Supported signing key algorithms
For the signature verification, the Investment API supports the following algorithms:
ECDSA
The Upvest Investment API only accepts ECDSA signatures which use the P-521 curve and SHA-512 hashes, as described in RFC6979.
Private key generation with passphrase protection, as supported by the HTTP signature proxy:
openssl ecparam -genkey -name secp521r1 -outform PEM | openssl ec -aes256 -inform PEM -outform PEM -out upvest-investment-api-http-message-signing-key-ecdsa521.priv
Make sure to store the private key and the passphrase in a safe place.
Public key extraction:
openssl pkey -pubout -in upvest-investment-api-http-message-signing-key-ecdsa521.priv > upvest-investment-api-http-message-signing-key-ecdsa521.pub
The upvest-investment-api-http-message-signing-key-ecdsa521.pub file is the public key which you will submit to Upvest during the API credentials issuance process.
Less secure alternative:
Upvest recommends against it, but if you must, you can generate the private key without encrypting it. (Also, this is not supported by the HTTP signature proxy.)
Private key generation without passphrase protection:
openssl ecparam -genkey -name secp521r1 -outform PEM -out upvest-investment-api-http-message-signing-key-ecdsa521-unencrypted.priv
You can then encrypt it in a separate step after creation:
openssl ec -aes256 -inform PEM -outform PEM -in upvest-investment-api-http-message-signing-key-ecdsa521-unencrypted.priv -out upvest-investment-api-http-message-signing-key-ecdsa521.priv
Public key extraction:
openssl pkey -pubout -in upvest-investment-api-http-message-signing-key-ecdsa521-unencrypted.priv > upvest-investment-api-http-message-signing-key-ecdsa521.pub
ED25519
The ED25519 signing algorithm uses the Curve25519 curve and SHA-512 hashing.
For macOS users, install the latest OpenSSL using Homebrew (or another package manager of your choice) to be able to generate an ED25519 key pair. The LibreSSL version that is included in macOS does not support ED25519.
brew install openssl
/usr/local/opt/openssl@3/bin/openssl version
In the following examples, replace openssl with /usr/local/opt/openssl@3/bin/openssl.
Private key generation with passphrase protection, as supported by the HTTP signature proxy:
openssl genpkey -algorithm ed25519 -aes256 -outform PEM -out upvest-investment-api-http-message-signing-key-ed25519.priv
Make sure to store the private key and the passphrase in a safe place.
Public key extraction:
openssl pkey -pubout -in upvest-investment-api-http-message-signing-key-ed25519.priv > upvest-investment-api-http-message-signing-key-ed25519.pub
The upvest-investment-api-http-message-signing-key-ed25519.pub file is the public key which you will submit to Upvest during the API credentials issuance process.
Less secure alternative:
Upvest recommends against it, but if you must, you can generate the private key without encrypting it. (Also, this is not supported by the HTTP signature proxy.)
Private key generation without passphrase protection:
openssl genpkey -algorithm ed25519 -outform PEM -out upvest-investment-api-http-message-signing-key-ed25519-unencrypted.priv
You can then encrypt it in a separate step after creation:
openssl pkey -aes256 -inform PEM -outform PEM -in upvest-investment-api-http-message-signing-key-ed25519-unencrypted.priv -out upvest-investment-api-http-message-signing-key-ed25519.priv
Public key extraction:
openssl pkey -pubout -in upvest-investment-api-http-message-signing-key-ed25519-unencrypted.priv > upvest-investment-api-http-message-signing-key-ed25519.pub
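The following check is an added example, not part of Upvest's documentation or tooling. It applies to both the ECDSA and the ED25519 key files above: it inspects the PEM armor to tell whether a private key file is passphrase-protected and confirms the file is not readable by group or other. The function names are hypothetical, and the check assumes standard PEM headers as written by OpenSSL.

```shell
#!/bin/sh
# Added example: pre-flight check for a PEM signing key file.
# Function names are hypothetical; no key material is parsed or decrypted.

# Print how the private key in file $1 is protected, judged by its PEM armor:
#   encrypted-pkcs8        "ENCRYPTED PRIVATE KEY" armor (PKCS#8 output)
#   encrypted-traditional  "EC PRIVATE KEY" armor with a Proc-Type header
#   unencrypted            plain "PRIVATE KEY" or "EC PRIVATE KEY" armor
#   not-a-private-key      anything else, for example a .pub file
# Which encrypted form a command writes can depend on the OpenSSL version,
# so both are recognized.
key_protection() {
    f=$1
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f"; then
        echo encrypted-pkcs8
    elif grep -q -e '-----BEGIN EC PRIVATE KEY-----' "$f" &&
         grep -q -e '^Proc-Type: 4,ENCRYPTED' "$f"; then
        echo encrypted-traditional
    elif grep -Eq -e '-----BEGIN (EC )?PRIVATE KEY-----' "$f"; then
        echo unencrypted
    else
        echo not-a-private-key
    fi
}

# Succeed only if group and other have no permissions on file $1.
# Characters 5-10 of the ls mode string are the group/other bits.
key_perms_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Succeed only for a passphrase-protected key with owner-only permissions.
check_signing_key() {
    kind=$(key_protection "$1")
    case $kind in
        encrypted-*) ;;
        *) echo "FAIL: $1 is $kind" >&2; return 1 ;;
    esac
    key_perms_ok "$1" || {
        echo "FAIL: $1 is accessible by group or other (chmod 600 it)" >&2
        return 1
    }
    echo "OK: $1 ($kind, owner-only permissions)"
}
```

Run check_signing_key on the .priv file before pointing the HTTP signature proxy at it; a non-zero exit status means the key is unencrypted, is not a private key, or has permissions that are too open.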