3 files changed, 30 insertions, 6 deletions

diff --git a/java_src/src/test/java/com/google/crypto/tink/jwt/BUILD.bazel b/java_src/src/test/java/com/google/crypto/tink/jwt/BUILD.bazel
index 58d80f6a0..2981f1583 100644
--- a/java_src/src/test/java/com/google/crypto/tink/jwt/BUILD.bazel
+++ b/java_src/src/test/java/com/google/crypto/tink/jwt/BUILD.bazel
@@ -182,6 +182,7 @@ java_test(
         "//proto:jwt_rsa_ssa_pkcs1_java_proto",
         "//proto:tink_java_proto",
         "//src/main/java/com/google/crypto/tink:cleartext_keyset_handle",
+        "//src/main/java/com/google/crypto/tink:key",
         "//src/main/java/com/google/crypto/tink:key_template",
         "//src/main/java/com/google/crypto/tink:key_templates",
         "//src/main/java/com/google/crypto/tink:registry_cluster",
@@ -193,6 +194,8 @@ java_test(
         "//src/main/java/com/google/crypto/tink/jwt:jwt_public_key_sign",
         "//src/main/java/com/google/crypto/tink/jwt:jwt_public_key_sign_internal",
         "//src/main/java/com/google/crypto/tink/jwt:jwt_public_key_verify",
+        "//src/main/java/com/google/crypto/tink/jwt:jwt_rsa_ssa_pkcs1_parameters",
+        "//src/main/java/com/google/crypto/tink/jwt:jwt_rsa_ssa_pkcs1_private_key",
         "//src/main/java/com/google/crypto/tink/jwt:jwt_rsa_ssa_pkcs1_sign_key_manager",
         "//src/main/java/com/google/crypto/tink/jwt:jwt_rsa_ssa_pkcs1_verify_key_manager",
         "//src/main/java/com/google/crypto/tink/jwt:jwt_signature_config",
diff --git a/java_src/src/test/java/com/google/crypto/tink/jwt/JwkSetConverterTest.java b/java_src/src/test/java/com/google/crypto/tink/jwt/JwkSetConverterTest.java
index 7e310a1c5..6c55a5417 100644
--- a/java_src/src/test/java/com/google/crypto/tink/jwt/JwkSetConverterTest.java
+++ b/java_src/src/test/java/com/google/crypto/tink/jwt/JwkSetConverterTest.java
@@ -940,9 +940,8 @@ public final class JwkSetConverterTest {
         "{\"keys\":[{\"kty\":\"RSA\","
             + "\"n\":\"AAAwOQ\","
             + "\"e\":\"AQAB\",\"use\":\"sig\",\"alg\":\"RS256\",\"key_ops\":[\"verify\"]}]}";
-    KeysetHandle handle = JwkSetConverter.toPublicKeysetHandle(jwksString);
     assertThrows(
-        GeneralSecurityException.class, () -> handle.getPrimitive(JwtPublicKeyVerify.class));
+        GeneralSecurityException.class, () -> JwkSetConverter.toPublicKeysetHandle(jwksString));
 
     String psJwksString = jwksString.replace("RS256", "PS256");
     KeysetHandle psHandle = JwkSetConverter.toPublicKeysetHandle(psJwksString);
diff --git a/java_src/src/test/java/com/google/crypto/tink/jwt/JwtRsaSsaPkcs1SignKeyManagerTest.java b/java_src/src/test/java/com/google/crypto/tink/jwt/JwtRsaSsaPkcs1SignKeyManagerTest.java
index 8cf8fc308..c70c127e6 100644
--- a/java_src/src/test/java/com/google/crypto/tink/jwt/JwtRsaSsaPkcs1SignKeyManagerTest.java
+++ b/java_src/src/test/java/com/google/crypto/tink/jwt/JwtRsaSsaPkcs1SignKeyManagerTest.java
@@ -323,6 +323,29 @@ public class JwtRsaSsaPkcs1SignKeyManagerTest {
   }
 
   @Test
+  public void createKeysetHandle_works() throws Exception {
+    if (TestUtil.isTsan()) {
+      // factory.createKey is too slow in Tsan.
+      return;
+    }
+    KeysetHandle handle = KeysetHandle.generateNew(KeyTemplates.get("JWT_RS256_2048_F4"));
+    
+    com.google.crypto.tink.Key key = handle.getAt(0).getKey();
+    assertThat(key).isInstanceOf(com.google.crypto.tink.jwt.JwtRsaSsaPkcs1PrivateKey.class);
+    com.google.crypto.tink.jwt.JwtRsaSsaPkcs1PrivateKey jwtPrivateKey =
+        (com.google.crypto.tink.jwt.JwtRsaSsaPkcs1PrivateKey) key;
+
+    assertThat(jwtPrivateKey.getParameters())
+        .isEqualTo(
+            JwtRsaSsaPkcs1Parameters.builder()
+                .setModulusSizeBits(2048)
+                .setPublicExponent(JwtRsaSsaPkcs1Parameters.F4)
+                .setAlgorithm(JwtRsaSsaPkcs1Parameters.Algorithm.RS256)
+                .setKidStrategy(JwtRsaSsaPkcs1Parameters.KidStrategy.BASE64_ENCODED_KEY_ID)
+                .build());
+  }
+
+  @Test
   public void testTinkTemplatesAreTink() throws Exception {
     assertThat(getOutputPrefixType(KeyTemplates.get("JWT_RS256_2048_F4")))
         .isEqualTo(KeyTemplate.OutputPrefixType.TINK);
@@ -718,7 +741,7 @@ public class JwtRsaSsaPkcs1SignKeyManagerTest {
   }
 
   @Test
-  public void signWithTinkKeyAndCustomKid_fails() throws Exception {
+  public void getPrimitiveWithTinkKeyAndCustomKid_fails() throws Exception {
     if (TestUtil.isTsan()) {
       // creating keys is too slow in Tsan.
       // We do not use assume because Theories expects to find something which is not skipped.
@@ -729,8 +752,7 @@ public class JwtRsaSsaPkcs1SignKeyManagerTest {
     KeysetHandle handleWithKid =
         withCustomKid(handleWithoutKid, "Lorem ipsum dolor sit amet, consectetur adipiscing elit");
 
-    JwtPublicKeySign signerWithKid = handleWithKid.getPrimitive(JwtPublicKeySign.class);
-    RawJwt rawToken = RawJwt.newBuilder().setJwtId("jwtId").withoutExpiration().build();
-    assertThrows(JwtInvalidException.class, () -> signerWithKid.signAndEncode(rawToken));
+    assertThrows(
+        GeneralSecurityException.class, () -> handleWithKid.getPrimitive(JwtPublicKeySign.class));
   }
 }