Hyperledger Web3j: HSM support for AWS KMS

In the world of digital security, protecting sensitive data with robust encryption is essential. AWS Key Management Service (KMS) plays a crucial role in this space. It serves as a highly secure, fully managed service for creating and controlling cryptographic keys. What many may not realize is that AWS KMS itself operates as a Hardware Security Module (HSM), offering the same level of security you'd expect from dedicated hardware solutions.

An HSM is a physical device designed to securely generate, store, and manage encryption keys, and AWS KMS delivers this functionality in a cloud-native way. Beyond key management, AWS KMS with HSM support can also be used to sign cryptographic transactions. This provides a trusted, hardware-backed way to secure blockchain interactions, digital signatures, and more. This article will cover  how AWS KMS functions as an HSM, the benefits of using it to sign crypto transactions, and how it fits into a broader security strategy.

In Hyperledger Web3j, support for HSM was introduced two years ago, providing users with a secure method for managing cryptographic keys. For more details, you can refer to the official documentation.

However, despite this integration, many users have encountered challenges in adopting and implementing HSM interfaces, particularly when using the AWS KMS module. To address these difficulties, a ready-to-use implementation has been added specifically for AWS KMS HSM support. This simplifies the integration process, making it easier for users to leverage AWS KMS for secure transaction signing without the complexity of manual configurations.

The class, HSMAwsKMSRequestProcessor, is an implementation of the HSMRequestProcessor interface, which is responsible for facilitating interaction with an HSM. This newly implemented class contains all the essential code required to communicate with AWS KMS, enabling the retrieval of data signed with the correct cryptographic signature. It simplifies the process of using AWS KMS as an HSM by handling the intricacies of signature generation and ensuring secure transaction signing without additional development overhead.

Here is a snippet with the most important actions of the callHSM method:

@Override
    public Sign.SignatureData callHSM(byte[] dataToSign, HSMPass pass) {

        // Create the SignRequest for AWS KMS
        var signRequest =
                SignRequest.builder()
                        .keyId(keyID)
                        .message(SdkBytes.fromByteArray(dataHash))
                        .messageType(MessageType.DIGEST)
                        .signingAlgorithm(SigningAlgorithmSpec.ECDSA_SHA_256)
                        .build();

        // Sign the data using AWS KMS
        var signResult = kmsClient.sign(signRequest);
        var signatureBuffer = signResult.signature().asByteBuffer();

        // Convert the signature to byte array
        var signBytes = new byte[signatureBuffer.remaining()];
        signatureBuffer.get(signBytes);

        // Verify signature osn KMS
        var verifyRequest =
                VerifyRequest.builder()
                        .keyId(keyID)
                        .message(SdkBytes.fromByteArray(dataHash))
                        .messageType(MessageType.DIGEST)
                        .signingAlgorithm(SigningAlgorithmSpec.ECDSA_SHA_256)
                        .signature(SdkBytes.fromByteArray(signBytes))
                        .build();

        var verifyRequestResult = kmsClient.verify(verifyRequest);
        if (!verifyRequestResult.signatureValid()) {
            throw new RuntimeException("KMS signature is not valid!");
        }

        var signature = CryptoUtils.fromDerFormat(signBytes);
        return Sign.createSignatureData(signature, pass.getPublicKey(), dataHash);
    }

NOTE!

In order to use this properly, the type of key spec created in AWS KMS must be ECC_SECG_P256K1. This is specific to the crypto space, especially to EVM. Using any other key will result in a mismatch error when the  data signature is created.

Example

Here is a short example of how to call the callHSM method from the library:

public static void main(String[] args) throws Exception {
   KmsClient client = KmsClient.create();

   // extract the KMS key
   byte[] derPublicKey = client
           .getPublicKey((var builder) -> {
               builder.keyId(kmsKeyId);
           })
           .publicKey()
           .asByteArray();
   byte[] rawPublicKey = SubjectPublicKeyInfo
           .getInstance(derPublicKey)
           .getPublicKeyData()
           .getBytes();

   BigInteger publicKey = new BigInteger(1, Arrays.copyOfRange(rawPublicKey, 1, rawPublicKey.length));
  
   HSMPass pass = new HSMPass(null, publicKey);

   HSMRequestProcessor signer = new HSMAwsKMSRequestProcessor(client, kmsKeyId);
   signer.callHSM(data, pass);
}

Conclusion

AWS KMS, with its built-in HSM functionality, offers a powerful solution for securely managing and signing cryptographic transactions. Despite initial challenges faced by users in integrating AWS KMS with Hyperledger Web3j, the introduction of the HSMAwsKMSRequestProcessor class has made it easier to adopt and implement. This ready-to-use solution simplifies interactions with AWS KMS, allowing users to securely sign data and transactions with minimal configuration. By leveraging this tool, organizations can enhance their security posture while benefiting from the convenience of AWS’s cloud-native HSM capabilities.

The Chainlens Blockchain Explorer provides all of the business metrics you need to support your blockchain and smart contract applications.

We provide SLA-backed production support for Ethereum networks running Quorum and Hyperledger Besu.

Traditional financial markets infrastructure is being redefined by blockchain and DLT technology. We can ensure you’re prepared.

With dedicated support from the creators of Web3j you can ensure you have a trusted partner to support your most critical blockchain applications.