
Format of RSA public key inside X.509 certificate


I am trying to verify my understanding related to some aspects of RSA public key encoding.

First, here is my line of thought, please correct me if I am wrong:

  1. A public key in its most basic form is an ASN.1 format, which is a structured way to describe the key.
  2. The DER format is a representation in octets of the ASN.1 language format.
  3. The PEM format is just a base 64 over the DER octets, surrounded by the additional "-----BEGIN.." and "...END-----" headers and footers.

Let's say we have an X.509 certificate, which contains an RSA public key inside. The certificate contains the RSA public key in the DER format (octets representing the modulus and exponent), as far as my understanding goes.

And now the question: Is there a way to tell if the public key contained in the X.509 certificate is in PKCS1 or another format?


Solution

  • There is no way I could tell if the public key contained in the X.509 certificate is in PKCS1 or another format, as it is not in PEM format, right?

    The certificate contains the public key in what is now called the SubjectPublicKeyInfo format (which as a standalone concept gets the PEM name "PUBLIC KEY"), because that's the data type from the spec:

    TBSCertificate  ::=  SEQUENCE  {
        <snip />
        subjectPublicKeyInfo SubjectPublicKeyInfo,
        <snip />
        }
    
    SubjectPublicKeyInfo  ::=  SEQUENCE  {
        algorithm            AlgorithmIdentifier,
        subjectPublicKey     BIT STRING  }
    

    The SubjectPublicKeyInfo.algorithm value concurrently identifies the format of the data in SubjectPublicKeyInfo.subjectPublicKey and the algorithm that key uses.

    From IETF RFC 3279 we learn:

    The OID rsaEncryption identifies RSA public keys.

     pkcs-1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
                    rsadsi(113549) pkcs(1) 1 }
    
      rsaEncryption OBJECT IDENTIFIER ::=  { pkcs-1 1}
    

    The rsaEncryption OID is intended to be used in the algorithm field of a value of type AlgorithmIdentifier. The parameters field MUST
    have ASN.1 type NULL for this algorithm identifier.

    The RSA public key MUST be encoded using the ASN.1 type RSAPublicKey:

      RSAPublicKey ::= SEQUENCE {
         modulus            INTEGER,    -- n
         publicExponent     INTEGER  }  -- e
    

    where modulus is the modulus n, and publicExponent is the public
    exponent e. The DER encoded RSAPublicKey is the value of the BIT
    STRING subjectPublicKey.

    So, RSA keys, identified by the OID 1.2.840.113549.1.1.1, use the RSAPublicKey format which was originally defined in the spec called PKCS#1.
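
As an added example (not part of the original answer), the Python code below uses only the standard library to walk a DER-encoded SubjectPublicKeyInfo, check that the algorithm OID is rsaEncryption with NULL parameters, and decode the RSAPublicKey carried in the BIT STRING. The sample bytes are a constructed toy key (n = 3233, e = 65537), and the function names are this example's own.

```python
RSA_ENCRYPTION = "1.2.840.113549.1.1.1"  # rsaEncryption OID from the answer

# Constructed sample: SPKI for a toy key (n = 3233, e = 65537), not a real key.
SAMPLE_SPKI = bytes.fromhex(
    "301d"                            # SubjectPublicKeyInfo SEQUENCE
    "300d06092a864886f70d0101010500"  # AlgorithmIdentifier { rsaEncryption, NULL }
    "030c00"                          # BIT STRING header, 0 unused bits
    "300902020ca10203010001"          # RSAPublicKey { modulus, publicExponent }
)

def read_tlv(buf, pos, want_tag):
    """Return (value, next_pos) for the DER element at pos, checking its tag."""
    if pos + 2 > len(buf) or buf[pos] != want_tag:
        raise ValueError(f"expected DER tag {want_tag:#x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode the content octets of a DER OBJECT IDENTIFIER to dotted form."""
    arcs, value = [], 0
    for octet in body:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:  # high bit clear marks the last octet of an arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def parse_spki(der):
    """Return (algorithm_oid, n, e); raise ValueError unless it is rsaEncryption."""
    spki, _ = read_tlv(der, 0, 0x30)
    alg, pos = read_tlv(spki, 0, 0x30)
    oid_body, p = read_tlv(alg, 0, 0x06)
    oid = decode_oid(oid_body)
    if oid != RSA_ENCRYPTION:
        raise ValueError(f"not an RSA key: algorithm OID is {oid}")
    read_tlv(alg, p, 0x05)  # RFC 3279: parameters MUST be NULL
    bits, _ = read_tlv(spki, pos, 0x03)
    if bits[:1] != b"\x00":
        raise ValueError("BIT STRING must have zero unused bits")
    rsa_key, _ = read_tlv(bits[1:], 0, 0x30)  # the PKCS#1 RSAPublicKey
    n, p = read_tlv(rsa_key, 0, 0x02)
    e, _ = read_tlv(rsa_key, p, 0x02)
    return oid, int.from_bytes(n, "big"), int.from_bytes(e, "big")
```

The format decision is made entirely from the OID: a SubjectPublicKeyInfo with a different algorithm OID is rejected before the BIT STRING contents are interpreted.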