Known issues for all HSM instances - AWS CloudHSM

Known issues for all HSM instances

The following issues impact all AWS CloudHSM users regardless of whether they use the key_mgmt_util command line tool, the PKCS #11 SDK, the JCE SDK, or the OpenSSL SDK.

Issue: AES key wrapping uses PKCS #5 padding instead of providing a standards-compliant implementation of key wrap with zero padding

Additionally, key wrap with no padding and zero padding is not supported.

  • Impact: There is no impact if you wrap and unwrap using this algorithm within AWS CloudHSM. However, keys wrapped with AWS CloudHSM cannot be unwrapped within other HSMs or software that expects compliance to the no-padding specification. This is because eight bytes of padding data might be added to the end of your key data during a standards-compliant unwrap. Externally wrapped keys cannot be properly unwrapped into an AWS CloudHSM instance.

  • Workaround: To externally unwrap a key that was wrapped with AES Key Wrap with PKCS #5 Padding on an AWS CloudHSM instance, strip the extra padding before you attempt to use the key. You can do this by trimming the extra bytes in a file editor or copying only the key bytes into a new buffer in your code.

  • Resolution status: With the 3.1.0 client and software release, AWS CloudHSM provides standards-compliant options for AES key wrapping. For more information, see AES Key Wrapping.

Issue: The client daemon requires at least one valid IP address in its configuration file to successfully connect to the cluster

  • Impact: If you delete every HSM in your cluster and then add another HSM, which gets a new IP address, the client daemon continues to search for your HSMs at their original IP addresses.

  • Workaround: If you run an intermittent workload, we recommend that you use the IpAddress argument in the CreateHsm function to set the elastic network interface (ENI) to its original value. Note than an ENI is specific to an Availability Zone (AZ). The alternative is to delete the /opt/cloudhsm/daemon/1/ file and then reset the client configuration to the IP address of your new HSM. You can use the client -a <IP address> command. For more information, see Install and Configure the AWS CloudHSM Client (Linux) or Install and Configure the AWS CloudHSM Client (Windows).

Issue: There was an upper limit of 16 KB on data that can be hashed and signed by AWS CloudHSM using Client SDK 3

  • Resolution status: Data less than 16KB in size continues to be sent to the HSM for hashing. We have added capability to hash locally, in software, data between 16KB and 64KB in size. Client SDK 5 will explicitly fail if the data buffer is larger than 64KB. You must update your client and SDK(s) to a version greater than 5.0.0 or higher to benefit from the fix.

Issue: Imported keys could not be specified as nonexportable

  • Resolution Status: This issue is fixed. No action is required on your part to benefit from the fix.

Issue: The default mechanism for the wrapKey and unWrapKey commands in the key_mgmt_util has been removed

  • Resolution: When using the wrapKey or unWrapKey commands, you must use the -m option to specify the mechanism. See the examples in the wrapKey or unWrapKey articles for more information.

Issue: If you have a single HSM in your cluster, HSM failover does not work correctly

  • Impact: If the single HSM instance in your cluster loses connectivity, the client will not reconnect with it even if the HSM instance is later restored.

  • Workaround: We recommend at least two HSM instances in any production cluster. If you use this configuration, you will not be impacted by this issue. For single-HSM clusters, bounce the client daemon to restore connectivity.

  • Resolution status: This issue has been resolved in the AWS CloudHSM client 1.1.2 release. You must upgrade to this client to benefit from the fix.

Issue: If you exceed the key capacity of the HSMs in your cluster within a short period of time, the client enters an unhandled error state

  • Impact: When the client encounters the unhandled error state, it freezes and must be restarted.

  • Workaround: Test your throughput to ensure you are not creating session keys at a rate that the client is unable to handle. You can lower your rate by adding an HSM to the cluster or slowing down the session key creation.

  • Resolution status: This issue has been resolved in the AWS CloudHSM client 1.1.2 release. You must upgrade to this client to benefit from the fix.

Issue: Digest operations with HMAC keys of size greater than 800 bytes are not supported

  • Impact: HMAC keys larger than 800 bytes can be generated on or imported into the HSM. However, if you use this larger key in a digest operation via the JCE or key_mgmt_util, the operation will fail. Note that if you are using PKCS11, HMAC keys are limited to a size of 64 bytes.

  • Workaround: If you will be using HMAC keys for digest operations on the HSM, ensure the size is smaller than 800 bytes.

  • Resolution status: None at this time.

Issue: The client_info tool, distributed with Client SDK 3, deletes the contents of the path specified by the optional output argument

  • Impact: All existing files and sub-directories under the specified output path may be permanently lost.

  • Workaround: Do not use the optional argument -output path when using the client_info tool.

  • Resolution status: This issue has been resolved in the Client SDK 3.3.2 release. You must upgrade to this client to benefit from the fix.

Issue: You receive an error when running the SDK 5 configure tool using the --cluster-id argument in containerized environments

You receive the following error when using the --cluster-id argument with the Configure Tool:

No credentials in the property bag

This error is caused by an update to Instance Metadata Service Version 2 (IMDSv2). For more information, see the IMDSv2 documentation.

  • Impact: This issue will impact users running the configure tool on SDK versions 5.5.0 and later in containerized environments and utilizing EC2 instance metadata to provide credentials.

  • Workaround: Set the PUT response hop limit to at least two. for guidance on how to do this, see Configure the instance metadata options.

Issue: You receive the error "Failed to create cert/key from provided pfx file. Error: NotPkcs8"

  • Impact: SDK 5.11.0 users who reconfigure SSL with a certificate and private key will fail if their private keys are not in PKCS8 format.

  • Workaround: You can convert the custom SSL private key to PKCS8 format with openssl command: openssl pkcs8 -topk8 -inform PEM -outform PEM -in ssl_private_key -out ssl_private_key_pkcs8

  • Resolution status: This issue has been resolved in the client SDK 5.12.0 release. You must upgrade to this client version or later to benefit from the fix.