I have this code with was written by someone else:
@key "f266HhqytuyaIIaqfAgh5893425[and so on]"
def pubkey(), do: @key
|> (&(:public_key.der_decode(:RSAPrivateKey, &1))).()
And then a jwt token is signed with it:
def sign(input) do
signature = :public_key.sign(input, :sha256, @rsakey)
Base.url_encode64(signature, padding: false)
Fact - from a private key a public one can be generated.
But in this code it’s not the case - from a public key a private one is indeed generated.
The code works properly.
How can that be?
Or may be the code is meant to do something else? Meaning,
@rsakey isn’t trully a private key but some derivative used only to sing a jwt in a simple manner that’s good enough for the task?
That code is a (slightly convoluted) way to chop the first 26 bytes off of the encoded data, and then treat the rest as a DER encoded RSA private key. So whatever that whole data structure is called, it embeds a full RSA private key. No private key is derived from a public key.
It produces a tuple which is
# multiple long numbers here
How, if there’s no deriving of a private key here?
There is a private key, it’s just not derived: the
@key attribute has the private key inside it, the
@rsakey is set by extracting and decoding it. This means
@key cannot be called a public key: making it public would expose the private key.
Not sure how
@key is used in a context where a public key is needed. Presumably some code exists somewhere that extracts/decodes the public part of the key.