# Warning: openssl_verify(): Supplied key param cannot be coerced into a public key in /var/www/app/src/Auth/JwtValidator.php:34

- **ID:** `php/openssl-certificate-verify-failed`
- **Domain:** php
- **Category:** auth_error
- **Verification:** ai_generated
- **Fix Rate:** 83%

## Root Cause

The public key provided to openssl_verify() is not in a valid PEM format, is corrupted, or uses an unsupported algorithm (e.g., Ed25519 without proper OpenSSL support), preventing PHP from extracting the public key resource.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| PHP 8.0 | active | — | — |
| PHP 8.1 | active | — | — |
| PHP 8.2 | active | — | — |
| PHP 8.3 | active | — | — |

## Workarounds

1. **Validate the public key format: ensure it has proper PEM headers (`-----BEGIN PUBLIC KEY-----`) and is base64-decoded correctly. Use `openssl_pkey_get_public()` to check:** (80% success)
   ```
   $key = openssl_pkey_get_public($pemString);
   if ($key === false) {
       // Show why OpenSSL could not parse the key
       echo openssl_error_string();
   }
   ```
2. **If using Ed25519 or other modern algorithms, ensure OpenSSL 1.1.1+ is installed and PHP is compiled with support. Check with the command below and verify the algorithm is listed:** (75% success)
   ```
   php -i | grep 'OpenSSL'
   ```
3. **Regenerate the key pair using a supported algorithm like RSA-2048 or ECDSA with P-256. Example command:** (90% success)
   ```
   openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out private.pem \
     && openssl pkey -in private.pem -pubout -out public.pem
   ```
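
The check from workaround 1 wired into a verification path, as an added example (not code from `JwtValidator.php`). The helper names `loadPublicKey` and `verifySignature` are hypothetical, and the key pair and message are constructed for the demonstration. It surfaces the full OpenSSL error queue when the key is rejected and accepts a signature only when `openssl_verify()` returns exactly `1`, since `0`, `-1` and `false` must all be treated as failure.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical helpers, not code from JwtValidator.php.

/** Parse a PEM public key, failing with OpenSSL's own diagnostics. */
function loadPublicKey(string $pem): OpenSSLAsymmetricKey
{
    while (openssl_error_string() !== false) {
        // Drain stale entries so the errors reported below belong to this call.
    }
    $key = openssl_pkey_get_public(trim($pem));
    if ($key === false) {
        $errors = [];
        while (($e = openssl_error_string()) !== false) {
            $errors[] = $e;
        }
        throw new RuntimeException('Public key rejected: ' . implode('; ', $errors));
    }
    return $key;
}

/** True only when openssl_verify() returns exactly 1; 0, -1 and false fail closed. */
function verifySignature(string $data, string $sig, OpenSSLAsymmetricKey $key): bool
{
    return openssl_verify($data, $sig, $key, OPENSSL_ALGO_SHA256) === 1;
}

// Constructed sample: a throwaway RSA-2048 key pair and message.
$private = openssl_pkey_new([
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
    'private_key_bits' => 2048,
]);
$publicPem = openssl_pkey_get_details($private)['key'];
$data = 'header.payload';
openssl_sign($data, $sig, $private, OPENSSL_ALGO_SHA256);

$key = loadPublicKey($publicPem);
var_dump(verifySignature($data, $sig, $key));        // untouched message
var_dump(verifySignature($data . 'x', $sig, $key));  // tampered message

try {
    // Constructed malformed key: PEM headers stripped, leaving bare base64.
    loadPublicKey(preg_replace('/-----[^-]+-----/', '', $publicPem));
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```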

## Dead Ends

- If the key is already malformed or uses an unsupported algorithm, DER conversion will also fail; the issue is the key itself, not the format. (60% fail)
- This bypasses security entirely and only works for remote connections, not for local key verification; it does not fix the key parsing issue. (80% fail)
- The OpenSSL extension is typically bundled with PHP and rarely the cause; reinstalling it does not fix a malformed key or algorithm mismatch. (50% fail)
