User Guide - nxpcrypto#

This user's guide describes how to use the nxpcrypto application.

Command line interface#

nxpcrypto#

Collection of utilities for cryptographic operations.

nxpcrypto [OPTIONS] COMMAND [ARGS]...

Options

-v, --verbose#

Print more detailed information

-vv, --debug#

Display more debugging information.

--version#

Show the version and exit.

--help#

Show this message and exit.

cert#

Group of commands for working with X.509 certificates.

nxpcrypto cert [OPTIONS] COMMAND [ARGS]...

convert#

Convert certificate format.

nxpcrypto cert convert [OPTIONS]

Options

-e, --encoding <encoding>#

Required Desired output format.

Options:

PEM | DER

-i, --input-file <input_file>#

Required Path to certificate file to convert.

-o, --output <output>#

Required Path to a file, where to store the output.

generate#

Generate certificate.

The configuration template files can be generated by the subcommand 'get-template'.

nxpcrypto cert generate [OPTIONS]

Options

-c, --config <config>#

Required Path to the YAML/JSON configuration file.

-o, --output <output>#

Required Path to a file, where to store the output.

--force#

Force overwriting of existing files.

-e, --encoding <encoding>#

Encoding type. Default is PEM

Options:

PEM | DER

get-template#

Generate a template of the YAML configuration file used for certificate generation.

nxpcrypto cert get-template [OPTIONS]

Options

-o, --output <output>#

Required Path to a file, where to store the output.

--force#

Force overwriting of existing files.

verify#

Verify signature or public key in certificate.

nxpcrypto cert verify [OPTIONS]

Options

-c, --certificate <certificate>#

Required Path to the certificate to verify.

-s, --sign <sign>#

Path to the key used to verify the certificate signature.

-p, --puk <puk>#

Path to the key to compare against the public key in the certificate.

digest#

Computes digest/hash of the given file.

nxpcrypto digest [OPTIONS]

Options

-h, --hash <hash_name>#

Required Name of a hash to use.

Options:

sha512 | sha384 | sha3_224 | blake2b | sha3_512 | sha512_224 | md5 | shake_128 | sm3 | sha3_384 | sha256 | md5-sha1 | sha224 | blake2s | sha1 | shake_256 | sha3_256 | sha512_256

-i, --input-file <input_file>#

Required Path to a file to digest.

-c, --compare <PATH | DIGEST>#

Reference digest to compare against. It may be given directly on the command line or read from a file.
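An added example, not nxpcrypto's own code, of what `digest --compare <PATH | DIGEST>` has to do: hash the input the way the `--hash` names imply, resolve the reference from either a file or a literal, and compare in constant time. The path-versus-literal rule (an existing file wins), the tolerated `sha256sum`-style reference line and the 32-byte SHAKE output length are this example's assumptions.

```python
import hashlib
import hmac
import os
import re
import tempfile

_HEX_RE = re.compile(r"[0-9a-fA-F]+")

def compute_digest(source, hash_name, shake_len=32):
    """Hex digest of `source`, a file path (read in chunks) or raw bytes."""
    # hash_name is any name hashlib.new accepts; the SHAKE XOFs need an output
    # length, and 32 bytes is this example's assumption, not the tool's.
    h = hashlib.new(hash_name)
    if isinstance(source, (bytes, bytearray)):
        h.update(source)
    else:
        with open(source, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
    return h.hexdigest(shake_len) if hash_name.startswith("shake_") else h.hexdigest()

def load_reference(value):
    """Resolve `--compare`: an existing file wins, else the string itself must be hex."""
    # A file may hold a bare digest or a sha256sum-style "digest  name" line; only its
    # first token is used. This disambiguation rule is the example's assumption.
    if os.path.isfile(value):
        with open(value, "r", encoding="utf-8") as f:
            tokens = f.read().split()
        value = tokens[0] if tokens else ""
    value = value.strip().lower()
    if not _HEX_RE.fullmatch(value):
        raise ValueError(f"{value!r} is neither an existing file nor a hex digest")
    return value

def digest_matches(source, hash_name, reference):
    """Constant-time match; a length mismatch (wrong algorithm, truncated reference) never matches."""
    actual = compute_digest(source, hash_name)
    expected = load_reference(reference)
    return len(actual) == len(expected) and hmac.compare_digest(actual, expected)

def make_sample_files():
    """Write a constructed 1 KiB 'image' plus a reference file; return both paths."""
    d = tempfile.mkdtemp(prefix="nxpcrypto-digest-")
    image, ref = os.path.join(d, "image.bin"), os.path.join(d, "image.sha256")
    with open(image, "wb") as f:
        f.write(bytes(range(256)) * 4)
    with open(ref, "w", encoding="utf-8") as f:
        f.write(compute_digest(image, "sha256").upper() + "  image.bin\n")
    return image, ref
```

Comparing lengths before `hmac.compare_digest` keeps a reference produced with a different `--hash` from ever matching, and the reference file is accepted in upper case because hex digests are case-insensitive.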

key#

Group of commands for working with asymmetric keys.

nxpcrypto key [OPTIONS] COMMAND [ARGS]...

convert#

Convert an asymmetric key into various formats.

nxpcrypto key convert [OPTIONS]

Options

-e, --encoding <encoding>#

Required Desired output format.

Options:

PEM | DER | RAW

-i, --input-file <input_file>#

Required Path to key file to convert.

-o, --output <output>#

Required Path to a file, where to store the output.

-p, --puk#

Extract public key instead of converting private key.

generate#

NXP Key Generator Tool.

nxpcrypto key generate [OPTIONS]

Options

-k, --key-type <key_type>#

Required Type of key to generate

Options:

rsa2048 | rsa3072 | rsa4096 | secp256r1 | secp384r1 | secp521r1 | sm2 | dil2 | dil3 | dil5

-p, --password <PASSWORD>#

Password with which the output file will be encrypted. If not provided, the output will be unencrypted.

-o, --output <output>#

Required Path to a file, where to store the output.

--force#

Force overwriting of existing files.

-e, --encoding <encoding>#

Options:

NXP | PEM | DER

verify#

Check whether provided keys form a key pair or represent the same key.

The key can be a private key, a public key, or a certificate. All combinations are allowed. In the case of certificates, the public key within the certificate is considered. To verify a certificate signature, use nxpcrypto cert verify.

nxpcrypto key verify [OPTIONS]

Options

-k1, --key1 <key1>#

Required Path to the key to verify.

-k2, --key2 <key2>#

Required Path to the key to verify against.

pki-tree#

Group of commands for generating a PKI tree.

nxpcrypto pki-tree [OPTIONS] COMMAND [ARGS]...

ahab#

Generates a basic AHAB PKI tree.

If the SRKs are chosen to be CA certificates then this command will generate the following PKI tree:

            CA Certificate
           /      |       \
        SRK1    SRK2 ... SRK N
         |       |         |
        SGK1    SGK2 ... SGK N

where: N can be 1 to 4.

If the SRKs are chosen to be non-CA certificates then this command will generate the following PKI tree:

            CA Certificate
           /      |       \
        SRK1    SRK2 ... SRK N

nxpcrypto pki-tree ahab [OPTIONS]

Options

-k, --key-type <KEY-TYPE>#

Required All possible options: rsa2048, rsa3072, rsa4096, secp256r1, secp384r1, secp521r1.

Options:

rsa2048 | rsa3072 | rsa4096 | secp256r1 | secp384r1 | secp521r1

-p, --password <PASSWORD>#

Password with which the keys will be encrypted. If not provided, the keys will be unencrypted.

-o, --output <output>#

Required Path to a directory, where to store generated/parsed files.

--force#

Force overwriting of existing files.

-e, --encoding <encoding>#

Options:

PEM | DER

-n, --keys-number <keys_number>#

Number of SRK keys and certificates that will be created (default 4)

-d, --duration <duration>#

Duration of certificates validity in years (default 10)

-s, --serial <serial>#

Serial number of SRK certificates. Must be specified for each certificate. E.g.: -s 0x12345679 -s 0x1234567a for two certificates. Default is 0x1234567{9…c}.

-ca, --srk-is-ca#

Set when the SRKs are certificate authorities; in that case SGK keys will also be generated.

hab#

Generates a basic HABv4 PKI tree.

If the SRKs are chosen to be CA certificates then this command will generate the following PKI tree:

              CA Certificate
             /      |        \
          SRK1    SRK2  ...  SRK N
          /  \    /  \       /  \
      CSF1_1 IMG1_1 CSF2_1 IMG2_1 ... CSF N_1 IMG N_1

where: N can be 1 to 4.

If the SRKs are chosen to be non-CA certificates then this command will generate the following PKI tree:

              CA Certificate
             /      |        \
          SRK1    SRK2  ...  SRK N

nxpcrypto pki-tree hab [OPTIONS]

Options

-k, --key-type <KEY-TYPE>#

Required All possible options: rsa2048, rsa3072, rsa4096, secp256r1, secp384r1, secp521r1.

Options:

rsa2048 | rsa3072 | rsa4096 | secp256r1 | secp384r1 | secp521r1

-p, --password <PASSWORD>#

Password with which the keys will be encrypted. If not provided, the keys will be unencrypted.

-o, --output <output>#

Required Path to a directory, where to store generated/parsed files.

--force#

Force overwriting of existing files.

-e, --encoding <encoding>#

Options:

PEM | DER

-n, --keys-number <keys_number>#

Number of SRK keys and certificates that will be created (default 4)

-d, --duration <duration>#

Duration of certificates validity in years (default 10)

-s, --serial <serial>#

Serial number of SRK certificates. Must be specified for each certificate. E.g.: -s 0x12345679 -s 0x1234567a for two certificates. Default is 0x1234567{9…c}.

-ca, --srk-is-ca#

Set when the SRKs are certificate authorities; in that case SGK keys will also be generated.

rot#

Group of RoT commands.

nxpcrypto rot [OPTIONS] COMMAND [ARGS]...

calculate-hash#

Calculate RoT hash.

nxpcrypto rot calculate-hash [OPTIONS]

Options

-f, --family <family>#

Select the chip family.

Options:

k32w148 | kw45b41z5 | kw45b41z8 | lpc55s04 | lpc55s06 | lpc55s14 | lpc55s16 | lpc55s26 | lpc55s28 | lpc55s36 | lpc55s66 | lpc55s69 | mc56f81866 | mc56f81868 | mcxn235 | mcxn236 | mcxn546 | mcxn547 | mcxn946 | mcxn947 | mcxw716a | mcxw716c | mimx8ulp | mimx9131 | mimx9352 | mimx9596 | mimxrt1010 | mimxrt1015 | mimxrt1020 | mimxrt1024 | mimxrt1040 | mimxrt1050 | mimxrt1060 | mimxrt1064 | mimxrt1165 | mimxrt1166 | mimxrt1171 | mimxrt1172 | mimxrt1173 | mimxrt1175 | mimxrt1176 | mimxrt1181 | mimxrt1182 | mimxrt1187 | mimxrt1189 | mimxrt533s | mimxrt555s | mimxrt595s | mimxrt685s | mimxrt798s | mwct20d2 | mwct20d2a | nhs52s04 | rw610 | rw612

-r, --revision <revision>#

Chip revision; if not specified, the most recent one will be used.

-k, --key <key>#

Path to one or multiple keys or certificates.

-p, --password <password>#

Password when using encrypted private keys.

-b, --base64#

Apply base64 encoding on the final RoT hash.

-o, --output <output>#

Path to a file, where to store the output.

export#

Export RoT table.

nxpcrypto rot export [OPTIONS]

Options

-f, --family <family>#

Select the chip family.

Options:

k32w148 | kw45b41z5 | kw45b41z8 | lpc55s04 | lpc55s06 | lpc55s14 | lpc55s16 | lpc55s26 | lpc55s28 | lpc55s36 | lpc55s66 | lpc55s69 | mc56f81866 | mc56f81868 | mcxn235 | mcxn236 | mcxn546 | mcxn547 | mcxn946 | mcxn947 | mcxw716a | mcxw716c | mimx8ulp | mimx9131 | mimx9352 | mimx9596 | mimxrt1010 | mimxrt1015 | mimxrt1020 | mimxrt1024 | mimxrt1040 | mimxrt1050 | mimxrt1060 | mimxrt1064 | mimxrt1165 | mimxrt1166 | mimxrt1171 | mimxrt1172 | mimxrt1173 | mimxrt1175 | mimxrt1176 | mimxrt1181 | mimxrt1182 | mimxrt1187 | mimxrt1189 | mimxrt533s | mimxrt555s | mimxrt595s | mimxrt685s | mimxrt798s | mwct20d2 | mwct20d2a | nhs52s04 | rw610 | rw612

-r, --revision <revision>#

Chip revision; if not specified, the most recent one will be used.

-k, --key <key>#

Path to one or multiple keys or certificates.

-p, --password <password>#

Password when using encrypted private keys.

-o, --output <output>#

Path to a file, where to store the output.

get-families#

Shows the full family info for commands in this group.

nxpcrypto rot get-families [OPTIONS]

Options

-c, --cmd-name <cmd_name>#

Choose the command name to get full information about the NXP families it supports.

Options:

export | calculate-hash

signature#

Group of commands for working with signatures.

nxpcrypto signature [OPTIONS] COMMAND [ARGS]...

create#

Sign the data with the given private key.

nxpcrypto signature create [OPTIONS]

Options

-k, --private-key <private_key>#

Path to private key to be used for signing.

Supported private keys: rsa2048, rsa3072, rsa4096, secp256r1, secp384r1, secp521r1, sm2, dil2, dil3, dil5.

-sp, --signature-provider <signature_provider>#

Signature provider configuration string.

-p, --password <password>#

Password when using encrypted private keys.

-a, --algorithm <algorithm>#

Hash algorithm used when signing the message.

Options:

sha1 | sha256 | sha384 | sha512 | md5 | sm3 | none

-i, --input-file <input_file>#

Required Path to file containing binary data to be signed.

-e, --encoding <encoding>#

Encoding of the output signature. This option is applicable only when signing with ECC keys.

Options:

NXP | DER

-pp, --pss-padding#

Use PSS padding when signing with an RSA key.

-r, --regions <regions>#

Region(s) of the data that will be signed. Multiple regions can be specified.

The format of the region option is similar to Python's list index syntax:

[1]

Byte with index 1

[:20]

First 20 bytes

[0x10:0x20]

Bytes from 0x10 up to 0x20 (end exclusive, as in Python slicing)

[-20:]

Last 20 bytes
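An added example, not code from nxpcrypto, of parsing the `--regions` selectors described above (the same syntax is used by `signature verify` below) and extracting exactly those bytes from an input image. Assumptions labelled in the code: multiple regions are concatenated in the order given, and a region that selects nothing is rejected rather than silently signed.

```python
def parse_region(spec: str) -> slice:
    """Turn one selector such as "[0x10:0x20]" into a Python slice.

    "[i]" selects the single byte at index i; "[a:b]" selects the half-open
    range a..b (end exclusive, exactly as Python slicing does); either bound
    may be omitted and both accept decimal or 0x-prefixed hex, negative allowed.
    """
    spec = spec.strip()
    if not (spec.startswith("[") and spec.endswith("]")):
        raise ValueError(f"region must be enclosed in brackets: {spec!r}")
    parts = spec[1:-1].split(":")
    if len(parts) == 1:
        idx = int(parts[0], 0)                     # base 0 accepts "20" and "0x20"
        # one byte: the bound after -1 must be "end of data", not 0
        return slice(idx, None if idx == -1 else idx + 1)
    if len(parts) != 2:
        raise ValueError(f"at most one ':' is allowed in region {spec!r}")
    start = int(parts[0], 0) if parts[0].strip() else None
    stop = int(parts[1], 0) if parts[1].strip() else None
    return slice(start, stop)


def select_regions(data: bytes, regions: list) -> bytes:
    """Return the bytes covered by the given regions, concatenated in the order
    given (assumption: the page does not state how several -r options combine).
    A region that selects nothing is treated as an operator error, since a
    signature over zero bytes silently protects nothing.
    """
    out = bytearray()
    for spec in regions:
        chunk = data[parse_region(spec)]
        if not chunk:
            raise ValueError(f"region {spec!r} selects no bytes of {len(data)}-byte input")
        out += chunk
    return bytes(out)


if __name__ == "__main__":
    # constructed sample: a 64-byte image whose byte value equals its offset
    image = bytes(range(64))
    for spec in ("[1]", "[:20]", "[0x10:0x20]", "[-20:]"):
        print(spec, select_regions(image, [spec]).hex())
```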

-o, --output <output>#

Required Path to a file, where to store the output.

--force#

Force overwriting of existing files.

verify#

Verify the given signature with the public key.

nxpcrypto signature verify [OPTIONS]

Options

-k, --public-key <public_key>#

Required Path to public key to be used for verification.

Supported public keys: rsa2048, rsa3072, rsa4096, secp256r1, secp384r1, secp521r1, sm2, dil2, dil3, dil5.

-a, --algorithm <algorithm>#

Hash algorithm used when signing the message. If not set, the default algorithm will be used.

Options:

sha1 | sha256 | sha384 | sha512 | md5 | sm3 | none

-i, --input-file <input_file>#

Required Path to file containing original binary data.

-s, --signature <signature>#

Required Path to file containing data signature.

-pp, --pss-padding#

Indicate that the signature uses PSS padding (RSA keys only).

-r, --regions <regions>#

Region(s) of the data that were signed. Multiple regions can be specified.

The format of the region option is similar to Python's list index syntax:

[1]

Byte with index 1

[:20]

First 20 bytes

[0x10:0x20]

Bytes from 0x10 up to 0x20 (end exclusive, as in Python slicing)

[-20:]

Last 20 bytes