Pkcs#11 with Luna Cloud HSM: private key listed by cmu list is not found in the Java KeyStore

Question (votes: 0, answers: 1)

Connected to a Luna Cloud HSM, I can add an RSA private key to the HSM (via cmu importkey or via cmu gen), and the command-line tool cmu list shows this key from the server.

I connect to the HSM using Pkcs#11 with a minimal configuration file:

name=LunaHsm
description=SunPKCS11 accessing LunaHsm
library=libCryptoki2.so
showInfo=true
slot=3

But I cannot find the private key I expect. I enabled logging with java.security.debug=sunpkcs11 (log below); the Java code initialises the PKCS#11 library correctly, lists the correct information for the provider SunPKCS11-LunaHsm, finds the correct slot, but only finds the token present in this slot, not the private key I expect to find. I am using OpenJDK 11.0.18.

SunPKCS11 loading lunahsm-pkcs11.cfg
sunpkcs11: Initializing PKCS#11 library libCryptoki2.so
Information for provider SunPKCS11-LunaHsm
Library info:
  cryptokiVersion: 2.20
  manufacturerID: SafeNet                         
  flags: 0
  libraryDescription: Chrystoki                       
  libraryVersion: 10.07
All slots: 0, 1, 2, 3
Slots with tokens: 3
Slot info for slot 3:
  slotDescription: Net Token Slot                                                  
  manufacturerID: SafeNet                         
  flags: CKF_TOKEN_PRESENT | CKF_REMOVABLE_DEVICE | CKF_HW_SLOT
  hardwareVersion: 0.00
  firmwareVersion: 0.00
Token info for token in slot 3:
  label: my_partition          
  manufacturerID: SafeNet                         
  model: Cryptovisor7    
  serialNumber: 123123   
  flags: CKF_RNG | CKF_LOGIN_REQUIRED | CKF_USER_PIN_INITIALIZED | CKF_RESTORE_KEY_NOT_NEEDED | CKF_TOKEN_INITIALIZED
  ulMaxSessionCount: CK_EFFECTIVELY_INFINITE
  ulSessionCount: 1
  ulMaxRwSessionCount: CK_EFFECTIVELY_INFINITE
  ulRwSessionCount: 1
  ulMaxPinLen: 255
  ulMinPinLen: 7
  ulTotalPublicMemory: 159744
  ulFreePublicMemory: 156528
  ulTotalPrivateMemory: 159744
  ulFreePrivateMemory: 156528
  hardwareVersion: 0.00
  firmwareVersion: 7.03
  utcTime: 20241008132333  
<list of Mechanisms>
sunpkcs11: login succeeded

If I use the Luna JSP LunaProvider.jar, then I can find the private key:

Security.addProvider(new LunaProvider());
myStore = KeyStore.getInstance("Luna");
ByteArrayInputStream is1 = new ByteArrayInputStream(
                ("slot:" + slot + "\ncaching:false" + "\ndefertokenization:true").getBytes());
myStore.load(is1, passwd.toCharArray());

But I only want to use the Pkcs#11 API:

Provider provider = Security.getProvider("SunPKCS11");
provider = provider.configure("path/to/config/file");
KeyStore ks = KeyStore.getInstance("PKCS11", provider);
ks.load(is1, passwd.toCharArray());

Any suggestions?

java pkcs#11 hardware-security-module cryptoki
1 Answer

0 votes

I think your Java code using SunPKCS11 cannot find your key because the configuration file you use for the SunPKCS11 provider is missing the key attributes. SunPKCS11 relies on the key attributes specified in the configuration file to locate keys. For example:

name = Luna
library = /usr/safenet/lunaclient/lib/libCryptoki2_64.so
slot = 0
showInfo=false

attributes(*, CKO_PRIVATE_KEY, *) = {
    CKA_SIGN = true
    CKA_TOKEN = true
}

attributes(*, CKO_PUBLIC_KEY, *) = {
    CKA_VERIFY = true
}

attributes(*, CKO_SECRET_KEY, *) = {
    CKA_ENCRYPT = true
    CKA_DECRYPT = true
    CKA_WRAP = true
    CKA_UNWRAP = true
    CKA_TOKEN = true
}
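As an added diagnostic (editor's example, not code from the question or the answer), the following enumerates what the SunPKCS11 KeyStore actually exposes for the configured slot; the config path and PIN are assumed command-line arguments. It supplies the partition PIN through KeyStore.Builder rather than a config InputStream, and reports the entry type and certificate-chain length per alias, which matters because SunPKCS11 presents a private key as a KeyStore alias only when a certificate object with the same CKA_ID exists on the token, so a bare key visible to cmu list can still be absent from ks.aliases().

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.util.Collections;

/** Added diagnostic: list what the SunPKCS11 KeyStore exposes for one token. */
public class Pkcs11KeyStoreProbe {

    /** Loads the SunPKCS11 KeyStore behind configPath and prints every alias it exposes. */
    public static void probe(String configPath, char[] pin) throws Exception {
        // Provider.configure(String) (JDK 9+) reads the same cfg file format shown above.
        Provider base = Security.getProvider("SunPKCS11");
        Provider p11 = base.configure(configPath);   // assumed path, e.g. lunahsm-pkcs11.cfg
        Security.addProvider(p11);

        // KeyStore.Builder hands the PIN to C_Login; SunPKCS11 does not need an InputStream,
        // so there is no need to pass a Luna-style "slot:/caching:" config stream to load().
        KeyStore.Builder builder = KeyStore.Builder.newInstance(
                "PKCS11", p11, new KeyStore.PasswordProtection(pin));
        KeyStore ks = builder.getKeyStore();

        System.out.println("provider " + p11.getName() + ", " + ks.size() + " alias(es)");
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                // Private keys appear here only when a certificate with a matching CKA_ID exists;
                // secret keys (CKO_SECRET_KEY with a CKA_LABEL) appear with a null chain.
                Certificate[] chain = ks.getCertificateChain(alias);
                System.out.printf("%s: key entry, chain length %d%n",
                        alias, chain == null ? 0 : chain.length);
            } else if (ks.isCertificateEntry(alias)) {
                System.out.printf("%s: trusted certificate entry%n", alias);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // usage: java Pkcs11KeyStoreProbe path/to/lunahsm-pkcs11.cfg <partition PIN>
        probe(args[0], args[1].toCharArray());
    }
}
```

Run it with java.security.debug=sunpkcs11 as in the question to see, alongside the token info, which objects the provider mapped to aliases and which it skipped.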