0

Jose4j up to and including version 0.9.4 throws a ClassCastException on the toJson method when running the following code on a FIPS enabled host. If you disable FIPS on the host, this same code does not throw an error. We tested using CentOs Stream 8, and enabled FIPS using the 'fips-mode-setup --enable' command.

RsaJsonWebKey rsaJsonWebKey = RsaJwkGenerator.generateJwk(2048);
rsaJsonWebKey.setAlgorithm("RS256");
rsaJsonWebKey.setKeyId("authServer");
rsaJsonWebKey.toJson(JsonWebKey.OutputControlLevel.INCLUDE_PRIVATE);

The offending line is org.jose4j.jwk.RsaJsonWebKey.getRsaPrivateKey(RsaJsonWebKey.java:124) which reads:

  return (RSAPrivateKey) privateKey;

When FIPS is enabled, 'privateKey' is a 'sun.security.pkcs11.P11Key$P11PrivateKey' (SunPKCS11-NSS-FIPS RSA private key, 2048 bitssession object, sensitive, extractable) and it will not cast to RSAPrivateKey

When FIPS is not enabled,

privateKey' is a 'sun.security.rsa.RSAPrivateCrtKeyImpl 
(SunRsaSign RSA private CRT key, 2048 bits)

and it will cast to RSAPrivateKey

Thanks, Dmil Team

We expected to not have an exception when running with or without FIPS enabled.

Improve this question

1 Answer 1

Reset to default
1

Looks like jose4j's JWK functionality doesn't support outputting the parameters for RSA Private Keys when in this FIPS mode. Whether or not it should is a different/larger question. It does say 'extractable' there but I'd say that typically in a FIPS environment you don't want to be encoding your raw private key in JSON anyway. Changing that last line to rsaJsonWebKey.toJson(JsonWebKey.OutputControlLevel.PUBLIC_ONLY) will only output the public key parameters and avoid the exception. And the private key object can be accessed using rsaJsonWebKey.getPrivateKey().

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.