tsndr / cloudflare-worker-jwt

A lightweight JWT implementation with ZERO dependencies for Cloudflare Workers.
MIT License

JSON Web Key (JWK) not working with RS256 algorithm #60

Closed Fabb111 closed 6 months ago

Fabb111 commented 8 months ago

importKey uses "verify" and "sign" as keyUsages, but the RSASSA-PKCS1-v1_5 algorithm does not support signing, so trying to use verify() fails since importing the key/JWK fails. My suggestion would be to either dynamically determine the keyUsages depending on the algorithm, or pass the keyUsages depending on the usage (e.g. a call to verify only uses verify as keyUsage).

Fabb111 commented 8 months ago

See here: https://github.com/tsndr/cloudflare-worker-jwt/blob/b0d4084a0f9ee21f2e3dac979a281764d7fecb41/src/index.ts#L171-L173

tforster commented 8 months ago

I am getting

```
'Error: Attempt to import public RSASSA-PKCS1-v1_5 key with invalid usage "sign".\n' +
'    at importJwk (file:///home/tforster/dev/JET/FamStat/www.famstat.com/node_modules/@tsndr/cloudflare-worker-jwt/index.js:57:32)\n'
```

since upgrading from 2.2.5 to 2.3.2. I have downgraded back to 2.2.5 for now.

buckett commented 7 months ago

While RSASSA-PKCS1-v1_5 does support signing, it's common to have a JWK that doesn't include the private key parameters, so it can't be used for signing.

buckett commented 7 months ago

As a workaround, the verify() method supports CryptoKeys, which means you can import the JWK in the calling code and then pass the imported key to the verify() method.

So I load my key (JWK) with:

```javascript
// key is the public JWK; import it for verification only and hand the CryptoKey to verify()
const cryptokey = await crypto.subtle.importKey("jwk", key, {
    name: 'RSASSA-PKCS1-v1_5',
    hash: {name: 'SHA-256'}
}, false, ["verify"])
```

tsndr commented 6 months ago

Can somebody verify if this is still an issue with the latest version?

Please reopen if this is still an issue :)

Fabb111 commented 5 months ago

Late response but it's now working as expected in the latest version. Thank you for fixing this! 🙌🏻