Using OpenSSL command
JOSE RFC provides the method JWKRegistry.generate_key() for generating keys to be used for JWS/JWE/JWT. However, you can also use other tools to generate the keys. This page lists some openssl commands you might find helpful.
Generating EC keys
EC key with crv P-256
from joserfc.jwk import JWKRegistry
key = JWKRegistry.generate_key('EC', 'P-256', private=True)
private_pem = key.as_bytes(private=True)
public_pem = key.as_bytes(private=False)
Using OpenSSL command line tool:
# generate private key
openssl ecparam -name prime256v1 -genkey -noout -out ec-p256-private.pem
# extract public key
openssl ec -in ec-p256-private.pem -pubout -out ec-p256-public.pem
Hint
OpenSSL encourages using prime256v1 instead of secp256r1.
EC key with crv P-384
from joserfc.jwk import JWKRegistry
key = JWKRegistry.generate_key('EC', 'P-384', private=True)
private_pem = key.as_bytes(private=True)
public_pem = key.as_bytes(private=False)
Using OpenSSL command line tool:
# generate private key
openssl ecparam -name secp384r1 -genkey -noout -out ec-p384-private.pem
# extract public key
openssl ec -in ec-p384-private.pem -pubout -out ec-p384-public.pem
EC key with crv P-512
from joserfc.jwk import JWKRegistry
# RFC 7518 registers this curve under the "crv" name "P-521"
key = JWKRegistry.generate_key('EC', 'P-521', private=True)
private_pem = key.as_bytes(private=True)
public_pem = key.as_bytes(private=False)
Using OpenSSL command line tool:
# generate private key
openssl ecparam -name secp521r1 -genkey -noout -out ec-p512-private.pem
# extract public key
openssl ec -in ec-p512-private.pem -pubout -out ec-p512-public.pem
Note
It is secp521r1, not secp512r1. But the "crv" value in EC Key is "P-512".
EC key with crv secp256k1
from joserfc.jwk import JWKRegistry
key = JWKRegistry.generate_key('EC', 'secp256k1', private=True)
private_pem = key.as_bytes(private=True)
public_pem = key.as_bytes(private=False)
Using OpenSSL command line tool:
# generate private key
openssl ecparam -name secp256k1 -genkey -noout -out ec-secp256k1-private.pem
# extract public key
openssl ec -in ec-secp256k1-private.pem -pubout -out ec-secp256k1-public.pem
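
The commands above, wrapped with the checks worth running on a freshly generated pair: the private key is created readable by its owner only, the stored curve is read back, and the public file is confirmed to match the private key. This is an added example, not part of the JOSE RFC documentation; the helper names gen_ec_pair, ec_curve_of and check_ec_pair are assumptions.

```shell
#!/bin/sh
# Added example; gen_ec_pair, ec_curve_of and check_ec_pair are hypothetical helpers.
# usage: gen_ec_pair prime256v1 ec-p256 && check_ec_pair ec-p256

# gen_ec_pair CURVE PREFIX: write PREFIX-private.pem and PREFIX-public.pem
gen_ec_pair() {
    curve=$1
    prefix=$2
    # Create the private key under umask 077 so it is never group/world readable.
    (
        umask 077
        openssl ecparam -name "$curve" -genkey -noout -out "$prefix-private.pem"
    ) || return 1
    openssl ec -in "$prefix-private.pem" -pubout -out "$prefix-public.pem" 2>/dev/null
}

# ec_curve_of PRIVATE_PEM: print the curve name stored in the key (e.g. secp521r1)
ec_curve_of() {
    openssl ec -in "$1" -noout -text 2>/dev/null | sed -n 's/^ASN1 OID: *//p'
}

# check_ec_pair PREFIX: succeed only if the public file belongs to the private key
check_ec_pair() {
    prefix=$1
    tmp=$(mktemp -d) || return 1
    printf 'constructed test message' > "$tmp/msg"
    # 1) the public key re-derived from the private key must equal the stored one
    # 2) a signature made with the private key must verify with the public key
    if openssl ec -in "$prefix-private.pem" -pubout -out "$tmp/pub.pem" 2>/dev/null &&
        cmp -s "$tmp/pub.pem" "$prefix-public.pem" &&
        openssl dgst -sha256 -sign "$prefix-private.pem" -out "$tmp/sig" "$tmp/msg" &&
        openssl dgst -sha256 -verify "$prefix-public.pem" \
            -signature "$tmp/sig" "$tmp/msg" >/dev/null 2>&1
    then rc=0
    else rc=1
    fi
    rm -rf "$tmp"
    return "$rc"
}
```

Run check_ec_pair before publishing a public key or loading the pair into a JWK set, so a public file left over from an earlier key is caught early.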