
The JWT is signed with RS256, and I am using jose4j to verify the JWT signature. In one user environment, which I do not have access to, it generates this unexpected exception:

org.jose4j.lang.InvalidAlgorithmException: RS256 is an unknown, unsupported or unavailable alg algorithm (not one of [RSA1_5, RSA-OAEP, RSA-OAEP-256, dir, A128KW, A192KW, A256KW, ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW, PBES2-HS256+A128KW, PBES2-HS384+A192KW, PBES2-HS512+A256KW, A128GCMKW, A192GCMKW, A256GCMKW])

Looks like the signature algorithm is incorrectly validated against the key encryption algorithms. Note that my code only does signature validation, and does not have any logic for decryption/encryption. This only happens in one user environment, and I cannot access or recreate it locally.

Has anyone ever seen such a problem, or can anyone give me a hint on how to debug it?

sheldonzy
Chunlong
  • It turns out the problem is in the received token content. An unencrypted JWT has three parts, "p1.p2.p3". The token I received is "p1.p2.p3 p1.p2.p3", which becomes an encrypted JWT. – Chunlong Oct 25 '17 at 16:03
  • https://stackoverflow.com/questions/37741142/how-to-install-unlimited-strength-jce-for-java-8-in-os-x/45055461 – Rakesh Soni Oct 07 '20 at 10:37

2 Answers


The JwtConsumer looks at the JWT string it is processing and attempts to determine whether it's a JWS or JWE based on the format. JWSs have three segments separated by two period ('.') characters like <header>.<payload>.<signature> while JWEs have five segments separated by four period ('.') characters like <header>.<encrypted-key>.<IV>.<ciphertext>.<authentication-tag>.

It would appear that you've somehow gotten a malformed JWT that has a JWS header but five encoded segments separated by four period characters. The JwtConsumer will first see the structure with four dots and attempt to process it as a JWE. Then it fails when it sees a non-JWE alg header value. I have no idea how the JWT might have gotten malformed like that, but that's almost certainly what the error message means.

Brian Campbell
  • Thanks Brian! That is exactly what happens here. The received unencrypted JWT is supposed to be like "p1.p2.p3". The token I received is "p1.p2.p3 p1.p2.p3", which becomes an encrypted JWT. – Chunlong Oct 25 '17 at 17:51
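To make the structural decision Brian describes concrete, here is an added Python diagnostic (not jose4j code and not part of the original answer) that counts the compact-serialization segments, reads the header alg, and reports when the alg and the segment structure disagree, as they do for the doubled "p1.p2.p3 p1.p2.p3" token. The sample token is constructed with a dummy signature segment.

```python
import base64
import json

# "alg" values for JWS (signature) vs JWE (key management) from the JWA registry;
# the JWE set is the list printed in the jose4j exception above ("none" is left out on purpose).
JWS_ALGS = {"HS256", "HS384", "HS512", "RS256", "RS384", "RS512",
            "ES256", "ES384", "ES512", "PS256", "PS384", "PS512"}
JWE_ALGS = {"RSA1_5", "RSA-OAEP", "RSA-OAEP-256", "dir", "A128KW", "A192KW", "A256KW",
            "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW",
            "PBES2-HS256+A128KW", "PBES2-HS384+A192KW", "PBES2-HS512+A256KW",
            "A128GCMKW", "A192GCMKW", "A256GCMKW"}

def b64url_encode(obj) -> str:
    # Compact serialization uses unpadded base64url over the JSON header/payload.
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def classify_compact_token(token: str) -> dict:
    """Replicate the structural decision: the segment count picks JWS vs JWE, then the
    header 'alg' must agree with that structure. Returns a diagnostic dict."""
    problems = []
    if any(c.isspace() for c in token):
        problems.append("whitespace inside token (possibly two tokens concatenated)")
    segments = token.split(".")
    structure = {3: "JWS", 5: "JWE"}.get(len(segments), "invalid")
    if structure == "invalid":
        problems.append(f"{len(segments)} segments; expected 3 (JWS) or 5 (JWE)")
    try:
        header = json.loads(b64url_decode(segments[0]))
        alg = header.get("alg") if isinstance(header, dict) else None
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        alg = None
        problems.append("header segment is not base64url-encoded JSON")
    if alg in JWS_ALGS and structure == "JWE":
        problems.append(f"alg {alg} is a JWS algorithm but the token has JWE structure")
    elif alg in JWE_ALGS and structure == "JWS":
        problems.append(f"alg {alg} is a JWE algorithm but the token has JWS structure")
    elif alg is not None and alg not in JWS_ALGS | JWE_ALGS:
        problems.append(f"unknown alg {alg}")
    return {"structure": structure, "alg": alg, "problems": problems}

def sample_jws(alg: str = "RS256") -> str:
    # Constructed sample: a JWS-shaped token with a dummy signature segment, enough to
    # exercise the structural check (it is not a validly signed token).
    return f"{b64url_encode({'alg': alg, 'typ': 'JWT'})}.{b64url_encode({'sub': 'user'})}.sig"
```

Running classify_compact_token on sample_jws() reports a clean JWS; running it on sample_jws() + " " + sample_jws() reports JWE structure with an RS256 header, which is the mismatch behind the exception in the question.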

I had this error because I did not have the JCE (Java Cryptography Extension) in my JDK. (I assume many people google this question because of the same issue.) Here you can find how to install it on MacOS.

Reynard