lokey

lokey is a tool that makes it easy to work with and convert between cryptographic key formats.

Named after the shape shifting and mischief-making Trickster from Norse mythology, this tool serves to test the bounds of possibilities and order.

Installing lokey

The fastest way to get lokey is to use pip:

$ pip install lokey

Using lokey

lokey makes it easy to fetch cryptographic keys from public sources like Keybase and PGP keyservers, for example:

Fetch my Keybase key using my Twitter handle:

$ lokey fetch keybase twitter:jf

Search for PGP keys from journalists at the New York Times:

$ lokey fetch pgp nytimes.com

You can see all of the fetching commands that lokey has by typing:

$ lokey fetch

lokey is also a tool for converting between cryptographic key formats, for example:

Make it easier to grant your friends access to your SSH server:

$ sudo adduser jf
$ mkdir ~jf/.ssh
$ lokey fetch keybase twitter:jf | lokey to ssh > ~jf/.ssh/authorized_keys

Send an S/MIME encrypted email to an administrator of a TLS secured webserver:

$ echo "A ship journeys from the east, Muspell's people are coming" > message.txt
$ lokey fetch tls example.com > example.com.pem
$ openssl smime -encrypt -des3 -in message.txt example.com.pem > smime.p7m

One of the administrators of the TLS secured webserver could read the message using this command:

openssl smime -decrypt -in smime.p7m -passin pass:[password for key] -inkey /path/to/webserver.key

lokey will also give you information about keys that you pipe into it:

$ cat ~/.ssh/id_rsa.pub | lokey

Inspiration

Many things inspired this project. The genesis of this project comes from the many conversations I had with my dad about his implementation of OpenPGP in Common Lisp. One of those conversations was when I first learned that all RSA keys derived from the numbers ("e", "n", "d"). My dad's paper "Why RSA Works", gave me the grounding I needed to reason and understand RSA cryptography.

Other inspirations include Zed Shaw's vulnarb.com project, which was the first time I considered using TLS certificates for encrypting email. The Monkeysphere Project which inspired me to think of using the PGP web of trust for something other than email.

My work at Okta on key pinning introduced me to Python's outstanding cryptographic library "cryptography". And most recently, my work on converting JWK formatted keys to PEM formatted keys proved how useful a command line utility for key conversion could be.

Learn more

$ lokey --help
$ lokey fetch
$ lokey to

What's missing

This release works, but only barely so. I'd like to know if other people find it useful and have ideas for what they'd want to use this tool for.

That said, I already know of many things that will need to be fixed or corrected soon:

1. I don't know if the keys generated by this tool will actually work in The Real World.

   PGP and X.509 certificates in particular have a lot of options, I haven't done any testing with software like Outlook, Mail.app, GPGTools (for Mac), iOS, etc. Please let me know what needs to be fixed here!

2. I'd like lokey to be able to genereate X.509 keys that could be used for S/MIME and SSL "client authentication" (where a browser authenticates with a web server).

   I got a "proof of concept" working for this by turning lokey into a very simple "certificate authority", this didn't seem ideal though.

3. I want to add support for all the various fingerprint formats in use.

4. Passphrases for encrypted private keys shouldn't be passed via a command line argument.

   This could expose your passphrase!

5. I need to release my tests for "Eris" the class I use to convert keys.

   Before I do this, I need to make sure all the private keys are just test keys.

6. Documentation. This should be a literate document.

7. The text output for keys to match what you get with a tool like pgpdump or openssl x509 -text

8. Support the various key stores for Java, macOS, GPG, etc

9. I want to support more key formats (Pu

   • PuTTY
   • SSH Certificates
   • pkcs12?
   • DKIM?

10. I have no idea how people use key bundles, or how lokey should support them

See also, FIXME notes in the source as well as my planned work in README.org