Prepared by:
HALBORN
Last Updated 07/13/2026
Date of Engagement: June 15th, 2026 - June 24th, 2026
100% of all REPORTED Findings have been addressed
All findings
6
Critical
0
High
0
Medium
3
Low
1
Informational
2
IntellectEU engaged Halborn to conduct a security assessment of their Canton Azure KMS Driver. The engagement was carried out between the 17th of June 2026 and the 24th of June 2026. The security assessment was scoped to the assets agreed upon with the IntellectEU team.
The team at Halborn was provided 4 days for the engagement and assigned resources from its advisory and assurance teams to provide coverage across both the Canton Azure KMS Driver architecture/system flows and the specific code-based assets in scope. The security engineers are custody/secrets management and penetration testing experts with advanced knowledge in web, cloud, discovery & infrastructure penetration testing.
The goals of our security assessments are to improve the quality of the systems we review and to target sufficient remediation to help protect users.
The security assessment was scoped to:
The assessment identified weaknesses across the Canton Azure KMS Driver dependencies and key configuration practices. The most significant finding was the presence of vulnerable dependencies, which may expose the driver to known exploits and expand the attack surface. Additionally, the absence of version pinning for a Docker image may introduce supply chain risk, as it could silently introduce compromised packages into builds.
Additional informational findings relating to hardcoded RSA key sizes and permissions beyond required represented areas where the principle of least privilege is not fully enforced. Over-permissioned keys increase the threat of a key compromise, and hardcoded cryptographic parameters reduce the driver's adaptability.
Addressing the identified findings, particularly those affecting dependency integrity, is important in order to reduce the organization's exposure to supply chain attacks and ensure that the cryptographic trust anchors are maintainable over time.
Fixes by IntellectEU were merged on main branch in 44daf92a25054b9039e9be62d0cc18eb1dea61bb (tagged v1.0.0, https://gitlab.com/intellecteu/products/catalyst/cat-bp/canton/canton-azure-kms-driver/-/releases/v1.0.0)
| Security analysis | Risk level | Remediation |
|---|---|---|
| Lack of Checksum-enforced Classpath Discovery | Medium | Solved - 07/01/2026 |
| Audit Logging Default Off | Medium | Solved - 07/02/2026 |
| Outdated and Vulnerable Dependencies | Medium | Solved - 06/30/2026 |
| Dependencies Should Be Pinned to Exact Versions | Low | Solved - 06/30/2026 |
| Hardcoded RSA-2048 Key Size | Informational | Solved - 07/01/2026 |
| RSA Keys Granted Permissions Beyond Required Scope | Informational | Solved - 07/02/2026 |
Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.
// Download the full report
Custody and Key Management Assessment
* Use Google Chrome for best results
** Check "Background Graphics" in the print settings if needed