Details
- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 3.1.7
- Component/s: JAX-RS Security
- Labels: None
- Estimated Complexity: Unknown
Description
When an RSA private key is converted to a JWK and stored in a JSON Web Keys file using the following code:
import test.CryptoUtils; // loads an RSA private key from file
import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
import org.apache.cxf.rs.security.jose.jwk.JsonWebKeys;
import org.apache.cxf.rs.security.jose.jwk.JwkUtils;

import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.file.Paths;
import java.security.interfaces.RSAPrivateKey;

public class JwkCreator {
    public static void main(String[] args) throws IOException {
        // Load the private key and convert it to a JWK
        final RSAPrivateKey privateKey = CryptoUtils.loadRsaPrivateKey(Paths.get("private-key.der"));
        final JsonWebKey jwk = JwkUtils.fromRSAPrivateKey(privateKey, "RSA-OAEP-256");
        jwk.setKeyId("test");
        final JsonWebKeys webKeys = new JsonWebKeys(jwk);
        // Write the key set to jwk.json, closing the stream when done
        try (FileOutputStream out = new FileOutputStream("jwk.json")) {
            JwkUtils.jwkSetToJson(webKeys, out);
        }
    }
}
The generated file does not have an RSA_PUBLIC_EXP (i.e. the `e`) property:
{
  "keys": [
    {
      "kty": "RSA",
      "alg": "RSA-OAEP-256",
      "n": "...",
      "d": "...",
      "p": "...",
      "q": "...",
      "dp": "...",
      "dq": "...",
      "qi": "...",
      "kid": "test"
    }
  ]
}
Consequently, when trying to use JwkUtils.toRSAPrivateKey to convert the JWK to a private key, a NullPointerException is thrown due to the following statement in JwkUtils.java:
return CryptoUtils.getRSAPrivateKey(encodedModulus,
                                    encodedPublicExponent,
                                    encodedPrivateExponent,
                                    encodedPrimeP,
                                    encodedPrimeQ,
                                    encodedPrimeExpP,
                                    encodedPrimeExpQ,
                                    encodedCrtCoefficient);
which in turn calls CryptoUtils.decodeSequence(encodedPublicExponent) on a null value.
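The member set in the jwk.json above can be checked before any conversion is attempted. The following is an added example, not part of the original report and not CXF code: it uses only the JDK, the names JwkRsaCheck, toJwkMembers and missingMembers are hypothetical, and it goes slightly beyond the reported case by also enforcing the RFC 7518 rule that the CRT members are all-or-nothing.

```java
import java.math.BigInteger;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateCrtKey;
import java.util.*;

// Added illustration using only the JDK; class and method names are hypothetical, not CXF's.
public class JwkRsaCheck {
    // RFC 7518 section 6.3: "n" and "e" are required in every RSA JWK, "d" in a private one.
    static final List<String> REQUIRED = Arrays.asList("n", "e", "d");
    // CRT members are optional, but if one is present all of them must be.
    static final List<String> CRT = Arrays.asList("p", "q", "dp", "dq", "qi");

    // Base64url of the unsigned big-endian value (drops BigInteger's leading sign byte).
    static String b64(BigInteger v) {
        byte[] b = v.toByteArray();
        int off = (b.length > 1 && b[0] == 0) ? 1 : 0;
        return Base64.getUrlEncoder().withoutPadding().encodeToString(Arrays.copyOfRange(b, off, b.length));
    }

    // Every member a CRT private key can supply, including the public exponent "e".
    static Map<String, String> toJwkMembers(RSAPrivateCrtKey k) {
        Map<String, String> m = new LinkedHashMap<>();
        m.put("kty", "RSA");
        m.put("n", b64(k.getModulus()));
        m.put("e", b64(k.getPublicExponent()));
        m.put("d", b64(k.getPrivateExponent()));
        m.put("p", b64(k.getPrimeP()));
        m.put("q", b64(k.getPrimeQ()));
        m.put("dp", b64(k.getPrimeExponentP()));
        m.put("dq", b64(k.getPrimeExponentQ()));
        m.put("qi", b64(k.getCrtCoefficient()));
        return m;
    }

    // Names of members that must be present but are not; empty means the required set is complete.
    static List<String> missingMembers(Map<String, String> jwk) {
        List<String> missing = new ArrayList<>();
        boolean anyCrt = CRT.stream().anyMatch(jwk::containsKey);
        for (String name : REQUIRED) if (!jwk.containsKey(name)) missing.add(name);
        for (String name : CRT) if (anyCrt && !jwk.containsKey(name)) missing.add(name);
        return missing;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        RSAPrivateCrtKey key = (RSAPrivateCrtKey) gen.generateKeyPair().getPrivate(); // constructed sample key
        Map<String, String> jwk = toJwkMembers(key);
        System.out.println("complete JWK, missing: " + missingMembers(jwk));
        jwk.remove("e"); // same member set as the jwk.json in the report
        System.out.println("without e, missing:   " + missingMembers(jwk));
    }
}
```

Running a check like this on a parsed key set before key conversion turns the missing `e` into an explicit validation error instead of a NullPointerException deep inside decoding.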