[CloudHSM][JCE provider] Migration from SDK3 to SDK5, load via key handle

0

Hello,

We currently use the SDK 3 in our Java application in order to use the HSM. We need to migrate to SDK5 since we need an algorithm only available in SDK5.

To encrypt things, we retrieve the key in our application using the key handle with the following code.

import com.cavium.cfm2.CFM2Exception;
import com.cavium.cfm2.Util;
import com.cavium.key.CaviumAESKey;
import com.cavium.key.CaviumKey;
import com.cavium.key.CaviumKeyAttributes;
import com.cavium.key.CaviumRSAPrivateKey;

// SDK 3: a key handle stays the same for the lifetime of the key, so the
// application can rebuild the key object from a stored handle.
byte[] keyAttribute = Util.getKeyAttributes(handle);   // throws CFM2Exception
CaviumKeyAttributes cka = new CaviumKeyAttributes(keyAttribute);

CaviumKey key = null;

if (cka.getKeyType() == CaviumKeyAttributes.KEY_TYPE_AES) {
    key = new CaviumAESKey(handle, cka);
} else if (cka.getKeyType() == CaviumKeyAttributes.KEY_TYPE_RSA
        && cka.getKeyClass() == CaviumKeyAttributes.CLASS_PRIVATE_KEY) {
    key = new CaviumRSAPrivateKey(handle, cka);
}
....

When looking at the SDK5 sample, it seems that this method is no longer available and we need to load keys via label. Is there any way to load them via the key handle?

1 Answer
0

From the query, I understand that you would like to use the key handle to refer to the keys in your Java application using Client SDK 5, which was possible using Client SDK 3. Hence, you would like to understand if this is supported on Client SDK 5, and if supported, how to achieve the same.

Proceeding ahead, I would like to highlight that with Client SDK 5 the key handle changes all the time, whereas with Client SDK 3 it stays consistent through the lifetime of the key. When migrating from SDK 3 to SDK 5, the consideration below needs to be followed in order to reference the key using the key handle.

Use the same key handles across different runs of an application: To successfully use key handles in Client SDK 5, you must obtain key handles each time you run an application. If you have existing applications that expect to use the same key handles across different runs, you must modify your code to obtain the key handle each time you run the application. This change is in compliance with the PKCS #11 2.40 specification.[1]

To explain it further, key handles are fixed with SDK 3, but they vary every session with SDK 5. The right way using SDK 5 is to search for the required key using some attribute such as key label or key ID. This will return one or more objects to the Java application; then you can use one of the key objects for your cryptographic operations. Additionally, in case you have several keys with the same label, you will have to use the key ID instead (you can set the key ID when generating keys). Otherwise, you will have to generate new keys with unique labels. Providing a few reference links below which may be useful to you.

References:

[1] Migrating from Client SDK 3 to Client SDK 5:

https://docs.aws.amazon.com/cloudhsm/latest/userguide/migrate-sdk.html

[2] Code samples for the AWS CloudHSM software library for Java for Client SDK 5:

https://docs.aws.amazon.com/cloudhsm/latest/userguide/java-samples_5.html

[3] Supported Java attributes for Client SDK 5:

https://docs.aws.amazon.com/cloudhsm/latest/userguide/java-lib-attributes_5.html

[4] aws-cloudhsm-jce-examples:

https://github.com/aws-samples/aws-cloudhsm-jce-examples/blob/sdk5/src/main/java/com/amazonaws/cloudhsm/examples/KeyUtilitiesRunner.java#L51

https://github.com/aws-samples/aws-cloudhsm-jce-examples/blob/sdk5/src/main/java/com/amazonaws/cloudhsm/examples/KeyUtilitiesRunner.java#L192

https://github.com/aws-samples/aws-cloudhsm-jce-examples/blob/sdk5/src/main/java/com/amazonaws/cloudhsm/examples/KeyUtilitiesRunner.java#L200

answered a year ago
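The lookup-by-attribute pattern the answer describes, as an added example (not code from the question, the answer, or the AWS samples). It assumes the Client SDK 5 JCE classes CloudHsmProvider, KeyStoreWithAttributes, KeyAttributesMap and KeyAttribute as documented by AWS, and assumes getKey returns null when nothing matches; the label and ID values are placeholders chosen by the caller.

```java
import java.security.Key;
import java.security.PrivateKey;
import java.security.Security;
import javax.crypto.SecretKey;

import com.amazonaws.cloudhsm.jce.provider.CloudHsmProvider;
import com.amazonaws.cloudhsm.jce.provider.KeyStoreWithAttributes;
import com.amazonaws.cloudhsm.jce.provider.attributes.KeyAttribute;
import com.amazonaws.cloudhsm.jce.provider.attributes.KeyAttributesMap;

public final class Sdk5KeyLookup {

    /**
     * Looks the key up by label (and, when given, by key ID) on every run
     * instead of persisting a handle: SDK 5 handles are only valid within the
     * session that obtained them, so a stored handle must never be reused.
     */
    public static Key findKey(String label, byte[] keyId) throws Exception {
        if (Security.getProvider(CloudHsmProvider.PROVIDER_NAME) == null) {
            Security.addProvider(new CloudHsmProvider());
        }
        KeyAttributesMap findSpec = new KeyAttributesMap();
        findSpec.put(KeyAttribute.LABEL, label);
        if (keyId != null) {
            // Labels need not be unique; the ID set at key generation time
            // disambiguates keys that share a label.
            findSpec.put(KeyAttribute.ID, keyId);
        }
        KeyStoreWithAttributes keyStore =
                KeyStoreWithAttributes.getInstance(CloudHsmProvider.PROVIDER_NAME);
        keyStore.load(null, null);
        Key key = keyStore.getKey(findSpec);   // assumption: null when no match
        if (key == null) {
            throw new IllegalStateException("no key matched label=" + label);
        }
        return key;
    }

    // Same dispatch as the SDK 3 snippet in the question, but driven by the
    // JCE key type rather than by Cavium attribute constants.
    public static String describe(Key key) {
        if (key instanceof SecretKey && "AES".equals(key.getAlgorithm())) {
            return "AES secret key";
        }
        if (key instanceof PrivateKey && "RSA".equals(key.getAlgorithm())) {
            return "RSA private key";
        }
        return "other key type: " + key.getAlgorithm();
    }
}
```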
