feat: add keygen tool (#972)

mattjohnsonpint · web-flow · commit 7c166cda9fce · 2025-09-03T18:38:34.000-07:00
diff --git a/go.work b/go.work
@@ -24,4 +24,5 @@ use (
 	./sdk/go/examples/time
 	./sdk/go/examples/vectors
 	./sdk/go/templates/default
+	./tools/keygen
 )
diff --git a/tools/keygen/.gitignore b/tools/keygen/.gitignore
@@ -0,0 +1,3 @@
+*.pem
+keygen
+keygen.exe
diff --git a/tools/keygen/README.md b/tools/keygen/README.md
@@ -0,0 +1,30 @@
+# Keygen Tool
+
+This is a small utility that will generate keys and tokens for use with Modus.
+
+## Usage
+
+You must have Go installed locally. We currently do not release this tool as a binary.
+
+From the `/tools/keygen` directory, run the utility via: `go run .`
+
+The output will contain the following:
+
+- A JSON encoded object containing an RSA public key, suitable for passing to `MODUS_PEMS`
+- A JWT token that is signed with that key, having a 1 year expiration date and no other claims,
+  suitable for passing as a bearer token for authorization
+
+The tool will also create two files in the current working directory:
+
+- `private-key.pem` - A 2048 bit RSA private key
+- `public-key.pem` - The corresponding public key
+
+If the private key file already exists in the working directory, the tool will re-use it instead of
+creating a new one.
+
+**IMPORTANT** - Keep the private key secret, and do not lose it! You will need it to issue new JWT
+tokens that can be validated with the public key.
+
+The public key file contains the same key that was given as JSON. It is there for convenience only.
+
+You can run the tool multiple times to generate additional JWTs from the same key pair.
diff --git a/tools/keygen/go.mod b/tools/keygen/go.mod
@@ -0,0 +1,5 @@
+module keygen
+
+go 1.25.0
+
+require github.com/golang-jwt/jwt/v5 v5.3.0
diff --git a/tools/keygen/go.sum b/tools/keygen/go.sum
@@ -0,0 +1,2 @@
+github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
+github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
diff --git a/tools/keygen/main.go b/tools/keygen/main.go
@@ -0,0 +1,157 @@
+package main
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/json"
+	"encoding/pem"
+	"fmt"
+	"os"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+)
+
+const privateKeyFileName = "private-key.pem"
+const publicKeyFileName = "public-key.pem"
+
+func main() {
+	fmt.Println()
+	privateKey, err := getPrivateKey()
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Error getting private key: %v\n", err)
+		os.Exit(1)
+	}
+
+	jsonPubKey, err := getPublicKeyJson(privateKey)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Error getting public key JSON: %v\n", err)
+		os.Exit(1)
+	}
+	fmt.Println(jsonPubKey)
+	fmt.Println()
+
+	signedJWT, err := generateSignedJWT(privateKey)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Error generating signed JWT: %v\n", err)
+		os.Exit(1)
+	}
+	fmt.Println(signedJWT)
+	fmt.Println()
+}
+
+func generateSignedJWT(priv *rsa.PrivateKey) (string, error) {
+	now := time.Now()
+	issued := now.Unix()
+	expires := now.AddDate(1, 0, 0).Unix()
+	claims := jwt.MapClaims{
+		"iat": issued,
+		"exp": expires,
+	}
+
+	token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
+	return token.SignedString(priv)
+}
+
+func getPrivateKey() (*rsa.PrivateKey, error) {
+	if _, err := os.Stat(privateKeyFileName); err == nil {
+		return loadPrivateKey()
+	} else if os.IsNotExist(err) {
+		return createPrivateKey()
+	} else {
+		return nil, err
+	}
+}
+
+func loadPrivateKey() (*rsa.PrivateKey, error) {
+	keyData, err := os.ReadFile(privateKeyFileName)
+	if err != nil {
+		return nil, err
+	}
+
+	block, _ := pem.Decode(keyData)
+	if block == nil || block.Type != "RSA PRIVATE KEY" {
+		return nil, fmt.Errorf("failed to decode PEM block containing private key")
+	}
+
+	priv, err := x509.ParsePKCS1PrivateKey(block.Bytes)
+	if err != nil {
+		return nil, err
+	}
+	return priv, nil
+}
+
+func createPrivateKey() (*rsa.PrivateKey, error) {
+	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := writePrivateKey(privateKey); err != nil {
+		return nil, err
+	}
+
+	if err := writePublicKey(privateKey); err != nil {
+		return nil, err
+	}
+
+	return privateKey, nil
+}
+
+func writePrivateKey(priv *rsa.PrivateKey) error {
+	keyFile, err := os.Create(privateKeyFileName)
+	if err != nil {
+		return err
+	}
+	defer keyFile.Close()
+
+	pemBlock := &pem.Block{
+		Type:  "RSA PRIVATE KEY",
+		Bytes: x509.MarshalPKCS1PrivateKey(priv),
+	}
+	if err := pem.Encode(keyFile, pemBlock); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func writePublicKey(priv *rsa.PrivateKey) error {
+	publicKey := &priv.PublicKey
+
+	keyFile, err := os.Create(publicKeyFileName)
+	if err != nil {
+		return err
+	}
+	defer keyFile.Close()
+
+	pemBlock := &pem.Block{
+		Type:  "RSA PUBLIC KEY",
+		Bytes: x509.MarshalPKCS1PublicKey(publicKey),
+	}
+	if err := pem.Encode(keyFile, pemBlock); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func getPublicKeyJson(priv *rsa.PrivateKey) (string, error) {
+	publicKey := &priv.PublicKey
+	keyData := x509.MarshalPKCS1PublicKey(publicKey)
+	block := pem.EncodeToMemory(&pem.Block{
+		Type:  "RSA PUBLIC KEY",
+		Bytes: keyData,
+	})
+
+	keys := map[string]string{
+		"key1": string(block),
+	}
+
+	jsonData, err := json.Marshal(keys)
+	if err != nil {
+		return "", err
+	}
+	return string(jsonData), nil
+}

Original file line number	Diff line number	Diff line change
`@@ -24,4 +24,5 @@ use (`
`24`	`24`	`./sdk/go/examples/time`
`25`	`25`	`./sdk/go/examples/vectors`
`26`	`26`	`./sdk/go/templates/default`
	`27`	`+ ./tools/keygen`
`27`	`28`	`)`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=`
	`2`	`+github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=`