JSON Web Signature (JWS) HS256 with AWS CloudHSM

Starting with v9.34 the Nimbus JOSE+JWT library is able to use HMAC keys in PKCS#11 compliant stores, such as the AWS CloudHSM. All standard HMAC JWS algorithms are supported:

  • HS256 - HMAC with SHA-256, requires 256+ bit secret
  • HS384 - HMAC with SHA-384, requires 384+ bit secret
  • HS512 - HMAC with SHA-512, requires 512+ bit secret

Example loading of an AWS CloudHSM key store and obtaining a javax.crypto.SecretKey handle from the HSM to compute the HMAC for a JWS object:

// Load the AWS CloudHSM as a JCE provider
if (Security.getProvider(CloudHsmProvider.PROVIDER_NAME) == null) {
    Security.addProvider(new CloudHsmProvider())

Provider hsmProvider = Security.getProvider(CloudHsmProvider.PROVIDER_NAME);

KeyStore keyStore = KeyStore.getInstance(

// Get the secret key handle
String keyID = "my-key-id";
SecretKey secretKey = (SecretKey)keyStore.getKey(keyID, "".toCharArray());

// Instantiate an HMAC signer with the secret key stored in the CloudHSM
JWSSigner signer = MACSigner(secretKey);

// Create the JWS object
JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.HS256)

Payload payload = new Payload("HMAC protected string");
JWSObject jws = new JWSObject(header, payload);

// Compute the HMAC

// Serialise to compact JWS encoding