Bug: Secret has to be in file format when encoding with RS256 etc

Open alexfoxgill opened this issue 3 years ago • 3 comments

Seems strange to me - why treat the secret format differently for different algorithms? Aren't they orthogonal concerns?

alexfoxgill, Jan 10 '22 14:01

Hi @alexfoxgill! I agree that it's not ideal. The problem is how we choose to parse the file (see here). We need to know if it's a pem or der file.

Happy to entertain better ideas!

mike-engel, Jan 20 '22 22:01

I think a better way to determine whether it's a PEM or DER is by reading the first line. For example, if it starts with -----BEGIN RSA PRIVATE KEY----- it's a PEM formatted RSA private key. Probably you can use the regex -----[A-Z ]+----- to catch other types of keys too.

jarimayenburg, Feb 12 '22 17:02

The other option, and probably more future-proof, is to attempt to parse it as a PEM first, and if that fails, parse as a DER file. If both fail, then it's invalid.

Unfortunately I don't have much time at the moment to work on this, but I'd be happy to review any PRs.

mike-engel, Mar 08 '22 14:03
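
The PEM-first, DER-fallback order suggested in the last comment, sketched as an added example; it is not jwt-cli's code and was not posted by anyone in this thread. It uses only the Rust standard library. `load_key`, `parse_pem`, `is_der_sequence` and `b64_decode` are hypothetical names, the DER test only checks the outer SEQUENCE header rather than parsing a key, and the sample input is constructed.

```rust
// Lenient standard-alphabet base64: skips whitespace and '=' padding.
fn b64_decode(s: &str) -> Option<Vec<u8>> {
    const T: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    let (mut acc, mut bits, mut out) = (0u32, 0u32, Vec::new());
    for c in s.bytes().filter(|c| !c.is_ascii_whitespace() && *c != b'=') {
        acc = (acc << 6) | T.iter().position(|&t| t == c)? as u32;
        bits += 6;
        if bits >= 8 { bits -= 8; out.push((acc >> bits) as u8); acc &= (1 << bits) - 1; }
    }
    Some(out)
}

// Some((label, payload)) if `text` is one armored block with matching BEGIN/END.
fn parse_pem(text: &str) -> Option<(String, Vec<u8>)> {
    let mut lines = text.trim().lines().map(str::trim);
    let label = lines.next()?.strip_prefix("-----BEGIN ")?.strip_suffix("-----")?;
    let end = format!("-----END {}-----", label);
    let mut body = String::new();
    for line in lines {
        if line == end { return Some((label.to_string(), b64_decode(&body)?)); }
        body.push_str(line);
    }
    None // BEGIN line without a matching END line
}

// True if `b` is exactly one DER SEQUENCE (tag 0x30) whose declared length fits.
fn is_der_sequence(b: &[u8]) -> bool {
    if b.len() < 2 || b[0] != 0x30 { return false; }
    let n = (b[1] & 0x7f) as usize; // short form: the length; long form: count of length bytes
    if b[1] < 0x80 { return b.len() == 2 + n; }
    if n == 0 || n > 3 || b.len() < 2 + n { return false; }
    b.len() == 2 + n + b[2..2 + n].iter().fold(0usize, |a, &x| (a << 8) | x as usize)
}

// PEM first, then DER, else invalid. Ok((Some(label), der)) for PEM, Ok((None, der)) for DER.
fn load_key(input: &[u8]) -> Result<(Option<String>, Vec<u8>), &'static str> {
    match std::str::from_utf8(input).ok().and_then(parse_pem) {
        Some((label, der)) if is_der_sequence(&der) => Ok((Some(label), der)),
        Some(_) => Err("PEM armor present but payload is not DER"),
        None if is_der_sequence(input) => Ok((None, input.to_vec())),
        None => Err("neither PEM nor DER"),
    }
}

fn main() {
    // Constructed sample (SEQUENCE { INTEGER 0 }), not a real key.
    let pem = "-----BEGIN RSA PRIVATE KEY-----\nMAMCAQA=\n-----END RSA PRIVATE KEY-----\n";
    println!("{:?} / {:?}", load_key(pem.as_bytes()), load_key(b"hunter2"));
}
```

The recovered DER bytes would still go to the key parser afterwards, which remains the final authority on whether the key is valid.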