erlang-jose
Cannot import RSA key from DER using SubjectPublicKeyInfo field
I need to exchange public keys between an Erlang service and AWS Key Management Service (KMS). KMS exports public keys in DER format, using the SubjectPublicKeyInfo field. erlang-jose is able to import Elliptic Curve keys in this format, but not RSA ones. Here's a demonstration of the steps to reproduce.
```erlang
-module(native).
-export([export_pubkey/1, import_pubkey/1]).

%% Export the public half of a JWK as base64-encoded DER (SubjectPublicKeyInfo).
export_pubkey(KeyPair) ->
    PubKey = jose_jwk:to_public(KeyPair),
    case jose_jwk:to_der(PubKey) of
        {_, Key} -> base64:encode(Key)
    end.

%% Import a base64-encoded DER public key back into a JWK.
import_pubkey(Base64PubKey) ->
    jose_jwk:from_der(base64:decode(Base64PubKey)).
```
```erlang
ErlEcB64PubKey = native:export_pubkey(jose_jwk:generate_key({ec, secp521r1})).
ErlRsaB64PubKey = native:export_pubkey(jose_jwk:generate_key({rsa, 2048})).
KmsEcB64PubKey = <<"MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBmZrMzcA/2+KJ+3+0VyRuLtcIe3JicanmFPKKBi+ugVDG1Uf02tFLYehP2MSp3o56gp4Y4s9SBMsrFh3dFR/qz4cA1xHyTGLeAWwhZSBzb8oxH+n+N0Z3qxzTN5UzBeEk2y/oqFI5iNvSf+1ALDt66xC/E06vOC3Q1kM5kATWYIDVNAk=">>.
KmsRsaB64PubKey = <<"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4UJLZ9GqN9i1oNcdi5j0etJE5hhOvnk7NeLCr4rJYjzcrWOy8wFe3Cslae0fNdBTmoK2o/cql7Is8lCM/xlF4goTHpwIlaHFF7ZxcsyPgDC81ko8V+edagT0fzMsiqWmRKtxZsR40JAVcfYfMMfTisi6GB2CnbPkgabjTBVWZdffQkh2WYzGZSfeLAE7W7oUjZ7fZWnZtSs5fCwy98psclZlG0crefKlraFukP/7o5vqHLnvXKUltvpT5RmXp3l5tkWsFgZw+bzManQxZRJSsuzjxutELrVUBRUMDyCLBi/GviFv+tV9zwdyZQWCkNwTgPl/Vnpa1G7aUK8qv7S2ywIDAQAB">>.
```
As expected, erlang-jose can import RSA and EC keys it itself exported:
```erlang
native:import_pubkey(ErlEcB64PubKey).
%% =>
{jose_jwk,undefined,
          {jose_jwk_kty_ec,{{'ECPoint',<<4,0,9,32,100,98,109,175,
                                         65,115,207,106,249,36,187,
                                         61,35,233,223,10,220,...>>},
                            {namedCurve,{1,3,132,0,35}}}},
          #{}}

native:import_pubkey(ErlRsaB64PubKey).
%% =>
{jose_jwk,undefined,
          {jose_jwk_kty_rsa,{'RSAPublicKey',29229431251077342377711301528098719337896144290518787223367061785244191329262768961018711585394071187981025672037878190835135127726248187994392465207511089015582817985855824990317384034847100689716200472731903910935125947878646658003343463414244237265752705896716703550484577297595268886931844681766995644861812625873054865363460817837971278157126809520544029737464526278541718172171981744425540812988727408219955935829871837899599917063002839997929569475286063354139567400340393996505479602139198338949241290421025423995089557706458268328760435344663681209750368744850807160709504071226258763100111421663273336503673,
                                            65537}},
          #{}}
```
It can also import an EC key exported from KMS:
```erlang
native:import_pubkey(KmsEcB64PubKey).
%% =>
{jose_jwk,undefined,
          {jose_jwk_kty_ec,{{'ECPoint',<<4,1,153,154,204,205,192,
                                         63,219,226,137,251,127,
                                         180,87,36,110,46,215,8,
                                         123,...>>},
                            {namedCurve,{1,3,132,0,35}}}},
          #{}}
```
However, when trying to import an RSA key exported by KMS, I get an error:
```erlang
native:import_pubkey(KmsRsaB64PubKey).
%% =>
{error,{unknown_key,{'SubjectPublicKeyInfo',{'AlgorithmIdentifier',{1,
                                                                    2,840,113549,1,1,1},
                                                                   <<5,0>>},
                                             <<48,130,1,10,2,130,1,1,0,225,66,75,103,209,170,55,216,
                                               181,160,215,29,139,...>>}}}
```
I'm happy to fix this and send a pull request, but I thought I'd open an issue first to see if this is something that you're aware of and think is worth supporting. :)
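The error above shows that the DER is a well-formed SubjectPublicKeyInfo whose AlgorithmIdentifier is rsaEncryption (OID 1.2.840.113549.1.1.1, NULL parameters) and whose subjectPublicKey bit string carries a plain RSAPublicKey sequence; erlang-jose simply does not unwrap that envelope for RSA the way it does for EC. As an added example, not code from the issue or from the erlang-jose project, the module below imports the same base64 SPKI bytes by letting OTP's `public_key` module unwrap the envelope and then handing the inner key record to `jose_jwk:from_key/1`. The module name `spki_import`, the function names, and the `roundtrip/1` self-check are chosen here for illustration; it assumes an OTP whose `public_key:pem_entry_decode/1` accepts a `{'SubjectPublicKeyInfo', Der, not_encrypted}` entry (OTP 17 and later) and that `jose_jwk:from_key/1` accepts `public_key` key records.

```erlang
%% Added example, not code from the issue or from erlang-jose.
%% Imports a DER SubjectPublicKeyInfo (RSA or EC) into a JWK by unwrapping the
%% SPKI envelope with OTP's public_key module first. Module and function names
%% are illustrative; the jose_jwk:from_key/1 and pem_entry_decode/1 behaviour
%% relied on here is an assumption about those libraries, not taken from the page.
-module(spki_import).
-export([import_pubkey/1, roundtrip/1]).

-include_lib("public_key/include/public_key.hrl").

%% Base64PubKey: base64 of a DER SubjectPublicKeyInfo (the format KMS exports).
%% Returns {ok, JWK} or {error, Reason}; malformed input never crashes the caller.
import_pubkey(Base64PubKey) when is_binary(Base64PubKey) ->
    try
        Der = base64:decode(Base64PubKey),
        %% pem_entry_decode/1 inspects the AlgorithmIdentifier inside the
        %% SubjectPublicKeyInfo and decodes the subjectPublicKey accordingly:
        %%   rsaEncryption  -> #'RSAPublicKey'{}
        %%   id-ecPublicKey -> {#'ECPoint'{}, {namedCurve, Oid}}
        case public_key:pem_entry_decode({'SubjectPublicKeyInfo', Der, not_encrypted}) of
            #'RSAPublicKey'{} = Rsa ->
                {ok, jose_jwk:from_key(Rsa)};
            {#'ECPoint'{}, {namedCurve, _Oid}} = Ec ->
                {ok, jose_jwk:from_key(Ec)};
            Other ->
                %% e.g. a DSA key or an EC key with explicit (non-named) params
                {error, {unsupported_key, Other}}
        end
    catch
        Class:Reason ->
            %% Bad base64 or DER that does not parse as SubjectPublicKeyInfo.
            {error, {bad_spki, Class, Reason}}
    end.

%% Self-check: export a key pair's public half with jose_jwk:to_der/1, import it
%% through import_pubkey/1 and confirm the JWK serialises back to identical DER.
roundtrip(KeyPair) ->
    Pub = jose_jwk:to_public(KeyPair),
    {_, Der} = jose_jwk:to_der(Pub),
    {ok, Imported} = import_pubkey(base64:encode(Der)),
    {_, Der2} = jose_jwk:to_der(Imported),
    Der =:= Der2.
```

In the shell, `spki_import:import_pubkey(KmsRsaB64PubKey)` returns `{ok, JWK}` with a `jose_jwk_kty_rsa` key for the KMS RSA bytes above, and `spki_import:roundtrip(jose_jwk:generate_key({rsa, 2048}))` returns `true`; the same call with `{ec, secp521r1}` exercises the EC branch. Because the decoded DER is a public key, the only checks worth adding before trusting it are on the key itself (RSA modulus size, expected curve), which is where a caller would pattern-match on `#'RSAPublicKey'{modulus = N}` or the curve OID before accepting the JWK.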