As requested: https://github.com/apache/cxf/pull/1238

However, I'm wondering if checking the algorithm String (as my first 
suggestion) should be the preferred solution (for the RSA and EcDsa use cases), 
as an EcDsa key stored on an HSM could lead to the same instanceof problem that 
I'm facing now with my RSA key.

WDYT?

Jan

> -----Original Message-----
> From: Colm O hEigeartaigh <[email protected]>
> Sent: Monday, 17 April 2023 17:32
> To: [email protected]
> Cc: Colm O'Heigeartaigh <[email protected]>
> Subject: Re: JwsUtils Support with HSM
>
> Hi Jan,
>
> Your second option looks fine to me - can you create a pull request for it?
>
> Colm.
>
> On Mon, Apr 17, 2023 at 4:00 PM Jan Bernhardt <[email protected]>
> wrote:
> >
> > Hi CXF developers,
> >
> > I’m testing CXF with the usage of a hardware security module. Most parts are
> > working just great.
> > However, I’m facing one issue with the JwsUtils class (line 119).
> >
> > The code is checking if the provided key is an instanceof RSAPrivateKey.
> > This is working fine using a JKS file keystore. But when I use a (HSM) PKCS11
> > keystore type, the used PrivateKey instance is a
> > sun.security.pkcs11.P11Key$P11PrivateKey, which is not an instance of
> > RSAPrivateKey. Thus, the initialization fails and my code is not working.
> > The invoked PrivateKeyJwsSignatureProvider (line 120) does not require an
> > RSAPrivateKey, so if I execute this code (in my Java debugger) with my P11Key
> > it is all working fine.
> >
> > Therefore I’m wondering if we can refactor this code to check for the key
> > algorithm instead of the class instance, like this:
> >
> >     } else if ("RSA".equals(key.getAlgorithm())) {
> >         return new PrivateKeyJwsSignatureProvider(key, algo);
> >
> > Or maybe it will be even better to remove the else check completely and call
> > the signature provider instantiation always (if it is not an EC key). Like
> > this:
> >
> >     public static JwsSignatureProvider getPrivateKeySignatureProvider(PrivateKey key, SignatureAlgorithm algo) {
> >         if (algo == null) {
> >             LOG.warning("No signature algorithm was defined");
> >             throw new JwsException(JwsException.Error.ALGORITHM_NOT_SET);
> >         }
> >         if (key instanceof ECPrivateKey) {
> >             return new EcDsaJwsSignatureProvider((ECPrivateKey)key, algo);
> >         }
> >
> >         return new PrivateKeyJwsSignatureProvider(key, algo);
> >     }
> >
> > WDYT?
> >
> > Jan
> >
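The instanceof problem described in this thread, as an added stand-alone example (not CXF code and not from the thread): a hypothetical OpaqueHsmKey stands in for a PKCS11-backed key such as sun.security.pkcs11.P11Key$P11PrivateKey, which reports an algorithm name but implements none of the typed key interfaces. The two dispatch helpers are assumptions modelled on the code quoted above; they return the provider name so the difference between class-based and algorithm-based dispatch is visible, and the algorithm variant is extended to EC as Jan's follow-up question asks.

```java
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.RSAPrivateKey;

public class OpaqueKeyDispatchDemo {

    // Hypothetical stand-in for an HSM-resident key: getAlgorithm() works,
    // but no typed interface is implemented and no key material is exposed.
    static final class OpaqueHsmKey implements PrivateKey {
        private final String algorithm;
        OpaqueHsmKey(String algorithm) { this.algorithm = algorithm; }
        @Override public String getAlgorithm() { return algorithm; }
        @Override public String getFormat() { return null; }   // non-extractable key
        @Override public byte[] getEncoded() { return null; }  // non-extractable key
    }

    // Dispatch by class, as the thread describes JwsUtils doing today.
    static String selectByInstance(PrivateKey key) {
        if (key instanceof ECPrivateKey) { return "EcDsaJwsSignatureProvider"; }
        if (key instanceof RSAPrivateKey) { return "PrivateKeyJwsSignatureProvider"; }
        return "UNSUPPORTED";
    }

    // Dispatch by algorithm name (Jan's first suggestion), extended to EC.
    static String selectByAlgorithm(PrivateKey key) {
        switch (key.getAlgorithm()) {
            case "RSA": return "PrivateKeyJwsSignatureProvider";
            case "EC":  return "EcDsaJwsSignatureProvider";
            default:    return "UNSUPPORTED";
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        PrivateKey softRsa = kpg.generateKeyPair().getPrivate(); // software key
        PrivateKey hsmRsa = new OpaqueHsmKey("RSA");            // constructed stand-in
        PrivateKey hsmEc = new OpaqueHsmKey("EC");              // constructed stand-in

        for (PrivateKey k : new PrivateKey[] {softRsa, hsmRsa, hsmEc}) {
            System.out.printf("%-8s instanceof -> %-32s algorithm -> %s%n",
                    k.getAlgorithm(), selectByInstance(k), selectByAlgorithm(k));
        }
    }
}
```

The software RSA key is accepted by both checks, while both opaque keys are UNSUPPORTED under the instanceof check and accepted under the algorithm check. Note that the EcDsaJwsSignatureProvider constructor quoted above still casts to ECPrivateKey, so an opaque EC key would also need that provider to accept a plain PrivateKey.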