
Export Partition Log

info

Log export with signature is supported in the versions listed below. If logs are exported using a version earlier than those specified, the log signature will be null.

HSM Firmware: v3.0.0 or higher
Rest-API: v2.4.0 or higher

Exporting the signed logs can be done in one of two ways:

  1. Exporting all logs
  2. Exporting logs by time

The output of both will have the form

{
"signature": "string",
"signatureAlgorithm": "string",
"attestationCertificate": "string",
"log": "string" // log-events are separated by the newline character '\n'
}

Exporting All Logs

Collect all logs for your partition from your HSM:

GET: /v1/hsm/log

Exporting Logs by Time

Collect logs for a specified time range (unix time):

GET: /v1/hsm/log/time

Provide a value for time, e.g. 1735686000 for the 1st of Jan 2025 CET. To determine the unix time, you can use this Epoch Converter.

Sample Code

package securosys.docs.samples;

/*
* Copyright (c)2015-2025, Securosys SA
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* The above copyright notice and this permission notice shall be included
* in all copies or substantial portions of the Software.
*/

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.StringReader;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;

import java.util.Base64;
import javax.json.Json;
import javax.json.JsonObject;
import javax.json.JsonReader;


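/**
 * Sample: export the partition log through the REST API and verify the log signature
 * with the attestation certificate returned in the same response.
 *
 * <p>NOTE(review): the check below only proves that the log text matches the signature
 * made by the key inside the returned certificate. The certificate itself is not
 * validated here. Before relying on the result, validate the attestation certificate
 * against a trust anchor obtained out of band (for example a pinned vendor root
 * certificate); otherwise anyone able to alter the response could replace the log,
 * signature and certificate together.
 */
public class VerifySignedHsmLogsSample {

    /**
     * Fetches all partition logs, parses the JSON envelope and prints whether the
     * signature over the {@code log} field verifies.
     *
     * @param args unused
     * @throws IOException if the request fails or the API answers with a non-2xx status
     * @throws InterruptedException if the HTTP call is interrupted
     * @throws IllegalStateException if the response lacks one of the fields needed for verification
     * @throws RuntimeException if the certificate cannot be parsed or the signature check cannot be run
     */
    public static void main(String[] args) throws IOException, InterruptedException {
        // 1. Request the log export. Replace <JWT_TOKEN> with a real token supplied at
        //    runtime; do not commit credentials to source control.
        HttpClient client = HttpClient.newHttpClient();
        HttpRequest request = HttpRequest.newBuilder()
                .uri(URI.create("https://sbx-rest-api.cloudshsm.com/v1/hsm/log"))
                .header("Authorization", "Bearer <JWT_TOKEN>")
                .GET()
                .build();
        HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());

        // An error body (e.g. authentication failure) is not a log export; stop before parsing it.
        if (response.statusCode() / 100 != 2) {
            throw new IOException("Log export failed with HTTP status " + response.statusCode());
        }

        // 2. Parse the JSON envelope; try-with-resources closes the reader on every path.
        JsonObject jsonObject;
        try (JsonReader jsonReader = Json.createReader(new StringReader(response.body()))) {
            jsonObject = jsonReader.readObject();
        }

        // 3. Exports from versions older than those listed in the documentation carry a
        //    null signature. Fail with a clear message instead of a ClassCastException,
        //    and never treat an unsigned log as verified.
        for (String field : new String[] {"signature", "signatureAlgorithm", "attestationCertificate", "log"}) {
            if (!jsonObject.containsKey(field) || jsonObject.isNull(field)) {
                throw new IllegalStateException(
                        "Log export has no '" + field + "' value; the log cannot be verified");
            }
        }

        String signature = jsonObject.getString("signature");
        // NOTE(review): the algorithm name is taken from the response. If the expected
        // algorithm is known for your HSM, compare against it instead of accepting
        // whatever the response names.
        String signatureAlgorithm = jsonObject.getString("signatureAlgorithm");
        String attestationCertificate = jsonObject.getString("attestationCertificate");
        String log = jsonObject.getString("log");

        // 4. Decode the Base64 attestation certificate and parse it as X.509.
        byte[] attestationCertificateBytes = Base64.getDecoder().decode(attestationCertificate);
        try {
            CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
            Certificate certificate =
                    certFactory.generateCertificate(new ByteArrayInputStream(attestationCertificateBytes));

            // 5. Verify the signature over the exact UTF-8 bytes of the log string using
            //    the default JCA provider. Any re-formatting of the log (line endings,
            //    trimming) before this point would make verification fail.
            Signature verifier = Signature.getInstance(signatureAlgorithm);
            verifier.initVerify(certificate);
            verifier.update(log.getBytes(StandardCharsets.UTF_8));

            boolean verified = verifier.verify(Base64.getDecoder().decode(signature));
            // A "false" result means the log must not be trusted as evidence.
            System.out.println("Signature verified: " + verified);
        } catch (NoSuchAlgorithmException | SignatureException | InvalidKeyException
                | CertificateException e) {
            throw new RuntimeException(e);
        }
    }
}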