Description
Hi y'all
Describe the problem you'd like to have solved
In my project, I'm required to use an HSM (Hardware Security Module) for computing digital signatures. This particular HSM provides a Java API which includes a java.security.Provider class. This class is tasked with making the HSM-specific calls for computing signatures with a given java.security.PrivateKey reference.
The same could be said if we want to use BouncyCastleProvider, another common crypto provider in the Java and .NET crypto communities.
Specifying the signature provider is standard Java, as can be observed in the Signature.getInstance(String algorithm, String provider).
Unfortunately, there's no way in auth0 to pass a provider instance or its name to the CryptoHelper.
Describe the ideal solution
Since auth0 is already relying on java.security.Signature class to compute signatures, for me, the ideal solution would be to add a provider parameter to the JWTCreator.Builder#sign(Algorithm algorithm) method to match the java.security.Signature.getInstance(String algorithm, String/Provider provider) method in the Java API.
Alternatives and current work-arounds
I'm unsure if setting the HSM provider as the provider in position 0 of the providers list would suffice. Other than this, I'm forking auth0 and modifying the code.
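As an added illustration (not java-jwt code, and not the HSM vendor's), the sketch below shows the two paths the request contrasts: pinning java.security.Signature to an explicit Provider, and falling back to the JCA's global provider order. Every class and method name here is hypothetical; the JDK's own SunRsaSign provider stands in for the HSM provider so the sketch runs offline, and the claims are constructed sample data.

```java
import static java.nio.charset.StandardCharsets.UTF_8;

import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.PublicKey;
import java.security.Security;
import java.security.Signature;
import java.util.Base64;

/**
 * Hypothetical sketch of a provider-aware signer. It is not java-jwt code; it only
 * shows how java.security.Signature is pinned to a Provider and where that choice
 * would sit inside a compact-JWS signing step.
 */
public class ProviderPinnedSigner {

    /** Signs data with the given JCA algorithm; a null provider means "let the JCA choose". */
    static byte[] sign(byte[] data, PrivateKey key, String jcaAlgorithm, Provider provider)
            throws GeneralSecurityException {
        Signature sig = (provider == null)
                ? Signature.getInstance(jcaAlgorithm)            // first installed provider supporting the algorithm
                : Signature.getInstance(jcaAlgorithm, provider); // exactly this provider, or NoSuchAlgorithmException
        sig.initSign(key);
        sig.update(data);
        return sig.sign();
    }

    /** Verifies with the default provider; the JWS signature bytes are provider-independent. */
    static boolean verify(byte[] data, byte[] signature, PublicKey key, String jcaAlgorithm)
            throws GeneralSecurityException {
        Signature sig = Signature.getInstance(jcaAlgorithm);
        sig.initVerify(key);
        sig.update(data);
        return sig.verify(signature);
    }

    static String b64url(byte[] in) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(in);
    }

    /** Builds header.payload.signature (RS256) by hand so the provider choice is visible in the signing step. */
    static String signCompactJws(String headerJson, String payloadJson, PrivateKey key, Provider provider)
            throws GeneralSecurityException {
        String signingInput = b64url(headerJson.getBytes(UTF_8)) + "." + b64url(payloadJson.getBytes(UTF_8));
        byte[] signature = sign(signingInput.getBytes(UTF_8), key, "SHA256withRSA", provider);
        return signingInput + "." + b64url(signature);
    }

    /** The check for the "first position" workaround: which provider does the JCA actually pick for this algorithm? */
    static String providerChosenFor(String jcaAlgorithm) throws GeneralSecurityException {
        return Signature.getInstance(jcaAlgorithm).getProvider().getName();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        // Stand-in for the HSM's Provider. SunRsaSign ships with every standard JDK, so the sketch
        // runs offline; a real HSM provider or BouncyCastleProvider would be passed the same way.
        Provider pinned = Security.getProvider("SunRsaSign");

        String header = "{\"alg\":\"RS256\",\"typ\":\"JWT\"}";
        String payload = "{\"iss\":\"example\",\"sub\":\"constructed-sample\"}"; // constructed sample claims
        String jws = signCompactJws(header, payload, kp.getPrivate(), pinned);

        String[] parts = jws.split("\\.");
        byte[] signingInput = (parts[0] + "." + parts[1]).getBytes(UTF_8);
        byte[] signature = Base64.getUrlDecoder().decode(parts[2]);
        System.out.println("signed with: " + pinned.getName());
        System.out.println("verifies:    " + verify(signingInput, signature, kp.getPublic(), "SHA256withRSA"));

        // Without an explicit provider the outcome depends on global ordering. Security.insertProviderAt(p, 1)
        // makes p the most-preferred provider (positions are 1-based in the JCA API); this call reports which
        // provider that ordering actually selects, so the workaround can be confirmed rather than assumed.
        System.out.println("default provider for SHA256withRSA: " + providerChosenFor("SHA256withRSA"));
    }
}
```

The explicit-provider path is the one the request asks for: the HSM provider is used regardless of what else is installed, and a provider that cannot handle the algorithm fails loudly with NoSuchAlgorithmException instead of silently falling back to a software key. The global-ordering path works only if the HSM provider really is selected first for that algorithm, which providerChosenFor reports; Security.insertProviderAt takes a 1-based position, so "most preferred" is position 1.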
Additional information, if any
I'm using auth0 3.16.0.
I'm also available to implement this and create a pull request with the code. I'm doing it right now.
Regards
Antonio Pedro Santos