Using OpenSSL command

JOSE RFC provides a method JWKRegistry.generate_key() for generating keys to be used for JWS/JWE/JWT. However, you can also use other tools to generate the keys, here lists some of the commands you might find helpful for openssl.

Generating EC keys

EC key with crv P-256

from joserfc.jwk import JWKRegistry

key = JWKRegistry.generate_key('EC', 'P-256', private=True)
private_pem = key.as_bytes(private=True)
public_pem = key.as_bytes(private=False)

Using OpenSSL command line tool:

# generate private key
openssl ecparam -name prime256v1 -genkey -noout -out ec-p256-private.pem

# extract public key
openssl ec -in ec-p256-private.pem -pubout -out ec-p256-public.pem

提示

OpenSSL encourage using prime256v1 instead of secp256r1

EC key with crv P-384

from joserfc.jwk import JWKRegistry

key = JWKRegistry.generate_key('EC', 'P-384', private=True)
private_pem = key.as_bytes(private=True)
public_pem = key.as_bytes(private=False)
# generate private key
openssl ecparam -name secp384r1 -genkey -noout -out ec-p384-private.pem

# extract public key
openssl ec -in ec-p384-private.pem -pubout -out ec-p384-public.pem

EC key with crv P-512

from joserfc.jwk import JWKRegistry

key = JWKRegistry.generate_key('EC', 'P-512', private=True)
private_pem = key.as_bytes(private=True)
public_pem = key.as_bytes(private=False)
# generate private key
openssl ecparam -name secp521r1 -genkey -noout -out ec-p512-private.pem

# extract public key
openssl ec -in ec-p512-private.pem -pubout -out ec-p512-public.pem

备注

It is secp521r1, not secp512r1. But the "crv" value in EC Key is "P-512".

EC key with crv secp256k1

from joserfc.jwk import JWKRegistry

key = JWKRegistry.generate_key('EC', 'secp256k1', private=True)
private_pem = key.as_bytes(private=True)
public_pem = key.as_bytes(private=False)
# generate private key
openssl ecparam -name secp256k1 -genkey -noout -out ec-secp256k1-private.pem

# extract public key
openssl ec -in ec-secp256k1-private.pem -pubout -out ec-secp256k1-public.pem