Parses json and returns the resulting JWK.

Constructs a JWK wrapping the given map.

Constructs a JWK wrapping map with overrides merged in. String overrides are automatically boxed into JSON::Any.

JOSE::JWK.from_map(k1.map, kid: "sig")

Creates an oct (symmetric) JWK from raw key bytes.

Loads an EC or RSA key from PEM and returns the corresponding JWK. Returns a JWK with private fields if the PEM contains a private key, or a public-only JWK if it contains only a public key.

Accepted PEM formats and the OpenSSL commands that produce them:

# EC private key  (SEC 1 / RFC 5915)
openssl ecparam -name prime256v1 -genkey -noout -out ec-p256.pem

# EC public key  (SubjectPublicKeyInfo)
openssl ec -in ec-p256.pem -pubout -out ec-p256-pub.pem

# RSA private key  (PKCS#1)
openssl genrsa -out rsa-2048.pem 2048

# RSA public key  (SubjectPublicKeyInfo)
openssl rsa -in rsa-2048.pem -pubout -out rsa-2048-pub.pem

jwk = JOSE::JWK.from_pem(File.read("ec-p256.pem"))

Generates a new key according to params.

The params hash must contain at least "kty" and, depending on the key type, optional shape keys:

• "EC" — "crv": curve name ("P-256" … "P-521"), default "P-256"
• "RSA" — "bits": key size in bits, default 2048
• "oct" — "size": key length in bytes, default 32
• "OKP" — "crv": curve name ("Ed25519"), default "Ed25519"

NOTE RSA key generation is synchronous and may take a moment for large bit sizes. EC and OKP generation is near-instant.

Using OpenSSL to generate keys externally:

# EC
openssl ecparam -name prime256v1 -genkey -noout -out ec-p256.pem
# RSA
openssl genrsa -out rsa-2048.pem 2048

Load with JWK.from_pem(File.read("ec-p256.pem")).

Prefer the typed convenience wrappers .generate_key_ec, .generate_key_rsa, .generate_key_oct, and .generate_key_okp for common cases.

ec_key = JOSE::JWK.generate_key({"kty" => JSON::Any.new("EC"), "crv" => JSON::Any.new("P-384")})
rsa_key = JOSE::JWK.generate_key({"kty" => JSON::Any.new("RSA"), "bits" => JSON::Any.new(2048_i64)})
sym_key = JOSE::JWK.generate_key({"kty" => JSON::Any.new("oct"), "size" => JSON::Any.new(32_i64)})
okp_key = JOSE::JWK.generate_key({"kty" => JSON::Any.new("OKP"), "crv" => JSON::Any.new("Ed25519")})

Generates a new "EC" key. crv defaults to "P-256". See .generate_key for details.

Generates a new "oct" key. size defaults to 32. See .generate_key for details.

Generates a new "OKP" key. crv defaults to "Ed25519". See .generate_key for details.

Generates a new "RSA" key. bits defaults to 2048. See .generate_key for details.

Returns true if both JWKs have identical key parameters.

Returns the value for key from the key map.

Returns the value for key, or nil if absent.

Decrypts encrypted using this key. Delegates to JWE.block_decrypt.

Encrypts plain_text using this key. Delegates to JWE.block_encrypt.

Returns an EC_KEY with both public and private key set.

NOTE Caller must free the returned key with LibCrypto.ec_key_free.

Returns an EC_KEY with only the public key set.

NOTE Caller must free the returned key with LibCrypto.ec_key_free.

Returns the Ed25519 signing key for OKP private keys.

Returns the Ed25519 verify key for OKP keys.

See Object#hash(hasher)

Returns the raw symmetric key bytes for oct keys.

Returns the key type ("EC", "RSA", "oct", or "OKP").

The underlying JSON map holding all key parameters.

Returns true if this key contains private key material.

Returns true if this key contains no private key material.

Returns the raw LibCryptoJose::RSA handle built from this key's parameters.

NOTE Caller must free the returned handle with LibCryptoJose.RSA_free.

Signs plain_text using this key. Delegates to JWS.sign.

Serializes this key to a JSON string.

Returns the underlying JSON map.

Serializes this key to PEM format.

Returns a copy of this JWK with all private fields removed.

Verifies signed using this key. Delegates to JWS.verify.

Returns a copy of this JWK with the given string fields merged in. Existing fields are overwritten; all other fields are preserved.

jwk.with(kid: "sig")
jwk.with(kid: "sig", use: "sig", alg: "ES256")