This tool is able to generate Ed25519 keypairs and output them in JSON Web Key (JWK) format per RFC 7517 and RFC 8037. Click the "Generate Keypair" button to randomly generate a keypair. A -byte seed may be provided, and the tool is able to output the date and time the keys were generated, and compute their user-defined expiry date.
This tool is able to generate the SHA-256 JWK Thumbprint of an Ed25519 JWK given the public JWK per RFC 7638 and RFC 8037. Enter the JWK into the "Public JWK" text box and click the "Generate JWK Thumbprint" button.
This tool is able to generate an Ed25519-signed JSON Web Signature (JWS) per RFC 7515 and RFC 8037. Enter the Secret JWK, JWS Protected Header, and JWS Payload, and then click the "Generate JWS Details" button. The JWS in Compact Serialization format will be computed.
This tool is able to extract the JWS Protected Header and JWS Payload of a given JWS in Compact Serialization format per RFC 7515. Enter the JWS Compact Serialization data, and click the "Deconstruct JWS" button. The JWS Protected Header and JWS Payload will be shown in their respective fields.
This tool is able to validate an Ed25519-signed JWS per RFC 7515 and RFC 8037. Enter the Public JWK and JWS Compact Serialization data, and click the "Validate Ed25519-signed JWS" button. A prompt will show the result of the validation.
This tool is used to generate keys, sign, and verify using the Ed25519 signature algorithm in the context of:
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.
All Base64 data used in this tool conform to the Base 64 URL-safe encoding without padding characters defined in RFC 4648 section 5.
Built using libsodium.js, the JavaScript port of libsodium, jQuery, and HTML5 Boilerplate.
It is NOT RECOMMENDED to use this tool to generate production keys. This is because the browser's in-built random number generator may not be cryptographically secure, a browser may cache information, and it may contain third-party plugins that could read the content on the page. Therefore, we RECOMMEND using a desktop tool designed to generate production keys on an air-gapped machine.
libsodium is able to generate a keypair given a seed. The seed must be exactly bytes, in Base 64 URL-safe format. Ideally, the seed should be a cryptographically-secure random number, used only once, and discarded thereafter. Using the same seed will always result in the same keypair.
The RFCs do not define "issued at" and "expiry" dates on JSON Web Keys (JWK). Hence, the fields "iat" and "exp" used here are custom to this tool, and it is entirely up to the application to make use of these fields. Do note that these fields may be modified by hand and thus should not be entirely relied upon to manage key expiries.
The expiry years provided to this tool must be a positive number, in steps of 0.01 years.
The JWK Thumbprint according to RFC 7638 should be computed only with public key material (section 3.2.1), and only on mandatory parameters (section 3.2.2). Because this tool is designed for the Ed25519 signature algorithm, it only knows which are the mandatory public key parameters for the Ed25519 algorithm. Hence, this tool MUST NOT be used to generate JWK Thumbprints of non-Ed25519 JWKs.
According to RFC 7515 section 7.1, a JWS serialized according to the Compact Serialization format MUST contain a JWS Protected Header. And according to section 4, such header MUST contain the "alg" parameter. In an Ed25519-signed JWS, per RFC 8037, the "alg" parameter MUST be equal to "EdDSA". This tool will validate that the JWS Protected Header contains the "alg" parameter equal to "EdDSA". The tool will ignore other parameters in the header, and will not validate the "crit" parameter according to section 4.1.11.
For further details on how the components of the JWS Compact Serialization are computed, please refer to RFC 7515 section 5.1.
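The header check described above, as an added example for Node.js; it is not this tool's own code and uses Node's built-in crypto module rather than libsodium.js. The names signCompact, verifyCompact and demo are hypothetical, and unlike the tool this example rejects any JWS whose header carries a "crit" parameter, since it understands no extensions.

```javascript
// Added example (Node.js built-in crypto; function names are hypothetical).
const nodeCrypto = require('node:crypto');
const b64u = (data) => Buffer.from(data).toString('base64url');
const fail = (reason) => ({ valid: false, reason });

// Builds a compact JWS. Used here only to construct sample input.
function signCompact(privateKey, header, payload) {
  const signingInput = `${b64u(JSON.stringify(header))}.${b64u(payload)}`;
  const sig = nodeCrypto.sign(null, Buffer.from(signingInput, 'ascii'), privateKey);
  return `${signingInput}.${b64u(sig)}`;
}

// Verifies a compact JWS against an Ed25519 public JWK.
// The protected header is checked before any signature work is done.
function verifyCompact(publicJwk, jws) {
  const parts = String(jws).split('.');
  if (parts.length !== 3) return fail('expected three segments');
  // RFC 4648 section 5 alphabet, no padding characters.
  if (!parts.every((seg) => /^[A-Za-z0-9_-]*$/.test(seg))) return fail('not base64url');
  const [h, p, s] = parts;
  let header;
  try {
    header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
  } catch {
    return fail('header is not JSON');
  }
  if (header?.alg !== 'EdDSA') return fail('alg must be EdDSA');
  // Stricter than the tool: no "crit" extensions are understood, so reject them all.
  if ('crit' in header) return fail('crit not supported');
  if (publicJwk.kty !== 'OKP' || publicJwk.crv !== 'Ed25519' || 'd' in publicJwk) {
    return fail('not an Ed25519 public JWK');
  }
  const sig = Buffer.from(s, 'base64url');
  if (sig.length !== 64) return fail('signature must be 64 bytes');
  const key = nodeCrypto.createPublicKey({ key: publicJwk, format: 'jwk' });
  const ok = nodeCrypto.verify(null, Buffer.from(`${h}.${p}`, 'ascii'), key, sig);
  if (!ok) return fail('signature mismatch');
  return { valid: true, payload: Buffer.from(p, 'base64url').toString('utf8') };
}

// Constructed sample: a throwaway keypair, one signed JWS and one "alg":"none" JWS.
function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  const jwk = publicKey.export({ format: 'jwk' });
  const good = signCompact(privateKey, { alg: 'EdDSA' }, '{"msg":"hello"}');
  const unsigned = `${b64u('{"alg":"none"}')}.${good.split('.')[1]}.`;
  return { good: verifyCompact(jwk, good), unsigned: verifyCompact(jwk, unsigned) };
}
console.log(demo());
```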