
java - 'io.jsonwebtoken.SignatureAlgorithm' is deprecated - Stack Overflow


I have the following code:

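import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.security.Keys;

import javax.crypto.SecretKey;
import java.nio.charset.StandardCharsets;
import java.util.Date;

// Placeholder secret: Keys.hmacShaKeyFor() needs at least 32 bytes (256 bits)
SecretKey key = Keys.hmacShaKeyFor("some_test_value".getBytes(StandardCharsets.UTF_8));
Jwts.builder()
    .claims(claims)
    .issuedAt(Date.from(iat))
    .signWith(key, SignatureAlgorithm.forName("HS256"))
    .compact();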

I get warning for deprecated methods:

'signWith(java.security.Key, io.jsonwebtoken.SignatureAlgorithm)' is deprecated
'io.jsonwebtoken.SignatureAlgorithm' is deprecated

I tried to migrate the code this way:

Key key = Keys.hmacShaKeyFor("some_test_value".getBytes(StandardCharsets.UTF_8));
String value = Jwts.builder()
        .claims(claims)
        .issuedAt(Date.from(iat))
        .signWith(key)
        .compact();

But as you can see I cannot set HS256 algorithm. Do you know how I can set this type of HS256 algorithm for sign key?

Do you know what is the proper way to migrate the code without breaking the functionality?


asked Feb 15 at 16:18 by Peter Penzov
  • What does the documentation say to use as an alternative? – Sotirios Delimanolis Commented Feb 15 at 16:33
  • I can't find a solution. – Peter Penzov Commented Feb 15 at 16:37
  • 1 Where did you look? Because the documentation literally says what to use as an alternative. – Sotirios Delimanolis Commented Feb 15 at 17:02
  • javadoc.io/doc/io.jsonwebtoken/jjwt-api/latest/index.html – President James K. Polk Commented Feb 15 at 17:23
  • The solution that I found is to use .signWith(key, Jwts.SIG.HS256). But I need to set this algorithm using a yml file property. How can I do this? – Peter Penzov Commented Feb 15 at 17:52

1 Answer


If you absolutely want to always use HS256 and never the 384 and 512-bit variants then do the following. Note the truncation of the 'password' to less than 47 bytes (so the bits are less than 384):

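    // Placeholder secret: substring(0, 47) needs a string of at least 47 characters
    Key key = Keys.hmacShaKeyFor("some_test_value".substring(0, 47).getBytes(StandardCharsets.UTF_8));
    // Declared but not passed to signWith(); the key length alone selects HS256 here
    SecureDigestAlgorithm<SecretKey, SecretKey> sda = Jwts.SIG.HS256;
    String value = Jwts.builder()
            .claims(claims)
            .issuedAt(Date.from(iat))
            .signWith(key)
            .compact();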

This is because Keys.hmacShaKeyFor() will always use HS256 for a key of length between 256 and 384 bits. See source code below:

public static SecretKey hmacShaKeyFor(byte[] bytes) throws WeakKeyException {

    if (bytes == null) {
        throw new InvalidKeyException("SecretKey byte array cannot be null.");
    }

    int bitLength = bytes.length * 8;

    //Purposefully ordered higher to lower to ensure the strongest key possible can be generated.
    if (bitLength >= 512) {
        return new SecretKeySpec(bytes, "HmacSHA512");
    } else if (bitLength >= 384) {
        return new SecretKeySpec(bytes, "HmacSHA384");
    } else if (bitLength >= 256) {
        return new SecretKeySpec(bytes, "HmacSHA256");
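    }
    // The rest of the method is not quoted here: a key shorter than 256 bits
    // falls through to a WeakKeyException.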
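
The follow-up in the comments asks how to take the algorithm from a yml property. One way to do that with the `Jwts.SIG` registry, as an added example that is not part of the original question or answer: the algorithm id is resolved by name and passed to `signWith(key, alg)`, so the secret does not have to be truncated to steer the choice. The class name, the `macAlgorithm` and `sign` helpers, the property name in the comment and the randomly generated stand-in secret are assumptions made for the illustration.

```java
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.security.Keys;
import io.jsonwebtoken.security.MacAlgorithm;
import io.jsonwebtoken.security.SecureDigestAlgorithm;

import javax.crypto.SecretKey;
import java.security.SecureRandom;
import java.util.Date;
import java.util.Map;

public class ConfiguredJwtSigner {  // hypothetical class name

    // Resolve a JWS algorithm id such as "HS256" and accept only HMAC algorithms,
    // so a config typo or an unexpected id fails at startup instead of at signing time.
    static MacAlgorithm macAlgorithm(String configuredName) {
        // forKey() throws IllegalArgumentException for an id that is not registered
        SecureDigestAlgorithm<?, ?> alg = Jwts.SIG.get().forKey(configuredName);
        if (!(alg instanceof MacAlgorithm)) {
            throw new IllegalArgumentException(configuredName + " is not an HMAC algorithm");
        }
        return (MacAlgorithm) alg;
    }

    static String sign(SecretKey key, MacAlgorithm alg, Map<String, Object> claims) {
        return Jwts.builder()
                .claims(claims)
                .issuedAt(new Date())
                .signWith(key, alg)  // algorithm pinned explicitly, not derived from key length
                .compact();
    }

    public static void main(String[] args) {
        // Assumption: in the application this string comes from a property such as jwt.algorithm
        String configuredName = "HS256";

        // Constructed stand-in for the configured secret: 64 random bytes.
        // With signWith(key) alone, a key this long would select HS512.
        byte[] secret = new byte[64];
        new SecureRandom().nextBytes(secret);
        SecretKey key = Keys.hmacShaKeyFor(secret);

        String token = sign(key, macAlgorithm(configuredName), Map.of("sub", "demo-user"));

        // Verify the token and read back the algorithm recorded in its header
        String headerAlg = Jwts.parser().verifyWith(key).build()
                .parseSignedClaims(token).getHeader().getAlgorithm();
        System.out.println("alg in header: " + headerAlg);
    }
}
```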