JSON Web Signature (JWS) HS256 with AWS CloudHSM

Starting with v9.34 the Nimbus JOSE+JWT library is able to use HMAC keys in PKCS#11 compliant stores, such as the AWS CloudHSM. All standard HMAC JWS algorithms are supported:

• HS256 - HMAC with SHA-256, requires 256+ bit secret
• HS384 - HMAC with SHA-384, requires 384+ bit secret
• HS512 - HMAC with SHA-512, requires 512+ bit secret

Example loading of an AWS CloudHSM key store and obtaining a javax.crypto.SecretKey handle from the HSM to compute the HMAC for a JWS object:

// Load the AWS CloudHSM as a JCE provider
if (Security.getProvider(CloudHsmProvider.PROVIDER_NAME) == null) {
    Security.addProvider(new CloudHsmProvider())
}

Provider hsmProvider = Security.getProvider(CloudHsmProvider.PROVIDER_NAME);

KeyStore keyStore = KeyStore.getInstance(
    CloudHsmProvider.CLOUDHSM_KEYSTORE_TYPE,
    hsmProvider);
hsmProvider.load(null);

// Get the secret key handle
String keyID = "my-key-id";
SecretKey secretKey = (SecretKey)keyStore.getKey(keyID, "".toCharArray());

// Instantiate an HMAC signer with the secret key stored in the CloudHSM
JWSSigner signer = MACSigner(secretKey);
signer.getJCAContext().setProvider(hsmProvider);

// Create the JWS object
JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.HS256)
    .keyID(keyID)
    .build()

Payload payload = new Payload("HMAC protected string");
JWSObject jws = new JWSObject(header, payload);


// Compute the HMAC
jws.sign(signer);

// Serialise to compact JWS encoding
System.out.println(jws.serialize());