Posted to users@cxf.apache.org by Martin Jäger <Ma...@netcetera.com> on 2014/10/17 20:00:57 UTC

Using CXF WS Security with a FIPS Level 3 HSM

Dear CXF users

I'm using Webservice encryption with CXF and a java software keystore (CXF v. 2.7.10).
I would like to switch the keystore to a hardware HSM device (FIPS Level 3 / Thales nShield).

During the development I get this exception:
Caused by: java.security.InvalidKeyException: Error importing key: StrictFIPS140
        at com.ncipher.provider.Utils.importKey(Utils.java:424)
        at com.ncipher.provider.nCImportedKey.<init>(nCImportedKey.java:82)
        at com.ncipher.provider.BlockCipher.engineInit(BlockCipher.java:215)
        at javax.crypto.Cipher.init(Cipher.java:1346)
        at javax.crypto.Cipher.init(Cipher.java:1282)
        at org.apache.xml.security.encryption.XMLCipher.decryptToByteArray(XMLCipher.java:1760)

In the HSM I added the public key of the client and created a private / public key pair on the HSM (and passed the public key to the client).
As I understand it the webservice encryption uses the asymmetric key to generate a new symmetric key for this webservice call.

For me it looks like the Cipher wants to add this generated key to the HSM on the server side, but this is not allowed on FIPS Level 3.

Is there a way to tell CXF / WSS4j to use a software keystore for the generated symmetric key and use the hardware keystore for the asymmetric keys?

Is my assumption correct at all?


I configured like this:

  <!-- WSS4JInInterceptor for decrypting and validating the signature of the SOAP request. -->
  <bean id="TimestampSignEncrypt_Request" class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
    <constructor-arg>
      <map>
        <entry key="action" value="Timestamp Signature Encrypt" />
        <entry key="signaturePropFile" value="mySpecialKeystore.properties" />
        <entry key="decryptionPropFile" value="mySpecialKeystore.properties" />
        <entry key="passwordCallbackRef" value-ref="passwordcallback" />
      </map>
    </constructor-arg>
  </bean>


  <!-- WSS4JOutInterceptor for encrypting and signing the SOAP response. -->
  <bean id="TimestampSignEncrypt_Response" class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
    <constructor-arg>
      <map>
        <entry key="action" value="Timestamp Signature Encrypt" />
        <entry key="user" value="${org.apache.ws.security.crypto.merlin.keystore.alias}" />
        <entry key="signaturePropFile" value="mySpecialKeystore.properties" />
        <entry key="encryptionPropFile" value="mySpecialKeystore.properties" />
        <entry key="encryptionUser" value="useReqSigCert" />
        <entry key="passwordCallbackRef" value-ref="passwordcallback" />
        <entry key="signatureParts"
          value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body" />
        <entry key="encryptionParts"
          value="{Element}{http://www.w3.org/2000/09/xmldsig#}Signature;{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body" />
        <entry key="encryptionSymAlgorithm" value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
      </map>
    </constructor-arg>
  </bean>


Thanks a lot
Martin
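The stack trace above shows the failing Cipher coming from the hardware provider (com.ncipher.provider.BlockCipher) while it is being initialised with the per-message symmetric key, which is exactly the key that exists only as raw bytes after the RSA unwrap. The following program is an added illustration, not code from this thread, from CXF or from WSS4J: it replays the WS-Security key-transport step in plain JCE with the provider named explicitly at every stage, and it reports which provider a default Cipher.getInstance(...) lookup resolves to, so the same check can be run on the server JVM once the HSM provider is registered. It assumes a stock Oracle/OpenJDK JVM where "SunJCE" is the software provider; the transformation names are the JCE equivalents Santuario uses for xmlenc#tripledes-cbc and xmlenc#rsa-1_5. It does not settle why XMLCipher picked the hardware provider for the symmetric step in the configuration above.

```java
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

/**
 * Added illustration (not from the thread, CXF or WSS4J): WS-Security key
 * transport in plain JCE with explicit providers, plus a lookup check.
 */
public class ProviderSplitCheck {

    /** Software provider for the symmetric side (assumption: stock Oracle/OpenJDK JVM). */
    static final String SOFT_PROVIDER = "SunJCE";
    /** JCE transformation Santuario uses for http://www.w3.org/2001/04/xmlenc#tripledes-cbc. */
    static final String SYM_CIPHER = "DESede/CBC/ISO10126Padding";
    /** JCE transformation for xmlenc#rsa-1_5 key transport. */
    static final String KEY_TRANSPORT = "RSA/ECB/PKCS1Padding";

    /** Provider names in lookup order; the first one offering a transformation wins a default lookup. */
    static List<String> providerOrder() {
        List<String> names = new ArrayList<>();
        for (Provider p : Security.getProviders()) {
            names.add(p.getName());
        }
        return names;
    }

    /**
     * Which provider a plain Cipher.getInstance(transformation) resolves to.
     * Run on the server JVM with the HSM provider registered: if the symmetric
     * transformation resolves to the hardware provider, every unwrapped
     * message key is handed to the HSM as an imported key.
     */
    static String providerForDefaultLookup(String transformation) throws Exception {
        return Cipher.getInstance(transformation).getProvider().getName();
    }

    /** Key-transport round trip: client wraps a fresh 3DES key, server unwraps and decrypts. */
    static boolean roundTrip(byte[] plaintext) throws Exception {
        // Server key pair. On the real server this lives in the HSM, and the
        // private-key unwrap below is the only step the HSM needs to perform.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair serverKeys = kpg.generateKeyPair();

        // --- client side: a new symmetric key for this one message ---
        SecretKey messageKey = KeyGenerator.getInstance("DESede", SOFT_PROVIDER).generateKey();
        byte[] iv = new byte[8];
        new SecureRandom().nextBytes(iv);
        Cipher enc = Cipher.getInstance(SYM_CIPHER, SOFT_PROVIDER);
        enc.init(Cipher.ENCRYPT_MODE, messageKey, new IvParameterSpec(iv));
        byte[] ciphertext = enc.doFinal(plaintext);

        Cipher wrap = Cipher.getInstance(KEY_TRANSPORT, SOFT_PROVIDER);
        wrap.init(Cipher.WRAP_MODE, serverKeys.getPublic());
        byte[] encryptedKey = wrap.wrap(messageKey); // the <xenc:EncryptedKey> payload

        // --- server side ---
        // Private-key operation: in production this Cipher comes from the HSM provider.
        Cipher unwrap = Cipher.getInstance(KEY_TRANSPORT);
        unwrap.init(Cipher.UNWRAP_MODE, serverKeys.getPrivate());
        Key recovered = unwrap.unwrap(encryptedKey, "DESede", Cipher.SECRET_KEY);

        // The recovered key is ordinary key material in JVM memory. Naming the
        // software provider here is what keeps it out of the HSM; a default
        // lookup would give it to whichever provider is first in the list.
        Cipher dec = Cipher.getInstance(SYM_CIPHER, SOFT_PROVIDER);
        dec.init(Cipher.DECRYPT_MODE, recovered, new IvParameterSpec(iv));
        return Arrays.equals(plaintext, dec.doFinal(ciphertext));
    }

    public static void main(String[] args) throws Exception {
        System.out.println("provider order: " + providerOrder());
        System.out.println(SYM_CIPHER + " -> " + providerForDefaultLookup(SYM_CIPHER));
        System.out.println(KEY_TRANSPORT + " -> " + providerForDefaultLookup(KEY_TRANSPORT));
        // Constructed sample payload standing in for the SOAP Body content.
        byte[] body = "<soap:Body>constructed sample</soap:Body>".getBytes("UTF-8");
        System.out.println("round trip ok: " + roundTrip(body));
    }
}
```

On a JVM where the hardware provider has been inserted ahead of SunJCE, the second line of output is the one to look at: if "DESede/CBC/ISO10126Padding" resolves to the hardware provider, the raw message key will be imported into the HSM on every request, which is the operation the StrictFIPS140 setting refuses. Keeping the asymmetric operation on the HSM and the symmetric one in software requires that the symmetric Cipher be obtained from the software provider by name, not by position in the provider list.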


Re: Using CXF WS Security with a FIPS Level 3 HSM

Posted by Colm O hEigeartaigh <co...@apache.org>.
This article may be of help:
http://davidvaleri.wordpress.com/2010/12/16/using-nss-for-fips-140-2-compliant-message-security-in-cxf/

Colm.


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com