Class Index | File Index



class for RSA/ECC/DSA key utility
Defined in: keyutil-1.0.js.

Class Summary
Constructor Attributes Constructor Name and Description

KEYUTIL class is an update of former PKCS5PKEY class.
Field Summary
Field Attributes Field Name and Description
decrypt private key by shared key version string of KEYUTIL class
Method Summary
Method Attributes Method Name and Description
KEYUTIL.generateKeypair(alg, keylenOrCurve)
This method generates a key pair of public key algorithm.
KEYUTIL.getDecryptedKeyHex(sEncryptedPEM, passcode)
decrypt PEM formatted protected PKCS#5 private key with passcode
KEYUTIL.getJWK(keyinfo, nokid, nox5c, nox5t, nox5t2)
convert from certificate, public/private key object to RFC 7517 JSON Web Key(JWK)
This static method provides RFC 7517 JSON Web Key(JWK) JSON object from following argument types:
  • JWK private key
    • RSAKey or KJUR.crypto.
convert from RSAKey/KJUR.crypto.ECDSA public/private key object to RFC 7517 JSON Web Key(JWK) (DEPRECATED)
This static method convert from RSAKey/KJUR.crypto.ECDSA public/private key object to RFC 7517 JSON Web Key(JWK)
KEYUTIL.getKey(param, passcode, hextype)
get private or public key object from any arguments This method gets private or public key object(RSAKey, KJUR.crypto.DSA or KJUR.crypto.ECDSA) for RSA, DSA and ECC.
KEYUTIL.getKeyAndUnusedIvByPasscodeAndIvsalt(algName, passcode, hexadecimal)
the same function as OpenSSL EVP_BytsToKey to generate shared key and IV
get RSAKey/DSA/ECDSA public key object from hexadecimal string of PKCS#10 CSR
get RSAKey/DSA/ECDSA public key object from PEM formatted PKCS#10 CSR string
KEYUTIL.getKeyFromEncryptedPKCS8PEM(pkcs8PEM, passcode)
get RSAKey/ECDSA private key object from encrypted PEM PKCS#8 private key
get RSAKey/DSA/ECDSA private key object from HEX plain PEM PKCS#8 private key
get RSAKey/ECDSA private key object from PEM plain PEM PKCS#8 private key
get key ID by public key object for subject or authority key identifier This static method generates a key identifier from a public key by the method described in RFC 5280
KEYUTIL.getPBKDF2KeyHexFromParam(info, passcode)
generate PBKDF2 key hexstring with specified passcode and information As for info, this uses following properties:
  • info.pbkdf2Salt - hexadecimal string of PBKDF2 salt
  • info.pkbdf2Iter - iteration count
Currently, this method only supports PKCS#5v2.0 with PBES2/PBDKF2 of HmacSHA1 and TripleDES.
KEYUTIL.getPEM(keyObjOrHex, formatType, passwd, encAlg, hexType, ivsaltHex)
get PEM formatted private or public key file from a RSA/ECDSA/DSA key object
PKCS#5 encrypted private key protection algorithm supports DES-CBC, DES-EDE3-CBC and AES-{128,192,256}-CBC
OpenSSL supports
Parameter "ivsaltHex" supported since jsrsasign 8.0.0 keyutil 1.2.0.
parse hexadecimal string of PKCS#10 CSR (certificate signing request) Resulted associative array has following properties:
  • p8pubkeyhex - hexadecimal string of subject public key in PKCS#8
generate PBKDF2 key hexstring with specified passcode and information The associative array which is returned by this method has following properties:
  • info.pbkdf2Salt - hexadecimal string of PBKDF2 salt
  • info.pkbdf2Iter - iteration count
  • info.ciphertext - hexadecimal string of encrypted private key
  • info.encryptionSchemeAlg - encryption algorithm name (currently TripleDES only)
  • info.encryptionSchemeIV - initial vector for encryption algorithm
Currently, this method only supports PKCS#5v2.0 with PBES2/PBDKF2 of HmacSHA1 and TripleDES.
parse PEM formatted passcode protected PKCS#5 private key Resulted hash has following attributes.
parse hexadecimal string of plain PKCS#8 private key Resulted associative array has following properties:
  • algoid - hexadecimal string of OID of asymmetric key algorithm
  • algparam - hexadecimal string of OID of ECC curve name or null
  • keyidx - string starting index of key in pkcs8PrvHex
parse hexadecimal string of PKCS#8 RSA/EC/DSA public key Resulted hash has following attributes.
parse hexadecimal string of plain PKCS#8 private key Resulted associative array has following properties:
  • n - hexadecimal string of public key
  • e - hexadecimal string of public exponent
Class Detail

KEYUTIL class is an update of former PKCS5PKEY class. KEYUTIL class has following features:
key loading - KEYUTIL.getKey
  • supports RSAKey and KJUR.crypto.{ECDSA,DSA} key object
  • supports private key and public key
  • supports encrypted and plain private key
  • supports PKCS#1, PKCS#5 and PKCS#8 key
  • supports public key in X.509 certificate
  • key represented by JSON object
NOTE1: Encrypted PKCS#8 only supports PBKDF2/HmacSHA1/3DES
NOTE2: Encrypted PKCS#5 supports DES-CBC, DES-EDE3-CBC, AES-{128,192.256}-CBC
exporting key - KEYUTIL.getPEM
KEYUTIL.getPEM method supports following formats:
  • supports RSA/EC/DSA keys
  • PKCS#1 plain RSA/EC/DSA private key
  • PKCS#5 encrypted RSA/EC/DSA private key with DES-CBC, DES-EDE3-CBC, AES-{128,192.256}-CBC
  • PKCS#8 plain RSA/EC/DSA private key
  • PKCS#8 encrypted RSA/EC/DSA private key with PBKDF2_HmacSHA1_3DES
keypair generation - KEYUTIL.generateKeypair
  • generate key pair of RSAKey or KJUR.crypto.ECDSA.
  • generate private key and convert it to PKCS#5 encrypted private key.
NOTE: KJUR.crypto.DSA is not yet supported.
// 1. loading PEM private key
var key = KEYUTIL.getKey(pemPKCS1PrivateKey);
var key = KEYUTIL.getKey(pemPKCS5EncryptedPrivateKey, "passcode");
var key = KEYUTIL.getKey(pemPKCS5PlainRsaDssEcPrivateKey);
var key = KEYUTIL.getKey(pemPKC85PlainPrivateKey);
var key = KEYUTIL.getKey(pemPKC85EncryptedPrivateKey, "passcode");
// 2. loading PEM public key
var key = KEYUTIL.getKey(pemPKCS8PublicKey);
var key = KEYUTIL.getKey(pemX509Certificate);
// 3. exporting private key
var pem = KEYUTIL.getPEM(privateKeyObj, "PKCS1PRV");
var pem = KEYUTIL.getPEM(privateKeyObj, "PKCS5PRV", "passcode"); // DES-EDE3-CBC by default
var pem = KEYUTIL.getPEM(privateKeyObj, "PKCS5PRV", "passcode", "DES-CBC");
var pem = KEYUTIL.getPEM(privateKeyObj, "PKCS8PRV");
var pem = KEYUTIL.getPEM(privateKeyObj, "PKCS8PRV", "passcode");
// 4. exporting public key
var pem = KEYUTIL.getPEM(publicKeyObj);
Field Detail
<static> KEYUTIL.version
decrypt private key by shared key version string of KEYUTIL class
Method Detail
<static> {Array} KEYUTIL.generateKeypair(alg, keylenOrCurve)
This method generates a key pair of public key algorithm. The result will be an associative array which has following parameters: NOTE1: As for RSA algoirthm, public exponent has fixed value '0x10001'. NOTE2: As for EC algorithm, supported names of curve are secp256r1, secp256k1, secp384r1 and secp521r1. NOTE3: DSA is not supported yet.
var rsaKeypair = KEYUTIL.generateKeypair("RSA", 1024);
var ecKeypair = KEYUTIL.generateKeypair("EC", "secp256r1");
{String} alg
'RSA' or 'EC'
{Object} keylenOrCurve
key length for RSA or curve name for EC
keyutil 1.0.1
{Array} associative array of keypair which has prvKeyObj and pubKeyObj parameters

<static> {String} KEYUTIL.getDecryptedKeyHex(sEncryptedPEM, passcode)
decrypt PEM formatted protected PKCS#5 private key with passcode
{String} sEncryptedPEM
PEM formatted protected passcode protected PKCS#5 private key
{String} passcode
passcode to decrypt private key (ex. 'password')
{String} hexadecimal string of decrypted RSA priavte key

<static> {Object} KEYUTIL.getJWK(keyinfo, nokid, nox5c, nox5t, nox5t2)
convert from certificate, public/private key object to RFC 7517 JSON Web Key(JWK)
This static method provides RFC 7517 JSON Web Key(JWK) JSON object from following argument types:
kp1 = KEYUTIL.generateKeypair("EC", "P-256");
jwkPrv1 = KEYUTIL.getJWK(kp1.prvKeyObj);
jwkPub1 = KEYUTIL.getJWK(kp1.pubKeyObj);

kp2 = KEYUTIL.generateKeypair("RSA", 2048);
jwkPrv2 = KEYUTIL.getJWK(kp2.prvKeyObj);
jwkPub2 = KEYUTIL.getJWK(kp2.pubKeyObj);

// from PEM certificate
  kty: "EC", crv: "P-521", x: "...", y: "...",
  x5c: ["MI..."],
  x5t: "...",
  "x5t#S256": "...",
  kid: "..."

// from X509 object
x509obj = new X509("-----BEGIN CERTIFICATE...");
KEYUTIL.getJWK(x509obj) →
  kty: "EC", crv: "P-521", x: "...", y: "...",

// from PEM certificate without kid, x5t and x5t#S256 (i.e. only x5c)
KEYUTIL.getJWK("-----BEGIN CERTIFICATE...", true, false, true, true) →
  kty: "EC", crv: "P-521", x: "...", y: "...",
  x5c: ["MI..."]
{Object or string} keyinfo
public/private key object, PEM key or PEM certificate
{boolean} nokid
set true if you don't need kid (OPTION, DEFAULT=undefined)
{boolean} nox5c
set true if you don't need x5c of certificate (OPTION, DEFAULT=undefined)
{boolean} nox5t
set true if you don't need x5t of certificate (OPTION, DEFAULT=undefined)
{boolean} nox5t2
set true if you don't need x5c#S256 of certificate (OPTION, DEFAULT=undefined)
keyutil 1.2.5 jsrsasign 10.5.1
{Object} JWK object

<static> {Object} KEYUTIL.getJWKFromKey()
convert from RSAKey/KJUR.crypto.ECDSA public/private key object to RFC 7517 JSON Web Key(JWK) (DEPRECATED)
This static method convert from RSAKey/KJUR.crypto.ECDSA public/private key object to RFC 7517 JSON Web Key(JWK)
kp1 = KEYUTIL.generateKeypair("EC", "P-256");
jwkPrv1 = KEYUTIL.getJWKFromKey(kp1.prvKeyObj);
jwkPub1 = KEYUTIL.getJWKFromKey(kp1.pubKeyObj);

kp2 = KEYUTIL.generateKeypair("RSA", 2048);
jwkPrv2 = KEYUTIL.getJWKFromKey(kp2.prvKeyObj);
jwkPub2 = KEYUTIL.getJWKFromKey(kp2.pubKeyObj);

// if you need RFC 7638 JWK thumprint as kid do like this:
jwkPub2.kid = KJUR.jws.JWS.getJWKthumbprint(jwkPub2);
{Object} RSAKey/KJUR.crypto.ECDSA
public/private key object
since jsrsasign 10.5.1 keyutil 1.2.5 please use getJWK method
keyutil 1.0.13 jsrsasign 5.0.14
{Object} JWK object

<static> {Object} KEYUTIL.getKey(param, passcode, hextype)
get private or public key object from any arguments This method gets private or public key object(RSAKey, KJUR.crypto.DSA or KJUR.crypto.ECDSA) for RSA, DSA and ECC. Arguments for this methods depends on a key format you specify. Following key representations are supported. Please note following limitation on encrypted keys: NOTE1: RFC 7517 JSON Web Key(JWK) support for RSA/ECC private/public key from jsrsasign 4.8.1.
NOTE2: X509v1 support is added since jsrsasign 5.0.11.
// 1. loading private key from PEM string
keyObj = KEYUTIL.getKey("-----BEGIN RSA PRIVATE KEY...");
keyObj = KEYUTIL.getKey("-----BEGIN RSA PRIVATE KEY..., "passcode");
keyObj = KEYUTIL.getKey("-----BEGIN PRIVATE KEY...");
keyObj = KEYUTIL.getKey("-----BEGIN PRIVATE KEY...", "passcode");
// 2. loading public key from PEM string
keyObj = KEYUTIL.getKey("-----BEGIN PUBLIC KEY...");
keyObj = KEYUTIL.getKey("-----BEGIN X509 CERTIFICATE...");
// 3. loading hexadecimal PKCS#5/PKCS#8 key
keyObj = KEYUTIL.getKey("308205c1...", null, "pkcs8pub");
keyObj = KEYUTIL.getKey("3082048b...", null, "pkcs5prv");
// 4. loading JSON Web Key(JWK)
keyObj = KEYUTIL.getKey({kty: "RSA", n: "0vx7...", e: "AQAB"});
keyObj = KEYUTIL.getKey({kty: "EC", crv: "P-256", 
                         x: "MKBC...", y: "4Etl6...", d: "870Mb..."});
// 5. bare hexadecimal key
keyObj = KEYUTIL.getKey({n: "75ab..", e: "010001"});
{Object} param
parameter to get key object. see description in detail.
{String} passcode
(OPTION) parameter to get key object. see description in detail.
{String} hextype
(OPTOIN) parameter to get key object. see description in detail.
keyutil 1.0.0
{Object} RSAKey, KJUR.crypto.ECDSA or KJUR.crypto.ECDSA object

<static> {Hash} KEYUTIL.getKeyAndUnusedIvByPasscodeAndIvsalt(algName, passcode, hexadecimal)
the same function as OpenSSL EVP_BytsToKey to generate shared key and IV
{String} algName
name of symmetric key algorithm (ex. 'DES-EBE3-CBC')
{String} passcode
passcode to decrypt private key (ex. 'password')
{String} hexadecimal
string of IV. heading 8 bytes will be used for passcode salt
{Hash} hash of key and unused IV (ex. {keyhex:2fe3..., ivhex:3fad..})

<static> {Object} KEYUTIL.getKeyFromCSRHex(csrHex)
get RSAKey/DSA/ECDSA public key object from hexadecimal string of PKCS#10 CSR
{String} csrHex
hexadecimal string of PKCS#10 CSR
keyutil 1.0.5
{Object} RSAKey/DSA/ECDSA public key object

<static> {Object} KEYUTIL.getKeyFromCSRPEM(csrPEM)
get RSAKey/DSA/ECDSA public key object from PEM formatted PKCS#10 CSR string
{String} csrPEM
PEM formatted PKCS#10 CSR string
keyutil 1.0.5
{Object} RSAKey/DSA/ECDSA public key object

<static> {Object} KEYUTIL.getKeyFromEncryptedPKCS8PEM(pkcs8PEM, passcode)
get RSAKey/ECDSA private key object from encrypted PEM PKCS#8 private key
{String} pkcs8PEM
string of PEM formatted PKCS#8 private key
{String} passcode
passcode string to decrypt key
pkcs5pkey 1.0.5
{Object} RSAKey or KJUR.crypto.ECDSA private key object

<static> {Object} KEYUTIL.getKeyFromPlainPrivatePKCS8Hex(prvKeyHex)
get RSAKey/DSA/ECDSA private key object from HEX plain PEM PKCS#8 private key
{String} prvKeyHex
hexadecimal string of plain PKCS#8 private key
pkcs5pkey 1.0.5
{Object} RSAKey or KJUR.crypto.{DSA,ECDSA} private key object

<static> {Object} KEYUTIL.getKeyFromPlainPrivatePKCS8PEM(pkcs8PEM)
get RSAKey/ECDSA private key object from PEM plain PEM PKCS#8 private key
{String} pkcs8PEM
string of plain PEM formatted PKCS#8 private key
pkcs5pkey 1.0.5
{Object} RSAKey or KJUR.crypto.ECDSA private key object

<static> KEYUTIL.getKeyID(obj)
get key ID by public key object for subject or authority key identifier This static method generates a key identifier from a public key by the method described in RFC 5280 Subject Key Identifier (1).
pubkeyobj = KEYUTIL.getKey(...);
KEYTUTIL.getKey(pubkeyobj) → "a612..."
{Object} obj
RSAKey/KJUR.crypto.ECDSA,DSA public key object or public key PEM string
keyutil 1.2.2 jsrsasign 5.0.16
hexadecimal string of public key identifier

<static> {String} KEYUTIL.getPBKDF2KeyHexFromParam(info, passcode)
generate PBKDF2 key hexstring with specified passcode and information As for info, this uses following properties: Currently, this method only supports PKCS#5v2.0 with PBES2/PBDKF2 of HmacSHA1 and TripleDES.
// to convert plain PKCS#5 private key to encrypted PKCS#8 private
// key with PBKDF2 with TripleDES
% openssl pkcs8 -in plain_p5.pem -topk8 -v2 -des3 -out encrypted_p8.pem
{Array} info
result of parseHexOfEncryptedPKCS8 which has preference of PKCS#8 file
{String} passcode
passcode to decrypto private key
pkcs5pkey 1.0.3
{String} hexadecimal string of PBKDF2 key

<static> KEYUTIL.getPEM(keyObjOrHex, formatType, passwd, encAlg, hexType, ivsaltHex)
get PEM formatted private or public key file from a RSA/ECDSA/DSA key object
PKCS#5 encrypted private key protection algorithm supports DES-CBC, DES-EDE3-CBC and AES-{128,192,256}-CBC
OpenSSL supports
Parameter "ivsaltHex" supported since jsrsasign 8.0.0 keyutil 1.2.0.
KEUUTIL.getPEM(publicKey) → generates PEM PKCS#8 public key 
KEUUTIL.getPEM(privateKey) → generates PEM PKCS#8 plain private key by default
KEUUTIL.getPEM(privateKey, "PKCS1PRV") → generates PEM PKCS#1 plain private key
KEUUTIL.getPEM(privateKey, "PKCS5PRV", "pass") → generates PEM PKCS#5 encrypted private key 
                                                         with DES-EDE3-CBC (DEFAULT)
KEUUTIL.getPEM(privateKey, "PKCS5PRV", "pass", "DES-CBC") → generates PEM PKCS#5 encrypted 
                                                                private key with DES-CBC
KEUUTIL.getPEM(privateKey, "PKCS8PRV") → generates PEM PKCS#8 plain private key
KEUUTIL.getPEM(privateKey, "PKCS8PRV", "pass") → generates PEM PKCS#8 encrypted private key
                                                     with PBKDF2_HmacSHA1_3DES
{Object} keyObjOrHex
key object RSAKey, KJUR.crypto.ECDSA or KJUR.crypto.DSA to encode to
{String} formatType
(OPTION) output format type of "PKCS1PRV", "PKCS5PRV" or "PKCS8PRV" for private key
{String} passwd
(OPTION) password to protect private key
{String} encAlg
(OPTION) encryption algorithm for PKCS#5. currently supports DES-CBC, DES-EDE3-CBC and AES-{128,192,256}-CBC
{String} hexType
(OPTION) type of hex string (ex. pkcs5prv, pkcs8prv)
{String} ivsaltHex
hexadecimal string of IV and salt (default generated random IV)
keyutil 1.0.4

<static> {Array} KEYUTIL.parseCSRHex(csrHex)
parse hexadecimal string of PKCS#10 CSR (certificate signing request) Resulted associative array has following properties:
{String} csrHex
hexadecimal string of PKCS#10 CSR
keyutil 1.0.5
{Array} associative array of parsed CSR

<static> {Array} KEYUTIL.parseHexOfEncryptedPKCS8(passcode)
generate PBKDF2 key hexstring with specified passcode and information The associative array which is returned by this method has following properties: Currently, this method only supports PKCS#5v2.0 with PBES2/PBDKF2 of HmacSHA1 and TripleDES.
// to convert plain PKCS#5 private key to encrypted PKCS#8 private
// key with PBKDF2 with TripleDES
% openssl pkcs8 -in plain_p5.pem -topk8 -v2 -des3 -out encrypted_p8.pem
{String} passcode
passcode to decrypto private key
pkcs5pkey 1.0.3
{Array} info associative array of PKCS#8 parameters

<static> {Hash} KEYUTIL.parsePKCS5PEM(sEncryptedPEM)
parse PEM formatted passcode protected PKCS#5 private key Resulted hash has following attributes.
{String} sEncryptedPEM
PEM formatted protected passcode protected PKCS#5 private key
{Hash} hash of key information

<static> {Array} KEYUTIL.parsePlainPrivatePKCS8Hex(pkcs8PrvHex)
parse hexadecimal string of plain PKCS#8 private key Resulted associative array has following properties:
{String} pkcs8PrvHex
hexadecimal string of PKCS#8 plain private key
pkcs5pkey 1.0.5
{Array} associative array of parsed key

<static> {Hash} KEYUTIL.parsePublicPKCS8Hex(pkcs8PubHex)
parse hexadecimal string of PKCS#8 RSA/EC/DSA public key Resulted hash has following attributes.
{String} pkcs8PubHex
hexadecimal string of PKCS#8 public key
{Hash} hash of key information

<static> {Array} KEYUTIL.parsePublicRawRSAKeyHex(pubRawRSAHex)
parse hexadecimal string of plain PKCS#8 private key Resulted associative array has following properties:
{String} pubRawRSAHex
hexadecimal string of ASN.1 encoded PKCS#8 public key
pkcs5pkey 1.0.5
{Array} associative array of parsed key

© 2012-2023 Kenji Urushima, All rights reserved
Documentation generated by JsDoc Toolkit 2.4.0