fix(ext/node): sign with PEM private keys (#21287)

Add support for signing with a RSA PEM private key: `pkcs8` and `pkcs1`.

Fixes #18972
Ref #21124 

Verified fix with `npm:sshpk`. Unverfied but fixes
`npm:google-auth-library`, `npm:web-push` & `oracle/oci-typescript-sdk`

---------

Signed-off-by: Divy Srivastava <[email protected]>

Author: littledivy

cli/tests/unit_node/crypto/crypto_sign_test.ts

@@ -1,6 +1,9 @@
 // Copyright 2018-2023 the Deno authors. All rights reserved. MIT license.
 
-import { assert, assertEquals } from "../../../../test_util/std/assert/mod.ts";
+import {
+  assert,
+  assertEquals,
+} from "../../../../test_util/std/testing/asserts.ts";
 import { createSign, createVerify, sign, verify } from "node:crypto";
 import { Buffer } from "node:buffer";
 
@@ -9,6 +12,11 @@ const rsaPrivatePem = Buffer.from(
     new URL("../testdata/rsa_private.pem", import.meta.url),
   ),
 );
+const rsaPrivatePkcs1Pem = Buffer.from(
+  await Deno.readFile(
+    new URL("../testdata/rsa_private_pkcs1.pem", import.meta.url),
+  ),
+);
 const rsaPublicPem = Buffer.from(
   await Deno.readFile(
     new URL("../testdata/rsa_public.pem", import.meta.url),
@@ -86,3 +94,39 @@ Deno.test({
     }
   },
 });
+
+Deno.test({
+  name: "crypto.createPrivateKey|sign - RSA PEM",
+  fn() {
+    for (const testCase of table) {
+      for (const algorithm of testCase.algorithms) {
+        assertEquals(
+          createSign(algorithm).update(data).sign(rsaPrivatePem, "hex"),
+          testCase.signature,
+        );
+        assertEquals(
+          sign(algorithm, data, rsaPrivatePem),
+          Buffer.from(testCase.signature, "hex"),
+        );
+      }
+    }
+  },
+});
+
+Deno.test({
+  name: "crypto.createPrivateKey|sign - RSA PKCS1 PEM",
+  fn() {
+    for (const testCase of table) {
+      for (const algorithm of testCase.algorithms) {
+        assertEquals(
+          createSign(algorithm).update(data).sign(rsaPrivatePkcs1Pem, "hex"),
+          testCase.signature,
+        );
+        assertEquals(
+          sign(algorithm, data, rsaPrivatePkcs1Pem),
+          Buffer.from(testCase.signature, "hex"),
+        );
+      }
+    }
+  },
+});

cli/tests/unit_node/testdata/rsa_private_pkcs1.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEAt9xYiIonscC3vz/A2ceR7KhZZlDu/5bye53nCVTcKnWd2seY
+6UAdKersX6njr83Dd5OVe1BW/wJvp5EjWTAGYbFswlNmeD44edEGM939B6Lq+/8i
+BkrTi8mGN4YCytivE24YI0D4XZMPfkLSpab2y/Hy4DjQKBq1ThZ0UBnK+9IhX37J
+u/ZoGYSlTIGIhzyaiYBh7wrZBoPczIEu6et/kN2VnnbRUtkYTF97ggcv5h+hDpUQ
+jQW0ZgOMcTc8n+RkGpIt0/iM/bTjI3Tz/gsFdi6hHcpZgbopPL630296iByyigQC
+PJVzdusFrQN5DeC+zT/nGypQkZanLb4ZspSx9QIDAQABAoIBAQCS2erYu8gyoGPi
+3E/zYgQ6ishFAZWzDWSFubwD5wSm4SSAzvViL/RbO6kqS25xR569DmLRiHzD17VI
+mJMsNECUnPrqR2TL256OJZaXrNHh3I1lUwVhEzjeKMsL4/ys+d70XPXoiocVblVs
+moDXEIGEqa48ywPvVE3Fngeuxrsq3/GCVBNiwtt0YjAOZxmKEh31UZdHO+YI+wNF
+/Z8KQCPscN5HGlR0SIQOlqMANz49aKStrevdvjS1UcpabzDEkuK84g3saJhcpAhb
+pGFmAf5GTjkkhE0rE1qDF15dSqrKGfCFtOjUeK17SIEN7E322ChmTReZ1hYGfoSV
+cdFntUINAoGBAPFKL5QeJ6wZu8R/ru11wTG6sQA0Jub2hGccPXpbnPrT+3CACOLI
+JTCLy/xTKW3dqRHj/wZEe+jUw88w7jwGb1BkWr4BI8tDvY9jQLP1jyuLWRfrxXbp
+4Z0oeBBwBeCI/ZG7FIvdDTqWxn1aj3Tmh6s4ByqEdtwrrrJPcBUNl01fAoGBAMMR
+3RGE/ca6X6xz6kgUD6TtHVhiiRJK1jm/u+q0n7i/MBkeDgTZkHYS7lPc0yIdtqaI
+Plz5yzwHnAvuMrv8LSdkjwioig2yQa3tAij8kXxqs7wN5418DMV2s1OJBrPthYPs
+bv4im2iI8V63JQS4ZMYQbckq8ABYccTpOnxXDy0rAoGBAKkvzHa+QjERhjB9GyoT
+1FhLQIsVBmYSWrp1+cGO9V6HPxoeHJzvm+wTSf/uS/FmaINL6+j4Ii4a6gWgmJts
+I6cqBtqNsAx5vjQJczf8KdxthBYa0sXTrsfktXNJKUXMqIgDtp9vazQ2vozs8AQX
+FPAAhD3SzgkJdCBBRSTt97ZfAoGAWAziKpxLKL7LnL4dzDcx8JIPIuwnTxh0plCD
+dCffyLaT8WJ9lXbXHFTjOvt8WfPrlDP/Ylxmfkw5BbGZOP1VLGjZn2DkH9aMiwNm
+bDXFPdG0G3hzQovx/9fajiRV4DWghLHeT9wzJfZabRRiI0VQR472300AVEeX4vgb
+rDBn600CgYEAk7czBCT9rHn/PNwCa17hlTy88C4vXkwbz83Oa+aX5L4e5gw5lhcR
+2ZuZHLb2r6oMt9rlD7EIDItSs+u21LOXWPTAlazdnpYUyw/CzogM/PN+qNwMRXn5
+uXFFhmlP2mVg2EdELTahXch8kWqHaCSX53yvqCtRKu/j76V31TfQZGM=
+-----END RSA PRIVATE KEY-----

ext/node/ops/crypto/mod.rs

@@ -19,6 +19,7 @@ use rand::distributions::Distribution;
 use rand::distributions::Uniform;
 use rand::thread_rng;
 use rand::Rng;
+use rsa::pkcs1::DecodeRsaPrivateKey;
 use rsa::pkcs8;
 use rsa::pkcs8::der::asn1;
 use rsa::pkcs8::der::Decode;
@@ -363,23 +364,32 @@ pub fn op_node_sign(
   #[buffer] digest: &[u8],
   #[string] digest_type: &str,
   #[serde] key: StringOrBuffer,
-  #[string] key_type: &str,
-  #[string] key_format: &str,
+  #[string] _type: &str,
+  #[string] format: &str,
 ) -> Result<ToJsBuffer, AnyError> {
-  match key_type {
-    "rsa" => {
+  let (label, doc) =
+    pkcs8::SecretDocument::from_pem(std::str::from_utf8(&key).unwrap())?;
+
+  let oid;
+  let pkey = match format {
+    "pem" => {
+      if label == "PRIVATE KEY" {
+        let pk_info = pkcs8::PrivateKeyInfo::try_from(doc.as_bytes())?;
+        oid = pk_info.algorithm.oid;
+        pk_info.private_key
+      } else if label == "RSA PRIVATE KEY" {
+        oid = RSA_ENCRYPTION_OID;
+        doc.as_bytes()
+      } else {
+        return Err(type_error("Invalid PEM label"));
+      }
+    }
+    _ => return Err(type_error("Unsupported key format")),
+  };
+  match oid {
+    RSA_ENCRYPTION_OID => {
       use rsa::pkcs1v15::SigningKey;
-      let key = match key_format {
-        "pem" => RsaPrivateKey::from_pkcs8_pem((&key).try_into()?)
-          .map_err(|_| type_error("Invalid RSA private key"))?,
-        // TODO(kt3k): Support der and jwk formats
-        _ => {
-          return Err(type_error(format!(
-            "Unsupported key format: {}",
-            key_format
-          )))
-        }
-      };
+      let key = RsaPrivateKey::from_pkcs1_der(pkey)?;
       Ok(
         match digest_type {
           "sha224" => {
@@ -408,10 +418,7 @@ pub fn op_node_sign(
         .into(),
       )
     }
-    _ => Err(type_error(format!(
-      "Signing with {} keys is not supported yet",
-      key_type
-    ))),
+    _ => Err(type_error("Unsupported signing key")),
   }
 }
 
@@ -1345,8 +1352,6 @@ fn parse_private_key(
   format: &str,
   type_: &str,
 ) -> Result<pkcs8::SecretDocument, AnyError> {
-  use rsa::pkcs1::DecodeRsaPrivateKey;
-
   match format {
     "pem" => {
       let (label, doc) =

ext/node/polyfills/internal/crypto/cipher.ts

@@ -31,7 +31,8 @@ import {
 export function isStringOrBuffer(val) {
   return typeof val === "string" ||
     isArrayBufferView(val) ||
-    isAnyArrayBuffer(val);
+    isAnyArrayBuffer(val) ||
+    Buffer.isBuffer(val);
 }
 
 const { ops, encode } = globalThis.__bootstrap.core;

ext/node/polyfills/internal/crypto/keys.ts

@@ -210,7 +210,7 @@ export interface JsonWebKeyInput {
   format: "jwk";
 }
 
-function prepareAsymmetricKey(key) {
+export function prepareAsymmetricKey(key) {
   if (isStringOrBuffer(key)) {
     return { format: "pem", data: getArrayBufferOrView(key, "key") };
   } else if (typeof key == "object") {

ext/node/polyfills/internal/crypto/sig.ts

@@ -20,8 +20,8 @@ import type {
   PublicKeyInput,
 } from "ext:deno_node/internal/crypto/types.ts";
 import {
-  getKeyMaterial,
   KeyObject,
+  prepareAsymmetricKey,
 } from "ext:deno_node/internal/crypto/keys.ts";
 import { createHash, Hash } from "ext:deno_node/internal/crypto/hash.ts";
 import { KeyFormat, KeyType } from "ext:deno_node/internal/crypto/types.ts";
@@ -80,26 +80,13 @@ export class SignImpl extends Writable {
     privateKey: BinaryLike | SignKeyObjectInput | SignPrivateKeyInput,
     encoding?: BinaryToTextEncoding,
   ): Buffer | string {
-    let keyData: Uint8Array;
-    let keyType: KeyType;
-    let keyFormat: KeyFormat;
-    if (typeof privateKey === "string" || isArrayBufferView(privateKey)) {
-      // if the key is BinaryLike, interpret it as a PEM encoded RSA key
-      // deno-lint-ignore no-explicit-any
-      keyData = privateKey as any;
-      keyType = "rsa";
-      keyFormat = "pem";
-    } else {
-      keyData = getKeyMaterial(privateKey);
-      keyType = "rsa";
-      keyFormat = "pem";
-    }
+    const { data, format, type } = prepareAsymmetricKey(privateKey);
     const ret = Buffer.from(ops.op_node_sign(
       this.hash.digest(),
       this.#digestType,
-      keyData!,
-      keyType,
-      keyFormat,
+      data!,
+      type,
+      format,
     ));
     return encoding ? ret.toString(encoding) : ret;
   }