I ported working Java code for authenticating JWTs signed with an Elliptic Curve Digital Signature (ECDSA) with SHA-2 (ES256) private key.

The following exception, if I understand it correctly, suggests that the underlying runtime platform does not support ES256.

I'm surprised because AWS Lambda runs on a recent Java 8 OpenJDK and I thought the cryptography was pre-installed.

What am I missing?

Is this a bug in JOSE4J? A limitation of the AWS Lambda infrastructure?

Caused by: org.jose4j.lang.UnresolvableKeyException: Unable to find a suitable verification key for JWS w/ header {"kid":"staging_0","alg":"ES256"} due to an unexpected exception (org.jose4j.lang.InvalidAlgorithmException: ES256 is an unknown, unsupported or unavailable alg algorithm (not one of [none, HS256, HS384, HS512, RS256, RS384, RS512]).) selecting from keys: [org.jose4j.jwk.EllipticCurveJsonWebKey{kty=EC, kid=staging_0, x=jz84fmrLuG5T9cnT-ydQdGjqk2iX2PsVYIcABTkXiqc, y=6oGYrjWEjhUSea5q7izitbcp5o7QlkArnm49OA0cPlI, crv=P-256}, org.jose4j.jwk.EllipticCurveJsonWebKey{kty=EC, kid=prod_0, x=cd5u73HnAueI1mgjuk9JSvU0ekonRCafffwaG-_D5VM, y=QjOMm1fqw3Aevkzzd-RVmlcmGMwPS9uajFN4nLnTwFc, crv=P-256}]
at org.jose4j.keys.resolvers.JwksVerificationKeyResolver.resolveKey(JwksVerificationKeyResolver.java:54)
at org.jose4j.jwt.consumer.JwtConsumer.processContext(JwtConsumer.java:190)
... 6 more
Caused by: org.jose4j.lang.InvalidAlgorithmException: ES256 is an unknown, unsupported or unavailable alg algorithm (not one of [none, HS256, HS384, HS512, RS256, RS384, RS512]).
at org.jose4j.jwa.AlgorithmFactory.getAlgorithm(AlgorithmFactory.java:51)
at org.jose4j.jws.JsonWebSignature.getAlgorithm(JsonWebSignature.java:142)
at org.jose4j.jws.JsonWebSignature.getAlgorithm(JsonWebSignature.java:35)
at org.jose4j.jwk.SelectorSupport.commonFilterForInbound(SelectorSupport.java:49)
at org.jose4j.jwk.VerificationJwkSelector.selectList(VerificationJwkSelector.java:39)
at org.jose4j.jwk.VerificationJwkSelector.select(VerificationJwkSelector.java:33)
at org.jose4j.keys.resolvers.JwksVerificationKeyResolver.resolveKey(JwksVerificationKeyResolver.java:47)
... 7 more
Laurent Petit

1 Answer

When jose4j initializes its AlgorithmFactory(s), basically on first use, it attempts to interrogate the underlying JVM with its JCA providers to determine availability of the various algorithms. The exception message suggests that the ECDSA algorithms weren't available from the platform - specifically for ES256, Signature.getInstance("SHA256withECDSA") returned null or something else didn't go right getting the Signature instance. So, it seems like ECDSA isn't available on AWS Lambda's Java.

Brian Campbell
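To check this diagnosis on the runtime itself, the following added example (not code from the original post or from jose4j) lists the installed JCA providers, asks the JVM for the Signature algorithms behind ES256, ES384 and ES512, and then runs a P-256 sign/verify round trip. The class name EcdsaProbe and the test message are made up for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.ECGenParameterSpec;
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical diagnostic class: run it inside the same runtime that throws the exception.
public class EcdsaProbe {
    // JWS "alg" value -> JCA Signature algorithm name (RFC 7518, section 3.4)
    static final Map<String, String> JWS_TO_JCA = new LinkedHashMap<>();
    static {
        JWS_TO_JCA.put("ES256", "SHA256withECDSA");
        JWS_TO_JCA.put("ES384", "SHA384withECDSA");
        JWS_TO_JCA.put("ES512", "SHA512withECDSA");
    }

    public static void main(String[] args) {
        System.out.println("java.version = " + System.getProperty("java.version"));
        // Which security providers did this JVM actually load?
        for (Provider p : Security.getProviders()) {
            System.out.println("provider: " + p.getName() + " (" + p.getInfo() + ")");
        }
        // Ask for each ECDSA signature algorithm and report who supplies it.
        for (Map.Entry<String, String> e : JWS_TO_JCA.entrySet()) {
            try {
                Signature s = Signature.getInstance(e.getValue());
                System.out.println(e.getKey() + " available via " + s.getProvider().getName());
            } catch (NoSuchAlgorithmException ex) {
                System.out.println(e.getKey() + " UNAVAILABLE: " + ex.getMessage());
            }
        }
        // An algorithm name can resolve while the curve is still unusable,
        // so sign and verify a constructed message on P-256 (secp256r1).
        try {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
            kpg.initialize(new ECGenParameterSpec("secp256r1"));
            KeyPair kp = kpg.generateKeyPair();
            byte[] msg = "constructed test input".getBytes(StandardCharsets.UTF_8);
            Signature signer = Signature.getInstance("SHA256withECDSA");
            signer.initSign(kp.getPrivate());
            signer.update(msg);
            byte[] sig = signer.sign();
            Signature verifier = Signature.getInstance("SHA256withECDSA");
            verifier.initVerify(kp.getPublic());
            verifier.update(msg);
            System.out.println("P-256 round trip verified: " + verifier.verify(sig));
        } catch (GeneralSecurityException ex) {
            System.out.println("P-256 round trip FAILED: " + ex);
        }
    }
}
```

If every ES* line reports UNAVAILABLE and no listed provider offers EC, the limitation is in the runtime's provider set rather than in the JWT library's key selection.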