Hi Jan,

Yes it makes sense.

Colm.

On Tue, Apr 18, 2023 at 8:26 AM Jan Bernhardt <[email protected]> wrote:
>
> As requested: https://github.com/apache/cxf/pull/1238
>
> However, I'm wondering if checking the algorithm String (as my first
> suggestion) should be the preferred solution (for RSA and EcDsa use case),
> as an EcDsa key stored on an HSM could lead to the same instanceof problem
> that I'm facing now with my RSA key.
>
> WDYT?
>
> Jan
>
> > -----Original Message-----
> > From: Colm O hEigeartaigh <[email protected]>
> > Sent: Monday, 17 April 2023 17:32
> > To: [email protected]
> > Cc: Colm O'Heigeartaigh <[email protected]>
> > Subject: Re: JwsUtils Support with HSM
> >
> > Hi Jan,
> >
> > Your second option looks fine to me - can you create a pull request for it?
> >
> > Colm.
> >
> > On Mon, Apr 17, 2023 at 4:00 PM Jan Bernhardt <[email protected]> wrote:
> > >
> > > Hi CXF developers,
> > >
> > > I'm testing CXF with the usage of a hardware security module. Most parts
> > > are working just great.
> > > However, I'm facing one issue with the JwsUtils class (line 119).
> > >
> > > The code is checking if the provided key is an instanceof RSAPrivateKey.
> > > This is working fine using a JKS file keystore. But when I use a (HSM)
> > > PKCS11 keystore type, the used PrivateKey instance is a
> > > sun.security.pkcs11.P11Key$P11PrivateKey, which is not an instance of
> > > RSAPrivateKey. Thus, the initialization fails and my code is not working.
> > > The invoked PrivateKeyJwsSignatureProvider (line 120) does not require an
> > > RSAPrivateKey, so if I execute this code (in my Java debugger) with my
> > > P11Key it is all working fine.
> > >
> > > Therefore I'm wondering if we can refactor this code to check for the key
> > > algorithm instead of the class instance, like this:
> > >
> > >     } else if ("RSA".equals(key.getAlgorithm())) {
> > >         return new PrivateKeyJwsSignatureProvider(key, algo);
> > >
> > > Or maybe it will be even better to remove the else check completely and
> > > call the signature provider instantiation always (if it is not an EC key).
> > > Like this:
> > >
> > >     public static JwsSignatureProvider getPrivateKeySignatureProvider(PrivateKey key, SignatureAlgorithm algo) {
> > >         if (algo == null) {
> > >             LOG.warning("No signature algorithm was defined");
> > >             throw new JwsException(JwsException.Error.ALGORITHM_NOT_SET);
> > >         }
> > >         if (key instanceof ECPrivateKey) {
> > >             return new EcDsaJwsSignatureProvider((ECPrivateKey)key, algo);
> > >         }
> > >
> > >         return new PrivateKeyJwsSignatureProvider(key, algo);
> > >     }
> > >
> > > WDYT?
> > >
> > > Jan
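The thread turns on one JCA detail: a PKCS#11-backed `PrivateKey` implements only the `PrivateKey` interface, not `RSAPrivateKey` or `ECPrivateKey`, because the key material is non-extractable, so any `instanceof` dispatch on the concrete key type silently routes HSM keys to the "unsupported" branch. The following stand-alone program is an added example, not code from CXF or from either participant; `OpaqueHsmKey` is a constructed stand-in for a PKCS#11 key, and the two dispatch methods return a key-family string instead of a CXF signature provider so the demo has no CXF dependency. It runs the software-generated RSA and EC keys and the opaque stand-ins through both a type-based and an algorithm-name-based dispatch, and adds the compatibility check a reviewer would want once the type check is dropped: that the requested JWS `alg` actually matches the key family, so an RSA key is never handed to an ECDSA signer or vice versa.

```java
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.RSAPrivateKey;
import java.util.Locale;

/**
 * Added example (not CXF code): compares dispatching on the key's Java type
 * with dispatching on key.getAlgorithm(), using an opaque stand-in for an
 * HSM-backed PKCS#11 key whose class implements PrivateKey but neither
 * RSAPrivateKey nor ECPrivateKey.
 */
public class KeyDispatchDemo {

    /** Constructed stand-in for a non-extractable HSM key. */
    static final class OpaqueHsmKey implements PrivateKey {
        private static final long serialVersionUID = 1L;
        private final String algorithm;

        OpaqueHsmKey(String algorithm) {
            this.algorithm = algorithm;
        }

        @Override public String getAlgorithm() { return algorithm; }
        @Override public String getFormat() { return null; }   // no encoding: material stays in the HSM
        @Override public byte[] getEncoded() { return null; }
    }

    /** Type-based dispatch: recognises software keys only. */
    static String familyByInstanceOf(PrivateKey key) {
        if (key instanceof ECPrivateKey) {
            return "EC";
        } else if (key instanceof RSAPrivateKey) {
            return "RSA";
        }
        return "UNSUPPORTED";
    }

    /** Algorithm-name dispatch: provider-neutral, so HSM keys are recognised too. */
    static String familyByAlgorithm(PrivateKey key) {
        String alg = key.getAlgorithm() == null ? "" : key.getAlgorithm().toUpperCase(Locale.ROOT);
        switch (alg) {
            case "EC":
            case "ECDSA":        // some providers (BouncyCastle, for example) report this name
                return "EC";
            case "RSA":
            case "RSASSA-PSS":   // RSA keys typed for PSS (JDK 11+) are still RSA keys
                return "RSA";
            default:
                return "UNSUPPORTED";
        }
    }

    /**
     * Once the instanceof guard is gone, nothing else ties the requested JWS
     * algorithm to the key type; this check restores that tie. JWS names:
     * RS*/PS* are RSA-family, ES* are ECDSA-family.
     */
    static void requireCompatible(String keyFamily, String jwsAlg) {
        boolean rsaAlg = jwsAlg.startsWith("RS") || jwsAlg.startsWith("PS");
        boolean ecAlg = jwsAlg.startsWith("ES");
        if (("RSA".equals(keyFamily) && !rsaAlg) || ("EC".equals(keyFamily) && !ecAlg)
                || "UNSUPPORTED".equals(keyFamily)) {
            throw new IllegalArgumentException(
                "JWS algorithm " + jwsAlg + " does not match key family " + keyFamily);
        }
    }

    public static void main(String[] args) throws Exception {
        PrivateKey softRsa = KeyPairGenerator.getInstance("RSA").generateKeyPair().getPrivate();
        KeyPairGenerator ecGen = KeyPairGenerator.getInstance("EC");
        ecGen.initialize(256);
        PrivateKey softEc = ecGen.generateKeyPair().getPrivate();
        PrivateKey hsmRsa = new OpaqueHsmKey("RSA");   // constructed: mimics P11Key$P11PrivateKey
        PrivateKey hsmEc = new OpaqueHsmKey("EC");

        PrivateKey[] keys = { softRsa, softEc, hsmRsa, hsmEc };
        String[] labels = { "software RSA", "software EC", "HSM-style RSA", "HSM-style EC" };
        for (int i = 0; i < keys.length; i++) {
            System.out.printf("%-14s class=%-28s instanceof=%-12s algorithm=%s%n",
                labels[i], keys[i].getClass().getSimpleName(),
                familyByInstanceOf(keys[i]), familyByAlgorithm(keys[i]));
        }

        // Mismatch detection: an RSA key requested for ES256 must be refused.
        try {
            requireCompatible(familyByAlgorithm(hsmRsa), "ES256");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        requireCompatible(familyByAlgorithm(hsmRsa), "RS256");   // accepted
    }
}
```

Both opaque keys come out as `UNSUPPORTED` from the `instanceof` dispatch and as their real family from the algorithm-name dispatch, which is exactly the asymmetry Jan hit at `JwsUtils` line 119 and why his follow-up about EC keys on the same HSM applies equally. The `Locale.ROOT` upper-casing and the extra `ECDSA`/`RSASSA-PSS` cases are there because the algorithm string is provider-chosen, not normative; a plain `"RSA".equals(key.getAlgorithm())` is correct for the SunPKCS11 case in the thread but will miss a PSS-typed key.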
