.\" Automatically generated by Pandoc 3.1.11.1
.\"
.TH "KEY2JWK" "1" "" "key2jwk User Manual" "LibJWT C Library"
.SH NAME
\f[B]key2jwk\f[R] \- Generate a JSON Web Key Set
.SH SYNOPSIS
.PP
\f[B]key2jwk\f[R] \f[B][options]\f[R] <FILE> [FILE]\&...
.SH DESCRIPTION
\f[B]key2jwk\f[R] generates a JSON Web Key Set from one or more keys in
PEM or DER format.
.PP
This program will parse PEM/DER key files (public and private) into JSON
Web Keys and output a JWK Set.
Note that HMAC keys are \f[I]guessed\f[R]: any file that OpenSSL fails
to parse is assumed to be an HMAC key.
This may cause some issues.
You can disable this with the \f[B]\-m\f[R] option.
.PP
\f[I]HS256\f[R], \f[I]HS384\f[R], or \f[I]HS512\f[R] is assumed based
on the key size, and the key is expected to be a file of binary data.
The algorithm is chosen from the file size in bytes:
.PP
\f[I]\f[BI]HS256\f[I]\f[R]: size >= 32 AND size < 48
.PP
\f[I]\f[BI]HS384\f[I]\f[R]: size >= 48 AND size < 64
.PP
\f[I]\f[BI]HS512\f[I]\f[R]: size >= 64
.PP
The \f[B]\-o\f[R] option is required for output.
If the file exists, it will not be overwritten.
You can use \f[B]\-\-output \-\f[R] to write to \f[I]stdout\f[R].
If you write to \f[I]stdout\f[R], all other messages will be written to
\f[I]stderr\f[R].
.PP
RSA keys will not have an algorithm set, as they are valid for
\f[I]RS256\f[R], \f[I]RS384\f[R], and \f[I]RS512\f[R].
RSA\-PSS keys, however, will be set to \f[I]PS256\f[R], since otherwise
they would look no different than an RSA key.
RSA keys must be at least 1024 bits.
.PP
Private keys will have \f[B]sign\f[R] added to the \f[B]key_ops\f[R]
array while public keys will have the \f[B]use\f[R] attribute set to
\f[B]sig\f[R].
.PP
All keys will get a randomly generated UUIDv4 \f[B]kid\f[R] attribute
unless you use the \f[B]\-k\f[R] option.
.PP
Example output:
.IP
.EX
$ key2jwk \-q \-o \- eddsa_key_ed25519.pem
{
  \[dq]libjwt.io:comment\[dq]: \[dq]Generated by LibJWT 2.9.99\[dq],
  \[dq]libjwt.io:date\[dq]: \[dq]Sun Jan 12 23:50:24 2025\[dq],
  \[dq]libjwt.io:hostname\[dq]: \[dq]maClara.local\[dq],
  \[dq]keys\[dq]: [
    {
      \[dq]key_ops\[dq]: [
        \[dq]sign\[dq]
      ],
      \[dq]kid\[dq]: \[dq]d74a55b0\-631a\-4dfb\-8842\-cecfcb50e728\[dq],
      \[dq]kty\[dq]: \[dq]OKP\[dq],
      \[dq]crv\[dq]: \[dq]Ed25519\[dq],
      \[dq]alg\[dq]: \[dq]EdDSA\[dq],
      \[dq]d\[dq]: \[dq]XY5oUZqGWVZhX7J09hG\-rRnAKXiw1g_aBh\-Bc52KZ_Y\[dq]
    }
  ]
}
.EE
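.PP
Because the output above carries the private \f[B]d\f[R] value, a JWK Set
built from private or HMAC key files must not be served to verifiers.
The following check is an added example, not part of LibJWT or of the
original manual; the function name and the sample keys are constructed
for illustration, and the member names come from RFC 7517 and RFC 7518.
.IP
.EX
```python
"""Added example (not part of LibJWT): audit a JWK Set before publishing it."""
import json

# Private or secret JWK members from RFC 7518: "d" (EC, OKP and RSA private
# value), the RSA CRT values, and "k" (symmetric key for kty "oct").
PRIVATE_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth", "k"}
PRIVATE_KEY_OPS = {"sign", "decrypt", "unwrapKey", "deriveKey", "deriveBits"}


def audit_jwks(text):
    """Return (kid, reason) findings; an empty list means the set holds
    only public keys."""
    findings = []
    for index, jwk in enumerate(json.loads(text).get("keys", [])):
        # With key2jwk -k there is no "kid", so fall back to the position.
        kid = jwk.get("kid", "keys[%d]" % index)
        leaked = sorted(PRIVATE_MEMBERS.intersection(jwk))
        if leaked:
            findings.append((kid, "private members: " + ", ".join(leaked)))
        if jwk.get("kty") == "oct":
            findings.append((kid, "symmetric (HMAC) key"))
        ops = sorted(PRIVATE_KEY_OPS.intersection(jwk.get("key_ops", [])))
        if ops:
            findings.append((kid, "private key_ops: " + ", ".join(ops)))
    return findings


# Constructed sample shaped like key2jwk output; key values are placeholders.
SAMPLE = json.dumps({"keys": [
    {"kid": "constructed-private", "kty": "OKP", "crv": "Ed25519",
     "alg": "EdDSA", "key_ops": ["sign"], "d": "PLACEHOLDER"},
    {"kid": "constructed-public", "kty": "OKP", "crv": "Ed25519",
     "alg": "EdDSA", "use": "sig", "x": "PLACEHOLDER"},
    {"kty": "oct", "alg": "HS256", "k": "PLACEHOLDER"},
]})

if __name__ == "__main__":
    for kid, reason in audit_jwks(SAMPLE):
        print("%s: %s" % (kid, reason))
```
.EE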
.SS Options
.TP
\f[B]\-h\f[R], \f[B]\-\-help\f[R]
Show common options and quit.
.TP
\f[B]\-l\f[R], \f[B]\-\-list\f[R]
List all supported algorithms that can be passed to the \f[B]\-a\f[R]
option and quit.
.TP
\f[B]\-q\f[R], \f[B]\-\-quiet\f[R]
Do not output anything except for hard errors (and the JWKS).
.TP
\f[B]\-k\f[R], \f[B]\-\-disable\-kid\f[R]
Disable generating \f[B]kid\f[R] attribute.
.TP
\f[B]\-m\f[R], \f[B]\-\-disable\-hmac\f[R]
Disable falling back to HMAC for key files that OpenSSL cannot read.
.TP
\f[B]\-o\f[R] \f[I]FILE\f[R], \f[B]\-\-output\f[R]=\f[I]FILE\f[R]
Use \f[I]FILE\f[R] to write the JWKS.
Use \f[B]\-\f[R] to write to stdout.
.SH BUGS
See GitHub Issues: \c
.UR https://github.com/benmcollins/libjwt/issues
.UE \c
.SH AUTHOR
\f[B]key2jwk\f[R] written by Ben Collins \c
.MT bcollins@libjwt.io
.ME \c
\&.
.SH SEE ALSO
\f[B]jwt\-verify(1)\f[R], \f[B]jwt\-generate(1)\f[R],
\f[B]jwk2key(1)\f[R]