I want to encrypt JSON data as a JWE using a public key stored in an HSM. I use the .NET Framework or .NET Core libraries (Net.Pkcs11Interop.HighLevelAPI) for communication with the HSM. I searched lots of Java and .NET Core sample code, but they all encrypt with locally stored .cer/.pem keys. I only want to do this using the HSM, and I want to produce the JWE encrypted format, not a normal encrypted string result.
The code should be the same. The primary difference is that Pkcs11Interop requires an HSM provider library to wrap, and it is this provider library that will change depending on the target HSM (or target implementation, if it doesn't use an HSM). So you still call the HighLevelAPI, but it calls through a vendor's provider to the vendor HSM. – rip... May 27 '22 at 02:09
1 Answer
By default, the Pkcs11Interop code wraps a PKCS#11 provider. The default provider is simply a wrapper around either a minimal P11 implementation, or SoftHSM or something (I don't know). Instead, you would tell it to use the P11 provider supplied by the vendor of the HSM. Changing the P11 provider changes how the hardware is accessed, but otherwise does not change the behavior of Interop.
But other than that change, there will be no difference in the outer code (the code that is using Interop), except maybe at the user auth (C_Login in PKCS#11-speak), as different vendors may have slightly different capabilities there (dual control, MFA, etc.).
I would look for the HSM's provider and add that to your search terms. Possibly there is an integration guide available, assuming there is something truly weird about the vendor's provider implementation. Most HSMs use P11 the standards-based way (most of the vendors are on the P11 standards committee), so assume that if an integration guide is provided, it will be very short, and will very probably work with another vendor's implementation with little or no change :)
Disclosure: I work for an HSM vendor, it does work with Interop, and no, we don't have an integration guide dedicated to support of Interop.
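The answer above describes the shape of the solution (point Pkcs11Interop at the vendor's P11 library, log in, and otherwise write ordinary PKCS#11 code) but does not show the JWE part. The following is an added example, not code from the question, the answer, or the Pkcs11Interop project, of how the two fit together: the HSM performs only the RSA-OAEP wrap of a random content-encryption key via C_Encrypt, and the JSON payload itself is encrypted locally with AES-256-GCM and assembled into JWE compact serialization (RFC 7516). The library path, token label, PIN, and the key label "jwe-kek" are assumptions for illustration; the Pkcs11Interop calls used (LoadPkcs11Library, GetSlotList, OpenSession, Login, FindAllObjects, CreateCkRsaPkcsOaepParams, Encrypt) are the HighLevelAPI's own. It targets .NET 6 or later for RandomNumberGenerator.GetBytes and AesGcm.

```csharp
// Added example: JWE (RSA-OAEP-256 + A256GCM) with the CEK wrapped by an RSA public key held in an HSM.
// Not from the original post or from Pkcs11Interop's samples. Library path, token label, PIN and the
// key label are assumptions; replace them with your vendor's values.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using Net.Pkcs11Interop.Common;
using Net.Pkcs11Interop.HighLevelAPI;

public static class HsmJwe
{
    // Base64url without padding, as JOSE requires (RFC 7515 Appendix C).
    static string B64Url(byte[] data) =>
        Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Returns a compact-serialization JWE for jsonPayload.
    public static string Encrypt(string pkcs11LibraryPath, string tokenLabel, string userPin,
                                 string keyLabel, string jsonPayload)
    {
        var factories = new Pkcs11InteropFactories();

        // The only vendor-specific part: the path of the vendor's PKCS#11 provider library.
        using IPkcs11Library lib = factories.Pkcs11LibraryFactory.LoadPkcs11Library(
            factories, pkcs11LibraryPath, AppType.MultiThreaded);

        ISlot slot = lib.GetSlotList(SlotsType.WithTokenPresent)
            .Find(s => s.GetTokenInfo().Label.Trim() == tokenLabel)
            ?? throw new InvalidOperationException($"no token labelled '{tokenLabel}'");

        using ISession session = slot.OpenSession(SessionType.ReadOnly);

        // C_Login is the step most likely to differ between vendors (dual control, MFA, ...).
        // Public-key objects are often readable without login; drop this call if yours are.
        session.Login(CKU.CKU_USER, userPin);
        try
        {
            // Locate exactly one RSA public key by label (assumed label: "jwe-kek").
            var template = new List<IObjectAttribute>
            {
                factories.ObjectAttributeFactory.Create(CKA.CKA_CLASS, CKO.CKO_PUBLIC_KEY),
                factories.ObjectAttributeFactory.Create(CKA.CKA_KEY_TYPE, CKK.CKK_RSA),
                factories.ObjectAttributeFactory.Create(CKA.CKA_LABEL, keyLabel),
            };
            List<IObjectHandle> keys = session.FindAllObjects(template);
            if (keys.Count != 1)
                throw new InvalidOperationException(
                    $"expected exactly one public key labelled '{keyLabel}', found {keys.Count}");
            IObjectHandle kek = keys[0];

            // 1. Fresh content-encryption key and 96-bit nonce; never reuse a nonce under one CEK.
            byte[] cek = RandomNumberGenerator.GetBytes(32);
            byte[] iv  = RandomNumberGenerator.GetBytes(12);

            // 2. Protected header; its base64url form is also the AES-GCM additional authenticated data.
            string protectedHeader = B64Url(Encoding.UTF8.GetBytes(
                "{\"alg\":\"RSA-OAEP-256\",\"enc\":\"A256GCM\"}"));
            byte[] aad = Encoding.ASCII.GetBytes(protectedHeader);

            // 3. Wrap the CEK in the HSM: C_Encrypt with RSA-OAEP, SHA-256 / MGF1-SHA256, which is
            //    what the JOSE "RSA-OAEP-256" alg means. (For "RSA-OAEP" use CKM_SHA_1 / CKG_MGF1_SHA1.)
            ICkRsaPkcsOaepParams oaep = factories.MechanismParamsFactory.CreateCkRsaPkcsOaepParams(
                (ulong)CKM.CKM_SHA256, (ulong)CKG.CKG_MGF1_SHA256, (ulong)CKZ.CKZ_DATA_SPECIFIED, null);
            IMechanism mech = factories.MechanismFactory.Create(CKM.CKM_RSA_PKCS_OAEP, oaep);
            byte[] encryptedCek = session.Encrypt(mech, kek, cek);

            // 4. Encrypt the JSON locally with AES-256-GCM; the HSM only ever sees the CEK as OAEP input.
            byte[] plaintext  = Encoding.UTF8.GetBytes(jsonPayload);
            byte[] ciphertext = new byte[plaintext.Length];
            byte[] tag        = new byte[16];
            using (var gcm = new AesGcm(cek, 16))   // .NET 8+; on .NET 6/7 use new AesGcm(cek)
                gcm.Encrypt(iv, plaintext, ciphertext, tag, aad);

            // 5. JWE compact serialization: header.encryptedKey.iv.ciphertext.tag (RFC 7516 section 7.1).
            return string.Join(".", protectedHeader, B64Url(encryptedCek), B64Url(iv),
                               B64Url(ciphertext), B64Url(tag));
        }
        finally
        {
            session.Logout();
        }
    }
}
```

Usage is a single call such as `HsmJwe.Encrypt("/opt/vendor/lib/libpkcs11.so", "MyToken", "1234", "jwe-kek", "{\"sub\":\"alice\"}")` (path, label and PIN are placeholders). Two checks worth making against your specific HSM: confirm with the vendor documentation that CKM_RSA_PKCS_OAEP with SHA-256 parameters is supported, since some firmware only offers the SHA-1 variant (then advertise "RSA-OAEP" in the header instead), and verify the output by decrypting it with the matching private key in a standard JOSE library before relying on interoperability.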
