Hi all,

I’m working on a project to integrate HSM support for WSO2 IS[1]. I have
implemented a component[2] conforming to the Carbon Crypto Service API
specification, to provide cryptographic operations using an HSM. Currently
I’m exploring possible extension points in the WSO2 IS to use Carbon Crypto
Service[3]. I’m mainly focusing on ways to extend SAML and OAuth
implementations.


At the moment I’m researching possible ways to extend OAuth JWT
sign/verification operations to use Carbon Crypto Service. In WSO2 IS,
OAuth’s cryptographic operations are handled by an open source library, Nimbus
JOSE + JWT[4].


Following is the normal flow of an OAuth JWT signing operation[5] request
handled by Nimbus.


There are two possible extensions to use Carbon Crypto Service to support
OAuth’s cryptographic requirements as marked in the figure.


   1. Use carbon crypto service only to retrieve keys and certificates.
   2. Extend Nimbus Crypto Interface to use Crypto Service for cryptographic
      operations.


But the issue associated with option 1 is that the primary purpose of an HSM is to
protect sensitive materials (private keys etc.) and it’s a bad practice to
retrieve private keys from an HSM. Standard practice is to delegate the
cryptographic operation to the HSM with a key alias related to the operation.

Nimbus Crypto Interface has a default implementation which uses JCE
providers to carry out cryptographic operations. But the default implementation
requires private keys to be provided as inputs. So extending the default
implementation has the same issue I discussed above.

Since WSO2 IS uses RSA for sign/verification for OAuth, I have designed an
extension of Nimbus Crypto Interface to carry out RSA sign/verification
operations using the Carbon Crypto Service.

Following is the class diagram of the design.




If you have any other possible solutions or suggestions regarding the above
scenario, feel free to discuss.

References

[1] [IAM] Introducing HSM support for Identity Server

[2] HSM based crypto provider component -
https://github.com/karu95/carbon-crypto-service/tree/HSMProvider/components/org.wso2.carbon.crypto.hsmbasedcryptoprovider

[3] Carbon Crypto Service - https://github.com/wso2/carbon-crypto-service

[4] Nimbus JOSE + JWT - https://connect2id.com/products/nimbus-jose-jwt
[5] OAuth JWT sign operation implementation -
https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/9b666e0320ab6639c4bdccb1675d111ad3e4ec45/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/util/OAuth2Util.java#L1986
[6] OAuth JWT validation operation implementation -
https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/9b666e0320ab6639c4bdccb1675d111ad3e4ec45/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/util/OAuth2Util.java#L1812

Regards,
*Mevan Karunanayake*
Trainee Software Engineer | WSO2
Email : me...@wso2.com
Mobile : +94 71 202 8954
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
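
Option 2 from the message above, as an added example (not the author's design and not WSO2 code): a Nimbus `JWSSigner` that forwards the JWS signing input to the HSM under a key alias instead of taking a private key. It assumes the `JWSSigner` interface of Nimbus JOSE + JWT 4.x or later; `AliasSigner` and `HsmDelegatingRSASigner` are hypothetical names, with `AliasSigner` standing in for the Carbon Crypto Service call, whose signature is not shown on this page.

```java
import com.nimbusds.jose.*;
import com.nimbusds.jose.jca.JCAContext;
import com.nimbusds.jose.util.Base64URL;
import java.util.*;

/** Hypothetical stand-in for the HSM-backed crypto service: signs by key alias only. */
interface AliasSigner {
    byte[] sign(String keyAlias, String jcaAlgorithm, byte[] data) throws Exception;
}

/** JWSSigner that never holds the private key; it forwards the signing input to the HSM. */
public final class HsmDelegatingRSASigner implements JWSSigner {
    // JWS algorithm -> JCA signature name the HSM side is asked to perform.
    private static final Map<JWSAlgorithm, String> JCA_NAMES = new LinkedHashMap<>();
    static {
        JCA_NAMES.put(JWSAlgorithm.RS256, "SHA256withRSA");
        JCA_NAMES.put(JWSAlgorithm.RS384, "SHA384withRSA");
        JCA_NAMES.put(JWSAlgorithm.RS512, "SHA512withRSA");
    }
    private final AliasSigner hsm;
    private final String keyAlias;
    private final JCAContext jcaContext = new JCAContext();

    public HsmDelegatingRSASigner(AliasSigner hsm, String keyAlias) {
        this.hsm = Objects.requireNonNull(hsm);
        this.keyAlias = Objects.requireNonNull(keyAlias);
    }

    @Override
    public Base64URL sign(JWSHeader header, byte[] signingInput) throws JOSEException {
        String jcaName = JCA_NAMES.get(header.getAlgorithm());
        if (jcaName == null) { // reject "none", HMAC and anything else this RSA alias is not meant for
            throw new JOSEException("Unsupported JWS algorithm: " + header.getAlgorithm());
        }
        try {
            // Only the alias and the bytes to sign cross the boundary; the key stays in the HSM.
            return Base64URL.encode(hsm.sign(keyAlias, jcaName, signingInput));
        } catch (Exception e) {
            throw new JOSEException("HSM signing failed for alias " + keyAlias, e);
        }
    }

    @Override
    public Set<JWSAlgorithm> supportedJWSAlgorithms() {
        return Collections.unmodifiableSet(JCA_NAMES.keySet());
    }

    @Override
    public JCAContext getJCAContext() {
        return jcaContext;
    }
}
```

An instance is passed to `SignedJWT.sign(...)` in place of Nimbus's `RSASSASigner`; verification needs only the public key or certificate, so it can stay on the default verifier.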