Sandor Molnar created KNOX-3281:
-----------------------------------
Summary: DefaultTokenAuthorityService only supports RSA keys,
fails with EC-based signing keys
Key: KNOX-3281
URL: https://issues.apache.org/jira/browse/KNOX-3281
Project: Apache Knox
Issue Type: Task
Components: Server
Affects Versions: 2.1.0, 1.6.0, 2.0.0
Reporter: Sandor Molnar
Assignee: Sandor Molnar
Fix For: 3.0.0
*Description:*
The current implementation of
{{DefaultTokenAuthorityService}} (gateway-server module) assumes that signing
keys are of type {{RSAPublicKey}} / {{{}RSAPrivateKey{}}}.
During initialization, the service explicitly casts or operates on RSA key
types, which makes it incompatible with other valid key algorithms supported by
Java security APIs, such as EC (Elliptic Curve) keys.
As a result, when a non-RSA key pair (e.g., EC-based keys) is configured for
token signing, the service fails to start due to type mismatch or unsupported
key handling.
*Steps to Reproduce:*
# Configure token signing with an EC key pair (e.g., using {{ECPrivateKey}} /
{{{}ECPublicKey{}}})
# Start the Knox gateway
# Observe service initialization failure in {{DefaultTokenAuthorityService}}
*Actual Result:*
The service fails to initialize when non-RSA keys are used.
*Expected Result:*
The service should support multiple key algorithms (at least RSA and EC), as
long as they are compatible with the configured signing algorithm (e.g., JWT
signing via JCA/JCE).
*Impact:*
* Prevents users from using modern or preferred cryptographic algorithms
(e.g., EC keys)
* Limits interoperability and flexibility in security configurations
* May block deployments with stricter security/compliance requirements
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
