How can I extract the public key from the x.509 certificate? #278

Closed
tngan opened this issue Jul 4, 2015 · 6 comments

@tngan

tngan commented Jul 4, 2015

I have an x.509 certificate in string format, e.g. MIIB+jCCAWOgAwIBAgIB...
How can I extract the public key just using the string, without saving it as .pem manually first?

@dlongley
Member

dlongley commented Jul 4, 2015

// this string format is base64-encoded DER bytes
var certString = 'MIIB+jCCAWOgAwIBAgIB...';

// base64-decode DER bytes
var certDerBytes = forge.util.decode64(certString);

// parse DER to an ASN.1 object
var obj = forge.asn1.fromDer(certDerBytes);

// convert ASN.1 object to forge certificate object
var cert = forge.pki.certificateFromAsn1(obj);

// get forge public key object
var publicKey = cert.publicKey;

// `publicKey` can now be used to verify, encrypt, etc.
publicKey.verify(...);
publicKey.encrypt(...);

// if you did want to convert it to PEM format for transport:
var pem = forge.pki.publicKeyToPem(publicKey);

@tngan
Author

tngan commented Jul 5, 2015

It works, thanks very much.

@tngan tngan closed this as completed Jul 5, 2015
@petermikitsh

Works great! Thanks.

@kyeotic

kyeotic commented Oct 11, 2016

@dlongley I must be missing something, because I am getting an error when calling verify.

Encrypted message length is invalid.] length: 342, expected: 256

I am able to get the public key with the directions above. I have used this public key via the pem package, and validated this payload. I am confident it is correct.

I have tried

var md = forge.md.sha1.create()
md.update(jwt.payload, 'base64')
return key.verify(md.digest().getBytes(), jwt.signature)

and

var buf = new Buffer(jwt.payload, 'base64')
return key.verify(buf, jwt.signature)

both are failing. Am I using the verify method incorrectly?

@dlongley
Member

dlongley commented Oct 11, 2016

@tyrsius,

The message digest update API in forge 0.6.x does not support base64 as an encoding. It should really be throwing an error to warn you of this. You'll need to use: forge.util.decode64(foo) on your data to decode it first. Also, you may need to be using a base64url decoder library for JWTs -- they don't use standard base64 encoding.
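An added example, not code from this thread or from forge: a 256-byte RSA-2048 signature is 342 characters long while it is still base64url-encoded without padding, which is consistent with the length mismatch quoted above. The sketch uses Node's built-in `crypto` module rather than forge, the helper names are hypothetical, and the key and token are constructed at run time.

```javascript
// Added example: Node's built-in crypto module, not forge.
const crypto = require('crypto');

// base64url (RFC 7515) -> Buffer: swap the URL-safe alphabet, restore padding.
function base64urlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64 + '='.repeat((4 - (b64.length % 4)) % 4), 'base64');
}

// Buffer or string -> unpadded base64url.
function base64urlEncode(data) {
  return Buffer.from(data).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Verify an RS256 compact JWS. The signed bytes are the ASCII string
// "<header>.<payload>" exactly as transmitted, not the decoded payload.
function verifyRs256(token, publicKey) {
  const parts = token.split('.');
  if (parts.length !== 3) return false;
  const [header, payload, sig] = parts;
  let alg;
  try {
    alg = JSON.parse(base64urlDecode(header).toString('utf8')).alg;
  } catch (e) {
    return false; // header is not valid JSON
  }
  if (alg !== 'RS256') return false; // pin the algorithm expected by the verifier
  const signingInput = Buffer.from(header + '.' + payload, 'ascii');
  // The signature must be decoded to raw bytes before verification.
  return crypto.verify('sha256', signingInput, publicKey, base64urlDecode(sig));
}

// Constructed sample: throwaway 2048-bit key pair and token.
function makeSample() {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const header = base64urlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const payload = base64urlEncode(JSON.stringify({ sub: 'constructed-example' }));
  const sig = crypto.sign('sha256', Buffer.from(header + '.' + payload, 'ascii'), privateKey);
  return { publicKey, token: header + '.' + payload + '.' + base64urlEncode(sig) };
}
```
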

@yackermann

Cannot read public key. OID is not RSA.

*(
