Error: error:1E08010C:DECODER routines::unsupported (ERR_OSSL_UNSUPPORTED)

[jsmrcaga]

Details

I'm writing this issue here to prevent other people from finding it in other repos or frmo other libraries.
The initial discussion was found on this issue but should continue here in my opinion since this is an error with how node handles cryptography and not library-specific.

This is what I know, if anyone has any more details they would be greatly appreciated!

• this error code does not seem to exist in node js itself
• this error is a reference to OpenSSL and it looks like it means that a cryptography algorithm unknown to openssl was used from a nodejs runtime
• This error is certainly bubbled up from OpenSSL itself (I'm guessing from somewhere around here)

I have encountered this error myself trying to verify a signature, the most probable cause was a bad publicKey passed like so:

const verifier = crypto.createVerify('sha256');
verifier.update('some data');
verifier.verify(publicKey, 'signature to verify against');

I would advice anyone reading this, if you are using any type of cryptography:

• check your public/private keys and the imports/transformations/buffers you make from/to them
• if using a SDK check the documentation for the necessary keys - or if they're not necessary (I've seen many posts talking about Google APIs SDK)

Node.js version

v19.7.0

but should happen in many other versions (probably 16+)

Example code

This fails on Nodejs v19.7.0

const verifier = crypto.createVerify('sha256');
verifier.update('test');
verifier.verify('public-key', 'fake-signature');

Operating system

MacOS 13.2.1

Scope

runtime + dependencies

Module and version

Not applicable.

[jsmrcaga]

Edit:
For my personal use-case, the public key was in a raw format, transforming it to PEM format solved the issue (because now openssl can recognize the key).
If it helps anyone, i transformed it like so:

const b64_publicKey = Buffer.from(myRawKey).toString('base64');
const pemKey = `
-----BEGIN PUBLIC KEY-----
${b64_publicKey}
-----END PUBLIC KEY-----
`;

// use pem key later

[PlamenHristov]

The issue seems to also appear when the key is exported in DER format

const {privateKey, publicKey} = crypto.generateKeyPairSync("ec", {
        namedCurve: curve,
        publicKeyEncoding: {type: "spki", format: "der"},
        privateKeyEncoding: {type: "pkcs8", format: "der"}
      })
const importedKey = crypto.createPrivateKey({
      key: privateKey,
      format: "der",
      type: "pkcs8",
    })

the line crypto.createPrivateKey({...}) throws the same error. Would be nice if someone could take a look at the issue

[preveen-stack]

@PlamenHristov can you share what was the curve you were using

[preveen-stack]

I tried as below on v18.7.0 on macOS intel 13.4. No error was reported

crypto = require('node:crypto');

const {privateKey, publicKey} = crypto.generateKeyPairSync("ec", {
        namedCurve: 'sect239k1',
        publicKeyEncoding: {type: "spki", format: "der"},
        privateKeyEncoding: {type: "pkcs8", format: "der"}
      })
const importedKey = crypto.createPrivateKey({
      key: privateKey,
      format: "der",
      type: "pkcs8",
    })

[preveen-stack]

@jsmrcaga can you try this code. ref: https://nodejs.org/docs/latest-v19.x/api/crypto.html#cryptocreateverifyalgorithm-options. One of the difference I am seeing is in your code you used 'sha256' whereas in the documentation it is 'SHA256'
This code works for me on my macbook pro intel 2019 with macOS 13.4 Ventura

const {
  generateKeyPairSync,
  createSign,
  createVerify,
} = await import('node:crypto');

const { privateKey, publicKey } = generateKeyPairSync('ec', {
  namedCurve: 'sect239k1',
});

const sign = createSign('SHA256');
sign.write('some data to sign');
sign.end();
const signature = sign.sign(privateKey, 'hex');

const verify = createVerify('SHA256');
verify.write('some data to sign');
verify.end();
console.log(verify.verify(publicKey, signature, 'hex'));
// Prints: true

Example: Using the [sign.update()](https://nodejs.org/docs/latest-v19.x/api/crypto.html#signupdatedata-inputencoding) and [verify.update()](https://nodejs.org/docs/latest-v19.x/api/crypto.html#verifyupdatedata-inputencoding) methods:

const {
  generateKeyPairSync,
  createSign,
  createVerify,
} = await import('node:crypto');

const { privateKey, publicKey } = generateKeyPairSync('rsa', {
  modulusLength: 2048,
});

const sign = createSign('SHA256');
sign.update('some data to sign');
sign.end();
const signature = sign.sign(privateKey);

const verify = createVerify('SHA256');
verify.update('some data to sign');
verify.end();
console.log(verify.verify(publicKey, signature));
// Prints: true

[jsmrcaga]

Hello @preveen-stack !
I'm not sure I understand what issue you are facing. For my use-case it was just that the remote key I recovered was not in a format OpenSSL could understand. Transforming it into b64 and appending the headers did the trick.

Or is it maybe because i left the issue open?

[preveen-stack]

Was just trying to reproduce the issue and wondering if there can be any improvement in error reporting so that the problem can be more narrowed.

You may please close the issue as appropriate.

[CesarDav]

@jsmrcaga
The myRawKey value is a string ?
Is that key generated by apple ?
I am having problems with the createPrivateKey method.

[jsmrcaga]

@CesarDav
I'm not familiar with apple's API so I won't be able to offer much help (and if it is apple-specific, maybe posting in an apple-specific forum would yield better resutls).
I can tell you that yes, myRawKey is a string, which corresponds to the "content" part of a PEM-formatted key.

I'm guessing you're having the problem on line 47 of your screenshot, however without seeing the value (and please do not share it ^^) it will be hard to identify what your private_key is (format, encoding etc).
My advice would be to make a script on the side and test it:

try {
    console.log('Formatting in PEM');
    createPrivateKey({
        key: `-----BEGIN PRIVATE KEY-----${private_key}-----END PRIVATE KEY-----`),
        format: 'pem' // this is the default
    });
    console.log('Success!');
} catch(e) {
    console.error('Error', e.message)l
}

try {
    console.log('Formatting by removing escaped carriage returns');
    createPrivateKey({
        key: private_key.replace(/\\n/g,, '\n'),
        format: 'pem' // this is the default
    });
    console.log('Success!');
} catch(e) {
    console.error('Error', e.message)l
}

// ... etc

and try to find which one works