keypairs-cli.js/README.md

# Keypairs CLI

The most useful and easy-to-use crypto cli on the planet
(because `openssl` is confusing).

* [x] Universal Standards-based Crypto Support:
  * [x] RSA (2048, 3072, 4096, 8192)
  * [x] EC (NIST ECDSA) P-256 (prime256v1, secp256r1), P-384 (secp384r1)
* [x] Supported Encodings: PEM, JSON
* [x] Private Key Formats: PKCS1, SEC1, PKCS8, JWK, OpenSSH
* [x] Public Key Formats: PKCS1, PKIX (SPKI), SSH
* [x] Create JWT tokens
* [x] Sign JWT/JWS claims/tokens/payloads
* [x] Decode JWTs (without verifying)
* [x] Verify JWT/JWS tokens/json (by fetching public key)

# Install

You must have [node.js](https://nodejs.org) installed.

```bash
npm install --global keypairs-cli
```

# Usage

Guess and check.

The keypairs CLI is pretty fuzzy. **If you just type at it, it'll probably work.**

That said, the fuzzy behavior is _not_ API-stable and is subject to change,
so you should only script to the documented syntax. ;)

# Overview

* Generate: `keypairs gen`
* Convert: `keypairs ./priv.pem`
* Sign: `keypairs sign ./priv.pem https://example.com/ '{"sub":"jon@example.com"}'`
* Verify: `keypairs verify 'xxxxx.yyyyy.zzzzz'`
* Decode: `keypairs decode 'xxxxx.yyyyy.zzzzz'`
* Debug: prefix any option with `debug` such as `keypairs debug gen pem key.pem jwk pub.json`

## Generate a New Key

No arguments - generates a universally compatible key of more-than-sufficient entropy.

```bash
keypairs gen
```

Generate an ecdsa key:

```bash
keypairs gen ec P-256
```

Generate an RSA key:

```bash
keypairs gen rsa 2048
```

## Parse/Convert an existing key

```bash
keypairs ./priv.pem
```

```bash
keypairs '{"kty":"EC",...}'
```

```bash
keypairs ./priv.jwk.json
```

**Syntax**: `keypairs <in> [priv-out opts...] [pub-out opts...]`

```bash
keypairs <inkey> [[encoding|scheme] [priv-out]] [[encoding|scheme] [pub-out]] [public|private]
```

**Note**: If you specify a private _and_ a public key, and you want to specify the schema/encoding
of the public key, you must also specify the scheme and encoding of the public key. Order matters.
Private keys come first.

JWK Keypair to PEM-encoded Private and Public keys:

```bash
keypairs ./priv.json pem pkcs1 ./priv.pem pem spki ./pub.pem
keypairs ./priv.json pem ./priv.pem ssh ./pub.json
keypairs ./priv.json pkcs8 ./priv.pem spki ./pub.json
```

PEM Keypair to JSON-encoded JWK (Public Key Only):

```bash
keypairs ./priv.pem jwk ./priv.pem public
keypairs ./priv.pem json ./priv.pem public
```

Generic PEM to JWK:

```bash
keypairs priv.pem priv.jwk.json
```

```bash
keypairs priv.pem priv.jwk.json pub.jwk.json
```

```bash
keypairs priv.pem pub.jwk.json public
```

```bash
# fails if the input is public
keypairs priv.pem priv.jwk.json private
```


Generic JWK to PEM:

```bash
keypairs '{"kty":"EC",...}' priv.pem
```

```bash
keypairs priv.json priv.pem
```

## Sign a Token (JWT)

<!-- or Payload (JWS) -->

**Syntax**:

```bash
keypairs [key] sign [issuer url] <claims> [exp] [nbf]
```

_Note: The issuer url can be omitted if it's already included among the claims._

Example:

```bash
keypairs ./priv.pem sign https://example.com/ '{"sub":"jon@example.com"}' 1h -5m
```

```bash
keypairs '{"kty":"EC",...}' sign https://example.com/ '{"sub":"jon@example.com"}' 1h -5m
```

## Verify a JWT (Token)

<!-- or JWS (Payload) -->

Verify a JWT based on its issuer

```bash
keypairs verify 'xxx.yyy.zzz'
```

<!--
Verify using a specific key

```bash
keypairs priv.pem verify 'xxx.yyy.zzz' nofetch
```
-->
initial commit (wip) 2019-03-05 04:55:31 -07:00			`# Keypairs CLI`

			`The most useful and easy-to-use crypto cli on the planet`
			(because `openssl` is confusing).

			`* [x] Universal Standards-based Crypto Support:`
			`* [x] RSA (2048, 3072, 4096, 8192)`
			`* [x] EC (NIST ECDSA) P-256 (prime256v1, secp256r1), P-384 (secp384r1)`
			`* [x] Supported Encodings: PEM, JSON`
			`* [x] Private Key Formats: PKCS1, SEC1, PKCS8, JWK, OpenSSH`
			`* [x] Public Key Formats: PKCS1, PKIX (SPKI), SSH`
			`* [x] Create JWT tokens`
			`* [x] Sign JWT/JWS claims/tokens/payloads`
v1.2.1: move cli code into here, add help 2019-03-05 13:11:13 -07:00			`* [x] Decode JWTs (without verifying)`
			`* [x] Verify JWT/JWS tokens/json (by fetching public key)`
initial commit (wip) 2019-03-05 04:55:31 -07:00
			`# Install`

			`You must have [node.js](https://nodejs.org) installed.`

			```bash
			`npm install --global keypairs-cli`
			```

			`# Usage`

			`Guess and check.`

			`The keypairs CLI is pretty fuzzy. If you just type at it, it'll probably work.`

			`That said, the fuzzy behavior is _not_ API-stable and is subject to change,`
			`so you should only script to the documented syntax. ;)`

			`# Overview`

			* Generate: `keypairs gen`
			* Convert: `keypairs ./priv.pem`
v1.2.1: move cli code into here, add help 2019-03-05 13:11:13 -07:00			* Sign: `keypairs sign ./priv.pem https://example.com/ '{"sub":"jon@example.com"}'`
initial commit (wip) 2019-03-05 04:55:31 -07:00			* Verify: `keypairs verify 'xxxxx.yyyyy.zzzzz'`
v1.2.0: lots of fun with keypairs 2019-03-05 07:28:44 -07:00			* Decode: `keypairs decode 'xxxxx.yyyyy.zzzzz'`
v1.2.1: move cli code into here, add help 2019-03-05 13:11:13 -07:00			* Debug: prefix any option with `debug` such as `keypairs debug gen pem key.pem jwk pub.json`
initial commit (wip) 2019-03-05 04:55:31 -07:00
			`## Generate a New Key`

			`No arguments - generates a universally compatible key of more-than-sufficient entropy.`

			```bash
			`keypairs gen`
			```

			`Generate an ecdsa key:`

			```bash
			`keypairs gen ec P-256`
			```

			`Generate an RSA key:`

			```bash
			`keypairs gen rsa 2048`
			```

			`## Parse/Convert an existing key`

			```bash
			`keypairs ./priv.pem`
			```

			```bash
			`keypairs '{"kty":"EC",...}'`
			```

			```bash
			`keypairs ./priv.jwk.json`
			```

			Syntax: `keypairs <in> [priv-out opts...] [pub-out opts...]`

			```bash
			`keypairs <inkey> [[encoding\|scheme] [priv-out]] [[encoding\|scheme] [pub-out]] [public\|private]`
			```

			`Note: If you specify a private _and_ a public key, and you want to specify the schema/encoding`
			`of the public key, you must also specify the scheme and encoding of the public key. Order matters.`
			`Private keys come first.`

			`JWK Keypair to PEM-encoded Private and Public keys:`

			```bash
			`keypairs ./priv.json pem pkcs1 ./priv.pem pem spki ./pub.pem`
			`keypairs ./priv.json pem ./priv.pem ssh ./pub.json`
			`keypairs ./priv.json pkcs8 ./priv.pem spki ./pub.json`
			```

			`PEM Keypair to JSON-encoded JWK (Public Key Only):`

			```bash
			`keypairs ./priv.pem jwk ./priv.pem public`
			`keypairs ./priv.pem json ./priv.pem public`
			```

			`Generic PEM to JWK:`

			```bash
			`keypairs priv.pem priv.jwk.json`
			```

			```bash
			`keypairs priv.pem priv.jwk.json pub.jwk.json`
			```

			```bash
			`keypairs priv.pem pub.jwk.json public`
			```

			```bash
			`# fails if the input is public`
			`keypairs priv.pem priv.jwk.json private`
			```


			`Generic JWK to PEM:`

			```bash
			`keypairs '{"kty":"EC",...}' priv.pem`
			```

			```bash
			`keypairs priv.json priv.pem`
			```

			`## Sign a Token (JWT)`

			`<!-- or Payload (JWS) -->`

v1.2.0: lots of fun with keypairs 2019-03-05 07:28:44 -07:00			`Syntax:`

			```bash
			`keypairs [key] sign [issuer url] <claims> [exp] [nbf]`
			```

			`_Note: The issuer url can be omitted if it's already included among the claims._`

			`Example:`

			```bash
			`keypairs ./priv.pem sign https://example.com/ '{"sub":"jon@example.com"}' 1h -5m`
			```

initial commit (wip) 2019-03-05 04:55:31 -07:00			```bash
v1.2.0: lots of fun with keypairs 2019-03-05 07:28:44 -07:00			`keypairs '{"kty":"EC",...}' sign https://example.com/ '{"sub":"jon@example.com"}' 1h -5m`
initial commit (wip) 2019-03-05 04:55:31 -07:00			```

			`## Verify a JWT (Token)`

			`<!-- or JWS (Payload) -->`

			`Verify a JWT based on its issuer`

			```bash
			`keypairs verify 'xxx.yyy.zzz'`
			```

			`<!--`
			`Verify using a specific key`

			```bash
			`keypairs priv.pem verify 'xxx.yyy.zzz' nofetch`
			```
			`-->`