Jose4j up to and including version 0.9.4 throws a ClassCastException on the toJson method when running the following code on a FIPS enabled host.
If you disable FIPS on the host, this same code does not throw an error.
We tested using CentOs Stream 8, and enabled FIPS using the 'fips-mode-setup --enable' command.
RsaJsonWebKey rsaJsonWebKey = RsaJwkGenerator.generateJwk(2048);
rsaJsonWebKey.setAlgorithm("RS256");
rsaJsonWebKey.setKeyId("authServer");
rsaJsonWebKey.toJson(JsonWebKey.OutputControlLevel.INCLUDE_PRIVATE);
The offending line is org.jose4j.jwk.RsaJsonWebKey.getRsaPrivateKey(RsaJsonWebKey.java:124) which reads:
return (RSAPrivateKey) privateKey;
When FIPS is enabled, 'privateKey' is a 'sun.security.pkcs11.P11Key$P11PrivateKey'
(SunPKCS11-NSS-FIPS RSA private key, 2048 bitssession object, sensitive, extractable) and it will not cast to RSAPrivateKey
When FIPS is not enabled,
privateKey' is a 'sun.security.rsa.RSAPrivateCrtKeyImpl
(SunRsaSign RSA private CRT key, 2048 bits)
and it will cast to RSAPrivateKey
Thanks, Dmil Team
We expected to not have an exception when running with or without FIPS enabled.
Looks like jose4j's JWK functionality doesn't support outputting the parameters for RSA Private Keys when in this FIPS mode. Whether or not it should is a different/larger question. It does say 'extractable' there but I'd say that typically in a FIPS environment you don't want to be encoding your raw private key in JSON anyway. Changing that last line to
rsaJsonWebKey.toJson(JsonWebKey.OutputControlLevel.PUBLIC_ONLY)will only output the public key parameters and avoid the exception. And the private key object can be accessed usingrsaJsonWebKey.getPrivateKey().