The various *Key interfaces (RSAPrivateKey, etc.) and *Spec classes (RSAPrivateKeySpec, etc.) are underspecified. They do not state if null is a valid value for any of their components.

The common interpretation among providers implemented in software is that all values must be non-null. On the other hand, most hardware providers assume null is a valid return value for almost any method.

These interpretations are fundamtentally incompatible and lead to unexpected interoperability behavior. In particular, one could expect a software provider to throw an InvalidKeyException when initialized with an unextractable hardware key. Instead, initialization typically either fails with a NullPointerException or it succeeds altogether and the actual operation fails with a NullPointerException.

The options seem to be:
 . a forbid null values for (some) components. Recommend that hardware implementations do not use the RSAPrivateKey, etc. interfaces.
 . allow null values and recommend that software implementations check for this condition.

One way or another, the API needs to be clarified and the *Spec classes and our code modified accordingly.