Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

secretOrPrivateKey size error when size is larger enough #888

Open
padenaa opened this issue Feb 16, 2023 · 10 comments
Open

secretOrPrivateKey size error when size is larger enough #888

padenaa opened this issue Feb 16, 2023 · 10 comments

Comments

@padenaa
Copy link

padenaa commented Feb 16, 2023
edited
Loading

Description

I'm doing some development with octokit and probot which bring jsonwebtoken as a dependency. After updating octokit/auth-app to a version that supports jsonwebtoken 9.0.1, I'm getting this error:

"secretOrPrivateKey has a minimum key size of 2048 bits for RS256"

The private key used is definitely longer than 2048 bits, so I was not expecting to see this error.

Reproduction

Logs:

Error: secretOrPrivateKey has a minimum key size of 2048 bits for RS256 at Object.sign (/app/node_modules/jsonwebtoken/sign.js:130:22) at getToken (/app/node_modules/universal-github-app-jwt/dist-src/get-token.js:3:25) at Object.githubAppJwt (/app/node_modules/universal-github-app-jwt/dist-src/index.js:14:25) at getAppAuthentication (/app/node_modules/@octokit/auth-app/dist-src/get-app-authentication.js:4:41) at hook (/app/node_modules/@octokit/auth-app/dist-src/hook.js:18:33)

It's also strange that the issue only happens sometimes. For example, a previous commit didn't raise an error.

Environment

  • Version of this library used: 9.0.1
  • Version of the platform or framework used, if applicable: Node version 16
  • Other relevant versions (language, server software, OS, browser):
  • Other modules/plugins/libraries that might be involved: octokit/auth-app 4.0.8, universal-github-app-jwt 1.1.1, octokit-auth-probot 1.2.8
@martinsoengas
Copy link

Hi, I have the same problem and got the same error "secretOrPrivateKey has a minimum key size of 2048 bits for RS256". I had to do a rollback to v8.5.1 until the issue is solved. I'm using MacOS Ventura 13.2.1.

@conioX
Copy link

conioX commented Mar 7, 2023

i have the same problem, but this only happen when i build inside docker alpine (node:18.14-alpine3.17) working fine when build on local node windows

@conioX
Copy link

conioX commented Mar 7, 2023
edited
Loading 

if (!options.allowInsecureKeySizes &&
  !header.alg.startsWith('ES') &&
  secretOrPrivateKey.asymmetricKeyDetails !== undefined && //KeyObject.asymmetricKeyDetails is supported in Node 15+
  secretOrPrivateKey.asymmetricKeyDetails.modulusLength < 2048) {
  return failure(new Error(`secretOrPrivateKey has a minimum key size of 2048 bits for ${header.alg}`));
}

i set allowInsecureKeySizes to true so i dont get this error, by the way my key pair from https://cryptotools.net/rsagen and its 2048 or change your algoritm to es like es256 or another

@conioX conioX mentioned this issue Mar 7, 2023
Closed
4 tasks
@pixtron
Copy link

pixtron commented Mar 10, 2023

For anyone stumbling over this issue:

First check the bit length of your key

$ PRIVATE_KEY_FILE="private.pem"
$ openssl rsa -in $PRIVATE_KEY_FILE -text -noout | grep "Private-Key"

The reported bit length should be >= 2048. If your key has less then 2048 bits you have the following options:

1.) Gnerate a new key pair:

openssl genrsa -out private.pem 2048
openssl rsa -in private.pem -pubout -out public.pem

2.) Switch to one of the ES* algorithms

3.) If for some reasons you can not change your keys, you might set the flag allowInsecureKeySizes to true.
Although this is not recommended as 1024 bit keys are considered weak nowadays. Also the RFC7518 requires at least 2048 bit keys.

A key of size 2048 bits or larger MUST be used with these algorithms.
https://datatracker.ietf.org/doc/html/rfc7518.html#section-3.3

@conioX ~33% of the keys generated by cryptotools.net are only 2047 bit long even if you asked for a 2048 bit long key. Cryptotools.net seems to use JSEncrypt to generate the keys. There is an open issue regarding this topic over at JSEncrypt.

Fun fact about those 2047 bit keys is that node v16 reports 2048 bit for them whereas node v18 reports 2047bit. Probably the reason it fails in docker alpine (node:18.14-alpine3.17) and not on your windows machine.

@alaczi
Copy link

alaczi commented Mar 14, 2023

Node 18.14 had a fix regarding the key sizes and that may also cause some confusion here. So with node 18.13 you are save with 2047 bit long keys too :)
nodejs/node#46106

@anna-safonov
Copy link

i have the same problem, but this only happen when i build inside docker alpine (node:18.14-alpine3.17) working fine when build on local node windows

I should mention this is the same case for us - we are getting this error only when building inside docker alpine (node:18.14-alpine3.17). Also had to roll back to v8.5.1 for now as i's blocking our own development.

@anna-safonov
Copy link

In our case, the key is generated by GitHub automatically when we create the new app, so we cannot work around that.

@pixtron
Copy link

pixtron commented Mar 15, 2023

In our case, the key is generated by GitHub automatically when we create the new app, so we cannot work around that.

if you can't control the key itself, you can set the allowInsecureKeySizes flag. See migration notes

@anna-safonov
Copy link

@pixtron - we cannot really set that option, because we are not using jsonwebtoken directly, it is used by another package that is used by one of our shared libs.

@sators
Copy link

sators commented May 10, 2023

Same.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@sators @pixtron @alaczi @padenaa @martinsoengas @conioX @anna-safonov