> From: owner-openssl-us...@openssl.org On Behalf Of Jerry OELoo
> Sent: Tuesday, October 28, 2014 02:03

> I use SSL_get_peer_certificate(), X509_get_pubkey() API to get web
> site https certificate public key, when I dump public key, I find
> which is not same as I see in browser (In Chrome, click padlock in URL
> address bar, -> Connection -> Certificate information ->
> Certificate->Details -> Public Key (field) ).
>
> I am curious about what are these two kinds of public key data?
>

On Windows (at least) Chrome (like IE) uses the Windows cert display which displays the subjectPublicKey value as encoded in the cert where it is DER nested in opaque OCTET STRING for extensibility. I don't know Chrome on other platforms but I'd expect it's the same.

openssl stores and X509_get_pubkey() returns an EVP_PKEY structure, which has been decoded from the cert and converted to internal form, ready to be used by openssl logic to do things like encrypt a premaster for akRSA or verify a signature for (EC)DHE.

How are you "dump"ing it and what type of key is it? If you mean EVP_PKEY_print_public (which is the simplest way) on an RSA key (which is the most common on the public web), that displays the two fields, pubexpt and modulus, separately.

If you want to get an encoding that should match what is shown in your browser, use i2d_RSAPublicKey on an RSA* extracted from the EVP_PKEY* or the DSA or ECC equivalents as appropriate. Alternatively encode the whole EVP_PKEY to an X509 "SPKI" with i2d_PUBKEY, and then discard the outer (prefixed) SEQUENCE and the AlgorithmIdentifier and the tag and length, leaving only the value part of the subjectPublicKey field.

Alternatively, take the encoding shown in the browser and parse as DER to extract the fields of the public key. For RSA this is easy; for DSA parameters are fairly complicated; for ECC parameters can be very complicated if explicit but that is rarely used, and the public point value can be compressed which is a little confusing.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
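The i2d_PUBKEY route described in the reply above, as an added example that is not part of the original message and not OpenSSL code: a small DER walker that takes SubjectPublicKeyInfo bytes and returns only the key bytes a certificate viewer displays. The names `der_header`, `spki_key_bytes` and `SAMPLE_SPKI` are hypothetical, and the sample is a constructed toy RSA key; for a real key the input would be the buffer written by i2d_PUBKEY.

```c
#include <stddef.h>
#include <stdio.h>
/* Read one DER tag+length header at p (n bytes available). Returns the
 * header size and stores the content length, or returns 0 on error. */
static size_t der_header(const unsigned char *p, size_t n,
                         unsigned char tag, size_t *clen)
{
    size_t i, nb = 0, len;
    if (n < 2 || p[0] != tag) return 0;
    len = p[1];                          /* short form: length < 0x80 */
    if (len >= 0x80) {                   /* long form: nb length octets follow */
        nb = len & 0x7f; len = 0;
        if (nb == 0 || nb > sizeof(size_t) || n < 2 + nb) return 0;
        for (i = 0; i < nb; i++) len = (len << 8) | p[2 + i];
    }
    if (len > n - 2 - nb) return 0;      /* content must fit in the buffer */
    *clen = len;
    return 2 + nb;
}

/* Given DER SubjectPublicKeyInfo, point *key at the key bytes inside the
 * subjectPublicKey field. Returns 0 on success, -1 on malformed input. */
int spki_key_bytes(const unsigned char *der, size_t n,
                   const unsigned char **key, size_t *klen)
{
    size_t h, len;
    if (!(h = der_header(der, n, 0x30, &len))) return -1; /* outer SEQUENCE */
    der += h; n = len;
    if (!(h = der_header(der, n, 0x30, &len))) return -1; /* AlgorithmIdentifier */
    der += h + len; n -= h + len;                         /* skip it whole */
    if (!(h = der_header(der, n, 0x03, &len))) return -1; /* BIT STRING tag */
    if (len < 1 || der[h] != 0x00) return -1;  /* leading unused-bits octet */
    *key = der + h + 1;
    *klen = len - 1;
    return 0;
}
/* Constructed sample: SPKI for a toy RSA key (modulus 0xC35B, e = 65537). */
static const unsigned char SAMPLE_SPKI[] = {
    0x30,0x1e, 0x30,0x0d, 0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x01,
    0x05,0x00, 0x03,0x0d,0x00,
    0x30,0x0a, 0x02,0x03,0x00,0xc3,0x5b, 0x02,0x03,0x01,0x00,0x01 };

int main(void)
{
    const unsigned char *k; size_t kl, i;
    if (spki_key_bytes(SAMPLE_SPKI, sizeof SAMPLE_SPKI, &k, &kl)) return 1;
    for (i = 0; i < kl; i++) printf("%02x%c", k[i], i + 1 < kl ? ' ' : '\n');
    return 0;
}
```

For an RSA key the returned bytes are the RSAPublicKey SEQUENCE (modulus, then exponent), the same bytes i2d_RSAPublicKey produces.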