User Guide - nxpcrypto

This user’s guide describes how to use nxpcrypto application.

Command line interface

nxpcrypto

Collection of utilities for cryptographic operations.

nxpcrypto [OPTIONS] COMMAND [ARGS]...

Options

-v, --verbose: Print more detailed information

-vv, --debug: Display more debugging information.

--version: Show the version and exit.

--help: Show this message and exit.

cert

Group of command for working with x509 certificates.

nxpcrypto cert [OPTIONS] COMMAND [ARGS]...

generate

Generate certificate.

The configuration template files could be generated by subcommand ‘get-template’.

nxpcrypto cert generate [OPTIONS]

Options

-c, --config <config>: Required Path to the YAML/JSON configuration file.

-o, --output <output>: Required Path to a file, where to store the output.

--force: Force overwriting of existing files.

-e, --encoding <encoding>

Encoding type. Default is PEM

Options: PEM | DER

get-template

Generate the template of Certificate generation YML configuration file.

nxpcrypto cert get-template [OPTIONS]

Options

-o, --output <output>: Required Path to a file, where to store the output.

--force: Force overwriting of existing files.

verify

Verify signature or public key in certificate.

nxpcrypto cert verify [OPTIONS]

Options

-c, --certificate <certificate>: Required Path to certificate to verify

-s, --sign <sign>: Path to key to verify certificate signature

-p, --puk <puk>: Path to key to verify public key in certificate

digest

Computes digest/hash of the given file.

nxpcrypto digest [OPTIONS]

Options

-h, --hash <hash_name>

Required Name of a hash to use.

Options: ripemd160 | sha3_224 | sha512 | blake2b | whirlpool | sha512_224 | sha3_512 | md4 | sha256 | sha1 | shake_128 | md5 | sha384 | blake2s | sm3 | shake_256 | sha224 | sha3_256 | sha512_256 | md5-sha1 | sha3_384

-i, --input-file <input_file>: Required Path to a file to digest.

-c, --compare <PATH | DIGEST>: Reference digest to compare. It may be directly on the command line or fetched from a file.

key

Group of commands for working with asymmetric keys.

nxpcrypto key [OPTIONS] COMMAND [ARGS]...

convert

Convert Asymmetric key into various formats.

nxpcrypto key convert [OPTIONS]

Options

-e, --encoding <encoding>

Desired output format.

Options: PEM | DER | RAW

-i, --input-file <input_file>: Required Path to key file to convert.

-o, --output <output>: Required Path to a file, where to store the output.

-p, --puk: Extract public key instead of converting private key.

generate

NXP Key Generator Tool.

nxpcrypto key generate [OPTIONS]

Options

-k, --key-type <KEY-TYPE>

Set of the supported key types.

Note: NXP DAT protocol is using encryption keys by this table:

NXP Protocol Version Key Type 1.0 RSA 2048 1.1 RSA 4096 2.0 SECP256R1 2.1 SECP384R1 2.2 SECP521R1

All possible options: rsa2048, rsa3072, rsa4096, secp256r1, secp384r1, secp521r1, sm2.

Options: rsa2048 | rsa3072 | rsa4096 | secp256r1 | secp384r1 | secp521r1 | sm2

--password <PASSWORD>: Password with which the output file will be encrypted. If not provided, the output will be unencrypted.

-o, --output <output>: Required Path to a file, where to store the output.

--force: Force overwriting of existing files.

-e, --encoding <encoding>

Options: NXP | PEM | DER

verify

Check whether provided keys form a key pair or represent the same key.

The key could be private key, public key, or certificate. All combination are allowed. In case of certificates, the public key within certificate is considered. To verify certificate signature use nxpcrypto cert verify.

nxpcrypto key verify [OPTIONS]

Options

-k1, --key1 <key1>: Required Path to key to verify.

-k2, --key2 <key2>: Required Path to key for verification.

rot

Group of RoT commands.

nxpcrypto rot [OPTIONS] COMMAND [ARGS]...

calculate-hash

Calculate RoT hash.

nxpcrypto rot calculate-hash [OPTIONS]

Options

-f, --family <family>

Required Select the chip family.

Options: k32w1xx | kw45xx | lpc550x | lpc551x | lpc552x | lpc553x | lpc55s0x | lpc55s1x | lpc55s2x | lpc55s3x | lpc55s6x | mcxn9xx | mx8ulp | mx93 | nhs52sxx | rt101x | rt102x | rt105x | rt106x | rt116x | rt117x | rt118x | rt5xx | rt6xx | rw61x

-k, --key <key>: Path to one or multiple keys or certificates.

-p, --password <password>: Password when using encrypted private keys.

-o, --output <output>: Path to a file, where to store the output.

export

Export RoT table.

nxpcrypto rot export [OPTIONS]

Options

-f, --family <family>

Required Select the chip family.

Options: k32w1xx | kw45xx | lpc550x | lpc551x | lpc552x | lpc553x | lpc55s0x | lpc55s1x | lpc55s2x | lpc55s3x | lpc55s6x | mcxn9xx | mx8ulp | mx93 | nhs52sxx | rt101x | rt102x | rt105x | rt106x | rt116x | rt117x | rt118x | rt5xx | rt6xx | rw61x

-k, --key <key>: Path to one or multiple keys or certificates.

-p, --password <password>: Password when using encrypted private keys.

-o, --output <output>: Path to a file, where to store the output.