Generate key and key pair functions Cipher functions Sign and verify functions Digest functions Hash-based message authentication code (HMAC) functions Cipher-based message authentication code (CMAC) functions Convert keys to key specifications using key factories Mechanism annotations

Supported mechanisms for JCE provider for AWS CloudHSM Client SDK 3

This topic provides information about supported mechanisms for JCE provider with AWS CloudHSM Client SDK 5. For information about the Java Cryptography Architecture (JCA) interfaces and engine classes supported by AWS CloudHSM, see the following topics.

Topics

Generate key and key pair functions
Cipher functions
Sign and verify functions
Digest functions
Hash-based message authentication code (HMAC) functions
Cipher-based message authentication code (CMAC) functions
Convert keys to key specifications using key factories
Mechanism annotations

Generate key and key pair functions

The AWS CloudHSM software library for Java allows you to use the following operations for generate key and key pair functions.

RSA
EC
AES
DESede (Triple DES)^{see note 1}
GenericSecret

Cipher functions

The AWS CloudHSM software library for Java supports the following algorithm, mode, and padding combinations.

Algorithm	Mode	Padding	Notes
AES	CBC	`AES/CBC/NoPadding` `AES/CBC/PKCS5Padding`	Implements `Cipher.ENCRYPT_MODE` and `Cipher.DECRYPT_MODE`. Implements `Cipher.UNWRAP_MODE for AES/CBC NoPadding`
AES	ECB	`AES/ECB/PKCS5Padding` `AES/ECB/NoPadding`	Implements `Cipher.ENCRYPT_MODE` and `Cipher.DECRYPT_MODE`.
AES	CTR	`AES/CTR/NoPadding`	Implements `Cipher.ENCRYPT_MODE` and `Cipher.DECRYPT_MODE`.
AES	GCM	`AES/GCM/NoPadding`	Implements `Cipher.WRAP_MODE`, `Cipher.UNWRAP_MODE`, `Cipher.ENCRYPT_MODE`, and `Cipher.DECRYPT_MODE`. When performing AES-GCM encryption, the HSM ignores the initialization vector (IV) in the request and uses an IV that it generates. When the operation completes, you must call `Cipher.getIV()` to get the IV.
AESWrap	ECB	`AESWrap/ECB/NoPadding` `AESWrap/ECB/PKCS5Padding` `AESWrap/ECB/ZeroPadding`	Implements `Cipher.WRAP_MODE` and `Cipher.UNWRAP_MODE`.
DESede (Triple DES)	CBC	`DESede/CBC/PKCS5Padding` `DESede/CBC/NoPadding`	Implements `Cipher.ENCRYPT_MODE` and `Cipher.DECRYPT_MODE`. See note 1 below for an upcoming change.
DESede (Triple DES)	ECB	`DESede/ECB/NoPadding` `DESede/ECB/PKCS5Padding`	Implements `Cipher.ENCRYPT_MODE` and `Cipher.DECRYPT_MODE`. See note 1 below for an upcoming change.
RSA	ECB	`RSA/ECB/PKCS1Padding` ^{see note 1} `RSA/ECB/OAEPPadding` `RSA/ECB/OAEPWithSHA-1ANDMGF1Padding` `RSA/ECB/OAEPWithSHA-224ANDMGF1Padding` `RSA/ECB/OAEPWithSHA-256ANDMGF1Padding` `RSA/ECB/OAEPWithSHA-384ANDMGF1Padding` `RSA/ECB/OAEPWithSHA-512ANDMGF1Padding`	Implements `Cipher.WRAP_MODE`, `Cipher.UNWRAP_MODE`, `Cipher.ENCRYPT_MODE`, and `Cipher.DECRYPT_MODE`.
RSA	ECB	`RSA/ECB/NoPadding`	Implements `Cipher.ENCRYPT_MODE` and `Cipher.DECRYPT_MODE`.
RSAAESWrap	ECB	`RSAAESWrap/ECB/OAEPPadding` `RSAAESWrap/ECB/OAEPWithSHA-1ANDMGF1Padding` `RSAAESWrap/ECB/OAEPWithSHA-224ANDMGF1Padding` `RSAAESWrap/ECB/OAEPWithSHA-256ANDMGF1Padding` `RSAAESWrap/ECB/OAEPWithSHA-384ANDMGF1Padding` `RSAAESWrap/ECB/OAEPWithSHA-512ANDMGF1Padding`	Implements `Cipher.WRAP_MODE` and `Cipher.UNWRAP_MODE`.

Sign and verify functions

The AWS CloudHSM software library for Java supports the following types of signature and verification. With Client SDK 5 and signature algorithms with hashing, the data is hashed locally in software before being sent to the HSM for the signature/verification. This means there is no limit on the size of the data that can be hashed by the SDK.

RSA Signature Types

NONEwithRSA
RSASSA-PSS
SHA1withRSA
SHA1withRSA/PSS
SHA1withRSAandMGF1
SHA224withRSA
SHA224withRSAandMGF1
SHA224withRSA/PSS
SHA256withRSA
SHA256withRSAandMGF1
SHA256withRSA/PSS
SHA384withRSA
SHA384withRSAandMGF1
SHA384withRSA/PSS
SHA512withRSA
SHA512withRSAandMGF1
SHA512withRSA/PSS

ECDSA Signature Types

NONEwithECDSA
SHA1withECDSA
SHA224withECDSA
SHA256withECDSA
SHA384withECDSA
SHA512withECDSA

Digest functions

The AWS CloudHSM software library for Java supports the following message digests. With Client SDK 5, the data is hashed locally in software. This means there is no limit on the size of the data that can be hashed by the SDK.

SHA-1
SHA-224
SHA-256
SHA-384
SHA-512

Hash-based message authentication code (HMAC) functions

The AWS CloudHSM software library for Java supports the following HMAC algorithms.

HmacSHA1 (Maximum data size in bytes: 16288)
HmacSHA224 (Maximum data size in bytes: 16256)
HmacSHA256 (Maximum data size in bytes: 16288)
HmacSHA384 (Maximum data size in bytes: 16224)
HmacSHA512 (Maximum data size in bytes: 16224)

Cipher-based message authentication code (CMAC) functions

CMACs (Cipher-based message authentication codes) create message authentication codes (MACs) using a block cipher and a secret key. They differ from HMACs in that they use a block symmetric key method for the MACs rather than a hashing method.

The AWS CloudHSM software library for Java supports the following CMAC algorithms.

AESCMAC

Convert keys to key specifications using key factories

You can use key factories to convert keys to key specifications. AWS CloudHSM has two types of key factories for JCE:

SecretKeyFactory: Used to import or derive symmetric keys. Using SecretKeyFactory, you can pass a supported Key or a supported KeySpec to import or derive symmetric keys into AWS CloudHSM. Following are the supported specs for KeyFactory:

For SecretKeyFactory's generateSecret method following KeySpec classes are supported:
- KeyAttributesMapcan be used to import a key bytes with addtional attributes as a CloudHSM Key. An example can be found here here.
- SecretKeySpeccan be used to import a symmetric key spec as a CloudHSM Key.
- AesCmacKdfParameterSpeccan be used to derive symmetric keys using another CloudHSM AES Key.

Note

SecretKeyFactory's translateKey method takes any key that implements the key interface.

KeyFactory: Used for importing asymmetric keys. Using KeyFactory, you can pass a supported Key or supported KeySpec to import an asymmetric key into AWS CloudHSM. For more information, refer to the following resources:

For KeyFactory's generatePublic method, following KeySpec classes are supported:
CloudHSM KeyAttributesMap for both RSA and EC KeyTypes, including:
- CloudHSM KeyAttributesMap for both RSA and EC public KeyTypes. An example can be found here
- X509EncodedKeySpec for both RSA and EC Public Key
- RSAPublicKeySpec for RSA Public Key
- ECPublicKeySpec for EC Public Key
For KeyFactory's generatePrivate method, following KeySpec classes are supported:
CloudHSM KeyAttributesMap for both RSA and EC KeyTypes, including:
- CloudHSM KeyAttributesMap for both RSA and EC public KeyTypes. An example can be found here
- PKCS8EncodedKeySpec for both EC and RSA Private Key
- RSAPrivateCrtKeySpec for RSA Private Key
- ECPrivateKeySpec for EC Private Key

For KeyFactory's translateKey method, it takes in any Key that implements the Key Interface.

Mechanism annotations

[1] In accordance with NIST guidance, this is disallowed for clusters in FIPS mode after 2023. For clusters in non-FIPS mode, it is still allowed after 2023. See FIPS 140 Compliance: 2024 Mechanism Deprecation for details.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Key management basics

Key attributes