Skip to main content
Ben Nadel
On User Experience (UX) Design, JavaScript, ColdFusion, Node.js, Life, and Love.

java.security.InvalidKeyException: IOException : Short read of DER length

By Ben Nadel on
Tags: ColdFusion

Yesterday, I lost an hour of work trying to debug a less-than-helpful Java error message. When I Googled for the error, the only result that came up was the actual Java source code. As such, I wanted to document this error message in case others come across it. The error message:

java.security.InvalidKeyException: IOException : Short read of DER length

This error wasn't related to the part of the code that I was working on, so it wasn't immediately apparent what was going wrong. The line of code in question was attempting to generate an RSA signature using a private key that was being pulled out of the environmental variables. It was only after logging out the environmental variables that I realized the private key was empty in my local development environment.

Once I saw that my private key was empty, the "short read" kinda sorta maybe makes sense. But, it is definitely a poorly worded error message - one that could easily be improved to be more insightful.

Anyway, here's some sample code that demonstrates the RSA signing error:

<cfscript>

	// CAUTION: Notice that I am passing in "" as the private key!!
	generateRsaSignature( "SHA256withRSA", "", "There's something about you that sticks." );

	// ------------------------------------------------------------------------------- //
	// ------------------------------------------------------------------------------- //

	/**
	* I generate an RSA signature for the given message using the given algorithm and key.
	*
	* CAUTION: Not all algorithms are supported - it depends on how many security
	* providers you have installed in your Java runtime environment.
	*
	* @algorithm I am the signing algorithm (ex, MD5withRSA, SHA256withRSA).
	* @key I am the plain-text private key used to sign the message.
	* @message I am the plain-text message being signed.
	* @output false
	*/
	public string function generateRsaSignature(
		required string algorithm,
		required string key,
		required string message
		) {

		var keySpec = createObject( "java", "java.security.spec.PKCS8EncodedKeySpec" )
			.init( binaryDecode( key, "base64" ) )
		;

		var keyFactory = createObject( "java", "java.security.KeyFactory" )
			.getInstance( javaCast( "string", "RSA" ) )
		;

		var privateKey = keyFactory.generatePrivate( keySpec );

		var signature = createObject( "java", "java.security.Signature" )
			.getInstance( javaCast( "string", algorithm ) )
		;

		signature.initSign( privateKey );
		signature.update( charsetDecode( message, "utf-8" ) );

		return( lcase( binaryEncode( signature.sign(), "base64" ) ) );

	}

</cfscript>

As you can see, I'm passing-in an empty-string for the private key value, which will generate the InvalidKeyException IO error mentioned above.

If you are interested in generting and verifying RSA signatures in ColdFusion, I played around with a ColdFusion Component (CFC) that encapsulates the ceremony of creating the intermediary Java objects.



Reader Comments