This article may be of help:
http://davidvaleri.wordpress.com/2010/12/16/using-nss-for-fips-140-2-compliant-message-security-in-cxf/

Colm.

On Fri, Oct 17, 2014 at 7:00 PM, Martin Jäger <[email protected]>
wrote:

> Dear CXF users
>
> I'm using Webservice encryption with CXF and a java software keystore (CXF
> v. 2.7.10).
> I would like to switch the keystore to a hardware HSM device (FIPS Level 3
> / Thales nShield).
>
> During the development I get this exception:
> Caused by: java.security.InvalidKeyException: Error importing key: StrictFIPS140
>         at com.ncipher.provider.Utils.importKey(Utils.java:424)
>         at com.ncipher.provider.nCImportedKey.<init>(nCImportedKey.java:82)
>         at com.ncipher.provider.BlockCipher.engineInit(BlockCipher.java:215)
>         at javax.crypto.Cipher.init(Cipher.java:1346)
>         at javax.crypto.Cipher.init(Cipher.java:1282)
>         at org.apache.xml.security.encryption.XMLCipher.decryptToByteArray(XMLCipher.java:1760)
>
> In the HSM I added the public key of the client and created a private /
> public key pair on the HSM (and passed the public key to the client).
> As I understand it the webservice encryption uses the asymmetric key to
> generate a new symmetric key for this webservice call.
>
> For me it looks like the Cipher wants to add this generated key to the HSM
> on the server side, but this is not allowed on FIPS Level 3.
>
> Is there a way to tell CXF / WSS4j to use a software keystore for the
> generated symmetric key and use the hardware keystore for the asymmetric
> keys?
>
> Is my assumption correct at all?
>
>
> I configured like this:
>
>   <!-- WSS4JInInterceptor for decrypting and validating the signature of the SOAP request. -->
>   <bean id="TimestampSignEncrypt_Request" class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
>     <constructor-arg>
>       <map>
>         <entry key="action" value="Timestamp Signature Encrypt" />
>         <entry key="signaturePropFile" value="mySpecialKeystore.properties" />
>         <entry key="decryptionPropFile" value="mySpecialKeystore.properties" />
>         <entry key="passwordCallbackRef" value-ref="passwordcallback" />
>       </map>
>     </constructor-arg>
>   </bean>
>
>
>   <!-- WSS4JOutInterceptor for encoding and signing the SOAP response. -->
>   <bean id="TimestampSignEncrypt_Response" class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
>     <constructor-arg>
>       <map>
>         <entry key="action" value="Timestamp Signature Encrypt" />
>         <entry key="user" value="${org.apache.ws.security.crypto.merlin.keystore.alias}" />
>         <entry key="signaturePropFile" value="mySpecialKeystore.properties" />
>         <entry key="encryptionPropFile" value="mySpecialKeystore.properties" />
>         <entry key="encryptionUser" value="useReqSigCert" />
>         <entry key="passwordCallbackRef" value-ref="passwordcallback" />
>         <entry key="signatureParts"
>           value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body" />
>         <entry key="encryptionParts"
>           value="{Element}{http://www.w3.org/2000/09/xmldsig#}Signature;{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body" />
>         <entry key="encryptionSymAlgorithm" value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
>       </map>
>     </constructor-arg>
>   </bean>
>
>
> Thanks a lot
> Martin
>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
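The stack trace in the quoted question shows the nCipher provider's BlockCipher.engineInit being handed the unwrapped 3DES session key, which the provider refuses to import in StrictFIPS140 mode. The following is an added diagnostic (not code from the thread, CXF, WSS4J or nCipher) that shows which JCE provider a plain Cipher.getInstance() picks for the tripledes-cbc transformation used in the configuration, and whether that provider accepts a raw SecretKeySpec; it assumes the software provider is named "SunJCE" and uses a constructed, non-secret 24-byte key.

```java
import java.security.InvalidKeyException;
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class SymmetricProviderCheck {

    // JCE transformation behind http://www.w3.org/2001/04/xmlenc#tripledes-cbc
    static final String TRIPLE_DES_CBC = "DESede/CBC/NoPadding";

    public static void main(String[] args) throws Exception {
        // 1. Installed providers in preference order: the first one that offers
        //    DESede wins a provider-less Cipher.getInstance().
        for (Provider p : Security.getProviders()) {
            System.out.println("provider: " + p.getName() + " " + p.getVersion());
        }

        // 2. Provider chosen when no provider is named, as in the failing trace.
        Cipher defaultCipher = Cipher.getInstance(TRIPLE_DES_CBC);
        System.out.println("default 3DES-CBC provider: " + defaultCipher.getProvider().getName());

        // 3. The session key is unwrapped from the EncryptedKey as raw bytes, so it
        //    can only be presented as a SecretKeySpec. Constructed sample key, not a real one.
        byte[] rawKey = new byte[24];
        for (int i = 0; i < rawKey.length; i++) rawKey[i] = (byte) i;
        SecretKey sessionKey = new SecretKeySpec(rawKey, "DESede");
        IvParameterSpec iv = new IvParameterSpec(new byte[8]);

        tryInit(defaultCipher, sessionKey, iv);

        // 4. Same raw key, but with the symmetric cipher pinned to a software provider
        //    (assumed to be SunJCE). A FIPS Level 3 HSM provider is expected to reject
        //    step 3; a software provider accepts it.
        Cipher softwareCipher = Cipher.getInstance(TRIPLE_DES_CBC, "SunJCE");
        tryInit(softwareCipher, sessionKey, iv);
    }

    // Returns true if the provider accepted the raw key material for decryption.
    static boolean tryInit(Cipher cipher, SecretKey key, IvParameterSpec iv) {
        String name = cipher.getProvider().getName();
        try {
            cipher.init(Cipher.DECRYPT_MODE, key, iv);
            System.out.println(name + ": accepted raw session key");
            return true;
        } catch (InvalidKeyException e) {
            System.out.println(name + ": rejected raw session key: " + e.getMessage());
            return false;
        }
    }
}
```

Pinning the symmetric cipher to a software provider inside the WSS4J/xmlsec decryption path is a configuration step that this check does not perform; it only tells you which provider is being selected and whether that provider will take the key.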
