KTOR-9352 Handle EC key type when JWK algorithm is null (#5387)

e5l · claude · Copilot · web-flow · commit a5b2eb6bbe9d · 2026-02-27T11:02:16.000Z
* KTOR-9352 Add failing test for EC JWK with null algorithm

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;

* KTOR-9352 Handle EC key type when JWK algorithm is null

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;

* Update ktor-server/ktor-server-plugins/ktor-server-auth-jwt/jvm/test/io/ktor/server/auth/jwt/JWTAuthTest.kt

Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;

* KTOR-9352 Detect EC curve when JWK algorithm is null

Infer ECDSA algorithm from the EC key's curve size (P-256, P-384, P-521)
instead of always defaulting to ECDSA256.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;

---------

Co-authored-by: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;
diff --git a/ktor-server/ktor-server-plugins/ktor-server-auth-jwt/jvm/src/io/ktor/server/auth/jwt/JWTUtils.kt b/ktor-server/ktor-server-plugins/ktor-server-auth-jwt/jvm/src/io/ktor/server/auth/jwt/JWTUtils.kt
@@ -25,7 +25,18 @@ internal fun Jwk.makeAlgorithm(): Algorithm = when (algorithm) {
     "ES256" -> Algorithm.ECDSA256(publicKey as ECPublicKey, null)
     "ES384" -> Algorithm.ECDSA384(publicKey as ECPublicKey, null)
     "ES512" -> Algorithm.ECDSA512(publicKey as ECPublicKey, null)
-    null -> Algorithm.RSA256(publicKey as RSAPublicKey, null)
+    null -> when (type) {
+        "EC" -> {
+            val ecKey = publicKey as ECPublicKey
+            when (ecKey.params.order.bitLength()) {
+                in 249..258 -> Algorithm.ECDSA256(ecKey, null)
+                in 379..388 -> Algorithm.ECDSA384(ecKey, null)
+                in 518..527 -> Algorithm.ECDSA512(ecKey, null)
+                else -> Algorithm.ECDSA256(ecKey, null)
+            }
+        }
+        else -> Algorithm.RSA256(publicKey as RSAPublicKey, null)
+    }
     else -> throw IllegalArgumentException("Unsupported algorithm $algorithm")
 }
 
diff --git a/ktor-server/ktor-server-plugins/ktor-server-auth-jwt/jvm/test/io/ktor/server/auth/jwt/JWTAuthTest.kt b/ktor-server/ktor-server-plugins/ktor-server-auth-jwt/jvm/test/io/ktor/server/auth/jwt/JWTAuthTest.kt
@@ -374,6 +374,81 @@ class JWTAuthTest {
         verifier.verify(token)
     }
 
+    @Test
+    fun `KTOR-9352 makeAlgorithm with EC key type and null algorithm`() {
+        val ecKeyPair = KeyPairGenerator.getInstance("EC").apply {
+            initialize(256, SecureRandom())
+        }.generateKeyPair()
+        val ecAlgorithm = Algorithm.ECDSA256(ecKeyPair.public as ECPublicKey, ecKeyPair.private as ECPrivateKey)
+
+        val token = JWT.create()
+            .withAudience(audience)
+            .withIssuer(issuer)
+            .withKeyId(kid)
+            .sign(ecAlgorithm)
+
+        val jwk = mockk<Jwk> {
+            every { algorithm } returns null
+            every { type } returns "EC"
+            every { publicKey } returns ecKeyPair.public
+        }
+        val provider = mockk<JwkProvider> {
+            every { this@mockk.get(kid) } returns jwk
+        }
+
+        val resolvedAlgorithm = jwk.makeAlgorithm()
+        val verifier = JWT.require(resolvedAlgorithm).withIssuer(issuer).build()
+        verifier.verify(token)
+    }
+
+    @Test
+    fun `KTOR-9352 makeAlgorithm with EC P-384 key and null algorithm`() {
+        val ecKeyPair = KeyPairGenerator.getInstance("EC").apply {
+            initialize(java.security.spec.ECGenParameterSpec("secp384r1"))
+        }.generateKeyPair()
+        val ecAlgorithm = Algorithm.ECDSA384(ecKeyPair.public as ECPublicKey, ecKeyPair.private as ECPrivateKey)
+
+        val token = JWT.create()
+            .withAudience(audience)
+            .withIssuer(issuer)
+            .withKeyId(kid)
+            .sign(ecAlgorithm)
+
+        val jwk = mockk<Jwk> {
+            every { algorithm } returns null
+            every { type } returns "EC"
+            every { publicKey } returns ecKeyPair.public
+        }
+
+        val resolvedAlgorithm = jwk.makeAlgorithm()
+        val verifier = JWT.require(resolvedAlgorithm).withIssuer(issuer).build()
+        verifier.verify(token)
+    }
+
+    @Test
+    fun `KTOR-9352 makeAlgorithm with EC P-521 key and null algorithm`() {
+        val ecKeyPair = KeyPairGenerator.getInstance("EC").apply {
+            initialize(java.security.spec.ECGenParameterSpec("secp521r1"))
+        }.generateKeyPair()
+        val ecAlgorithm = Algorithm.ECDSA512(ecKeyPair.public as ECPublicKey, ecKeyPair.private as ECPrivateKey)
+
+        val token = JWT.create()
+            .withAudience(audience)
+            .withIssuer(issuer)
+            .withKeyId(kid)
+            .sign(ecAlgorithm)
+
+        val jwk = mockk<Jwk> {
+            every { algorithm } returns null
+            every { type } returns "EC"
+            every { publicKey } returns ecKeyPair.public
+        }
+
+        val resolvedAlgorithm = jwk.makeAlgorithm()
+        val verifier = JWT.require(resolvedAlgorithm).withIssuer(issuer).build()
+        verifier.verify(token)
+    }
+
     @Test
     fun testVerifyNotProvided() = testApplication {
         configureServer {
@@ -550,6 +625,7 @@ class JWTAuthTest {
     private fun getJwkProviderNullAlgorithmMock(): JwkProvider {
         val jwk = mockk<Jwk> {
             every { algorithm } returns null
+            every { type } returns "RSA"
             every { publicKey } returns keyPair.public
         }
         return mockk {
