Problem/Motivation

I just struggled to integrate the key algo with a service providing an X.509 certificate PEM file as the signature source.
The only thing missing was / is that keys with a -----BEGIN CERTIFICATE----- header are handled the same as keys with a -----BEGIN PUBLIC KEY----- header.

This could also help when working with RFC 7517, which seems to rely on X.509 certificates too.

Steps to reproduce

Set the following certificate as key:

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

It actually contains the following public key but currently yields no key.

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzVEth/66pqdJisyaQ9ok
QssncWOBrMw7PNtsRB1urbFqLcxHGIa5uLuknc8K4di4yKT74hbJ7z4yQ5pUuS6H
YCTdyMe3NzGyHyZ0sEsXVYeL2zcMWG71phq3pjTmTT5e68XAUeeIXmko13GYyxnq
nr7cRf+iakg00LHUJ4SxGZ8fnGiWBVK8KIU4jjGrpWvgCU2B205FR/CkoKwUSCXB
z9Nd1hAUJR7lXMzJO2hr4rtBmvpgNW88Lg6c+LjRr+Fpp8uWbJMF8NUIjfgt+6hE
t2CJDNSNbuCSBi9mlJqUff73mZvnCatX2czH96jKVzRDdjb6ywxbO4vwl9q//PLX
twIDAQAB
-----END PUBLIC KEY-----

Proposed resolution

Check for the -----BEGIN CERTIFICATE----- file header and handle it the same as a key with the -----BEGIN PUBLIC KEY----- header.
openssl_pkey_get_public() works just fine with that.

Remaining tasks

  1. Write Code & Test
  2. Review
  3. Profit

User interface changes

None

API changes

None

Data model changes

None
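
A sketch of the header check proposed in the summary, as an added example that is not code from the JWT module. The function name `example_pem_to_public_key` is hypothetical, and the validity-period check is an assumption added here because `openssl_pkey_get_public()` extracts the key from a certificate without evaluating its dates or issuer chain. The certificate is a constructed, throwaway self-signed one generated inline.

```php
<?php
// Added example, not code from the JWT module; names are hypothetical.

/**
 * Normalise a PEM key setting that may be an X.509 certificate.
 * Returns the public key as a -----BEGIN PUBLIC KEY----- PEM string.
 */
function example_pem_to_public_key(string $pem, ?int $now = NULL): string {
  $pem = trim($pem);
  if (str_starts_with($pem, '-----BEGIN CERTIFICATE-----')) {
    // Extracting the key does not validate the certificate, so reject
    // certificates that are outside their validity period explicitly.
    $info = openssl_x509_parse($pem);
    if ($info === FALSE) {
      throw new InvalidArgumentException('Unparseable certificate.');
    }
    $now ??= time();
    if ($now < $info['validFrom_time_t'] || $now > $info['validTo_time_t']) {
      throw new InvalidArgumentException('Certificate is outside its validity period.');
    }
  }
  elseif (!str_starts_with($pem, '-----BEGIN PUBLIC KEY-----')) {
    throw new InvalidArgumentException('Unsupported PEM header.');
  }
  // Accepts both a bare public key and a certificate.
  $key = openssl_pkey_get_public($pem);
  if ($key === FALSE) {
    throw new InvalidArgumentException('No public key could be read.');
  }
  return openssl_pkey_get_details($key)['key'];
}

// Constructed sample input: a throwaway self-signed certificate.
$private = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
$csr = openssl_csr_new(['commonName' => 'jwt-example.invalid'], $private, ['digest_alg' => 'sha256']);
$cert = openssl_csr_sign($csr, NULL, $private, 30, ['digest_alg' => 'sha256']);
openssl_x509_export($cert, $cert_pem);

// Both input forms should normalise to the same public key PEM.
$expected = openssl_pkey_get_details($private)['key'];
var_dump(example_pem_to_public_key($cert_pem) === $expected);
var_dump(example_pem_to_public_key($expected) === $expected);
```

The sketch does not verify the issuer chain or revocation status; a deployment that needs those properties has to check them separately from key extraction.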

Comments

das-peter created an issue. See original summary.

Assigned: das-peter » Unassigned
Status: Active » Needs review