convert PKCS#1 keys to PKCS#8 at load time

src/constants.ts

@@ -1,4 +1,5 @@
 import { readFileSync } from "fs";
+import crypto from "crypto";
 import { PrismaPg } from "@prisma/adapter-pg";
 import { Prisma, PrismaClient } from "../generated/prisma/client";
 import * as msal from "@azure/msal-node";
@@ -28,21 +29,46 @@ const isProduction = process.env.NODE_ENV === "production";
 
 const readKeyFile = (path: string) => readFileSync(path).toString();
 
-export const accessTokenPrivateKey = isProduction
+/**
-  ? process.env.ACCESS_TOKEN_PRIVATE_KEY!
+ * Convert a PKCS#1 PEM key to PKCS#8 PEM format.
-  : readKeyFile(`.accessToken.key`);
+ * The compiled Bun binary on Ubuntu uses an OpenSSL that doesn't auto-detect PKCS#1 format,
-export const refreshTokenPrivateKey = isProduction
+ * so we normalize all keys to PKCS#8 at load time.
-  ? process.env.REFRESH_TOKEN_PRIVATE_KEY!
+ */
-  : readKeyFile(`.refreshToken.key`);
+const toPkcs8Private = (pem: string) =>
-export const permissionsPrivateKey = isProduction
+  crypto
-  ? process.env.PERMISSIONS_PRIVATE_KEY!
+    .createPrivateKey({ key: pem, format: "pem", type: "pkcs1" })
-  : readKeyFile(`.permissions.key`);
+    .export({ type: "pkcs8", format: "pem" }) as string;
-export const secureValuesPrivateKey = isProduction
+
-  ? process.env.SECURE_VALUES_PRIVATE_KEY!
+const toPkcs8Public = (pem: string) =>
-  : readKeyFile(`.secureValues.key`);
+  crypto
-export const secureValuesPublicKey = isProduction
+    .createPublicKey({ key: pem, format: "pem", type: "pkcs1" })
-  ? process.env.SECURE_VALUES_PUBLIC_KEY!
+    .export({ type: "spki", format: "pem" }) as string;
-  : readKeyFile(`public-keys/.secureValues.pub`);
+
+export const accessTokenPrivateKey = toPkcs8Private(
+  isProduction
+    ? process.env.ACCESS_TOKEN_PRIVATE_KEY!
+    : readKeyFile(`.accessToken.key`),
+);
+export const refreshTokenPrivateKey = toPkcs8Private(
+  isProduction
+    ? process.env.REFRESH_TOKEN_PRIVATE_KEY!
+    : readKeyFile(`.refreshToken.key`),
+);
+export const permissionsPrivateKey = toPkcs8Private(
+  isProduction
+    ? process.env.PERMISSIONS_PRIVATE_KEY!
+    : readKeyFile(`.permissions.key`),
+);
+export const secureValuesPrivateKey = toPkcs8Private(
+  isProduction
+    ? process.env.SECURE_VALUES_PRIVATE_KEY!
+    : readKeyFile(`.secureValues.key`),
+);
+export const secureValuesPublicKey = toPkcs8Public(
+  isProduction
+    ? process.env.SECURE_VALUES_PUBLIC_KEY!
+    : readKeyFile(`public-keys/.secureValues.pub`),
+);
 
 // Microsoft Auth Constants
 const msalConfig: msal.Configuration = {

src/modules/credentials/generateSecureValue.ts

@@ -6,12 +6,8 @@ export const generateSecureValue = (content: string) => {
   // Generate a hash of the content
   const hash = Password.hash(content);
 
-  // Parse the PKCS#1 PEM key into a proper KeyObject
+  // Parse the PEM key into a proper KeyObject
-  const publicKey = crypto.createPublicKey({
+  const publicKey = crypto.createPublicKey(secureValuesPublicKey);
-    key: secureValuesPublicKey,
-    format: "pem",
-    type: "pkcs1",
-  });
 
   // Encrypt the content using the .secureValues.pub public key
   const encrypted = crypto.publicEncrypt(

src/modules/credentials/readSecureValue.ts

@@ -3,11 +3,7 @@ import crypto from "crypto";
 import { secureValuesPrivateKey } from "../../constants";
 import GenericError from "../../Errors/GenericError";
 
-const privateKey = crypto.createPrivateKey({
+const privateKey = crypto.createPrivateKey(secureValuesPrivateKey);
-  key: secureValuesPrivateKey,
-  format: "pem",
-  type: "pkcs1",
-});
 
 export const readSecureValue = (
   encryptedContent: string,