Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Windows RSAPrivateKey (MSCAPI)

See original GitHub issue

Hi,

im loading a RSAPrivateKey on Windows with the following code:

KeyStore ks = KeyStore.getInstance("Windows-MY");
ks.load(null, null);
RSAPrivateKey privateKey = ks.getKey("someKeyAlias", null);

But then i get the following exception:

Exception in thread "main" java.lang.IllegalArgumentException: RSA signatures must be computed using an RSAPrivateKey.  
The specified key of type sun.security.mscapi.RSAPrivateKey is not an RSAPrivateKey.
    at io.jsonwebtoken.impl.crypto.RsaSigner.<init>(RsaSigner.java:34)
    at io.jsonwebtoken.impl.crypto.DefaultSignerFactory.createSigner(DefaultSignerFactory.java:43)
    at io.jsonwebtoken.impl.crypto.DefaultJwtSigner.<init>(DefaultJwtSigner.java:37)
    at io.jsonwebtoken.impl.crypto.DefaultJwtSigner.<init>(DefaultJwtSigner.java:32)
    at io.jsonwebtoken.impl.DefaultJwtBuilder.createSigner(DefaultJwtBuilder.java:339)
    at io.jsonwebtoken.impl.DefaultJwtBuilder.compact(DefaultJwtBuilder.java:321)

Any idea why this is not compatible?

Issue Analytics

State:
Created 7 years ago
Comments:11 (2 by maintainers)

Top GitHub Comments

1reaction

oddbjornkvalsundcommented, Jul 4, 2018

For others coming here with the same problem, I solved this by subclassing io.jsonwebtoken.impl.DefaultJwtBuilder and supplying my own io.jsonwebtoken.impl.crypto.Signer:

final DefaultJwtBuilder jwtBuilder = new DefaultJwtBuilder() {
    @Override
    protected JwtSigner createSigner(SignatureAlgorithm alg, Key key) {
        final SignerFactory signerFactory = new DefaultSignerFactory() {
            @Override
            public Signer createSigner(SignatureAlgorithm alg, Key key) {
                return bytes -> {
                    try {
                        final Signature sig = Signature.getInstance(alg.getJcaName());
                        sig.initSign((PrivateKey) key);
                        sig.update(bytes);
                        logger.info("Signed data of length {} with key: {}", bytes.length, key);
                        return sig.sign();
                    } catch (Exception e) {
                        throw new RuntimeException("Unable to sign JWT!", e);
                    }
                };
            }
        };
        return new DefaultJwtSigner(signerFactory, alg, key);
    }
};

This instance of DefaultJwtBuilder can then be used instead of Jwts.builder(). The passed-in key in my case is an instance of sun.security.mscapi.RSAPrivateKey.

Example use:

final String signedJwt = jwtBuilder
                .setClaims(claims)
                .setIssuer(myIssuer)
                .setAudience(myAudience)
                .setExpiration(new Date(System.currentTimeMillis() + 60_000))
                .signWith(SignatureAlgorithm.RS256, mySunMSCAPIKey)
                .compact();

Works like a charm in my case, but YMMV.

0reactions

Ulteriorcommented, Dec 11, 2020

Works like a charm in my case too. This needs to go to getting started section for externally stored keys - HSM

Top Results From Across the Web

Old src/windows/classes/sun/security/mscapi/RSAPrivateKey ...

24 */ 25 26 package sun.security.mscapi; 27 28 import java.security.PrivateKey; 29 30 /** 31 * The handle for an RSA private key using...

java - Supplied key (sun.security.mscapi.CPrivateKey) is not a ...

Exception in thread "main" java.security.InvalidKeyException: Supplied key (sun.security.mscapi.CPrivateKey) is not a RSAPrivateKey instance ...

Supplied key (sun.security.mscapi.RSAPrivateKey) is not a ...

I am getting bellow error while trying to execute below method can some body help me out in this. Caused by: java.security.

RSA private key can't be read by microsoft crypt api

A common mistake is to import the key in big-endian. MS CAPI require litte-endian. Another solution is to use a JCE provider implementation...

sun/security/mscapi/SignedObjectChain.java fails on Windows

JDK-8176183 : sun/security/mscapi/SignedObjectChain.java fails on Windows ... signature accepts only RSAPrivateKey if ((key instanceof sun.security.mscapi.