switch to PKCS#8 key format for Bun compatibility

2026-02-25 22:14:19 -06:00
parent 05bab2c90f
commit 49faf97c9b
4 changed files with 105 additions and 57 deletions
@@ -1,5 +1,4 @@
 import { readFileSync } from "fs";
-import crypto from "crypto";
 import { PrismaPg } from "@prisma/adapter-pg";
 import { Prisma, PrismaClient } from "../generated/prisma/client";
 import * as msal from "@azure/msal-node";
@@ -29,46 +28,21 @@ const isProduction = process.env.NODE_ENV === "production";

 const readKeyFile = (path: string) => readFileSync(path).toString();

-/**
- * Convert a PKCS#1 PEM key to PKCS#8 PEM format.
- * The compiled Bun binary on Ubuntu uses an OpenSSL that doesn't auto-detect PKCS#1 format,
- * so we normalize all keys to PKCS#8 at load time.
- */
-const toPkcs8Private = (pem: string) =>
-  crypto
-    .createPrivateKey({ key: pem, format: "pem", type: "pkcs1" })
-    .export({ type: "pkcs8", format: "pem" }) as string;
-
-const toPkcs8Public = (pem: string) =>
-  crypto
-    .createPublicKey({ key: pem, format: "pem", type: "pkcs1" })
-    .export({ type: "spki", format: "pem" }) as string;
-
-export const accessTokenPrivateKey = toPkcs8Private(
-  isProduction
-    ? process.env.ACCESS_TOKEN_PRIVATE_KEY!
-    : readKeyFile(`.accessToken.key`),
-);
-export const refreshTokenPrivateKey = toPkcs8Private(
-  isProduction
-    ? process.env.REFRESH_TOKEN_PRIVATE_KEY!
-    : readKeyFile(`.refreshToken.key`),
-);
-export const permissionsPrivateKey = toPkcs8Private(
-  isProduction
-    ? process.env.PERMISSIONS_PRIVATE_KEY!
-    : readKeyFile(`.permissions.key`),
-);
-export const secureValuesPrivateKey = toPkcs8Private(
-  isProduction
-    ? process.env.SECURE_VALUES_PRIVATE_KEY!
-    : readKeyFile(`.secureValues.key`),
-);
-export const secureValuesPublicKey = toPkcs8Public(
-  isProduction
-    ? process.env.SECURE_VALUES_PUBLIC_KEY!
-    : readKeyFile(`public-keys/.secureValues.pub`),
-);
+export const accessTokenPrivateKey = isProduction
+  ? process.env.ACCESS_TOKEN_PRIVATE_KEY!
+  : readKeyFile(`.accessToken.key`);
+export const refreshTokenPrivateKey = isProduction
+  ? process.env.REFRESH_TOKEN_PRIVATE_KEY!
+  : readKeyFile(`.refreshToken.key`);
+export const permissionsPrivateKey = isProduction
+  ? process.env.PERMISSIONS_PRIVATE_KEY!
+  : readKeyFile(`.permissions.key`);
+export const secureValuesPrivateKey = isProduction
+  ? process.env.SECURE_VALUES_PRIVATE_KEY!
+  : readKeyFile(`.secureValues.key`);
+export const secureValuesPublicKey = isProduction
+  ? process.env.SECURE_VALUES_PUBLIC_KEY!
+  : readKeyFile(`public-keys/.secureValues.pub`);

 // Microsoft Auth Constants
 const msalConfig: msal.Configuration = {