What is the PEM encoding for RSA public keys? #48

Open
erickt opened this issue Aug 7, 2019 · 2 comments

Comments

@erickt
Contributor

erickt commented Aug 7, 2019

In section 4.2, the spec states that RSA public keys are stored in PEM format, but may be vague. RSA PEM keys support two forms of encoding, RSAPublicKey form, as in:

-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEA4XLc9x7DX00eSQ4WvlqyojG1D/hr+X5Sn7dtd0Lq2MUarOqCRNDC
liKVni4ljwOADTn/+/JOgyS7Qf9RSi3KhKFMqEO83vKrbxJQHI4jK9kXlDtTPWmb
fdPzAMkc3tMNmp7M1DrYRUKR1++z5rb1AKCLIylhMp6j4oxOhKAc5ySKppMdr0EU
5Yih2kcqF/BmcIc6h/XNXS+iLOnOq9uT0+1VBhQ1iK542AM6XpXg3VADgq9PUzRf
ZfU4hVgbL6nTLH9j/lTyRn6Rl/rWgKSHo2xoAXrRTNJ5IEjfrSpsWrI4c9nSHs07
JosZDpmwJlC0GDET0ps18m1X8BTfj55UxQIDAQAB
-----END RSA PUBLIC KEY-----

And the newer SubjectPublicKeyInfo form, as in:

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4XLc9x7DX00eSQ4Wvlqy
ojG1D/hr+X5Sn7dtd0Lq2MUarOqCRNDCliKVni4ljwOADTn/+/JOgyS7Qf9RSi3K
hKFMqEO83vKrbxJQHI4jK9kXlDtTPWmbfdPzAMkc3tMNmp7M1DrYRUKR1++z5rb1
AKCLIylhMp6j4oxOhKAc5ySKppMdr0EU5Yih2kcqF/BmcIc6h/XNXS+iLOnOq9uT
0+1VBhQ1iK542AM6XpXg3VADgq9PUzRfZfU4hVgbL6nTLH9j/lTyRn6Rl/rWgKSH
o2xoAXrRTNJ5IEjfrSpsWrI4c9nSHs07JosZDpmwJlC0GDET0ps18m1X8BTfj55U
xQIDAQAB
-----END PUBLIC KEY-----

Should we support both forms of key encoding, or just one? Presumably we need to at least support SubjectPublicKeyInfo for ECDSA keys.

@trishankatdatadog
Member

I vote for only one: SubjectPublicKeyInfo (looks like what we do, but needs to be confirmed)

@lukpueh
Member

lukpueh commented Aug 8, 2019

Confirming what @trishankatdatadog says:
We, i.e. the TUF reference implementation via securesystemslib, expect the -----BEGIN PUBLIC KEY----- header when parsing RSA pubkeys.

The issue of different PEM formats (IIRC there are more than two) and how to parse them is discussed in secure-systems-lab/securesystemslib#54.

That said (and mildly in contrast to it), I don't think the spec needs to be more specific about the PEM format. The format is only important to parse out a key, in order to use it for signature creation/verification, which to me seems an implementation detail.

OTOH, when it comes to creating/verifying a signature over a piece of metadata that may contain public keys, the value of PUBLIC in { ..., "keyval" : {"public" : PUBLIC}} is just an opaque blob.
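The two PEM blocks quoted in the issue are the same RSA key encoded two ways: the PKCS#1 RSAPublicKey (SEQUENCE of modulus and exponent) and the X.509 SubjectPublicKeyInfo, which wraps that same RSAPublicKey in a BIT STRING behind an rsaEncryption AlgorithmIdentifier. The following is an added example, not code from this thread, from securesystemslib or from the TUF reference implementation: a standard-library-only Python parser that accepts either PEM label, checks the DER structure strictly (tags, lengths, no trailing bytes, rsaEncryption OID, zero unused bits), and normalises PKCS#1 input to the -----BEGIN PUBLIC KEY----- form that the thread says is expected. The key material is the one quoted above; all function names are the example's own.

```python
import base64
import re

# id-rsaEncryption (1.2.840.113549.1.1.1) followed by NULL parameters, DER-encoded.
RSA_ENCRYPTION_ALG = bytes.fromhex("06092a864886f70d010101") + b"\x05\x00"

# The two encodings of the same key, copied from the issue above (example input).
PKCS1_PEM = """-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEA4XLc9x7DX00eSQ4WvlqyojG1D/hr+X5Sn7dtd0Lq2MUarOqCRNDC
liKVni4ljwOADTn/+/JOgyS7Qf9RSi3KhKFMqEO83vKrbxJQHI4jK9kXlDtTPWmb
fdPzAMkc3tMNmp7M1DrYRUKR1++z5rb1AKCLIylhMp6j4oxOhKAc5ySKppMdr0EU
5Yih2kcqF/BmcIc6h/XNXS+iLOnOq9uT0+1VBhQ1iK542AM6XpXg3VADgq9PUzRf
ZfU4hVgbL6nTLH9j/lTyRn6Rl/rWgKSHo2xoAXrRTNJ5IEjfrSpsWrI4c9nSHs07
JosZDpmwJlC0GDET0ps18m1X8BTfj55UxQIDAQAB
-----END RSA PUBLIC KEY-----
"""
SPKI_PEM = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4XLc9x7DX00eSQ4Wvlqy
ojG1D/hr+X5Sn7dtd0Lq2MUarOqCRNDCliKVni4ljwOADTn/+/JOgyS7Qf9RSi3K
hKFMqEO83vKrbxJQHI4jK9kXlDtTPWmbfdPzAMkc3tMNmp7M1DrYRUKR1++z5rb1
AKCLIylhMp6j4oxOhKAc5ySKppMdr0EU5Yih2kcqF/BmcIc6h/XNXS+iLOnOq9uT
0+1VBhQ1iK542AM6XpXg3VADgq9PUzRfZfU4hVgbL6nTLH9j/lTyRn6Rl/rWgKSH
o2xoAXrRTNJ5IEjfrSpsWrI4c9nSHs07JosZDpmwJlC0GDET0ps18m1X8BTfj55U
xQIDAQAB
-----END PUBLIC KEY-----
"""
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def pem_to_der(pem):
    """Return (label, DER bytes) for the first PEM block found in `pem`."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()), validate=True)

def _tlv(buf, pos, tag):
    """Read the DER element at buf[pos], require `tag`; return (value, end offset)."""
    if buf[pos] != tag:
        raise ValueError(f"expected DER tag 0x{tag:02x}, got 0x{buf[pos]:02x}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits give the byte count
        count = length & 0x7F
        if not 1 <= count <= 4:
            raise ValueError("unsupported DER length encoding")
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    end = pos + length
    if end > len(buf):
        raise ValueError("DER value runs past end of data")
    return buf[pos:end], end

def parse_rsa_public_key(der):
    """PKCS#1: RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    seq, end = _tlv(der, 0, 0x30)
    n_bytes, pos = _tlv(seq, 0, 0x02)
    e_bytes, pos = _tlv(seq, pos, 0x02)
    if end != len(der) or pos != len(seq):
        raise ValueError("trailing bytes in RSAPublicKey")
    n, e = (int.from_bytes(b, "big", signed=True) for b in (n_bytes, e_bytes))
    if n <= 0 or e <= 0:                   # DER INTEGER is two's complement
        raise ValueError("RSA modulus and exponent must be positive")
    return n, e

def parse_spki(der):
    """X.509: SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING }."""
    seq, end = _tlv(der, 0, 0x30)
    alg, pos = _tlv(seq, 0, 0x30)
    bits, pos = _tlv(seq, pos, 0x03)
    if end != len(der) or pos != len(seq):
        raise ValueError("trailing bytes in SubjectPublicKeyInfo")
    if alg != RSA_ENCRYPTION_ALG or bits[:1] != b"\x00":
        raise ValueError("not an rsaEncryption key with zero unused bits")
    return parse_rsa_public_key(bits[1:])  # BIT STRING payload is an RSAPublicKey

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def wrap_in_spki(rsa_public_key_der):
    """Wrap PKCS#1 RSAPublicKey DER into rsaEncryption SubjectPublicKeyInfo DER."""
    alg = b"\x30" + _der_len(len(RSA_ENCRYPTION_ALG)) + RSA_ENCRYPTION_ALG
    bits = b"\x00" + rsa_public_key_der    # leading byte: number of unused bits
    body = alg + b"\x03" + _der_len(len(bits)) + bits
    return b"\x30" + _der_len(len(body)) + body

def to_spki_pem(pem):
    """Normalise either PEM form to -----BEGIN PUBLIC KEY----- (SubjectPublicKeyInfo)."""
    label, der = pem_to_der(pem)
    if label == "RSA PUBLIC KEY":
        der = wrap_in_spki(der)
    parse_spki(der)                        # rejects other labels and non-RSA keys
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{lines}\n-----END PUBLIC KEY-----\n"

def load_rsa_public_key(pem):
    """Return (n, e) for a PEM in either encoding, by normalising to SPKI first."""
    return parse_spki(pem_to_der(to_spki_pem(pem))[1])
```

Wrapping the PKCS#1 blob from the issue reproduces the SubjectPublicKeyInfo blob byte for byte, which is a convenient way to confirm the two PEMs really are one key. The hand-rolled DER walker is here to make the structure visible; in real code a maintained library such as pyca/cryptography's load_pem_public_key (which accepts both labels) should do the parsing, and the structural checks above (no trailing bytes, expected OID, zero unused bits) are what such a library enforces for you.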
