
[Security] PrivateKey.getSigner() Returns Null for Unsupported Key Types #224

@mefai-dev

Description

Bug Name

PrivateKey.getSigner() Returns Null for Unsupported Key Types

Attack Scenario

getSigner() returns null for ECDSA or other unsupported key types. This null is stored in this.signer. The next call to sign() throws a NullPointerException with no indication of the actual problem.

Impact

Users with ECDSA keys get opaque NullPointerExceptions instead of a clear unsupported key type message.

Components

File: clients/common/src/main/java/com/binance/connector/client/common/sign/PrivateKey.java line 132. Returns null for non-Ed25519/non-RSA keys.

Reproduction

  1. Configure client with an ECDSA private key.
  2. Make a signed request.
  3. A NullPointerException is thrown at sign() with no useful error message.

Fix

Throw ApiException('Unsupported key type: ' + algorithmIdentifier) instead of returning null.

Details

Finding ID: MEDIUM-02
Severity: Medium

Researcher: Independent Security Researcher -- Mefai Security Team
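Added illustration, not code from the connector project: a self-contained Java sketch of the pattern the report describes, with a hypothetical getSigner in both shapes, the null-returning one and the fail-fast one. The Signer interface, the ApiException stand-in and the JCA algorithm names are assumptions; the ECDSA key and the payload are constructed for the demo.

```java
import java.security.*;

public class SignerSelection {
    /** Minimal signer abstraction standing in for the client's real one (hypothetical). */
    interface Signer { byte[] sign(byte[] payload) throws GeneralSecurityException; }

    /** Hypothetical stand-in for the ApiException named in the report. */
    static class ApiException extends RuntimeException {
        ApiException(String msg) { super(msg); }
    }

    /** Wraps a JCA Signature for the given private key and algorithm name. */
    static Signer jcaSigner(PrivateKey key, String jcaAlgorithm) {
        return payload -> {
            Signature sig = Signature.getInstance(jcaAlgorithm);
            sig.initSign(key);
            sig.update(payload);
            return sig.sign();
        };
    }

    /** Buggy shape: an unsupported key yields null, and the failure only surfaces later as an NPE in sign(). */
    static Signer getSignerReturningNull(PrivateKey key) {
        switch (key.getAlgorithm()) {
            case "Ed25519": case "EdDSA": return jcaSigner(key, "Ed25519");
            case "RSA":                   return jcaSigner(key, "SHA256withRSA");
            default:                      return null;
        }
    }

    /** Fixed shape: fail fast at selection time, naming the algorithm in the message. */
    static Signer getSignerFailFast(PrivateKey key) {
        switch (key.getAlgorithm()) {
            case "Ed25519": case "EdDSA": return jcaSigner(key, "Ed25519");
            case "RSA":                   return jcaSigner(key, "SHA256withRSA");
            default: throw new ApiException("Unsupported key type: " + key.getAlgorithm());
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a fresh ECDSA key (algorithm "EC") and a dummy request payload.
        PrivateKey ecKey = KeyPairGenerator.getInstance("EC").generateKeyPair().getPrivate();
        byte[] payload = "constructed-sample-request".getBytes();
        try { getSignerReturningNull(ecKey).sign(payload); }
        catch (NullPointerException e) { System.out.println("buggy path: " + e); }
        try { getSignerFailFast(ecKey).sign(payload); }
        catch (ApiException e) { System.out.println("fixed path: " + e.getMessage()); }
    }
}
```

Run with a JDK that ships the Ed25519 provider (Java 15 or later); the buggy path prints a bare NullPointerException, the fixed path prints "Unsupported key type: EC".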
