Custom HSM#
An HSM (Hardware Security Module) provides the secure environment needed to generate and protect the cryptographic keys used to protect and authenticate sensitive data: the private key stays inside the module, and callers only ever receive signatures or public keys.
In this example a simple Flask REST API service stands in for the remote HSM machine.
Looking into the hsm directory, we can see the following files:
- hsm/sahsm.py: an example of a remote signing service.
- hsm/hsm_k0_cert0_2048.pem: test private key used for signing the data.
- hsm/hsm_k1_cert0_2048.pem: test private key used for signing the data.
Both PEM files are test keys shipped with the example so that it runs out of the box; they stand in for keys that, with a real HSM, would never exist as a file outside the module.
1. Setup#
To start the HSM service, run the following code (the cell blocks for as long as the server is running):
import sys
# Install the required dependencies into the current Jupyter kernel
!{sys.executable} -m pip install flask requests
# Start the remote signing service
from hsm.sahsm import APP
APP.run()
# This call blocks while the server runs; stop the kernel (or press CTRL+C) to quit
* Serving Flask app 'hsm.sahsm'
* Debug mode: off
WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.
* Running on http://127.0.0.1:5000
Press CTRL+C to quit
127.0.0.1 - - [14/May/2025 14:12:01] "GET /signer/rsa2048/0 HTTP/1.1" 200 -
127.0.0.1 - - [14/May/2025 14:12:01] "GET /signer/secp384r1/0 HTTP/1.1" 200 -
127.0.0.1 - - [14/May/2025 14:12:42] "GET /verifier/rsa2048/0?public_key=pLuDyNSAV8iId3Jb5KE1mKloQ/d2hwxpG6Ek3Kp5EEHCjfQ4PqBYmSfIeDSJZ4uUfn9mshE3oszq6YfwONWU9mXIPmvrbO9gaLQJU8DZ4AROERiZAdoZND7aQCowAH/G165k010A8%2BAYNM7XjT43ofxbsKrOgZq0I0FHJzVR3fqU4ePRL%2B25ebyMxXbCaq6LZOnOGkJxarbDtGbaOQhu8BGp7kWKzjIQXMNF6qnc6Tvtb214JN/qO4qAYDBNT533tXHupAYeZf38r/CnTrbQHZaqsz64w2QK0K/YgFu2c0qHEmT8bJgtldrWx162x9blU/x/PMn%2BlBR2EANl9ex5fwEAAQ%3D%3D HTTP/1.1" 415 -
127.0.0.1 - - [14/May/2025 14:13:40] "GET /verifier/rsa2048/0 HTTP/1.1" 200 -
127.0.0.1 - - [14/May/2025 14:13:40] "GET /signer/rsa2048/0 HTTP/1.1" 200 -
127.0.0.1 - - [14/May/2025 14:14:09] "GET /verifier/rsa2048/0 HTTP/1.1" 200 -
127.0.0.1 - - [14/May/2025 14:14:09] "GET /signer/rsa2048/0 HTTP/1.1" 200 -
127.0.0.1 - - [14/May/2025 15:46:10] "GET /verifier/rsa2048/0 HTTP/1.1" 200 -
127.0.0.1 - - [14/May/2025 15:46:10] "GET /signer/rsa2048/0 HTTP/1.1" 200 -
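The access log above shows the shape of the service's API: the client fetches the public key from /verifier/<algorithm>/<index>, asks /signer/<algorithm>/<index> for signatures, and gets a 415 when it sends data in a form the endpoint does not accept. The following is an added example, not SPSDK's hsm/sahsm.py, that reproduces that exchange end to end with the Python standard library only: a loopback HTTP service holds the private key and returns signatures over a SHA-256 digest, and the client verifies them with the public key it fetched. The route layout, the JSON fields, the POST-with-application/octet-stream convention and the key table are assumptions made for illustration; the RSA arithmetic is textbook RSA over a tiny constructed Mersenne-prime key so that it runs without flask or cryptography installed, and is insecure by design.

```python
import hashlib
import json
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed toy key: two Mersenne primes, so the block needs no key file and no
# third-party library. Trivially factorable; it exists only to show the round trip.
_P = (1 << 127) - 1
_Q = (1 << 521) - 1
_N = _P * _Q  # 648-bit modulus, so a SHA-256 digest fits without reduction
_E = 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))
# Hypothetical key table, (algorithm, index) -> (n, e, d); only the service reads d.
KEYS = {("rsa-toy", 0): (_N, _E, _D)}

def _digest_int(data: bytes) -> int:
    # Textbook RSA over the raw SHA-256 digest, no padding scheme (toy only).
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign_with_key(n: int, d: int, data: bytes) -> bytes:
    # Service side: the private exponent is used here and never sent to a client.
    return pow(_digest_int(data), d, n).to_bytes((n.bit_length() + 7) // 8, "big")

def verify(public_key: dict, data: bytes, signature: bytes) -> bool:
    # Client side: check a signature using only the public key fetched from /verifier.
    n, e = int(public_key["n"], 16), int(public_key["e"])
    return pow(int.from_bytes(signature, "big"), e, n) == _digest_int(data)

class _HsmHandler(BaseHTTPRequestHandler):
    def _send_json(self, status: int, payload: dict) -> None:
        body = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def _route(self):
        # Expected path shape, as in the log above: /<signer|verifier>/<algo>/<index>
        parts = self.path.split("?")[0].strip("/").split("/")
        if len(parts) != 3 or not parts[2].isdigit():
            return None
        return parts[0], (parts[1], int(parts[2]))

    def do_GET(self):
        route = self._route()
        if route is None or route[0] != "verifier" or route[1] not in KEYS:
            return self._send_json(404, {"error": "unknown key"})
        n, e, _ = KEYS[route[1]]
        self._send_json(200, {"n": format(n, "x"), "e": e})

    def do_POST(self):
        route = self._route()
        if route is None or route[0] != "signer" or route[1] not in KEYS:
            return self._send_json(404, {"error": "unknown key"})
        if self.headers.get("Content-Type") != "application/octet-stream":
            return self._send_json(415, {"error": "send raw bytes as application/octet-stream"})
        data = self.rfile.read(int(self.headers.get("Content-Length", "0")))
        n, _, d = KEYS[route[1]]
        self._send_json(200, {"signature": sign_with_key(n, d, data).hex()})

    def log_message(self, *args):
        pass  # keep the example quiet; Flask prints the equivalent access log

def start_service():
    # Start the toy service on a free loopback port; returns (server, base_url).
    server = ThreadingHTTPServer(("127.0.0.1", 0), _HsmHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"

def fetch_public_key(base_url: str, algo: str, index: int) -> dict:
    with urlopen(f"{base_url}/verifier/{algo}/{index}") as resp:
        return json.load(resp)

def post(url: str, data: bytes, content_type: str):
    # POST raw bytes; returns (status, parsed JSON body) without raising on 4xx.
    req = Request(url, data=data, method="POST", headers={"Content-Type": content_type})
    try:
        with urlopen(req) as resp:
            return resp.status, json.load(resp)
    except HTTPError as err:
        return err.code, json.load(err)

def round_trip(data: bytes) -> dict:
    # Whole exchange: public key, remote signature, local verification, plus the 415 case.
    server, base = start_service()
    try:
        pub = fetch_public_key(base, "rsa-toy", 0)
        status, body = post(f"{base}/signer/rsa-toy/0", data, "application/octet-stream")
        sig = bytes.fromhex(body["signature"])
        wrong_type, _ = post(f"{base}/signer/rsa-toy/0", data, "text/plain")
        return {"sign_status": status, "valid": verify(pub, data, sig),
                "tampered_valid": verify(pub, data + b"\x00", sig),
                "wrong_type_status": wrong_type}
    finally:
        server.shutdown()
        server.server_close()
```

Calling round_trip(b"constructed firmware image") starts the service, signs the constructed payload, and confirms that the signature verifies against the fetched public key, that a one-byte change to the data makes verification fail, and that a POST with the wrong Content-Type is refused with 415. Like the Flask development server above, this toy server has neither TLS nor authentication: anything that can reach the port can obtain signatures, so keep it bound to 127.0.0.1 for a demo and put a real remote signer behind mutual TLS and per-key authorisation.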