[openssl-users] Get raw RSA public key from X509 certificate

Ken Goldman kgoldman at us.ibm.com
Fri Apr 27 14:01:19 UTC 2018

On 04/27/18 04:50, Matt Caswell wrote:
> On 26/04/18 23:48, Ken Goldman wrote:
>> On 04/26/18 16:37, Matt Caswell wrote:
>>> On 26/04/18 21:17, Ken Goldman wrote:
>>>> I have to get the raw public modulus, but I cannot X509_get_pubkey()
>>>> because of a non-standard object identifier.
>>>> I can use X509_get_X509_PUBKEY() to get part way there.  I see the DER
>>>> wrapped key in the public_key.data element, but I don't know an API to
>>>> get to that element.
>>> How about X509_PUBKEY_get0_param():
>>> https://www.openssl.org/docs/man1.1.0/crypto/X509_PUBKEY_get0_param.html
>> Thanks!  That got me halfway there.
>> That gives me a DER stream that is a SEQUENCE of two INTEGERs.  The first
>> is the public modulus and the second one is the exponent.
>> How do I go from that SEQUENCE to the components, and then from the
>> components to their byte streams and lengths?
>> I assume it's some raw DER function like d2i_something.
> How about create a mem-bio backed by the buffer containing the raw data
> and then call d2i_RSAPublicKey_bio()?

That was it!  What threw me off is that the documentation says:

	 TYPE *d2i_TYPE(TYPE **a, unsigned char **ppin, long length);

but RSAPublicKey isn't a type.  So the pattern of TYPE being a structure 
name didn't hold.

(There is a d2i_RSAPublicKey() function, so I didn't need the BIO.)

For the record, here's the resulting set of calls:

X509 * = d2i_X509()
X509_PUBKEY * = X509_get_X509_PUBKEY()
RSA * = d2i_RSAPublicKey()

For a more standard certificate, the first 4 calls can be replaced by:

X509 * = d2i_X509()
EVP_PKEY * = X509_get_pubkey();
RSA * = EVP_PKEY_get1_RSA()
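
Added example, not part of the original message and not OpenSSL code: a minimal bounds-checked decoder for the SEQUENCE of two INTEGERs discussed in the thread, showing how the modulus and exponent bytes and lengths come out of the DER that d2i_RSAPublicKey() consumes. The names der_int, der_header, der_uint, rsa_pub_parse and sample_key are hypothetical, and the sample key is constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* A decoded INTEGER: view into the input, leading 0x00 sign byte removed. */
typedef struct { const uint8_t *p; size_t len; } der_int;

/* Constructed sample, not a real key: n = 0xC35A11, e = 65537. */
static const uint8_t sample_key[] = { 0x30, 0x0B,
    0x02, 0x04, 0x00, 0xC3, 0x5A, 0x11,   /* INTEGER n (0x00 keeps it positive) */
    0x02, 0x03, 0x01, 0x00, 0x01 };       /* INTEGER e */

/* Read tag + length; on success *pp points at the content. 0 on bad input. */
static int der_header(const uint8_t **pp, const uint8_t *end, uint8_t tag, size_t *out)
{
    const uint8_t *p = *pp;
    if (end - p < 2 || p[0] != tag) return 0;
    size_t len = p[1];
    p += 2;
    if (len & 0x80) {                         /* long form: 1..4 length bytes */
        size_t k = len & 0x7f;
        if (k == 0 || k > 4 || (size_t)(end - p) < k || p[0] == 0) return 0;
        for (len = 0; k > 0; k--) len = (len << 8) | *p++;
        if (len < 0x80) return 0;             /* DER demands the shortest form */
    }
    if ((size_t)(end - p) < len) return 0;    /* content must fit in the buffer */
    *pp = p; *out = len;
    return 1;
}

/* Read a non-negative INTEGER, rejecting empty, negative and padded encodings. */
static int der_uint(const uint8_t **pp, const uint8_t *end, der_int *v)
{
    size_t len;
    if (!der_header(pp, end, 0x02, &len) || len == 0) return 0;
    const uint8_t *p = *pp;
    if (p[0] & 0x80) return 0;                 /* high bit set: negative value */
    if (len > 1 && p[0] == 0 && !(p[1] & 0x80)) return 0;  /* needless padding */
    *pp = p + len;
    if (len > 1 && p[0] == 0) { p++; len--; }  /* drop the sign byte */
    v->p = p; v->len = len;
    return 1;
}

/* RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER } */
int rsa_pub_parse(const uint8_t *der, size_t der_len, der_int *n, der_int *e)
{
    const uint8_t *p = der, *end = der + der_len;
    size_t seq_len;
    if (!der_header(&p, end, 0x30, &seq_len) || (size_t)(end - p) != seq_len) return 0;
    return der_uint(&p, end, n) && der_uint(&p, end, e) && p == end;
}
```

On success n and e point into the caller's buffer, so the buffer must outlive them.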
