signWith for RSA512 #942

lost-jwt-users · 2024-05-13T21:17:26Z

lost-jwt-users
May 13, 2024

I'm trying to build a JWT Token using the RSA512 signing algorithm.

My first attempt was to do the following:

return Jwts.builder()
				.claims(claims)
				.subject(username)
				.issuedAt(issuedAt)
				.expiration(expiration.getTime())
				.signWith(getPrivateKey())
				.compact();

However, when I run my code, it fails with the following error:

"Unable to determine a suitable MAC or Signature algorithm for the specified key using available heuristics: either the key size is too weak to be used with available algorithms, or the key size is unavailable (e.g. if using a PKCS11 or HSM (Hardware Security Module) key storage). If you are using a PKCS11 or HSM keystore, consider using the JwtBuilder.signWith(Key, SecureDigestAlgorithm) method instead."

I think that the solution is to use a signWith method which also takes the signature algorithm like this:
.signWith(getPrivateKey(), SignatureAlgorithm.RS512)
or
.signWith(SignatureAlgorithm.RS512, getPrivateKey())
but both of those method signatures are deprecated. What is the non-deprecated way to specify the SignatureAlgorithm?

There is a method in the javadoc with a signature of signWith(K key, SecureDigestAlgorithm), but I can't find any example on google of allowed SecureDigestAlgorithm - if I try:
.signWith(getPrivateKey(), SecureDigestAlgorithm.RS512)
it doesn't even compile since there isn't any set of pre-defined algorithms inside the SecureDigestAlgorithm interface.

Any hints/tips would be appreciated. Thanks.

Answered by lhazlewood

May 13, 2024

Hi there!

The olderio.jsonwebtoken.SignatureAlgorithm enum (which is not extensible and did not allow for custom algorithm implementations) has been deprecated in favor of the newer (pluggable) io.jsonwebtoken.security.SignatureAlgorithm interface. Default (RFC-standard) implementations for that interface are available via the Jwts.SIG registry class:

https://github.com/jwtk/jjwt?tab=readme-ov-file#signaturealgorithm-override

With that, your example might look like this:

return Jwts.builder()
     .claims(claims)
    .subject(username)
    .issuedAt(issuedAt)
    .expiration(expiration.getTime())
    .signWith(getPrivateKey(), Jwts.SIG.RS512) // <---
    .compact();

I hope that helps! Fee…

View full answer

lhazlewood · 2024-05-13T21:50:46Z

lhazlewood
May 13, 2024
Maintainer

Hi there!

The olderio.jsonwebtoken.SignatureAlgorithm enum (which is not extensible and did not allow for custom algorithm implementations) has been deprecated in favor of the newer (pluggable) io.jsonwebtoken.security.SignatureAlgorithm interface. Default (RFC-standard) implementations for that interface are available via the Jwts.SIG registry class:

https://github.com/jwtk/jjwt?tab=readme-ov-file#signaturealgorithm-override

With that, your example might look like this:

return Jwts.builder()
     .claims(claims)
    .subject(username)
    .issuedAt(issuedAt)
    .expiration(expiration.getTime())
    .signWith(getPrivateKey(), Jwts.SIG.RS512) // <---
    .compact();

I hope that helps! Feel free to ask any follow-up questions :)

1 reply

lhazlewood May 15, 2024
Maintainer

Also note that we have examples in the documentation: JWT Signed with RSA

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

signWith for RSA512 #942

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 1 comment 1 reply

{{title}}

{{title}}

Select a reply

signWith for RSA512 #942

lost-jwt-users May 13, 2024

Replies: 1 comment · 1 reply

lhazlewood May 13, 2024 Maintainer

lhazlewood May 15, 2024 Maintainer

lost-jwt-users
May 13, 2024

Replies: 1 comment 1 reply

lhazlewood
May 13, 2024
Maintainer

lhazlewood May 15, 2024
Maintainer