3

我找到了这个线程:Connecting to SoftHSM java and it works when storage private keys,就像这个例子一样。

但我需要存储密钥,例如 AES。

这是我的代码:

import java.security.*;
import sun.security.pkcs11.*;
import javax.crypto.spec.SecretKeySpec;

public class Main {
    public static void main(String[] args) throws Exception {
        // Set up the Sun PKCS 11 provider
        String configName = "softhsm.cfg";
        Provider p = new SunPKCS11(configName);

        if (-1 == Security.addProvider(p)) {
            throw new RuntimeException("could not add security provider");
        }

        // Load the key store
        char[] pin = "mypin".toCharArray();
        KeyStore keyStore = KeyStore.getInstance("PKCS11", p);
        keyStore.load(null, pin);

        // AES key
        SecretKeySpec secretKeySpec = new SecretKeySpec("0123456789ABCDEF".getBytes(), "AES");
        Key key = new SecretKeySpec(secretKeySpec.getEncoded(), "AES");

        keyStore.setKeyEntry("AA", key, "1234".toCharArray(), null);
        keyStore.store(null); //this gives me the exception.
    }
}

这是 softhsm.cfg 文件:

name = SoftHSM
library = /usr/local/lib/softhsm/libsofthsm.so
slot = 0
attributes(generate, *, *) = {
   CKA_TOKEN = true
}
attributes(generate, CKO_CERTIFICATE, *) = {
   CKA_PRIVATE = false
}
attributes(generate, CKO_PUBLIC_KEY, *) = {
   CKA_PRIVATE = false
}

当执行 keyStore.store(null) 我得到java.security.KeyStoreException Cannot convert to PKCS11 keys

4

1 回答 1

2

原来 SoftHSMv1 发生异常。我安装了 SoftHSMv2,你可以使用 git 从 GitHub 下载它,并用它来存储密钥。不要从 OpenDNSsec 网站下载 SoftHSMv2,因为它不起作用!!。

最后我不得不更改 softhsm.cfg 文件以指向新库,由于某种原因我忽略了,SoftHSM2 更改了初始化插槽的编号,您可以使用验证它sudo softhsm2-util --show-slots

softhsm.cfg:

name = SoftHSM
library = /usr/local/lib/softhsm/libsofthsm2.so
slot = 498488451
attributes(generate, *, *) = {
   CKA_TOKEN = true
}
attributes(generate, CKO_CERTIFICATE, *) = {
   CKA_PRIVATE = false
}
attributes(generate, CKO_PUBLIC_KEY, *) = {
   CKA_PRIVATE = false
}

我的代码:

import java.security.*;
import sun.security.pkcs11.*;
import javax.crypto.spec.SecretKeySpec;

public class Main {
    public static void main(String[] args) throws Exception {
        // Set up the Sun PKCS 11 provider
        String configName = "softhsm.cfg";
        Provider p = new SunPKCS11(configName);

        if (-1 == Security.addProvider(p)) {
            throw new RuntimeException("could not add security provider");
        }

        // Load the key store
        char[] pin = "mypin".toCharArray();
        KeyStore keyStore = KeyStore.getInstance("PKCS11", p);
        keyStore.load(null, pin);

        // AES key
        SecretKeySpec secretKeySpec = new SecretKeySpec("0123456789ABCDEF".getBytes(), "AES");
        Key key = new SecretKeySpec(secretKeySpec.getEncoded(), "AES");

        keyStore.setKeyEntry("AA", key, "1234".toCharArray(), null);
        keyStore.store(null); //this no longer gives me the exception.

        Enumeration<String> aliases = keyStore.aliases();
        while(aliases.hasMoreElements()){
            String alias = aliases.nextElement();
            System.out.println(alias + ": " + keyStore.getKey(alias,"1234".toCharArray()));
        }
    }
}

这给了我输出:

AA: SunPKCS11-SoftHSM AES secret key, 16 bits (id 2, token object, not sensitive, unextractable)

如果您尝试使用类似的方法获取密钥,keyStore.getKey("AA", "1234".toCharArray());您将获得一个具有密钥某些属性的对象,但您将无法用于.getEncoded()实际获取密钥本身,因为它是不可提取的。

于 2016-11-04T13:23:28.210 回答