issuedAt; }
if (!claims.nbf) { claims.nbf = opts.nbf; }
return Keypairs.signJwt({ jwk: pair.private, claims: claims }).then(function (jwt) {
console.info(jwt);
});
}));
});
} else {
return kp.then(function (pair) {
if (pair._convert) {
return convertKeypair(pair);
}
});
}
function readKeypair() {
// note that the jwk may be a string
var jwkopts = opts.jwks.shift();
var jwk = jwkopts && jwkopts.jwk;
if (!jwk) {
console.error("no keys could be parsed from the given arguments");
console.error(opts.names.map(function (t) { return t.name; }));
process.exit(1);
return;
}
// omit the primary private key from the list of actual (or soon-to-be) files
if (jwkopts.filename) {
opts.names = opts.names.filter(function (name) {
return name.name !== jwkopts.filename;
});
}
var pair = { private: null, public: null };
if (jwk.d) {
pair.private = jwk;
}
pair.public = Keypairs._neuter({ jwk: jwk });
return pair;
}
function convertKeypair(pair) {
//var pair = readKeypair();
var ps = [];
if (pair.private && !opts.public) {
if ((!opts.privEncoding || 'json' === opts.privEncoding) && (!opts.privFormat || 'jwk' === opts.privFormat)) {
ps.push(Promise.resolve(pair.private));
} else {
ps.push(Keypairs.export({ jwk: pair.private, format: opts.privFormat, encoding: opts.privEncoding }));
}
}
if (!opts.private) {
if (opts.public) {
if (!opts.pubFormat) { opts.pubFormat = opts.privFormat; }
if (!opts.pubEncoding) { opts.pubEncoding = opts.privEncoding; }
}
if ((!opts.pubEncoding || 'json' === opts.pubEncoding) && (!opts.pubFormat || 'jwk' === opts.pubFormat)) {
ps.push(Promise.resolve(pair.public));
} else {
ps.push(Keypairs.export({ jwk: pair.public, format: opts.pubFormat, encoding: opts.pubEncoding, public: true }));
}
}
return Promise.all(ps).then(function (arr) {
// only use the first key
var key = convert(0, opts.public);
if (opts.public) {
// end early
if (opts.names.length) {
writeFile(opts.names[0].name, key, !opts.public); // todo make pub/priv param consistent, not flip-flop
} else {
console.warn(key + "\n");
}
return;
}
// private key stuff
if (opts.names.length) {
writeFile(opts.names[0].name, key, true);
} else {
console.info(key + "\n");
}
// pub key stuff
if (!opts.private) {
if (opts.names.length >= 2) {
writeFile(opts.names[1].name, key, false);
} else {
console.warn(key + "\n");
}
}
return pair;
function convert(i, pub) {
if (arr[i].kty) {
if (pub) {
if (opts.expiresAt) { arr[i].exp = opts.expiresAt; }
arr[i].use = "sig";
}
arr[i] = JSON.stringify(arr[i]);
}
return arr[i];
}
});
}
function genKeypair() {
return Keypairs.generate({
kty: opts.kty
, modulusLength: opts.modulusLength
, namedCurve: opts.namedCurve
}).then(function (pair) {
var ps = [];
if ((!opts.privEncoding || 'json' === opts.privEncoding) && (!opts.privFormat || 'jwk' === opts.privFormat)) {
ps.push(Promise.resolve(pair.private));
} else {
ps.push(Keypairs.export({ jwk: pair.private, format: opts.privFormat, encoding: opts.privEncoding }));
}
if ((!opts.pubEncoding || 'json' === opts.pubEncoding) && (!opts.pubFormat || 'jwk' === opts.pubFormat)) {
ps.push(Promise.resolve(pair.public));
} else {
ps.push(Keypairs.export({ jwk: pair.public, format: opts.pubFormat, encoding: opts.pubEncoding, public: true }));
}
return Promise.all(ps).then(function (arr) {
if (arr[0].kty) {
arr[0] = JSON.stringify(arr[0]);
}
if (arr[1].kty) {
if (opts.expiresAt) { arr[1].exp = opts.expiresAt; }
arr[1].use = "sig";
arr[1] = JSON.stringify(arr[1]);
}
if (!opts.names.length) {
console.info(arr[0] + "\n");
console.warn(arr[1] + "\n");
}
if (opts.names.length >= 1) {
writeFile(opts.names[0].name, arr[0], true);
if (!opts.private && opts.names.length >= 2) {
writeFile(opts.names[1].name, arr[1]);
}
}
return pair;
});
});
}
function writeFile(name, key, priv) {
var overwrite;
try {
fs.accessSync(name);
overwrite = opts.overwrite;
if (!opts.overwrite) {
if (priv) {
console.info(key + "\n");
} else {
console.warn(key + "\n");
}
console.error("'" + name + "' exists! force overwrite with 'overwrite'");
process.exit(1);
return;
}
} catch(e) {
// the file does not exist (or cannot be accessed)
}
fs.writeFileSync(name, key);
if (overwrite) {
console.info("Overwrote " + (priv ? "private" : "public") + " key at '" + name + "'");
} else {
console.info("Wrote " + (priv ? "private" : "public") + " key to '" + name + "'");
}
}
function setJwt(arg) {
try {
var jwt = arg.match(/^([\w-]+)\.([\w-]+)\.([\w-]+)$/);
// make sure header is a JWT header
JSON.parse(Buffer.from(jwt[1], 'base64'));
opts.jwts.push(arg);
return true;
} catch(e) {
// ignore
}
}
function setSubject(arg) {
if (!/.+@[a-z0-9_-]+\.[a-z0-9_-]+/i.test(arg)) {
return false;
}
opts.subject = arg;
return false;
}
function setIssuer(arg) {
if (!/^https?:\/\/[a-z0-9_-]+\.[a-z0-9_-]+/i.test(arg)) {
return false;
}
try {
new URL(arg);
opts.issuer = arg.replace(/\/$/, '');
return true;
} catch(e) {
}
return false;
}
function setTimes(arg) {
var t = arg.match(/^(\-?\d+)([dhms])$/i);
if (!t || !t[0]) {
return false;
}
var num = parseInt(t[1], 10);
var unit = t[2];
var mult = 1;
opts.issuedAt = Math.round(Date.now()/1000);
switch(unit) {
// fancy fallthrough, what fun!
case 'd':
mult *= 24;
/*falls through*/
case 'h':
mult *= 60;
/*falls through*/
case 'm':
mult *= 60;
/*falls through*/
case 's':
mult *= 1;
}
if (!opts.expiresIn) {
opts.expiresIn = mult * num;
opts.expiresAt = opts.issuedAt + opts.expiresIn;
} else {
opts.nbf = opts.issuedAt + (mult * num);
}
return true;
}
function decodeJwt(jwt) {
var parts = jwt.split('.');
return {
header: JSON.parse(Buffer.from(parts[0], 'base64'))
, payload: JSON.parse(Buffer.from(parts[1], 'base64'))
, signature: parts[2] //Buffer.from(parts[2], 'base64')
};
}
Reference in New Issue View Git Blame Copy Permalink