Fix handling for X509 Certificates using EC algorithms

[AndrewKahr]

Overview

This PR resolves issues involving X509 Certificates using Elliptic Curve algorithms. The motivation for this implementation is driven by the NodeJS Apple App Store Server Library not functioning in the workerd environment due to a couple of bugs in handling ECDSA certificates. This PR is composed of 2 commits, each of which resolves a portion of ECDSA certificate handling, and combined, brings compatibility for the App Store Server Library in Cloudflare Workers.

Commit 1

The original implementation only inspected the top-level key, which, for EC algorithms, only provided a generic value: id-ecPublicKey. The actual curve spec is actually nested a layer below. This commit correctly inspects the inner field and pulls the correct algorithm. Additionally, a test for a test ECDSA cert with curve P-384 was created, mimicking the RSA-based test.

Commit 2

The original implementation only handled certs using the AsymmetricKey type. When a key backed by the crypto.subtle type was used, it would result in a null. This commit now handles crypto.subtle-based keys in CryptoImpl::tryGetKey, which by extension allows them to be used in sign/verify functions.

Additionally, while introducing round-trip sign/verify tests for ECDSA-based keys, it was discovered that the original implementation would fail for ECDSA keys because their DER-encoded signatures are potentially shorter than the maximum estimated size. This commit resolves this by checking the key type and determining if sign or signOneShot should be used, where sign properly handles the ECDSA case.

Testing

Functionality was verified by passing all Bazel tests and by locally running a build of workerd with the changes in this PR using wrangler and validating that the various functions in the App Store Server Library that previously failed due to certificate validation errors are now working properly.

This should resolve #3622

[github-actions]

All contributors have signed the CLA ✍️ ✅
_{Posted by the CLA Assistant Lite bot.}

[AndrewKahr]

I have read the CLA Document and I hereby sign the CLA

[AndrewKahr]

Hey @jasnell, thanks for taking the time to review my PR! Are there any additional actions required on my end to get this pushed through? Eager to get this merged so we are unblocked on our worker development. Thanks!

[danlapid]

Hey @AndrewKahr , I just approved the CI workflow to run, if it everything besides "Run internal build" passes then we should be good to go here.

[AndrewKahr]

Hey @danlapid, thanks for getting the workflow going! Looks like everything passed except the coverage job. The logs seem to point to a 500 error from the cache server that caused a cascading failure in the Bazel build, so I'm thinking it just got unlucky and needs a rerun? If you could restart the job, that would be super helpful! Unfortunately, it doesn't look like I can rerun jobs even if the original check job was approved.

If this needs code changes, please let me know what to look for, as I'm a bit lost on what else could be wrong since the tests themselves pass. Thanks!

[pat-in-a-hat]

It would be great to get this merged, its a big issue if you're using Cloudflare Workers to handle Apple IAP processing

[Alkenso]

+1, waiting for this fix a lot
It is also required for Apple AppAttest/DeviceCheck security checks

[AndrewKahr]

Hey @danlapid, sorry to poke again, just wanted to bump this. Would you be able to retry the coverage workflow since it looks like Bazel itself crashed and not a test failure? I was able to locally run coverage and it passed so I'm thinking this is just a transient issue. Thanks!

[AndrewKahr]

Thanks for rerunning @npaun! Looks like it's all green now

[AndrewKahr]

Thanks again @danlapid!

[Alkenso]

@AndrewKahr , I still experience the error on such code

const APPLE_APP_ATTESTATION_ROOT_CA = new X509Certificate(
      "-----BEGIN CERTIFICATE-----\nMIICITCCAaegAwIBAgIQC/O+DvHN0uD7jG5yH2IXmDAKBggqhkjOPQQDAzBSMSYwJAYDVQQDDB1BcHBsZSBBcHAgQXR0ZXN0YXRpb24gUm9vdCBDQTETMBEGA1UECgwKQXBwbGUgSW5jLjETMBEGA1UECAwKQ2FsaWZvcm5pYTAeFw0yMDAzMTgxODMyNTNaFw00NTAzMTUwMDAwMDBaMFIxJjAkBgNVBAMMHUFwcGxlIEFwcCBBdHRlc3RhdGlvbiBSb290IENBMRMwEQYDVQQKDApBcHBsZSBJbmMuMRMwEQYDVQQIDApDYWxpZm9ybmlhMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAERTHhmLW07ATaFQIEVwTtT4dyctdhNbJhFs/Ii2FdCgAHGbpphY3+d8qjuDngIN3WVhQUBHAoMeQ/cLiP1sOUtgjqK9auYen1mMEvRq9Sk3Jm5X8U62H+xTD3FE9TgS41o0IwQDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSskRBTM72+aEH/pwyp5frq5eWKoTAOBgNVHQ8BAf8EBAMCAQYwCgYIKoZIzj0EAwMDaAAwZQIwQgFGnByvsiVbpTKwSga0kP0e8EeDS4+sQmTvb7vn53O5+FRXgeLhpJ06ysC5PrOyAjEAp5U4xDgEgllF7En3VcE3iexZZtKeYnpqtijVoyFraWVIyd/dganmrduC1bmTBGwD\n-----END CERTIFICATE-----",
    );
console.log(APPLE_APP_ATTESTATION_ROOT_CA.publicKey);

error

NotSupportedError: Unrecognized or unimplemented EC curve "id-ecPublicKey" requested.
 ❯ X509Certificate.get publicKey [as publicKey] node-internal:crypto_x509:210:40

[AndrewKahr]

I'd assume at a minimum cloudflare/workers-sdk#13615 would need to be merged and released for us to at least start seeing it work locally. Not entirely sure how long it takes for releases in this repo to roll out to the cloud hosted version though.

I unfortunately could not find anything online about the lag between releases in this repo and the changes reflected in the hosted version. If a Cloudflare engineer familiar with this could color that in, that would be super helpful!

[Alkenso]

Yes, seems my bad. Updated locally all dependencies and everything works.

[npaun]

I think it should be in prod within a week. I'll post here when it's live.

[pat-in-a-hat]

I think it should be in prod within a week. I'll post here when it's live.

@npaun any update here?

[npaun]

My apologies for the late reply -- it's been a really busy period for us. It looks like this change has been live in production since 22 April 2026.