Why I am this Error in decoding JSON Web Token Error: error:0909006C:PEM routines:get_name:no start line

Question

I have a key named social-public.key, which I am using to decode JWTs, but the problem is I am having an error as below

Error occurred while decoding access token Error: error:0909006C:PEM routines:get_name:no start line
    at Verify.verify (internal/crypto/sig.js:157:24)
    at Object.verify (D:\SocialAnalysisDashboard\social-dashboard-user-service\node_modules\jwa\index.js:164:21)
    at Object.jwsVerify [as verify] (D:\SocialAnalysisDashboard\social-dashboard-user-service\node_modules\jws\lib\verify-stream.js:54:15)
    at D:\SocialAnalysisDashboard\social-dashboard-user-service\node_modules\jsonwebtoken\verify.js:127:19
    at getSecret (D:\SocialAnalysisDashboard\social-dashboard-user-service\node_modules\jsonwebtoken\verify.js:90:14)
    at Object.module.exports [as verify] (D:\SocialAnalysisDashboard\social-dashboard-user-service\node_modules\jsonwebtoken\verify.js:94:10)
    at D:\SocialAnalysisDashboard\social-dashboard-user-service\express\Middlewares\auth.js:24:46
    at processTicksAndRejections (internal/process/task_queues.js:93:5) {
  library: 'PEM routines',
  function: 'get_name',
  reason: 'no start line',
  code: 'ERR_OSSL_PEM_NO_START_LINE'
}

Here is code the code I am using to decode JWTs,

const decodedToken = jwt.verify(token, key, {algorithms: ['RS256']});

Mostly solutions I have found are related to .pem files.

Answer 1

I had a similar problem and I fixed it with help of this issue post. You only need one key to sign and verify if you use HS256. The RSA version requires a public and private key (Public for verification and private for signing)

Follow the following steps:

1. Have a valid public and it's associated private key. (csfieldguide, travistidwell)
2. Include the '---private/public key start---' and '---public/private key end---' part
3. I saved it in base64 and can be giving directly in the jsonwebtoken module from npm
4. Make sure the new line byte (\n) is giving with the base64 string

example:

let secret = [
        '-----BEGIN PRIVATE KEY-----',
        'MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEAkcd7iupXSHhgIRat',
        'b2gnEiyC3AIf7GCrISTtgM5Lb8kccGjunU8sIqwwd3BV6qD+pExeyvMyU085RHRX',
        'ud1cyQIDAQABAkAzmni6GPAiwDHPJLbqK+VAwq7j8ICabTHGvsqwANalT/O4V75m',
        'e2ExeqV05+jlzVOGrQ953n8Mx1u0uRgPlfoBAiEAyO3qytGKRRzlqBuGwPFPde4a',
        '66ZW4AmRcBwwuKp1zgkCIQC5u/2j/JFzM4GTbpoC0a2u78+tqYQW7Y/Usu6AAubI',
        'wQIhAMKbhMQJ7UUBNwH6HyryzcZn5pUEl7IIMmAGPb4uA0mZAiAbJPhawQzY00w6',
        'qc1kYBSMHowxiza8yxdcNJJarxHfgQIgcw2oEtn8GbvNMOsFg0Q9TPMdQ+uhxhWK',
        'xhVgWkIkTVU=',
        '-----END PRIVATE KEY-----',
    ].join('\n');

Same goes for the public key when verifying.

// Create a signed JWT token
const token = jwt.sign(payload, privKey, {algorithm: 'RS256', ...otherSignOptions}); 

// returns undefined if token could not be verified
jwt.verify(token, pubKey);

I'd recommend of course reading the key from a file instead of hardcoding it. (preferably in a safe location)