Strange code that generates a private key from a public one

jadorushi · April 4, 2020, 11:47am

I have this code with was written by someone else:

  @key "f266HhqytuyaIIaqfAgh5893425[and so on]"

  def pubkey(), do: @key


  @rsakey @key
    |> Base.decode64!()
    |> :erlang.binary_to_list()
    |> Enum.slice(26..-1)
    |> :erlang.list_to_binary()
    |> (&(:public_key.der_decode(:RSAPrivateKey, &1))).()

And then a jwt token is signed with it:

  def sign(input) do
      signature = :public_key.sign(input, :sha256, @rsakey)
      Base.url_encode64(signature, padding: false)
  end

Fact - from a private key a public one can be generated.
But in this code it’s not the case - from a public key a private one is indeed generated.

The code works properly.

How can that be?

Or may be the code is meant to do something else? Meaning, @rsakey isn’t trully a private key but some derivative used only to sing a jwt in a simple manner that’s good enough for the task?

voltone · April 4, 2020, 12:13pm

That code is a (slightly convoluted) way to chop the first 26 bytes off of the encoded data, and then treat the rest as a DER encoded RSA private key. So whatever that whole data structure is called, it embeds a full RSA private key. No private key is derived from a public key.

jadorushi · April 5, 2020, 10:44am

It produces a tuple which is RSAPrivateKey


  {
    :RSAPrivateKey,
    :"two-prime",

    # multiple long numbers here

}

How, if there’s no deriving of a private key here?

voltone · April 5, 2020, 11:01am

There is a private key, it’s just not derived: the @key attribute has the private key inside it, the @rsakey is set by extracting and decoding it. This means @key cannot be called a public key: making it public would expose the private key.

Not sure how @key is used in a context where a public key is needed. Presumably some code exists somewhere that extracts/decodes the public part of the key.