computeRsaSha256Signature() returns Invalid argume

Posted 2019-09-09 21:21

Question:

I need to sign a message using RSA-SHA256 and a public key in my Google Apps Script.

I am trying to use Utilities.computeRsaSha256Signature(value, key) for this, but I just get an Invalid argument: key error.

For the purpose of this question I have generated a key-pair like this:

openssl genrsa -out private.pem 32
openssl rsa -in private.pem -out public.pem -outform PEM -pubout

My script looks like this:

function test() {
  var privKey = "-----BEGIN RSA PRIVATE KEY-----\nMCwCAQACBQC6fs8xAgMBAAECBQCxyL35AgMA3ecCAwDXJwICKLcCAnF9AgIbnA==\n-----END RSA PRIVATE KEY-----\n";
  var pubKey = "-----BEGIN PUBLIC KEY-----\nMCAwDQYJKoZIhvcNAQEBBQADDwAwDAIFALp+zzECAwEAAQ==\n-----END PUBLIC KEY-----\n";
  Utilities.computeRsaSha256Signature("value", pubKey); 
  Utilities.computeRsaSha256Signature("value", privKey);
}

When I run this I get an Invalid argument: key error on the first call to computeRsaSha256Signature.

The error suggests there is something wrong with the key, but I can't figure out what the problem is. I've tried with both the public and the private key and I've tried to strip the newlines but everything fails with the same message.

My code looks very similar to the example in the documentation so I'm not sure what I am doing wrong.

How can Utilities.computeRsaSha256Signature() be used successfully?

Answer 1:

Keys starting with BEGIN PRIVATE KEY have a different format than the ones with BEGIN RSA PRIVATE KEY.

I was starting from a key in the "RSA" format but the computeRsaSha256Signature needs a key in the non-RSA format.

You can convert from the latter to the former with:

openssl pkcs8 -topk8 -inform pem -in private.pem -outform pem -nocrypt -out newPrivate.pem

Source: https://plus.google.com/106009755685055488206/posts/bYuPM6MGwsU
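
The conversion from Answer 1 done in JavaScript rather than with openssl, as an added example that is not part of the original answers: it wraps a PKCS#1 `RSA PRIVATE KEY` body in the PKCS#8 `PrivateKeyInfo` structure to produce the `BEGIN PRIVATE KEY` form the answers say computeRsaSha256Signature needs. The function names (`derLength`, `derTlv`, `pemBody`, `toPkcs8Pem`) are hypothetical, and the code assumes Node.js for `Buffer`.

```javascript
// Added example. Runs in Node.js (global Buffer); Apps Script has no Buffer, so the
// base64 steps would use Utilities.base64Decode/base64Encode there (assumption).

// DER length octets: short form below 128, long form otherwise.
function derLength(n) {
  if (n < 0x80) return Buffer.from([n]);
  const bytes = [];
  for (; n > 0; n = Math.floor(n / 256)) bytes.unshift(n & 0xff);
  return Buffer.from([0x80 | bytes.length, ...bytes]);
}

// Tag-length-value encoding of one DER element.
function derTlv(tag, content) {
  return Buffer.concat([Buffer.from([tag]), derLength(content.length), content]);
}

// Decoded DER of the PEM block with this exact label, or null if absent.
function pemBody(pem, label) {
  const re = new RegExp(`-----BEGIN ${label}-----([\\s\\S]*?)-----END ${label}-----`);
  const m = re.exec(pem);
  return m ? Buffer.from(m[1].replace(/\s+/g, ''), 'base64') : null;
}

// version INTEGER 0, then AlgorithmIdentifier { rsaEncryption (1.2.840.113549.1.1.1), NULL }
const PKCS8_RSA_PREFIX = Buffer.from('020100300d06092a864886f70d0101010500', 'hex');

function toPkcs8Pem(pem) {
  if (pemBody(pem, 'PRIVATE KEY')) return pem; // already PKCS#8
  if (pemBody(pem, 'PUBLIC KEY')) throw new Error('PUBLIC KEY PEM: no private key to convert');
  const pkcs1 = pemBody(pem, 'RSA PRIVATE KEY');
  if (!pkcs1 || pkcs1[0] !== 0x30) throw new Error('not a PKCS#1 RSA private key');
  // PrivateKeyInfo ::= SEQUENCE { version, algorithm, OCTET STRING { RSAPrivateKey } }
  const der = derTlv(0x30, Buffer.concat([PKCS8_RSA_PREFIX, derTlv(0x04, pkcs1)]));
  const b64 = der.toString('base64').match(/.{1,64}/g).join('\n');
  return `-----BEGIN PRIVATE KEY-----\n${b64}\n-----END PRIVATE KEY-----\n`;
}

// The throwaway 32-bit key posted in the question.
const QUESTION_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMCwCAQACBQC6fs8xAgMBAAECBQCxyL35AgMA3ecCAwDXJwICKLcCAnF9AgIbnA==\n-----END RSA PRIVATE KEY-----\n";
console.log(toPkcs8Pem(QUESTION_KEY));
```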



Answer 2:

There are at least three different types of keys that can be used when doing an RSA-SHA256 signature:

BEGIN PRIVATE KEY
BEGIN RSA PRIVATE KEY
BEGIN PUBLIC KEY

As indicated by the accepted answer and based on my own testing, it seems like computeRsaSha256Signature only supports the BEGIN PRIVATE KEY type.

As the accepted answer explains, it is possible to convert an RSA PRIVATE KEY to a PRIVATE KEY; however, when all you have is the public key it's more complicated.

In this scenario an external library like JSEncrypt can be useful. However, this assumes that the window and navigator objects exist, which they do in normal JavaScript environments but don't in Google Apps Scripts.

But with some modification it's possible to get JSEncrypt to work well enough with Google Apps Scripts to sign messages using a public key.