fix: check for RSA header before decoding public key (#415)

nearform · Dec 5, 2023 · 89efaab · 89efaab
1 parent 4add987
commit 89efaab
Show file tree

Hide file tree

Showing 5 changed files with 74 additions and 67 deletions.
diff --git a/benchmarks/keys/generate-keys.js b/benchmarks/keys/generate-keys.js
@@ -46,8 +46,11 @@ for (const [prefix, configuration] of Object.entries(configurations)) {
       let type = 'pkcs8'
       let format = 'pem'
 
+      let publicKeyType = 'spki'
+
       if (prefix === 'ps') {
         type = 'pkcs1'
+        publicKeyType = 'pkcs1'
         format = 'der'
       } else if (prefix === 'es' && bits === '256') {
         type = 'sec1'
@@ -60,7 +63,7 @@ for (const [prefix, configuration] of Object.entries(configurations)) {
           modulusLength: 4096,
           namedCurve,
           publicKeyEncoding: {
-            type: 'spki',
+            type: publicKeyType,
             format: 'pem'
           },
           privateKeyEncoding: {

diff --git a/benchmarks/keys/ps-512-private.key b/benchmarks/keys/ps-512-private.key
@@ -1,51 +1,51 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIJKAIBAAKCAgEArtmWShv1Bu4fgEHbLP/APChVkl6X3odEu6MPDRzRqH6KjtCj
-0wP7OMN4eC4/uIUdhfj0zzVL0f3gIKXj4B2tqW9wVtCMadsZUPTjUb7EkM8ZRFsl
-jHFFTDFIqbQtW+DNCskaZHg/fyWZ3nLYk2rVGQnRieAVV9G2qyRfaPXqOv7BiXfa
-dxcgaCMnJMpQIPAtMZ0JSdFqPEx4go7oO9dg/22o3bwwwd4Rgq4FFBhTB8HlJqJR
-U3lLlEC8T5ZWww+Ru+c6KZjNypRtOLAHcn8m1K7xORzeLJk0Eg06EHhOAC+K85Zz
-VzuX5N+eQ6VJBkZcgvkhhc0OPy1nuXPpL3iW+NGhI3gjEzQP2fHjBYpYEQKVmfTM
-d2Qmw738O6n7p3NRDetjatgwOqj9G2k0syFjmvOxx/3ys8JGq86ztcx18fdX4K/E
-3EanEwE5wBIMbksG32+VqWsV4i64+LDhZ+KyqazDIJzGpTX7Tc1mvKaS4REtctaB
-tMoT4d+hayLWZ3ifCD05FkNJ/raTCgaTQ8aW0d2E1eWZGIkPba9rV5kr5y4w+7wK
-VBSwu5puF9ddmfU4tiWnqXgF8E0IkNcTfP3EOE7cZQC7nu6aySCDzSfl051JWgv0
-9UddgkdQnjDbbbagNUVm7XtM5LQISKd6heUw904vBYgo0o77EJXLYNN51QsCAwEA
-AQKCAgADbPfo08tlK10qoh+tLgWSKCglCf1nura6BmPRGfNxnakRSz0qcTWG0y2V
-DTLqZpFBgrMpLB4kKxktCpMAXRR98VT+Hm/h0w0X7PRXMamgPK5+DFsb+UwmRgDq
-ckFBP5JE19PQjBqSXyY4mX9sw/cQ2oRkcyN36P/vMnM8FzVTmpIoI1UAaE+WOroV
-mnEfdBUul6kK7TNrowPpautZ4MphtsBMN9estLEbIlWvIxrdWAspSpzVSdcVPH9z
-/7oLcE6mo80b64Z8pZPOPISo1ZzpJdRMDii8LvQ6NlAg6np8vnG2fAgeeWhsb4Um
-RiK8ILzHRCJIANB6pGUX2RGEgJRUm1SfpL64C9651pKQ8f+fWg1iiuxsb8i/2L8u
-gbfn3rATrtNGrwGzhgBmKR4pF8FZg58Ix1mayQztfj77FqOsMk6FjO1cwEKz8AR1
-aFd17F9GdJbOg9R6TCN7nuWOXRzSj2mdoju6s0Xhf6j7fAOIA9hItKX5A6DXHowR
-RWz9iAtnerIcmjoKPZicB9yFD9HJ6B7D8tluI72XSgKrvu3VozV5GabUFLNLluGO
-IR9YHodYNtiF6mZxpu40V4pn2CgFn/VRq1fo3b8gtbsh6+W1lhcxH+RsWEE5qt4s
-b66NsVNmR4X13Ah9YjH/Ec2SMaougZo93Psf/ERWgwTlUWuDYQKCAQEA5pzdoyDx
-cwEOud4jHORIu2rNnc3Qe4SPbmeotEJg8873Bma2vakQSS7hYVnpnu6neoriVlPn
-0SIycd0w+2QIOxpYfEoK7pZPoVnT6e44IIGG5radwGKbRS5ge1p1ZwQjarJqwOVd
-S44ctKsWEFPYPUbP5QsRNKtCTxAwS2CyraqvnK1TYpLcgGkNeFHI7pv33jh5aZ9r
-nQ48PtxHAXf/EnOzHQ+yYbiQEYb3Y2OYwB4Cok2waqqmfYclD3m00vE3IVP+x76L
-ceyV6qYCnyFreiwBije8+GyIg2hjkscirweZ49ZJzUmmZ/FY+dYlMJxL+gFLDXIj
-4fT1c0tVNtMC3wKCAQEAwhk2aBOE7Spds41avRcAkTBDG2ND+fE7MKvZwjPGYTam
-qi3ZIaD6lUEJFIz89zQZj19wvkXY+GCT2FtvwioSA3lfo1j84iSpT9h190wD9NlR
-YlbZshQmF3EfT5w6hjYqf3Az5S2n0MpYqi6plAzJJsg4sFTP7MPJ9Gr8Vpwxy5DA
-rpV4pGAcs5ocXLNW41/KdspakTur5BVTA7T+unpfhshjHP/eZ1SfiXjehgaEbD0+
-o+b63KMNuTQ1M4OTBV42nWT8BaIeUmnsD54PUDe/5yV6L0mIuLJjBIl227BUn7PN
-Cpa+ZcTBWcVWmMd3/EgTDED5ozCCIv2Tr8b00es/VQKCAQEAql343yrXNT7ywh15
-kz6S/OJKROpnutiTndy2pXTkaznbBL+dAUCE54vatTDXhrKIx98SlvQlrjq1Sak/
-JnkgG4m7FRcePGSPL4RNKeTzUhBeuNLwd9BhJRq97GNHmHNWNtzYQOkxoz+5tT8v
-baCDf8FwlKU4cNCUjBRJmWY2mlYepoDluU0F2VfCu8Cv0Jco5uKRz5YWylBZ8ZaK
-Xmtn5RnUmQOfpNHUnR44ZRSPJF8HUyBR1Ht9w/6zQluHWs8ZC2YiMy5xlhhSKKe8
-CBOIcxlPiezjjiOgNnRIG4dB+EyFQ+xrWV2vsdp7ARdTIjZVarzJ1YUdPTDao/Jj
-Yb1BwQKCAQBPCnVdbJV0/wupUqbg2b0hYsXxITtNTS8NYu4KZ4shi1/TbVg+mY9x
-uEo6VC+ve0ftWrBOy6LPgoSyVonsR7WONJ79pf9VGBjaqwte6VWzH8xEf5mnKw1X
-/nkBsl0iymwD+W0opq7wF3aD1vy3jX1cjayIIgGKKTDUl7yqiHC+tPPCJJw8U+dc
-PCXQmjeH4DpSpZS8D9Cv0P89Qzd4ON0txeyWopuu+Ib/NHlpmr3SVh5sIGOH9d5g
-zSHdGHeGeBdFgRogMSSn6vp2Yadaw1kih+B54TgL/pjUACamz+emIVIePcTLLJSQ
-OgxJqvDxi2g2VT9TdS2JkjnSGvMXiPUBAoIBAH06VWo/yhLKhgP63DfLg9HL79zS
-u0mZRPqGwzDW6g7hhns2LWz+p2oWESW4WROQxsRtKwy08/R2empIl60DlSLv/prO
-TIRglGpyl3K/Gn/Np47la1U/aehgYxMW6mHs1OMH84t5PqedEcSLN9BG9/koaY7x
-1n1A+UFTpLh4GzzxlO/Ohr+rCDnDiQQZm29U4hgBrgQCcdtdBaoTHN6LkMV1662/
-sO8D5LJ7yMKLUVla8S+9/r5e+JxrXX8LADg3jhyX5446HtcCuc0rmzkN7XSTZOuN
-alR/RV4e8kfl6Hpcu2pipjcUPnHCBULK/rm8/cu6bnYMSZ5XYk2+GmYpfUM=
+MIIJKAIBAAKCAgEAm4aCPiqZ3h48wrUOZtYjoSyUnaCzU6zhba/7wSXju00jmjYJ
+o6CHMpp6K7bsFUdpFMVVb7JyJMtMnEbU21VhkvcXh3FZf0aJHsm0YMTH8gFkcIJy
+KGKsYT5hdnR49nSc9q6aEJIvarN60pcX18Gva2eI+LLR52iarq2Mgjs6ZMlLDFrc
+6AJRjHPqDfc7oWEvHjGtxaX40sZC93skRn/LLk2wGgrC7eOosp6mwhK41xmwD63w
+QVe8qkEQ8gVdNPjPr2Vfg88x28fX8wc5K4Gux9fJujmMPg9CQ6QFHui9LQG6/Y8/
+miizEpFlka1jOqL+m1qBhlrwdAeSgU/PU3nKDK/pBVcpieiFgGbdGyEWMWt94q1Z
+aQaPLNugmUOvV5LdLRENv5mBnZd3mBYVJeApzdwNaBsFGZTxZE6Ufm4Bgvi6XAsH
+ap/KUHPjAuwwkdq0BVXFbNq/P/mJgOr1+M5aDX2bgYlPEYD8D/lo8xZe+SeFav8g
+r7MKOqpcC5FjuGpi2hXLLYhDrln05CH+lyku83h0aFWq9+zeHu1vdkl80VMgvyW7
+WuEaZi09IHm5/878vBtlIsS8bq6EIb/A+6YAZBwvX3RHjzk1yOoO35kXSO1i/YAF
+MsF8/ekUiVS2pVpANrppkoiHGxVFXVT0htMBVvJqHylk3SRux0p644O8hv8CAwEA
+AQKCAgBJoi8C6N+NqspAs0E8zhDza6x3TtDognb+nC35Pguqr7R1/DSnHEc2Xa4P
+CV2QG420UFOJfTaOlhRQ/zYjHDMExmkE7tUdLdOY2I3GrRQvT5pyrEgJN+J+be7u
+CuoEYaS5JGR8CQJbJdu2XePjemen1c6jVOKNidiGcFOQiyMz+ZvHHzPswsBCW9UK
+RK4eU2lgBcxMwi5i+IxXKJ29pR6Y7x47zjGJONqzquqwAvYxnQ9e9Q7FmRkRkJnJ
+xGFjRZPq6neE6/GiqWTkQty97PnH0zJGsZ1k+ot4g+0Ku81pRCL4jrxhq/hQh7dL
+eAh9iBM8kWa2qlKi1Lz37UXvMz/F8gSB1m8fvng5/e5DuiGTo+ERdM2GcN1yfsZ1
+Bc0gGh5Grt6c97bccn4SwH9PPXq1mOMZyeMD04LmPR2mmlfgSepsPYA3ySuE2cRf
+DDqXVoL8HoGTxbgAx3Oq7f4Zk/p4elSbLMl5LSaaRdbaaTVt0rUC+k3c4JszFyGJ
+pYXedlNT2YHTncpxre07E+V4y1oyH8UQzF6rvExhFcSc8EvIV4xqIdk2Bye3RB8P
+fOhZk2PSwTJSgPVj21R1UQVUkG1BqaSHky+jysEXLORHH/sN9+jW/YdfeAEJ9yJG
+ziALAHNUelT5yqgj1UoUE12Q/o3u/v44uzjIWlgcoUVHTwD4lQKCAQEAyd7ip1nB
+v5vh0ERHltgRqQIzpF1gYq0FL+zkg/qiMjlYnGtyB4XMgyim1BprRQxKTi5xT7EQ
+FLbQPzfMJ7R8Iu4n+jsFPZPmNbzat0qWy65KyWdHGta6JK895AKrrPylsIqTFfWs
+bH+euxvbmLbHj9VXakUYkCEOm2WPKXp9RLCrons/RgRshyoLMdPRaZyCiNMDU6rS
+yRAgdnhiCRft9QE2C6adsZNmNhZK8/q0ppHSKifEJYvtnIPDHtt6X2Dyd4EAcE2p
+1t10opl10ltUnmO0k4HDIoPkHShzMo/J/i0EIY2KOiRQXvgUH1uelJxBAZ+8Rf4Q
+PUt4jw70wST/tQKCAQEAxTpS2GVlBGRe1NYjcl8cgmZi8BfMeXXbL9q7hCgmZyaN
+WP8fS3OkJw2kWJ9R5Y4/b/thoTtYhhW1gu59IiGGY6eYP2jr+HOGsTM9XkgYR/Gj
+QM7pp6Mh0+iJP/HIWcCbAEOIFnfcK6jOSeNNUyCKAOhTpNLidqgcf9tyZLjc2/Jc
+SIDPRN26e83fBZbLXkyI+FEPH/7VFv+8suyDPerIt0R6zkXUk62K6cEc7jydR/sN
+ehxEXMQHRVM4QXU3GycMTbDMk3RQDSW98oIKWFIXxPn9Jw5Kps+Z4kM0Knxr6pdO
+DrfNtt3NbVbqV3j7rk0Dt0Q09mPSRM5PssnKGdWUYwKCAQEAgqe4iNoGFW7d438d
+2pq0K3AaXop1JMiZL+CiMm2YZutI18yO/CF0MXuxJlyHCySePyW9/vc50j5UYGZL
+w3MEWVNNGp7ykF1WRXebE8C6AtAm5V3r3ooV5kJpy1aTKJ5I2w+FjVP5qiubX7zz
+D09VsFlDf6uC714F5zv/QbhetYOnQr2EQVwBpiXnIvPWeQVsUwRIBfHtBWdjq2nV
+Ac+0GrwS782CCPm+0Mjy8CBWpeyBWvlr8WU0f/Wj5yfkdzD3HbOnxgfuIfwpTkgG
+wwSLqwwbRtFYq9EzZk/U52e7M8CNCO5kBaeVQTJNS9Jvu/258UQihiae+h0LxYPH
+k+7PdQKCAQBXLsL0WU3gNSYeW1Jr+lM16WCO1VZT0p9DdiMx9jWTn10YHB6PUd0c
+TlF5w2OGX+z26V5s0Tj+fJYx/I5gCgXIA4uvbAfzWc4OgqH8DU5+bvhFa7GpotkP
+PVl+ZLi1xAhAg5mipPU0b3hQ/SNvPZEDea+PypDE9ucyNaVJlNY8e9QDUL1Oqd0H
+YSfW5qObWaWqbtqKwDEd64pUZWxWcHStXp4SlJe1eB9R2UWaojy8VuPMOLaXcyfr
+oy/Y76GeZRJxPVgRTncceLSQgJ9mD1PmhMM9AnpJZreVZzOmHD3wA1ZD90f+L+nh
+DWylohtPH0gnOQVYbSPDupdMZxrpdJoVAoIBAC+gD8+t6vdhy+K291vlhOvl0/Pz
+zmyboK7Gnu4iN2ZUZZl7x+6y7bLNj3645nZL+2C9Mm1jsYDpvy+ZxMe7q13Tu+zX
+1caytR2RDqQeFU5CjWsqTbF2goBpgzS745soKst5xsx5ESv4mb7VMZehDEHM6ooL
+W1vJWxN3B387A1kcZu0OSL1Hpx5TQSuA17+roEZxzBBLIvmVpSDx5wnHA+nXefKJ
+qMTsjvaFjyXvM1dJLUxgo3MT5nwkoh3sI+zUDaG8qOxa6TSgINkiE0b+3etwoz6T
+fZegoHhC6xJf5EnmdFEx704ogUZIHZDRMhEF57gVzX2AlTMz6SJjEHW14uM=
 -----END RSA PRIVATE KEY-----
diff --git a/benchmarks/keys/ps-512-public.key b/benchmarks/keys/ps-512-public.key
@@ -1,14 +1,13 @@
------BEGIN PUBLIC KEY-----
-MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArtmWShv1Bu4fgEHbLP/A
-PChVkl6X3odEu6MPDRzRqH6KjtCj0wP7OMN4eC4/uIUdhfj0zzVL0f3gIKXj4B2t
-qW9wVtCMadsZUPTjUb7EkM8ZRFsljHFFTDFIqbQtW+DNCskaZHg/fyWZ3nLYk2rV
-GQnRieAVV9G2qyRfaPXqOv7BiXfadxcgaCMnJMpQIPAtMZ0JSdFqPEx4go7oO9dg
-/22o3bwwwd4Rgq4FFBhTB8HlJqJRU3lLlEC8T5ZWww+Ru+c6KZjNypRtOLAHcn8m
-1K7xORzeLJk0Eg06EHhOAC+K85ZzVzuX5N+eQ6VJBkZcgvkhhc0OPy1nuXPpL3iW
-+NGhI3gjEzQP2fHjBYpYEQKVmfTMd2Qmw738O6n7p3NRDetjatgwOqj9G2k0syFj
-mvOxx/3ys8JGq86ztcx18fdX4K/E3EanEwE5wBIMbksG32+VqWsV4i64+LDhZ+Ky
-qazDIJzGpTX7Tc1mvKaS4REtctaBtMoT4d+hayLWZ3ifCD05FkNJ/raTCgaTQ8aW
-0d2E1eWZGIkPba9rV5kr5y4w+7wKVBSwu5puF9ddmfU4tiWnqXgF8E0IkNcTfP3E
-OE7cZQC7nu6aySCDzSfl051JWgv09UddgkdQnjDbbbagNUVm7XtM5LQISKd6heUw
-904vBYgo0o77EJXLYNN51QsCAwEAAQ==
------END PUBLIC KEY-----
+-----BEGIN RSA PUBLIC KEY-----
+MIICCgKCAgEAm4aCPiqZ3h48wrUOZtYjoSyUnaCzU6zhba/7wSXju00jmjYJo6CH
+Mpp6K7bsFUdpFMVVb7JyJMtMnEbU21VhkvcXh3FZf0aJHsm0YMTH8gFkcIJyKGKs
+YT5hdnR49nSc9q6aEJIvarN60pcX18Gva2eI+LLR52iarq2Mgjs6ZMlLDFrc6AJR
+jHPqDfc7oWEvHjGtxaX40sZC93skRn/LLk2wGgrC7eOosp6mwhK41xmwD63wQVe8
+qkEQ8gVdNPjPr2Vfg88x28fX8wc5K4Gux9fJujmMPg9CQ6QFHui9LQG6/Y8/miiz
+EpFlka1jOqL+m1qBhlrwdAeSgU/PU3nKDK/pBVcpieiFgGbdGyEWMWt94q1ZaQaP
+LNugmUOvV5LdLRENv5mBnZd3mBYVJeApzdwNaBsFGZTxZE6Ufm4Bgvi6XAsHap/K
+UHPjAuwwkdq0BVXFbNq/P/mJgOr1+M5aDX2bgYlPEYD8D/lo8xZe+SeFav8gr7MK
+OqpcC5FjuGpi2hXLLYhDrln05CH+lyku83h0aFWq9+zeHu1vdkl80VMgvyW7WuEa
+Zi09IHm5/878vBtlIsS8bq6EIb/A+6YAZBwvX3RHjzk1yOoO35kXSO1i/YAFMsF8
+/ekUiVS2pVpANrppkoiHGxVFXVT0htMBVvJqHylk3SRux0p644O8hv8CAwEAAQ==
+-----END RSA PUBLIC KEY-----
diff --git a/src/crypto.js b/src/crypto.js
@@ -26,7 +26,7 @@ const base64UrlMatcher = /[=+/]/g
 const encoderMap = { '=': '', '+': '-', '/': '_' }
 
 const privateKeyPemMatcher = /^-----BEGIN(?: (RSA|EC|ENCRYPTED))? PRIVATE KEY-----/
-const publicKeyPemMatcher = /^-----BEGIN( RSA)? PUBLIC KEY-----/
+const publicKeyPemMatcher = /^-----BEGIN(?: (RSA))? PUBLIC KEY-----/
 const publicKeyX509CertMatcher = '-----BEGIN CERTIFICATE-----'
 const privateKeysCache = new Cache(1000)
 const publicKeysCache = new Cache(1000)
@@ -155,9 +155,14 @@ function performDetectPrivateKeyAlgorithm(key) {
 }
 
 function performDetectPublicKeyAlgorithms(key) {
+  const publicKeyPemMatch = key.match(publicKeyPemMatcher)
+
   if (key.match(privateKeyPemMatcher)) {
     throw new TokenError(TokenError.codes.invalidKey, 'Private keys are not supported for verifying.')
-  } else if (!key.match(publicKeyPemMatcher) && !key.includes(publicKeyX509CertMatcher)) {
+  } else if (publicKeyPemMatch && publicKeyPemMatch[1] === 'RSA') {
+    // pkcs1 format - Can only be RSA key
+    return rsaAlgorithms
+  } else if (!publicKeyPemMatch && !key.includes(publicKeyX509CertMatcher)) {
     // Not a PEM, assume a plain secret
     return hsAlgorithms
   }

diff --git a/test/crypto.spec.js b/test/crypto.spec.js
@@ -241,7 +241,7 @@ test('detectPublicKeyAlgorithms - malformed PEM files should be rejected', t =>
   t.end()
 })
 
-test('detectPublicKeyAlgorithms - public keys should be rejected', t => {
+test('detectPublicKeyAlgorithms - private keys should be rejected', t => {
   t.throws(() => detectPublicKeyAlgorithms(privateKeys.RS), {
     message: 'Private keys are not supported for verifying.'
   })