Closed Fabb111 closed 6 months ago
I am getting
'Error: Attempt to import public RSASSA-PKCS1-v1_5 key with invalid usage "sign".\n' +
' at importJwk (file:///home/tforster/dev/JET/FamStat/www.famstat.com/node_modules/@tsndr/cloudflare-worker-jwt/index.js:57:32)\n'
since upgrading from 2.2.5 to 2.3.2. I have downgraded back to 2.2.5 for now.
While RSASSA-PKCS1-v1_5 does support signing it's common to have a JWK that doesn't include the private key parameters so can't be used for signing.
As a workaround the verify() method supports CryptoKeys, which means you can import the JWK in the calling code and then pass the imported key to the verify() method.
So I load my key (JWK) with:
const cryptokey = await crypto.subtle.importKey("jwk", key, {
  name: 'RSASSA-PKCS1-v1_5',
  hash: {name: 'SHA-256'}
}, false, ["verify"])
Can somebody verify if this is still an issue with the latest version?
Please reopen if this is still an issue :)
Late response but it's now working as expected in the latest version. Thank you for fixing this! 🙌🏻
importKey uses "verify" and "sign" as keyUsages, but the RSASSA-PKCS1-v1_5 algorithm does not support signing, so trying to use verify() fails since importing the key/JWK fails. My suggestion would be to either dynamically determine the keyUsages depending on the algorithm, or pass the keyUsages depending on the usage (e.g. a call to verify only uses verify as keyUsage).
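
An added example, not part of the thread and not the library's code: it reproduces the rejected import of a public RSA JWK with both usages, then imports the same key with usages chosen from the key material. The helper names `usagesFor`, `tryImport` and `demo` are hypothetical, and the key pair and signing input are constructed locally.

```javascript
// Added example, not the library's code. Node 18 has no global `crypto`, hence the fallback.
const subtle = globalThis.crypto?.subtle ?? require('node:crypto').webcrypto.subtle;
const ALG = { name: 'RSASSA-PKCS1-v1_5', hash: { name: 'SHA-256' } };

// Hypothetical helper: an RSA JWK holds private material only if it carries "d".
// WebCrypto accepts only ["sign"] for a private RSASSA-PKCS1-v1_5 key and only
// ["verify"] for a public one, so the usages must follow the key, not the algorithm.
function usagesFor(jwk) {
  return 'd' in jwk ? ['sign'] : ['verify'];
}

// Import a JWK and report the outcome instead of throwing.
async function tryImport(jwk, usages) {
  try {
    return { ok: true, key: await subtle.importKey('jwk', jwk, ALG, false, usages) };
  } catch (err) {
    return { ok: false, reason: `${err.name}: ${err.message}` };
  }
}

async function demo() {
  // Constructed sample key pair, generated locally so the example runs offline.
  const pair = await subtle.generateKey(
    { ...ALG, modulusLength: 2048, publicExponent: new Uint8Array([1, 0, 1]) },
    true, ['sign', 'verify']);
  const privateJwk = await subtle.exportKey('jwk', pair.privateKey);
  const { kty, n, e } = await subtle.exportKey('jwk', pair.publicKey);
  const publicJwk = { kty, n, e, alg: 'RS256' }; // shaped like a JWKS entry: no "d"

  const data = new TextEncoder().encode('header.payload'); // constructed signing input
  const signature = await subtle.sign(ALG.name, pair.privateKey, data);

  const both = await tryImport(publicJwk, ['sign', 'verify']); // the failing call
  const pub = await tryImport(publicJwk, usagesFor(publicJwk));
  const priv = await tryImport(privateJwk, usagesFor(privateJwk));
  return {
    bothUsagesRejected: !both.ok,
    verifyKeyUsages: pub.key.usages,
    signKeyUsages: priv.key.usages,
    signatureValid: await subtle.verify(ALG.name, pub.key, signature, data),
  };
}

demo().then((result) => console.log(result));
```

Importing with `extractable` set to `false` and a single usage also keeps a verification-only service from ever holding a key object that could sign.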