RSA {PKI} R Documentation

PKI functions handling RSA keys


PKI.load.key loads an RSA key in PKCS#1/8 PEM or DER format.

PKI.save.key creates a PEM or DER representation of an RSA key.

PKI.genRSAkey generates an RSA public/private key pair.

PKI.mkRSApubkey creates an RSA public key with the supplied modulus and exponent.

PKI.load.OpenSSH.pubkey loads a public key in OpenSSH format (as used in the .ssh/authorized_keys file).


PKI.load.key(what, format = c("PEM", "DER"), private, file, password="")
PKI.save.key(key, format = c("PEM", "DER"), private, target)
PKI.genRSAkey(bits = 2048L)
PKI.mkRSApubkey(modulus, exponent=65537L, format = c("DER", "PEM", "key"))
PKI.load.OpenSSH.pubkey(what, first=TRUE, format = c("DER", "PEM", "key"))



what: string, raw vector or connection to load the key from

key: RSA key object

format: PEM is ASCII (essentially base64-encoded DER with header/footer), DER is binary and key means an actual key object

private: logical, whether to use the private key (TRUE), public key (FALSE) or whichever is available (NA or missing).

file: filename to load the key from - what and file are mutually exclusive

password: string, used only if what is an encrypted private key as the password to decrypt the key

target: optional connection or a file name to store the result in. If missing, the result is just returned from the function as either a character vector (PEM) or a raw vector (DER).

bits: size of the generated key in bits. Must be 2 ^ n with integer n > 8.

modulus: modulus either as a raw vector (see as.BIGNUMint) or bigz object (from gmp package) or an integer.

exponent: exponent either as a raw vector (see as.BIGNUMint) or bigz object (from gmp package) or an integer.

first: logical, if TRUE only the first key will be used, otherwise the result is a list of keys.


PKI.load.key: private or public key object

PKI.save.key: raw vector (DER format) or character vector (PEM format).

PKI.genRSAkey: private + public key object

PKI.mkRSApubkey, PKI.load.OpenSSH.pubkey: raw vector (DER format) or character vector (PEM format) or a "public.key" object.


The output format for private keys in PEM is PKCS#1, but for public keys it is X.509 SubjectPublicKeyInfo (certificate public key). This is consistent with the OpenSSL RSA command line tool, which uses the same convention.

PKI.load.key can auto-detect the contained format based on the header if 'PEM' format is used. In that case it supports PKCS#1 (naked RSA key), PKCS#8 (wrapped key with identifier - for public keys X.509 SubjectPublicKeyInfo) and encrypted private key in PKCS#8 (password must be passed to decrypt). 'DER' format provides no way to define the type, so 'private' cannot be 'NA' and only the default format (PKCS#1 for private keys and X.509 SubjectPublicKeyInfo for public keys) is supported.

The OpenSSH format is one line beginning with "ssh-rsa ". SSH2 PEM public keys (RFC 4716) are supported in PKI.load.key; the binary payload is the same as in the OpenSSH format, only with different wrapping.
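The format rules above, exercised as an added example that is not part of the original PKI documentation: PEM keys are loaded by header auto-detection, DER needs an explicit `private`, and each reloaded public half is checked by fingerprint. `pem_kind` and `fingerprint` are hypothetical helpers, and the key is generated on the spot for the example.

```r
library(PKI)

# pem_kind() is a hypothetical helper: it names the PEM header so the
# PKCS#1 / PKCS#8 / SubjectPublicKeyInfo distinction above is visible.
pem_kind <- function(pem) {
  lines <- unlist(strsplit(paste(pem, collapse = "\n"), "\n", fixed = TRUE))
  header <- grep("^-----BEGIN .*-----$", lines, value = TRUE)
  if (length(header) == 0L) return("no PEM header")
  label <- sub("^-----BEGIN (.*)-----$", "\\1", header[1])
  known <- c("RSA PRIVATE KEY"       = "PKCS#1 private key",
             "PRIVATE KEY"           = "PKCS#8 private key",
             "ENCRYPTED PRIVATE KEY" = "encrypted PKCS#8 private key",
             "RSA PUBLIC KEY"        = "PKCS#1 public key",
             "PUBLIC KEY"            = "X.509 SubjectPublicKeyInfo public key")
  if (label %in% names(known)) unname(known[label]) else paste("unrecognised:", label)
}

# Hypothetical helper: digest of the DER-encoded public half (as in the page's example).
fingerprint <- function(k) PKI.digest(PKI.save.key(k, "DER", private = FALSE))

key <- PKI.genRSAkey(bits = 2048L)   # throwaway key constructed for this example

# PEM: the header identifies the container, so `private` can be omitted on load.
priv.pem <- PKI.save.key(key)
pub.pem  <- PKI.save.key(key, private = FALSE)
cat("private PEM:", pem_kind(priv.pem), "\n")
cat("public PEM: ", pem_kind(pub.pem), "\n")
priv.k <- PKI.load.key(priv.pem)
pub.k  <- PKI.load.key(pub.pem)

# DER: no header, so the caller must say which half the bytes contain.
pub.der <- PKI.save.key(key, "DER", private = FALSE)
pub.k2  <- PKI.load.key(pub.der, format = "DER", private = FALSE)
no.hint <- tryCatch(PKI.load.key(pub.der, format = "DER"),
                    error = function(e) conditionMessage(e))
cat("DER load without `private`:",
    if (is.character(no.hint)) no.hint else "loaded", "\n")

# Every copy of the public half must hash to the same fingerprint, and a
# message encrypted to the reloaded public key must decrypt with the private key.
stopifnot(identical(fingerprint(key), fingerprint(pub.k)),
          identical(fingerprint(key), fingerprint(pub.k2)))
msg <- charToRaw("round trip")
stopifnot(identical(PKI.decrypt(PKI.encrypt(msg, pub.k2), priv.k), msg))
```

Comparing fingerprints after each load is a cheap check that a key file handed over in a different container still holds the key you expect.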


Simon Urbanek

See Also

PKI.encrypt, PKI.decrypt, PKI.pubkey


# generate 2048-bit RSA key
key <- PKI.genRSAkey(bits = 2048L)

# extract private and public parts as PEM
priv.pem <- PKI.save.key(key)
pub.pem <- PKI.save.key(key, private=FALSE)
# load back the public key separately
pub.k <- PKI.load.key(pub.pem)

# encrypt with the public key
x <- PKI.encrypt(charToRaw("Hello, world!"), pub.k)
# decrypt with private key
rawToChar(PKI.decrypt(x, key))

# compute SHA1 hash (fingerprint) of the public key
PKI.digest(PKI.save.key(key, "DER", private=FALSE))

# convert OpenSSH public key to PEM format
PKI.load.OpenSSH.pubkey("ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAuvOXqfZ3pJeWeqyQOIXZwmgM1RBqPUmVx3XgntpA+YtOZjKfuoJSpg3LhBuI/wXx8L2QZXNFibvX4qX2qoYsbHvkz2uonA3F7HRhCR/BJURR5nT135znVqALZo328v86HDsVWYR2/JzY1X8GI2R2iKUMGXF0hVuRphdwLB735CU= foo@mycomputer", format="PEM")

