error:0409806E:rsa routines:RSA_padding_add_PKCS1_PSS_mgf1:data too large for key size #39

Open
stevendesu opened this issue Apr 28, 2020 · 1 comment


There may be nothing weird or wrong about this and I just don't understand the underlying algorithms, but my understanding did not match up to the behavior I experienced.

From my understanding, keys as short as 512 bits should be acceptable when writing a JSON Web Token. However, I've found experimentally that when signing tokens using the PS512 algorithm, if I create a public/private key pair with a length less than 1034 bits then I get the error in the title.

I'm generating my key like so:

crypto.generateKeyPair(
	"rsa",
	{
		modulusLength: 1033,
		publicKeyEncoding: {type: "pkcs1", format: "pem"},
		privateKeyEncoding: {type: "pkcs8", format: "pem"}
	},
	async (err, pub, priv) => {
		if (err) throw err;
		// ... write pub and priv to a file ...
	}
);

I then utilize the key like so:

jsonwebtoken.sign({
	sub: user.id
}, privateKey, {
	algorithm: "PS512"
}, async (err, encoded) => {
	if (err) throw err;
	// ... return encoded key to user ...
});

This is throwing the following error:

Error: error:0409806E:rsa routines:RSA_padding_add_PKCS1_PSS_mgf1:data too large for key size
    at Sign.sign (internal/crypto/sig.js:112:29)
    at Object.sign (/Users/stevenbarnett/Repos/xxx/auth/node_modules/jwa/index.js:173:45)
    at jwsSign (/Users/stevenbarnett/Repos/xxx/auth/node_modules/jws/lib/sign-stream.js:32:24)
    at SignStream.sign (/Users/stevenbarnett/Repos/xxx/auth/node_modules/jws/lib/sign-stream.js:58:21)
    at SignStream.<anonymous> (/Users/stevenbarnett/Repos/xxx/auth/node_modules/jws/lib/sign-stream.js:46:12)
    at Object.onceWrapper (events.js:421:28)
    at DataStream.emit (events.js:315:20)
    at DataStream.EventEmitter.emit (domain.js:485:12)
    at DataStream.<anonymous> (/Users/stevenbarnett/Repos/xxx/auth/node_modules/jws/lib/data-stream.js:32:12)
    at processTicksAndRejections (internal/process/task_queues.js:79:11)

If I set the modulus length to 1034 or greater, or if I change the algorithm to RS512 or PS256, the error goes away.

I don't understand the internals of the various algorithms well enough to understand why this is the case. I had hoped to utilize a very short key in development (512 bits) and a very large key in production (4096 bits) - but when I ran into this I just grew more and more confused.

I'm posting here because the last (non-internal) line of the stack trace pointed to jwa, but this could very well be an issue with jws, jsonwebtoken, or even with NodeJS itself.

panva commented Apr 28, 2020

Putting aside that the JWA specification requires that

A key of size 2048 bits or larger MUST be used with this algorithm.

Technically you can use keys of smaller bit sizes but it's not a blank check. Following are observed minimal bit sizes that OpenSSL will allow you to sign with.

RS256: 512
RS384: 624
RS512: 752
PS256: 528
PS384: 784
PS512: 1040

Nevertheless, you shouldn't - use at least 2048
