brightspace / node-jwk-to-pem Goto Github PK

import * as jwkToPem from 'jwk-to-pem';
const pem = jwkToPem(jwk);

get error : jwkToPem is not a function
why ?

Hello,
We're using node-jwk-to-pem in one of our projects, and Linux Community Bridge is reporting a Timing Attack based on it's elliptic dependency, which we've traced to node-jwk-to-pem. It's recommended to upgrade to version 6.5.2 or higher.

Thanks for looking at this.

Hello,

Could you upgrade to elliptic:6.5.3 to fix the CVE-2020-13822 ?

Thanks.

indutny/elliptic#226 (comment)

I found this Golang library online https://play.golang.org/p/wr7dwBB_hs

My JWT Token signature is getting validated when I use the public key generated by the above golang routine but it is not getting validated when I use the pem generated by this library (I am using jwt.io to do the signature validation). When I debugged the key I found that the golang library has some extra string in the pem key. Can you throw some light on this, Why is there a difference ?

There is an extra MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A in the GoLang method.

Key generated using this library
------------BEGIN PUBLIC KEY-----
MIIBCgKCAQEAtVKUtcx/n9rt5afY/2WFNvU6PlFMggCatsZ3l4RjKxH0jgdLq6CS
cb0P3ZGXYbPzXvmmLiWZizpb+h0

Key generated by GoLang.
------------BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtVKUtcx/n9rt5afY/2WF
NvU6PlFMggCatsZ3l4RjKxH0jgdLq6CScb0P3ZGXYbPzXvmmLiWZizpb+h0qup5j

I tried to generate the EC private key from JWK as below
var jwk = {
"kty": "EC",
"d": "A3v-2GnVmo--t1I4OrfSqZsM2lQn1tFZHJ2q1V-BIHU",
"use": "sig",
"crv": "P-256",
"kid": "test",
"x": "agVuKmM4y9qUk3r22iWXNISBQTtkS5Kn3916B1pLH2s",
"y": "PPhAQu_ztXJmi9VPFADWf6tfOogelcCWTGTcWvX1sSo",
"alg": "ES256"
};
var fs = require('fs');

var PrivateKeyPem = jwkToPem(jwk, {private: true});
var PublicKeyPem = jwkToPem(jwk);
var PrivateKeyPemFile = __dirname + '/data/PrivateKeyPemTestJWK.pem';
var PublicKeyPemFile = __dirname + '/data/PublicKeyPemTestJWK.pem';

This is the private key get generated

-----BEGIN PRIVATE KEY-----
MIGTAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBHkwdwIBAQQgA3v+2GnVmo++t1I4
OrfSqZsM2lQn1tFZHJ2q1V+BIHWgCgYIKoZIzj0DAQehRANCAARqBW4qYzjL2pST
evbaJZc0hIFBO2RLkqff3XoHWksfazz4QELv87VyZovVTxQA1n+rXzqIHpXAlkxk
3Fr19bEq
-----END PRIVATE KEY-----

It does not matches with the private key that I generated from the openssl command. Openssl private key's header and footer have the -----BEGIN EC PRIVATE KEY----- and -----END EC PRIVATE KEY-----.

When I used this private key to verify using sshpk npm library, its giving this error -
KeyParseError: Failed to parse (unnamed) as a valid pem format key: Expected 0xa1: got 0xa0

Please advice on this.

I can create an MR if necessary. Looks like we're seeing a red flag here via Snyk and should be an easy dependency update :)

@calvinmetcalf I should be able to remove my local definitions now, yes? (indutny/elliptic@54cfa9c)

Thank you for this awesome package.

I think it would be nice to support the oid string as value for the crv property in EC type jwk. So both the following examples are supported.

jwkToPem({kty: 'EC', crv: 'P-256', x: '...', y: '...'});
jwkToPem({kty: 'EC', crv: '1.2.840.10045.3.1.7', x: '...', y: '...'});

I see that you are already mapping the friendly names to oids. A possible solution might be to add aliases for the same.

Can this package please provide .d.ts files?

Would you consider accepting an ES256 JWK as input and returning a PEM private key? The format I'm thinking of for the jwk would be:

{
    alg: 'ES256',
    crv: 'P-256',
    kty: 'EC',
    d: 'base64url-encoded-private-key-d-value-blah'
}

v2.0.3 includes asn1.js@5 when v2.0.2 would include asn1.js@4

This introduces a breaking change for node-jwk-to-pem as well as the code in the dependency is now ES6 (i.e. it uses const which makes older build pipelines choke) when previously it would be using ES5 syntax only.

See: indutny/asn1.js#99 for the same issue happening with asn1.js itself.

Tools like https://mkjwk.org/ generate private keys with just d, e and n values. The dp, dq and qi values can be computed from these. I have a pretty cludgey tool I wrote in Java to compute these in advance, but I'm curious if you can suggest a cleaner method.

JWk to PEM is taking time to convert

It takes approx ~2.5 sec to convert JWK to PEM when private option is enabled.

const pem = jwkToPem(jwkSet, { private: true });

This process is making the overall request slower than expected.

Hello,

Is it possible to add option that disables key validation for EC keys?

I am running the code in AWS Lambda and for some reason converting JWK to PEM with this library can take a lot of time (several seconds). I assume that the validation is the biggest cause for that?

asn1.js uses Buffer() constructor which has been deprecated from nodejs 12. update is required for the package as it has been fixed from 5.3.0.