
Google Cloud HSM as a provider for encryption

AWS seems to allow us to have the AWS Cloud HSM as a provider. See here and here:

Security.addProvider(new com.cavium.provider.CaviumProvider());

In the samples from GKE, however, we seem to only have Bouncy Castle as a provider. See here:

Security.addProvider(new BouncyCastleProvider());

Maybe I am missing something fundamental.

Would like to do an initSign as in the JCA API below:

https://docs.oracle.com/javase/10/docs/api/java/security/Signature.html#initSign(java.security.PrivateKey)

I am not sure what the exact question is, but it looks like you want to write code that signs data using a private key from an HSM and have that work on both AWS and Google Cloud. The steps to do that are:

  1. Load the provider
  2. Open the keystore
  3. Retrieve the private key
  4. Initialize a signing object with the private key (and update it with the data to sign)
  5. Sign

Step 1 can be done programmatically (via Security.addProvider, as you have written in your question) or statically in the java.security file. If you want your code to be agnostic to the cloud platform it is running on, you may want to consider doing this statically (although it is also possible to do it programmatically and keep things platform agnostic).

The rest of the steps just require pretty standard JCE code. Below is an example:

import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;

KeyStore keyStore = KeyStore.getInstance("type", "provider name");
keyStore.load(null, null); // an HSM keystore is loaded with no input stream; pass the PIN as the second argument if the provider needs one
PrivateKey privKey = (PrivateKey) keyStore.getKey("alias", null); // a handle to the key inside the HSM, not the key material
Signature sig = Signature.getInstance("transformation", "provider name");
sig.initSign(privKey);
sig.update(dataToSign);
byte[] signature = sig.sign();

You may want to read the provider name and keystore type from a (secured) configuration file, so those aren't hard-coded. After you get that working you'll want to look at how often you go to the keystore to retrieve key objects and possibly consider caching them, because keystore retrievals can be expensive, depending on the HSM and provider library being used. That is going a bit beyond the scope of this question, or at least what I am interpreting the question to be, so I will stop there. Hope that helps.
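A fuller version of those five steps, as an added example that is not code from the question, the answer or any HSM vendor's library: the provider name, keystore type, key alias, PIN and signature algorithm are read from a properties file whose key names (hsm.provider, hsm.keystoreType, hsm.keyAlias, hsm.pin, hsm.signatureAlgorithm) are assumed here, the key handle is cached after the first keystore lookup, and each signature is checked with the alias's certificate through the default providers to confirm the HSM output is interoperable. It assumes step 1 (registering the provider) has already been done, programmatically or in java.security.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.cert.Certificate;
import java.util.Properties;

public class HsmSigner {
    private final Properties cfg;    // provider name, keystore type, alias, algorithm: nothing hard-coded
    private PrivateKey cachedKey;    // keystore lookups can be slow on an HSM, so keep the handle
    private Certificate cachedCert;
    public HsmSigner(Properties cfg) { this.cfg = cfg; }
    // Steps 2 and 3: open the provider's keystore and fetch the key handle (once, then cached).
    private synchronized void loadKey() throws GeneralSecurityException, IOException {
        if (cachedKey != null) return;
        String providerName = cfg.getProperty("hsm.provider");    // assumed property names throughout
        Provider provider = Security.getProvider(providerName);   // step 1 must already have registered it
        if (provider == null) throw new IllegalStateException("provider not registered: " + providerName);
        KeyStore ks = KeyStore.getInstance(cfg.getProperty("hsm.keystoreType"), provider);
        String pin = cfg.getProperty("hsm.pin");                  // HSM keystores load with no input stream
        ks.load(null, pin == null ? null : pin.toCharArray());
        String alias = cfg.getProperty("hsm.keyAlias");
        Key key = ks.getKey(alias, null);                         // a handle: the key material stays in the HSM
        if (!(key instanceof PrivateKey)) throw new KeyStoreException("alias is not a private key: " + alias);
        cachedKey = (PrivateKey) key;
        cachedCert = ks.getCertificate(alias);
    }
    // Steps 4 and 5: initSign with the HSM key handle, update, sign.
    public byte[] sign(byte[] data) throws GeneralSecurityException, IOException {
        loadKey();
        Signature sig = Signature.getInstance(cfg.getProperty("hsm.signatureAlgorithm"), cfg.getProperty("hsm.provider"));
        sig.initSign(cachedKey);
        sig.update(data);
        return sig.sign();
    }
    // Verify via the default providers with the alias's certificate: confirms interoperability and the right alias.
    public boolean verify(byte[] data, byte[] signature) throws GeneralSecurityException, IOException {
        loadKey();
        if (cachedCert == null) throw new KeyStoreException("no certificate stored under the signing alias");
        Signature ver = Signature.getInstance(cfg.getProperty("hsm.signatureAlgorithm"));
        ver.initVerify(cachedCert.getPublicKey());
        ver.update(data);
        return ver.verify(signature);
    }
    public static void main(String[] args) throws Exception {
        Properties cfg = new Properties();
        try (FileInputStream in = new FileInputStream(args[0])) { cfg.load(in); }   // e.g. hsm.properties
        HsmSigner signer = new HsmSigner(cfg);
        byte[] data = "payload to sign".getBytes(StandardCharsets.UTF_8);           // constructed sample input
        System.out.println("signature verifies: " + signer.verify(data, signer.sign(data)));
    }
}
```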
