search

auth0 / node-jwa

JSON Web Algorithms
http://tools.ietf.org/id/draft-ietf-jose-json-web-algorithms-08.html
MIT License
98 stars 42 forks source link

error:0409806E:rsa routines:RSA_padding_add_PKCS1_PSS_mgf1:data too large for key size #39

Open stevendesu opened 4 years ago

stevendesu commented 4 years ago

There may be nothing weird or wrong about this and I just don't understand the underlying algorithms, but my understanding did not match up to the behavior I experienced.

From my understanding, keys as short at 512 bits should be acceptable when writing a JSON Web Token. However I've found experimentally then when signing tokens using the PS512 algorithm, if I create a public/private key pair with a length less than 1034 bits then I get the error in the title.

I'm generating my key like so:

crypto.generateKeyPair(
    "rsa",
    {
        modulusLength: 1033,
        publicKeyEncoding: {type: "pkcs1", format: "pem"},
        privateKeyEncoding: {type: "pkcs8", format: "pem"}
    },
    async (err, pub, priv) => {
        if (err) throw err;
        // ... write pub and priv to a file ...
    }
);

I then utilize the key like so:

jsonwebtoken.sign({
    sub: user.id
}, privateKey, {
    algorithm: "PS512"
}, async (err, encoded) => {
    if (err) throw err;
    // ... return encoded key to user ...
});

This is throwing the following error:

Error: error:0409806E:rsa routines:RSA_padding_add_PKCS1_PSS_mgf1:data too large for key size
    at Sign.sign (internal/crypto/sig.js:112:29)
    at Object.sign (/Users/stevenbarnett/Repos/xxx/auth/node_modules/jwa/index.js:173:45)
    at jwsSign (/Users/stevenbarnett/Repos/xxx/auth/node_modules/jws/lib/sign-stream.js:32:24)
    at SignStream.sign (/Users/stevenbarnett/Repos/xxx/auth/node_modules/jws/lib/sign-stream.js:58:21)
    at SignStream.<anonymous> (/Users/stevenbarnett/Repos/xxx/auth/node_modules/jws/lib/sign-stream.js:46:12)
    at Object.onceWrapper (events.js:421:28)
    at DataStream.emit (events.js:315:20)
    at DataStream.EventEmitter.emit (domain.js:485:12)
    at DataStream.<anonymous> (/Users/stevenbarnett/Repos/xxx/auth/node_modules/jws/lib/data-stream.js:32:12)
    at processTicksAndRejections (internal/process/task_queues.js:79:11)

If I set the modulus length to 1034 or greater, or if I change the algorithm to RS512 or PS256, the error goes away.

I don't understand the internals of the various algorithms well enough to understand why this is the case. I had hoped to utilize a very short key in development (512 bits) and a very large key in production (4096 bits) - but when I ran into this I just grew more and more confused.

I'm posting here because the last (non-internal) line of the stack trace pointed to jwa, but this could very well be an issue with jws, jsonwebtoken, or even with NodeJS itself

panva commented 4 years ago

Putting aside that the JWA specification requires that

A key of size 2048 bits or larger MUST be used with this algorithm.

Technically you can use keys of smaller bit sizes but it's not a blank check. Following are observed minimal bit sizes that OpenSSL will allow you to sign with.

RS256: 512 RS384: 624 RS512: 752 PS256: 528 PS384: 784 PS512: 1040

Nevertheless, you shouldn't - use at least 2048