
I need to verify SSL certificates in node.js. Basically, I want to do the same as `$ openssl verify -CApath ./roots_certs -untrusted ca_bundle.pem cert.pem`.

I currently use node-forge, but for some certificates (for many other certs it's working) I get the following error when loading the certificate: 'Cannot read public key. OID is not RSA.'

const fs = require('fs')
const pki = require('node-forge').pki
// Parse the PEM file into a node-forge certificate object.
// For the certificate in the appendix this throws 'Cannot read public key. OID is not RSA.'
const cert = pki.certificateFromPem(fs.readFileSync('./path/to/cert.pem', 'ascii'))

Does anybody know how to resolve this error, or if there are other functions or libraries that can be used for verifying SSL certificates in node.js?

Appendix:

This is one example of a certificate that leads to the error:

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Pascal
    That certificate contains an ECC (elliptic-curve) key (specifically, P-256) and `node-forge` doesn't know ECC. `@fidm/x509` apparently does, but it doesn't have chain-verification (really, validation) logic AFAICS. Of course js is inherently open source, so you could modify either. – dave_thompson_085 Nov 26 '20 at 06:06
  • thanks a lot for the inputs, that was already quite helpful. I've tried @fidm/x509 and can confirm that it is able to load and verify the certificate. The lack of chain-verification is a pity, but if there are no better options it should be feasible to implement it. @Topaco: using only the `crypto` module would be really convenient! I was able to load the cert as public key, but is it possible to use crypto to verify the certificate against another issuer certificate? – Pascal Nov 26 '20 at 11:05

0 Answers