
Using Node.js v16/v17, I am trying to encrypt data with `crypto.publicEncrypt()` using a certificate's public key (PEM). The code snippet is added below:

    const crypto = require('crypto')
    // PEM-encoded X.509 certificate (body elided); a multi-line string needs backticks
    const pkey = `-----BEGIN CERTIFICATE-----
    <Encoding>
    -----END CERTIFICATE-----`
    // createPublicKey() extracts the public key from a PEM certificate
    const pubPemKey = crypto.createPublicKey(pkey)
    const pubPemKeyStr = pubPemKey.export({ type: 'spki', format: 'pem' })
    console.log(pubPemKeyStr)
    const encryptedData = crypto.publicEncrypt(pubPemKeyStr,
      Buffer.from('test'))

On executing, I am getting the error below:

    node:internal/crypto/cipher:79
        return method(data, format, type, passphrase, buffer, padding, oaepHash,
               ^

    Error: error:0608B096:digital envelope routines:EVP_PKEY_encrypt_init:operation not supported for this keytype
        at Object.publicEncrypt (node:internal/crypto/cipher:79:12)
        at Object.<anonymous> (/home/jdoodle.js:28:30)
        at Module._compile (node:internal/modules/cjs/loader:1097:14)
        at Object.Module._extensions..js (node:internal/modules/cjs/loader:1149:10)
        at Module.load (node:internal/modules/cjs/loader:975:32)
        at Function.Module._load (node:internal/modules/cjs/loader:822:12)
        at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:81:12)
        at node:internal/main/run_main_module:17:47 {
      library: 'digital envelope routines',
      function: 'EVP_PKEY_encrypt_init',
      reason: 'operation not supported for this keytype',
      code: 'ERR_OSSL_EVP_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE'
    }

I have also tried passing the key as a KeyObject, but without success, like: `const encryptedKey = crypto.publicEncrypt({ key: pkey, padding: crypto.constants.RSA_PKCS1_PADDING }, Buffer.from(plainText))`

Please provide input that can help to resolve this issue ...

Thanks in advance Sree

    You have to import the certificate first (see [here](https://nodejs.org/api/crypto.html#class-x509certificate)), then you can extract the public key with [`publicKey`](https://nodejs.org/api/crypto.html#x509publickey) and use this key for encryption with `publicEncrypt()`. – Topaco Aug 11 '23 at 17:05
  • I already have the public key from the certificate which we are using. So public key is already extracted and the format is mentioned in the question. Error is given while invoking publicEncrypt() with that public key. – Sree Aug 16 '23 at 04:13
  • *I already have the public key from the certificate which we are using. So public key is already extracted...* Then edit your question and share the corresponding code. In any case, your statement in the comment does not apply to the currently posted code, there `pkey` is *not* the extracted public key, but the PEM encoded certificate (as evidenced by header and footer, assuming a valid certificate). – Topaco Aug 16 '23 at 05:44
  • Yes, I have added/edited the code. I am converting the certificate PEM to a public key using createPublicKey(), then exporting it to spki/pem format and then trying to do publicEncrypt() using that key – Sree Aug 16 '23 at 06:50
  • And why don't you do it the way I described it in my first comment? Oh yes, you would have to look at the links (which is obviously too much to ask). – Topaco Aug 16 '23 at 06:54
  • Though I didn't mention it in my comment, I had already gone through the link you shared, which takes me to the Node.js crypto API doc. Sorry that I didn't mention it. But I thought that was to extract the public key, which, as I mentioned, I already have. – Sree Aug 16 '23 at 07:09
  • Take a look online here for an executable code: https://www.jdoodle.com/ia/KSu – Topaco Aug 16 '23 at 07:17
  • Thanks for that working code. I just replaced the value of the certificatePEM variable with mine, executed the same code and am getting the same "Error: error:0608B096:digital envelope routines:EVP_PKEY_encrypt_init:operation not supported for this keytype" error. Does it depend on any specific certificate/format? With "crypto.X509Certificate()", I am getting a certificate object and details like public key, subject etc. So the certificate object seems valid. – Sree Aug 16 '23 at 07:41
  • Does your certificate contain an RSA key at all? Check this with an ASN.1 Parser, e.g. https://lapo.it/asn1js/ (disable *with definitions*). Possibly it contains an EC key, which of course cannot be used for RSA encryption (and can cause this error message, s. [here](https://mta.openssl.org/pipermail/openssl-users/2017-January/005143.html)). Just a guess, for an exact analysis you need to post a certificate with which the issue can be reproduced (note that common X.509 certificates unlike pfx are not secret, see [here](https://stackoverflow.com/a/22788593/9014097)). – Topaco Aug 16 '23 at 10:05
  • Thank you Topaco for the detailed explanation. I used lapo.it and tried to decode it, and the public key it shows is "ecPublicKey". From your comment "Possibly it contains an EC key, which of course cannot be used for RSA encryption." is it the key you were referring to? Also could you shed some light on why EC can't be used for RSA, and is there any way we can proceed with encrypting with the same key? – Sree Aug 16 '23 at 10:29
  • *...is it the key you were referring to?...:* Yes. `ecPublicKey` means [*Elliptic curve public key cryptography*](http://www.oid-info.com/cgi-bin/display?oid=1.2.840.10045.2.1+&action=display) or *ECC* for short and is a collective term for different EC algorithms like ECDH or ECDSA. *...Also could you show some light on why EC cant be used for RSA...:* EC algorithms are completely different from RSA and have incompatible keys (which should explain why an EC key cannot be used for RSA and vice versa). – Topaco Aug 16 '23 at 12:33
  • *...is there anyway we can proceed on encrypting with same key...:* In the context of encryption, ECC is used as part of a so-called [hybrid encryption](https://en.wikipedia.org/wiki/Hybrid_cryptosystem). With ECDH (the ECC algorithm that is usually applied in the context of encryption, in contrast to ECDSA, which is used in the context of signing), a shared secret is agreed on both sides, from which a symmetric key is derived. The actual data is then encrypted using a symmetric encryption (e.g. AES) with the derived key. You'll find many posts about this on SO with more details. – Topaco Aug 16 '23 at 12:37
  • Thank you Topaco. Appreciate your inputs/help. – Sree Aug 16 '23 at 12:57
