Cloudflare Developers•17mo ago

Using X509Certificate

Is there any way to parse and verify certificates in workers? It seems like it's unsupported in node_compat, but my only other solution is to host a NodeJS server, only for parsing certificate signed JWT tokens.

4 Replies

Cyb3r-Jak3•17mo ago

Can you not use Webcryto importKey for this? https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/importKey

pee cee beezOP•17mo ago

When I try to import the certificate with importKey it gives me an asn1 error about having the wrong tag My current NodeJS solution is

import jwt from "@tsndr/cloudflare-worker-jwt";
import { X509Certificate } from 'node:crypto';

export function verifyToken(keyData: string, token: string) {
  const key = Buffer.from(keyData, 'base64')
  const cert = new X509Certificate(key);
  const publicKey = cert.publicKey.export({ type: 'spki', format: 'pem' });
  return jwt.verify(token, publicKey, "ES256");
}

import jwt from "@tsndr/cloudflare-worker-jwt";
import { X509Certificate } from 'node:crypto';

export function verifyToken(keyData: string, token: string) {
  const key = Buffer.from(keyData, 'base64')
  const cert = new X509Certificate(key);
  const publicKey = cert.publicKey.export({ type: 'spki', format: 'pem' });
  return jwt.verify(token, publicKey, "ES256");
}

Cyb3r-Jak3•17mo ago

Ah sorry not sure then

pee cee beezOP•17mo ago

Did more research, found an x509 package that works on Node, but gives an incorrect publicKey on the workers runtime... guess this means more research Looks like a bug in SubtleCrypto? importKey in the worker runtime is returning

CryptoKey {
  usages: undefined,
  algorithm: undefined,
  extractable: undefined,
  type: undefined
}

CryptoKey {
  usages: undefined,
  algorithm: undefined,
  extractable: undefined,
  type: undefined
}

meanwhile NodeJS with the exact same code returns

CryptoKey {
  type: 'public',
  extractable: true,
  algorithm: { name: 'ECDSA', namedCurve: 'P-256' },
  usages: [ 'verify' ]
}

CryptoKey {
  type: 'public',
  extractable: true,
  algorithm: { name: 'ECDSA', namedCurve: 'P-256' },
  usages: [ 'verify' ]
}

Using:

await crypto.subtle.importKey(
  "spki",
  Buffer.from(
    "3059301306072a8648ce3d020106082a8648ce3d03010703420004ea1371a3dca5e8a934bf5e434ead0aeee951cc1d09774df2f1aa6948dde7c67cb4bc62502d1d05e03e7ae318820875ff988093e14cc541660366b5af868267c4",
    "hex"
  ),
  { name: "ECDSA", namedCurve: "P-256", hash: { name: "SHA-256" } },
  true,
  ["verify"]
)

await crypto.subtle.importKey(
  "spki",
  Buffer.from(
    "3059301306072a8648ce3d020106082a8648ce3d03010703420004ea1371a3dca5e8a934bf5e434ead0aeee951cc1d09774df2f1aa6948dde7c67cb4bc62502d1d05e03e7ae318820875ff988093e14cc541660366b5af868267c4",
    "hex"
  ),
  { name: "ECDSA", namedCurve: "P-256", hash: { name: "SHA-256" } },
  true,
  ["verify"]
)

Gaming

Programming

Using X509Certificate