tl;dr
- Resource needed which ensures and shows how to use the elliptic curve called Ed25519 / Curve25519 along Spring-Boot authorization server.
Objectives
- Use of elliptic curve (EC) cryptography provided by Spring-Boot
- Use of Ed25519 / Curve25519 as it is used by 'trustworthy' organizations
- Needed for ...
- Key generation -> JWK
- Encryption (& Decryption) -> JWE
- Signing -> JWS
- Token generation -> JWT
Setup
- Java : 21
- Spring Boot : v3.2.x
- spring-security-oauth2-authorization-server : 1.2.x
Pre-Research
- Spring-Boot uses the com.nimbusds.jose library internally (Since ~2020, ~v5.1).
- Similar questions have been asked 'before 2018' (afaik)
- RSA is supported
- Elliptic Curves are supported (generally)
- Use of 'Ed25519 / Curve25519' - unknown
Still there are multiple classes that offer EC-functionality around 'Ed25519 / Curve25519'
Key generation, compatible to java.security.KeyPair
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;

static KeyPair generateEcKeyPairUsingEd25519() {
    KeyPair keyPair;
    try {
        // "Ed25519" is a standard JDK algorithm name since Java 15 (JEP 339)
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("Ed25519");
        keyPair = keyPairGenerator.generateKeyPair();
    } catch (NoSuchAlgorithmException e) {
        throw new IllegalStateException("JVM does not support Ed25519 algorithm", e);
    }
    return keyPair;
}
Interfaces are provided as well
import java.security.interfaces.EdECPrivateKey;
import java.security.interfaces.EdECPublicKey;

KeyPair ecKeyPair = generateEcKeyPairUsingEd25519();
EdECPublicKey edEcPublicKey = (EdECPublicKey) ecKeyPair.getPublic();
EdECPrivateKey edEcPrivateKey = (EdECPrivateKey) ecKeyPair.getPrivate();
Re-assuring
- Is this already too deep into the rabbit hole?
- Is Spring-Boot already using Ed25519 for JWK, JWE, JWS and JWT without me noticing?
- Is there a suitable Ed25519 / Curve25519 reference implementation?
Problem
Spring Boot : v3.2.x
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
    <version>${spring-boot.version}</version>
</dependency>
To my knowledge the com.nimbusds.jose.* library that is used supports JWK, JWE, JWS and JWT with RSA and, generally, with EC.
Keypairs as seen above can be generated, but they can - to my knowledge - not be used in the example below.
Example
import java.security.KeyPair;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.SecurityContext;
import org.springframework.context.annotation.Bean;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtEncoder;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.jwt.NimbusJwtEncoder;

@Bean
public JwtDecoder jwtDecoder() {
    KeyPair keyPair = this.getKeyPair(); // the configuration class's own RSA helper (not shown)
    RSAPublicKey rsaPublicKey = (RSAPublicKey) keyPair.getPublic();
    return NimbusJwtDecoder.withPublicKey(rsaPublicKey).build();
}

@Bean
JwtEncoder jwtEncoder() {
    KeyPair keyPair = this.getKeyPair();
    RSAPublicKey rsaPublicKey = (RSAPublicKey) keyPair.getPublic();
    RSAPrivateKey rsaPrivateKey = (RSAPrivateKey) keyPair.getPrivate();
    JWK jwk = new RSAKey.Builder(rsaPublicKey).privateKey(rsaPrivateKey).build();
    JWKSource<SecurityContext> jwks = new ImmutableJWKSet<>(new JWKSet(jwk));
    return new NimbusJwtEncoder(jwks);
}
Finally
- How to use Ed25519 / Curve25519 with SpringBoot for JWK, JWE, JWS and JWT security?
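Added example (not code from the question, nor from the Spring or Nimbus projects): it bridges the JDK Ed25519 KeyPair generated above into Nimbus's OctetKeyPair, which is the "OKP" JWK type that RFC 8037 defines for Ed25519, signs and verifies a JWT with JWSAlgorithm.EdDSA, and builds a Spring JwtDecoder from a Nimbus JWTProcessor, since NimbusJwtDecoder.withPublicKey(...) only accepts an RSAPublicKey. Assumptions: nimbus-jose-jwt 9.x with Google Tink on the classpath (Nimbus's Ed25519Signer and Ed25519Verifier delegate to Tink, which is an optional dependency), spring-security-oauth2-jose 6.x for the public NimbusJwtDecoder(JWTProcessor) constructor, and the key id, issuer and subject are constructed sample values.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.interfaces.EdECPrivateKey;
import java.security.interfaces.EdECPublicKey;
import java.time.Instant;
import java.util.Date;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.Ed25519Signer;
import com.nimbusds.jose.crypto.Ed25519Verifier;
import com.nimbusds.jose.jwk.Curve;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.OctetKeyPair;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jose.util.Base64URL;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

public class Ed25519JwtExample {

    /** JDK-side key generation, the same call the question uses. */
    static KeyPair generateJdkEd25519KeyPair() {
        try {
            return KeyPairGenerator.getInstance("Ed25519").generateKeyPair();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("JVM does not support Ed25519", e);
        }
    }

    /**
     * Bridge a JDK EdEC key pair to a Nimbus OctetKeyPair ("OKP" JWK, RFC 8037).
     * "x" is the RFC 8032 point encoding: y as 32 little-endian bytes, with the top
     * bit of the last byte set when x is odd. "d" is the raw 32-byte private seed.
     */
    static OctetKeyPair toOctetKeyPair(KeyPair keyPair, String kid) {
        EdECPublicKey pub = (EdECPublicKey) keyPair.getPublic();
        EdECPrivateKey priv = (EdECPrivateKey) keyPair.getPrivate();
        byte[] yBigEndian = pub.getPoint().getY().toByteArray(); // may carry a leading sign byte
        byte[] x = new byte[32];
        for (int i = 0; i < 32 && i < yBigEndian.length; i++) {
            x[i] = yBigEndian[yBigEndian.length - 1 - i]; // reverse to little-endian, drop sign byte
        }
        if (pub.getPoint().isXOdd()) {
            x[31] |= (byte) 0x80;
        }
        byte[] d = priv.getBytes().orElseThrow(() -> new IllegalStateException("private key not extractable"));
        return new OctetKeyPair.Builder(Curve.Ed25519, Base64URL.encode(x))
                .d(Base64URL.encode(d))
                .keyID(kid) // constructed sample key id passed in by the caller
                .build();
    }

    /** Sign a JWT with EdDSA (JWS) using the private OKP. */
    static String signJwt(OctetKeyPair privateOkp, String subject) throws JOSEException {
        JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.EdDSA).keyID(privateOkp.getKeyID()).build();
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .issuer("https://auth.example.test") // constructed sample issuer
                .subject(subject)
                .expirationTime(Date.from(Instant.now().plusSeconds(300)))
                .build();
        SignedJWT jwt = new SignedJWT(header, claims);
        jwt.sign(new Ed25519Signer(privateOkp)); // requires Tink on the classpath
        return jwt.serialize();
    }

    /** Verify the signature with the public half only (no "d" present). */
    static boolean verifyJwt(String token, OctetKeyPair publicOkp) throws Exception {
        SignedJWT jwt = SignedJWT.parse(token);
        return jwt.verify(new Ed25519Verifier(publicOkp));
    }

    /**
     * Spring Security JwtDecoder for EdDSA tokens. withPublicKey(...) is RSA-only, so a
     * Nimbus JWTProcessor that selects OKP keys for alg=EdDSA is handed to NimbusJwtDecoder.
     */
    static JwtDecoder eddsaJwtDecoder(OctetKeyPair publicOkp) {
        JWKSource<SecurityContext> jwkSource = new ImmutableJWKSet<>(new JWKSet(publicOkp));
        DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
        processor.setJWSKeySelector(new JWSVerificationKeySelector<>(JWSAlgorithm.EdDSA, jwkSource));
        return new NimbusJwtDecoder(processor);
    }

    public static void main(String[] args) throws Exception {
        OctetKeyPair okp = toOctetKeyPair(generateJdkEd25519KeyPair(), "ed25519-sample-kid");
        String token = signJwt(okp, "alice");
        System.out.println("public JWK: " + okp.toPublicJWK().toJSONString());
        System.out.println("JWT: " + token);
        System.out.println("Nimbus verify: " + verifyJwt(token, okp.toPublicJWK()));
        System.out.println("Spring decode sub: " + eddsaJwtDecoder(okp.toPublicJWK()).decode(token).getSubject());
    }
}
```

Two points worth checking in your own setup: publish only okp.toPublicJWK() on the JWK Set endpoint, since the full OctetKeyPair carries "d"; and note that Ed25519 covers JWS/JWT (signing) only, because JWE key agreement on this curve family uses X25519 (ECDH-ES with an OKP "X25519" key), not Ed25519.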
You could apply the integration by adding a configuration for
Ed25519 and generate KeyPairs and integrate with beans. I remember there was a risk with NullPointerExceptions, but I could not find the resource now.