Add support for HSM #8349
Comments
jzheaux
added
type: enhancement
|
+1 This would be very useful to have supported due to security requirements on where the private keys are stored. |
|
+1 |
|
+1 |
|
would be very useful enhancement |
|
+1 |
|
+1 |
|
I need this for my project |
|
Thanks for opening this issue. I am currently working on an IDP-initiated solution and can confirm that a custom The problem is that the |
|
Hi @jzheaux by any chance was there any progress on this or at least a plan to include it in an upcoming release? |
|
Hi, @ryan13mt, there is no plan or progress on this issue. One thing that might help, though, is to begin with a sample. @duncanportelli, is your implementation something that you can share via GitHub? This could at least get the conversation started about what is the appropriate thing to expose to simplify this. While introducing an inheritance-based solution is a possibility, I wonder if there is a sensible composition-based one. |
|
Hi @jzheaux, Sure. I uploaded a sample spring boot application in which you can see the number of overridden classes in order to create a custom decrypter to include the decryption logic (in this case via the Azure Key Vault). |
|
Hi @jzheaux and @duncanportelli, Our use case (having private key on an HSM) would only require to handle the decryption part since that is the only time we need the actual private key to be used. @duncanportelli i'm not sure about your use case, but it seems like ours since in your sample application you mentioned a custom decrypter as well. Since the other keys are all 'public' they can technically be stored locally on the machine. @jzheaux the company i work at is ready to invest resources in contributing to this issue and develop the code needed to handle a private key stored on an HSM. Would you be willing to accept a pull request of this feature (decryption by HSM)? Or do you require that the contribution includes a full HSM integration that includes encryption, signing and verification as well? Maybe we can create a separate issue that handles the decryption specifically. Thanks and looking forward to contribute to this open-source community |
|
@ryan13mt, thanks for your message. We are currently working on an IDP initiated SSO solution so signing and encryption is not required in our case. With regards to verification, we are doing it using a public key which doesn't need to be stored in an HSM. That being said, only decryption is required in our scenario as well. |
|
Hey @jzheaux i just saw that the getDecrypter method has been changed into a DecrypterConverter. If we add a setter for this converter, could we technically just pass it our own custom decrypter to fix this issue? |
|
@ryan13mt, yes, that was the idea I was playing with while preparing the 5.4 release. Yes, a pull request would be welcome. While I understand that your use case is for decryption only, would you be able to provide a PR that handles signature validation as well? I believe it will be the same conceptually, returning a |
|
@jzheaux wouldn't the signature validation be done using the public certificate provided by the asserting party in their metadata? Or have i misunderstood your use case? |
|
No, @ryan13mt, I just got my wires crossed. The ticket here calls for support in However, thinking more about this, it would be better to wait on I've got some additional thoughts about decryption. Now that these tasks are separated, I've added those thoughts to #9044. |
Many applications will not deal with keys at all but will instead send data to a service like Vault to be encrypted, decrypted, signed, and verified.
Currently, an application needs to implement their own
Saml2AuthenticationRequestFactoryandAuthenticationProviderto achieve this. It would be nice if applications could implement something more targeted to cryptographic operations.The text was updated successfully, but these errors were encountered: