User Guide - nxpcrypto#

This user’s guide describes how to use the nxpcrypto application.

Command line interface#

nxpcrypto#

Collection of utilities for cryptographic operations.

nxpcrypto [OPTIONS] COMMAND [ARGS]...

Options

-v, --verbose#

Print more detailed information

-vv, --debug#

Display more debugging information.

--version#

Show the version and exit.

--help#

Show this message and exit.

cert#

Group of commands for working with X.509 certificates.

nxpcrypto cert [OPTIONS] COMMAND [ARGS]...

generate#

Generate certificate.

The configuration template file can be generated with the ‘get-template’ subcommand.

nxpcrypto cert generate [OPTIONS]

Options

-c, --config <config>#

Required Path to the YAML/JSON configuration file.

-o, --output <output>#

Required Path to a file, where to store the output.

--force#

Force overwriting of existing files.

-e, --encoding <encoding>#

Encoding type. Default is PEM.

Options:

PEM | DER

get-template#

Generate a template of the YAML configuration file for certificate generation.

nxpcrypto cert get-template [OPTIONS]

Options

-o, --output <output>#

Required Path to a file, where to store the output.

--force#

Force overwriting of existing files.

verify#

Verify signature or public key in certificate.

nxpcrypto cert verify [OPTIONS]

Options

-c, --certificate <certificate>#

Required Path to certificate to verify

-s, --sign <sign>#

Path to key to verify certificate signature

-p, --puk <puk>#

Path to key to verify public key in certificate

digest#

Computes digest/hash of the given file.

nxpcrypto digest [OPTIONS]

Options

-h, --hash <hash_name>#

Required Name of a hash to use.

Options:

sm3 | shake_128 | sha3_224 | blake2b | sha224 | shake_256 | sha512_224 | md5 | sha384 | sha512_256 | blake2s | sha512 | sha3_256 | sha3_384 | sha3_512 | sha256 | sha1 | md5-sha1

-i, --input-file <input_file>#

Required Path to a file to digest.

-c, --compare <PATH | DIGEST>#

Reference digest to compare. It may be directly on the command line or fetched from a file.

key#

Group of commands for working with asymmetric keys.

nxpcrypto key [OPTIONS] COMMAND [ARGS]...

convert#

Convert an asymmetric key into various formats.

nxpcrypto key convert [OPTIONS]

Options

-e, --encoding <encoding>#

Required Desired output format.

Options:

PEM | DER | RAW

-i, --input-file <input_file>#

Required Path to key file to convert.

-o, --output <output>#

Required Path to a file, where to store the output.

-p, --puk#

Extract public key instead of converting private key.

generate#

NXP Key Generator Tool.

nxpcrypto key generate [OPTIONS]

Options

-k, --key-type <KEY-TYPE>#

Set of the supported key types.

Note: The NXP DAT protocol uses encryption keys according to this table:

NXP Protocol Version    Key Type
1.0                     RSA 2048
1.1                     RSA 4096
2.0                     SECP256R1
2.1                     SECP384R1
2.2                     SECP521R1

All possible options: rsa2048, rsa3072, rsa4096, secp256r1, secp384r1, secp521r1, sm2.

Options:

rsa2048 | rsa3072 | rsa4096 | secp256r1 | secp384r1 | secp521r1 | sm2

--password <PASSWORD>#

Password with which the output file will be encrypted. If not provided, the output will be unencrypted.

-o, --output <output>#

Required Path to a file, where to store the output.

--force#

Force overwriting of existing files.

-e, --encoding <encoding>#

Options:

NXP | PEM | DER

verify#

Check whether provided keys form a key pair or represent the same key.

The key can be a private key, a public key, or a certificate. All combinations are allowed. For certificates, the public key within the certificate is considered. To verify a certificate signature, use nxpcrypto cert verify.

nxpcrypto key verify [OPTIONS]

Options

-k1, --key1 <key1>#

Required Path to key to verify.

-k2, --key2 <key2>#

Required Path to key for verification.

rot#

Group of RoT commands.

nxpcrypto rot [OPTIONS] COMMAND [ARGS]...

calculate-hash#

Calculate RoT hash.

nxpcrypto rot calculate-hash [OPTIONS]

Options

-f, --family <family>#

Required Select the chip family.

Options:

k32w1xx | kw45xx | lpc55s0x | lpc55s1x | lpc55s2x | lpc55s3x | lpc55s6x | mc56f81xxx | mcxn23x | mcxn9xx | mwct20d2x | mx8ulp | mx93 | mx95 | nhs52sxx | rt101x | rt102x | rt104x | rt105x | rt106x | rt116x | rt117x | rt118x | rt5xx | rt6xx | rw61x

-k, --key <key>#

Path to one or multiple keys or certificates.

-p, --password <password>#

Password when using encrypted private keys.

-o, --output <output>#

Path to a file, where to store the output.

export#

Export RoT table.

nxpcrypto rot export [OPTIONS]

Options

-f, --family <family>#

Required Select the chip family.

Options:

k32w1xx | kw45xx | lpc55s0x | lpc55s1x | lpc55s2x | lpc55s3x | lpc55s6x | mc56f81xxx | mcxn23x | mcxn9xx | mwct20d2x | mx8ulp | mx93 | mx95 | nhs52sxx | rt101x | rt102x | rt104x | rt105x | rt106x | rt116x | rt117x | rt118x | rt5xx | rt6xx | rw61x

-k, --key <key>#

Path to one or multiple keys or certificates.

-p, --password <password>#

Password when using encrypted private keys.

-o, --output <output>#

Path to a file, where to store the output.

signature#

Group of commands for working with signature.

nxpcrypto signature [OPTIONS] COMMAND [ARGS]...

create#

Sign the data with given private key.

nxpcrypto signature create [OPTIONS]

Options

-k, --private-key <private_key>#

Path to private key to be used for signing.

Supported private keys: rsa2048, rsa3072, rsa4096, secp256r1, secp384r1, secp521r1, sm2.

-sp, --signature-provider <signature_provider>#

Signature provider configuration string.

-p, --password <password>#

Password when using encrypted private keys.

-a, --algorithm <algorithm>#

Hash algorithm used when signing the message.

Options:

sha1 | sha256 | sha384 | sha512 | md5 | sm3

-i, --input-file <input_file>#

Required Path to file containing binary data to be signed.

-e, --encoding <encoding>#

Encoding of output signature. This option is applicable only when signing with ECC keys.

Options:

NXP | DER

-pp, --pss-padding#

Use PSS padding in case of RSA

-r, --regions <regions>#

Region(s) of data that will be signed. Multiple regions can be specified.

Format of region option is similar to Python’s list indices syntax:

[1]

Byte with index 1

[:20]

First 20 bytes

[0x10:0x20]

Between 0x10 and 0x20

[-20:]

Last 20 bytes

-o, --output <output>#

Required Path to a file, where to store the output.

--force#

Force overwriting of existing files.

verify#

Verify the given signature with public key.

nxpcrypto signature verify [OPTIONS]

Options

-k, --public-key <public_key>#

Required Path to public key to be used for verification.

Supported public keys: rsa2048, rsa3072, rsa4096, secp256r1, secp384r1, secp521r1, sm2.

-a, --algorithm <algorithm>#

Hash algorithm used when signing the message. If not set, default algorithm will be used.

Options:

sha1 | sha256 | sha384 | sha512 | md5 | sm3

-i, --input-file <input_file>#

Required Path to file containing original binary data.

-s, --signature <signature>#

Required Path to file containing data signature.

-pp, --pss-padding#

Indicate whether the signature uses PSS padding in case of RSA

-r, --regions <regions>#

Region(s) of data that will be signed. Multiple regions can be specified.

Format of region option is similar to Python’s list indices syntax:

[1]

Byte with index 1

[:20]

First 20 bytes

[0x10:0x20]

Between 0x10 and 0x20

[-20:]

Last 20 bytes
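
The region syntax listed for -r, --regions under both signature create and signature verify, as an added Python example (not nxpcrypto's own code): it parses the four listed forms, builds the byte string a region-limited signature would cover, and reports which byte ranges are left outside it. The exact grammar, the concatenation of regions in the order given, and the names parse_region, signed_view, uncovered and digest are assumptions of this example.

```python
import hashlib
import re

_NUM = r"-?(?:0[xX][0-9a-fA-F]+|\d+)"
# Grammar inferred from the four forms listed on this page (assumption).
_REGION = re.compile(rf"\[\s*({_NUM})?\s*(:)?\s*({_NUM})?\s*\]")
SAMPLE = bytes(range(64))  # constructed 64-byte input, not a real image

def _to_int(text):
    return None if text is None else int(text, 16 if "x" in text.lower() else 10)

def parse_region(text):
    """Turn '[1]', '[:20]', '[0x10:0x20]' or '[-20:]' into a slice."""
    m = _REGION.fullmatch(text.strip())
    if not m:
        raise ValueError(f"malformed region: {text!r}")
    start, colon, end = _to_int(m[1]), m[2], _to_int(m[3])
    if colon:
        return slice(start, end)
    if start is None or end is not None:
        raise ValueError(f"malformed region: {text!r}")
    # Single index selects one byte; -1 needs an open end (slice(-1, 0) is empty).
    return slice(start, start + 1 if start != -1 else None)

def signed_view(data, regions):
    """Bytes covered by the signature: regions joined in the order given (assumption)."""
    return b"".join(data[parse_region(r)] for r in regions)

def uncovered(length, regions):
    """Half-open (start, end) offset ranges that no region touches."""
    covered = set()
    for r in regions:
        covered.update(range(*parse_region(r).indices(length)))
    gaps, start = [], None
    for off in range(length + 1):
        if off < length and off not in covered:
            start = off if start is None else start
        elif start is not None:
            gaps.append((start, off))
            start = None
    return gaps

def digest(data, regions):
    """SHA-256 over the signed view only, i.e. what a signature would bind."""
    return hashlib.sha256(signed_view(data, regions)).hexdigest()
```

Bytes inside a range returned by uncovered() can change without affecting the digest, so compare the reported gaps against the file layout before relying on a region-limited signature.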