Unable to compute HS512 signature with JCA algorithm 'HmacSHA512' using key {class: javax.crypto.spec.SecretKeySpec, algorithm: HmacSHA512, format: RAW}: Mac callback execution failed: No installed provider supports this key: javax.crypto.spec.SecretKeySpec

[ehddbs4521]

spring version:3.2.2
jvm version:17.0.7
jjwt version:0.12.5

It worked 3days ago. but It deosn't work now...

    private final SecretKey key;

    public JwtService(@Value("${jwt.secret-key}") String secret,
                      @Value("${jwt.access-header}") String accessHeader,
                      @Value("${jwt.refresh-header}") String refreshHeader,
                      UserRepository userRepository) {
        this.accessHeader = accessHeader;
        this.refreshHeader = refreshHeader;
        this.key = Keys.hmacShaKeyFor(secret.getBytes(StandardCharsets.UTF_8));
        this.userRepository = userRepository;
    }

[bdemers]

It's difficult to what the problem is here because the example above is not reproducible (the problematic values are defined in your spring config).

That said my guess is your secret is not defined correctly, see the related section of the README:
https://github.com/jwtk/jjwt?tab=readme-ov-file#secretkey-formats

More specifically, number 3 in this post: Five Anti-Patterns with Secrets in Java

Note

This post was based on a presentation JWTs for CSRF & Microservices from @dogeared, which is also embedded in the post.

If those resources don't help, create an example that uses hard-coded values (don't use real keys), and we can point you in the right direction.

[ehddbs4521]

With Linux Command
head -c 64 /dev/urandom | base64

I stored it in spring application.yml. It created token well, but it didn't parse token and catch io.jsonwebtoken.security.SecurityException, show me "error: Unable to compute HS512 signature with JCA algorithm 'HmacSHA512' using key {class: javax.crypto.spec.SecretKeySpec, algorithm: HmacSHA512, format: RAW}: Mac callback execution failed: No installed provider supports this key: javax.crypto.spec.SecretKeySpec" log. Although I'm using the same code in other projects, but failed in this project and succeed in other projects

    private final SecretKey key;
    private final UserRepository userRepository;

    public JwtService(@Value("${jwt.secret-key}") String secret,
                      @Value("${jwt.access-header}") String accessHeader,
                      @Value("${jwt.refresh-header}") String refreshHeader,
                      UserRepository userRepository) {
        this.accessHeader = accessHeader;
        this.refreshHeader = refreshHeader;
        byte[] keyBytes = Base64.getDecoder().decode(secret.getBytes(UTF_8));
        this.key = new SecretKeySpec(keyBytes, "HmacSHA512");
        this.userRepository = userRepository;
    }
    public String generateAccessToken(String socialId) {
        long now = (new Date()).getTime();

        Date accessTokenExpiresIn = new Date(now + ACCESS_TOKEN_EXPIRE_TIME);

        return Jwts.builder()
                .setSubject(ACCESS_TOKEN_SUBJECT)
                .claim(SOCIAL_ID, socialId)
                .setExpiration(accessTokenExpiresIn)
                .signWith(key)
                .compact();
    }

    public TokenStatus isTokenValid(String token) {
        try {
            Jwts.parser()
                    .verifyWith(key)
                    .build()
                    .parseSignedClaims(token);
            return TokenStatus.SUCCESS;
        } catch (io.jsonwebtoken.security.SecurityException | MalformedJwtException e) {
            log.info("error:{}",e.getMessage());
            return TokenStatus.WRONG_SIGNATURE;
        } catch (ExpiredJwtException e) {
            return TokenStatus.EXPIRED;
        } catch (UnsupportedJwtException e) {
            return TokenStatus.UNSUPPORTED;
        } catch (IllegalArgumentException e) {
            return TokenStatus.ILLEGAL_TOKEN;
        }
    }

[bdemers]

It looks like you changed the code from your original post:

- this.key = Keys.hmacShaKeyFor(secret.getBytes(StandardCharsets.UTF_8));
+ byte[] keyBytes = Base64.getDecoder().decode(secret.getBytes(UTF_8));
+ this.key = new SecretKeySpec(keyBytes, "HmacSHA512");

Did you try something like this:

SecretKey key = Keys.hmacShaKeyFor(Decoders.BASE64.decode(secret));

Can you include your full stacktrace?

[lhazlewood]

For what it's worth, this line in the sample code is incorrect:

byte[] keyBytes = Base64.getDecoder().decode(secret.getBytes(UTF_8));

Base64 does not use the UTF-8 charset, it uses ISO-8859-1. Changing your code to the following is more correct/accurate:

byte[] keyBytes = Base64.getDecoder().decode(secret);

Also, if you want the extra length/strength assertions to guarantee that the Base64 key's decoded bytes are valid for a JWA HMAC algorithm, I would change this line:

this.key = new SecretKeySpec(keyBytes, "HmacSHA512");

to this:

this.key = Keys.hmacShaKeyFor(keyBytes);

In summary, the total changes to the class constructor would be:

byte[] keyBytes = Base64.getDecoder().decode(secret);
this.key = Keys.hmacShaKeyFor(keyBytes);

[lhazlewood]

@ehddbs4521 any update on this based on our feedback?