The ECDSASigningHandler, which is used for JWT signing with the ES* signing algorithms, cannot work if the keystore does not provide an exportable EC private key.
The implementation assumes that constructing the signing handler requires an ECPrivateKey.
It would help if it could be constructed with a more lax constructor (taking a PrivateKey), just like the RSASigningHandler. In fact, it seems that using the constructor to compute the EC curve may not be needed, since the algorithm type is passed when sign() is called and so the curve can be determined there.
This may help to solve the issues for OPENAM-12801 too (HSM). As of now it would seem AM5/6 will not be able to do signing with ECDSA due to the inability to even create an EC signing handler.
OPENAM-12801 (subset of the issues)
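
A sketch of the approach proposed above, added here as an illustration and not taken from the product's code: a signer that accepts any `PrivateKey` and derives the signature width from the JWS algorithm at `sign()` time instead of from the key's curve parameters. The class name `OpaqueKeyEcdsaSigner` and the helper `derToConcat` are hypothetical, and the key in `main` is generated only for the demonstration.

```java
import java.security.*;
import java.security.spec.ECGenParameterSpec;

// Hypothetical class, not the ECDSASigningHandler from the product.
public class OpaqueKeyEcdsaSigner {
    private final PrivateKey key; // may be a non-exportable HSM/PKCS#11 key handle

    public OpaqueKeyEcdsaSigner(PrivateKey key) {
        if (!"EC".equals(key.getAlgorithm())) {
            throw new IllegalArgumentException("not an EC key: " + key.getAlgorithm());
        }
        this.key = key; // no cast to ECPrivateKey, no getParams()
    }

    /** Signs with the curve size implied by the JWS algorithm; returns R || S. */
    public byte[] sign(String jwsAlg, byte[] signingInput) throws GeneralSecurityException {
        String jca; int n; // n = byte length of R and of S (RFC 7518, section 3.4)
        switch (jwsAlg) {
            case "ES256": jca = "SHA256withECDSA"; n = 32; break;
            case "ES384": jca = "SHA384withECDSA"; n = 48; break;
            case "ES512": jca = "SHA512withECDSA"; n = 66; break;
            default: throw new NoSuchAlgorithmException(jwsAlg);
        }
        Signature sig = Signature.getInstance(jca); // provider is chosen at initSign()
        sig.initSign(key);
        sig.update(signingInput);
        return derToConcat(sig.sign(), n);
    }

    // Converts DER SEQUENCE { INTEGER r, INTEGER s } to fixed-width R || S.
    static byte[] derToConcat(byte[] der, int n) {
        if (der[0] != 0x30) throw new IllegalArgumentException("not a DER sequence");
        int p = (der[1] & 0x80) != 0 ? 2 + (der[1] & 0x7f) : 2; // skip header
        byte[] out = new byte[2 * n];
        for (int i = 0; i < 2; i++) {
            if (der[p] != 0x02) throw new IllegalArgumentException("expected INTEGER");
            int len = der[p + 1] & 0xff, start = p + 2;
            p = start + len;
            while (len > n && der[start] == 0) { start++; len--; } // drop sign byte
            if (len > n) throw new IllegalArgumentException("key does not fit " + n + "-byte curve");
            System.arraycopy(der, start, out, i * n + (n - len), len);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1")); // constructed test key
        PrivateKey k = kpg.generateKeyPair().getPrivate();
        System.out.println(new OpaqueKeyEcdsaSigner(k).sign("ES256", "h.p".getBytes()).length);
    }
}
```

The width check rejects a key on a larger curve than the algorithm allows, but a key on a smaller curve would pass it and yield a padded signature, so a handler built this way still needs the curve confirmed from configuration or from the matching public key or certificate.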