Supported signing key algorithms

For the signature verification, the Investment API supports the following algorithms:

ECDSA

WARNING

The Upvest Investment API only accepts ECDSA signatures which use the P-521 curve and SHA-512 hashes, as described in RFC6979.


Private key generation with passphrase protection, as supported by the HTTP signature proxy:

openssl ecparam -genkey -name secp521r1 -outform PEM | openssl ec -aes256 -inform PEM -outform PEM -out upvest-investment-api-http-message-signing-key-ecdsa521.priv
NOTE

Make sure to store the private key and the passphrase in a safe place.


Public key extraction:

openssl pkey -pubout -in upvest-investment-api-http-message-signing-key-ecdsa521.priv > upvest-investment-api-http-message-signing-key-ecdsa521.pub
NOTE

The upvest-investment-api-http-message-signing-key-ecdsa521.pub file is the public key which you will submit to Upvest during the API credentials issuance process.


Less secure alternative:

Upvest recommends against it, but if you must, you can generate the private key without encrypting it. (Also, this is not supported by the HTTP signature proxy.)

Private key generation without passphrase protection:

openssl ecparam -genkey -name secp521r1 -outform PEM -out upvest-investment-api-http-message-signing-key-ecdsa521-unencrypted.priv

You can then encrypt it in a separate step after creation:

openssl ec -aes256 -inform PEM -outform PEM -in upvest-investment-api-http-message-signing-key-ecdsa521-unencrypted.priv -out upvest-investment-api-http-message-signing-key-ecdsa521.priv

Public key extraction:

openssl pkey -pubout -in upvest-investment-api-http-message-signing-key-ecdsa521-unencrypted.priv > upvest-investment-api-http-message-signing-key-ecdsa521.pub

ED25519

ED25519 signing algorithm uses the Curve25519 curve and SHA-512 hashing link.

NOTE

For macOS users, install the latest OpenSSL using Homebrew (or other package manager of your choice) to be able to generate a ED25519 key pair. The LibreSSL version that is included in macOS does not support ED25519.

brew install openssl
/usr/local/opt/openssl@3/bin/openssl version

In the following examples, replace openssl with /usr/local/opt/openssl@3/bin/openssl.


Private key generation with passphrase protection, as supported by the HTTP signature proxy:

openssl genpkey -algorithm ed25519 -aes256 -outform PEM -out upvest-investment-api-http-message-signing-key-ed25519.priv
NOTE

Make sure to store the private key and the passphrase in a safe place.


Public key extraction:

openssl pkey -pubout -in upvest-investment-api-http-message-signing-key-ed25519.priv > upvest-investment-api-http-message-signing-key-ed25519.pub
NOTE

The upvest-investment-api-http-message-signing-key-ed25519.pub file is the public key which you will submit to Upvest during the API credentials issuance process.


Less secure alternative:

Upvest recommends against it, but if you must, you can generate the private key without encrypting it. (Also, this is not supported by the HTTP signature proxy.)

Private key generation without passphrase protection:

openssl genpkey -algorithm ed25519 -outform PEM -out upvest-investment-api-http-message-signing-key-ed25519-unencrypted.priv

You can then encrypt it in a separate step after creation:

openssl pkey -aes256 -inform PEM -outform PEM -in upvest-investment-api-http-message-signing-key-ed25519-unencrypted.priv -out upvest-investment-api-http-message-signing-key-ed25519.priv

Public key extraction:

openssl pkey -pubout -in upvest-investment-api-http-message-signing-key-ed25519-unencrypted.priv > upvest-investment-api-http-message-signing-key-ed25519.pub

Was this page helpful?

On this page