# Warning: openssl_verify(): Supplied key param cannot be coerced into a public key in /var/www/app/src/Auth/JwtValidator.php on line 42

- **ID:** `php/openssl-key-format-mismatch`
- **Domain:** php
- **Category:** auth_error
- **Error Code:** `E_WARNING`
- **Verification:** ai_generated
- **Fix Rate:** 90%

## Root Cause

The public key provided to `openssl_verify()` is in an unsupported format (e.g., PKCS#1 instead of PKCS#8, or missing proper PEM headers), causing OpenSSL to reject the key.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| PHP 7.4 | active | — | — |
| PHP 8.0 | active | — | — |
| PHP 8.1 | active | — | — |
| PHP 8.2 | active | — | — |
| PHP 8.3 | active | — | — |
| OpenSSL 1.1.1 | active | — | — |
| OpenSSL 3.0 | active | — | — |

## Workarounds

1. **Ensure the public key is in PKCS#8 PEM format, converting it with the OpenSSL CLI if needed. Then load it in PHP and ensure there is no extra whitespace.** (95% success)
   ```
   openssl pkey -in private_key.pem -pubout -out public_key.pem
   ```
   ```
   $key = file_get_contents('/path/to/public_key.pem');
   ```
2. **Use `openssl_get_publickey()` instead of passing the key string directly; this function auto-detects and converts formats.** (90% success)
   ```
   $pubKey = openssl_get_publickey(file_get_contents('key.pem'));
   if ($pubKey === false) {
       echo openssl_error_string();
   }
   ```
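The following is an added example, not part of the original entry or the application's own code. It combines both workarounds with a fail-closed signature check: `openssl_verify()` returns `1` for a valid signature, `0` for an invalid one, and `-1` or `false` on error, so only a strict comparison with `1` should count as success. The helper names `loadPublicKey` and `signatureIsValid` are hypothetical, and the key pair and message are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from the page): normalise PEM text, then parse it.
function loadPublicKey(string $pem)
{
    // Strip a UTF-8 BOM, normalise line endings, trim surrounding whitespace.
    $pem = preg_replace('/^\xEF\xBB\xBF/', '', $pem);
    $pem = trim(str_replace(["\r\n", "\r"], "\n", $pem)) . "\n";

    // The header must be on its own line, as the entry describes.
    if (strpos($pem, "-----BEGIN PUBLIC KEY-----\n") !== 0) {
        throw new InvalidArgumentException('Expected a "BEGIN PUBLIC KEY" PEM block');
    }
    $key = openssl_pkey_get_public($pem); // openssl_get_publickey() is an alias
    if ($key === false) {
        // Drain the OpenSSL error queue so the real cause reaches the logs.
        $errors = [];
        while (($e = openssl_error_string()) !== false) {
            $errors[] = $e;
        }
        throw new RuntimeException('Key rejected: ' . implode('; ', $errors));
    }
    return $key;
}

// Hypothetical helper: only the integer 1 means "signature valid".
// A loose truthiness check would accept the error value -1.
function signatureIsValid(string $data, string $sig, string $pem): bool
{
    return openssl_verify($data, $sig, loadPublicKey($pem), OPENSSL_ALGO_SHA256) === 1;
}

// Constructed sample: throwaway RSA key pair and message.
$private = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
$publicPem = openssl_pkey_get_details($private)['key'];
$message = 'header.payload';
openssl_sign($message, $signature, $private, OPENSSL_ALGO_SHA256);

// Simulate a key file saved with a BOM, CRLF line endings and trailing blanks.
$damaged = "\xEF\xBB\xBF" . str_replace("\n", "\r\n", $publicPem) . "  \n\n";

var_dump(signatureIsValid($message, $signature, $damaged));       // original message
var_dump(signatureIsValid($message . 'x', $signature, $damaged)); // tampered message
```

Throwing on a rejected key, rather than letting the warning pass, keeps a misformatted key file from being treated as an ordinary verification result.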

## Dead Ends

- **** — The issue is the key format structure (PEM headers, line breaks), not just encoding. A raw binary key without proper boundaries will fail the same way. (90% fail)
- **** — Extra whitespace or BOM can corrupt the PEM header; OpenSSL requires exact format: `-----BEGIN PUBLIC KEY-----` on its own line. (85% fail)
