Hardware Security Module (HSM) Support With HTTPS/TLS/crypto

[AiNoKame]

I want to offload all cryptographic functionality involving my private keys to my HSM (which contain my non-exportable/non-readable private keys), but as it stands, it seems I have to provide my private keys when setting up an HTTPS server (https://nodejs.org/api/https.html#https_https_createserver_options_requestlistener). Is HSM support on the nodejs roadmap, or is it actually possible to accomplish what I need now? 😉

[rmhrisk]

@AiNoKame you want to look at OpenSSL engine support, see nodejs/node#6374

[AiNoKame]

@rmhrisk Thanks for your response! I can see how crypto.setEngine works when you want to use a specified engine to execute cryptographic algorithms on an HSM (for acceleration purposes), but I think I'm requesting something slightly different

I can't see how to feed arguments into an engine to perform operations that utilize an HSM-boarded private key. For example, using https://github.com/OpenSC/libp11#using-p11tool-and-openssl-from-the-command-line, how can you feed in something like pin-key when using crypto?

[rmhrisk]

I think you need to use https://tools.ietf.org/html/rfc7512 to specify the pin; for OpenSSL on the command line it is my understanding you would specify the key like this "-key pkcs11:object=test-key;type=private;pin-value=XXXX".

I am not positive on how to do this with node, but in the case of NGINX it looks like this:
https://security.stackexchange.com/questions/91394/nginx-and-hsm-integration-to-hold-private-keys

I would ask that once you are done you do a blog post or provide clear step by steps with configuration files for others.

@indutny can you clarify?

[gireeshpunathil]

@AiNoKame - is this still outstanding?

[gireeshpunathil]

closing due to inactivity

[josh-hemphill]

Anyone figure this out?