
secretOrPrivateKey size error when size is large enough #888

Open
padenaa opened this issue Feb 16, 2023 · 10 comments

Comments


padenaa commented Feb 16, 2023

Description

I'm doing some development with octokit and probot which bring jsonwebtoken as a dependency. After updating octokit/auth-app to a version that supports jsonwebtoken 9.0.1, I'm getting this error:

"secretOrPrivateKey has a minimum key size of 2048 bits for RS256"

The private key used is definitely longer than 2048 bits, so I was not expecting to see this error.

Reproduction

Logs:

Error: secretOrPrivateKey has a minimum key size of 2048 bits for RS256 at Object.sign (/app/node_modules/jsonwebtoken/sign.js:130:22) at getToken (/app/node_modules/universal-github-app-jwt/dist-src/get-token.js:3:25) at Object.githubAppJwt (/app/node_modules/universal-github-app-jwt/dist-src/index.js:14:25) at getAppAuthentication (/app/node_modules/@octokit/auth-app/dist-src/get-app-authentication.js:4:41) at hook (/app/node_modules/@octokit/auth-app/dist-src/hook.js:18:33)

It's also strange that the issue only happens sometimes. For example, a previous commit didn't raise an error.

Environment

  • Version of this library used: 9.0.1
  • Version of the platform or framework used, if applicable: Node version 16
  • Other relevant versions (language, server software, OS, browser):
  • Other modules/plugins/libraries that might be involved: octokit/auth-app 4.0.8, universal-github-app-jwt 1.1.1, octokit-auth-probot 1.2.8
@martinsoengas

Hi, I have the same problem and got the same error "secretOrPrivateKey has a minimum key size of 2048 bits for RS256". I had to do a rollback to v8.5.1 until the issue is solved. I'm using macOS Ventura 13.2.1.


conioX commented Mar 7, 2023

I have the same problem, but this only happens when I build inside Docker Alpine (node:18.14-alpine3.17); it works fine when built locally with Node on Windows.


conioX commented Mar 7, 2023

```js
if (!options.allowInsecureKeySizes &&
  !header.alg.startsWith('ES') &&
  secretOrPrivateKey.asymmetricKeyDetails !== undefined && // KeyObject.asymmetricKeyDetails is supported in Node 15+
  secretOrPrivateKey.asymmetricKeyDetails.modulusLength < 2048) {
  return failure(new Error(`secretOrPrivateKey has a minimum key size of 2048 bits for ${header.alg}`));
}
```

I set allowInsecureKeySizes to true so I don't get this error. By the way, my key pair is from https://cryptotools.net/rsagen and it's 2048 bits. Or change your algorithm to ES, like ES256 or another.


pixtron commented Mar 10, 2023

For anyone stumbling over this issue:

First check the bit length of your key:

```sh
$ PRIVATE_KEY_FILE="private.pem"
$ openssl rsa -in $PRIVATE_KEY_FILE -text -noout | grep "Private-Key"
```

The reported bit length should be >= 2048. If your key has less than 2048 bits, you have the following options:

1.) Generate a new key pair:

```sh
openssl genrsa -out private.pem 2048
openssl rsa -in private.pem -pubout -out public.pem
```

2.) Switch to one of the ES* algorithms

3.) If for some reason you cannot change your keys, you might set the flag allowInsecureKeySizes to true.
Although this is not recommended, as 1024 bit keys are considered weak nowadays. Also, RFC 7518 requires at least 2048 bit keys:

> A key of size 2048 bits or larger MUST be used with these algorithms.
> https://datatracker.ietf.org/doc/html/rfc7518.html#section-3.3

@conioX ~33% of the keys generated by cryptotools.net are only 2047 bit long even if you asked for a 2048 bit long key. Cryptotools.net seems to use JSEncrypt to generate the keys. There is an open issue regarding this topic over at JSEncrypt.

Fun fact about those 2047 bit keys: node v16 reports 2048 bit for them, whereas node v18 reports 2047 bit. Probably the reason it fails in Docker Alpine (node:18.14-alpine3.17) and not on your Windows machine.


alaczi commented Mar 14, 2023

Node 18.14 had a fix regarding the key sizes, and that may also cause some confusion here. So with node 18.13 you are safe with 2047 bit long keys too :)
nodejs/node#46106

@anna-safonov

> I have the same problem, but this only happens when I build inside Docker Alpine (node:18.14-alpine3.17); it works fine when built locally with Node on Windows.

I should mention this is the same case for us: we are getting this error only when building inside Docker Alpine (node:18.14-alpine3.17). Also had to roll back to v8.5.1 for now, as it's blocking our own development.

@anna-safonov

In our case, the key is generated by GitHub automatically when we create the new app, so we cannot work around that.


pixtron commented Mar 15, 2023

> In our case, the key is generated by GitHub automatically when we create the new app, so we cannot work around that.

If you can't control the key itself, you can set the allowInsecureKeySizes flag. See the migration notes.

@anna-safonov

@pixtron we cannot really set that option, because we are not using jsonwebtoken directly; it is used by another package that is used by one of our shared libs.


sators commented May 10, 2023

Same.

7 participants