ebourg / jsign

Java implementation of Microsoft Authenticode for signing Windows executables, installers & scripts
https://ebourg.github.io/jsign
Apache License 2.0

Support for AWS CloudHSM #179

Open dlutsch opened 8 months ago

dlutsch commented 8 months ago

As best I can tell there is currently no native support for accessing private keys stored in Amazon's CloudHSM service. It would be great if this feature could be added.

ebourg commented 8 months ago

I agree it would be nice to support it, but this service is very expensive ($1600/month) and I can't spend that much for this project. If someone using AWS CloudHSM could share their access, I would take a look.

ebourg commented 8 months ago

I took a look at the AWS documentation, and as I understand it, the CloudHSM REST API only allows one to manage the HSM instances, not to perform cryptographic operations. Those are performed through a dedicated client SDK that takes the form of a PKCS#11 module or a JCA provider. The client SDK doesn't appear to be open source, and the JCA provider isn't available on Maven Central and must be installed with a system package. The provider is actually a wrapper over a native library, so figuring out the underlying protocol to access the HSM isn't trivial.

However an HSM can be configured as a keystore for AWS KMS, so Jsign should be able to use a key in a CloudHSM instance already.

ebourg commented 8 months ago

Also worth noting, the name "LiquidSecurity" appears in the documentation and in the native library, that's most likely the name of the Marvell HSM hardware used by AWS. It seems to use an undocumented binary protocol.

If someone manages to reverse engineer this protocol, we may be able to integrate it directly into Jsign, but in the meantime it's more reasonable to use the PKCS#11 module provided by AWS. We could add an AWSCLOUDHSM storetype that configures the SunPKCS11 provider similarly to the YUBIKEY and OPENSC storetypes, but I'll need someone to share a CloudHSM account to test it properly.
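For reference, the approach sketched in the comment above (wrapping the vendor's PKCS#11 module with the JDK's SunPKCS11 provider, the way a YUBIKEY or OPENSC storetype does) looks like this in plain JCA code. This is an added example, not code from the Jsign project or from the commenter. It assumes JDK 9+ (`Provider.configure` with an inline `--` config), the module path `/opt/cloudhsm/lib/libcloudhsm_pkcs11.so` installed by the AWS CloudHSM client package, the CloudHSM PIN convention `<crypto-user>:<password>` read from environment variables, and a key pair labelled `codesign` in the HSM; all of these are assumptions and would have to be checked against a real instance. The signature here is a plain SHA256withRSA over a constructed byte string, not the full Authenticode PE hashing that Jsign performs.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.Certificate;
import java.util.Collections;

public class CloudHsmPkcs11Example {

    // Assumed path of the PKCS#11 module shipped with the AWS CloudHSM client (Linux).
    static final String PKCS11_LIBRARY = "/opt/cloudhsm/lib/libcloudhsm_pkcs11.so";

    /** Builds a SunPKCS11 provider backed by the CloudHSM module (inline config, JDK 9+). */
    static Provider loadCloudHsmProvider() {
        String config = "--name = CloudHSM\n"
                      + "library = " + PKCS11_LIBRARY + "\n";
        return Security.getProvider("SunPKCS11").configure(config);
    }

    /** Opens the PKCS#11 keystore; CloudHSM expects the PIN as "user:password" (assumption). */
    static KeyStore openKeyStore(Provider provider, String user, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS11", provider);
        ks.load(null, (user + ":" + password).toCharArray());
        return ks;
    }

    /** Signs with a key handle that never leaves the HSM: the Signature is bound to the PKCS#11 provider. */
    static byte[] sign(Provider provider, PrivateKey key, byte[] data) throws Exception {
        Signature sig = Signature.getInstance("SHA256withRSA", provider);
        sig.initSign(key);
        sig.update(data);
        return sig.sign();
    }

    public static void main(String[] args) throws Exception {
        String alias = args.length > 0 ? args[0] : "codesign"; // assumed key label in the HSM
        Provider provider = loadCloudHsmProvider();
        Security.addProvider(provider);

        KeyStore ks = openKeyStore(provider,
                                   System.getenv("CLOUDHSM_USER"),
                                   System.getenv("CLOUDHSM_PASSWORD"));

        // List what the module exposes; useful to confirm the label before wiring it into a signer.
        for (String a : Collections.list(ks.aliases())) {
            System.out.println("alias: " + a + " (key entry: " + ks.isKeyEntry(a) + ")");
        }

        PrivateKey key = (PrivateKey) ks.getKey(alias, null);
        if (key == null) {
            throw new IllegalStateException("no private key with label " + alias);
        }

        byte[] data = "constructed sample payload".getBytes(StandardCharsets.UTF_8);
        byte[] signature = sign(provider, key, data);
        System.out.println("signature length: " + signature.length + " bytes");

        // Certificates are often not stored in the HSM at all; in that case the chain has to be
        // supplied from a file (as Jsign does with a certificate file for hardware tokens).
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null || chain.length == 0) {
            System.out.println("no certificate chain in the HSM for " + alias + "; load it from a PEM file");
            return;
        }
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(chain[0].getPublicKey());
        verifier.update(data);
        System.out.println("signature valid: " + verifier.verify(signature));
    }
}
```

The point a storetype implementation has to get right is that everything touching the private key goes through the PKCS#11-bound provider (the `Signature.getInstance(..., provider)` call), while verification can use any provider because only the public key is needed. On JDK 8 the provider would instead be instantiated with `new sun.security.pkcs11.SunPKCS11(configFile)`.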