Skip to main content
Ben Nadel at CFCamp 2023 (Freising, Germany) with: Evagoras Charalambous
Ben Nadel at CFCamp 2023 (Freising, Germany) with: Evagoras Charalambous

java.security.InvalidKeyException: IOException : Short read of DER length

By
Published in

Yesterday, I lost an hour of work trying to debug a less-than-helpful Java error message. When I Googled for the error, the only result that came up was the actual Java source code. As such, I wanted to document this error message in case others come across it. The error message:

java.security.InvalidKeyException: IOException : Short read of DER length

This error wasn't related to the part of the code that I was working on, so it wasn't immediately apparent what was going wrong. The line of code in question was attempting to generate an RSA signature using a private key that was being pulled out of the environmental variables. It was only after logging out the environmental variables that I realized the private key was empty in my local development environment.

Once I saw that my private key was empty, the "short read" kinda sorta maybe makes sense. But, it is definitely a poorly worded error message - one that could easily be improved to be more insightful.

Anyway, here's some sample code that demonstrates the RSA signing error:

<cfscript>

	// CAUTION: Notice that I am passing in "" as the private key!!
	generateRsaSignature( "SHA256withRSA", "", "There's something about you that sticks." );

	// ------------------------------------------------------------------------------- //
	// ------------------------------------------------------------------------------- //

	/**
	* I generate an RSA signature for the given message using the given algorithm and key.
	*
	* CAUTION: Not all algorithms are supported - it depends on how many security
	* providers you have installed in your Java runtime environment.
	*
	* @algorithm I am the signing algorithm (ex, MD5withRSA, SHA256withRSA).
	* @key I am the plain-text private key used to sign the message.
	* @message I am the plain-text message being signed.
	* @output false
	*/
	public string function generateRsaSignature(
		required string algorithm,
		required string key,
		required string message
		) {

		var keySpec = createObject( "java", "java.security.spec.PKCS8EncodedKeySpec" )
			.init( binaryDecode( key, "base64" ) )
		;

		var keyFactory = createObject( "java", "java.security.KeyFactory" )
			.getInstance( javaCast( "string", "RSA" ) )
		;

		var privateKey = keyFactory.generatePrivate( keySpec );

		var signature = createObject( "java", "java.security.Signature" )
			.getInstance( javaCast( "string", algorithm ) )
		;

		signature.initSign( privateKey );
		signature.update( charsetDecode( message, "utf-8" ) );

		return( lcase( binaryEncode( signature.sign(), "base64" ) ) );

	}

</cfscript>

As you can see, I'm passing-in an empty-string for the private key value, which will generate the InvalidKeyException IO error mentioned above.

If you are interested in generting and verifying RSA signatures in ColdFusion, I played around with a ColdFusion Component (CFC) that encapsulates the ceremony of creating the intermediary Java objects.

Want to use code from this post? Check out the license.

Short link: https://bennadel.com/3224

Reader Comments

Oh my chickens, this post is old!
I believe in love. I believe in compassion. I believe in human rights. I believe that we can afford to give more of these gifts to the world around us because it costs us nothing to be decent and kind and understanding. And, I want you to know that when you land on this site, you are accepted for who you are, no matter how you identify, what truths you live, or whatever kind of goofy shit makes you feel alive! Rock on with your bad self!
Ben Nadel