cxf-users mailing list archives

From Martin Jäger <Martin.Jae...@netcetera.com>
Subject Using CXF WS Security with a FIPS Level 3 HSM
Date Fri, 17 Oct 2014 18:00:57 GMT
Dear CXF users

I'm using web service encryption with CXF and a Java software keystore (CXF v. 2.7.10).
I would like to switch the keystore to a hardware HSM device (FIPS Level 3 / Thales nShield).

During the development I get this exception:
Caused by: java.security.InvalidKeyException: Error importing key: StrictFIPS140
        at com.ncipher.provider.Utils.importKey(Utils.java:424)
        at com.ncipher.provider.nCImportedKey.<init>(nCImportedKey.java:82)
        at com.ncipher.provider.BlockCipher.engineInit(BlockCipher.java:215)
        at javax.crypto.Cipher.init(Cipher.java:1346)
        at javax.crypto.Cipher.init(Cipher.java:1282)
        at org.apache.xml.security.encryption.XMLCipher.decryptToByteArray(XMLCipher.java:1760)

In the HSM I added the public key of the client and created a private / public key pair on
the HSM (and passed the public key to the client).
As I understand it, the web service encryption uses the asymmetric key to generate a new symmetric
key for this web service call.

For me it looks like the Cipher wants to add this generated key to the HSM on the server side,
but this is not allowed on FIPS Level 3.

Is there a way to tell CXF / WSS4J to use a software keystore for the generated symmetric
key and use the hardware keystore for the asymmetric keys?

Is my assumption correct at all?


I configured like this:

  <!-- WSS4JInInterceptor for decrypting and validating the signature of the SOAP request. -->
  <bean id="TimestampSignEncrypt_Request" class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
    <constructor-arg>
      <map>
        <entry key="action" value="Timestamp Signature Encrypt" />
        <!-- Property file names must not carry leading/trailing whitespace; the
             values are used verbatim when the Crypto properties are loaded. -->
        <entry key="signaturePropFile" value="mySpecialKeystore.properties" />
        <entry key="decryptionPropFile" value="mySpecialKeystore.properties" />
        <entry key="passwordCallbackRef" value-ref="passwordcallback" />
      </map>
    </constructor-arg>
  </bean>


  <!-- WSS4JOutInterceptor for encrypting and signing the SOAP response. -->
  <bean id="TimestampSignEncrypt_Response" class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
    <constructor-arg>
      <map>
        <entry key="action" value="Timestamp Signature Encrypt" />
        <entry key="user" value="${org.apache.ws.security.crypto.merlin.keystore.alias}" />
        <entry key="signaturePropFile" value="mySpecialKeystore.properties" />
        <entry key="encryptionPropFile" value="mySpecialKeystore.properties" />
        <!-- Encrypt the response for whichever certificate signed the request. -->
        <entry key="encryptionUser" value="useReqSigCert" />
        <entry key="passwordCallbackRef" value-ref="passwordcallback" />
        <entry key="signatureParts"
          value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body" />
        <entry key="encryptionParts"
          value="{Element}{http://www.w3.org/2000/09/xmldsig#}Signature;{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body" />
        <entry key="encryptionSymAlgorithm" value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
      </map>
    </constructor-arg>
  </bean>


Thanks a lot
Martin
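The two-layer scheme the question describes (a per-call symmetric key for the content, transported under the recipient's RSA key), written out as an added stand-alone Java example. This is not code from the original post, from CXF or from WSS4J; it shows the split the poster is asking about at the plain JCE level: every call that touches the symmetric key names a software provider explicitly, so a hardware provider sitting at the top of the provider list is never asked to import raw symmetric key material. The provider names ("SunJCE" for both roles; in the real deployment the asymmetric side would be the HSM provider), the constructed sample payload and the helper names are assumptions, and whether CXF 2.7.10 / WSS4J exposes such a per-step provider setting is not established on this page.

```java
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

/**
 * Added example (not CXF/WSS4J code). Mirrors WS-Security encryption: a fresh
 * symmetric session key protects the payload (EncryptedData), and only that
 * session key is wrapped under the recipient's RSA public key (EncryptedKey).
 */
public class HybridEncryptionProviderSplit {

    // Assumption: in the poster's deployment this would be the HSM provider's name;
    // here the JDK's own RSA implementation stands in for it.
    static final String ASYMMETRIC_PROVIDER = "SunJCE";
    // Software provider that must serve every symmetric (3DES-CBC) operation.
    static final String SYMMETRIC_PROVIDER = "SunJCE";

    static final String KEY_TRANSPORT = "RSA/ECB/OAEPWithSHA-1AndMGF1Padding"; // xmlenc#rsa-oaep-mgf1p
    static final String CONTENT_CIPHER = "DESede/CBC/PKCS5Padding";            // xmlenc#tripledes-cbc

    /** What the sender emits: wrapped session key, IV and ciphertext. */
    static final class Envelope {
        final byte[] wrappedSessionKey;
        final byte[] iv;
        final byte[] ciphertext;
        Envelope(byte[] w, byte[] iv, byte[] c) { wrappedSessionKey = w; this.iv = iv; ciphertext = c; }
    }

    /** Sender: generate the session key in software, encrypt the payload, wrap the key for the recipient. */
    static Envelope encrypt(byte[] plaintext, PublicKey recipient) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("DESede", SYMMETRIC_PROVIDER);
        SecretKey sessionKey = kg.generateKey();

        byte[] iv = new byte[8];                       // 3DES block size
        new SecureRandom().nextBytes(iv);
        Cipher content = Cipher.getInstance(CONTENT_CIPHER, SYMMETRIC_PROVIDER);
        content.init(Cipher.ENCRYPT_MODE, sessionKey, new IvParameterSpec(iv));
        byte[] ciphertext = content.doFinal(plaintext);

        Cipher transport = Cipher.getInstance(KEY_TRANSPORT, ASYMMETRIC_PROVIDER);
        transport.init(Cipher.WRAP_MODE, recipient);
        return new Envelope(transport.wrap(sessionKey), iv, ciphertext);
    }

    /** Recipient: unwrap with the (HSM-held) private key, then decrypt the content with a software cipher. */
    static byte[] decrypt(Envelope env, PrivateKey recipientPrivate) throws Exception {
        Cipher transport = Cipher.getInstance(KEY_TRANSPORT, ASYMMETRIC_PROVIDER);
        transport.init(Cipher.UNWRAP_MODE, recipientPrivate);
        Key sessionKey = transport.unwrap(env.wrappedSessionKey, "DESede", Cipher.SECRET_KEY);

        // The symmetric Cipher is pinned to the software provider. An unqualified
        // Cipher.getInstance(CONTENT_CIPHER) would go to whichever provider ranks
        // highest, and a hardware provider would then have to import the raw key
        // in init(), which is the step that fails in the posted stack trace.
        Cipher content = Cipher.getInstance(CONTENT_CIPHER, SYMMETRIC_PROVIDER);
        content.init(Cipher.DECRYPT_MODE, sessionKey, new IvParameterSpec(env.iv));
        return content.doFinal(env.ciphertext);
    }

    /** Diagnostic: which provider answers an unqualified request for a transformation? */
    static String defaultProviderFor(String transformation) throws Exception {
        return Cipher.getInstance(transformation).getProvider().getName();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair recipient = kpg.generateKeyPair();   // stand-in for the key pair created on the HSM

        // Constructed sample payload, not a real SOAP message.
        byte[] body = "<soap:Body>constructed sample payload</soap:Body>".getBytes(StandardCharsets.UTF_8);
        Envelope env = encrypt(body, recipient.getPublic());
        byte[] recovered = decrypt(env, recipient.getPrivate());

        System.out.println("round trip ok: " + Arrays.equals(body, recovered));
        System.out.println("unqualified " + CONTENT_CIPHER + " is served by: "
                + defaultProviderFor(CONTENT_CIPHER));
    }
}
```

Running `defaultProviderFor` on a JVM where the HSM provider has been inserted at position 1 is the quickest way to confirm which provider an unqualified `Cipher.getInstance` resolves to; if it names the hardware provider, the symmetric step in the XML decryption path is being routed to the HSM, regardless of where the private key lives.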

