Open ITSamMed opened 5 months ago
It seems like this may be related specifically to Elliptic Curve Digital Signature Algorithm (ECDSA).

This builds just fine:

```kotlin
Clients.builder().setPrivateKey(Jwts.SIG.RS256.keyPair().build().private).build()
```

This fails to build:

```kotlin
Clients.builder().setPrivateKey(Jwts.SIG.ES256.keyPair().build().private).build()
```

What's weird is that passing an unencrypted PEM file path whose private key is ES512 also seems to work...

```shell
openssl genpkey -out unencrypted.key -algorithm EC -pkeyopt ec_paramgen_curve:P-521
```

```kotlin
Clients.builder().setPrivateKey("unencrypted.key").build()
```
@ITSamMed Thanks for posting! I'll take a look.
Describe the bug?

The PrivateKey parameter does not seem to be handled correctly for the OktaClient builder when setting directly. Instead of treating the private key as a PrivateKey, it is getting treated as a PEMKeyPair.

What is expected to happen?

OktaClient is built successfully

What is the actual behavior?

Exception is thrown

Reproduction Steps?
```kotlin
import java.io.FileInputStream
import java.io.FileNotFoundException
import java.io.IOException
import java.security.KeyPair
import java.security.KeyStore
import java.security.PrivateKey
import java.security.UnrecoverableKeyException
import com.okta.sdk.client.Clients

// Loads the key entry and its certificate from a keystore and returns them as a KeyPair.
// The keystore instance was not shown in the original report; the JDK default type is used here.
fun loadKeyPair(path: String, password: String, alias: String): KeyPair {
    val keyStore = KeyStore.getInstance(KeyStore.getDefaultType())

    try {
        FileInputStream(path).use { keyStore.load(it, password.toCharArray()) }
    } catch (ex: Exception) {
        when (ex) {
            is FileNotFoundException -> println("Keystore not found by path '${path}'.")
            is IOException -> println("Incorrect password for keystore.")
        }
        throw ex
    }

    // Assumes password is the same for keystore and key entry.
    val key = keyStore.getKey(alias, password.toCharArray())
    if (key == null) {
        println("Keystore entry not found by alias '${alias}'.")
        throw UnrecoverableKeyException("Keystore entry not found by alias '${alias}'.")
    }

    // Assumes alias is the same for private and public key entry.
    val certificate = keyStore.getCertificate(alias)
    return KeyPair(certificate.publicKey, key as PrivateKey)
}

// path, password and alias are supplied by the caller.
val keyPair = loadKeyPair(path, password, alias)

// java.security.KeyPair exposes getPrivate(), i.e. the Kotlin property is `private`, not `privateKey`.
Clients.builder().setPrivateKey(keyPair.private).build()
```
```shell
openssl genpkey -out.key -algorithm EC -pkeyopt ec_paramgen_curve:P-521 -aes-128-cbc
```

```kotlin
import java.io.File
import java.io.FileReader
import java.security.PrivateKey
import com.okta.sdk.client.Clients

val privateKey: PrivateKey
FileReader(File("")).use { keyReader ->
    // Parsing of the PEM into privateKey was not included in the original report.
}
Clients.builder().setPrivateKey(privateKey).build()
```
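The part the second reproduction leaves out is turning an unencrypted PEM file into a java.security.PrivateKey object. The following is an added example, not code from this issue or from the okta-sdk-java project: it generates a P-256 key with the JDK (the curve ES256 uses), writes it in the same PKCS#8 "BEGIN PRIVATE KEY" form that openssl genpkey produces without -aes-128-cbc, and loads it back with KeyFactory, falling back from EC to RSA so both key types come out as a PrivateKey. Encrypted PKCS#8 ("BEGIN ENCRYPTED PRIVATE KEY") is rejected rather than decrypted. The two Clients.builder() calls at the end are shown in comments only; they assume the com.okta.sdk.client.Clients builder and the setPrivateKey overloads used in the reporter's snippets and are not exercised here.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.interfaces.ECPrivateKey;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Arrays;
import java.util.Base64;

public class EcPrivateKeyLoader {

    // P-256 (secp256r1) is the curve behind ES256; no jjwt dependency is needed to generate it.
    static KeyPair generateP256() throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        return kpg.generateKeyPair();
    }

    // PrivateKey.getEncoded() is PKCS#8 DER for JDK keys; wrap it in the PEM that openssl genpkey writes.
    static String toPkcs8Pem(PrivateKey key) {
        byte[] newline = "\n".getBytes(StandardCharsets.US_ASCII);
        String b64 = Base64.getMimeEncoder(64, newline).encodeToString(key.getEncoded());
        return "-----BEGIN PRIVATE KEY-----\n" + b64 + "\n-----END PRIVATE KEY-----\n";
    }

    // Parses an unencrypted PKCS#8 PEM. Works for EC and RSA keys; refuses the encrypted
    // form (what -aes-128-cbc produces) and the legacy "BEGIN EC PRIVATE KEY" SEC1 form.
    static PrivateKey fromPkcs8Pem(String pem) throws GeneralSecurityException {
        if (pem.contains("BEGIN ENCRYPTED PRIVATE KEY")) {
            throw new IllegalArgumentException("encrypted PKCS#8 is not supported here; decrypt it first");
        }
        if (!pem.contains("-----BEGIN PRIVATE KEY-----")) {
            throw new IllegalArgumentException("expected an unencrypted PKCS#8 PEM (BEGIN PRIVATE KEY)");
        }
        String b64 = pem.replace("-----BEGIN PRIVATE KEY-----", "")
                        .replace("-----END PRIVATE KEY-----", "")
                        .replaceAll("\\s", "");
        PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(Base64.getDecoder().decode(b64));
        try {
            return KeyFactory.getInstance("EC").generatePrivate(spec);
        } catch (InvalidKeySpecException notEc) {
            // The PKCS#8 AlgorithmIdentifier was not EC; try RSA before giving up.
            return KeyFactory.getInstance("RSA").generatePrivate(spec);
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPair kp = generateP256();

        // Write the key the way the reporter's openssl command does, then read it back.
        Path pemFile = Files.createTempFile("ec-p256-", ".key");
        Files.writeString(pemFile, toPkcs8Pem(kp.getPrivate()));
        PrivateKey loaded = fromPkcs8Pem(Files.readString(pemFile));

        System.out.println(loaded.getAlgorithm() + " / " + loaded.getFormat());
        System.out.println("is ECPrivateKey: " + (loaded instanceof ECPrivateKey));
        System.out.println("round-trips: " + Arrays.equals(loaded.getEncoded(), kp.getPrivate().getEncoded()));

        // The two ways of handing the key to the Okta SDK builder from the report (assumed API, not run here):
        //   Clients.builder().setPrivateKey(loaded).build();              // PrivateKey object
        //   Clients.builder().setPrivateKey(pemFile.toString()).build();  // path to the unencrypted PEM

        Files.deleteIfExists(pemFile);
    }
}
```

Because both setPrivateKey paths start from the same PKCS#8 bytes, this gives a quick way to confirm that the PrivateKey object handed to the builder is the same key that works when the file path is passed instead, which narrows the failure in the report to how the builder handles an EC PrivateKey rather than to the key material itself.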