Invalid RSA private key crypto.sign() #18972

Vittitow · 2023-05-03T13:06:24Z

The oracle/oci-typescript-sdk depends on a dated sshpk package. I'm attempting to switch from node to deno but I get Invalid RSA private key when signing requests going to OCI APIs. I've narrowed this down to the following reproducible steps.

Deno version

deno 1.33.1 (release, aarch64-apple-darwin)
v8 11.4.183.1
typescript 5.0.3

Generate a 2048 bit RSA key in PEM format:
openssl genrsa -out ./example.pem 2048

Run the following code against the newly generated key:

import { parsePrivateKey } from "npm:sshpk@^1.17.0";

const privateKey = Deno.readTextFileSync("example.pem");
const key = parsePrivateKey(privateKey, "pem");
const data = "example text";
const signer = key.createSign("sha256");

signer.update(data);

const signature = signer.sign();

console.log(signature);

Resulting error:

error: Uncaught TypeError: Invalid RSA private key
    at SignImpl.sign (ext:deno_node/internal/crypto/sig.ts:46:37)
    at SignImpl.v.sign (file:///~/Library/Caches/deno/npm/registry.npmjs.org/sshpk/1.17.0/lib/private-key.js:161:13)
    at file:///~/Documents/repos/wmill-cloud/windmill/src/f/scripts/sshpk_issue.ts:11:21

Expected result:
The data is signed with the private key which works in node.

The text was updated successfully, but these errors were encountered:

punarinta · 2023-10-01T10:39:40Z

Same here. :(
google-auth-library fails because of a similar error.

TypeError: Invalid RSA public key
    at VerifyImpl.verify (ext:deno_node/internal/crypto/sig.ts:98:16)
    at NodeCrypto.verify (file:///home/******/node_modules/.deno/google-auth-library@9.0.0/node_modules/google-auth-library/build/src/crypto/node/crypto.js:29:25)
    at OAuth2Client.verifySignedJwtWithCertsAsync (file:///home/******/node_modules/.deno/google-auth-library@9.0.0/node_modules/google-auth-library/build/src/auth/oauth2client.js:644:39)
    at OAuth2Client.verifyIdTokenAsync (file:///home/******/node_modules/.deno/google-auth-library@9.0.0/node_modules/google-auth-library/build/src/auth/oauth2client.js:458:34)

ewiggin · 2023-11-13T20:09:01Z

Same here with web-push lib:

TypeError: Invalid RSA private key
    at SignImpl.sign (ext:deno_node/internal/crypto/sig.ts:48:33)
    at sign (file:///Users/****/Library/Caches/deno/npm/registry.npmjs.org/jwa/2.0.0/index.js:152:45)
    at Object.sign (file:///Users/****/Library/Caches/deno/npm/registry.npmjs.org/jwa/2.0.0/index.js:200:27)
    at Object.jwsSign [as sign] (file:///Users/****/Library/Caches/deno/npm/registry.npmjs.org/jws/4.0.0/lib/sign-stream.js:32:24)
    at Object.getVapidHeaders (file:///Users/****/Library/Caches/deno/npm/registry.npmjs.org/web-push/3.6.6/src/vapid-helper.js:226:19)
    at WebPushLib.generateRequestDetails (file:///Users/****/Library/Caches/deno/npm/registry.npmjs.org/web-push/3.6.6/src/web-push-lib.js:278:40)
    at WebPushLib.sendNotification (file:///Users/****/Library/Caches/deno/npm/registry.npmjs.org/web-push/3.6.6/src/web-push-lib.js:341:29)

Add support for signing with a RSA PEM private key: `pkcs8` and `pkcs1`. Fixes #18972 Ref #21124 Verified fix with `npm:sshpk`. Unverfied but fixes `npm:google-auth-library`, `npm:web-push` & `oracle/oci-typescript-sdk` --------- Signed-off-by: Divy Srivastava <dj.srivastava23@gmail.com>

aleksanb · 2023-12-27T00:10:33Z

Same here with web-push lib:

Now as of deno 1.39.1 i get a new error instead when using web-push:

TypeError: Invalid PEM label
    at SignImpl.sign (ext:deno_node/internal/crypto/sig.ts:36:33)
    at sign (file:///Users/<username>/Library/Caches/deno/npm/registry.npmjs.org/jwa/2.0.0/index.js:152:45)
    at Object.sign (file:///Users/<username>/Library/Caches/deno/npm/registry.npmjs.org/jwa/2.0.0/index.js:200:27)
    at Object.jwsSign [as sign] (file:///Users/<username>/Library/Caches/deno/npm/registry.npmjs.org/jws/4.0.0/lib/sign-stream.js:32:24)
    at Object.getVapidHeaders (file:///Users/<username>/Library/Caches/deno/npm/registry.npmjs.org/web-push/3.6.6/src/vapid-helper.js:226:19)
    at WebPushLib.generateRequestDetails (file:///Users/<username>/Library/Caches/deno/npm/registry.npmjs.org/web-push/3.6.6/src/web-push-lib.js:278:40)
    at WebPushLib.sendNotification (file:///Users/<username>/Library/Caches/deno/npm/registry.npmjs.org/web-push/3.6.6/src/web-push-lib.js:341:29)
    ...

I'm hard stuck here for now i think.

littledivy · 2023-12-28T04:12:49Z

Please provide a reproduction using web-push or what kind of PEM key is being used. It's hard to tell by just looking at the error.

mattjamieson · 2023-12-28T10:42:35Z

I found the same issue, here's a minimal repro:

 ~ deno
Deno 1.39.1
exit using ctrl+d, ctrl+c, or close()
REPL is running with all permissions allowed.
To specify permissions, run `deno repl` with allow flags.
> import { default as webpush } from "npm:web-push";
undefined
> const vapidKeys = webpush.generateVAPIDKeys();
undefined
> await webpush.sendNotification({ endpoint: "http://localhost" }, "", { vapidDetails: { ...vapidKeys, subject: "mailto:test@localhost" } });
Uncaught TypeError: Invalid PEM label
    at SignImpl.sign (ext:deno_node/internal/crypto/sig.ts:36:33)
    at sign (file:///home/matt/.cache/deno/npm/registry.npmjs.org/jwa/2.0.0/index.js:152:45)
    at Object.sign (file:///home/matt/.cache/deno/npm/registry.npmjs.org/jwa/2.0.0/index.js:200:27)
    at Object.jwsSign [as sign] (file:///home/matt/.cache/deno/npm/registry.npmjs.org/jws/4.0.0/lib/sign-stream.js:32:24)
    at Object.getVapidHeaders (file:///home/matt/.cache/deno/npm/registry.npmjs.org/web-push/3.6.6/src/vapid-helper.js:226:19)
    at WebPushLib.generateRequestDetails (file:///home/matt/.cache/deno/npm/registry.npmjs.org/web-push/3.6.6/src/web-push-lib.js:278:40)
    at WebPushLib.sendNotification (file:///home/matt/.cache/deno/npm/registry.npmjs.org/web-push/3.6.6/src/web-push-lib.js:341:29)
    at <anonymous>:1:36

phocks · 2024-02-04T03:54:10Z

Yep getting the same with "npm:web-push" library.

JTCorrin · 2024-02-20T12:25:36Z

Yep getting the same with "npm:web-push" library.

same:

[Error] Error sending push notifications TypeError: Invalid PEM label at SignImpl.sign (ext:deno_node/internal/crypto/sig.ts:35:29) at sign (file:///tmp/sb-compile-edge-runtime/node_modules/localhost/jwa/2.0.0/index.js:152:45) at Object.sign (file:///tmp/sb-compile-edge-runtime/node_modules/localhost/jwa/2.0.0/index.js:200:27) at Object.jwsSign [as sign] (file:///tmp/sb-compile-edge-runtime/node_modules/localhost/jws/4.0.0/lib/sign-stream.js:32:24) at Object.getVapidHeaders (file:///tmp/sb-compile-edge-runtime/node_modules/localhost/web-push/3.6.7/src/vapid-helper.js:226:19) at WebPushLib.generateRequestDetails (file:///tmp/sb-compile-edge-runtime/node_modules/localhost/web-push/3.6.7/src/web-push-lib.js:278:40) at WebPushLib.sendNotification (file:///tmp/sb-compile-edge-runtime/node_modules/localhost/web-push/3.6.7/src/web-push-lib.js:341:29) at file:///home/deno/functions/push-notification/index.ts:42:20 at Array.map (<anonymous>) at Object.handler (file:///home/deno/functions/push-notification/index.ts:40:42)

Fixes denoland#18972 Support for web-push & jws

Fixes #18972 Support for web-push VAPID keys & jws signing - Fixes EC keygen to return raw private key and uncompressed public key point. - Support for `EC PRIVATE KEY`

Fixes denoland#18972 Support for web-push VAPID keys & jws signing - Fixes EC keygen to return raw private key and uncompressed public key point. - Support for `EC PRIVATE KEY`

bartlomieju added bug Something isn't working correctly node compat labels May 3, 2023

bartlomieju mentioned this issue May 15, 2023

Tracking issue for remaining node:crypto APIs #18455

Closed

39 tasks

mmastrac mentioned this issue Oct 19, 2023

jsonwebtoken cannot sign with RS256 #20938

Closed

littledivy self-assigned this Nov 21, 2023

littledivy mentioned this issue Nov 21, 2023

fix(ext/node): sign with PEM private keys #21287

Merged

littledivy closed this as completed in #21287 Dec 3, 2023

littledivy reopened this Dec 28, 2023

danielbankhead mentioned this issue Jan 22, 2024

Error: Invalid RSA public key when using verifySignedJwtWithCertsAsync with Google IAP JWT token googleapis/google-auth-library-nodejs#1724

Closed

aleksanb mentioned this issue Jan 24, 2024

☂️ Node/npm compatibility issue for Q4 2023 #20851

Closed

4 tasks

bartlomieju mentioned this issue Feb 8, 2024

Node.js compat roadmap February 2024 #22337

Closed

20 tasks

bartlomieju added the node API Related to various "node:*" modules APIs label Mar 4, 2024

bartlomieju unassigned littledivy Mar 4, 2024

bartlomieju assigned littledivy Mar 12, 2024

littledivy added a commit to littledivy/deno that referenced this issue Mar 14, 2024

fix(ext/node): Support private EC key signing

7ba3d32

Fixes denoland#18972 Support for web-push & jws

littledivy mentioned this issue Mar 14, 2024

fix(ext/node): Support private EC key signing #22914

Merged

littledivy closed this as completed in #22914 Mar 14, 2024

bavjackson mentioned this issue May 5, 2024

Support private EC key signing supabase/edge-runtime#334

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Invalid RSA private key crypto.sign() #18972

Invalid RSA private key crypto.sign() #18972

Vittitow commented May 3, 2023

punarinta commented Oct 1, 2023

ewiggin commented Nov 13, 2023

aleksanb commented Dec 27, 2023 •

edited

Loading

littledivy commented Dec 28, 2023

mattjamieson commented Dec 28, 2023

phocks commented Feb 4, 2024

JTCorrin commented Feb 20, 2024

Invalid RSA private key crypto.sign() #18972

Invalid RSA private key crypto.sign() #18972

Comments

Vittitow commented May 3, 2023

punarinta commented Oct 1, 2023

ewiggin commented Nov 13, 2023

aleksanb commented Dec 27, 2023 • edited Loading

littledivy commented Dec 28, 2023

mattjamieson commented Dec 28, 2023

phocks commented Feb 4, 2024

JTCorrin commented Feb 20, 2024

aleksanb commented Dec 27, 2023 •

edited

Loading