Questions on Assymetric Keys

I'm learning my way through this spec and lib and have a couple of questions.

Is there a way to generate AssymetricKeys without the following code:

$privateKey = new AsymmetricSecretKey(sodium_crypto_sign_keypair());
$publicKey = $privateKey->getPublicKey();
var_dump($privateKey->encode());
var_dump($publicKey->encode());

Meaning is it possible to supply my own custom key in place of sodium_crypto_sign_keypair() as the argument? Thus far I have been unsuccessful and have had to copy the output of the encoded private key and use it like so to decode:

$privateKey = AsymmetricSecretKey::fromEncodedString('62Z63Tlo27ijk355y-4BkPdTquSGgvftHncfTTqBsj1jhs6kGN63VYUh3ZpqLHOAur3n7bfHGepU3_d5_yz1yg');
echo Version4::verify($token, $privateKey->getPublicKey());

When trying building keys like this I am unable to decode them:

new AsymmetricSecretKey('mabdivRiQuavvunOtIkwalOwbocImsAls8SlafdovShatvegbisOfvaHedIcVenn');

When I decode public PASETOs I am not seeing footer data like I do with local ones:

{"claim_data":"is encrypted","sub":"5e28e9ed-f3e1-4eb2-aa88-8d618f4021ee","iat":"2022-05-26T03:47:35+00:00","nbf":"2022-05-26T03:47:35+00:00","exp":"2022-05-27T03:47:35+00:00"}

I take it that AsymmetricKeys are not a replacement for JWKS. But I am unsure whether KeyRings are the replacement or if PASERK is?

Yes:

paseto/src/Keys/AsymmetricSecretKey.php

Lines 156 to 166 in 2c8c4be

    
               /** 
        
                * Generate a secret key. 
        
                * 
        
                * @param ProtocolInterface|null $protocol 
        
                * @return self 
        
                * 
        
                * @throws Exception 
        
                * @throws TypeError 
        
                */ 
        
               public static function generate(ProtocolInterface $protocol = null): self 
        
               {

$key = AsymmetricSecretKey::generate($version);

Don't generate keys elsewhere then import them. Instead, generate with the library then export. PASERK helps here.

More information: https://github.com/paseto-standard/paserk

There are other methods. We intentionally don't clobber claim values with the footer, or vice-versa, and keep them separate. JsonToken has getFooterArray().
The KeyRing class does what a JWK does at runtime, but for advanced use-cases, PASERK provides those features instead of polluting PASETO with features.

Thanks for the answers.

Any thoughts about providing a shell command within this library to generate AssymetricKeys or is that found within PASERK?

We hadn't considered that, but it might be a useful thing to make.

Yes, would be nice if I could run something like vendor/bin/paseto keygen or vendor/bin/paseto keygen -encode or whatever...

Ps. @paragonie-security I could try my hand at building one. Just not sure if this library would prefer to roll its own command ala phpcs or would be okay pulling in a depedency like symfony/console to ease creation.

	/**
	* Generate a secret key.
	*
	* @param ProtocolInterface\|null $protocol
	* @return self
	*
	* @throws Exception
	* @throws TypeError
	*/
	public static function generate(ProtocolInterface $protocol = null): self
	{