Supported mechanisms for JCE provider for AWS CloudHSM Client SDK 5
This topic provides information about supported mechanisms for JCE provider with AWS CloudHSM Client SDK 5. For information about the Java Cryptography Architecture (JCA) interfaces and engine classes supported by AWS CloudHSM, see the following topics.
Topics
Generate key and key pair functions
The AWS CloudHSM software library for Java allows you to use the following operations for generate key and key pair functions.
-
RSA
-
EC
-
AES
-
DESede (Triple DES)
see note 1 -
GenericSecret
Cipher functions
The AWS CloudHSM software library for Java supports the following algorithm, mode, and padding combinations.
Algorithm | Mode | Padding | Notes |
---|---|---|---|
AES | CBC |
|
Implements Implements |
AES | ECB |
|
Implements |
AES | CTR |
|
Implements |
AES | GCM |
|
Implements When performing
AES-GCM encryption, the HSM ignores the initialization vector (IV)
in the request and uses an IV that it generates. When the operation
completes, you must call |
AESWrap | ECB |
|
Implements |
DESede (Triple DES) | CBC |
|
Implements |
DESede (Triple DES) | ECB |
|
Implements |
RSA | ECB |
|
Implements |
RSA | ECB |
|
Implements |
RSAAESWrap | ECB |
|
Implements |
Sign and verify functions
The AWS CloudHSM software library for Java supports the following types of signature and verification. With Client SDK 5 and signature algorithms with hashing, the data is hashed locally in software before being sent to the HSM for the signature/verification. This means there is no limit on the size of the data that can be hashed by the SDK.
RSA Signature Types
-
NONEwithRSA
-
RSASSA-PSS
-
SHA1withRSA
-
SHA1withRSA/PSS
-
SHA1withRSAandMGF1
-
SHA224withRSA
-
SHA224withRSAandMGF1
-
SHA224withRSA/PSS
-
SHA256withRSA
-
SHA256withRSAandMGF1
-
SHA256withRSA/PSS
-
SHA384withRSA
-
SHA384withRSAandMGF1
-
SHA384withRSA/PSS
-
SHA512withRSA
-
SHA512withRSAandMGF1
-
SHA512withRSA/PSS
ECDSA Signature Types
-
NONEwithECDSA
-
SHA1withECDSA
-
SHA224withECDSA
-
SHA256withECDSA
-
SHA384withECDSA
-
SHA512withECDSA
Digest functions
The AWS CloudHSM software library for Java supports the following message digests. With Client SDK 5, the data is hashed locally in software. This means there is no limit on the size of the data that can be hashed by the SDK.
-
SHA-1
-
SHA-224
-
SHA-256
-
SHA-384
-
SHA-512
Hash-based message authentication code (HMAC) functions
The AWS CloudHSM software library for Java supports the following HMAC algorithms.
-
HmacSHA1
(Maximum data size in bytes: 16288) -
HmacSHA224
(Maximum data size in bytes: 16256) -
HmacSHA256
(Maximum data size in bytes: 16288) -
HmacSHA384
(Maximum data size in bytes: 16224) -
HmacSHA512
(Maximum data size in bytes: 16224)
Cipher-based message authentication code (CMAC) functions
CMACs (Cipher-based message authentication codes) create message authentication codes (MACs) using a block cipher and a secret key. They differ from HMACs in that they use a block symmetric key method for the MACs rather than a hashing method.
The AWS CloudHSM software library for Java supports the following CMAC algorithms.
-
AESCMAC
Convert keys to key specifications using key factories
You can use key factories to convert keys to key specifications. AWS CloudHSM has two types of key factories for JCE:
SecretKeyFactory: Used to import or derive symmetric keys. Using SecretKeyFactory, you can pass a supported Key or a supported KeySpec to import or derive symmetric keys into AWS CloudHSM. Following are the supported specs for KeyFactory:
-
For SecretKeyFactory's
generateSecret
method following KeySpecclasses are supported: KeyAttributesMapcan be used to import a key bytes with addtional attributes as a CloudHSM Key. An example can be found here here
. SecretKeySpec
can be used to import a symmetric key spec as a CloudHSM Key. AesCmacKdfParameterSpeccan be used to derive symmetric keys using another CloudHSM AES Key.
Note
SecretKeyFactory's translateKey
method takes any key that implements the key
KeyFactory: Used for importing asymmetric keys. Using KeyFactory, you can pass a supported Key or supported KeySpec to import an asymmetric key into AWS CloudHSM. For more information, refer to the following resources:
For KeyFactory's
generatePublic
method, following KeySpecclasses are supported: CloudHSM KeyAttributesMap for both RSA and EC KeyTypes, including:
CloudHSM KeyAttributesMap for both RSA and EC public KeyTypes. An example can be found here
X509EncodedKeySpec
for both RSA and EC Public Key RSAPublicKeySpec
for RSA Public Key ECPublicKeySpec
for EC Public Key
For KeyFactory's
generatePrivate
method, following KeySpecclasses are supported: CloudHSM KeyAttributesMap for both RSA and EC KeyTypes, including:
CloudHSM KeyAttributesMap for both RSA and EC public KeyTypes. An example can be found here
PKCS8EncodedKeySpec
for both EC and RSA Private Key RSAPrivateCrtKeySpec
for RSA Private Key ECPrivateKeySpec
for EC Private Key
For KeyFactory's translateKey
method, it takes in any Key that implements the Key Interface
Mechanism annotations
[1] In accordance with NIST guidance, this is disallowed for clusters in FIPS mode after 2023. For clusters in non-FIPS mode, it is still allowed after 2023. See FIPS 140 Compliance: 2024 Mechanism Deprecation for details.