I have a .pem file (cryptography information encoded in base64). Which OpenSSL command line should be used to determine if it contains a public key or private key?
In general, you need to check the first line of the PEM file to determine what is present.
OpenSSL can detect a subset of the available encoded things (for lack of a better term). You can see a list of what OpenSSL can decode by examining <openssl src>/crypto/pem/pem.h. From the file:

    #define PEM_STRING_X509_OLD     "X509 CERTIFICATE"
    #define PEM_STRING_X509         "CERTIFICATE"
    #define PEM_STRING_X509_PAIR    "CERTIFICATE PAIR"
    #define PEM_STRING_X509_TRUSTED "TRUSTED CERTIFICATE"
    #define PEM_STRING_X509_REQ_OLD "NEW CERTIFICATE REQUEST"
    #define PEM_STRING_X509_REQ     "CERTIFICATE REQUEST"
    #define PEM_STRING_X509_CRL     "X509 CRL"
    #define PEM_STRING_EVP_PKEY     "ANY PRIVATE KEY"
    #define PEM_STRING_PUBLIC       "PUBLIC KEY"
    #define PEM_STRING_RSA          "RSA PRIVATE KEY"
    #define PEM_STRING_RSA_PUBLIC   "RSA PUBLIC KEY"
    #define PEM_STRING_DSA          "DSA PRIVATE KEY"
    #define PEM_STRING_DSA_PUBLIC   "DSA PUBLIC KEY"
    #define PEM_STRING_PKCS7        "PKCS7"
    #define PEM_STRING_PKCS7_SIGNED "PKCS #7 SIGNED DATA"
    #define PEM_STRING_PKCS8        "ENCRYPTED PRIVATE KEY"
    #define PEM_STRING_PKCS8INF     "PRIVATE KEY"
    #define PEM_STRING_DHPARAMS     "DH PARAMETERS"
    #define PEM_STRING_SSL_SESSION  "SSL SESSION PARAMETERS"
    #define PEM_STRING_DSAPARAMS    "DSA PARAMETERS"
    #define PEM_STRING_ECDSA_PUBLIC "ECDSA PUBLIC KEY"
    #define PEM_STRING_ECPARAMETERS "EC PARAMETERS"
    #define PEM_STRING_ECPRIVATEKEY "EC PRIVATE KEY"
    #define PEM_STRING_PARAMETERS   "PARAMETERS"
    #define PEM_STRING_CMS          "CMS"

Some things will be more difficult than others. For example, it is obvious what an RSA PUBLIC KEY is, but it is not so obvious what a PUBLIC KEY is. In this case, you do one of two things. First, you decode the thing using ASN.1/DER and then look at its OID, if available. Second, you try to load it into the data structure you expect it to be.
As an example of the second strategy, you would try to load the PEM blob as an RSA private key using PEM_read_bio_RSAPrivateKey. If it succeeds, then it is an RSA private key. If it fails, then it may be a damaged RSA private key, or it may be an EC private key, or it may not be a PEM blob.
In 2006, a request was made in the PKIX working group to standardize the names of things. It fell on deaf ears at the IETF. See Request a black and white version of a PEM file.
jww
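The first strategy from the answer above (read the PEM label, then decode the DER and look at the OID when the label is generic), as an added Python example that is not part of the original answer and not OpenSSL code. The OID table, the function names and the all-zero sample keys are assumptions made for illustration.

```python
import base64, re

# PEM labels taken from the pem.h list above that state the key kind outright.
PRIVATE = {"RSA PRIVATE KEY", "DSA PRIVATE KEY", "EC PRIVATE KEY",
           "PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "ANY PRIVATE KEY"}
PUBLIC = {"PUBLIC KEY", "RSA PUBLIC KEY", "DSA PUBLIC KEY", "ECDSA PUBLIC KEY"}
# Assumption: a small OID table chosen for this example, not OpenSSL's own.
OIDS = {"1.2.840.113549.1.1.1": "RSA", "1.2.840.10040.4.1": "DSA",
        "1.2.840.10045.2.1": "EC", "1.3.101.112": "Ed25519"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode OID content bytes (first arc 0 or 1, enough for key OIDs)."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def classify(pem_text):
    """Return (kind, label, algorithm) for the first PEM block in pem_text."""
    m = re.search(r"-----BEGIN ([A-Z0-9 #]+)-----(.*?)-----END \1-----", pem_text, re.S)
    if not m:
        return ("not PEM", None, None)
    label, body, algorithm = m.group(1), m.group(2), None
    kind = "private" if label in PRIVATE else "public" if label in PUBLIC else "other"
    if label in ("PUBLIC KEY", "PRIVATE KEY"):   # generic: algorithm is in the OID
        _, seq, _ = read_tlv(base64.b64decode("".join(body.split())), 0)
        tag, val, nxt = read_tlv(seq, 0)
        if tag == 0x02:                    # PKCS#8: version INTEGER comes first
            tag, val, nxt = read_tlv(seq, nxt)
        oid = decode_oid(read_tlv(val, 0)[1])
        algorithm = OIDS.get(oid, oid)
    return (kind, label, algorithm)

def make_pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.encodebytes(der).decode()}-----END {label}-----\n"

# Constructed samples: Ed25519 structures whose 32 key bytes are all zero.
SPKI = bytes.fromhex("302a300506032b6570032100") + bytes(32)
PKCS8 = bytes.fromhex("302e020100300506032b657004220420") + bytes(32)
print(classify(make_pem("PUBLIC KEY", SPKI)))
print(classify(make_pem("PRIVATE KEY", PKCS8)))
```

The label alone answers the public-or-private question; the OID step only matters for the generic PUBLIC KEY and PRIVATE KEY labels, where the algorithm is not in the name.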