diff --git a/core/src/main/java/org/keycloak/jose/jwk/JWKBuilder.java b/core/src/main/java/org/keycloak/jose/jwk/JWKBuilder.java
index 90f5b9f8d9..f320fe4754 100644
--- a/core/src/main/java/org/keycloak/jose/jwk/JWKBuilder.java
+++ b/core/src/main/java/org/keycloak/jose/jwk/JWKBuilder.java
@@ -26,13 +26,14 @@ import org.keycloak.crypto.Algorithm;
import org.keycloak.crypto.KeyType;
import org.keycloak.crypto.KeyUse;
-import java.math.BigInteger;
import java.security.Key;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
+import static org.keycloak.jose.jwk.JWKUtil.toIntegerBytes;
+
/**
* @author Stian Thorgersen
*/
@@ -113,8 +114,6 @@ public class JWKBuilder {
String kid = this.kid != null ? this.kid : KeyUtils.createKeyId(key);
int fieldSize = ecKey.getParams().getCurve().getField().getFieldSize();
- BigInteger affineX = ecKey.getW().getAffineX();
- BigInteger affineY = ecKey.getW().getAffineY();
k.setKeyId(kid);
k.setKeyType(KeyType.EC);
@@ -126,32 +125,4 @@ public class JWKBuilder {
return k;
}
-
- /**
- * Copied from org.apache.commons.codec.binary.Base64
- */
- private static byte[] toIntegerBytes(final BigInteger bigInt) {
- int bitlen = bigInt.bitLength();
- // round bitlen
- bitlen = ((bitlen + 7) >> 3) << 3;
- final byte[] bigBytes = bigInt.toByteArray();
-
- if (((bigInt.bitLength() % 8) != 0) && (((bigInt.bitLength() / 8) + 1) == (bitlen / 8))) {
- return bigBytes;
- }
- // set up params for copying everything but sign bit
- int startSrc = 0;
- int len = bigBytes.length;
-
- // if bigInt is exactly byte-aligned, just skip signbit in copy
- if ((bigInt.bitLength() % 8) == 0) {
- startSrc = 1;
- len--;
- }
- final int startDst = bitlen / 8 - len; // to pad w/ nulls as per spec
- final byte[] resizedBytes = new byte[bitlen / 8];
- System.arraycopy(bigBytes, startSrc, resizedBytes, startDst, len);
- return resizedBytes;
- }
-
}
diff --git a/core/src/main/java/org/keycloak/jose/jwk/JWKUtil.java b/core/src/main/java/org/keycloak/jose/jwk/JWKUtil.java
new file mode 100644
index 0000000000..3c929b667c
--- /dev/null
+++ b/core/src/main/java/org/keycloak/jose/jwk/JWKUtil.java
@@ -0,0 +1,52 @@
+/*
+ * Copyright 2021 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.jose.jwk;
+
+import java.math.BigInteger;
+
+public class JWKUtil {
+
+ /**
+ * Convert BigInteger to 64-byte integer array
+ *
+ * Copied from org.apache.commons.codec.binary.Base64
+ */
+ public static byte[] toIntegerBytes(final BigInteger bigInt) {
+ int bitlen = bigInt.bitLength();
+ // round bitlen
+ bitlen = ((bitlen + 7) >> 3) << 3;
+ final byte[] bigBytes = bigInt.toByteArray();
+
+ if (((bigInt.bitLength() % 8) != 0) && (((bigInt.bitLength() / 8) + 1) == (bitlen / 8))) {
+ return bigBytes;
+ }
+ // set up params for copying everything but sign bit
+ int startSrc = 0;
+ int len = bigBytes.length;
+
+ // if bigInt is exactly byte-aligned, just skip signbit in copy
+ if ((bigInt.bitLength() % 8) == 0) {
+ startSrc = 1;
+ len--;
+ }
+ final int startDst = bitlen / 8 - len; // to pad w/ nulls as per spec
+ final byte[] resizedBytes = new byte[bitlen / 8];
+ System.arraycopy(bigBytes, startSrc, resizedBytes, startDst, len);
+ return resizedBytes;
+ }
+}
diff --git a/core/src/test/java/org/keycloak/jose/jwk/JWKTest.java b/core/src/test/java/org/keycloak/jose/jwk/JWKTest.java
index 41dde853a8..e2ed5fd372 100644
--- a/core/src/test/java/org/keycloak/jose/jwk/JWKTest.java
+++ b/core/src/test/java/org/keycloak/jose/jwk/JWKTest.java
@@ -35,10 +35,15 @@ import java.security.SecureRandom;
import java.security.Security;
import java.security.Signature;
import java.security.cert.X509Certificate;
+import java.security.interfaces.ECPublicKey;
import java.security.spec.ECGenParameterSpec;
+import java.security.spec.ECPoint;
-import static org.junit.Assert.*;
-import static org.keycloak.common.util.CertificateUtils.*;
+import static org.junit.Assert.assertArrayEquals;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
+import static org.keycloak.common.util.CertificateUtils.generateV1SelfSignedCertificate;
/**
* @author Stian Thorgersen
@@ -150,8 +155,15 @@ public class JWKTest {
byte[] xBytes = Base64Url.decode(ecJwk.getX());
byte[] yBytes = Base64Url.decode(ecJwk.getY());
- assertEquals(256/8, xBytes.length);
- assertEquals(256/8, yBytes.length);
+ assertTrue(publicKey instanceof ECPublicKey);
+ ECPoint ecPoint = ((ECPublicKey) publicKey).getW();
+ assertNotNull(ecPoint);
+
+ int lengthAffineX = JWKUtil.toIntegerBytes(ecPoint.getAffineX()).length;
+ int lengthAffineY = JWKUtil.toIntegerBytes(ecPoint.getAffineY()).length;
+
+ assertEquals(lengthAffineX, xBytes.length);
+ assertEquals(lengthAffineY, yBytes.length);
String jwkJson = JsonSerialization.writeValueAsString(jwk);