Warning: openssl_verify(): Supplied key param cannot be coerced into a public key in /var/www/app/src/Auth/JwtValidator.php:34
ID: php/openssl-certificate-verify-failed
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| PHP 8.0 | active | — | — | — |
| PHP 8.1 | active | — | — | — |
| PHP 8.2 | active | — | — | — |
| PHP 8.3 | active | — | — | — |
Root Cause
The public key provided to openssl_verify() is not in a valid PEM format, is corrupted, or uses an unsupported algorithm (e.g., Ed25519 without proper OpenSSL support), preventing PHP from extracting the public key resource.
generic中文
提供给openssl_verify()的公钥不是有效的PEM格式、已损坏或使用了不受支持的算法(例如,未正确支持OpenSSL的Ed25519),导致PHP无法提取公钥资源。
Official Documentation
https://www.php.net/manual/en/function.openssl-verify.phpWorkarounds
-
80% success Validate the public key format: ensure it has proper PEM headers (-----BEGIN PUBLIC KEY-----) and is base64-decoded correctly. Use openssl_pkey_get_public() to check: $key = openssl_pkey_get_public($pemString); if ($key === false) { echo openssl_error_string(); }
Validate the public key format: ensure it has proper PEM headers (-----BEGIN PUBLIC KEY-----) and is base64-decoded correctly. Use openssl_pkey_get_public() to check: $key = openssl_pkey_get_public($pemString); if ($key === false) { echo openssl_error_string(); } -
75% success If using Ed25519 or other modern algorithms, ensure OpenSSL 1.1.1+ is installed and PHP is compiled with support. Check with: php -i | grep 'OpenSSL' and verify the algorithm is listed.
If using Ed25519 or other modern algorithms, ensure OpenSSL 1.1.1+ is installed and PHP is compiled with support. Check with: php -i | grep 'OpenSSL' and verify the algorithm is listed.
-
90% success Regenerate the key pair using a supported algorithm like RSA-2048 or ECDSA with P-256. Example command: openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out private.pem && openssl pkey -in private.pem -pubout -out public.pem
Regenerate the key pair using a supported algorithm like RSA-2048 or ECDSA with P-256. Example command: openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out private.pem && openssl pkey -in private.pem -pubout -out public.pem
中文步骤
Validate the public key format: ensure it has proper PEM headers (-----BEGIN PUBLIC KEY-----) and is base64-decoded correctly. Use openssl_pkey_get_public() to check: $key = openssl_pkey_get_public($pemString); if ($key === false) { echo openssl_error_string(); }If using Ed25519 or other modern algorithms, ensure OpenSSL 1.1.1+ is installed and PHP is compiled with support. Check with: php -i | grep 'OpenSSL' and verify the algorithm is listed.
Regenerate the key pair using a supported algorithm like RSA-2048 or ECDSA with P-256. Example command: openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out private.pem && openssl pkey -in private.pem -pubout -out public.pem
Dead Ends
Common approaches that don't work:
-
60% fail
If the key is already malformed or uses an unsupported algorithm, DER conversion will also fail; the issue is the key itself, not the format.
-
80% fail
This bypasses security entirely and only works for remote connections, not for local key verification; it does not fix the key parsing issue.
-
50% fail
The OpenSSL extension is typically bundled with PHP and rarely the cause; reinstalling it does not fix a malformed key or algorithm mismatch.