
MacOS RSA DER / OpenSSL 3.4.0 RSA256 EncodingKey::from_rsa_der broken #426


Open
ben-kaye opened this issue Apr 26, 2025 · 0 comments

@ben-kaye

Seen also #55

Description:
Using OpenSSL 3.4.0 on MacOS, EncodingKey::from_rsa_der fails to parse standard RSA DER keys.

Steps to Reproduce:
Minimal repro here: der_broken
jsonwebtoken = "9.3.1"

Shell script to generate the key:

```zsh
#!/bin/zsh

# Key size in bits: first argument, defaulting to 3072
if [ -z "$1" ]; then
    num_bits=3072
else
    num_bits=$1
fi

# Generate an RSA private key of $num_bits bits in PEM
openssl genrsa -out private.pem "$num_bits"

# Convert the private key to DER and export the public key as DER
openssl rsa -outform DER -in private.pem -out private.der
openssl rsa -RSAPublicKey_out -outform DER -in private.pem -out public.der

# Base64 encode the DER files (without newlines)
base64 < private.der | tr -d '\n' > private.der.b64
base64 < public.der | tr -d '\n' > public.der.b64

# Write to .env cleanly without extra newlines
{
  printf "JWT_PRIVATE=%s\n" "$(cat private.der.b64)"
  printf "JWT_PUBLIC=%s\n" "$(cat public.der.b64)"
} > .env
```

Notes:

  • The DER produced is valid (can be parsed by OpenSSL and other libraries).
  • Likely regression related to stricter ASN.1 parsing.
  • Happens on both 2048 and 3072-bit keys.
  • PEM-based loading (from_rsa_pem) still works fine.
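
A DER-encoded RSA key can be a bare PKCS#1 structure (`RSAPrivateKey`, `RSAPublicKey`) or a PKCS#8 / SubjectPublicKeyInfo wrapper, and a loader written for one layout rejects the other even though both are valid DER. The issue does not say which layout `private.der` and `public.der` have, so the following is an added diagnostic example, not code from the issue or from jsonwebtoken, that classifies the base64-decoded bytes by their top-level ASN.1 tags. The names `DerKind`, `tlv` and `classify` are made up for this example, and it inspects tags only, without validating the key material.

```rust
// Added example: classify a DER RSA key by the tags inside its outer SEQUENCE.
#[derive(Debug, PartialEq)]
pub enum DerKind {
    Pkcs1Private, // RSAPrivateKey: SEQUENCE { 9 x INTEGER }
    Pkcs8Private, // PrivateKeyInfo: SEQUENCE { INTEGER, SEQUENCE alg, OCTET STRING }
    Pkcs1Public,  // RSAPublicKey: SEQUENCE { INTEGER n, INTEGER e }
    SpkiPublic,   // SubjectPublicKeyInfo: SEQUENCE { SEQUENCE alg, BIT STRING }
    Unknown,      // anything else, including truncated or trailing data
}

/// Reads one TLV header at `pos`; returns (tag, content_start, content_end).
fn tlv(buf: &[u8], pos: usize) -> Option<(u8, usize, usize)> {
    let tag = *buf.get(pos)?;
    let first = *buf.get(pos + 1)? as usize;
    let (len, start) = if first < 0x80 {
        (first, pos + 2) // short form: length is the byte itself
    } else {
        let n = first & 0x7f; // long form: next n bytes hold the length
        if n == 0 || n > 4 { return None; } // indefinite or oversized length
        let bytes = buf.get(pos + 2..pos + 2 + n)?;
        (bytes.iter().fold(0usize, |a, b| (a << 8) | *b as usize), pos + 2 + n)
    };
    let end = start.checked_add(len).filter(|&e| e <= buf.len())?;
    Some((tag, start, end))
}

/// Classifies `der` from the tags of the outer SEQUENCE's direct children.
pub fn classify(der: &[u8]) -> DerKind {
    let Some((0x30, start, end)) = tlv(der, 0) else { return DerKind::Unknown };
    if end != der.len() { return DerKind::Unknown } // trailing bytes after the key
    let mut tags = Vec::new();
    let mut pos = start;
    while pos < end {
        let Some((tag, _, next)) = tlv(der, pos) else { return DerKind::Unknown };
        tags.push(tag);
        pos = next;
    }
    match tags.as_slice() {
        [0x02, 0x30, 0x04, ..] => DerKind::Pkcs8Private,
        [0x02, 0x02] => DerKind::Pkcs1Public,
        [0x30, 0x03] => DerKind::SpkiPublic,
        t if t.len() == 9 && t.iter().all(|&x| x == 0x02) => DerKind::Pkcs1Private,
        _ => DerKind::Unknown,
    }
}
fn main() {
    let path = std::env::args().nth(1).expect("usage: classify <key.der>");
    println!("{:?}", classify(&std::fs::read(path).expect("cannot read file")));
}
```

Run it on `private.der` and `public.der` and compare the reported layout with the one the loading function is documented to accept.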