AWS CloudHSM
User Guide

AWS CloudHSM Client and Software Version History

This section describes the updates to each version of the AWS CloudHSM client and related software libraries. We recommend that you use the most recent versions whenever possible.

This section includes links to download newer versions of the software. If you installed the AWS CloudHSM client for Linux or Windows, and installed the software libraries that you need, you already have all of the software you need to use AWS CloudHSM.

Current Version: 1.1.1

To download the software, choose the tab for your preferred operating system, then choose the link to each software package.

Amazon Linux

Download the version 1.1.1 software for Amazon Linux:

Amazon Linux 2

Download the version 1.1.1 software for Amazon Linux 2:

CentOS 6

Download the version 1.1.1 software for CentOS 6:

CentOS 7

Download the version 1.1.1 software for CentOS 7:

RHEL 6

Download the version 1.1.1 software for Red Hat Enterprise Linux 6:

RHEL 7

Download the version 1.1.1 software for Red Hat Enterprise Linux 7:

Ubuntu 16.04 LTS

Download the version 1.1.1 software for Ubuntu 16.04 LTS:

Windows Server

AWS CloudHSM supports 64-bit versions of Windows Server 2012, Windows Server 2012 R2 and Windows Server 2016. The AWS CloudHSM 1.1.1 client software for Windows Server includes the required CNG and KSP providers. For details, see Install and Configure the AWS CloudHSM Client (Windows).

Download the version 1.1.1 software for Windows Server:

Version 1.1.1 is a strongly recommended upgrade, as it contains a security fix. Significant changes in this version are as follows:

AWS CloudHSM Client Software

  • Improved stability and bug fixes

  • In cloud_hsm_mgmt_util, enable_e2e now set by default

  • SECURITY FIX: In key_mgmt_util, resolved an issue with incorrect PKCS#1 v1.5 signature parsing. This eliminates potential errors when validating signatures with imported RSA keys that use a public exponent of 3. CloudHSM does not allow generating RSA keys with exponents smaller than 65537, to meet FIPS 140-2 requirements.

PKCS #11 Library

  • Improved stability and bug fixes

  • SECURITY FIX: Resolved issue with incorrect PKCS#1v1.5 signature parsing. This eliminates potential errors when validating signatures with imported RSA keys that use a public exponent of 3. CloudHSM does not allow generating RSA keys with exponents smaller than 65537 to meet FIPS 140-2 requirements.

  • BREAKING CHANGE: To protect against user error, AES-GCM initialization now requires the user-supplied IV buffer to be zeroized. NIST requires the IV for AES-GCM to be generated by the HSM and recorded by the application after encryption is complete, as described here. The IV is always 12 bytes long.

  • Added support for CKM_RSA_PKCS_KEY_PAIR_GEN mechanism

  • Added software hashing of buffers larger than 16KB for digest, sign and verify operations. Hashes of buffers less than 16KB continue to be offloaded to the HSM as before.

  • BREAKING CHANGE: Strengthened PKCS#11 compliance, including explicit failure when handling unsupported or inconsistent attributes. If your application was not strictly PKCS#11 compliant before, you may experience errors or failures after updating to this version. Specifically:

    • If an application is already logged in, logging in will now return the error CKR_USER_ALREADY_LOGGED_IN

    • CKA_KEY_GEN_MECHANISM will cause an error if included in a C_CreateObject call

    • CKA_ALWAYS_SENSITIVE, CKA_LOCAL and CKA_NEVER_EXTRACTABLE will cause errors if included in a key generation or import template

    • CKA_VALUE_LEN is now validated

    • By default, new keys are scoped as session keys rather than token keys, to comply with PKCS#11.

OpenSSL Dynamic Engine

  • Improved stability and bug fixes

  • SECURITY FIX: Resolved an issue with incorrect PKCS#1 v1.5 signature parsing. This eliminates potential errors when validating signatures with imported RSA keys that use a public exponent of 3. CloudHSM does not allow generating RSA keys with exponents smaller than 65537, to meet FIPS 140-2 requirements.

Java Library

  • Improved stability and bug fixes

  • Added software hashing of buffers larger than 16KB for digest, sign and verify operations. Hashes of buffers less than 16KB continue to be offloaded to the HSM as before.

  • For non-exportable keys, getFormat and getEncoded now return NULL without throwing an exception.

Windows (CNG, KSP)

  • SECURITY FIX: Resolved issue with incorrect PKCS#1v1.5 signature parsing. This eliminates potential errors when validating signatures with imported RSA keys that use a public exponent of 3. CloudHSM does not allow generating RSA keys with exponents smaller than 65537 to meet FIPS 140-2 requirements.
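The PKCS#1 v1.5 signature-parsing fix noted for key_mgmt_util, the PKCS #11 library, the OpenSSL engine and the Windows providers comes down to how the verifier checks the encoded message EM recovered by the RSA public operation. The following is added example code, not part of the AWS CloudHSM software or this guide: it contrasts a lenient padding walker (an assumed reconstruction of the bug class, not the client's actual code) with the strict recompute-and-compare check RFC 8017 section 8.2.2 specifies, which is what makes a small exponent such as 3 safe to verify against.

```python
import hashlib
import hmac

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def emsa_pkcs1_v15_encode(message: bytes, em_len: int) -> bytes:
    """Build the exact EM a conforming signer produces: 00 01 FF..FF 00 || DigestInfo."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def verify_strict(em: bytes, message: bytes) -> bool:
    """Correct check: recompute the expected EM and compare every byte."""
    return hmac.compare_digest(em, emsa_pkcs1_v15_encode(message, len(em)))


def verify_lenient(em: bytes, message: bytes) -> bool:
    """Flawed check (assumed shape of the bug): walk the padding, locate the
    DigestInfo and hash, and never look at what follows them."""
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    i += 1
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return em[i:i + len(t)] == t  # trailing bytes are ignored: the defect


def demo(em_len: int = 256) -> dict:
    """Run both verifiers on a well-formed EM and on a malformed one that has a
    one-byte padding run and filler after the hash (constructed sample data).
    With a small public exponent, such malformed EMs are why lenient parsing
    was a security issue rather than a cosmetic one."""
    msg = b"constructed sample message"
    good = emsa_pkcs1_v15_encode(msg, em_len)
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    bad = b"\x00\x01\xff\x00" + t + b"\x00" * (em_len - 4 - len(t))
    return {
        "strict_good": verify_strict(good, msg),
        "strict_bad": verify_strict(bad, msg),
        "lenient_good": verify_lenient(good, msg),
        "lenient_bad": verify_lenient(bad, msg),
    }
```

The strict verifier rejects the malformed encoding while the lenient one accepts it; only the strict form should ever be used regardless of the key's exponent.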

Version: 1.1.0

To download the software, choose the tab for your preferred operating system, and then choose the link to each software package.

Amazon Linux

Download the version 1.1.0 software for Amazon Linux:

Amazon Linux 2

Download the version 1.1.0 software for Amazon Linux 2:

CentOS 6

Download the version 1.1.0 software for CentOS 6:

CentOS 7

Download the version 1.1.0 software for CentOS 7:

RHEL 6

Download the version 1.1.0 software for Red Hat Enterprise Linux 6:

RHEL 7

Download the version 1.1.0 software for Red Hat Enterprise Linux 7:

Ubuntu 16.04 LTS

Download the version 1.1.0 software for Ubuntu 16.04 LTS:

Windows Server

AWS CloudHSM supports 64-bit versions of Windows Server 2012, Windows Server 2012 R2 and Windows Server 2016. The AWS CloudHSM 1.1.0 client software for Windows Server includes the required CNG and KSP providers. For details, see Install and Configure the AWS CloudHSM Client (Windows).

Download the version 1.1.0 software for Windows Server:

Significant changes in this version include the following:

AWS CloudHSM Client Software

  • Added new Linux platforms.

    • Amazon Linux 2

    • Ubuntu 16.04 LTS

    • Red Hat Enterprise Linux 6 (RHEL 6)

    • Red Hat Enterprise Linux 7 (RHEL 7)

    • CentOS 6

    • CentOS 7

CNG/KSP Providers for Windows Server

The AWS CloudHSM client software for Windows Server includes the required CNG and KSP providers.

  • Updated the version for consistency.

PKCS #11 Library

  • Added support for Linux platforms.

OpenSSL Dynamic Engine

  • Added support for Linux platforms.

Java Library

  • If you downloaded this package prior to May 23, 5PM PDT, you will need to recompile your application for it to work with this version of the JCE, as the loadNative() method had temporarily changed from non-static to static. Alternatively, you can download the package again, and install the JCE. We have now restored the loadNative() method to static.

  • Eliminated the breaking change in version 1.0.18. The LoginManager.getInstance() public method accepts username and password arguments.

  • Added support for Linux platforms.

Version: 1.0.18

Version 1.0.18 includes the following software packages for each platform.

Amazon Linux

To download the version 1.0.18 software for Amazon Linux and compatible distributions, choose the link for each package.

Ubuntu

To download the version 1.0.18 software for Ubuntu, choose the link for each package.

Windows Server

AWS CloudHSM supports Windows Server 2012, Windows Server 2012 R2 and Windows Server 2016. The AWS CloudHSM 1.0.18 client software for Windows Server includes the required CNG and KSP providers. For details, see Install and Configure the AWS CloudHSM Client (Windows).

To download the version 1.0.18 software for Windows, choose the link: AWS CloudHSM Client for Windows Server.

Significant changes in this version include the following:

AWS CloudHSM Client Software

Added an AWS CloudHSM client for Windows Server. The following Windows Server operating systems are currently supported:

  • Microsoft Windows Server 2012 (64-bit)

  • Microsoft Windows Server 2012 R2 (64-bit)

  • Microsoft Windows Server 2016 (64-bit)

CNG/KSP Providers for Windows Server

  • Implemented PKCS7Padding for C_DecryptUpdate and C_EncryptUpdate.

  • CKA_ID no longer required for RSA private key generation.

  • Improved multi-threading performance.

  • Fixed various bugs.

PKCS #11 Library

  • Added support for PKCS7Padding.

  • Strengthened checks on key templates.

  • Fixed various bugs.

OpenSSL Dynamic Engine

  • Added support to getCaviumPrivKey for ECC-based keys.

  • Improved stability when client daemon connectivity is lost.

  • Fixed various bugs.

Java Library

  • [Breaking Change] The LoginManager.getInstance() public method does not accept username and password arguments directly.

  • Added support for PKCS7Padding.

  • Added wrap and unwrap methods.

  • Improved stability when client daemon connectivity is lost.

  • Fixed various bugs.

Version 1.0.14

Version 1.0.14 includes the following software packages for each platform.

Amazon Linux

To download the version 1.0.14 software for Amazon Linux and compatible distributions, choose the link for each package.

Ubuntu

To download the version 1.0.14 software for Ubuntu, choose the link for each package.

Significant changes in this version include the following:

AWS CloudHSM Client Software

  • Improved failover behavior.

  • Displays version metadata.

  • Fixed various bugs.

PKCS #11 Library

  • Implemented PKCS7Padding for C_DecryptUpdate and C_EncryptUpdate.

  • CKA_ID no longer required for RSA private key generation.

  • Improved multi-threading performance.

  • Fixed various bugs.

OpenSSL Dynamic Engine

  • Added support for CSRs for ECC keys.

  • Improved stability and failure handling.

Java Library

No changes. Updated the version number for consistency.

Version 1.0.11

Significant changes in this version include the following:

AWS CloudHSM Client Software

  • Improved load balancing.

  • Improved performance.

  • Improved handling of lost server connections.

PKCS #11 Library

  • Added support for the CKM_RSA_PKCS_PSS sign/verify mechanism.

OpenSSL Dynamic Engine

  • Updated the version number for consistency.

Java Library

  • Improved the performance of several algorithms.

  • Added Triple DES (3DES) key import feature.

  • Various bug fixes.

Version 1.0.10

Significant changes in this version include the following:

AWS CloudHSM Client Software

  • Updated the key_mgmt_util command line tool to enable AES wrapped key import.

  • Improved performance.

  • Fixed various bugs.

PKCS #11 Library

  • Updated the version number for consistency.

OpenSSL Dynamic Engine

  • Updated the version number for consistency.

Java Library

  • Added support for additional algorithms.

  • Improved performance.

Version 1.0.8

Significant changes in this version include the following:

AWS CloudHSM Client Software

  • Improved setup experience.

  • Added respawning to the client upstart service.

  • Fixed various bugs.

PKCS #11 Library

  • Fixed bugs to address relative paths in the Redis setup.

OpenSSL Dynamic Engine

  • Improved performance.

Java Library

  • Updated the version number for consistency.

Version 1.0.7

Significant changes in this version include the following:

AWS CloudHSM Client Software

  • Added the pkpspeed performance testing tool.

  • Fixed bugs to improve stability and performance.

PKCS #11 Library

  • Added an accelerated version of the library that uses a Redis local cache to improve performance.

  • Fixed bugs related to attribute handling.

  • Added the ability to generate ECDSA keys.

OpenSSL Dynamic Engine

  • Updated the version number for consistency.

Java Library

  • Added support for additional algorithms.

  • Signed the JAR files for compatibility with the Sun JCE provider.

Version 1.0.0

This is the initial release.