Using CloudHSM from Erlang w/o openssl engine?

Roger Lipscombe roger@REDACTED
Wed Nov 25 22:11:44 CET 2020

I'd like to use AWS CloudHSM from Erlang to sign ECDSA certificates.
But: the OpenSSL engine for CloudHSM doesn't support anything other
than RSA. The PKCS #11 (and JCE, KSP and CNG) client libraries for
CloudHSM *do* support elliptic curve crypto.

So I was wondering if:
- there exist PKCS #11 bindings for Erlang.
- there was a way to slot them into Erlang's crypto, in the same
manner as OpenSSL engines

I couldn't find anything in the first category.

I've dug into the Erlang/OTP source code, and I'm almost certain that
the answer to the second is currently "no", anyway.

I had the idea that it would be possible to update 'crypto' to support
arbitrary modules.

Currently, OpenSSL engine-managed keys use a map in the place of a
record when specifying the private key. If that map could be extended
to support 'module', (where it currently expects 'engine'), you could
have it call into an Erlang module for various operations. In turn,
that module could use a port or NIF for the PKCS #11 bindings.

Has anyone done any work in this direction? Is it even a good idea?


More information about the erlang-questions mailing list