Error on Google Cloud keys: Failed to match tag: "bitstr" at: ["privateKey"]

[Macil]

In Google Cloud, when you create a service account, you're given a JSON file that contains the 2048-bit RSA private key for the account. I've created and then deleted a service account so I could have an example private key to post here:

-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCOJu3e+6JX5egP
9sJtdPnp2Qe64UmoUroKn270MWzqUkiNur5YntIUj2UZ2cU59UToeDXlZ7y9Yjl2
KYV4xsZc7hxbL4KqPOitvqEN8NHmY1u1fbn4tkaQLsJA5Cvkt22lTwyZCWx5UIhl
6jWlpsgk2n+Eopbc84FQvn694LxTHwUviLSbMkonPjkZO7Gr6txe4jKVuHZitcSS
myvPXN9grJWdFuOAjUqsnt6CNqYSeXYZ0+WNKN+mqWyrWNZp2kiKOFWXBIGcQ/Wz
zxK7vWi9Nj2qob4lYmmjwx03/gn5bioCB/z4HhMDE/ch3+3PLt8We2HFqc8oaqJ3
Br9WawrdAgMBAAECggEAPgrAnCdQijOGTt1gq3w4DTfTl113k/cTSsqeFwcxZa3n
C7C7HhunTiDtu9Qfr/WcDyhUQZ0+s5uYv7lMj1OWRP4Js0Svr1RpK1e9nEOEoRyx
bKuEjQglEQ3Pa5oKjEcAnHs9YNfLl8Et3ulTY8rApNEWgdGiram7wX16/K2HFHGZ
bK/r+9hO687AkB8Kr9Zgas+bWzRNngTQ2HuhkVdpRO7UzXHqv/BokespmVY73TOa
RK2II1+WQpoik1D0IEYpVdF+QfK+lPsZSfyQoIAX4XVRR6RYCPpfIVdQRBNqOCOf
rwEIBfk3U/un1DjWc+T+KjVRtUP3nVpt9gHMVcYmgwKBgQDEyA+udC0SPO7lGaEG
QDVhwjMrjnTZ+aGbg423e0oGTJmKRXCmxC1TJpG5557Uw9QDBbHGf5giG7AcHFTX
xyUioRAJP+TUqwQsFk02DJh/xTn15jNNk0oM4c91hy75ZYp07GE9K9+S50lxKNb6
p1sG50Jdi5Mg34W1W8u8PRiJ9wKBgQC47j87jxMMVj/OOqaLHxZ4x7S2sf3zWzvY
f2I1w5X0cJf4rL5Z5WVD4t1gfhR5qTBUqONFmxNYi6DPvOkkDsoF21A5KBifar9l
5y9B5y/TWFtXE5oBqz7QmXVNmNEe3/BK5rPUTn2c4FvtC8ibZ1diyT9BYHAFMwiZ
D/k/z258ywKBgQCjS+X/fjccyGXyxmbi2guyeUafYZNEg6yBchT7axtNyOktXlyS
d3+pXftWS4h5xZw9ec9CCwZDX7iwSy549bCyYPf+xP/vH4/Ryhv+u0sd1Jw5m/N8
77pmoEjZnfn0SjgwuSwkaDEbJkXC2wIzdQfL3cMr/7RzdinuCyQxrH2dlwKBgBNz
U4lDIiDBDZL2TkABtA5eCt7QV8J5zRCXTVAUUzhTg1hvatHvs7fxK5GTkTm+lsvA
u669gcplXTOcTfUx7QOyrnxkgDp8MsdYCntnAnu7JlhBQoh8Z23vRgw0T4Js0Uw/
eZiR7NpMKr8C50WZF/LW8eVBbGbPmE7pBDE28wsDAoGBAK1z4rqKY4A3JzqK2iUr
v9ftXp9g7TMrcAlSAz5epAakXpUZ3bgxvzJCz2JpDeiAmwELhEiGKjAC2c1u49jY
Zay5fFx9OTSu7hqqxTZpdYa0L02GMMEpV1/MUHudDx3Dr/BEUS5Jy12YhDijWphu
vBu776Gyn1tD51Ibb4FbJS5q
-----END PRIVATE KEY-----

I assume this is a normal PEM-format key, but I'm not really sure. openssl rsa -text -noout is capable of parsing it.

If I try to convert this key to a JWK with this project, I get an error:

$ <testkey.pem pem-jwk

/private/tmp/x/node_modules/asn1.js/lib/asn1/base/reporter.js:84
    throw err;
    ^
ReporterError: Failed to match tag: "bitstr" at: ["privateKey"]
    at DecoderBuffer.error (/private/tmp/x/node_modules/asn1.js/lib/asn1/base/reporter.js:78:11)
    at DERNode.decodeTag [as _decodeTag] (/private/tmp/x/node_modules/asn1.js/lib/asn1/decoders/der.js:71:19)
    at DERNode.decode [as _decode] (/private/tmp/x/node_modules/asn1.js/lib/asn1/base/node.js:341:25)
    at decodeChildren (/private/tmp/x/node_modules/asn1.js/lib/asn1/base/node.js:378:15)
    at Array.forEach (<anonymous>)
    at DERNode.decode [as _decode] (/private/tmp/x/node_modules/asn1.js/lib/asn1/base/node.js:375:22)
    at DERNode.decode [as _decode] (/private/tmp/x/node_modules/asn1.js/lib/asn1/base/node.js:280:47)
    at Generated.decode (/private/tmp/x/node_modules/asn1.js/lib/asn1/decoders/der.js:28:20)
    at Entity.decode (/private/tmp/x/node_modules/asn1.js/lib/asn1/api.js:44:32)
    at decodePrivate (/private/tmp/x/node_modules/pem-jwk/index.js:133:29) {
  path: '["privateKey"]',
  message: 'Failed to match tag: "bitstr" at: ["privateKey"]'
}

I'm not sure if it's sensible to do, but if I add the word "RSA" to the header and footer (so it's -----BEGIN RSA PRIVATE KEY----- / -----END RSA PRIVATE KEY-----, like how PEMs generated by openssl look), then I get this error instead:

$ <testkey.pem pem-jwk

/private/tmp/x/node_modules/asn1.js/lib/asn1/base/reporter.js:84
    throw err;
    ^
ReporterError: Failed to match tag: "int" at: ["n"]
    at DecoderBuffer.error (/private/tmp/x/node_modules/asn1.js/lib/asn1/base/reporter.js:78:11)
    at DERNode.decodeTag [as _decodeTag] (/private/tmp/x/node_modules/asn1.js/lib/asn1/decoders/der.js:71:19)
    at DERNode.decode [as _decode] (/private/tmp/x/node_modules/asn1.js/lib/asn1/base/node.js:341:25)
    at decodeChildren (/private/tmp/x/node_modules/asn1.js/lib/asn1/base/node.js:378:15)
    at Array.forEach (<anonymous>)
    at DERNode.decode [as _decode] (/private/tmp/x/node_modules/asn1.js/lib/asn1/base/node.js:375:22)
    at DERNode.decode [as _decode] (/private/tmp/x/node_modules/asn1.js/lib/asn1/base/node.js:280:47)
    at Generated.decode (/private/tmp/x/node_modules/asn1.js/lib/asn1/decoders/der.js:28:20)
    at Entity.decode (/private/tmp/x/node_modules/asn1.js/lib/asn1/api.js:44:32)
    at decodeRsaPrivate (/private/tmp/x/node_modules/pem-jwk/index.js:111:27) {
  path: '["n"]',
  message: 'Failed to match tag: "int" at: ["n"]'
}

However, if I reserialize the key with openssl rsa first, then it works fine:

$ <testkey.pem openssl rsa | pem-jwk
writing RSA key
{"kty":"RSA","n":"jibt3vuiV-XoD_bCbXT56dkHuuFJqFK6Cp9u9DFs6lJIjbq-WJ7SFI9lGdnFOfVE6Hg15We8vWI5dimFeMbGXO4cWy-Cqjzorb6hDfDR5mNbtX25-LZGkC7CQOQr5LdtpU8MmQlseVCIZeo1pabIJNp_hKKW3POBUL5-veC8Ux8FL4i0mzJKJz45GTuxq-rcXuIylbh2YrXEkpsrz1zfYKyVnRbjgI1KrJ7egjamEnl2GdPljSjfpqlsq1jWadpIijhVlwSBnEP1s88Su71ovTY9qqG-JWJpo8MdN_4J-W4qAgf8-B4TAxP3Id_tzy7fFnthxanPKGqidwa_VmsK3Q","e":"AQAB","d":"PgrAnCdQijOGTt1gq3w4DTfTl113k_cTSsqeFwcxZa3nC7C7HhunTiDtu9Qfr_WcDyhUQZ0-s5uYv7lMj1OWRP4Js0Svr1RpK1e9nEOEoRyxbKuEjQglEQ3Pa5oKjEcAnHs9YNfLl8Et3ulTY8rApNEWgdGiram7wX16_K2HFHGZbK_r-9hO687AkB8Kr9Zgas-bWzRNngTQ2HuhkVdpRO7UzXHqv_BokespmVY73TOaRK2II1-WQpoik1D0IEYpVdF-QfK-lPsZSfyQoIAX4XVRR6RYCPpfIVdQRBNqOCOfrwEIBfk3U_un1DjWc-T-KjVRtUP3nVpt9gHMVcYmgw","p":"xMgPrnQtEjzu5RmhBkA1YcIzK4502fmhm4ONt3tKBkyZikVwpsQtUyaRueee1MPUAwWxxn-YIhuwHBxU18clIqEQCT_k1KsELBZNNgyYf8U59eYzTZNKDOHPdYcu-WWKdOxhPSvfkudJcSjW-qdbBudCXYuTIN-FtVvLvD0Yifc","q":"uO4_O48TDFY_zjqmix8WeMe0trH981s72H9iNcOV9HCX-Ky-WeVlQ-LdYH4UeakwVKjjRZsTWIugz7zpJA7KBdtQOSgYn2q_ZecvQecv01hbVxOaAas-0Jl1TZjRHt_wSuaz1E59nOBb7QvIm2dXYsk_QWBwBTMImQ_5P89ufMs","dp":"o0vl_343HMhl8sZm4toLsnlGn2GTRIOsgXIU-2sbTcjpLV5cknd_qV37VkuIecWcPXnPQgsGQ1-4sEsuePWwsmD3_sT_7x-P0cob_rtLHdScOZvzfO-6ZqBI2Z359Eo4MLksJGgxGyZFwtsCM3UHy93DK_-0c3Yp7gskMax9nZc","dq":"E3NTiUMiIMENkvZOQAG0Dl4K3tBXwnnNEJdNUBRTOFODWG9q0e-zt_ErkZOROb6Wy8C7rr2BymVdM5xN9THtA7KufGSAOnwyx1gKe2cCe7smWEFCiHxnbe9GDDRPgmzRTD95mJHs2kwqvwLnRZkX8tbx5UFsZs-YTukEMTbzCwM","qi":"rXPiuopjgDcnOoraJSu_1-1en2DtMytwCVIDPl6kBqRelRnduDG_MkLPYmkN6ICbAQuESIYqMALZzW7j2NhlrLl8XH05NK7uGqrFNml1hrQvTYYwwSlXX8xQe50PHcOv8ERRLknLXZiEOKNamG68G7vvobKfW0PnUhtvgVslLmo"}

[MNITD]

Have the same error while converting private key generated using crypto
https://nodejs.org/docs/latest-v12.x/api/crypto.html#crypto_crypto_generatekeypair_type_options_callback

[mug-cat]

However, if I reserialize the key with openssl rsa first, then it works fine:

$ <testkey.pem openssl rsa | pem-jwk
writing RSA key
{"kty":"RSA","n":"jibt3vuiV-XoD_bCbXT56dkHuuFJqFK6Cp9u9DFs6lJIjbq-WJ7SFI9lGdnFOfVE6Hg15We8vWI5dimFeMbGXO4cWy-Cqjzorb6hDfDR5mNbtX25-LZGkC7CQOQr5LdtpU8MmQlseVCIZeo1pabIJNp_hKKW3POBUL5-veC8Ux8FL4i0mzJKJz45GTuxq-rcXuIylbh2YrXEkpsrz1zfYKyVnRbjgI1KrJ7egjamEnl2GdPljSjfpqlsq1jWadpIijhVlwSBnEP1s88Su71ovTY9qqG-JWJpo8MdN_4J-W4qAgf8-B4TAxP3Id_tzy7fFnthxanPKGqidwa_VmsK3Q","e":"AQAB","d":"PgrAnCdQijOGTt1gq3w4DTfTl113k_cTSsqeFwcxZa3nC7C7HhunTiDtu9Qfr_WcDyhUQZ0-s5uYv7lMj1OWRP4Js0Svr1RpK1e9nEOEoRyxbKuEjQglEQ3Pa5oKjEcAnHs9YNfLl8Et3ulTY8rApNEWgdGiram7wX16_K2HFHGZbK_r-9hO687AkB8Kr9Zgas-bWzRNngTQ2HuhkVdpRO7UzXHqv_BokespmVY73TOaRK2II1-WQpoik1D0IEYpVdF-QfK-lPsZSfyQoIAX4XVRR6RYCPpfIVdQRBNqOCOfrwEIBfk3U_un1DjWc-T-KjVRtUP3nVpt9gHMVcYmgw","p":"xMgPrnQtEjzu5RmhBkA1YcIzK4502fmhm4ONt3tKBkyZikVwpsQtUyaRueee1MPUAwWxxn-YIhuwHBxU18clIqEQCT_k1KsELBZNNgyYf8U59eYzTZNKDOHPdYcu-WWKdOxhPSvfkudJcSjW-qdbBudCXYuTIN-FtVvLvD0Yifc","q":"uO4_O48TDFY_zjqmix8WeMe0trH981s72H9iNcOV9HCX-Ky-WeVlQ-LdYH4UeakwVKjjRZsTWIugz7zpJA7KBdtQOSgYn2q_ZecvQecv01hbVxOaAas-0Jl1TZjRHt_wSuaz1E59nOBb7QvIm2dXYsk_QWBwBTMImQ_5P89ufMs","dp":"o0vl_343HMhl8sZm4toLsnlGn2GTRIOsgXIU-2sbTcjpLV5cknd_qV37VkuIecWcPXnPQgsGQ1-4sEsuePWwsmD3_sT_7x-P0cob_rtLHdScOZvzfO-6ZqBI2Z359Eo4MLksJGgxGyZFwtsCM3UHy93DK_-0c3Yp7gskMax9nZc","dq":"E3NTiUMiIMENkvZOQAG0Dl4K3tBXwnnNEJdNUBRTOFODWG9q0e-zt_ErkZOROb6Wy8C7rr2BymVdM5xN9THtA7KufGSAOnwyx1gKe2cCe7smWEFCiHxnbe9GDDRPgmzRTD95mJHs2kwqvwLnRZkX8tbx5UFsZs-YTukEMTbzCwM","qi":"rXPiuopjgDcnOoraJSu_1-1en2DtMytwCVIDPl6kBqRelRnduDG_MkLPYmkN6ICbAQuESIYqMALZzW7j2NhlrLl8XH05NK7uGqrFNml1hrQvTYYwwSlXX8xQe50PHcOv8ERRLknLXZiEOKNamG68G7vvobKfW0PnUhtvgVslLmo"}

You re-serialized the key from PKCS8 to PKCS1 format, which pem-jwk works fine for.
pem-jwk only seems to be not working on pkcs8 private keys. Unfortunately, I do not know enough about asn1 and the crypto standardization to debug it.

I'm not sure if it's sensible to do, but if I add the word "RSA" to the header and footer (so it's -----BEGIN RSA PRIVATE KEY----- / -----END RSA PRIVATE KEY-----, like how PEMs generated by openssl look), then I get this error instead:

Well the difference between pkcs8 and pkcs1 is more than just a change in the header. If you use openssl to serialize the key into both formats, you can obviously see that the key components in the middle are different

[davidfernandezm]

I'm facing this exact error... the PEM encoded file from GCP does not seem to work with this lib

[bughunter2]

If someone stumbles upon this page by searching the web for a workaround, there is one:
At least, if you're in a position to change the code you're working with, you can try the following.

For example, if this gives you problems...:
openssl genrsa 2048 | pem-jwk

...then try changing it into this:
openssl genrsa -traditional 2048 | pem-jwk

That worked for me.