密钥管理服务KMS

    密钥管理

    创建密钥

    如下代码可以创建MasterKey，返回MasterKeyId、创建时间等信息。

    # One call creates the master key; the returned record carries the key id,
    # creation time and similar metadata. Origin EXTERNAL means the key
    # material is supplied through the import steps further down this page.
    kmsClient.create_masterKey(
        "test",
        protectedby_class.HSM,
        keyspec_class.AES_256,
        origin_class.EXTERNAL,
    )

    列举MasterKey

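    # 10 is presumably an upper bound on the number of keys returned -- confirm
    result = kmsClient.list_masterKey(10)
    # print every key id; iterate the key list directly instead of indexing
    # through range(len(...))
    for key in result.keys:
        print(key.key_id)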

    加密数据

    # Replace the placeholder with a real master key id.
    keyId = "xxxxxxx"
    # The sample base64-encodes the plaintext before handing it to encrypt.
    plaintext = base64.b64encode("hellobaby")
    encrypted = kmsClient.encrypt(keyId, plaintext)
    print(encrypted.ciphertext)

    解密数据

    # Placeholders: the master key id and a ciphertext produced by encrypt.
    keyId = "xxxxxx"
    ciphertext = "xxxxxxxxxxxxx"
    decrypted = kmsClient.decrypt(keyId, ciphertext)
    print(decrypted.plaintext)

    生成DataKey

    # Request a data key under the (placeholder) master key id with keyspec
    # AES_128 and a length of 128; the return value is discarded in this sample.
    kmsClient.generate_dataKey("xxxxxx", keyspec_class.AES_128, 128)

    使MasterKey处于可用状态

    # Put the master key back into the usable state.
    kmsClient.enable_masterKey("001f9ef4-0a4b-1333-db42-e79dbd80fd25")

    使MasterKey处于不可用状态

    # Take the master key out of the usable state without deleting it.
    kmsClient.disable_masterKey("001f9ef4-0a4b-1333-db42-e79dbd80fd25")

    删除MasterKey

    # Schedule deletion; the second argument (7) is presumably the waiting
    # period in days before the key is actually destroyed -- confirm.
    kmsClient.scheduleDelete_masterKey("001f9ef4-0a4b-1333-db42-e79dbd80fd25", 7)

    取消删除MasterKey

    # Cancel a pending deletion scheduled by scheduleDelete_masterKey.
    # NOTE(review): "maaterKey" looks like a typo for the "_masterKey" suffix
    # every other method on this page uses; confirm the name against the SDK.
    kmsClient.cancelDelete_maaterKey("001f9ef4-0a4b-1333-db42-e79dbd80fd25")

    获取MasterKey详细信息

    # Fetch the key's metadata; this sample reads it through self.client
    # (the test-class client) rather than the kmsClient of the earlier snippets.
    details = self.client.describe_masterKey('001f9ef4-0a4b-1333-db42-e79dbd80fd25')
    print(details.key_metadata.protected_by)

    获取导入密钥参数

    # Import parameters: the public key returned here wraps the key material
    # in the import steps below; PEM selects its encoding.
    params = self.client.get_parameters_for_import(
        "16f97e43-3bdc-c97d-903f-4d7f2bc5828e", publickeyencoding_class.PEM)
    print(params.public_key)

    导入对称密钥

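    import base64
    from Crypto.PublicKey import RSA
    from Crypto.Cipher import PKCS1_v1_5
    from Crypto.Cipher import AES
    from Crypto.Util.asn1 import DerSequence
    from Crypto import Random
    # create external key (origin EXTERNAL: the key material is imported below)
    result = self.client.create_masterKey("test", protectedby_class.HSM,
                                          keyspec_class.AES_128, origin_class.EXTERNAL)
    keyId = str(result.key_metadata.key_id)

    # get import parameter: public_key wraps the key material, import_token is
    # passed back together with the wrapped material
    publicKeyEncoding = publickeyencoding_class.PEM
    result = self.client.get_parameters_for_import(keyId, publicKeyEncoding)
    pubKey = str(result.public_key)
    importToken = str(result.import_token)
    rsa_pubKey = RSA.importKey(pubKey)
    cipher = PKCS1_v1_5.new(rsa_pubKey)
    # The 16-byte AES-128 key material becomes the master key, so it must be
    # drawn from the CSPRNG; a fixed ASCII string has almost no entropy.
    # Never print or log aeskey.
    aeskey = Random.new().read(16)
    # wrapped under the service public key (PKCS#1 v1.5), then base64-encoded
    encryptedKey = base64.b64encode(cipher.encrypt(aeskey))
    self.client.import_symmetricMasterKey(keyId, importToken, encryptedKey, keySpec="AES_128")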

    导入非对称密钥

    from Crypto.PublicKey import RSA
    from Crypto.Cipher import PKCS1_v1_5
    from Crypto.Cipher import AES
    from Crypto.Util.asn1 import DerSequence, DerObject
    from Crypto import Random
    
    ......
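        def test_import_RSA_1024(self):
            """
            test case for import_RSA_1024

            Flow: create an EXTERNAL RSA_1024 master key, fetch the service
            wrapping public key plus import token, generate an RSA-1024 key pair
            locally, wrap its private CRT components under a fresh AES-128 key
            encryption key (KEK), wrap the KEK under the service public key and
            hand everything to import_asymmetricMasterKey.
            """
            from Crypto.Util.number import long_to_bytes

            # create external key (origin EXTERNAL: the material is imported below)
            result = self.client.create_masterKey("test", protectedby_class.HSM,
                                                  keyspec_class.RSA_1024, origin_class.EXTERNAL)
            keyId = str(result.key_metadata.key_id)

            # get import parameter: public_key wraps the KEK, import_token is
            # passed back together with the wrapped material
            publicKeyEncoding = publickeyencoding_class.PEM
            result = self.client.get_parameters_for_import(keyId, publicKeyEncoding)
            pubKey = str(result.public_key)
            importToken = str(result.import_token)
            rsa_pubKey = RSA.importKey(pubKey)
            cipher = PKCS1_v1_5.new(rsa_pubKey)

            # Generate the RSA-1024 key pair to import. The private key is the
            # material being imported, so it is not printed or logged.
            random_generator = Random.new().read
            rsa = RSA.generate(1024, random_generator)

            # public part: base64 of DER SEQUENCE { n, e }
            der = DerSequence()
            der.append(rsa.n)
            der.append(rsa.e)
            pub_key = base64.b64encode(der.encode())

            def component_bytes(value):
                # Big-endian bytes of one private-key integer, left-padded with
                # zero bytes to a multiple of the AES block size. ECB rejects any
                # other length, and hex(value)[2:-1].decode("hex") breaks whenever
                # the hex string has an odd length or is not a block multiple
                # (e.g. a d or dp with a few leading zero bits).
                # NOTE(review): assumes the service parses each component as a
                # big-endian integer, so leading zero bytes are harmless -- confirm
                # against the import_asymmetricMasterKey reference.
                return long_to_bytes(value, AES.block_size)

            D = component_bytes(rsa.d)
            P = component_bytes(rsa.p)
            Q = component_bytes(rsa.q)
            Dp = component_bytes(rsa.d % (rsa.p - 1))
            Dq = component_bytes(rsa.d % (rsa.q - 1))
            # q^-1 mod p; findModReverse is defined elsewhere in this test class
            Qinv = component_bytes(self.findModReverse(rsa.q, rsa.p))

            # AES-128 KEK drawn from the CSPRNG for every import -- never a fixed
            # string, since whoever knows the KEK can unwrap the private key.
            # ECB is kept from the original sample and takes no IV; the former IV
            # argument was ignored here and some newer Crypto releases reject it.
            kek = Random.new().read(16)
            aes_obj = AES.new(kek, AES.MODE_ECB)

            def wrap(component):
                # base64(AES-ECB(KEK, component))
                return base64.b64encode(aes_obj.encrypt(component))

            D_b64 = wrap(D)
            P_b64 = wrap(P)
            Q_b64 = wrap(Q)
            Dp_b64 = wrap(Dp)
            Dq_b64 = wrap(Dq)
            Qinv_b64 = wrap(Qinv)
            # the KEK itself travels under the service public key (PKCS#1 v1.5)
            encryptedKeyEncryptionKey = base64.b64encode(cipher.encrypt(kek))
            self.client.import_asymmetricMasterKey(keyId, importToken, keyspec_class.RSA_1024, encryptedKeyEncryptionKey,
                                                   publicKeyDer=pub_key, encryptedD=D_b64, encryptedP=P_b64,
                                                   encryptedQ=Q_b64, encryptedDp=Dp_b64, encryptedDq=Dq_b64,
                                                   encryptedQinv=Qinv_b64)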
            
    ......