AndroidKeyStore RSA keys not able to be used for signing

[aeri-ri]

Describe the bug
Using an AndroidKeyStore keypair's private key doesn't allow signing of a jwt. I've tried using the BouncyCastle dependencies as mentioned in the main readme as well. The following is the error I get.

io.jsonwebtoken.security.SignatureException: Unable to compute PS256 signature with JCA algorithm 'RSASSA-PSS' using key {class: android.security.keystore2.AndroidKeyStoreRSAPrivateKey, algorithm: RSA, format: null}: Signature callback execution failed: No installed provider supports this key: android.security.keystore2.AndroidKeyStoreRSAPrivateKey

To Reproduce
Steps to reproduce the behavior:

1. Generate key pair using RSA with PSS for signature padding and SHA256 digest.

val kpg: KeyPairGenerator =
            KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_RSA, "AndroidKeyStore")

        val KEY_ALIAS = "example"
        kpg.initialize(

            KeyGenParameterSpec.Builder(
                KEY_ALIAS,
                KeyProperties.PURPOSE_SIGN or KeyProperties.PURPOSE_VERIFY or KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
            )
                .setDigests(KeyProperties.DIGEST_SHA256, KeyProperties.DIGEST_SHA512)
                .setSignaturePaddings(KeyProperties.SIGNATURE_PADDING_RSA_PSS)
                .setKeySize(2048)
                .build()
        )

        kpg.generateKeyPair()

2. Get key pair private and public key for use in creating a jwt.

var keyStore = KeyStore.getInstance("AndroidKeyStore").apply {
            load(null) 
        }
        var entry = keyStore.getEntry("example", null) as? KeyStore.PrivateKeyEntry
        var keyPair = KeyPair(entry?.certificate?.publicKey, entry?.privateKey)
        if (entry == null || keyPair == null) {
            try {
                generateKeys();
                keyStore = KeyStore.getInstance("AndroidKeyStore").apply {
                    load(null) 
                }
                entry = keyStore.getEntry("example", null) as? KeyStore.PrivateKeyEntry
                keyPair = KeyPair(entry?.certificate?.publicKey, entry?.privateKey)
            } catch (e: Exception) {
                //
            }
        }


        pubKey = entry?.certificate?.publicKey as RSAPublicKey
        privKey = entry?.privateKey as PrivateKey

3. Use public key and private key in creating and signing a jwt.

val jwk = Jwks.builder()
                .key(pubKey).build()
            val jws = Jwts.builder()
                .header()
                .jwk(jwk)
                .and().id(Uuid.random().toString())
                .claims()
                .add("random","example")
                .and()
                .signWith(privKey, Jwts.SIG.PS256)
                .compact()

Expected behavior
The jwt should be able to be signed with the AndroidKeyStore private key. I'm able to sign with the private key using the Signature instance in the following way:

val s = Signature.getInstance("SHA256withRSA/PSS")
                .apply {
                initSign(privKey)
                update(payload)
            }
val signature: ByteArray = s.sign()

[lhazlewood]

Hi there,

I'm not sure how the Android provider works with the JCA name SHA256withRSA/PSS - JJWT doesn't use this.

The standard/spec-compliant way JJWT does this is using the RSASSA-PSS JCA name using a PSSParameterSpec instance created as follows:

jjwt/impl/src/main/java/io/jsonwebtoken/impl/security/RsaSignatureAlgorithm.java

Lines 66 to 69 in e7f9cf2

	private static AlgorithmParameterSpec pssParamSpec(int digestBitLength) {
	MGF1ParameterSpec ps = new MGF1ParameterSpec("SHA-" + digestBitLength);
	int saltByteLength = digestBitLength / Byte.SIZE;
	return new PSSParameterSpec(ps.getDigestAlgorithm(), "MGF1", ps, saltByteLength, 1);

That said, how did you enable BouncyCastle? Did you try it as shown here: https://github.com/jwtk/jjwt#bouncy-castle ?

Also, what happens if you generate a key pair as follows?

Jwts.SIG.PS256.keyPair().build();

And then use the resulting key(s) to sign the JWS?

Another thing you can try is to enable the Android Provider instance by passing it as an argument to the Jwt builder:

Provider androidProvider = getAndroidProviderAssociatedWithMyKey(); // implement me
Jwts.builder()
    .provider(androidProvider) // <---
    // ... etc ...
    .compact()

[aeri-ri]

I tried with
Jwts.SIG.PS256.keyPair().build();
That worked. Though I won't be using the keys generated by the library, I wanted to use the keys generated by AndroidKeyStore.

I tried adding the AndroidKeyStore provider in the following way:

val keyStore: KeyStore = KeyStore.getInstance("AndroidKeyStore").apply {
       load(null) 
}
val jws = Jwts.builder().provider(keyStore.provider)
               
                .and().id(Uuid.random().toString())
                .claims()
                .add("random","example")
                .and()
                .signWith(privKey, Jwts.SIG.PS256)
                .compact()

I get the following error:

Unable to obtain 'RSASSA-PSS' Signature instance from specified 'AndroidKeyStore version 1.0' Provider: no such algorithm: RSASSA-PSS for provider AndroidKeyStore

Yes, I enabled BouncyCastle as shown in the docs:
in build.gradle.kts:

dependencies {
    ...
    runtimeOnly("org.bouncycastle:bcprov-jdk18on:1.76")
    implementation("org.bouncycastle:bcprov-jdk18on:1.76")
}

in the class that extends the Application class:

class MyApplication : Application() {
    companion object {
        ...
        init {
            Security.removeProvider("BC") //remove old/legacy Android-provided BC provider
            Security.addProvider(BouncyCastleProvider()) // add 'real'/correct BC provider
        }

    }