spring-attic / spring-security-saml

SAML extension for the Spring Security project

Using HSM with KeyManager #475

Closed rjpereira closed 4 years ago

rjpereira commented 4 years ago

Hi. I am new to Spring Security SAML, but would appreciate your advice and experience to guide me. I want to use an HSM to deal with encryption/decryption, signing/verification of everything keys related (will use AWS KMS Asymmetric keys). Through Spring security this is managed by KeyManager interface which is supposed to give access to Private and Public Credentials, which in turn should give access to raw byte[].

That's exactly the point that I want to avoid: with an HSM I have access to public byte[] but not private: we are supposed to use HSM apis for encryption, without being able to access them.

Can someone advise what would be the changes/overrides I should look into to change the KeyManager behavior?

Thanks
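The situation described in the question (a private key that can be referenced for signing but never read out) maps onto Java's JCA provider model: the key becomes an opaque handle whose encoding is null, and a custom provider's Signature engine delegates the actual operation to the HSM. The following is an added illustration, not code from this thread or from spring-security-saml; it assumes a hypothetical `HsmSigner` client interface and a key known only by its id, and such a handle would be the `PrivateKey` placed in the Credential that a KeyManager returns.

```java
import java.io.ByteArrayOutputStream;
import java.security.*;
import java.util.Map;

// Opaque handle for a key that lives in the HSM (assumed: only a key id is known; no encoding exists by design).
final class HsmPrivateKeyHandle implements PrivateKey {
    final String keyId;
    HsmPrivateKeyHandle(String keyId) { this.keyId = keyId; }
    public String getAlgorithm() { return "RSA"; }
    public String getFormat() { return null; }
    public byte[] getEncoded() { return null; }   // private material is never exposed to the JVM
}

// Hypothetical client contract; a real one would call the HSM/KMS sign operation with the key id.
interface HsmSigner { byte[] sign(String keyId, byte[] data); }

// Signature engine: buffers the data to be signed, then delegates the signing itself to the HSM.
final class HsmSignatureSpi extends SignatureSpi {
    private final HsmSigner hsm;
    private final ByteArrayOutputStream buf = new ByteArrayOutputStream();
    private HsmPrivateKeyHandle key;
    HsmSignatureSpi(HsmSigner hsm) { this.hsm = hsm; }
    protected void engineInitSign(PrivateKey k) throws InvalidKeyException {
        if (!(k instanceof HsmPrivateKeyHandle)) throw new InvalidKeyException("not an HSM key handle");
        key = (HsmPrivateKeyHandle) k;
        buf.reset();
    }
    // Verification needs only the public key: refuse here so JCA falls through to the default provider.
    protected void engineInitVerify(PublicKey k) throws InvalidKeyException {
        throw new InvalidKeyException("verification is handled by the default provider");
    }
    protected void engineUpdate(byte b) { buf.write(b); }
    protected void engineUpdate(byte[] b, int off, int len) { buf.write(b, off, len); }
    protected byte[] engineSign() { return hsm.sign(key.keyId, buf.toByteArray()); }
    protected boolean engineVerify(byte[] sig) { throw new UnsupportedOperationException(); }
    protected void engineSetParameter(String p, Object v) { throw new InvalidParameterException(p); }
    protected Object engineGetParameter(String p) { throw new InvalidParameterException(p); }
}

// Provider advertising SHA256withRSA only for HsmPrivateKeyHandle keys. Register it with
// Security.insertProviderAt(new HsmProvider(client), 1); Signature.getInstance("SHA256withRSA")
// then selects this engine whenever initSign() receives an HSM handle and the JDK engine otherwise.
final class HsmProvider extends Provider {
    HsmProvider(HsmSigner hsm) {
        super("HsmDelegate", "1.0", "Delegates RSA signing to an HSM");
        putService(new Service(this, "Signature", "SHA256withRSA", HsmSignatureSpi.class.getName(),
                null, Map.of("SupportedKeyClasses", HsmPrivateKeyHandle.class.getName())) {
            @Override public Object newInstance(Object unused) { return new HsmSignatureSpi(hsm); }
        });
    }
}
```

Because the SAML signing stack ultimately calls `java.security.Signature`, the library code never needs the raw private key bytes; only the HSM client does.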

ryan13mt commented 4 years ago

+1 since we have a client requirement to store all the keys in an HSM or HSM backed vault like Azure Key Vault which doesn't return the private keys.

jcputney commented 4 years ago

Have to add our +1 to this as well, as we would love to move key management into KMS for SAML.

Koshux commented 4 years ago

+1 here as well!

duncanportelli commented 4 years ago

@jzheaux,

Is the effort for this solution going to be done on the Spring SAML Extension (which is no longer actively maintained) or else on the SAML authentication part of the core Spring Security please?

jzheaux commented 4 years ago

@rjpereira If you are using 2.x, you might be able to get this working by making some adjustments to OpenSamlImplementation. This is where the OpenSAML cryptography support is in the 2.x release train.

1.x doesn't really have a cryptography abstraction, so I believe you'd need to modify several components to get HSM working.

jzheaux commented 4 years ago

@duncanportelli I imagine that this is a big enough change that it would be better to place the effort into Spring Security proper instead of the extension. I've created a ticket to track that effort - https://github.com/spring-projects/spring-security/issues/8349