hsm | Finite state machine library based on the boost hana meta | SDK library

If you have the permissions to access the two subscriptions, you can create an Azure Management Group to manager the access of the subscriptions into this Management Group.

For more details, you can see the document about "Management Groups".

The function and your use of it have several problems. Notable on the list of problems since my first batch of comments:

• You call it within a rowwise pipe but then pass data=data, which means that it is ignoring the data coming in the pipe and instead looking at the whole thing. You might instead use data=cur_data() (since it is inside of a mutate, this works, as cur_data() is defined by dplyr for situations something like this).

• Your helper_function is ill-defined by assuming that custom.spf is defined and available. Having a function rely on the presence of external variables not explicitly passed to it makes it fragile and can be rather difficult to troubleshoot. If for instance custom.spf were not defined in the calling environment, then this function will fail with object 'custom.spf' not found. Instead, I think you could use:

As the FAQ points out, AWS KMS is designed such that

no one, including AWS employees, can retrieve your plaintext KMS keys from the service.

If you read further down, it also provides links to various articles detailing the specification and design of the KMS. And as you can see from the volumes of these articles, the full scope of design consideration and how it complies with FIPS certification is beyond the scope of this answer.

However, as an example, refer to the cryptographic details tech paper for some ideas of how it works. There are 2 areas mentioned where keys are present:

1. In the KMS Keys Repository
2. In the HSM modules

KMS Keys Repository

The repository serves as durable storage for the keys. Keys are, of course, stored encrypted. The article further explains that the key repository leverages on IAM roles.

Only under AWS IAM roles and accounts administered by each customer can customer KMS keys be created, deleted, or used to encrypt, decrypt, sign, or verify data.

This is the same way authentication and authorization to any other AWS services are managed. Hence, this is one way to prevent AWS employees from gaining access to the keys. How IAM works and how it is secured is once again beyond the scope of this answer.

HSM Modules

Unlike the KMS keys repository, the HSM Modules will have access to the plain text keys. However, the plain text keys are only loaded in-memory for the duration that they are used. They are not durably stored in the HSM modules.

These keys are made available only on the HSMs and only in memory for the necessary time needed to process your cryptographic request.

Hence, employees with access to these modules would be able to theoretically gain access to these keys. To mitigate this risk, if you go to the design goals section, the article further explains the modules use quorum-based access controls.

Multiple Amazon employees with role-specific access to quorum-based access controls are required to perform administrative actions on the HSMs.

That is, no single employee will have administrative access to these modules. Multiple employees are always required. Once again, how AWS assigns which roles to which employees at which management level is beyond the scope of this answer.

As the question requested, these are just some of the considerations of how the service is secured against AWS employees. For an organization to make a decision on whether to use AWS, usually it should be based on a comprehensive set of security policies and an audit whether AWS complies to these requirements.

EDIT

Since you mentioned also how to convince stakeholders, this is usually a business question rather than a technical one.

I would refer them to AWS compliance for evidence that AWS goes through rigorous 3rd party audits. Would then point out the security of a system is only as strong as the weakest link. That is, using AWS does not mean we automatically have AWS security. We have to ensure our software, our people, and our processes are secure against exploits. So unless we are sure we have better security profile than AWS (with all their compliance and audits), our focus and worry should be more on securing our resources.

I uploaded a new build here: https://www.npmjs.com/package/@chilkat/ck-node14-win64 It is the version "9.50.89-hotfix1".

Please give it a try. Also, I see you are passing "TnTrust Token" to LoadFromSmartCard. If the problem remains, try passing an empty string. This should cause Chilkat to try using the default Microsoft CNG Storage Provider, which may have better success.

As already mentioned in a comment, the example document "InvalidDocumentSignedTwice.pdf" has the signature not applied in an incremental update, so here it is obvious that former signatures will break. But this is not the issue of the OP's example project. Thus, the issue is processed with an eye on the actual outputs of the example project.

When validating signed PDFs Adobe Acrobat executes two types of checks:

• It checks the signature itself and whether the revision of the PDF it covers is untouched.
• (If there are additions to the PDF after the revision covered by the signature:) It checks whether changes applied in incremental updates only consist of allowed changes.

The former check is pretty stable and standard but the second one is very whimsical and prone to incorrect negative validation results. Like in your case...

In case of your example document one can simply determine that the first check must positively validate the first signature: The file with only one (valid!) signature constitutes a byte-wise starting piece of the file with two signatures, so nothing can have been broken here.

Thus, the second type of check, the fickle type, must go wrong in the case at hand.

To find out what change one has to analyze the changes done during signing. A helpful fact is that doing the same using iText 5 does not produce the issue; thus, the change that triggered the check must be in what iText 7 does differently than iText 5 here. And the main difference in this context is that iText 7 has a more thorough tagging support than iText 5 and, therefore, also adds a reference to the new signature field to the document structure tree.

This by itself does not yet trigger the whimsical check, though, it only does so here because one outline element refers to the parent structure tree element of the change as its structure element (SE). Apparently Adobe Acrobat considers the change in the associated structure element as a change of the outline link and, therefore, as a (disallowed) change of the behavior of the document revision signed by the first signature.

So is this an iText error (adding entries to the structure tree) or an Adobe Acrobat error (complaining about the additions)? Well, in a tagged PDF (and your PDF has the corresponding Marked entry set to true) the content including annotations and form fields is expected to be tagged. Thus, addition of structure tree entries for the newly added signature field and its appearance not only should be allowed but actually recommended or even required! So this appears to be an error of Adobe Acrobat.

Knowing that this appears to be an Adobe Acrobat bug is all well and good, but at the end of the day one might need a way now to sign such documents multiple times without current Adobe Acrobat calling that invalid.

It is possible to make iText believe there is no structure tree and no need to update a structure tree. This can be done by making the initialization of the document tag structure fail. For this we override the PdfDocument method TryInitTagStructure. As the iText PdfSigner creates its document object internally, we do this in an override of the PdfSigner method InitDocument.

I.e. instead of PdfSigner we use the class MySigner defined like this:

As mentioned in comments , you cannot find the HSM Key Vault in Portal , so you will have to use Azure Keyvault Powershell Module or Azure Keyvault CLI Module .

As a solution , You can add the below in your Terraform script to create a Disk Encryption Set with Managed HSM:

Unfortunately , its not directly possible to activate the Managed HSM from Terraform . Currently , you can only provision it from terraform or ARM template but for activating it has to be done only from PowerShell and Azure CLI. It is also the same while updating the storage account with customer managed key and assigning a key vault role assignment.

If you use azurerm_storage_account_customer_managed_key, then you will get the below error:

Overall all HSM Key vault Operations needs to be performed on CLI or Powershell.

So , For workaround you can use local-exec in terraform to directly run it without performing separate operations.

Code:

..almost a month later..

I've finished my application, now I know a lot more about the argument, it works with following modes:

1. Standard SunPKCS11 against a Docker SoftHSM2 image. HSM contains CKO_CERTIFICATE PUBLIC_KEY and PRIVATE_KEY, on the same slot, with same CKA_ID.All works fine and flawless.
2. Custom PKCS11 extension, I have to copy/paste almost every class from java security package (because is Java 11~17 with sun.* packages), just to alter a couple of lines in Certificate retrieving logic, dropping CKO_CERTIFICTE request and loading it by file (crt/p12).
3. P12, containing all information, used as mocked version for local use only.

I've tried to extend Bouncy Castle Fips provider, instead of SunPKCS11, without any luck.

In the end I think is not possible to accomplish what I need for, the problem is in the server configuration, which is not solvable from a client software. Anyway I'll fix server configuration, adopting the first working case, dropping custom PKCS11 solution, keeping it just for academic purpose.

Yes, it has to be the exact same key with the exact same resource id including project id.The ciphertext for decryption should be exactly as returned from the encrypt call. So, you need to make sure it matches the project in which you created the KMS key. When you try to decrypt the data with the newly created key from project-B that was encrypted in project-A, it fails.

In your use-case the ciphertext you're trying to decrypt was encrypted using a different key. You should use the same key for both encryption and decryption, else KMS tells you that it could not find the key while actually the key was found.