Using X509Certificate

Is there any way to parse and verify certificates in workers? It seems like it's unsupported in node_compat, but my only other solution is to host a NodeJS server, only for parsing certificate signed JWT tokens.
4 Replies
Cyb3r-Jak3 (10mo ago)
pee cee beez (10mo ago)
When I try to import the certificate with importKey it gives me an asn1 error about having the wrong tag.
My current NodeJS solution is:

    import jwt from "@tsndr/cloudflare-worker-jwt";
    import { X509Certificate } from 'node:crypto';

    export function verifyToken(keyData: string, token: string) {
      // keyData is the base64-encoded certificate
      const key = Buffer.from(keyData, 'base64');
      const cert = new X509Certificate(key);
      // Export the certificate's public key as SPKI/PEM for the JWT library
      const publicKey = cert.publicKey.export({ type: 'spki', format: 'pem' });
      return jwt.verify(token, publicKey, "ES256");
    }
Cyb3r-Jak3 (10mo ago)
Ah sorry not sure then
pee cee beez (10mo ago)
Did more research, found an x509 package that works on Node, but gives an incorrect publicKey on the workers runtime... guess this means more research.
Looks like a bug in SubtleCrypto? importKey in the worker runtime is returning:

    CryptoKey {
      usages: undefined,
      algorithm: undefined,
      extractable: undefined,
      type: undefined
    }
meanwhile NodeJS with the exact same code returns:

    CryptoKey {
      type: 'public',
      extractable: true,
      algorithm: { name: 'ECDSA', namedCurve: 'P-256' },
      usages: [ 'verify' ]
    }
Using:

    await crypto.subtle.importKey(
      "spki",
      Buffer.from(
        "3059301306072a8648ce3d020106082a8648ce3d03010703420004ea1371a3dca5e8a934bf5e434ead0aeee951cc1d09774df2f1aa6948dde7c67cb4bc62502d1d05e03e7ae318820875ff988093e14cc541660366b5af868267c4",
        "hex"
      ),
      { name: "ECDSA", namedCurve: "P-256", hash: { name: "SHA-256" } },
      true,
      ["verify"]
    )
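
Added example, not part of the thread or any participant's code: `importKey("spki", ...)` expects a SubjectPublicKeyInfo structure, which sits inside the certificate's tbsCertificate, so this sketch walks the DER to that field and imports it with WebCrypto instead of `X509Certificate`. The function names and the certificate skeleton are constructed for illustration; it assumes a DER certificate carrying a P-256 key.

```javascript
// Read one DER TLV header at `pos`; returns the tag and content start/end offsets.
function readTlv(buf, pos) {
  if (pos + 2 > buf.length) throw new Error("truncated DER");
  const tag = buf[pos];
  let len = buf[pos + 1], start = pos + 2;
  if (len & 0x80) { // long form: low 7 bits give the number of length bytes
    const n = len & 0x7f;
    if (n === 0 || n > 3 || start + n > buf.length) throw new Error("bad DER length");
    len = 0;
    for (let i = 0; i < n; i++) len = len * 256 + buf[start++];
  }
  if (start + len > buf.length) throw new Error("truncated DER");
  return { tag, start, end: start + len };
}

// Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue } (RFC 5280)
function extractSpki(certDer) {
  const cert = readTlv(certDer, 0);
  const tbs = readTlv(certDer, cert.start);
  if (cert.tag !== 0x30 || tbs.tag !== 0x30) throw new Error("not an X.509 certificate");
  let pos = tbs.start;
  const first = readTlv(certDer, pos);
  if (first.tag === 0xa0) pos = first.end; // optional [0] EXPLICIT version
  for (let i = 0; i < 5; i++) pos = readTlv(certDer, pos).end; // serial, sigAlg, issuer, validity, subject
  const spki = readTlv(certDer, pos);
  if (spki.tag !== 0x30 || spki.end > tbs.end) throw new Error("SubjectPublicKeyInfo not found");
  return certDer.subarray(pos, spki.end); // the whole TLV is what "spki" import expects
}

// Workers/Node WebCrypto: import the extracted SPKI as an ES256 verification key.
async function importCertKey(certBase64) {
  const der = Uint8Array.from(atob(certBase64), (c) => c.charCodeAt(0));
  return crypto.subtle.importKey("spki", extractSpki(der),
    { name: "ECDSA", namedCurve: "P-256" }, true, ["verify"]);
}

// Constructed sample: certificate-shaped DER skeleton (placeholder fields, zeroed
// signature, NOT a valid certificate) wrapping the SPKI bytes quoted in the thread.
const hex = (s) => Uint8Array.from(s.match(/../g), (b) => parseInt(b, 16));
const tlv = (tag, ...parts) => {
  const body = parts.flatMap((p) => [...p]);
  const len = body.length < 128 ? [body.length] : [0x81, body.length];
  return Uint8Array.from([tag, ...len, ...body]);
};
const SAMPLE_SPKI = hex("3059301306072a8648ce3d020106082a8648ce3d03010703420004ea1371a3dca5e8a934bf5e434ead0aeee951cc1d09774df2f1aa6948dde7c67cb4bc62502d1d05e03e7ae318820875ff988093e14cc541660366b5af868267c4");
const ecdsaSha256 = tlv(0x30, hex("06082a8648ce3d040302"));
const SAMPLE_CERT = tlv(0x30,
  tlv(0x30, tlv(0xa0, hex("020102")), hex("020101"), ecdsaSha256, tlv(0x30), tlv(0x30), tlv(0x30), SAMPLE_SPKI),
  ecdsaSha256, tlv(0x03, new Uint8Array(9)));
```

Extracting the key does not validate the certificate: its chain, validity period and revocation status still need checking, or the certificate must be pinned, before a JWT verified with this key is trusted.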