SignFinal error #15

m1n1b00 · 2015-01-29T07:09:18Z

I'm trying to generate a signature with jws.sign and I keep getting an error that seems to be coming from crypto.js.

My node code is as follows:

var jws = require('jws');

function getIdentityToken(userID, nonce) {
// Get Provider, Key ID, and private key from Heroku Environment Variables
        var layerProviderID = process.env.LAYER_PROVIDER_ID;  // looks something like ed47c64a-a74f-11e4-85ff-d2a153003309
        var layerKeyID = process.env.LAYER_KEY_ID;  // looks something like ed47c64a-a74f-11e4-85ff-d2a153003309
        var privateKey = process.env.LAYER_KEY;  MIICWwIBAAKBgQCP/pfcXdzD9f6kK/7cXE+LwvS1fd6JWXDLIxo5wjyjaL9+dMMo6yucGuQRAwORHQpePOtX2vGtRLlS2Cw23YPCpoYa8RLC9CWCOf8yXzj6kz7L5aBZeCZcaWAph0W+939nyprc4H4iAbydOkY1Ydjnnx+CcnXSpMl1GiV6OsbyiwIDAQABAoGARVZtPfocwmgENH3S/b2duEkqmPKBZFYjUE4Y5NM5a96Wx4fmKiAEIel5BRAUeZ4oTfS7xtRxJ+Q98TyTHeBQ/4LAipjs1srgPQUCgs3L1KmflmjdnnGl0KmxZomW9iUxKt6PEoG3sRxWMW3gd84gWJ3twZde1Hp0CYQ4LawzmECQQDPx+gnsLazEyNgZoCLM9zXWQxm2g9cRW0CVk64XQELowaV3Q3Bg94y4IwSyY6kms2gw6OLMHZs9rJ7jgtR0RLJAkEAsWkwfLZmM/AnnPA5ozqelx8VgDQvg13wPfYFz1/qxFA5/QJnmJBLfRnr7imS94Mgla/b4zHtq5iaOPSaFfhQswJAJfgZ7GbWfBLbPBp/EvD/Qjr7kS/37pyhNvQenoIgVsgLxAcJJHu8dv+hmS1L67h+KwqVMDJC8daC9yEV4HWcQQJAbP5J6qSIn6oQPCudzXlrCzjhq5iupcRSaTwbBxQiRi/AZ4CXFDYbAyefN+bCS+PsXXr7+4VK+lIzlYA41fyLXwJAcf30R3VqT757JDSQ8URSyI1IzA016dkxiR86h9p2mBiLMVo2E0V8pLI5KW1vpL8czlTGCzSNsc7Wu49QLej96g==

        if (!layerProviderID || !layerKeyID || !privateKey) {
            res.send(500, { status: 500, message: err.message });
        } 

        var header =  {
      typ: "JWS", 
      alg: "RS256", 
      cty: "layer-eit;v=1", 
      kid: layerKeyID,
    };

    var currentTimeInSeconds = Math.round(new Date() / 1000);
    var expirationTime = currentTimeInSeconds + 10000;

    var payload = JSON.stringify({
      iss: layerProviderID,
      prn: userID,
      iat: currentTimeInSeconds,
      exp: expirationTime,
      nce: nonce,
    });

    var signature = jws.sign({ 
      header: header, 
      payload: payload, 
      secret: privateKey.toString()
    });

    return signature;
};
exports.getIdentityToken = getIdentityToken;

The error I'm getting is:

40735208461056:error:0906D06C:PEM routines:PEM_read_bio:no start line:../deps/openssl/openssl/crypto/pem/pem_lib.c:703:Expecting: ANY PRIVATE KEY
Error: SignFinal error
    at Sign.sign (crypto.js:429:27)
    at Object.sign (/work/dif-api/node_modules/jws/node_modules/jwa/index.js:51:47)
    at Object.jwsSign [as sign] (/work/dif-api/node_modules/jws/index.js:34:26)
    at Object.getIdentityToken (/work/dif-api/lib/layerAuth.js:35:25)
    at /work/dif-api/routes/users.js:118:41
    at Layer.handle [as handle_request] (/work/dif-api/node_modules/express/lib/router/layer.js:82:5)
    at next (/work/dif-api/node_modules/express/lib/router/route.js:100:13)
    at Route.dispatch (/work/dif-api/node_modules/express/lib/router/route.js:81:3)
    at Layer.handle [as handle_request] (/work/dif-api/node_modules/express/lib/router/layer.js:82:5)
    at /work/dif-api/node_modules/express/lib/router/index.js:235:24

Do you see anything wrong with the call to jws.sign()? Or any clues as to why this error is being generated?

The text was updated successfully, but these errors were encountered:

brianloveswords · 2015-01-30T14:27:56Z

The error is complaining about your key being invalid. I've highlighted the important bits of the error below:

40735208461056:error:0906D06C:PEM routines:PEM_read_bio:no start line:../deps/openssl/openssl/crypto/pem/pem_lib.c:703:Expecting: ANY PRIVATE KEY

OpenSSL is very particular about the key format and if its deviates at all it'll blow up. In this case it's complaining that it can't find "ANY PRIVATE KEY" because of "no start line". Your key should look like this:

(note: that's a brand new RSA private key I generated with openssl genrsa 2048 for the purpose of this example)

The start line it's looking for is that -----BEGIN RSA PRIVATE KEY-----\n. In my testing the key parser is also sensitive enough that it requires those line breaks after every 64 characters or else you'll get a bad base64 decode error.

brianloveswords · 2015-01-30T16:00:59Z

I'm gonna close this for now, let me know if you need anymore help!

m1n1b00 · 2015-01-31T03:37:57Z

Thank you so much for the clarification. I followed your instructions and it fixed the error immediately.

groovecoder · 2016-02-10T17:50:10Z

I may need some similar help. I'm adding VAPID to web-push and using jws to do it:

+         var header = { typ: "JWT", alg: "ES256" };
+         var now = Math.floor(Date.now() / 1000);
+         var payload = { aud: vapid.audience, exp: now + 86400, sub: vapid.subject};
+         var appKeys = crypto.createECDH('prime256v1');
+         appKeys.generateKeys();
+         var signature = jws.sign({
+           header: header,
+           payload: payload,
+           privateKey: appKeys.getPrivateKey()
+         });
+         auth = "Bearer " +
+           urlBase64.encode(JSON.stringify(header)) + "." +
+           urlBase64.encode(JSON.stringify(payload)) + "." +
+           JSON.stringify(signature);
+         options['Authorization'] = auth;
+         options['Crypto-Key'] = "p256ecdsa=" + urlBase64.encode(appKeys.getPublicKey())

But on the jws.sign I'm getting the same error:

Error: error:0906D06C:PEM routines:PEM_read_bio:no start line
    at Error (native)
    at Sign.sign (crypto.js:279:26)
    at sign (/Users/lcrouch/code/web-push/node_modules/jws/node_modules/jwa/index.js:54:47)
    at Object.sign (/Users/lcrouch/code/web-push/node_modules/jws/node_modules/jwa/index.js:74:27)
    at Object.jwsSign [as sign] (/Users/lcrouch/code/web-push/node_modules/jws/lib/sign-stream.js:23:26)
    at repl:1:5
    at REPLServer.defaultEval (repl.js:252:27)
    at bound (domain.js:287:14)
    at REPLServer.runBound [as eval] (domain.js:300:12)
    at REPLServer.<anonymous> (repl.js:417:12)

The appKeys.getPrivateKey() doesn't return anything like the RSA private key I'm used to seeing. 😢 ...

> var privateKey = appKeys.getPrivateKey()
undefined
> privateKey.toString()
'Q�K��\fۄ��-���]�\u0012������HB�\n^�a��'
> privateKey.toString('hex')
'51c84b9b920cdb8488922d95f8d95d811299abb6e7fdf84842bd0a5eef61f0fa'

So, (how?) can I use a private key generated by Node Crypto?

joelwass · 2016-09-08T18:31:23Z

Why does the sign.sign() method not allow single line keys? What is the reasoning behind this, and are there any options we can pass so that it allows single line keys without line breaks?

Trying to load the private key through an elastic beanstalk environmental variable.

omsmith · 2016-09-08T18:34:49Z

@joelwass No, it is an OpenSSL behaviour. Feel free to correctly format the key from your input source.

brianloveswords closed this as completed Jan 30, 2015

reduxdj mentioned this issue Apr 15, 2016

RS256 keys do not create signatures causes runtime error #48

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SignFinal error #15

SignFinal error #15

m1n1b00 commented Jan 29, 2015

brianloveswords commented Jan 30, 2015

brianloveswords commented Jan 30, 2015

m1n1b00 commented Jan 31, 2015

groovecoder commented Feb 10, 2016

joelwass commented Sep 8, 2016

omsmith commented Sep 8, 2016

SignFinal error #15

SignFinal error #15

Comments

m1n1b00 commented Jan 29, 2015

brianloveswords commented Jan 30, 2015

brianloveswords commented Jan 30, 2015

m1n1b00 commented Jan 31, 2015

groovecoder commented Feb 10, 2016

joelwass commented Sep 8, 2016

omsmith commented Sep 8, 2016