[
https://issues.apache.org/jira/browse/KNOX-3281?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sandor Molnar reassigned KNOX-3281:
-----------------------------------
Assignee: (was: Sandor Molnar)
> DefaultTokenAuthorityService only supports RSA keys, fails with EC-based
> signing keys
> -------------------------------------------------------------------------------------
>
> Key: KNOX-3281
> URL: https://issues.apache.org/jira/browse/KNOX-3281
> Project: Apache Knox
> Issue Type: Task
> Components: Server
> Affects Versions: 2.0.0, 1.6.0, 2.1.0
> Reporter: Sandor Molnar
> Priority: Critical
> Fix For: 3.0.0
>
>
> *Description:*
> The current implementation of
> {{DefaultTokenAuthorityService}} (gateway-server module) assumes that signing
> keys are of type {{RSAPublicKey}} / {{RSAPrivateKey}}.
> During initialization, the service explicitly casts or operates on RSA key
> types, which makes it incompatible with other valid key algorithms supported
> by Java security APIs, such as EC (Elliptic Curve) keys.
> As a result, when a non-RSA key pair (e.g., EC-based keys) is configured for
> token signing, the service fails to start due to type mismatch or unsupported
> key handling.
> *Steps to Reproduce:*
> # Configure token signing with an EC key pair (e.g., using {{ECPrivateKey}}
> / {{ECPublicKey}})
> # Start the Knox gateway
> # Observe service initialization failure in {{DefaultTokenAuthorityService}}
> *Actual Result:*
> The service fails to initialize when non-RSA keys are used.
> *Expected Result:*
> The service should support multiple key algorithms (at least RSA and EC), as
> long as they are compatible with the configured signing algorithm (e.g., JWT
> signing via JCA/JCE).
> *Impact:*
> * Prevents users from using modern or preferred cryptographic algorithms
> (e.g., EC keys)
> * Limits interoperability and flexibility in security configurations
> * May block deployments with stricter security/compliance requirements
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
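The RSA-only assumption the issue describes, beside an algorithm-agnostic way of picking the JCA signature algorithm from the key itself, as an added example; this is not Knox's DefaultTokenAuthorityService source, and the class and method names are assumptions.

```java
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.interfaces.RSAPrivateKey;

public class SigningKeyExample {
    // The pattern the issue describes: the signing code assumes RSA and casts,
    // so an EC key configured for token signing fails with a ClassCastException.
    static byte[] signAssumingRsa(PrivateKey key, byte[] payload) throws Exception {
        RSAPrivateKey rsaKey = (RSAPrivateKey) key; // throws for an ECPrivateKey
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(rsaKey);
        sig.update(payload);
        return sig.sign();
    }
    // Algorithm-agnostic alternative: choose the JCA signature algorithm from the
    // key's own algorithm name and stay on the PrivateKey/PublicKey interfaces.
    static String signatureAlgorithmFor(Key key) {
        switch (key.getAlgorithm()) {
            case "RSA": return "SHA256withRSA";   // JWT RS256
            case "EC":  return "SHA256withECDSA"; // JWT ES256
            default: throw new IllegalArgumentException("Unsupported key algorithm: " + key.getAlgorithm());
        }
    }
    static byte[] sign(PrivateKey key, byte[] payload) throws Exception {
        Signature sig = Signature.getInstance(signatureAlgorithmFor(key));
        sig.initSign(key);
        sig.update(payload);
        return sig.sign();
    }
    static boolean verify(PublicKey key, byte[] payload, byte[] signature) throws Exception {
        Signature sig = Signature.getInstance(signatureAlgorithmFor(key));
        sig.initVerify(key);
        sig.update(payload);
        return sig.verify(signature);
    }
    public static void main(String[] args) throws Exception {
        byte[] payload = "constructed signing input".getBytes(java.nio.charset.StandardCharsets.UTF_8);
        KeyPairGenerator gen = KeyPairGenerator.getInstance("EC"); // constructed P-256 key pair
        gen.initialize(256);
        KeyPair ec = gen.generateKeyPair();
        try { signAssumingRsa(ec.getPrivate(), payload); }
        catch (ClassCastException e) { System.out.println("RSA-only path fails: " + e.getMessage()); }
        byte[] sig = sign(ec.getPrivate(), payload);
        System.out.println("EC signature verifies: " + verify(ec.getPublic(), payload, sig));
    }
}
```

The same selection logic applies at service initialization: validating `getAlgorithm()` against the configured JWT algorithm up front gives a clear configuration error instead of a cast failure.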