JWT signing gives "DOMException: key.algorithm does not match that of operation"

[gitowiec]

Hi

I need to sign JWT with PEM PCKS#8 private key.
I took code from MDN example to prepare CryptoKey object https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/importKey#pkcs_8_import
Then I run

function stringToArrayBuffer(str: string): ArrayBuffer {
  const buf = new ArrayBuffer(str.length);
  const bufView = new Uint8Array(buf);
  for (let i = 0, strLen = str.length; i < strLen; i++) {
    bufView[i] = str.charCodeAt(i);
  }
  return buf;
}

/*
Import a PEM encoded RSA private key, to use for RSA-PSS signing.
Takes a string containing the PEM encoded key, and returns a Promise
that will resolve to a CryptoKey representing the private key.
*/
const importPrivateKey = async (pem: string) => {
  const pemHeader = "-----BEGIN PRIVATE KEY-----";
  const pemFooter = "-----END PRIVATE KEY-----";
  const pemContents = pem.substring(
    pemHeader.length,
    pem.length - pemFooter.length
  );
  // base64 decode the string to get the binary data
  const binaryDerString = window.atob(pemContents);
  // convert from a binary string to an ArrayBuffer
  const binaryDer = stringToArrayBuffer(binaryDerString);
  const algo = {
    name: "RSA-PSS",
    hash: "SHA-256"
  };
  return window.crypto.subtle.importKey("pkcs8", binaryDer, algo, true, [
    "sign"
  ]);
};

const VALIDITY_PERIOD = 3_600; // ms

const getJWTPayload = (env: EnvName): JWTPayload => {
  const issuedAt = Date.now();

  const common: JWTPayload = {
    iat: issuedAt,
    exp: issuedAt + VALIDITY_PERIOD
  };

  if (env === "production") {
    return {
      ...common,
      aud: "https://someapi",
      iss: "some:text",
      sub: "more:of:text"
    };
  }
  return {
    ...common,
    aud: "https://sandbox.someapi",
      iss: "some:text",
      sub: "more:of:text"
  };
};

const KEY_ID = 'keyid';

const getJWT = async (env: EnvName) => {
  const key = await importPrivateKey(PKCS8_PRIVATE_KEY);
  console.log(key);

  const s = new SignJWT(getJWTPayload(env));
  s.setProtectedHeader({
    alg: "RS256",
    kid: KEY_ID
  });
 return await s.sign(key);
};

I generated the key using openssl with this command

openssl genrsa -out privatekey.pem 4096

and converted it to PKCS#8 with this command

openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in pkcs1.key -out pkcs8.key

The code stops on return await s.sign(key)
How I can correct the problem of key algorithm not matching to the operation?
Best regards

[panva]

How I can correct the problem of key algorithm not matching to the operation?

Use RSASSA-PKCS1-v1_5 for RS256, RS384, and RS512, or use RSA-PSS for PS256, PS384, and PS512. You cannot mix and match.

In your code above just changing RS256 to PS256 should do the trick.

[panva]

FWIW I've added a set of helper functions to aid in this PEM import process. It does not get rid of the need to know what algs a key is good for but it cuts down on the code you have to write to make a PEM string import happen. Also, X509 import.

import * as keytools from 'jose/key/import'

const algorithm = 'ES256'

{
  const pkcs8 = `-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgiyvo0X+VQ0yIrOaN
nlrnUclopnvuuMfoc8HHly3505OhRANCAAQWUcdZ8uTSAsFuwtNy4KtsKqgeqYxg
l6kwL5D4N3pEGYGIDjV69Sw0zAt43480WqJv7HCL0mQnyqFmSrxj8jMa
-----END PRIVATE KEY-----`
  const ecPrivateKey = await keytools.importPKCS8(pkcs8, algorithm)
  console.log(ecPrivateKey)
}


{
  const spki = `-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFlHHWfLk0gLBbsLTcuCrbCqoHqmM
YJepMC+Q+Dd6RBmBiA41evUsNMwLeN+PNFqib+xwi9JkJ8qhZkq8Y/IzGg==
-----END PUBLIC KEY-----`
  const ecPublicKey = await keytools.importSPKI(spki, algorithm)
  console.log(ecPublicKey)
}

{
  const x509 = `-----BEGIN CERTIFICATE-----
MIIBXjCCAQSgAwIBAgIGAXvykuMKMAoGCCqGSM49BAMCMDYxNDAyBgNVBAMMK3Np
QXBNOXpBdk1VaXhXVWVGaGtjZXg1NjJRRzFyQUhXaV96UlFQTVpQaG8wHhcNMjEw
OTE3MDcwNTE3WhcNMjIwNzE0MDcwNTE3WjA2MTQwMgYDVQQDDCtzaUFwTTl6QXZN
VWl4V1VlRmhrY2V4NTYyUUcxckFIV2lfelJRUE1aUGhvMFkwEwYHKoZIzj0CAQYI
KoZIzj0DAQcDQgAE8PbPvCv5D5xBFHEZlBp/q5OEUymq7RIgWIi7tkl9aGSpYE35
UH+kBKDnphJO3odpPZ5gvgKs2nwRWcrDnUjYLDAKBggqhkjOPQQDAgNIADBFAiEA
1yyMTRe66MhEXID9+uVub7woMkNYd0LhSHwKSPMUUTkCIFQGsfm1ecXOpeGOufAh
v+A1QWZMuTWqYt+uh/YSRNDn
-----END CERTIFICATE-----`
  const ecPublicKey = await keytools.importX509(x509, algorithm)
  console.log(ecPublicKey)
}