[4.12.x]Support for HSM-backed Keystores for Signing and Encryption

[RivinduM]

Purpose

This pr adds support to configure and load a HSM keystore via the PKCS11 API.

deployment.toml configuration

[keystore.hsm]
enabled = true
pin = "hsm_pin"
alias = "hsm_key_alias"
provider_configuration = "pkcs11.cfg"

Related Issue

wso2/product-is#26706

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

Tip

Try Coding Plans. Let us write the prompt for your AI agent so you can ship faster (with fewer bugs).
Share your feedback on Discord.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[wso2-engineering]

Log Improvement Suggestion No: 1

Suggested change

	if (tenantId == MultitenantConstants.SUPER_TENANT_ID) {
	if (tenantId == MultitenantConstants.SUPER_TENANT_ID) {
	log.info("Loading HSM key store for super tenant.");

[wso2-engineering]

Log Improvement Suggestion No: 2

Suggested change

	KeyStore ks = KeyStore.getInstance(PKCS11, pkcs11);
	ks.load(null, this.getServerConfigService()
	.getFirstProperty(RegistryResources.SecurityManagement.SERVER_HSM_KEYSTORE_PASSWORD).toCharArray());
	log.info("HSM keystore loaded successfully.");
	KeyStore ks = KeyStore.getInstance(PKCS11, pkcs11);
	ks.load(null, this.getServerConfigService()
	.getFirstProperty(RegistryResources.SecurityManagement.SERVER_HSM_KEYSTORE_PASSWORD).toCharArray());
	log.info("HSM keystore loaded successfully with provider: " + pkcs11.getName());

[wso2-engineering]

AI Agent Log Improvement Checklist

⚠️ Warning: AI-Generated Review Comments

• The log-related comments and suggestions in this review were generated by an AI tool to assist with identifying potential improvements. Purpose of reviewing the code for log improvements is to improve the troubleshooting capabilities of our products.
• Please make sure to manually review and validate all suggestions before applying any changes. Not every code suggestion would make sense or add value to our purpose. Therefore, you have the freedom to decide which of the suggestions are helpful.

✅ Before merging this pull request:

• Review all AI-generated comments for accuracy and relevance.
• Complete and verify the table below. We need your feedback to measure the accuracy of these suggestions and the value they add. If you are rejecting a certain code suggestion, please mention the reason briefly in the suggestion for us to capture it.

Comment	Accepted (Y/N)	Reason
#### Log Improvement Suggestion No: 1
#### Log Improvement Suggestion No: 2

[jenkins-is-staging]

PR builder started
Link: https://github.com/wso2/product-is/actions/runs/22992707911

[jenkins-is-staging]

PR builder completed
Link: https://github.com/wso2/product-is/actions/runs/22992707911
Status: success

[jenkins-is-staging]

Approving the pull request based on the successful pr build https://github.com/wso2/product-is/actions/runs/22992707911