[erlang-questions] public_key:pem_decode/1 and public_key:verify/4

Seth Falcon <>
Mon Jan 24 06:14:07 CET 2011


On Fri, Jan 21, 2011 at 12:48 AM, Ingela Andin <> wrote:
> Well PEM-files that only BEGIN PUBLIC KEY and not BEGIN RSA PUBLIC
> KEY are using another ASN1 spec and can contain both RSA and DSA
> keys. It seems that it is the ASN1-spec SubjectPublicKeyInfo from
> PKIXExplicit88.asn1 also part of public_key.

Thanks, that was a very useful hint :-)

I can now read RSA public key PEM files as generated by openssl.
Here's the recipe (assuming stock public_key module):

    read_rsa_public_key(Key) ->
        Bin = erlang:iolist_to_binary(public_key_lines(re:split(Key,
"\n"), [])),
        Spki = public_key:der_decode('SubjectPublicKeyInfo',
        {_, _, {0, KeyDer}} = Spki,
        public_key:der_decode('RSAPublicKey', KeyDer).

    public_key_lines([<<"-----BEGIN PUBLIC KEY-----">>|Rest], Acc) ->
        public_key_lines(Rest, Acc);
    public_key_lines([<<"-----END PUBLIC KEY-----">>|Rest], Acc) ->
    public_key_lines([Line|Rest], Acc) ->
        public_key_lines(Rest, [Line|Acc]).

I have a patch to the public_key module that makes this easier by
introducing three new functions: public_key_type/1,
pem_decode_public_key/1, and der_decode_public_key/1.

public_key_type takes either a SubjectPublicKeyInfo record (as
returned by der_decode/2 when given type 'SubjectPublicKeyInfo') or
the algorithm id tuple that is a part of the 'SubjectPublicKeyInfo'
record.  It is a wrapper for


    takes a PEM binary and in the case that pem_decode(PEM) returns
    'SubjectPublicKeyInfo', it determines the public key type and does
    der_decode so that the return value is the public key in a form
    usable by functions like public_key:decrypt_public/2.  If the PEM
    does not contain 'SubjectPublicKeyInfo', then it is passed through
    unchanged.  I think this would be useful for Joakim's use case.


    behaves similarly, but is given the DER encoded version of the
    public key to start with.  Here, as I understand it, the problem
    is a bit stickier because you can't know what type it is.  So it
    tries each of ['SubjectPublicKeyInfo', 'RSAPublicKey',
    'DSAPublicKey'] and returns similar to pem_decode_public_key.

I've put the work-in-progress on a branch here:


I'm not sure if this is going in the right direction, so wrote this up
(sorry for the length) to get some feedback.  I'm willing to make
adjustments and spend time polishing a patch if there is some
agreement on general direction.


+ seth

Seth Falcon | @sfalcon | http://userprimary.net/

More information about the erlang-questions mailing list