
How should an RSA Public Key be exposed over HTTP?

We have a requirement to expose an RSA Public Key as an HTTP resource - so http://myhost.com/publickeys/akeyid returns a public key.

I would like to return it with a correct Internet Media Type. What should that be? I confess I find the crypto RFCs fairly impenetrable.

And as a bonus, how do I translate easily from and to that format using the java.security standard libraries?

(It's easy enough to go from and to a SubjectPublicKeyInfo byte array as defined in https://www.rfc-editor.org/rfc/rfc3280#section-4.1 using java.security.RSAPublicKey.getEncoded() to serialize to bytes and a java.security.spec.X509EncodedKeySpec to deserialize those same bytes; but I can't find a registered media type for that format, which suggests to me that I should be using some other format (an X.509 certificate?). But then I struggle to work out how to do the translation.)

Thanks.

Robert Elliot asked Oct 22 '13 11:10


1 Answer

One alternative would be to encode the PKCS#1 format RSA public key as a PEM file, and then use the MIME type:

   "application/x-pem-file"

References:

  • http://www.cryptosys.net/pki/rsakeyformats.html
  • http://pki-tutorial.readthedocs.org/en/latest/mime.html

Note: "application/x-pem-file" is not registered ... obviously! ... but is referenced in a number of catalogues of "file types".


You probably ought to deliver the key over HTTPS ...

Stephen C answered Nov 05 '22 17:11
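
A round trip between `java.security` keys and PEM text, as an added example that is not part of the original question or answer: it wraps the SubjectPublicKeyInfo bytes from `getEncoded()` under the `PUBLIC KEY` label (not the bare PKCS#1 `RSA PUBLIC KEY` structure, which `getEncoded()` does not produce), giving a body that could be served as `application/x-pem-file`. The class name, method names and the `minBits` parameter are hypothetical.

```java
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

public class RsaPublicKeyPem { // added example; all names here are hypothetical
    static final String HEADER = "-----BEGIN PUBLIC KEY-----";
    static final String FOOTER = "-----END PUBLIC KEY-----";

    // Wrap the DER SubjectPublicKeyInfo from getEncoded() in PEM armour, 64 chars per line.
    static String toPem(PublicKey key) {
        String body = Base64.getMimeEncoder(64, new byte[] {'\n'}).encodeToString(key.getEncoded());
        return HEADER + "\n" + body + "\n" + FOOTER + "\n";
    }

    // Parse a PEM block fetched from the key URL; accept only RSA keys of at least minBits.
    static RSAPublicKey fromPem(String pem, int minBits) throws GeneralSecurityException {
        String text = pem.trim();
        if (text.length() < HEADER.length() + FOOTER.length()
                || !text.startsWith(HEADER) || !text.endsWith(FOOTER)) {
            throw new GeneralSecurityException("not a PEM PUBLIC KEY block");
        }
        String body = text.substring(HEADER.length(), text.length() - FOOTER.length());
        byte[] der;
        try {
            der = Base64.getMimeDecoder().decode(body); // MIME decoder skips the line breaks
        } catch (IllegalArgumentException e) {
            throw new GeneralSecurityException("malformed base64 in PEM body", e);
        }
        // The RSA KeyFactory throws InvalidKeySpecException for non-RSA or corrupt DER.
        PublicKey key = KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
        RSAPublicKey rsa = (RSAPublicKey) key;
        if (rsa.getModulus().bitLength() < minBits) {
            throw new GeneralSecurityException("RSA modulus shorter than " + minBits + " bits");
        }
        return rsa;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        PublicKey original = gen.generateKeyPair().getPublic(); // constructed sample key
        String pem = toPem(original);
        System.out.print(pem);
        System.out.println("round trip equal: " + fromPem(pem, 2048).equals(original));
    }
}
```

A client that fetches the key should apply the same checks as `fromPem` (expected label, RSA algorithm, minimum modulus size) before using it to verify or encrypt anything.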