[erlang-questions] public_key:pem_decode/1 and public_key:verify/4

Ingela Andin <>
Fri Jan 21 09:48:01 CET 2011


Well PEM-files that only BEGIN PUBLIC KEY and not BEGIN RSA PUBLIC KEY are
using another ASN1 spec and can contain both RSA and DSA keys. It
seems that it is the
ASN1-spec SubjectPublicKeyInfo from PKIXExplicit88.asn1 also part of public_key.

Regards Ingela Erlang/OTP team - Ericsson AB


Some time ago someone asked for  PKCS-8
http://tools.ietf.org/html/rfc5208  support,
which ASN1 specs are not currently part of the public_key application
and therefore needs to be added,
in order to support them. I do not know if this is intrests you it is
only so you know.

2011/1/20 Seth Falcon <>:
> Hi there,
> I'm very interested in adding support for RSA public key decoding to
> the public_key module.  My use case is similar in that I need to be
> able to verify/decrypt when all I have is the RSA public key in PEM
> format.
> 2011/1/20 Ingela Andin <>:
>> The PKCS-1 asn-1 spec is part of public key. PEM-files are mainly
>> base64-encoded  asn1 DER data.
> [snip]
>> Adding support for the something = RSA PUBLIC KEY should be fairly
>> simple as the ASN1- spec is alredy in place.
> I started working on such a patch and you are right that the changes
> to read in the pem data are fairly simple.
> However, once I have the DER format, I'm getting stuck with an error
> coming out of public_key:der_decode.  Not sure if I'm doing it wrong
> or if there is something wrong with the asn1 definition for RSA public
> keys.
> Here's what I'm trying (skipping the pem conversion for now):
> shell:
>  openssl genrsa > mykey.private
>  openssl rsa -in mykey.private -outform der -pubout > mykey.public.der
> erl:
>  {ok, PubDer} = file:read_file("mykey.public.der").
>  public_key:der_decode('RSAPublicKey', PubDer)
> ** exception error: no match of right hand side value {error,
>                                                       {asn1,
>                                                        {function_clause,
> [{'OTP-PUB-KEY',decode_integer,
> [{error,{asn1,{wrong_tag,{16,2}}}}]},
> {'OTP-PUB-KEY',decode_integer,3},
> {'OTP-PUB-KEY',dec_RSAPublicKey,2},
> {'OTP-PUB-KEY',decode,2},
> {public_key,der_decode,2},
>                                                          {erl_eval,do_apply,5},
>                                                          {shell,exprs,7},
> {shell,eval_exprs,7}]}}}
>     in function  public_key:der_decode/2
> Aside: when I use openssl to extract the public key, the output I get
> looks like:
> -----BEGIN PUBLIC KEY-----
> ztRytqJoIdvbzNFYsnJqFhabzhQx2DdPvTiHLZM1QHQ1Ma5yw5hjaQcCAwEAAQ==
> -----END PUBLIC KEY-----
> Note that it only says "PUBLIC KEY", not "RSA PUBLIC KEY".  You will
> get identical header values when extracting a DSA public key.
> So I'm unsure about how one can detect what type of public key one
> has.  Anyone know the details of how that's supposed to work?  This
> throws a wrinkle in pem_decode/1.  It may be that one needs to have
> pem_decode/2 for public keys where the user specifies what type of key
> is expected.
> If I can get a bit further I will put together a patch.
> Thanks,
>  + seth
> --
> Seth Falcon | @sfalcon | http://userprimary.net/
> ________________________________________________________________
> erlang-questions (at) erlang.org mailing list.
> See http://www.erlang.org/faq.html
> To unsubscribe; mailto:

More information about the erlang-questions mailing list