convert PKCS#1 keys to PKCS#8 at load time

2026-02-25 21:55:09 -06:00
parent 3d7db8b132
commit 29b5c986cd
3 changed files with 30 additions and 26 deletions
@@ -1,4 +1,5 @@
 import { readFileSync } from "fs";
+import crypto from "crypto";
 import { PrismaPg } from "@prisma/adapter-pg";
 import { Prisma, PrismaClient } from "../generated/prisma/client";
 import * as msal from "@azure/msal-node";
@@ -28,21 +29,32 @@ const isProduction = process.env.NODE_ENV === "production";

 const readKeyFile = (path: string) => readFileSync(path).toString();

-export const accessTokenPrivateKey = isProduction
-  ? process.env.ACCESS_TOKEN_PRIVATE_KEY!
-  : readKeyFile(`.accessToken.key`);
-export const refreshTokenPrivateKey = isProduction
-  ? process.env.REFRESH_TOKEN_PRIVATE_KEY!
-  : readKeyFile(`.refreshToken.key`);
-export const permissionsPrivateKey = isProduction
-  ? process.env.PERMISSIONS_PRIVATE_KEY!
-  : readKeyFile(`.permissions.key`);
-export const secureValuesPrivateKey = isProduction
-  ? process.env.SECURE_VALUES_PRIVATE_KEY!
-  : readKeyFile(`.secureValues.key`);
-export const secureValuesPublicKey = isProduction
-  ? process.env.SECURE_VALUES_PUBLIC_KEY!
-  : readKeyFile(`public-keys/.secureValues.pub`);
+/**
+ * Convert a PKCS#1 PEM key to PKCS#8 PEM format.
+ * The compiled Bun binary on Ubuntu uses an OpenSSL that doesn't auto-detect PKCS#1 format,
+ * so we normalize all keys to PKCS#8 at load time.
+ */
+const toPkcs8Private = (pem: string) =>
+  crypto.createPrivateKey({ key: pem, format: "pem", type: "pkcs1" }).export({ type: "pkcs8", format: "pem" }) as string;
+
+const toPkcs8Public = (pem: string) =>
+  crypto.createPublicKey({ key: pem, format: "pem", type: "pkcs1" }).export({ type: "spki", format: "pem" }) as string;
+
+export const accessTokenPrivateKey = toPkcs8Private(
+  isProduction ? process.env.ACCESS_TOKEN_PRIVATE_KEY! : readKeyFile(`.accessToken.key`),
+);
+export const refreshTokenPrivateKey = toPkcs8Private(
+  isProduction ? process.env.REFRESH_TOKEN_PRIVATE_KEY! : readKeyFile(`.refreshToken.key`),
+);
+export const permissionsPrivateKey = toPkcs8Private(
+  isProduction ? process.env.PERMISSIONS_PRIVATE_KEY! : readKeyFile(`.permissions.key`),
+);
+export const secureValuesPrivateKey = toPkcs8Private(
+  isProduction ? process.env.SECURE_VALUES_PRIVATE_KEY! : readKeyFile(`.secureValues.key`),
+);
+export const secureValuesPublicKey = toPkcs8Public(
+  isProduction ? process.env.SECURE_VALUES_PUBLIC_KEY! : readKeyFile(`public-keys/.secureValues.pub`),
+);

 // Microsoft Auth Constants
 const msalConfig: msal.Configuration = {