#!/bin/bash
#
# Script to convert a PEM private key file to a JWK object
#
#
#
# Requires the following command line utilities:
# - openssl
# - sed
# - xxd
# - base64
# - tr
# Job control off plus lastpipe: the last stage of a pipeline then runs in
# the current shell, so variables assigned inside `cmd | while read ...`
# survive the loop (lastpipe only takes effect when job control is off).
set +m
shopt -s lastpipe
################################
# Set some default values
# NOTE(review): VERBOSE and DEBUG are not read anywhere in this file.
VERBOSE=true
DEBUG=false
##################
# Define functions
#######################################
# Print the command line usage summary to stdout.
# Outputs:  one line per option, a blank line, then the exit-status rule
# Returns:  0
#######################################
print_help() {
  cat <<'EOF'
Command line parameters:
 -k <file> : Private key PEM file name
 -r <string> : Root file name - output will be <string>.key.jwk and
 <string>.pub.jwk
 -p <password> : Password to unlock private key in PEM file
 -h : Print this list and exit

Exit status 0 if success, 1 if not
EOF
}
################################################### Start main work
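echo "$0 - Convert a PEM private key into JWK private and public key files"
echo ""
# Confirm external commands are available. `command -v` is the builtin,
# portable "is it on PATH" test; `which` is an external program that is
# not guaranteed to exist or to return a meaningful exit status.
COMMANDS=(openssl sed xxd base64 tr)
for cmd in "${COMMANDS[@]}"; do
  if ! command -v "$cmd" >/dev/null 2>&1; then
    # Diagnostics go to stderr so they do not mix with normal output.
    >&2 echo "ERROR: Can't run required command: $cmd"
    >&2 echo "Please ensure that it is available and executable"
    >&2 echo ""
    print_help >&2
    exit 1
  fi
done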
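#######################################
# Parse the command line options (override defaults set above).
# Globals:   KEYFILE (-k), ROOTNAME (-r), PASSWD (-p) are written
# Arguments: the script's "$@"
# Outputs:   -h prints the help text to stdout
# Returns:   0; -h exits 0, an unknown option or a missing option
#            argument exits 1 (getopts prints the diagnostic)
# NOTE: a value given with -p is visible to other users on the host via
# the process list for as long as this script runs; the script cannot
# hide what the caller already put on its own argv.
#######################################
parse_args() {
  # A local OPTIND makes the function safe to call more than once.
  local OPTIND=1 opt
  while getopts 'k:r:p:h' opt; do
    case "$opt" in
      k) KEYFILE=$OPTARG ;;
      r) ROOTNAME=$OPTARG ;;
      p) PASSWD=$OPTARG ;;
      h)
        print_help
        exit 0
        ;;
      \?) exit 1 ;;
    esac
  done
}
parse_args "$@"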
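#######################################
# Report a usage problem on stderr and exit 1.
# Arguments: $1 - description of what is wrong
#######################################
usage_error() {
  >&2 echo "ERROR: $1"
  >&2 echo "Syntax: $0 -k <PrivateKeyPEMFile> -r <RootName> -p <password>"
  exit 1
}
# Validate the required inputs before any key material is touched.
[[ -n "${KEYFILE:-}" ]] || usage_error "Missing private key file to process"
[[ -f "$KEYFILE" ]] || usage_error "Can't find $KEYFILE"
# -f alone lets an unreadable file through to a less clear openssl error.
[[ -r "$KEYFILE" ]] || usage_error "Can't read $KEYFILE"
[[ -n "${ROOTNAME:-}" ]] || usage_error "ROOTNAME is required. Set with -r"
[[ -n "${PASSWD:-}" ]] || usage_error "Missing password to unlock private key"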
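# Confirm the key can be loaded (and decrypted) before parsing it. The
# passphrase is handed to openssl through the environment (-passin env:)
# instead of on its command line, so it does not appear in the process
# list of the openssl child; -noout prints nothing on success, and
# openssl's own error text is left on stderr.
if ! PASSWD="$PASSWD" openssl rsa -in "$KEYFILE" -passin env:PASSWD -noout >/dev/null; then
  >&2 echo ""
  >&2 echo "ERROR: Failed to load $KEYFILE"
  exit 1
fi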
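#######################################
# Read the text dump of an RSA private key (`openssl rsa -text -noout`)
# from stdin and collect the raw hex digits of each component into the
# globals n, e_hex, d, p, q, dp, dq and qi (all reset to empty first).
# A header line such as "modulus:" or "prime1:" selects the component that
# the following indented "aa:bb:cc:" continuation lines belong to; the
# public exponent is printed on one line as "publicExponent: 65537 (0x10001)".
# Lines before the first header ("Private-Key: (2048 bit)" and similar)
# are ignored.
# Globals:   n e_hex d p q dp dq qi (written)
# Arguments: none; reads stdin
# Returns:   0
#######################################
parse_rsa_text() {
  local line context='' dec
  n='' e_hex='' d='' p='' q='' dp='' dq='' qi=''
  # read -r keeps backslashes; the default IFS trims the indentation of
  # continuation lines, so the header patterns below match at column 0.
  while read -r line; do
    case "$line" in
      modulus:*)         context=n ;;
      privateExponent:*) context=d ;;
      prime1:*)          context=p ;;
      prime2:*)          context=q ;;
      exponent1:*)       context=dp ;;
      exponent2:*)       context=dq ;;
      coefficient:*)     context=qi ;;
      publicExponent:*)
        context=''
        # Take the decimal value, render it as hex and pad to whole bytes.
        # RFC 7518 wants the minimum number of octets, so e=3 becomes "03"
        # rather than a zero-padded fixed-width "000003".
        dec=${line#publicExponent: }
        dec=${dec%% *}
        printf -v e_hex '%x' "$dec"
        if (( ${#e_hex} % 2 )); then
          e_hex="0$e_hex"
        fi
        ;;
      *)
        # Continuation line: drop the ':' separators and append the hex
        # digits to whichever component the last header selected.
        line=${line//:/}
        if [[ -n "$context" ]]; then
          printf -v "$context" '%s' "${!context}$line"
        fi
        ;;
    esac
  done
  return 0
}

#######################################
# Encode a big-endian hex string as a JWK Base64urlUInt: drop the single
# leading 00 byte openssl prints as a sign pad, convert to binary, base64
# without line wrapping, switch to the URL-safe alphabet and strip the
# '=' padding. Needs GNU base64 for -w 0.
# Arguments: $1 - hex digits (even length)
# Outputs:   base64url string on stdout
#######################################
hex_to_b64url() {
  local hex=${1#00} b64
  b64=$(printf '%s' "$hex" | xxd -r -p | base64 -w 0 | tr '+/' '-_')
  # '=' only occurs as trailing padding, so cutting at the first one is safe.
  printf '%s\n' "${b64%%=*}"
}

# Dump the key (passphrase via the environment, not argv) and collect the
# components. Process substitution runs the reader in the current shell,
# so the globals it sets survive without relying on `shopt -s lastpipe`.
parse_rsa_text < <(PASSWD="$PASSWD" openssl rsa -in "$KEYFILE" -passin env:PASSWD -text -noout)
# Every component, e included, goes through the same base64url encoder
# (for e=65537 this yields "AQAB").
n=$(hex_to_b64url "$n")
e=$(hex_to_b64url "$e_hex")
d=$(hex_to_b64url "$d")
p=$(hex_to_b64url "$p")
q=$(hex_to_b64url "$q")
dp=$(hex_to_b64url "$dp")
dq=$(hex_to_b64url "$dq")
qi=$(hex_to_b64url "$qi")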
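#######################################
# Write <ROOTNAME>.key.jwk (private key, owner-only mode) and
# <ROOTNAME>.pub.jwk (public key) from the already base64url-encoded
# components.
# Globals:   ROOTNAME n e d p q dp dq qi (read)
# Outputs:   progress lines on stdout; the two JWK files
# Returns:   0 on success, 1 if the private file cannot be created
# NOTE(review): ROOTNAME is interpolated into the JSON unescaped, so a '"'
# or '\' in it produces invalid JSON - confirm callers only pass plain names.
# NOTE(review): the private JWK says "use": "sig" while the public one says
# "use": "enc"; a key pair normally shares one value - confirm intent.
#######################################
write_jwk_files() {
  local priv="$ROOTNAME.key.jwk" pub="$ROOTNAME.pub.jwk"
  echo "==> Writing $priv"
  # The private JWK carries d, p, q, dp, dq and qi: create it with an
  # owner-only umask, and tighten a pre-existing file before its content
  # is replaced, so the material is never readable by other users.
  ( umask 077 && : > "$priv" ) && chmod 600 "$priv" || return 1
  cat <<EOF > "$priv"
{
  "kty": "RSA",
  "use": "sig",
  "kid": "$ROOTNAME.key",
  "n": "$n",
  "e": "$e",
  "d": "$d",
  "p": "$p",
  "q": "$q",
  "dp": "$dp",
  "dq": "$dq",
  "qi": "$qi"
}
EOF
  echo "==> Writing $pub"
  # No comma after the last member: a trailing comma is not valid JSON.
  cat <<EOF > "$pub"
{
  "kty": "RSA",
  "use": "enc",
  "kid": "$ROOTNAME.pub",
  "n": "$n",
  "e": "$e"
}
EOF
}
write_jwk_files || exit 1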