What causes "Neither PUB key nor PRIV key:: nested asn1 error" when building a public key in ruby?


Solution 1

A pem file is not a public key, it is a base64-encoded X509 certificate that contains, among its many fields, a public key. I don't know Ruby, or the OpenSSL ruby module, but I would look for some function that reads in PEM files and outputs an X509 certificate, then another function to extract the public key from the certificate.

Solution 2

I've got the same problem and it had a different cause. Now guess what :)

...

The damn password was wrong :( Searched 3 days for that "solution". Could have been a "Sorry dude, that's the wrong password!" instead of "nested asn1 error" imho but anyways, maybe this will help somebody.

Solution 3

If you are using dotenv for instance, you have to surround the value with " and have \n for newlines.

PRIVATE_KEY="-----BEGIN RSA PRIVATE KEY-----\nMIICW  ... UcuUtU0eIl\n-----END RSA PRIVATE KEY-----"

Solution 4

Make sure your .pem files are in this format.

public_key_file.pem:

-----BEGIN PUBLIC KEY-----

// Your public key goes here

-----END PUBLIC KEY-----

private_key_file.pem:

-----BEGIN RSA PRIVATE KEY-----

// Your private key goes here

-----END RSA PRIVATE KEY-----

Solution 5

I had a similar problem too, but for me I wasn't creating a pem file for my id_rsa.pub file in the first place. For me I needed to create a pem file out of my existing public key:

ssh-keygen -f testing_rsa.pub  -e -m pem > pem

Then I copied that OpenSSL string into my test file where it was being used. It looked like this in the end for me.

@pub_key = "-----BEGIN RSA PUBLIC KEY-----\nMIIBCgKCAQEAoxi2V0bSKqAqUtoQHxWkOPnErCS541r6/MOSHmKOd6VSNHoBbnas\nZRQSDUTbffB6C++DbmBCOHmvzYORD0ZWYgyMcgbYJD48Z2fe0nm+WMYN5u8DPnTP\nvf8b/rJBxGF0dsaoFAWlB81tTnKFCxAbCSgfmQt+Vd4qupGZ5gGu9uoKlaPjmYuA\nIxIjUMcu3dov7PQ+PZIvdkM0fiz8YIl8zo+iWWyI2s6/XLoZJ4bYs2YJHZDf6biU\nsZhs8xqh/F6qlcRt3Ta25KMa0TB9zE3HHmqA/EJHFubWFRCrQqpboB0+nwCbmZUl\nhaxA79FRvYtORvFAoncoFD4tq3rGXcUQQwIDAQAB\n-----END RSA PUBLIC KEY-----\n"
.
.
.
OpenSSL::PKey::RSA.new(@pub_key)

After that the method stopped throwing that error.
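A diagnostic that checks a string for the causes named in the answers and comments on this page: a certificate file with no private key, a wrong passphrase, literal \n escapes from an ENV value, indented lines, missing BEGIN/END lines, and an SSH-format public key. This is an added example, not code from any of the posts; `diagnose_rsa_pem` and `self_signed_cert_pem` are hypothetical helper names, and every sample input is constructed at run time from a throwaway key.

```ruby
require 'openssl'

# Hypothetical helper (not part of Ruby's OpenSSL API): return the likely
# reasons OpenSSL::PKey::RSA.new rejects `text`, or [] when the key loads.
def diagnose_rsa_pem(text, passphrase = nil)
  # Always pass a String so OpenSSL never prompts for a passphrase on the tty.
  OpenSSL::PKey::RSA.new(text, passphrase.to_s)
  []
rescue OpenSSL::OpenSSLError
  labels = text.scan(/-----BEGIN ([A-Z0-9 ]+)-----/).flatten
  causes = []
  causes << :literal_backslash_n if text.include?('\n') # two characters: \ and n
  causes << :indented_lines if text.each_line.any? { |l| l.match?(/\A[ \t]+\S/) }
  causes << :missing_begin_end_lines if labels.empty?
  causes << :certificate_without_key if labels == ['CERTIFICATE']
  causes << :ssh_public_key_format if text.start_with?('ssh-rsa ')
  # Well-formed but encrypted: the passphrase is the remaining suspect.
  causes << :wrong_passphrase_or_corrupt_key if causes.empty? && text.include?('ENCRYPTED')
  causes
end

# Build a self-signed certificate so the "certificate only" case can be shown.
def self_signed_cert_pem(key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=constructed-sample')
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

# Constructed sample inputs, built from a throwaway key generated at run time.
KEY           = OpenSSL::PKey::RSA.new(2048)
PLAIN_PEM     = KEY.to_pem
ENCRYPTED_PEM = KEY.to_pem(OpenSSL::Cipher.new('aes-256-cbc'), 'correct-passphrase')
ESCAPED_PEM   = PLAIN_PEM.gsub("\n") { '\n' } # one line with literal \n, as in an ENV value
INDENTED_PEM  = PLAIN_PEM.gsub(/^/, '    ')
CERT_ONLY_PEM = self_signed_cert_pem(KEY)

puts diagnose_rsa_pem(ENCRYPTED_PEM, 'wrong-passphrase').inspect
puts diagnose_rsa_pem(ESCAPED_PEM).inspect
puts diagnose_rsa_pem(CERT_ONLY_PEM).inspect
```

For the literal_backslash_n case, converting the value with gsub('\n', "\n") before handing it to RSA.new, as suggested in the comments, makes the same key load.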

Author by

Matthew

Hi, I'm Matthew. I'm a developer and entrepreneur in San Francisco.

Updated on July 09, 2022

Comments

  • Matthew
    Matthew almost 2 years

    When building a public key using the OpenSSL::PKey::RSA module by passing it a .pem file, what is the cause for a response:

    OpenSSL::PKey::RSAError: Neither PUB key nor PRIV key:: nested asn1 error
    from /Users/Matt/projects/placepop/lib/apn.rb:48:in `initialize'
    from /Users/Matt/projects/placepop/lib/apn.rb:48:in `new'
    from /Users/Matt/projects/placepop/lib/apn.rb:48:in `open'
    from (irb):1
    

    Here is the source:

    require 'openssl'
    require 'socket'

    # rails_root and the caller's options hash are assumed to be defined elsewhere in the app.
    cert = File.join(rails_root, 'config', 'apns', 'sandbox-cert.pem')
    APN_CONFIG = { :delivery => {
                                  :host => 'gateway.sandbox.push.apple.com',
                                  :cert => cert,
                                  :passphrase => "",
                                  :port => 2195 },
                   :feedback => {
                                  :host => 'feedback.sandbox.push.apple.com',
                                  :port => 2196,
                                  :passphrase => "",
                                  :cert => cert} }


    options = APN_CONFIG[:delivery].merge(options)
    cert = File.read(options[:cert])
    ctx = OpenSSL::SSL::SSLContext.new
    # The same PEM text is parsed twice: once for a private key, once for a certificate.
    # RSA.new is the call that raises the RSAError shown above.
    ctx.key = OpenSSL::PKey::RSA.new(cert, options[:passphrase])
    ctx.cert = OpenSSL::X509::Certificate.new(cert)

    sock = TCPSocket.new(options[:host], options[:port])
    ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
    ssl.sync = true
    ssl.connect
    
  • Matthew
    Matthew over 14 years
    You're correct. The problem was from the way that the pem file was exported from the certificate. The private key was not included.
  • tobyc
    tobyc over 14 years
    I'm having the same problem. What exactly did you do wrong when exporting the certificate? My .pem file contains my private key at the bottom of the file.
  • Smar
    Smar about 9 years
    Someone should poke upstream with sturdy stick about this too... escapes
  • Rahul Goyal
    Rahul Goyal over 7 years
    I am having the same issue... I pass only my private key!
  • lkartono
    lkartono almost 7 years
    I confirm, had the same issue and a wrong password was causing it. Thanks to your post, I was able to fix it. The error message is definitely not accurate.
  • skplunkerin
    skplunkerin almost 6 years
    This solved my problem: stackoverflow.com/a/39115092/1180523. Store the PEM contents as a single line (using \n) in an ENV variable, and then make sure to use the .gsub suggestion in the link.
  • sab
    sab over 5 years
    @2called-chaos as of 2018 I can't thank you enough haha thinking that the pw had typos was the last thing I thought about when checking some code that wasn't working, that error message couldn't be more useless
  • bradw2k
    bradw2k about 4 years
    My (silly) problem was, even though I was feeding it the private key, there was whitespace on the left of the lines of the private key, because it had been indented. Left-justifying every line of the key string got rid of this error.
  • Khulani M
    Khulani M almost 4 years
    You da man! I don't know I messed up the password. But recreating the keys fixed this. Many thanks!
  • theotherdy
    theotherdy over 3 years
    Just adding the link to the LTI 1.3 reference implementation which was giving me this error until I followed your advice to leave in the BEGIN and END comments: lti-ri.imsglobal.org