Strange code that generates a private key from a public one

I have this code with was written by someone else:

  @key "f266HhqytuyaIIaqfAgh5893425[and so on]"

  def pubkey(), do: @key

  @rsakey @key
    |> Base.decode64!()
    |> :erlang.binary_to_list()
    |> Enum.slice(26..-1)
    |> :erlang.list_to_binary()
    |> (&(:public_key.der_decode(:RSAPrivateKey, &1))).()

And then a jwt token is signed with it:

  def sign(input) do
      signature = :public_key.sign(input, :sha256, @rsakey)
      Base.url_encode64(signature, padding: false)

Fact - from a private key a public one can be generated.
But in this code it’s not the case - from a public key a private one is indeed generated.

The code works properly.

How can that be?

Or may be the code is meant to do something else? Meaning, @rsakey isn’t trully a private key but some derivative used only to sing a jwt in a simple manner that’s good enough for the task?

That code is a (slightly convoluted) way to chop the first 26 bytes off of the encoded data, and then treat the rest as a DER encoded RSA private key. So whatever that whole data structure is called, it embeds a full RSA private key. No private key is derived from a public key.


It produces a tuple which is RSAPrivateKey


    # multiple long numbers here


How, if there’s no deriving of a private key here?

There is a private key, it’s just not derived: the @key attribute has the private key inside it, the @rsakey is set by extracting and decoding it. This means @key cannot be called a public key: making it public would expose the private key.

Not sure how @key is used in a context where a public key is needed. Presumably some code exists somewhere that extracts/decodes the public part of the key.