Failing to create a RS256 jwt key using jsonwebtoken

Question

Im trying to create my JWT following this tutorial: https://developer.okta.com/blog/2018/10/31/jwts-with-java but when I change the SignatureAlgorithm from HS256 to RS 256 Im getting the following error:

The signing key's algorithm 'SHA256withRSA' does not equal a valid HmacSHA* algorithm name and cannot be used with HS512.

this is the part of the code that is responsible for the Jwt:

        SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.RS256;
        byte[] apiKeySecretBytes = DatatypeConverter.parseBase64Binary(SECRET_KEY);
        Key signingKey = new SecretKeySpec(apiKeySecretBytes, signatureAlgorithm.getJcaName());

        JwtBuilder builder = Jwts.builder().setId(id)
                .setIssuedAt(now)
                .setSubject(subject)
                .setIssuer(issuer)
                .signWith(signingKey);

Im using the SECRET_KEY for example is:

My guess is that Im signing the key wrong... but Im not sure what I need to do..

k0staa · Accepted Answer

The key you are trying to use is not in PKCS#8 format that could be used using your code. You have two options.

Save your RSA key to pr_test.key file and convert it using the command openssl pkcs8 -topk8 -in pr_test.key -out pr_test_pkcs8.key -nocrypt. Then copy and paste it to your SECRET_KEY variable.You still need to modify the code a little:

        StringBuilder pkcs8Lines = new StringBuilder();
        BufferedReader rdr = new BufferedReader(new StringReader(SECRET_KEY2));
        String line;
        while ((line = rdr.readLine()) != null) {
            pkcs8Lines.append(line);
        }
        String pkcs8Pem = pkcs8Lines.toString();
        pkcs8Pem = pkcs8Pem.replace("-----BEGIN PRIVATE KEY-----", "");
        pkcs8Pem = pkcs8Pem.replace("-----END PRIVATE KEY-----", "");
        pkcs8Pem = pkcs8Pem.replaceAll("\s+","");

        byte[] valueDecoded = Base64.decodeBase64(pkcs8Pem);
        PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(valueDecoded);
        KeyFactory rsaFact = KeyFactory.getInstance("RSA");
        RSAPrivateKey key = (RSAPrivateKey) rsaFact.generatePrivate(keySpec);

        JwtBuilder builder = Jwts.builder().setId("ID")
                .setIssuedAt(new Date())
                .setSubject("Subject")
                .setIssuer("Issuer")
                .signWith(SignatureAlgorithm.RS256, key);
        return builder.compact();

Second option is to use bouncycastle library which allows you to use any type of key format:

package com.example.demo;

import io.jsonwebtoken.JwtBuilder;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import org.apache.tomcat.util.codec.binary.Base64;
import org.bouncycastle.util.io.pem.PemObject;
import org.bouncycastle.util.io.pem.PemReader;
import org.springframework.stereotype.Service;

import javax.crypto.spec.SecretKeySpec;
import javax.xml.bind.DatatypeConverter;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.StringReader;
import java.security.Key;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.interfaces.RSAPrivateKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Date;


@Service
public class JWTService {

    private static String SECRET_KEY = "-----BEGIN RSA PRIVATE KEY-----
" +
            "MIICXgIBAAKBgQCtrKVnwse4anfX+JzM7imShXZUC+QBXQ11A5bOWwHFkXc4nTfE
" +
            "Or3fJjnRSU5A3IROFU/pVVNiXJNkl7qQZK5mYb8j3NgqX8zZJG7IwLJ/Pm2sRW5Q
" +
            "j32C/uJum64Q/iEIsCg/mJjDLh1lylEMEuzKgTdWtoeLfxDBL2AJ20qXzQIDAQAB
" +
            "AoGBAKNXi0GpmjnCOPDxLFg5bvQVfhLSFCGMKQny1DVEtsfgZmbixv5R2R41T4+d
" +
            "CHJMdEsUFFJ6I7CRLTcg1SDU8IhcAWCBRSNeVuomCHlQG16ti8HxwhiwIcjvDz/z
" +
            "NC2sL5ZJ2eJnhbtXLdf6pxxO1pA5vLp1AX06IaETO977XvupAkEA+ZgtGZybyUkf
" +
            "tEA3ekXc5eLoW+zgU0C1fATWcIZ8Iq5YV1BW+3oAzf8HgIbkQh4LM2qa6An3l+vW
" +
            "NXR4wICHkwJBALIhrcdJqKw36qiyenq+m78klp5SnurQifVt0Sy1GMWyOUqYz5jK
" +
            "t9sGo9Qn6GDuYe/XGXKWQW25PkEYXxxPPx8CQQCpICyvRidp5VrOURVGjUB5pZ+9
" +
            "am02/In9V2nXJcnH1kuWHqJSFQGmlEEJHl5dTu5YEMyWnupezzd/UUThbDZxAkAz
" +
            "TNO5QxNalbf04YG4e9Bq2eSur+iog2pXzkqhb3404UDypNOUkz0jzOO9o8ieschu
" +
            "xCnGAFPTf7fYE2bAxmnNAkEA0/3bdsvJclquypqP9CQeQnxGwQtWz6+yn07gj3U1
" +
            "V19mdeKCUZWklRarrcr67u9DdEx+JowyEY/ppzgeQtW01g==
" +
            "-----END RSA PRIVATE KEY-----";


    public String generateToken() throws NoSuchAlgorithmException, InvalidKeySpecException, IOException {
        java.security.Security.addProvider(
                new org.bouncycastle.jce.provider.BouncyCastleProvider()
        );
        PemReader pemReader = new PemReader(new StringReader(SECRET_KEY));

        PemObject pemObject;
        pemObject = pemReader.readPemObject();

        KeyFactory factory = KeyFactory.getInstance("RSA");
        byte[] content = pemObject.getContent();
        PKCS8EncodedKeySpec privKeySpec = new PKCS8EncodedKeySpec(content);
        RSAPrivateKey privateKey = (RSAPrivateKey) factory.generatePrivate(privKeySpec);

        JwtBuilder builder = Jwts.builder().setId("ID")
                .setIssuedAt(new Date())
                .setSubject("Subject")
                .setIssuer("Issuer")
                .signWith(SignatureAlgorithm.RS256, privateKey);
        return builder.compact();
    }
}

build.gradle dependencies needed:

  implementation 'org.bouncycastle:bcprov-jdk15on:1.64'
  implementation 'org.bouncycastle:bcpkix-jdk15on:1.64'

Failing to create a RS256 jwt key using jsonwebtoken

Answers (1)

Related Questions