Why does openssl accept multiple keys after BEGIN PUBLIC KEY?
David Bürgin
dbuergin at gluet.ch
Tue Oct 10 10:07:51 UTC 2023
Hello!
When you inspect the following key with ‘openssl pkey’, it works fine:
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9oaro18Mt4FITtXvhy/v2N0d0
aQJ285MgstG5QSgvFnXA+7Bww20hnLQZD4vOZbeIhdu4g5s8S6LWczqswDjVyD97
9j+RcZM+JcnHPEIvkn7YCKYnM3mvSQKmeRtm9kDVL0waKf+iZ5ZDYiLcfXCSIDnT
2SMxp3D9UNEfEZDMoQIDAQABMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDK
A5hv8tKZBw3cx+j0NMrbsOY5QfoUtxGeXjmGI89q63iFxBdSgrJW5wpthZfHcVHl
roPW885ToeSrEdyUIVCokR7L8PP7Up0PGXUDPIFCQB7+jVV8ezLyxHSLGT81u7Be
el5ybAgsal/GmhpeQXcEpnYpiqVcHL3XTlY8+34EQQIDAQAB
-----END PUBLIC KEY-----
However, there is something odd about it, openssl seems to be interested
only in the first half of the key data:
$ openssl pkey -pubin -in thekey.pem -text
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9oaro18Mt4FITtXvhy/v2N0d0
aQJ285MgstG5QSgvFnXA+7Bww20hnLQZD4vOZbeIhdu4g5s8S6LWczqswDjVyD97
9j+RcZM+JcnHPEIvkn7YCKYnM3mvSQKmeRtm9kDVL0waKf+iZ5ZDYiLcfXCSIDnT
2SMxp3D9UNEfEZDMoQIDAQAB
-----END PUBLIC KEY-----
Public-Key: (1024 bit)
Modulus:
00:bd:a1:aa:e8:d7:c3:2d:e0:52:13:b5:7b:e1:cb:
fb:f6:37:47:74:69:02:76:f3:93:20:b2:d1:b9:41:
28:2f:16:75:c0:fb:b0:70:c3:6d:21:9c:b4:19:0f:
8b:ce:65:b7:88:85:db:b8:83:9b:3c:4b:a2:d6:73:
3a:ac:c0:38:d5:c8:3f:7b:f6:3f:91:71:93:3e:25:
c9:c7:3c:42:2f:92:7e:d8:08:a6:27:33:79:af:49:
02:a6:79:1b:66:f6:40:d5:2f:4c:1a:29:ff:a2:67:
96:43:62:22:dc:7d:70:92:20:39:d3:d9:23:31:a7:
70:fd:50:d1:1f:11:90:cc:a1
Exponent: 65537 (0x10001)
Well, that key actually contains two, concatenated
SubjectPublicKeyInfos! I noticed this when I first used a different
library, and processing failed.
• Is openssl right in accepting this key? Why does it use only the first
one?
• Is the other library wrong in rejecting this key?
• Do relevant RFCs say something about such a ‘concatenated’ format?
Cheers,
--
David
More information about the openssl-users
mailing list