Thanks Dave's quick and detail explanation. I use RSA_print_fp to dump RSA in EVP_PKEY.
Now I use i2d_RSAPublicKey() to encode on RSA* from EVP_PKEY which will show same as browser. Thanks a lot. One more thing, I find use i2d_RSAPublicKey() will be get same public between openssl API and browser for some sites (twitter.com, developer.apple.com), but for www.google.com, I find that is not exactly same (just has same begin 30 82 01 0a 02 82 01 01 and others are not same). so why google is not same? On Tue, Oct 28, 2014 at 3:41 PM, Dave Thompson <dthomp...@prinpay.com> wrote: >> From: owner-openssl-us...@openssl.org On Behalf Of Jerry OELoo >> Sent: Tuesday, October 28, 2014 02:03 > >> I use SSL_get_peer_certificate(), X509_get_pubkey() API to get web >> site https certificate public key, when I dump public key, I find >> which is not same as I see in browser (In Chrome, click padlock in URL >> address bar, -> Connection -> Certificate information -> >> Certificate->Details -> Public Key (field) ). >> >> I am curious about what are these two kind of public key data? >> >> > On Windows (at least) Chrome (like IE) uses the Windows cert display > which displays the subjectPublicKey value as encoded in the cert > where it is DER nested in opaque OCTET STRING for extensibility. > I don't know Chrome on other platforms but I'd expect it's the same. > > openssl stores and X509_get_pubkey() returns an EVP_PKEY structure, > which has been decoded from the cert and converted to internal form, > ready to be used by openssl logic to do things like encrypt a > premaster for akRSA or verify a signature for (EC)DHE . > > How are you "dump"ing it and what type of key is it? > If you mean EVP_PKEY_print_public (which is the simplest way) > on an RSA key (which is the most common on the public web), > that displays the two fields, pubexpt and modulus, separately. > > If you want to get an encoding that should match what is shown > in your browser, use i2d_RSAPublicKey on an RSA* extracted > from the EVP_PKEY* or the DSA or ECC equivalents as appropriate. > Alternatively encode the whole EVP_PKEY to an X509 "SPKI" > with i2d_PUBKEY, and then discard the outer (prefixed) SEQUENCE > and the AlgorithmIdentifier and the tag and length, leaving only > the value part of the subjectPublicKey field. > > Alternatively, take the encoding shown in the browser and parse > as DER to extract the fields of the publickey. For RSA this is easy; > for DSA parameters are fairly complicated; for ECC parameters > can be very complicated if explicit but that is rarely used, and the > public point value can be compressed which is a little confusing. > > > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users@openssl.org > Automated List Manager majord...@openssl.org -- Rejoice,I Desire! ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
