bug: keystore.toJWKS throws on windows #17

Closed
DarkSorrow opened this issue Mar 19, 2019 · 16 comments
@DarkSorrow

I'm trying to generate a key, I used the code I found in the doc

const { JWKS: { KeyStore } } = require('@panva/jose');
const keystore = new KeyStore();
keystore.generateSync('RSA', 2048, {
  alg: 'RS256',
  use: 'sig',
});
console.log('this is the full private JWKS:\n', keystore.toJWKS(true));

But when I try to start it I get this error

E:\HAS\OpenId\node_modules\@trust\keyto\src\index.js:231
        throw new InvalidOperationError('key is not a valid PEM string')
        ^

Error: key is not a valid PEM string
    at Function.from (E:\HAS\OpenId\node_modules\@trust\keyto\src\index.js:231:15)
    at module.exports.keyObjectToJWK (E:\HAS\OpenId\node_modules\@panva\jose\lib\help\key_utils.js:13:16)
    at RSAKey.get [as e] (E:\HAS\OpenId\node_modules\@panva\jose\lib\jwk\key\base.js:84:23)
    at RSAKey.[THUMBPRINT_MATERIAL] (E:\HAS\OpenId\node_modules\@panva\jose\lib\jwk\key\rsa.js:78:22)
    at RSAKey.get [as kid] (E:\HAS\OpenId\node_modules\@panva\jose\lib\jwk\key\base.js:39:97)
    at Function.entries (<anonymous>)
    at RSAKey.toJWK (E:\HAS2\OpenId\node_modules\@panva\jose\lib\jwk\key\base.js:60:27)
    at keys.map.key (E:\HAS2\OpenId\node_modules\@panva\jose\lib\jwks\keystore.js:95:60)
    at Array.map (<anonymous>)
    at KeyStore.toJWKS (E:\HAS\OpenId\node_modules\@panva\jose\lib\jwks\keystore.js:95:45)

If I understand correctly this is supposed to directly generate a key? I don't see in the doc the need for another file so maybe I'm not understanding something and I know you are probably very busy atm but if there are things I can do to help let me know :x

@DarkSorrow DarkSorrow added the question Further information is requested label Mar 19, 2019
@panva
Owner

panva commented Mar 19, 2019

Are you saying this snippet does not work for you?

const { JWKS: { KeyStore } } = require('@panva/jose');
const keystore = new KeyStore();
keystore.generateSync('RSA', 2048, {
  alg: 'RS256',
  use: 'sig',
});
console.log(keystore.toJWKS())

@panva panva changed the title question: How to generate a key question: keystore.toJWKS throws Mar 19, 2019
@DarkSorrow
Author

Yes and my version is

E:\HAS\OpenId>node -v
v11.11.0

@DarkSorrow
Author

and package is

"dependencies": {
  "@panva/jose": "^0.11.1",
  "koa": "^2.7.0",
  "koa-body": "^4.1.0",
  "koa-ejs": "^4.2.0",
  "koa-helmet": "^4.1.0",
  "koa-mount": "^4.0.0",
  "koa-router": "^7.4.0",
  "lodash": "^4.17.11",
  "nanoid": "^2.0.1"
}

@panva
Owner

panva commented Mar 19, 2019

The only thing I can think of is that the keyobject export does not honour const EOL = require('os').EOL;

@panva
Owner

panva commented Mar 19, 2019

Can you try going to your node_modules/@trust/keyto/src/index.js file and changing line 219 to let lines = key.split('\n')? I don't have a Windows machine available so this would help me out a lot to confirm.

@panva
Owner

panva commented Mar 19, 2019

Also run this for me and paste the output please

const { generateKeyPairSync } = require('crypto')

generateKeyPairSync('rsa', { modulusLength: 2048 }).privateKey.export({ format: 'pem', type: 'pkcs8' })

@DarkSorrow
Author

It works when I change the line you gave me. I'll run the second command

@DarkSorrow
Author

I ran this

const { generateKeyPairSync } = require('crypto')

let res = generateKeyPairSync('rsa', { modulusLength: 2048 }).privateKey.export({ format: 'pem', type: 'pkcs8' })
console.log(JSON.stringify(res))

Which gave me
"-----BEGIN PRIVATE KEY-----\nMIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCzw77UxBXgwWov\nTFbjXmqWF33a9V0D4Vjk1YLarvSSEM07tzn1oe8WdZ+AnhRIgw1HSn+VK2RonZMV\nPQ+27n1FIgvtYyzN3Xg2TU5fN7KRF7WCs3CDkh+npHvCpJK6ssTccWTcwY4F9HGU\nbz9Ui/5o7Gbqvb6QKlr3sjOKj2BmyIsyA+ypU3mYexozr4uiS+OmMpc08ekZh5ew\nu3IsAoKmLw4OhW6JGpzYQ2aCX+9KR/56Z5OCbCgvunG33IKkogtqZm5cJC7dG/la\nkRi/andQHDBatuvoqUTRzX99siX/P2B8tuRyklpdVigNYXXi/JthRyEtJgt7HB9x\n4v00o2E7AgMBAAECggEAZHw0/gYmHJ7BVnMb1rj+Z6v2BCFHv1WGNVRMcyV9PPD7\naDgBxBai6TES2fiDag0nrQQt0RqSZBBBGYwqbp1dlPl1JVtcvi7gdao89ujRfl18\nbvUTHdjerP062RDZnFc1x+vy75uaYiXEH68X/ZDLw6bx2KH8FeY3N2J7gSaoQotD\nrJF9263Tg9V420aM2jrNgHESKg9DSzoRGoIT67YVYyRDoc6zqWwAqeUx8NJl5fg6\n5C0g6B+4M8/SQq197kHH9+VVK4Sxw0Xanw6Td3GQtjJKlhI8AYV/UJbP9RcOTtng\nysBfvJ5oaoNQ68l4g3ztuMJMvpIXfizlBSVuZfviQQKBgQDb1GbKtZXsfnkg/Ppu\ntZK94d5/ECOWWCQYdDSPvewosnHQ9PFTJYpSFrtdWF/J8x/+WExhznTRu2/pPhdJ\nUs4WzGifVa/+Km9GBXIrlNCGfNeKAHAjDkfgQAVJ5omxKehuSlnDRseLBzyUZnQi\nlKWD8GJ+nHhbj/NLC9wycHWkkQKBgQDRV7xWl4OyIGp0MrNSuikAAkCmOxLoj8rA\nAvcRSxdWBCnekK4wqN+XfERSouCcW7YoxdmVNDhoeQPQSARrZdDWWOJzNdkEzJ3t\ntEojB7W1yrxZe0vX6DE5tEYvnAAq4vN3fwrc56hkv40mJEad1XNwytQ+miJqPvUY\niBxuIwvfCwKBgAwiw7H5KFev+7voe2LVP06gQ4o8N9q67vMypxwwXfM5NrNUcmYm\nsmYpvxo+ILujYmbGNSFJJoXVlS4JMXvoyFvV2QjC0D511ULGVjE1u/VQuw1xTL+C\nsFEe96vGwF85cw1zqVTweV+hfKSsq0ilcCXChY170eEsJ0BDXVqjfrshAoGAafhG\nr3K9SLMeEDoGCm+QB6AcR8mJlc4MLUyS8t8XLgSniTGl653gqVdPYqFun9fRCyy0\nKtInZ8MyigGasx70Kz0NTJLKi6Jko4prKPZjJmY9F/LQ/rdcC8DU8o6+ivcdlbTq\ns85UsMNCWTdtw8HkUQlrjVEK8Mtz2Ho2Ig59mOcCgYBQ9zZu9XNYcUtwCRrta2wK\nGhOWKSl2z3yFVYfocKjsU8ILrPO9ui8tWGvldcsF64Ie7qi6i5Q9N8WlEo30ldDm\nCHg/VQ79bADb7qj12XRrfhWKtjAMGcyTHQqWdSuFQOEA7A0meCzxDW8ar6O7KTWb\nq2WlQN5l1Z/vejSd2tA+Lg==\n-----END PRIVATE KEY-----\n"

@panva
Owner

panva commented Mar 19, 2019

OK, please revert everything and change lib/help/key_utils.js to

const { EOL } = require('os')
const keyto = require('@trust/keyto')

const errors = require('../errors')

const SUPPORTED = new Set(['EC', 'RSA'])

module.exports.keyObjectToJWK = (keyObject) => {
  const type = keyObject.type === 'private' ? 'pkcs8' : 'spki'
  const format = 'pem'

  const pem = keyObject.export({ type, format }).replace(/\n/g, EOL)

  return keyto.from(pem, 'pem').toJwk(keyObject.type)
}

module.exports.jwkToPem = (jwk) => {
  if (!SUPPORTED.has(jwk.kty)) {
    throw new errors.JOSENotSupported(`unsupported key type: ${jwk.kty}`)
  }

  return keyto.from(jwk, 'jwk').toString('pem', jwk.d ? 'private_pkcs8' : 'public_pkcs8')
}

I think this might work as a temporary workaround to the @trust/keyto implementation. Upon confirmation I'll work that one in.

@DarkSorrow
Author

Your workaround works and when I check my JSON.stringify(require('os').EOL) I get a "\r\n" and I suppose the generation of the token is something made with just \n so it's not based on the OS end of line but something like openssl? Maybe it's something I should post on the @trust/keyto? If I can be of some help :x

@panva
Owner

panva commented Mar 19, 2019

Yes, I think @trust/keyto should not rely on os.EOL, for one the key might be coming from a different system.

That being said I'll work around it for now and in the future the work being done on the KeyObject API will remove the need to use the pem -> jwk path in keyto.
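
The failure discussed in this thread, reproduced as an added example that is not code from the thread, from @panva/jose or from @trust/keyto: `parsePemWithEol` is a hypothetical, simplified PEM parser whose `eol` argument stands in for `os.EOL`, and `parsePem` is a line-ending agnostic variant. The error message text is copied from the report above; everything else is an assumption made for illustration.

```javascript
const { generateKeyPairSync, createPrivateKey } = require('crypto')

// Node's KeyObject export separates PEM lines with '\n' on every platform.
function exportPem () {
  return generateKeyPairSync('rsa', { modulusLength: 2048 })
    .privateKey.export({ format: 'pem', type: 'pkcs8' })
}

// Hypothetical, simplified parser that splits on a caller-supplied EOL.
// Passing '\r\n' simulates a parser that uses os.EOL on Windows.
function parsePemWithEol (pem, eol) {
  const lines = pem.split(eol).filter(Boolean)
  const begin = /^-----BEGIN ([A-Z ]+)-----$/.exec(lines[0])
  const end = /^-----END ([A-Z ]+)-----$/.exec(lines[lines.length - 1])
  if (!begin || !end || begin[1] !== end[1]) {
    throw new Error('key is not a valid PEM string')
  }
  const der = Buffer.from(lines.slice(1, -1).join(''), 'base64')
  return { label: begin[1], der }
}

// Line-ending agnostic variant: accepts LF, CRLF or CR regardless of host OS.
function parsePem (pem) {
  return parsePemWithEol(pem, /\r\n|\r|\n/)
}

function demo () {
  const pem = exportPem()
  // Constructed input: the same key rewritten with CRLF line endings.
  const crlfPem = pem.replace(/\n/g, '\r\n')
  const attempt = (fn) => { try { return fn().label } catch (e) { return e.message } }
  // The decoded DER must load as a key and be identical for both encodings.
  const der = parsePem(pem).der
  createPrivateKey({ key: der, format: 'der', type: 'pkcs8' })
  return {
    exportHasCR: pem.includes('\r'),
    lfSplit: attempt(() => parsePemWithEol(pem, '\n')),
    crlfSplit: attempt(() => parsePemWithEol(pem, '\r\n')),
    agnosticLf: attempt(() => parsePem(pem)),
    agnosticCrlf: attempt(() => parsePem(crlfPem)),
    sameDer: der.equals(parsePem(crlfPem).der)
  }
}

console.log(demo())
```

Splitting on a pattern that covers every line-ending form also handles keys that were written on a different system than the one parsing them.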

@panva panva added bug Something isn't working and removed question Further information is requested labels Mar 19, 2019
@panva panva changed the title question: keystore.toJWKS throws bug: keystore.toJWKS throws on windows Mar 19, 2019
@panva
Owner

panva commented Mar 19, 2019

@DarkSorrow while we're at it and you're willing to help. Can you clone this repo, make the above change in your source and run

npm i
npm test

Maybe there are more Windows-specific bugs that we could uncover.

@DarkSorrow
Author

Yes sure I'll do that and post something on their channel too later

@DarkSorrow
Author

DarkSorrow commented Mar 19, 2019

OK, with your workaround all tests pass

E:\HAS\jose>npm run test
> @panva/[email protected] test E:\HAS\jose
> ava



  1355 tests passed

@panva
Owner

panva commented Mar 19, 2019

Thanks for your help @DarkSorrow, I'll get this sorted later today.

@DarkSorrow
Author

Well thanks for being so reactive, I sent a PR to keyto as well

panva added a commit that referenced this issue Mar 19, 2019
@panva panva closed this as completed in 57f1692 Mar 19, 2019
@github-actions github-actions bot locked and limited conversation to collaborators Apr 4, 2020