
I'm looking at the Tink documentation, but I don't see a clear way to rotate keys. Basically, I want to do something like this:

KeyTemplate keyTemplate = AeadKeyTemplates.AES256_GCM;
KeysetHandle keysetHandle = KeysetHandle.generateNew(keyTemplate);
// Do some stuff... and then
keysetHandle.rotateKey(); // How to do the equivalent of this??

The documentation talks about how key rotation is a core feature of the library. However, there is no example in the documentation of how to actually do it. What is the "correct" way to rotate keys with the library? I would also like to rotate and activate the new key as separate steps.


1 Answer


The developers have improved the documentation in the GitHub docs (see https://github.com/google/tink/blob/master/docs/JAVA-HOWTO.md#key-rotation):

*Support for key rotation in Tink is provided via the KeysetManager class. You have to provide a KeysetHandle object that contains the keyset that should be rotated, and a specification of the new key via a KeyTemplate message.

import com.google.crypto.tink.KeysetHandle;
import com.google.crypto.tink.KeysetManager;
import com.google.crypto.tink.proto.KeyTemplate;
KeysetHandle keysetHandle = ...;   // existing keyset
KeyTemplate keyTemplate = ...;     // template for the new key
KeysetHandle rotatedKeysetHandle = KeysetManager
    .withKeysetHandle(keysetHandle)
    .rotate(keyTemplate)
    .getKeysetHandle();

Some common specifications are available as pre-generated templates in examples/keytemplates and can be accessed via the ...KeyTemplates.java classes of the respective primitives. After a successful rotation, the resulting keyset contains a new key generated according to the specification in keyTemplate, and the new key becomes the primary key of the keyset. For the rotation to succeed, the Registry must contain a key manager for the key type specified in keyTemplate. Alternatively, you can use Tinkey to rotate or manage keysets.*

Below you can find a short example along with the files the program generates:

keyset_original.json is the (first) original keyset:

{
    "primaryKeyId": 937652358,
    "key": [{
        "keyData": {
            "typeUrl": "type.googleapis.com/google.crypto.tink.AesGcmKey",
            "keyMaterialType": "SYMMETRIC",
            "value": "GhC1iBVcPeQwNp9GcXfqpm8G"
        },
        "outputPrefixType": "TINK",
        "keyId": 937652358,
        "status": "ENABLED"
    }]
}

keyset_rotated.json is the rotated keyset: the primaryKeyId has changed, and the (first) key is still present and enabled but is no longer the primary key:

{
    "primaryKeyId": 138119043,
    "key": [
        {
            "keyData": {
                "typeUrl": "type.googleapis.com/google.crypto.tink.AesGcmKey",
                "keyMaterialType": "SYMMETRIC",
                "value": "GhC1iBVcPeQwNp9GcXfqpm8G"
            },
            "outputPrefixType": "TINK",
            "keyId": 937652358,
            "status": "ENABLED"
        },
        {
            "keyData": {
                "typeUrl": "type.googleapis.com/google.crypto.tink.AesGcmKey",
                "keyMaterialType": "SYMMETRIC",
                "value": "GhBrr2JLPAMMi36n56RHGF2A"
            },
            "outputPrefixType": "TINK",
            "keyId": 138119043,
            "status": "ENABLED"
        }
    ]
}

Code:

import com.google.crypto.tink.*;
import com.google.crypto.tink.aead.AeadKeyTemplates;
import com.google.crypto.tink.config.TinkConfig;
import com.google.crypto.tink.proto.KeyTemplate;

import java.io.File;
import java.io.IOException;
import java.security.GeneralSecurityException;

public class KeyRotation {
    public static void main(String[] args) throws GeneralSecurityException, IOException {
        System.out.println("Google Tink key rotation");
        TinkConfig.register();
        // key generation
        KeyTemplate keyTemplate = AeadKeyTemplates.AES128_GCM;
        KeysetHandle keysetHandle = KeysetHandle.generateNew(keyTemplate);
        // write it to a file
        String originalKeysetFilename = "keyset_original.json";
        CleartextKeysetHandle.write(keysetHandle, JsonKeysetWriter.withFile(
                new File(originalKeysetFilename)));
        // load the existing keysetHandle
        KeysetHandle keysetHandleLoaded = CleartextKeysetHandle.read(
                JsonKeysetReader.withFile(new File(originalKeysetFilename)));
        // generate a new key and make it primary key
        KeysetHandle rotatedKeysetHandle = KeysetManager
                .withKeysetHandle(keysetHandleLoaded)
                .rotate(keyTemplate)
                .getKeysetHandle();
        // write it to a file
        String rotatedKeysetFilename = "keyset_rotated.json";
        CleartextKeysetHandle.write(rotatedKeysetHandle, JsonKeysetWriter.withFile(
                new File(rotatedKeysetFilename)));
        System.out.println("key rotation done, new keyset in " + rotatedKeysetFilename);
    }
}
answered 2020-09-19T21:27:53.230
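The answer's `rotate(keyTemplate)` adds a key and promotes it in one call. The second half of the question, rotating and activating the new key as separate steps, maps onto the other `KeysetManager` methods: `add(keyTemplate)` to stage a key, `setPrimary(keyId)` to switch new encryptions to it, and `disable(keyId)` to retire the old one. The program below is an added example, not code from the answer or from the Tink project; it assumes the same Tink Java API the answer uses (proto `KeyTemplate`, `KeysetManager.withKeysetHandle`, and the `add`/`setPrimary`/`disable` methods on it). It also shows why the staging step matters: a keyset that has not yet received the new key cannot read ciphertext produced under it, so the staged keyset must be deployed to every consumer before the new key is made primary; and once the old key is disabled, data that was never re-encrypted becomes unreadable. The sample plaintext and associated data are constructed for the example.

```java
// Added example (not from the answer above or the Tink project): staged key
// rotation with KeysetManager, with "add" and "make primary" as separate steps.
// Assumes Tink's proto-KeyTemplate era API: KeysetManager.add/setPrimary/disable.
import com.google.crypto.tink.Aead;
import com.google.crypto.tink.KeysetHandle;
import com.google.crypto.tink.KeysetManager;
import com.google.crypto.tink.aead.AeadConfig;
import com.google.crypto.tink.aead.AeadKeyTemplates;
import com.google.crypto.tink.proto.KeysetInfo;
import com.google.crypto.tink.proto.KeyTemplate;

import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Arrays;

public class StagedKeyRotation {

    // Phase 1: add a new key but leave the current primary untouched. Consumers of
    // this keyset can decrypt data produced by either key, but nothing is
    // encrypted under the new key yet. Deploy this keyset everywhere first.
    static KeysetHandle addStandbyKey(KeysetHandle current, KeyTemplate template)
            throws GeneralSecurityException {
        return KeysetManager.withKeysetHandle(current).add(template).getKeysetHandle();
    }

    // Phase 2: switch new encryptions to the given key. The old key stays ENABLED,
    // so existing ciphertexts remain readable.
    static KeysetHandle promote(KeysetHandle staged, int keyId) throws GeneralSecurityException {
        return KeysetManager.withKeysetHandle(staged).setPrimary(keyId).getKeysetHandle();
    }

    // Phase 3: once all data has been re-encrypted, disable the old key. Its
    // material is still in the keyset (enable(keyId) brings it back if something
    // was missed); destroy(keyId) would drop the material for good.
    static KeysetHandle retire(KeysetHandle handle, int oldKeyId) throws GeneralSecurityException {
        return KeysetManager.withKeysetHandle(handle).disable(oldKeyId).getKeysetHandle();
    }

    // The id of the one key in the keyset that is not the current primary.
    static int findStandbyKeyId(KeysetHandle handle) {
        KeysetInfo info = handle.getKeysetInfo();
        for (KeysetInfo.KeyInfo key : info.getKeyInfoList()) {
            if (key.getKeyId() != info.getPrimaryKeyId()) {
                return key.getKeyId();
            }
        }
        throw new IllegalStateException("no standby key in keyset");
    }

    // True if this keyset can decrypt the ciphertext (Tink picks the key by the
    // key-id prefix, and only ENABLED keys take part in decryption).
    static boolean canDecrypt(KeysetHandle handle, byte[] ciphertext, byte[] aad) {
        try {
            handle.getPrimitive(Aead.class).decrypt(ciphertext, aad);
            return true;
        } catch (GeneralSecurityException e) {
            return false;
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        AeadConfig.register();
        KeyTemplate template = AeadKeyTemplates.AES256_GCM;
        byte[] aad = "record-42".getBytes(StandardCharsets.UTF_8);   // constructed sample data
        byte[] plaintext = "hello".getBytes(StandardCharsets.UTF_8);

        // The keyset as it exists before rotation: one key, which is primary.
        KeysetHandle current = KeysetHandle.generateNew(template);
        int oldKeyId = current.getKeysetInfo().getPrimaryKeyId();
        byte[] oldCiphertext = current.getPrimitive(Aead.class).encrypt(plaintext, aad);

        KeysetHandle staged = addStandbyKey(current, template);
        int newKeyId = findStandbyKeyId(staged);
        System.out.println("staged primary: " + staged.getKeysetInfo().getPrimaryKeyId()
                + " (old " + oldKeyId + ", standby " + newKeyId + ")");

        KeysetHandle promoted = promote(staged, newKeyId);
        Aead aead = promoted.getPrimitive(Aead.class);
        System.out.println("old ciphertext readable after promotion: "
                + Arrays.equals(plaintext, aead.decrypt(oldCiphertext, aad)));
        byte[] newCiphertext = aead.encrypt(plaintext, aad);
        // A consumer still on the pre-rotation keyset cannot read this: false.
        System.out.println("new ciphertext readable with pre-rotation keyset: "
                + canDecrypt(current, newCiphertext, aad));

        KeysetHandle retired = retire(promoted, oldKeyId);
        // Old ciphertext that was never re-encrypted is now unreadable: false.
        System.out.println("old ciphertext readable after retiring old key: "
                + canDecrypt(retired, oldCiphertext, aad));
    }
}
```

Order matters in the manager calls: `setPrimary` refuses a key that is not ENABLED, and `disable` refuses the current primary, so the new key must be promoted before the old one is disabled. Persisting each intermediate keyset the way the answer does (JSON via `CleartextKeysetHandle.write`, or an encrypted keyset in production) is what lets the three phases be rolled out independently.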