Tags: jwt, quarkus, smallrye

JWT Token Encryption


I am looking to encrypt my JWT token. I have gone through the Quarkus documentation and the various properties for JWT. However, I am not able to figure out what is going wrong. The basic stuff with a simple signing bit works fine,

Jwt.claims(jsonObject).sign();

Here I have set 2 properties,

mp.jwt.verify.publickey.location=publicKey.pem
smallrye.jwt.sign.key.location=privateKey.pem

For the encryption bit, according to the doc I am setting 2 additional properties,

mp.jwt.decrypt.key.location=privateKey.pem
smallrye.jwt.encrypt.key.location=publicKey.pem

And the code being used is,

Jwt.innerSignAndEncrypt(jsonObject);

When I turn on verification tracing, I am getting the following exception in the logs,

Caused by: org.jose4j.lang.InvalidKeyException: The key must not be null.
        at org.jose4j.jwx.KeyValidationSupport.notNull(KeyValidationSupport.java:72)
        at org.jose4j.jwx.KeyValidationSupport.castKey(KeyValidationSupport.java:56)
        at org.jose4j.jwe.RsaKeyManagementAlgorithm.validateDecryptionKey(RsaKeyManagementAlgorithm.java:57)
        at org.jose4j.jwe.JsonWebEncryption.createDecryptingPrimitive(JsonWebEncryption.java:225)
        at org.jose4j.jwe.JsonWebEncryption.decrypt(JsonWebEncryption.java:240)
        at org.jose4j.jwe.JsonWebEncryption.getPlaintextBytes(JsonWebEncryption.java:85)
        at org.jose4j.jwe.JsonWebEncryption.getPlaintextString(JsonWebEncryption.java:78)
        at org.jose4j.jwe.JsonWebEncryption.getPayload(JsonWebEncryption.java:93)
        at org.jose4j.jwt.consumer.JwtConsumer.process(JwtConsumer.java:366)

Not sure what key needs to be set.

Note: For testing, I am using the same RSA key pair for both signing and encryption.

Any help is greatly appreciated.

TIA


Solution

  • I posted this on Quarkus chat as well. While creating a reproducer app for them I used the latest Quarkus version 2.1.3, and there I encountered a different exception,

    Caused by: org.jose4j.lang.InvalidAlgorithmException: 'RSA-OAEP-256' is not a permitted algorithm.
    at org.jose4j.jwa.AlgorithmConstraints.checkConstraint(AlgorithmConstraints.java:80)
    

    On investigating this further, it seemed to be an issue in SmallRye where, even though the documented default algorithm is "RSA-OAEP", it's trying to default to "RSA-OAEP-256". The solution was to set the property (smallrye.jwt.decrypt.algorithm) explicitly to "RSA-OAEP-256", while they add a fix.
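As an added example (not code from the question or the answer above), this is how the producing side can pin the key-management algorithm in the builder itself, so that the JWE header and the `smallrye.jwt.decrypt.algorithm` setting on the consuming side are guaranteed to agree instead of relying on a library default. It assumes the SmallRye JWT Build API (`io.smallrye.jwt.build.Jwt`) on the classpath and an `application.properties` that points `smallrye.jwt.sign.key.location` and `mp.jwt.verify.publickey.location` at one RSA key pair and `smallrye.jwt.encrypt.key.location` and `mp.jwt.decrypt.key.location` at a second, separate key pair; the issuer URL, subject, group names and file names are placeholders.

```java
import io.smallrye.jwt.algorithm.KeyEncryptionAlgorithm;
import io.smallrye.jwt.build.Jwt;

import java.time.Instant;
import java.util.Set;

/**
 * Issues a nested JWT: the claims are signed first (JWS) and the resulting
 * compact JWS is then encrypted (JWE), which is what Jwt.innerSignAndEncrypt
 * does, but with the key-management algorithm stated explicitly.
 *
 * Assumed application.properties (placeholder file names):
 *   smallrye.jwt.sign.key.location=sign-private.pem
 *   mp.jwt.verify.publickey.location=sign-public.pem
 *   smallrye.jwt.encrypt.key.location=enc-public.pem
 *   mp.jwt.decrypt.key.location=enc-private.pem
 *   smallrye.jwt.decrypt.algorithm=RSA-OAEP-256
 */
public class EncryptedTokenIssuer {

    // Token lifetime in seconds; short-lived tokens limit the window in which
    // a leaked token is useful.
    private static final long LIFETIME_SECONDS = 15 * 60;

    public static String issue(String subject, Set<String> groups) {
        long now = Instant.now().getEpochSecond();
        return Jwt.claims()
                .issuer("https://issuer.example")          // placeholder; must match mp.jwt.verify.issuer if set
                .subject(subject)
                .groups(groups)
                .issuedAt(now)
                .expiresAt(now + LIFETIME_SECONDS)
                .innerSign()                               // JWS with the configured signing private key
                .keyAlgorithm(KeyEncryptionAlgorithm.RSA_OAEP_256) // pin "alg" in the JWE header
                .encrypt();                                // JWE with the configured encryption public key
    }

    public static void main(String[] args) {
        String token = issue("alice", Set.of("user"));
        // A JWE in compact serialization has five dot-separated parts
        // (header.encryptedKey.iv.ciphertext.tag); a plain JWS has three.
        System.out.println("parts: " + token.split("\\.").length);
        System.out.println(token);
    }
}
```

Setting the algorithm on the builder and in `smallrye.jwt.decrypt.algorithm` together is the check that catches the mismatch described in the answer: when the two disagree, jose4j rejects the token at decryption time with an `InvalidAlgorithmException` rather than silently accepting it.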