User Guide - nxpcrypto

This user’s guide describes how to use nxpcrypto application.

Command line interface

nxpcrypto

Collection of utilities for cryptographic operations.

Usage

nxpcrypto [OPTIONS] COMMAND [ARGS]...

Options

-v, --verbose

Print more detailed information

-vv, --debug

Display more debugging information.

--version

Show the version and exit.

--help

Show this message and exit.

cert

Group of command for working with x509 certificates.

Usage

nxpcrypto cert [OPTIONS] COMMAND [ARGS]...

convert

Convert certificate format.

Usage

nxpcrypto cert convert [OPTIONS]

Options

-e, --encoding <encoding>

Required Desired output format.

Options:

PEM | DER

-i, --input-file <input_file>

Required Path to certificate file to convert.

-p, --puk

Extract public key instead of converting certificate.

-o, --output <output>

Required Path to a file, where to store the output.

generate

Generate certificate.

The configuration template files could be generated by subcommand ‘get-template’.

Usage

nxpcrypto cert generate [OPTIONS]

Options

-c, --config <config>

Required Path to the YAML/JSON configuration file.

-oc, --override-config <key_path=value>

Allows override the individual configuration settings. The use is simple: ‘key_path=value’, like ‘family=mimxrt595s’ or in structural configuration with separating character ‘/’ like ‘containers/0/binary_container=my_container.bin’. It could be used multiple times.

-o, --output <output>

Required Path to a file, where to store the output.

--force

Force overwriting of existing files.

-e, --encoding <encoding>

Encoding type. Default is PEM

Options:

PEM | DER

get-template

Generate the template of Certificate generation YML configuration file.

Usage

nxpcrypto cert get-template [OPTIONS]

Options

-o, --output <output>

Required Path to a file, where to store the output.

--force

Force overwriting of existing files.

verify

Verify signature or public key in certificate.

Usage

nxpcrypto cert verify [OPTIONS]

Options

-c, --certificate <certificate>

Required Path to certificate to verify

-s, --sign <sign>

Path to key to verify certificate signature

-p, --puk <puk>

Path to key to verify public key in certificate

digest

Computes digest/hash of the given file.

Usage

nxpcrypto digest [OPTIONS]

Options

-h, --hash <hash_name>

Required Name of a hash to use.

Options:

sm3 | md5-sha1 | sha512 | blake2b | shake_128 | sha3_256 | sha224 | sha3_224 | shake_256 | sha512_256 | md5 | sha384 | sha256 | blake2s | sha512_224 | sha1 | sha3_512 | sha3_384

-i, --input-file <input_file>

Required Path to a file to digest.

-c, --compare <PATH | DIGEST>

Reference digest to compare. It may be directly on the command line or fetched from a file.

key

Group of commands for working with asymmetric keys.

Usage

nxpcrypto key [OPTIONS] COMMAND [ARGS]...

convert

Convert Asymmetric key into various formats.

Usage

nxpcrypto key convert [OPTIONS]

Options

-e, --encoding <encoding>

Required Desired output format.

Options:

PEM | DER | RAW

-i, --input-file <input_file>

Required Path to key file to convert.

-o, --output <output>

Required Path to a file, where to store the output.

-p, --puk

Extract public key instead of converting private key.

generate

NXP Key Generator Tool.

Usage

nxpcrypto key generate [OPTIONS]

Options

-k, --key-type <key_type>

Required Type of key to generate

Options:

rsa2048 | rsa3072 | rsa4096 | secp256r1 | secp384r1 | secp521r1 | sm2 | dil2 | dil3 | dil5 | mldsa44 | mldsa65 | mldsa87

-p, --password <PASSWORD>

Password with which the output file will be encrypted. If not provided, the output will be unencrypted.

-o, --output <output>

Required Path to a file, where to store the output.

--force

Force overwriting of existing files.

-e, --encoding <encoding>

Options:

NXP | PEM | DER

verify

Check whether provided keys form a key pair or represent the same key.

The key could be private key, public key, or certificate. All combination are allowed. In case of certificates, the public key within certificate is considered. To verify certificate signature use nxpcrypto cert verify.

Usage

nxpcrypto key verify [OPTIONS]

Options

-k1, --key1 <key1>

Required Path to key to verify.

-k2, --key2 <key2>

Required Path to key for verification.

pki-tree

Group of commands for generation of PKI tree.

Usage

nxpcrypto pki-tree [OPTIONS] COMMAND [ARGS]...

ahab

Generates a basic AHAB PKI tree.

If the SRKs are chosen to be CA certificates then this command will generate the following PKI tree:

CA Certificate

| | |

——– + | +—————

/ |

SRK0 SRK1 … SRK N

| | |

| | |

SGK0 SGK1 SGK N

where: N can be 1 to 4.

If the SRKs are chosen to be non-CA certificates then this command will generate the following PKI tree:

CA Certificate

| | |

——– + | +—————

/ |

SRK0 SRK1 … SRK N

Usage

nxpcrypto pki-tree ahab [OPTIONS]

Options

-k, --key-type <KEY-TYPE>

Required  All possible options: rsa2048, rsa3072, rsa4096, secp256r1, secp384r1, secp521r1.

Options:

rsa2048 | rsa3072 | rsa4096 | secp256r1 | secp384r1 | secp521r1

-p, --password <PASSWORD>

Password with which the keys will be encrypted. If not provided, the keys will be unencrypted.

-o, --output <output>

Required Path to a directory, where to store generated/parsed files.

--force

Force overwriting of existing files.

-e, --encoding <encoding>

Options:

PEM | DER

-n, --keys-number <keys_number>

Number of SRK keys and certificates that will be created (default 4)

-d, --duration <duration>

Duration of certificates validity in years (default 10)

-s, --serial <serial>

Serial number of SRK certificates. Must be specified for each certificate. E.g.: -s 0x12345679 -s 0x1234567a for two certificates. Default is 0x1234567{9…c}.

-ca, --srk-is-ca

True if SRK is certificate authority. In this case SGK keys will be generated

ahab-extend

Extend a basic AHAB PKI tree.

This command will extend the existing AHAB PKI tree with additional SRK keys and certificates. If the SRKs are chosen to be CA certificates then this command will generate the following PKI tree:

CA Certificate

| | |

——– + | +—————

/ |

SRK1 SRK2 … SRK N

| | |

| | |

SGK1 SGK2 SGK N

Usage

nxpcrypto pki-tree ahab-extend [OPTIONS]

Options

-e, --encoding <encoding>

Options:

PEM | DER

-n, --keys-number <keys_number>

Number of SRK keys and certificates that will be created (default 1)

-d, --duration <duration>

Duration of certificates validity in years (default 10)

-s, --serial <serial>

Serial number of SRK certificates. If not specified, random number will be used.

-p, --password <PASSWORD>

Password with which the keys will be encrypted. If not provided, the keys will be unencrypted.

-i, --input <tree_path>

Required Path to the existing AHAB PKI tree.

hab

Generates a basic HABv4 PKI tree.

If the SRKs are chosen to be CA certificate then this command will generate the following PKI tree:

CA Certificate

| | |

——– + | +—————

/ |

SRK0 SRK1 … SRK N

/ / /

/ / /

CSF0_0 IMG0_0 CSF1_0 IMG1_0 … CSF N_0 IMG N_0

If the SRKs are chosen to be non-CA certificate then this command will generate the following PKI Certificate:

CA Certificate

| | |

——– + | +—————

/ |

SRK0 SRK1 … SRK N

Usage

nxpcrypto pki-tree hab [OPTIONS]

Options

-k, --key-type <KEY-TYPE>

Required  All possible options: rsa2048, rsa3072, rsa4096, secp256r1, secp384r1, secp521r1.

Options:

rsa2048 | rsa3072 | rsa4096 | secp256r1 | secp384r1 | secp521r1

-p, --password <PASSWORD>

Password with which the keys will be encrypted. If not provided, the keys will be unencrypted.

-o, --output <output>

Required Path to a directory, where to store generated/parsed files.

--force

Force overwriting of existing files.

-e, --encoding <encoding>

Options:

PEM | DER

-n, --keys-number <keys_number>

Number of SRK keys and certificates that will be created (default 4)

-d, --duration <duration>

Duration of certificates validity in years (default 10)

-s, --serial <serial>

Serial number of SRK certificates. Must be specified for each certificate. E.g.: -s 0x12345679 -s 0x1234567a for two certificates. Default is 0x1234567{9…c}.

-ca, --srk-is-ca

True if SRK is certificate authority. In this case IMG and CSF keys will be generated

hab-extend

Extends a basic HABv4 PKI tree.

1) If the path provided is a path to root directory of tree, then this command will extend the existing HAB PKI tree with additional SRK keys and certificates and their corresponding CSF and IMG keys if SRK is CA certificate.

2) If the path provided is a path to SRK certificate, then this command will generate additional CSF and IMG keys for the given SRK certificate.

If the SRKs are chosen to be CA certificate then this command will generate the following PKI tree:

CA Certificate

| | |

——– + | +—————

/ |

SRK0 SRK1 … SRK N

/ / /

/ / /

CSF0_0 IMG0_0 CSF1_0 IMG1_0 … CSF N_0 IMG N_0

If the SRKs are chosen to be non-CA certificate then this command will generate the following PKI Certificate:

CA Certificate

| | |

——– + | +—————

/ |

SRK0 SRK1 … SRK N

Usage

nxpcrypto pki-tree hab-extend [OPTIONS]

Options

-e, --encoding <encoding>

Options:

PEM | DER

-n, --keys-number <keys_number>

Number of SRK keys and certificates that will be created (default 1)

-d, --duration <duration>

Duration of certificates validity in years (default 10)

-s, --serial <serial>

Serial number of SRK certificates. If not specified, random number will be used.

-p, --password <PASSWORD>

Password with which the keys will be encrypted. If not provided, the keys will be unencrypted.

-i, --input <tree_path>

Required Path to the existing AHAB PKI tree or SRK certificate.

rot

Group of RoT commands.

Usage

nxpcrypto rot [OPTIONS] COMMAND [ARGS]...

calculate-hash

Calculate RoT hash.

Usage

nxpcrypto rot calculate-hash [OPTIONS]

Options

-f, --family <family>

[required] Select the chip family.

Options:

k32w148 | kw45b41z5 | kw45b41z8 | kw45z41052 | kw45z41053 | kw45z41082 | kw45z41083 | kw47b42z83 | kw47b42z96 | kw47b42z97 | kw47b42zb2 | kw47b42zb3 | kw47b42zb6 | kw47b42zb7 | kw47z42082 | kw47z42092 | kw47z420b2 | kw47z420b3 | lpc55s04 | lpc55s06 | lpc55s14 | lpc55s16 | lpc55s26 | lpc55s28 | lpc55s36 | lpc55s66 | lpc55s69 | mc56f81866 | mc56f81868 | mcxn235 | mcxn236 | mcxn247 | mcxn526 | mcxn527 | mcxn536 | mcxn537 | mcxn546 | mcxn547 | mcxn556s | mcxn557s | mcxn946 | mcxn947 | mcxw235 | mcxw236 | mcxw716a | mcxw716c | mcxw727a | mcxw727c | mcxw727d | mimx8dxl | mimx8qm | mimx8qxp | mimx8ulp | mimx9131 | mimx9352 | mimx943 | mimx95294 | mimx9596 | mimxrt1010 | mimxrt1015 | mimxrt1020 | mimxrt1024 | mimxrt1040 | mimxrt1043 | mimxrt1046 | mimxrt1050 | mimxrt1060 | mimxrt1064 | mimxrt1165 | mimxrt1166 | mimxrt1171 | mimxrt1172 | mimxrt1173 | mimxrt1175 | mimxrt1176 | mimxrt1181 | mimxrt1182 | mimxrt1186 | mimxrt1187 | mimxrt1189 | mimxrt533s | mimxrt555s | mimxrt595s | mimxrt685s | mimxrt735s | mimxrt758s | mimxrt798s | mwct20d2 | mwct20d2a | nhs52s04 | rw610 | rw612

-r, --revision <revision>

Chip revision; if not specified, most recent one will be used

-k, --key <key>

Path to one or multiple keys or certificates.

-p, --password <password>

Password when using encrypted private keys.

-b, --base64

Apply base64 encoding on the final RoT hash.

-h, --hash-algorithm <hash_algorithm>

Name of a hash algorithm to use.

Options:

sha1 | sha256 | sha384 | sha512 | md5 | sm3 | sha3_256 | sha3_384 | sha3_512 | shake_128_256 | shake_256_512 | sha224 | none

-o, --output <output>

Path to a file, where to store the output.

export

Export RoT table.

Usage

nxpcrypto rot export [OPTIONS]

Options

-f, --family <family>

[required] Select the chip family.

Options:

k32w148 | kw45b41z5 | kw45b41z8 | kw45z41052 | kw45z41053 | kw45z41082 | kw45z41083 | kw47b42z83 | kw47b42z96 | kw47b42z97 | kw47b42zb2 | kw47b42zb3 | kw47b42zb6 | kw47b42zb7 | kw47z42082 | kw47z42092 | kw47z420b2 | kw47z420b3 | lpc55s04 | lpc55s06 | lpc55s14 | lpc55s16 | lpc55s26 | lpc55s28 | lpc55s36 | lpc55s66 | lpc55s69 | mc56f81866 | mc56f81868 | mcxn235 | mcxn236 | mcxn247 | mcxn526 | mcxn527 | mcxn536 | mcxn537 | mcxn546 | mcxn547 | mcxn556s | mcxn557s | mcxn946 | mcxn947 | mcxw235 | mcxw236 | mcxw716a | mcxw716c | mcxw727a | mcxw727c | mcxw727d | mimx8dxl | mimx8qm | mimx8qxp | mimx8ulp | mimx9131 | mimx9352 | mimx943 | mimx95294 | mimx9596 | mimxrt1010 | mimxrt1015 | mimxrt1020 | mimxrt1024 | mimxrt1040 | mimxrt1043 | mimxrt1046 | mimxrt1050 | mimxrt1060 | mimxrt1064 | mimxrt1165 | mimxrt1166 | mimxrt1171 | mimxrt1172 | mimxrt1173 | mimxrt1175 | mimxrt1176 | mimxrt1181 | mimxrt1182 | mimxrt1186 | mimxrt1187 | mimxrt1189 | mimxrt533s | mimxrt555s | mimxrt595s | mimxrt685s | mimxrt735s | mimxrt758s | mimxrt798s | mwct20d2 | mwct20d2a | nhs52s04 | rw610 | rw612

-r, --revision <revision>

Chip revision; if not specified, most recent one will be used

-k, --key <key>

Path to one or multiple keys or certificates.

-p, --password <password>

Password when using encrypted private keys.

-o, --output <output>

Path to a file, where to store the output.

get-families

Shows the full family info for commands in this group.

Usage

nxpcrypto rot get-families [OPTIONS]

Options

-c, --cmd-name <cmd_name>

Choose the command name to get full information about NXP families support.

Options:

export | parse | calculate-hash

parse

Parse RoT table from binary data and extract public keys.

Usage

nxpcrypto rot parse [OPTIONS]

Options

-f, --family <family>

[required] Select the chip family.

Options:

k32w148 | kw45b41z5 | kw45b41z8 | kw45z41052 | kw45z41053 | kw45z41082 | kw45z41083 | kw47b42z83 | kw47b42z96 | kw47b42z97 | kw47b42zb2 | kw47b42zb3 | kw47b42zb6 | kw47b42zb7 | kw47z42082 | kw47z42092 | kw47z420b2 | kw47z420b3 | lpc55s04 | lpc55s06 | lpc55s14 | lpc55s16 | lpc55s26 | lpc55s28 | lpc55s36 | lpc55s66 | lpc55s69 | mc56f81866 | mc56f81868 | mcxn235 | mcxn236 | mcxn247 | mcxn526 | mcxn527 | mcxn536 | mcxn537 | mcxn546 | mcxn547 | mcxn556s | mcxn557s | mcxn946 | mcxn947 | mcxw235 | mcxw236 | mcxw716a | mcxw716c | mcxw727a | mcxw727c | mcxw727d | mimx8dxl | mimx8qm | mimx8qxp | mimx8ulp | mimx9131 | mimx9352 | mimx943 | mimx95294 | mimx9596 | mimxrt1010 | mimxrt1015 | mimxrt1020 | mimxrt1024 | mimxrt1040 | mimxrt1043 | mimxrt1046 | mimxrt1050 | mimxrt1060 | mimxrt1064 | mimxrt1165 | mimxrt1166 | mimxrt1171 | mimxrt1172 | mimxrt1173 | mimxrt1175 | mimxrt1176 | mimxrt1181 | mimxrt1182 | mimxrt1186 | mimxrt1187 | mimxrt1189 | mimxrt533s | mimxrt555s | mimxrt595s | mimxrt685s | mimxrt735s | mimxrt758s | mimxrt798s | mwct20d2 | mwct20d2a | nhs52s04 | rw610 | rw612

-r, --revision <revision>

Chip revision; if not specified, most recent one will be used

-b, --binary <binary>

Required Path to binary RoT table file to parse.

-o, --output <output>

Required Output directory where public keys will be saved.

-e, --encoding <encoding>

Encoding format for output public keys (default: PEM).

Options:

PEM | DER

signature

Group of commands for working with signature.

Usage

nxpcrypto signature [OPTIONS] COMMAND [ARGS]...

create

Sign the data with given private key.

Usage

nxpcrypto signature create [OPTIONS]

Options

-s, --signer <signer>

Required  Signature provider configuration string or path to private key to be used for signing. Supported private keys: rsa2048, rsa3072, rsa4096, secp256r1, secp384r1, secp521r1, sm2, dil2, dil3, dil5, mldsa44, mldsa65, mldsa87.

-p, --password <password>

Password when using encrypted private keys.

-a, --algorithm <algorithm>

Hash algorithm used when signing the message.

Options:

sha1 | sha256 | sha384 | sha512 | md5 | sm3 | sha3_256 | sha3_384 | sha3_512 | shake_128_256 | shake_256_512 | sha224 | none

-i, --input-file <input_file>

Required Path to file containing binary data to be signed.

-e, --encoding <encoding>

Encoding of output signature. This option is applicable only when signing with ECC keys.

Options:

NXP | DER

-pp, --pss-padding

Use PSS padding in case of RSA

-r, --regions <regions>

Region(s) of data that will be signed. Multiple regions can be specified.

Format of region option is similar to Python’s list indices syntax:

[1]	Byte with index 1
[:20]	Fist 20 bytes
[0x10:0x20]	Between 0x10 and 0x20
[-20:]	Last 20 bytes

-o, --output <output>

Required Path to a file, where to store the output.

--force

Force overwriting of existing files.

verify

Verify the given signature with public key.

Usage

nxpcrypto signature verify [OPTIONS]

Options

-k, --public-key <public_key>

Required  Path to public key to be used for verification.

Supported public keys: rsa2048, rsa3072, rsa4096, secp256r1, secp384r1, secp521r1, sm2, dil2, dil3, dil5, mldsa44, mldsa65, mldsa87.

-a, --algorithm <algorithm>

Hash algorithm used when signing the message. If not set, default algorithm will be used.

Options:

sha1 | sha256 | sha384 | sha512 | md5 | sm3 | sha3_256 | sha3_384 | sha3_512 | shake_128_256 | shake_256_512 | sha224 | none

-i, --input-file <input_file>

Required Path to file containing original binary data.

-s, --signature <signature>

Required Path to file containing data signature.

-pp, --pss-padding

Indicate whether the signature uses PSS padding in case of RSA

-r, --regions <regions>

Region(s) of data that will be signed. Multiple regions can be specified.

Format of region option is similar to Python’s list indices syntax:

[1]	Byte with index 1
[:20]	Fist 20 bytes
[0x10:0x20]	Between 0x10 and 0x20
[-20:]	Last 20 bytes