AWS CloudHSM Client and Software Version History

This page provides release notes for each version of the AWS CloudHSM client and related software libraries. We include download links for the most recent versions. We recommend that you use the most recent version whenever possible.

To upgrade, you must use a batch command that upgrades the client and all the libraries at the same time. For more information, see Client Upgrade.

To check the client version

  • On an RPM-based Linux system (Amazon Linux, RHEL, CentOS), use the following command. On Ubuntu the packages are .deb files, so query the dpkg database for the same package names instead of rpm.

    rpm -qa | grep ^cloudhsm
  • On a Windows system, use the following command:

    wmic product get name,version

Version 3.1.0

The version 3.1.0 software is available for the following platforms. Download the package for your operating system from the AWS CloudHSM download page.

  • Amazon Linux

  • Amazon Linux 2

  • CentOS 6

  • CentOS 7

  • RedHat Enterprise Linux 6 (RHEL 6)

  • RedHat Enterprise Linux 7 (RHEL 7)

  • Ubuntu 16.04 LTS

  • Windows Server

AWS CloudHSM supports 64-bit versions of Windows Server 2012, Windows Server 2012 R2 and Windows Server 2016. The AWS CloudHSM 3.1 client software for Windows Server includes the required CNG and KSP providers. For details, see Install and Configure the AWS CloudHSM Client (Windows).

Version 3.1.0 adds standards-compliant AES key wrapping.

AWS CloudHSM Client Software

  • A new requirement for upgrade: the version of your client must match the version of any software libraries you are using. To upgrade, you must use a batch command that upgrades the client and all the libraries at the same time. For more information, see Client Upgrade.

  • Key_mgmt_util (KMU) includes the following updates:

    • Added two new AES key wrap methods – standards-compliant AES key wrap with zero padding and AES key wrap with no padding. For more information, see wrapKey and unwrapKey.

    • Disabled ability to specify custom IV when wrapping a key using AES_KEY_WRAP_PAD_PKCS5. For more information, see AES Key Wrapping.

PKCS #11 Library

  • Added two new AES key wrap methods - standards-compliant AES key wrap with zero padding and AES key wrap with no padding. For more information, see AES Key Wrapping.

  • You can configure salt length for RSA-PSS signatures. To learn how to use this feature, see Configurable salt length for RSA-PSS signatures on GitHub.

OpenSSL Dynamic Engine

  • BREAKING CHANGE: TLS 1.0 and 1.2 cipher suites with SHA1 are not available in OpenSSL Engine 3.1. This issue will be resolved shortly.

  • If you intend to install the OpenSSL Dynamic Engine library on RHEL 6 or CentOS 6, see a known issue about the default OpenSSL version installed on those operating systems.

  • Improved stability and bug fixes

Java Library

  • BREAKING CHANGE: To address an issue with Java Cryptography Extension (JCE) compliance, AES wrap and unwrap now properly use the AESWrap algorithm instead of the AES algorithm. You must update your code accordingly when upgrading to client version 3.1. Cipher.WRAP_MODE and Cipher.UNWRAP_MODE no longer succeed for AES/ECB and AES/CBC mechanisms. For more information, see AES Key Wrapping.

  • You can list multiple keys with the same label from the Java library. To learn how to iterate through all available keys, see Find all keys on GitHub.

  • You can set more restrictive values for attributes during key creation, including specifying different labels for public and private keys. For more information, see Supported Java Attributes.

Windows (CNG, KSP)

  • Improved stability and bug fixes.

Deprecated Client and Software Versions

The following client versions and software have been deprecated and are no longer available to download. Release notes have been maintained for historical purposes.

Version 3.0.1 is a strongly recommended upgrade. It provides a critical bug fix for PKCS #11 users.

AWS CloudHSM Client Software

  • Updated the version for consistency.

PKCS #11 Library

OpenSSL Dynamic Engine

  • Updated the version for consistency.

Java Library

  • Updated the version for consistency.

Windows (CNG, KSP)

  • Updated the version for consistency.

Version 3.0 provides important improvements to operational stability and performance. This is a recommended update due to various bug fixes.

AWS CloudHSM Client Software

  • Key_mgmt_util includes the following updates:

    • Removed the default mechanism from wrapKey and unwrapKey. You must explicitly provide a mechanism when using these functions.

    • Added support for key wrap and unwrap using AES-GCM. To use this wrapping mechanism, specify -m 10 with wrapKey and unwrapKey. For more information, see wrapKey or unwrapKey.

    • Changed the name for AES key wrapping using mechanism 4 from CLOUDHSM_AES_KEY_WRAP to AES_KEY_WRAP_PAD_PKCS5, to reflect that AWS CloudHSM utilizes PKCS5 padding while wrapping keys. For more information, see the list of Known Issues.

    • Improved findKey to return keys owned and shared by the CU that is logged in. For more information, see the findKey article.

  • Cloudhsm_mgmt_util includes the following updates:

    • COs can set the OBJ_ATTR_TRUSTED attribute on any key (value 134) in the HSM by using setAttribute to mark a key as trusted.

      Note

      OBJ_ATTR_TRUSTED is the only attribute that can be set by a CO. For more information, see the setAttribute command.

    • findAllKeys displays keys owned by a CU and shared with that CU. Learn more at findAllKeys.

PKCS #11 Library

  • PKCS #11 no longer requires Redis for high performance. Redis is no longer included in the installation packages. If you used Redis in previous installations, update your start-up and installation scripts to remove Redis commands.

  • Added support for encryption and decryption using 3DES ECB and AES_CTR. The full list of supported functions and mechanisms in PKCS #11 is available in the Supported PKCS #11 Mechanisms article.

    Code samples for des_ecb.c and aes_ctr.c are available on GitHub.

  • Added support for key derivation using HMAC KDF (SP 800-108) which enables you to use the CKM_SP800_108_COUNTER_KDF mechanism with the C_DeriveKey function. For additional information see the code sample hmac-kdf.c.

  • Added support for key wrap and unwrap using AES-GCM, through the CKM_CLOUDHSM_AES_GCM mechanism. For more information, see the aes_gcm_wrapping sample on GitHub.

  • Added support for the following attributes: CKA_NEVER_EXTRACTABLE, CKA_DERIVE, CKA_ALWAYS_SENSITIVE, CKA_WRAP_WITH_TRUSTED, CKA_TRUSTED, CKA_WRAP_TEMPLATE, CKA_UNWRAP_TEMPLATE, CKA_DESTROYABLE.

    The full list of supported attributes is in the Supported PKCS #11 Attributes article. To learn about using trusted keys for controlled wrapping and unwrapping, see the article on Using Trusted Keys to Control Key Unwraps. To see the available samples that work with the newly supported attributes, go to the AWS CloudHSM examples on GitHub.

  • Added the mechanism CKM_CLOUDHSM_AES_GCM, which is a memory-safe AES-GCM implementation. This proprietary mechanism is a safer alternative to the standard CKM_AES_GCM. CKM_CLOUDHSM_AES_GCM prepends the IV generated by the HSM to the ciphertext instead of writing it back into the CK_GCM_PARAMS structure provided during cipher initialization, so the library never writes into caller-owned memory after C_EncryptInit. You can use CKM_CLOUDHSM_AES_GCM with the C_Encrypt or C_WrapKey functions. When using this mechanism, the pIV member of the CK_GCM_PARAMS struct must be set to NULL. See the CKM_CLOUDHSM_AES_GCM entry in the table in the Supported PKCS #11 Mechanisms article.
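The HMAC KDF (SP 800-108) bullet above names the mechanism but not what the HSM computes. The following added reference implementation (not CloudHSM's library and not its hmac-kdf.c sample) is counter-mode SP 800-108 with HMAC as the PRF, using the fixed-input layout from section 5.1 of the standard: K(i) = HMAC(K_in, [i]_r || Label || 0x00 || Context || [L]_32). It lets you check an HSM-derived key offline in a test where the base key is known. CloudHSM's CKM_SP800_108_COUNTER_KDF takes the data fields as caller-supplied parameters, so match the field order and widths you pass to C_DeriveKey; the key, label and context below are constructed sample values.

```python
"""SP 800-108 KDF, counter mode, HMAC PRF (added reference example)."""
import hashlib
import hmac


def sp800_108_counter_kdf(key: bytes, label: bytes, context: bytes,
                          out_len: int, hash_name: str = "sha256",
                          counter_len: int = 4) -> bytes:
    """Derive out_len bytes of keying material from key.

    Fixed input per block i (big-endian encodings, as in SP 800-108 5.1):
        [i]_counter_len || label || 0x00 || context || [out_len * 8]_32
    The L field ties the output length into every block, so asking for
    32 bytes and 64 bytes yields unrelated keys (see the usage note).
    """
    h_len = hashlib.new(hash_name).digest_size
    n_blocks = -(-out_len // h_len)  # ceil division
    if n_blocks >= 1 << (8 * counter_len):
        raise ValueError("requested length exceeds counter width")
    l_bits = (out_len * 8).to_bytes(4, "big")
    out = bytearray()
    for i in range(1, n_blocks + 1):
        fixed_input = (i.to_bytes(counter_len, "big") + label + b"\x00"
                       + context + l_bits)
        out += hmac.new(key, fixed_input, hash_name).digest()
    return bytes(out[:out_len])  # truncate the last block if needed


def derive_enc_and_mac_keys(base_key: bytes, context: bytes):
    """Typical use: two purpose-separated subkeys from one base key."""
    return (sp800_108_counter_kdf(base_key, b"encryption", context, 32),
            sp800_108_counter_kdf(base_key, b"authentication", context, 32))


if __name__ == "__main__":
    # Constructed sample inputs; a real base key would live in the HSM.
    base = bytes(range(32))
    enc, mac = derive_enc_and_mac_keys(base, b"tenant-42/session-7")
    print("enc:", enc.hex())
    print("mac:", mac.hex())
```

Two properties worth knowing before comparing against HSM output: the label (and the zero separator) gives purpose separation, so changing only the label changes every block; and because L is part of the PRF input, deriving 64 bytes does not start with the 32 bytes you would get from deriving 32, which surprises people who expect HKDF-style truncation behaviour.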

OpenSSL Dynamic Engine

  • Updated the version for consistency.

Java Library

Windows (CNG, KSP)

  • Updated the version for consistency.

  • Added import_key.exe to associate pre-existing CloudHSM keys with corresponding certificates.


Version 2.0.4 provides important improvements to operational stability and performance. This is a recommended update due to various bug fixes.

AWS CloudHSM Client Software

  • Improved stability and bug fixes.

PKCS #11 Library

  • Updated the version for consistency.

OpenSSL Dynamic Engine

  • Updated the version for consistency.

Java Library

  • Improved stability and bug fixes.

Windows (CNG, KSP)

Version 2.0.3 provides important improvements to operational stability and performance. This is a recommended update due to various bug fixes.

AWS CloudHSM Client Software

  • Improved stability and bug fixes.

PKCS #11 Library

  • Improved stability and bug fixes.

OpenSSL Dynamic Engine

  • Updated the version for consistency.

Java Library

  • Improved stability and bug fixes.

Windows (CNG, KSP)

  • Improved stability and bug fixes.

Version 2.0.1 is a strongly recommended upgrade, as it provides various security improvements and bug fixes. Significant changes in this version are as follows:

AWS CloudHSM Client Software

  • Security improvements and bug fixes.

PKCS #11 Library

  • Security improvements and bug fixes.

OpenSSL Dynamic Engine

  • Security improvements and bug fixes.

Java Library

  • Security improvements and bug fixes.

Windows (CNG, KSP)

  • Security improvements and bug fixes.

Version 2.0.0 provides important improvements to operational stability and performance. It also enables secure key exchange between HSMs. Significant changes in this version are as follows:

AWS CloudHSM Client Software

  • Performance improvements and bug fixes

PKCS #11 Library

  • Added RSA OAEP and RSA AES key wrapping mechanisms.

  • Added AES-ECB encryption support.

  • Added secp256k1 curve support.

For more information about updated key wrapping mechanisms, see AWS CloudHSM Software Library for PKCS #11.

OpenSSL Dynamic Engine

  • Updated the version for consistency.

Java Library

  • Improved performance for AES-GCM encrypt and decrypt.

  • Added RSA OAEP and RSA AES key wrapping mechanisms. Note that you cannot specify key attributes when unwrapping with the Java library. For more information, see Known Issues for the JCE SDK.

  • Added AES-ECB encryption support.

  • Added secp256k1 curve support.

For more information about updated key wrapping mechanisms, see AWS CloudHSM Software Library for Java.

Windows (CNG, KSP)

  • Updated the version for consistency.

Version 1.1.2 is a strongly recommended upgrade, as it contains a change that runs the AWS CloudHSM client software for Windows as a service, as well as performance improvements and bug fixes. Significant changes in this version are as follows:

AWS CloudHSM Client Software

  • The AWS CloudHSM client software for Windows now runs as a Windows service.

PKCS #11 Library

  • DER-formatted EC public keys are now correctly imported.

    Note

    At this time, AWS CloudHSM continues to support the ability to import EC keys in raw format. Support for this format may be deprecated at a future time, as it is not compliant with PKCS#11 specifications.

  • Improved performance and bug fixes.

OpenSSL Dynamic Engine

  • Updated the version for consistency.

Java Library

  • Updated the version for consistency.

Windows (CNG, KSP)

Significant changes in this version include:

AWS CloudHSM Client Software

  • Improved stability and bug fixes.

  • In cloudhsm_mgmt_util, enable_e2e is now set by default.

  • SECURITY FIX: in key_mgmt_util, resolved issue with the incorrect PKCS#1v1.5 signature parsing. This eliminates potential errors when validating signatures with imported RSA keys that use a public exponent of 3. CloudHSM does not allow generating RSA keys with exponents smaller than 65537 to meet FIPS 140-2 requirements.

PKCS #11 Library

  • Improved stability and bug fixes.

  • SECURITY FIX: Resolved issue with incorrect PKCS#1v1.5 signature parsing. This eliminates potential errors when validating signatures with imported RSA keys that use a public exponent of 3. CloudHSM does not allow generating RSA keys with exponents smaller than 65537 to meet FIPS 140-2 requirements.

  • BREAKING CHANGE: To protect against user error, AES-GCM initialization now requires the user supplied IV buffer to be zeroized. NIST requires the IV for AES-GCM to be generated by the HSM and noted by the application after encryption is complete, as described here. IV is always 12 bytes long.

  • Added support for CKM_RSA_PKCS_KEY_PAIR_GEN mechanism.

  • Added software hashing of buffers larger than 16KB for digest, sign and verify operations. Hashes of buffers less than 16KB continue to be offloaded to the HSM as before.

  • BREAKING CHANGE: Strengthened PKCS#11 compliance, including explicit failure when handling unsupported or inconsistent attributes. If your application was not strictly PKCS#11 compliant before, you may experience errors or failures after updating to this version. Specifically:

    • If an application is already logged in, logging in will now return the error CKR_USER_ALREADY_LOGGED_IN.

    • CKA_KEY_GEN_MECHANISM will cause an error if included in a C_CreateObject call.

    • CKA_ALWAYS_SENSITIVE, CKA_LOCAL and CKA_NEVER_EXTRACTABLE will cause errors if included in a key generation or import template.

    • CKA_VALUE_LEN is now validated.

    • By default, new keys are scoped as session keys rather than token keys, to comply with PKCS#11.

OpenSSL Dynamic Engine

  • Improved stability and bug fixes.

  • SECURITY FIX: Resolved issue with incorrect PKCS#1v1.5 signature parsing. This eliminates potential errors when validating signatures with imported RSA keys that use a public exponent of 3. CloudHSM does not allow generating RSA keys with exponents smaller than 65537 to meet FIPS 140-2 requirements.

Java Library

  • Improved stability and bug fixes.

  • Added software hashing of buffers larger than 16KB for digest, sign and verify operations. Hashes of buffers less than 16KB continue to be offloaded to the HSM as before.

  • For non-exportable keys, getFormat and getEncoded now return NULL without throwing an exception.

Windows (CNG, KSP)

  • SECURITY FIX: Resolved issue with incorrect PKCS#1v1.5 signature parsing. This eliminates potential errors when validating signatures with imported RSA keys that use a public exponent of 3. CloudHSM does not allow generating RSA keys with exponents smaller than 65537 to meet FIPS 140-2 requirements.
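The SECURITY FIX entries above (client, PKCS #11, OpenSSL engine and CNG/KSP in this version) describe incorrect PKCS#1 v1.5 signature parsing that only matters for imported RSA keys with e = 3, without saying what the parser got wrong. The best-known consequence of lenient PKCS#1 v1.5 parsing with a small exponent is Bleichenbacher's 2006 forgery: if the verifier stops checking once it has found the DigestInfo and ignores the bytes after it, an attacker needs no private key at all, just an integer cube root. The following added example (my own toy verifier, not CloudHSM's code; the defect may differ from CloudHSM's) shows a lenient parser accepting a forged signature that a strict, rebuild-and-compare verifier rejects. The 2048-bit modulus is a constructed odd number standing in for a public key, which is enough because the forged value never wraps modulo n.

```python
"""Lenient vs. strict PKCS#1 v1.5 verification with e = 3 (added example)."""
import hashlib
import random

E = 3
K = 256  # modulus length in bytes (2048-bit key)
# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
# Constructed stand-in for an RSA public modulus: 2048-bit, odd, top bit set.
N = random.Random(2018).getrandbits(2048) | (1 << 2047) | 1


def _encoded_message(sig: int) -> bytes:
    return pow(sig, E, N).to_bytes(K, "big")


def strict_verify(msg: bytes, sig: int) -> bool:
    """RFC 8017 8.2.2: rebuild the entire EM and compare the whole block."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    expected = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return _encoded_message(sig) == expected


def lenient_verify(msg: bytes, sig: int) -> bool:
    """Buggy parser: checks header, >= 8 padding bytes and the DigestInfo,
    but never looks at what follows the digest. This is the class of bug."""
    em = _encoded_message(sig)
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i - 2 < 8 or i >= len(em) or em[i] != 0x00:
        return False
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return em[i + 1:i + 1 + len(t)] == t  # trailing bytes are ignored


def _icbrt_ceil(x: int) -> int:
    """Smallest integer r with r**3 >= x, by binary search."""
    lo, hi = 0, 1 << ((x.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < x:
            lo = mid + 1
        else:
            hi = mid
    return lo


def forge_signature(msg: bytes) -> int:
    """Bleichenbacher-style forgery, no private key required.

    Put the minimal block the lenient parser accepts at the top, leave the
    remaining bytes free, and take the ceiling cube root. s**3 exceeds the
    target by less than 3*s**2 (about 2**1362 here), which only disturbs the
    free low bytes (194 bytes = 1552 bits), and s**3 < 2**2041 < N, so the
    modular exponentiation never reduces.
    """
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    prefix = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    free_len = K - len(prefix)
    target = int.from_bytes(prefix + b"\x00" * free_len, "big")
    return _icbrt_ceil(target)


if __name__ == "__main__":
    msg = b"transfer 1000 USD to account 7"
    s = forge_signature(msg)
    print("lenient parser accepts forgery:", lenient_verify(msg, s))
    print("strict parser accepts forgery: ", strict_verify(msg, s))
```

The fix is the strict form: compute the expected encoded message and compare the whole block, never walk the padding with a scanner. The forgery needs the e-th root of the target to land under the modulus, which is why it works for e = 3 and not for e = 65537; that is the practical reason behind the note that CloudHSM refuses to generate keys with exponents below 65537, and why imported e = 3 keys were the affected case.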

Significant changes in this version include the following:

AWS CloudHSM Client Software

  • Added new Linux platforms.

    • Amazon Linux 2

    • Ubuntu 16.04 LTS

    • RedHat Enterprise Linux 6 (RHEL 6)

    • RedHat Enterprise Linux 7 (RHEL 7)

    • CentOS 6

    • CentOS 7

CNG/KSP Providers for Windows Server

The AWS CloudHSM client software for Windows Server includes the required CNG and KSP providers.

  • Updated the version for consistency.

PKCS #11 Library

  • Added support for Linux platforms.

OpenSSL Dynamic Engine

  • Added support for Linux platforms.

Java Library

  • If you downloaded this package prior to May 23, 5PM PDT, you will need to recompile your application for it to work with this version of the JCE, as the loadNative() method had temporarily changed from non-static to static. Alternatively, you can download the package again, and install the JCE. We have now restored the loadNative() method to static.

  • Eliminated the breaking change in version 1.0.18. The LoginManager.getInstance() public method accepts username and password arguments.

  • Added support for Linux platforms.

Significant changes in this version include the following:

AWS CloudHSM Client Software

Added an AWS CloudHSM client for Windows Server. The following Windows Server operating systems are currently supported:

  • Microsoft Windows Server 2012 (64-bit)

  • Microsoft Windows Server 2012 R2 (64-bit)

  • Microsoft Windows Server 2016 (64-bit)

CNG/KSP Providers for Windows Server

  • Implemented PKCS7Padding for C_DecryptUpdate and C_EncryptUpdate.

  • CKA_ID no longer required for RSA private key generation.

  • Improved multi-threading performance.

  • Fixed various bugs.

PKCS #11 Library

  • Added support for PKCS7Padding.

  • Strengthened checks on key templates.

  • Fixed various bugs.

OpenSSL Dynamic Engine

  • Added support to getCaviumPrivKey for ECC-based keys.

  • Improved stability when client daemon connectivity is lost.

  • Fixed various bugs.

Java Library

  • [Breaking Change] The LoginManager.getInstance() public method does not accept username and password arguments directly.

  • Added support for PKCS7Padding.

  • Added wrap and unwrap methods.

  • Improved stability when client daemon connectivity is lost.

  • Fixed various bugs.

Significant changes in this version include the following:

AWS CloudHSM Client Software

  • Improved failover behavior.

  • Displays version metadata.

  • Fixed various bugs.

PKCS #11 Library

  • Implemented PKCS7Padding for C_DecryptUpdate and C_EncryptUpdate.

  • CKA_ID no longer required for RSA private key generation.

  • Improved multi-threading performance.

  • Fixed various bugs.

OpenSSL Dynamic Engine

  • Added support for CSRs for ECC keys.

  • Improved stability and failure handling.

Java Library

No changes. Updated the version number for consistency.

Significant changes in this version include the following:

AWS CloudHSM Client Software

  • Improved load balancing.

  • Improved performance.

  • Improved handling of lost server connections.

PKCS #11 Library

  • Added support for the CKM_RSA_PKCS_PSS sign/verify mechanism.

OpenSSL Dynamic Engine

  • Updated the version for consistency.

Java Library

  • Improved the performance of several algorithms.

  • Added Triple DES (3DES) key import feature.

  • Various bug fixes.

Significant changes in this version include the following:

AWS CloudHSM Client Software

  • Updated the key_mgmt_util command line tool to enable AES wrapped key import.

  • Improved performance.

  • Fixed various bugs.

PKCS #11 Library

  • Updated the version for consistency.

OpenSSL Dynamic Engine

  • Updated the version for consistency.

Java Library

  • Added support for additional algorithms.

  • Improved performance.

Significant changes in this version include the following:

AWS CloudHSM Client Software

  • Improved setup experience.

  • Added respawning to the client upstart service.

  • Fixed various bugs.

PKCS #11 Library

  • Fixed bugs to address relative paths in the Redis setup.

OpenSSL Dynamic Engine

  • Improved performance.

Java Library

  • Updated the version for consistency.

Significant changes in this version include the following:

AWS CloudHSM Client Software

  • Added the pkpspeed performance testing tool.

  • Fixed bugs to improve stability and performance.

PKCS #11 Library

  • Added an accelerated version of the library that uses a Redis local cache to improve performance.

  • Fixed bugs related to attribute handling.

  • Added the ability to generate ECDSA keys.

OpenSSL Dynamic Engine

  • Updated the version for consistency.

Java Library

  • Added support for additional algorithms.

  • Signed the JAR files for compatibility with the Sun JCE provider.

This is the initial release.