
I am trying to work with an HSM (hardware security module) to store keys and to do cryptographic operations. I want to operate the HSM inside a Java application. For this I need to use a compatible Java JCE provider as a mapping layer between the application and the standardized PKCS#11 interface of the HSM. I have played around with the Utimaco CryptoServer Simulator in combination with the SunPKCS11 provider in order to get a first understanding. It worked out fine!

But now I'd like to replace the Utimaco CryptoServer Simulator with AWS CloudHSM, but I'm a little confused about that. The FAQ states that AWS CloudHSM provides a JCE provider (com.cavium.provider.caviumprovider). But I would like to use the SunPKCS11 provider for this.

  1. Is it possible to use the SunPKCS11 provider in combination with AWS CloudHSM, or am I limited to the Cavium provider in this regard?
  2. Are there any disadvantages compared to the Cavium provider if the SunPKCS11 provider is used?
Ooooof

2 Answers


I am currently working on AWS CloudHSM and I realized that SunPKCS11 is not fully compatible with the AWS CloudHSM PKCS#11 library.

I tested using keytool with a configuration to create an RSA key pair, and I was not able to query it back.

[image: SunPKCS11 List Keystore]

And when I test the same with Cavium, the supported JCE provider:

[image: Cavium List Keystore]

And on discussing with some folks from AWS, it seems that intermediate JCEs like SunPKCS11 are not supported.
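The check described in this answer, as an added Java example that is not part of the original answer or of any AWS tooling: it loads the vendor PKCS#11 library through SunPKCS11 (Java 9+ `Provider.configure` API), enumerates the keystore, and exercises an existing RSA key without its material ever leaving the HSM. The config file path, the `HSM_PIN` environment variable and the alias are placeholders (assumptions). One common reason a key pair is "not queryable" through SunPKCS11 is that its keystore view only exposes private keys paired with a certificate object sharing the same CKA_ID, so a bare key pair created by vendor tooling may not appear even when the library itself works.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.Certificate;
import java.util.Collections;

/** Probe whether a PKCS#11 library behind SunPKCS11 can list and use token keys. */
public class SunPkcs11Probe {

    public static void main(String[] args) throws Exception {
        // SunPKCS11 config file (placeholder path), e.g.:
        //   name = CloudHSM
        //   library = /path/to/vendor/pkcs11/library.so   (placeholder, vendor specific)
        //   slotListIndex = 0
        String cfg = args.length > 0 ? args[0] : "pkcs11.cfg";
        String alias = args.length > 1 ? args[1] : "test-rsa";     // assumed alias
        char[] pin = System.getenv("HSM_PIN").toCharArray();        // never hard-code the PIN

        Provider p = Security.getProvider("SunPKCS11").configure(cfg);
        Security.addProvider(p);

        // Step 1: can the provider log in and enumerate token objects at all?
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);
        System.out.println("Entries visible through SunPKCS11: " + ks.size());
        for (String a : Collections.list(ks.aliases())) {
            System.out.println("  " + a + (ks.isKeyEntry(a) ? " (key)" : " (cert)"));
        }

        // Step 2: can a key created by the vendor tooling be queried back and used?
        // The PrivateKey is only a handle; signing happens inside the HSM.
        PrivateKey priv = (PrivateKey) ks.getKey(alias, null);
        Certificate cert = ks.getCertificate(alias);
        if (priv == null || cert == null) {
            System.out.println("Alias " + alias + " not visible: cannot query the key back");
            return;
        }
        byte[] msg = "probe".getBytes(StandardCharsets.UTF_8);
        Signature sig = Signature.getInstance("SHA256withRSA", p);
        sig.initSign(priv);
        sig.update(msg);
        byte[] signature = sig.sign();
        sig.initVerify(cert.getPublicKey());
        sig.update(msg);
        System.out.println("Sign/verify via HSM: " + (sig.verify(signature) ? "OK" : "FAILED"));
    }
}
```

Run it once against the simulator and once against the vendor library with the same config; a difference in the listed entries or a failing sign/verify isolates the provider-to-library incompatibility from application bugs.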


Looking at all the different HSM offerings, including Azure Key Vault etc., you should go with Utimaco anyway. Having done thousands of tests with all of them, I can tell you Utimaco offers the most reliable product.

  • Your answer could be improved with additional supporting information. Please [edit] to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Aug 04 '22 at 08:51