This is an automated email from the ASF dual-hosted git repository.

jmclean pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/gravitino.git


The following commit(s) were added to refs/heads/main by this push:
     new eb4afe8cfe [#9121] fix(auth): Correct KeyFactory handling for ECDSA 
algorithms (#9141)
eb4afe8cfe is described below

commit eb4afe8cfe17d65b102f5906acf9e6d938fd4cc9
Author: Kwon Taeheon <[email protected]>
AuthorDate: Tue Nov 18 06:50:08 2025 +0900

    [#9121] fix(auth): Correct KeyFactory handling for ECDSA algorithms (#9141)
    
    ### What changes were proposed in this pull request?
    
    - Fixed incorrect KeyFactory lookup for ECDSA algorithms.
    - Updated the key generation logic to use "EC" instead of "ECDSA" when
    handling ES256/ES384/ES512 keys.
    - Refactored the branching into a dedicated generateKeyByFamilyType
    method.
    
    
    ### Why are the changes needed?
    
    - Java does not provide a KeyFactory named "ECDSA", which caused token
    validation to fail with ECDSA signatures.
    - Using "EC" resolves the issue and allows proper validation of ES256
    tokens.
    
    Fix: #9121
    
    ### Does this PR introduce _any_ user-facing change?
    - no.
    - This change only corrects the internal key-decoding logic (the
    KeyFactory algorithm-name lookup), with no modification to public APIs or
    user-visible behavior.
    
    ### How was this patch tested?
    - Verified using an ES256 token generation flow as described in the
    issue.
    - Confirmed all existing tests continue to pass.
---
 .../authentication/StaticSignKeyValidator.java     | 28 +++++++++++++++-------
 .../authentication/TestStaticSignKeyValidator.java | 25 +++++++++++++++++++
 2 files changed, 44 insertions(+), 9 deletions(-)

diff --git 
a/server-common/src/main/java/org/apache/gravitino/server/authentication/StaticSignKeyValidator.java
 
b/server-common/src/main/java/org/apache/gravitino/server/authentication/StaticSignKeyValidator.java
index c9d477ffda..0fd59b7353 100644
--- 
a/server-common/src/main/java/org/apache/gravitino/server/authentication/StaticSignKeyValidator.java
+++ 
b/server-common/src/main/java/org/apache/gravitino/server/authentication/StaticSignKeyValidator.java
@@ -112,17 +112,27 @@ public class StaticSignKeyValidator implements 
OAuthTokenValidator {
       SignatureAlgorithmFamilyType algFamilyType =
           
SignatureAlgorithmFamilyType.valueOf(SignatureAlgorithm.valueOf(algType).getFamilyName());
 
-      if (SignatureAlgorithmFamilyType.HMAC == algFamilyType) {
-        return Keys.hmacShaKeyFor(key);
-      } else if (SignatureAlgorithmFamilyType.RSA == algFamilyType
-          || SignatureAlgorithmFamilyType.ECDSA == algFamilyType) {
-        X509EncodedKeySpec spec = new X509EncodedKeySpec(key);
-        KeyFactory kf = KeyFactory.getInstance(algFamilyType.name());
-        return kf.generatePublic(spec);
-      }
+      return generateKeyByFamilyType(algFamilyType, key, algType);
     } catch (Exception e) {
       throw new IllegalArgumentException("Failed to decode key", e);
     }
-    throw new IllegalArgumentException("Unsupported signature algorithm type: 
" + algType);
+  }
+
+  private static Key generateKeyByFamilyType(
+      SignatureAlgorithmFamilyType algFamilyType, byte[] key, String algType) 
throws Exception {
+
+    switch (algFamilyType) {
+      case RSA:
+        return KeyFactory.getInstance("RSA").generatePublic(new 
X509EncodedKeySpec(key));
+
+      case ECDSA:
+        return KeyFactory.getInstance("EC").generatePublic(new 
X509EncodedKeySpec(key));
+
+      case HMAC:
+        return Keys.hmacShaKeyFor(key);
+
+      default:
+        throw new IllegalArgumentException("Unsupported signature algorithm 
type: " + algType);
+    }
   }
 }
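Review bot: The `default` branch of `generateKeyByFamilyType` now throws inside the enclosing `try` (the `try` line sits above this hunk), so an unsupported family is re-thrown by `catch (Exception e)` as `"Failed to decode key"` with the real reason buried in the cause, whereas the removed code raised `"Unsupported signature algorithm type: …"` directly after the catch; that is a small behavior change the description does not mention, and callers matching on the message will see it. If the wrapping is intended, say so in a comment on the `default` case. The `case ECDSA` line deserves a why-comment since the whole fix rests on it: `// JCA's KeyFactory algorithm name for EC keys is "EC"; "ECDSA" exists only as a Signature algorithm, so getInstance("ECDSA") fails with NoSuchAlgorithmException`. Nothing here checks that the decoded EC key's curve matches the configured ES algorithm (RFC 7518 pairs ES256/ES384/ES512 with P-256/P-384/P-521); whether the token parser rejects a mismatched key is not visible in this hunk, so a comment or an explicit check would help. Finally, `throws Exception` is wider than the two checked exceptions the body can raise; `throws NoSuchAlgorithmException, InvalidKeySpecException` documents the contract more honestly.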
diff --git 
a/server-common/src/test/java/org/apache/gravitino/server/authentication/TestStaticSignKeyValidator.java
 
b/server-common/src/test/java/org/apache/gravitino/server/authentication/TestStaticSignKeyValidator.java
index 827265612d..4ef5cda368 100644
--- 
a/server-common/src/test/java/org/apache/gravitino/server/authentication/TestStaticSignKeyValidator.java
+++ 
b/server-common/src/test/java/org/apache/gravitino/server/authentication/TestStaticSignKeyValidator.java
@@ -27,6 +27,7 @@ import io.jsonwebtoken.Jwts;
 import io.jsonwebtoken.SignatureAlgorithm;
 import io.jsonwebtoken.security.Keys;
 import java.security.Key;
+import java.security.KeyPair;
 import java.security.Principal;
 import java.time.Instant;
 import java.util.Arrays;
@@ -228,4 +229,28 @@ public class TestStaticSignKeyValidator {
     assertThrows(
         UnauthorizedException.class, () -> validator.validateToken(token, 
serviceAudience));
   }
+
+  @Test
+  public void testValidateTokenWithEcdsaSignature() {
+    KeyPair keyPair = Keys.keyPairFor(SignatureAlgorithm.ES256);
+    Map<String, String> config = createBaseConfig();
+    config.put(
+        "gravitino.authenticator.oauth.defaultSignKey",
+        Base64.getEncoder().encodeToString(keyPair.getPublic().getEncoded()));
+    config.put("gravitino.authenticator.oauth.signAlgorithmType", "ES256");
+    validator.initialize(createConfig(config));
+
+    String token =
+        Jwts.builder()
+            .setSubject("test-user")
+            .setAudience(serviceAudience)
+            .setIssuedAt(Date.from(Instant.now()))
+            .setExpiration(Date.from(Instant.now().plusSeconds(3600)))
+            .signWith(keyPair.getPrivate(), SignatureAlgorithm.ES256)
+            .compact();
+
+    Principal principal = validator.validateToken(token, serviceAudience);
+    assertNotNull(principal);
+    assertEquals("test-user", principal.getName());
+  }
 }
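Review bot: `testValidateTokenWithEcdsaSignature` only covers the accept path; a validator fix for a signature family should also prove that an ES256 token signed by a different key is rejected, otherwise a regression that makes EC verification a no-op would still pass. A sibling test can reuse this method's setup with `KeyPair otherPair = Keys.keyPairFor(SignatureAlgorithm.ES256);`, sign with `.signWith(otherPair.getPrivate(), SignatureAlgorithm.ES256)`, and finish with the existing pattern `assertThrows(UnauthorizedException.class, () -> validator.validateToken(token, serviceAudience));` shown in the context lines above. A second negative case worth adding is a token whose header `alg` is HS256 signed with the public key's encoded bytes as the HMAC secret — the classic key-confusion attack; the JWT library's key-type check is expected to reject it, but this suite does not demonstrate that.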
