Support for HSM-backed Keystores for Signing and Encryption

[RivinduM]

Purpose

This pr adds support to configure and load a HSM keystore via the PKCS11 API.

deployment.toml configuration

[keystore.hsm]
enabled = true
pin = "hsm_pin"
alias = "hsm_key_alias"
provider_configuration = "pkcs11.cfg"

Related Issue

wso2/product-is#26706

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[wso2-engineering]

AI Agent Log Improvement Checklist

⚠️ Warning: AI-Generated Review Comments

• The log-related comments and suggestions in this review were generated by an AI tool to assist with identifying potential improvements. Purpose of reviewing the code for log improvements is to improve the troubleshooting capabilities of our products.
• Please make sure to manually review and validate all suggestions before applying any changes. Not every code suggestion would make sense or add value to our purpose. Therefore, you have the freedom to decide which of the suggestions are helpful.

✅ Before merging this pull request:

• Review all AI-generated comments for accuracy and relevance.
• Complete and verify the table below. We need your feedback to measure the accuracy of these suggestions and the value they add. If you are rejecting a certain code suggestion, please mention the reason briefly in the suggestion for us to capture it.

Comment	Accepted (Y/N)	Reason
#### Log Improvement Suggestion No: 1	Y
#### Log Improvement Suggestion No: 2	Y

[hwupathum]

Shall we reuse the existing configs like this?

        <KeyStore>
            <!-- Keystore file location-->
            <Location>${carbon.home}/repository/resources/security/{{keystore.primary.file_name}}</Location>
            <!-- Keystore type (JKS/PKCS12 etc.)-->
            <Type>{{keystore.primary.type}}</Type>
            <!-- Keystore password-->
            <Password>{{keystore.primary.password}}</Password>
            <!-- Private Key alias-->
            <KeyAlias>{{keystore.primary.alias}}</KeyAlias>
            <!-- Private Key password-->
            <KeyPassword>{{keystore.primary.key_password}}</KeyPassword>
            {% if keystore.primary.type is defined and keystore.primary.type == 'HSM' %}
            <!-- HSM specific configurations -->
            <ProviderConfiguration>{{keystore.primary.provider_configuration}}</ProviderConfiguration>
            {% endif %}
        </KeyStore>

[keystore.primary]
type="HSM"
password = "654321"
provider_configuration = "pkcs11.cfg"
alias = "wso2carbon"

[RivinduM]

Shall we reuse the existing configs like this?

        <KeyStore>
            <!-- Keystore file location-->
            <Location>${carbon.home}/repository/resources/security/{{keystore.primary.file_name}}</Location>
            <!-- Keystore type (JKS/PKCS12 etc.)-->
            <Type>{{keystore.primary.type}}</Type>
            <!-- Keystore password-->
            <Password>{{keystore.primary.password}}</Password>
            <!-- Private Key alias-->
            <KeyAlias>{{keystore.primary.alias}}</KeyAlias>
            <!-- Private Key password-->
            <KeyPassword>{{keystore.primary.key_password}}</KeyPassword>
            {% if keystore.primary.type is defined and keystore.primary.type == 'HSM' %}
            <!-- HSM specific configurations -->
            <ProviderConfiguration>{{keystore.primary.provider_configuration}}</ProviderConfiguration>
            {% endif %}
        </KeyStore>

[keystore.primary]
type="HSM"
password = "654321"
provider_configuration = "pkcs11.cfg"
alias = "wso2carbon"

If we change the primary keystore itself, it will be a breaking change. For example, in [1] and [2] it has directly loaded the keystore using the carbon.xml configuration. There could be such similar places where we might not know. That was the reason to introduce HSM keystore as a seperate configuration.

[1] https://github.com/wso2-support/carbon-identity-framework/blob/support-7.8.23.x-full/components/authentication-framework/org.wso2.carbon.identity.application.authentication.endpoint.util/src/main/java/org/wso2/carbon/identity/application/authentication/endpoint/util/MutualSSLManager.java#L315
[2] https://github.com/wso2/financial-services-accelerator/blob/main/financial-services-accelerator/common-mediation-policies/consent-enforcement/consent-enforcement-payload-mediator/src/main/java/org/wso2/financial/services/apim/mediation/policies/consent/enforcement/utils/KeyStoreUtils.java#L67

[hwupathum]

LGTM

[hwupathum]

IS master is now using 4.12.x branch and this PR needs to go there