Code fixed for RSA and EC use case. New pull request is: https://github.com/apache/cxf/pull/1239

Jan

> -----Original Message-----
> From: Colm O hEigeartaigh <[email protected]>
> Sent: Tuesday, 18 April 2023 11:33
> To: [email protected]
> Subject: Re: JwsUtils Support with HSM
>
> Hi Jan,
>
> Yes it makes sense.
>
> Colm.
>
> On Tue, Apr 18, 2023 at 8:26 AM Jan Bernhardt <[email protected]> wrote:
> >
> > As requested: https://github.com/apache/cxf/pull/1238
> >
> > However, I'm wondering if checking the algorithm String (as my first suggestion) should be the preferred solution (for RSA and EcDsa use case), as an EcDsa key stored on a HSM could lead to the same instanceof problem that I'm facing now with my RSA key.
> >
> > WDYT?
> >
> > Jan
> >
> > > -----Original Message-----
> > > From: Colm O hEigeartaigh <[email protected]>
> > > Sent: Monday, 17 April 2023 17:32
> > > To: [email protected]
> > > Cc: Colm O'Heigeartaigh <[email protected]>
> > > Subject: Re: JwsUtils Support with HSM
> > >
> > > Hi Jan,
> > >
> > > Your second option looks fine to me - can you create a pull request for it?
> > >
> > > Colm.
> > >
> > > On Mon, Apr 17, 2023 at 4:00 PM Jan Bernhardt <[email protected]> wrote:
> > > >
> > > > Hi CXF developers,
> > > >
> > > > I’m testing CXF with the usage of a hardware security module. Most parts are working just great.
> > > > However, I’m facing one issue with the JwsUtils class (line 119).
> > > >
> > > > The code is checking if the provided key is an instanceof RSAPrivateKey. This is working fine using a JKS file keystore. But when I use a (HSM) PKCS11 keystore type the used PrivateKey instance is a sun.security.pkcs11.P11Key$P11PrivateKey which is not an instance of RSAPrivateKey. Thus, the initialization fails and my code is not working.
> > > > The invoked PrivateKeyJwsSignatureProvider (line 120) does not require a RSAPrivateKey, so if I execute this code (in my java debugger) with my P11Key it is all working fine.
> > > >
> > > > Therefore I’m wondering if we can refactor this code to check for the key algorithm instead of the class instance, like this:
> > > >
> > > >     } else if ("RSA".equals(key.getAlgorithm())) {
> > > >         return new PrivateKeyJwsSignatureProvider(key, algo);
> > > >
> > > > Or maybe it will be even better to remove the else check completely and call the signature provider instantiation always (if it is not a EC key). Like this:
> > > >
> > > >     public static JwsSignatureProvider getPrivateKeySignatureProvider(PrivateKey key, SignatureAlgorithm algo) {
> > > >         if (algo == null) {
> > > >             LOG.warning("No signature algorithm was defined");
> > > >             throw new JwsException(JwsException.Error.ALGORITHM_NOT_SET);
> > > >         }
> > > >         if (key instanceof ECPrivateKey) {
> > > >             return new EcDsaJwsSignatureProvider((ECPrivateKey)key, algo);
> > > >         }
> > > >
> > > >         return new PrivateKeyJwsSignatureProvider(key, algo);
> > > >     }
> > > >
> > > > WDYT?
> > > >
> > > > Jan
> > > >
> > > > As a recipient of an email from the Talend Group, your personal data will be processed by our systems. Please see our Privacy Notice <https://www.talend.com/privacy-policy/> for more information about our collection and use of your personal information, our security practices, and your data protection rights, including any rights you may have to object to automated-decision making or profiling we use to analyze support or marketing related communications. To manage or discontinue promotional communications, use the communication preferences portal <https://info.talend.com/emailpreferencesen.html>.
> > > > To exercise your data protection rights, use the privacy request form <https://talend.my.onetrust.com/webform/ef906c5a-de41-4ea0-ba73-96c079cdd15a/b191c71d-f3cb-4a42-9815-0c3ca021704cl>. Contact us here <https://www.talend.com/contact/> or by mail to either of our co-headquarters: Talend, Inc.: 400 South El Camino Real, Ste 1400, San Mateo, CA 94402; Talend SAS: 5/7 rue Salomon De Rothschild, 92150 Suresnes, France
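The selection logic discussed in this thread, written out as an added Java example (this is not CXF's code and is not taken from either pull request). It contrasts the `instanceof` check with dispatch on `key.getAlgorithm()`, using a constructed `OpaqueHsmPrivateKey` class as a stand-in for a PKCS#11 key handle, and it goes a little beyond the thread in two ways: it also refuses a JWS `alg` that does not match the key type, and it converts the DER output of JCA's ECDSA into the fixed-width r||s form that JWS requires. The provider names are returned as plain strings for the printout; the real `PrivateKeyJwsSignatureProvider` and `EcDsaJwsSignatureProvider` classes are not referenced.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.interfaces.*;
import java.util.Base64;

public class KeyAlgorithmDispatchDemo {

    // Constructed stand-in for an opaque HSM key handle (hypothetical class, not CXF's and not the
    // JDK's PKCS#11 key). Like sun.security.pkcs11.P11Key$P11PrivateKey it reports the algorithm
    // but implements neither RSAPrivateKey nor ECPrivateKey, and it exposes no key material.
    static final class OpaqueHsmPrivateKey implements PrivateKey {
        private final String algorithm;
        OpaqueHsmPrivateKey(String algorithm) { this.algorithm = algorithm; }
        @Override public String getAlgorithm() { return algorithm; }
        @Override public String getFormat() { return null; }
        @Override public byte[] getEncoded() { return null; }
    }

    // Class-based selection, the behaviour hit in the thread: a key that is not a software
    // RSA/EC key object is rejected even though its own JCA provider could sign with it.
    static String selectByInstanceof(PrivateKey key) {
        if (key instanceof ECPrivateKey) return "EcDsaJwsSignatureProvider";
        if (key instanceof RSAPrivateKey) return "PrivateKeyJwsSignatureProvider";
        throw new IllegalArgumentException("unsupported key class " + key.getClass().getName());
    }

    // Algorithm-based selection as proposed in the thread, plus a check (added here) that the
    // requested JWS "alg" matches the key type, so an RSA key is never paired with ES256 or vice versa.
    static String selectByAlgorithm(PrivateKey key, String jwsAlg) {
        String keyAlg = key.getAlgorithm();
        boolean rsaAlg = jwsAlg.startsWith("RS") || jwsAlg.startsWith("PS");
        if (jwsAlg.startsWith("ES") && "EC".equals(keyAlg)) return "EcDsaJwsSignatureProvider";
        if (rsaAlg && "RSA".equals(keyAlg)) return "PrivateKeyJwsSignatureProvider";
        throw new IllegalArgumentException("JWS alg " + jwsAlg + " does not match key algorithm " + keyAlg);
    }

    // JCA signature name for the JWS "alg" values this demo handles.
    static String jcaName(String jwsAlg) {
        switch (jwsAlg) {
            case "RS256": return "SHA256withRSA";
            case "ES256": return "SHA256withECDSA";
            case "ES512": return "SHA512withECDSA";
            default: throw new IllegalArgumentException("unsupported alg " + jwsAlg);
        }
    }

    // JWS (RFC 7518 section 3.4) carries ECDSA signatures as fixed-width r || s, but JCA returns
    // DER SEQUENCE { INTEGER r, INTEGER s }; this conversion is why a separate EC provider exists.
    static byte[] derToConcat(byte[] der, int partLen) {
        int off = (der[1] & 0x80) != 0 ? 2 + (der[1] & 0x7f) : 2;   // skip SEQUENCE tag and length
        int rLen = der[off + 1] & 0xff, rStart = off + 2;
        int sLen = der[rStart + rLen + 1] & 0xff, sStart = rStart + rLen + 2;
        byte[] out = new byte[2 * partLen];
        copyPadded(der, rStart, rLen, out, 0, partLen);
        copyPadded(der, sStart, sLen, out, partLen, partLen);
        return out;
    }

    // Drop the DER sign byte if present, then right-align the value in a fixed-width field.
    static void copyPadded(byte[] src, int start, int len, byte[] dst, int dstOff, int partLen) {
        while (len > partLen && src[start] == 0) { start++; len--; }
        System.arraycopy(src, start, dst, dstOff + partLen - len, len);
    }

    // Sign a JWS signing input, routing on getAlgorithm() rather than on the key's class.
    static String sign(PrivateKey key, String jwsAlg, String signingInput) throws GeneralSecurityException {
        String provider = selectByAlgorithm(key, jwsAlg);   // fails fast on a key/alg mismatch
        Signature sig = Signature.getInstance(jcaName(jwsAlg));
        sig.initSign(key);                                   // an HSM key is served by its own provider here
        sig.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        byte[] raw = sig.sign();
        if (provider.startsWith("EcDsa")) raw = derToConcat(raw, "ES256".equals(jwsAlg) ? 32 : 66);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator rsaGen = KeyPairGenerator.getInstance("RSA"); rsaGen.initialize(2048);
        KeyPairGenerator ecGen = KeyPairGenerator.getInstance("EC"); ecGen.initialize(256);
        PrivateKey[] keys = { rsaGen.generateKeyPair().getPrivate(), ecGen.generateKeyPair().getPrivate(),
                              new OpaqueHsmPrivateKey("RSA"), new OpaqueHsmPrivateKey("EC") };
        for (PrivateKey k : keys) {
            String byClass;
            try { byClass = selectByInstanceof(k); } catch (IllegalArgumentException e) { byClass = "REJECTED"; }
            String alg = "EC".equals(k.getAlgorithm()) ? "ES256" : "RS256";
            System.out.printf("%-22s instanceof -> %-31s getAlgorithm -> %s%n",
                    k.getClass().getSimpleName(), byClass, selectByAlgorithm(k, alg));
        }
        String input = "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJkZW1vIn0";   // constructed header.payload
        System.out.println("RS256 " + sign(keys[0], "RS256", input));
        System.out.println("ES256 " + sign(keys[1], "ES256", input));
        try {
            sign(keys[1], "RS256", input);   // EC key with an RSA alg: refused before any signing happens
        } catch (IllegalArgumentException e) {
            System.out.println("refused: " + e.getMessage());
        }
    }
}
```

Signing is only exercised with the generated software keys; the two opaque keys go through the selection step, which is where the original `instanceof` check failed and where the algorithm check succeeds. With a real PKCS#11 keystore, `Signature.initSign` hands the handle to the SunPKCS11 provider that owns it, which is why dispatching on the algorithm name is sufficient for the RSA case. The same reasoning applies to the `(ECPrivateKey)` cast in the quoted second option: it breaks whenever the HSM returns the same opaque handle type for an EC key, which is the concern raised in the follow-up and the reason the final fix covers both RSA and EC.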
