webhsm by HyperifyIO: Revolutionizing Web Application Security
webhsm contributes to HyperifyIO's broader vision of enhancing digital
security through innovative solutions for custom Public Key Infrastructure
(PKI). As a pivotal element of our security toolkit, it addresses the critical
need for secure cryptographic operations within web applications.
webhsm offers a groundbreaking SoftHSM solution tailored for the unique
challenges of web environments. It provides a PKCS#11 compatible API that
allows web applications to securely manage cryptographic private keys inside
the browser's IndexDB. The genius of webhsm lies in its novel approach to
securing sensitive information: it prevents direct access by front-end
applications, requiring the use of its PKCS#11 API for any cryptographic
actions.
At the core of webhsm's security model is its ability to operate in a
distinct cross-origin context, ensuring that cryptographic keys and operations
are securely isolated from the main application. This is achieved through a
combination of iframes and web workers, with the latter running Go-compiled
WebAssembly (wasm) to perform cryptographic tasks. This innovative architecture
not only enhances security but also maintains the integrity of the
cryptographic operations.
The primary mission of webhsm is to lay the foundation for mutual TLS (mTLS)
in client-side applications, enabling the secure management and storage of
client x509 certificates and their private keys. This is essential for
establishing secure client-server communications within web applications,
making webhsm an indispensable tool for developers looking to bolster their
app's security.
See PKCS11 Compatibility. We organize our work in a simple Project (or use case) -> Task -> Subtask hierarchy.
- PKCS#11 Compatible API: Enables standard cryptographic operations,
ensuring compatibility with existing security protocols. See
PKCS11 Compatibility Backlog
for current development status in
webhsm. - Secure Key Storage: Leverages the browser's IndexDB for storing cryptographic keys, with enhanced security measures to prevent direct access by front-end code.
- Isolated Execution Environment: Utilizes cross-origin iframes and web workers to segregate cryptographic operations from the main application, safeguarding against unauthorized access.
- WebAssembly (wasm) Support: Employs Go-compiled wasm for executing cryptographic operations, combining performance with portability.
(TODO: Detailed instructions on setting up webhsm, including any prerequisites,
installation steps, and a basic usage guide, would be provided here.)
We welcome contributions to webhsm! Whether you're interested in improving
existing functionality, or reporting issues, your input is invaluable to the
project.
You can join our community at Discord.
webhsm is available under the Functional Source License, Version 1.1, MIT
Future License (FSL-1.1-MIT), allowing use, copying, modification, and
redistribution for permitted purposes, excluding competing uses. Two years
post-release, the software will also be available under MIT license terms. Refer
to the LICENSE.md file for complete license details.
For support or further inquiries, particularly regarding the SaaS offering and its suitability for securing private services and embedded application connections, please contact us directly at info@hg.fi.