10

We have a requirement to expose an RSA Public Key as an HTTP resource - so http://myhost.com/publickeys/akeyid returns a public key.

I would like to return it with a correct Internet Media Type. What should that be? I confess I find the crypto RFCs fairly impenetrable.

And as a bonus, how do I translate easily from and to that format using the java.security standard libraries?

(It's easy enough to go from and to a SubjectPublicKeyInfo byte array as defined in https://www.rfc-editor.org/rfc/rfc3280#section-4.1 using java.security.RSAPublicKey.getEncoded() to serialize to bytes and a java.security.spec.X509EncodedKeySpec to deserialize those same bytes; but I can't find a registered media type for that format which suggests to me that I should be using some other format (an x.509 Certificate?). But then I struggle to work out how to do the translation.)

Thanks.

Community
  • 1
  • 1
Robert Elliot
  • 1,372
  • 13
  • 20

1 Answers1

8

One alternative would be to encode the PKCS#1 format RSA public key as a PEM file, and then use the MIME type:

   "application/x-pem-file"

References:

Note: "application/x-pem-file" is not registered ... obviously! ... but is referenced in a number of catalogues of "file types".

You probably ought to deliver the key over HTTPS ...

Stephen C
  • 698,415
  • 94
  • 811
  • 1,216
  • application/x-pem-file looks like the closest we are going to get, thanks. Shame there isn't a media type for a Binary DER-encoded public key, as that would be the ideal for us. I guess since the PEM one is not a standard either there's nothing stopping us defining our own... – Robert Elliot Oct 22 '13 at 12:51
  • 2
    ... or you could use application/octet-stream – Stephen C Oct 22 '13 at 13:52