User Guide - nxpcrypto

This user’s guide describes how to use the nxpcrypto application.

Command line interface

nxpcrypto

Collection of utilities for cryptographic operations.

nxpcrypto [OPTIONS] COMMAND [ARGS]...

Options

-v, --verbose

Print more detailed information

-vv, --debug

Display more debugging information.

--version

Show the version and exit.

--help

Show this message and exit.

cert

Group of commands for working with X.509 certificates.

nxpcrypto cert [OPTIONS] COMMAND [ARGS]...

generate

Generate certificate.

nxpcrypto cert generate [OPTIONS]

Options

-j, -c, --config <config>

Required Path to yaml/json configuration file containing the parameters for certificate.

-o, --output <output>

Required Path where certificate will be stored.

-e, --encoding <encoding>

Encoding type. Default is PEM

Options

PEM | DER

--force

Force overwriting of an existing file. Create the destination folder if it doesn’t exist already.

get-cfg-template

Generate a template of the certificate generation YML configuration file.

PATH - file name path to write template config file

nxpcrypto cert get-cfg-template [OPTIONS] PATH

Options

-f, --force

Force overwriting of an existing file. Create the destination folder if it doesn’t exist already.

Arguments

PATH

Required argument

verify

Verify signature or public key in certificate.

PATH - path to certificate

nxpcrypto cert verify [OPTIONS] PATH

Options

-s, --sign <sign>

Path to key to verify certificate signature

-p, --puk <puk>

Path to key to verify public key in certificate

Arguments

PATH

Required argument

digest

Computes digest/hash of the given file.

nxpcrypto digest [OPTIONS]

Options

-h, --hash <hash_name>

Required Name of a hash to use.

Options

DSA-SHA | dsaWithSHA | MD5 | SHA | sha3_224 | SHA256 | MD4 | ecdsa-with-SHA1 | whirlpool | dsaEncryption | sha3_384 | blake2s | sha1 | ripemd160 | RIPEMD160 | SHA1 | blake2b | sha3_512 | shake_256 | DSA | SHA512 | sha224 | SHA384 | sha384 | sha512 | sha3_256 | sha256 | sha | SHA224 | md4 | md5 | shake_128

-i, --infile <infile>

Required Path to a file to digest.

-c, --compare <PATH | DIGEST>

Reference digest to compare. It may be directly on the command line or fetched from a file.

key

Group of commands for working with asymmetric keys.

nxpcrypto key [OPTIONS] COMMAND [ARGS]...

convert

Convert an asymmetric key into various formats.

nxpcrypto key convert [OPTIONS]

Options

-f, --output-format <output_format>

Desired output format.

Options

PEM | DER | RAW

-i, --infile <infile>

Required Path to key file to convert.

-o, --outfile <outfile>

Path to output file.

-p, --puk

Extract public key instead of converting private key.

--use-pkcs8, --no-pkcs8

Use/don’t use PKCS8 encoding for private keys, default: --use-pkcs8

generate

NXP Key Generator Tool.

PATH - output file path, where the key pair (private and public key) will be stored.
Each key will be stored in a separate file (.pub and .pem).

nxpcrypto key generate [OPTIONS] PATH

Options

-v, --verbose

Print more detailed information

-vv, --debug

Display more debugging information.

--version

Show the version and exit.

--help

Show this message and exit.

-k, --key-type <KEY-TYPE>

Set of the supported key types. Default is RSA2048.

Note: The NXP DAT protocol uses encryption keys according to this table:

NXP Protocol Version    Encryption Type
1.0                     RSA 2048
1.1                     RSA 4096
2.0                     SECP256R1
2.1                     SECP384R1
2.2                     SECP521R1

All possible options: rsa2048, rsa3072, rsa4096, prime192v1, prime256v1, secp192r1, secp224r1, secp256r1, secp384r1, secp521r1, secp256k1, sect163k1, sect233k1, sect283k1, sect409k1, sect571k1, sect163r2, sect233r1, sect283r1, sect409r1, sect571r1, brainpoolP256r1, brainpoolP384r1, brainpoolP512r1.

Options

rsa2048 | rsa3072 | rsa4096 | prime192v1 | prime256v1 | secp192r1 | secp224r1 | secp256r1 | secp384r1 | secp521r1 | secp256k1 | sect163k1 | sect233k1 | sect283k1 | sect409k1 | sect571k1 | sect163r2 | sect233r1 | sect283r1 | sect409r1 | sect571r1 | brainpoolP256r1 | brainpoolP384r1 | brainpoolP512r1

--password <PASSWORD>

Password with which the output file will be encrypted. If not provided, the output will be unencrypted.

--force

Force overwriting of an existing file.

Arguments

PATH

Required argument

verify

Check whether provided keys form a key pair or represent the same key.

nxpcrypto key verify [OPTIONS] KEY1 KEY2

Arguments

KEY1

Required argument

KEY2

Required argument
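
A key workflow built from the commands documented above, as an added example that is not part of the original guide: it picks the key type for a DAT protocol version from the table under key generate, generates the pair, and cross-checks it with key verify, key convert and digest. The function names and the ./keys path are hypothetical; it assumes that a PATH ending in .pem produces sibling .pem and .pub files and that nxpcrypto exits non-zero on failure.

```shell
#!/bin/sh
# Added example, not from the original guide. Helper names are hypothetical.

# Map an NXP DAT protocol version to a --key-type value (table in "key generate").
dat_key_type() {
    case "$1" in
        1.0) echo rsa2048 ;;
        1.1) echo rsa4096 ;;
        2.0) echo secp256r1 ;;
        2.1) echo secp384r1 ;;
        2.2) echo secp521r1 ;;
        *) echo "unsupported DAT protocol version: $1" >&2; return 1 ;;
    esac
}

# provision_dat_key VERSION BASENAME
# Assumptions: PATH "BASENAME.pem" yields BASENAME.pem (private key) and
# BASENAME.pub (public key); a failed nxpcrypto command exits non-zero.
provision_dat_key() {
    key_type=$(dat_key_type "$1") || return 1
    base=$2
    # No --password is passed, so the private key is written unencrypted:
    # make files created here readable by the owner only.
    old_umask=$(umask)
    umask 077
    nxpcrypto key generate -k "$key_type" "$base.pem" &&
        # The two generated files must form one key pair.
        nxpcrypto key verify "$base.pem" "$base.pub" &&
        # Re-derive the public key from the private key as DER ...
        nxpcrypto key convert -p -f DER -i "$base.pem" -o "$base.pub.der" &&
        # ... and check that it represents the same key as the .pub file.
        nxpcrypto key verify "$base.pub" "$base.pub.der" &&
        # Print a SHA-256 digest of the DER public key to record as its fingerprint.
        nxpcrypto digest -h sha256 -i "$base.pub.der"
    status=$?
    umask "$old_umask"
    return "$status"
}

# Run only where nxpcrypto is installed; ./keys is a constructed path that must exist.
if command -v nxpcrypto >/dev/null 2>&1; then
    provision_dat_key 2.1 ./keys/dat_v21
fi
```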