Importing firebase PEM as x509 throws "Supplied format is not supported" on Fastly Compute

[cupofjoakim]

I'm trying to verify some firebase session tokens in our Fastly Compute edge, but I'm unable to even import the x509 certificate.

The public keys are gotten from here: https://www.googleapis.com/identitytoolkit/v3/relyingparty/publicKeys

Running await jose.importX509(certificate, 'RS256'); throws us this error:

DOMException { code: 0, message: "Supplied format is not supported", name: "DataError", INDEX_SIZE_ERR: 1, DOMSTRING_SIZE_ERR: 2, HIERARCHY_REQUEST_ERR: 3, WRONG_DOCUMENT_ERR: 4, INVALID_CHARACTER_ERR: 5, NO_DATA_ALLOWED_ERR: 6, NO_MODIFICATION_ALLOWED_ERR: 7, NOT_FOUND_ERR: 8, NOT_SUPPORTED_ERR: 9, INUSE_ATTRIBUTE_ERR: 10, INVALID_STATE_ERR: 11, SYNTAX_ERR: 12, INVALID_MODIFICATION_ERR: 13, NAMESPACE_ERR: 14, INVALID_ACCESS_ERR: 15, VALIDATION_ERR: 16, TYPE_MISMATCH_ERR: 17, SECURITY_ERR: 18, NETWORK_ERR: 19, ABORT_ERR: 20, URL_MISMATCH_ERR: 21, QUOTA_EXCEEDED_ERR: 22, TIMEOUT_ERR: 23, INVALID_NODE_TYPE_ERR: 24, DATA_CLONE_ERR: 25 }

The JWT header reports RS256 as algo and kIMSOw as the kid. At the time of writing, that kid corresponds to this public key:

-----BEGIN CERTIFICATE-----
MIIDHDCCAgSgAwIBAgIEI0cVgTANBgkqhkiG9w0BAQsFADAzMQ8wDQYDVQQDEwZH
aXRraXQxEzARBgNVBAoTCkdvb2dsZSBJbmMxCzAJBgNVBAYTAlVTMB4XDTI1MDYx
MTE3MjM1NFoXDTI2MDYwNjE3MjM1NFowMzEPMA0GA1UEAxMGR2l0a2l0MRMwEQYD
VQQKEwpHb29nbGUgSW5jMQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBAMhLJvDpex9RWSY3Hx399yfdcJwecy28rx38pJFB5JGp9Wwd
mRMEF+7tSmVyRv7Ne36D52haNydkxqVqdMkCYwdhC81RAymUPPhEAGAPihCRTtXN
dgzGHBDubnmf73JaOsXkGRu6tcQ58C8aExsMT4EE6E5/njz+ivM8ct1oyHda7rx+
Ca4ThVXYU+MVLAfsPkCpBKAVC3hL46WfDsrusP4vLSHP3HtcP2SuCLctsXsia58G
Lb7rpeq7yMrDy88BRZlcFHCYRlLFyUXmQ801/4HtTX++rki+CsDbHG0q7AreoEmx
WRI9o8ujQYB1kAu5a9x+WzP4PIvg7t9Yb56SRAsCAwEAAaM4MDYwDAYDVR0TAQH/
BAIwADAWBgNVHSUBAf8EDDAKBggrBgEFBQcDAjAOBgNVHQ8BAf8EBAMCB4AwDQYJ
KoZIhvcNAQELBQADggEBAEHgfCxSc822cE40MTfV6LtlfqEQqtSj4SHq0OJ+/1+6
ZCJngxrDP1V6KHjm3IxUP2MPQ4A5Q1RhCTqsefI1SzMEhN+tx4RpKyyeqIZM711V
/VzK7eavCxiCFLYQ+W6T5i3EGOmgqYTOYDGJKXHs3C0K0AXeUG29blsfnybPpeeg
+O9/j1XXeGc1ESv9Uscr2byfEb08EJwRjpJq/1Dfvw4pT7+PudzWw/XB6Zd37mtQ
FPpQ3ilBx7wVFc3OrogdSk7Vqka0PZFTfUw9EmwujBT7vty6m0Ipx4taPu6icxrg
oSvT4oTsvCkwb3niI6AXzw8bdnB7cdWigJZ70Fl/wUo=
-----END CERTIFICATE-----

I'm unsure what this barks up to – afaik it could be weirdness with googles certificates, an issue with the fastly compute runtime, a legit bug in the jose package.

@panva has kindly given an example for the same functionality in this comment, and that was reported as working a year ago, so I'm inclined to suspect Fastly here. That is further supported as the import seems to work in node 22 when running a test in vitest:

// Passes
describe('import cert test', () => {
  it('should import a valid X.509 certificate', async () => {
    const cert = await importX509(validCert.trim(), 'RS256');
    expect(cert).toBeDefined(); 
  });
});

Fastly does claim to support at least v5 in the docs: https://www.fastly.com/documentation/guides/compute/developer-guides/javascript/#using-dependencies

I'll reach out to our contacts at fastly as well, but thought it'd make sense to make a discussion here if it was something known.