Support for AWS CloudHSM #179
As best I can tell there is currently no native support for accessing private keys stored in Amazon's CloudHSM service. It would be great if this feature could be added.

Comments

I agree it would be nice to support it, but this service is very expensive ($1600/month) and I can't spend that much for this project. If someone using AWS CloudHSM could share its access I would get a look.

I got a look at the AWS documentation, and as I understand the CloudHSM REST API allows one to only manage the HSM instances, and not to perform cryptographic operations. This is performed through a dedicated client SDK that takes the form of a PKCS#11 module or a JCA provider. The client SDK doesn't look to be open source; the JCA provider isn't available on Maven Central and must be installed with a system package. The provider is actually a wrapper over a native library, so figuring out the underlying protocol to access the HSM isn't trivial. However, an HSM can be configured as a keystore for AWS KMS, so Jsign should be able to use a key in a CloudHSM instance already.

Also worth noting, the name "LiquidSecurity" appears in the documentation and in the native library; that's most likely the name of the Marvell HSM hardware used by AWS. It seems to use an undocumented binary protocol. If someone manages to reverse engineer this protocol we may be able to integrate it directly into Jsign, but in the meantime it's more reasonable to use the PKCS#11 module provided by AWS. We could add an
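As an added illustration of the PKCS#11 fallback suggested in the thread (example code, not Jsign's own and not from any participant), the snippet below opens the CloudHSM PKCS#11 module through the JDK's SunPKCS11 provider and signs a buffer without the private key leaving the HSM. The library path `/opt/cloudhsm/lib/libcloudhsm_pkcs11.so`, the key label and the `user:password` PIN form are assumptions about the CloudHSM client SDK, and the code needs Java 9 or later for `Provider.configure()`.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.X509Certificate;

/** Signs data with a key held in CloudHSM via its PKCS#11 module (SunPKCS11, Java 9+). */
public class CloudHsmPkcs11Sign {

    // Assumed location of the PKCS#11 library installed by the CloudHSM client SDK package.
    static final String CLOUDHSM_LIB = "/opt/cloudhsm/lib/libcloudhsm_pkcs11.so";

    // Inline SunPKCS11 configuration; the leading "--" tells configure() this is not a file path.
    static final String SUNPKCS11_CONFIG = "--name=CloudHSM\nlibrary=" + CLOUDHSM_LIB + "\n";

    public static byte[] sign(String alias, char[] pin, byte[] data) throws Exception {
        Provider provider = Security.getProvider("SunPKCS11").configure(SUNPKCS11_CONFIG);
        Security.addProvider(provider);

        // Loading the PKCS11 keystore logs in to the HSM; the PIN form "<cu-user>:<password>" is an assumption.
        KeyStore keystore = KeyStore.getInstance("PKCS11", provider);
        keystore.load(null, pin);

        PrivateKey key = (PrivateKey) keystore.getKey(alias, pin);
        X509Certificate cert = (X509Certificate) keystore.getCertificate(alias);
        if (key == null || cert == null) {
            throw new IllegalStateException("no key/certificate pair labelled '" + alias + "' on the HSM");
        }

        // Bind the Signature to the PKCS#11 provider so the operation runs inside the HSM.
        Signature signature = Signature.getInstance("SHA256withRSA", provider);
        signature.initSign(key);
        signature.update(data);
        byte[] sig = signature.sign();

        // Verify locally with the certificate's public key to catch a mislabelled key early.
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(cert.getPublicKey());
        verifier.update(data);
        if (!verifier.verify(sig)) {
            throw new IllegalStateException("signature does not verify against certificate '" + alias + "'");
        }
        return sig;
    }

    public static void main(String[] args) throws Exception {
        // Usage: java CloudHsmPkcs11Sign <key-label> <cu-user:password>
        byte[] sig = sign(args[0], args[1].toCharArray(), "payload to sign".getBytes(StandardCharsets.UTF_8));
        System.out.println("signature length: " + sig.length + " bytes");
    }
}
```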