A Simple Public Key Infrastructure implementation (pronounced “spooky”). The structure is defined as

PublicKeyAndChallenge ::= SEQUENCE {
  spki SubjectPublicKeyInfo,
  challenge IA5STRING

SignedPublicKeyAndChallenge ::= SEQUENCE {
  publicKeyAndChallenge PublicKeyAndChallenge,
  signatureAlgorithm AlgorithmIdentifier,
  signature BIT STRING

where the definitions of SubjectPublicKeyInfo and AlgorithmIdentifier can be found in RFC5280. SPKI is typically used in browsers for generating a public/private key pair and a subsequent certificate request, using the HTML <keygen> element.


Creating an SPKI

key = OpenSSL::PKey::RSA.new 2048
spki = OpenSSL::Netscape::SPKI.new
spki.challenge = "RandomChallenge"
spki.public_key = key.public_key
spki.sign(key, OpenSSL::Digest.new('SHA256'))
#send a request containing this to a server generating a certificate

Verifying an SPKI request

request = #...
spki = OpenSSL::Netscape::SPKI.new request
unless spki.verify(spki.public_key)
  # signature is invalid
Class Methods


  • request - optional raw request, either in PEM or DER format.

Instance Methods

Returns the challenge string associated with this SPKI.


  • str - the challenge string to be set for this instance

Sets the challenge to be associated with the SPKI. May be used by the server, e.g. to prevent replay.

Returns the public key associated with the SPKI, an instance of OpenSSL::PKey.


  • pub - the public key to be set for this instance

Sets the public key to be associated with the SPKI, an instance of OpenSSL::PKey. This should be the public key corresponding to the private key used for signing the SPKI.


  • key - the private key to be used for signing this instance

  • digest - the digest to be used for signing this instance

To sign an SPKI, the private key corresponding to the public key set for this instance should be used, in addition to a digest algorithm in the form of an OpenSSL::Digest. The private key should be an instance of OpenSSL::PKey.

Returns the DER encoding of this SPKI.

Returns the PEM encoding of this SPKI.

An alias for to_pem

Returns a textual representation of this SPKI, useful for debugging purposes.


  • key - the public key to be used for verifying the SPKI signature

Returns true if the signature is valid, false otherwise. To verify an SPKI, the public key contained within the SPKI should be used.