
          密钥管理服务 KMS

          密钥管理

          创建密钥

          如下代码可以创建 MasterKey，并返回 MasterKeyId、创建时间等信息。

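          # Keep the response: the text above says it carries the new key's
          # MasterKeyId and creation time, but the original example discarded it.
          result = kmsClient.create_masterKey("test", protectedby_class.HSM,
                                              keyspec_class.AES_256, origin_class.EXTERNAL)
          # origin EXTERNAL: the key material is supplied afterwards through the
          # import flow further down this page (presumably the key cannot be used
          # before that — confirm in the API reference).
          print(result.key_metadata.key_id)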

          列举MasterKey

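          # The 10 is passed straight through; presumably the maximum number of
          # keys to return — confirm against the SDK signature.
          result = kmsClient.list_masterKey(10)
          # print the key id of every returned key (iterate the list directly
          # instead of indexing by range(len(...)))
          for key in result.keys:
              print(key.key_id)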

          加密数据

          keyId = "xxxxxxx"  # replace with a MasterKeyId returned by create_masterKey
          # the example hands the data to the API base64-encoded, not raw
          plaintext = base64.b64encode("hellobaby")
          # encrypt under the master key; for bulk data the generate_dataKey flow
          # below is the usual pattern (confirm the payload size limit in the API reference)
          result = kmsClient.encrypt(keyId, plaintext)
          print(result.ciphertext)

          解密数据

          keyId = "xxxxxx"              # MasterKeyId the data was encrypted under
          ciphertext = "xxxxxxxxxxxxx"  # the result.ciphertext value from encrypt
          result = kmsClient.decrypt(keyId, ciphertext)
          # result.plaintext presumably mirrors the base64 form given to encrypt;
          # base64.b64decode it to recover the original bytes — confirm with the API reference
          print(result.plaintext)

          生成DataKey

          keyId = "xxxxxx"
          # Ask KMS for a data key protected by this master key (envelope
          # encryption). The trailing 128 is presumably the key length in bits,
          # matching AES_128 — confirm in the API reference. The response is kept
          # here; the original example dropped it.
          result = kmsClient.generate_dataKey(keyId, keyspec_class.AES_128, 128)

          使MasterKey处于可用状态

          # Put a master key (e.g. one switched off with disable_masterKey) back into service.
          kmsClient.enable_masterKey("001f9ef4-0a4b-1333-db42-e79dbd80fd25")

          使MasterKey处于不可用状态

          # Take a master key out of service without destroying it; enable_masterKey
          # reverses this (presumably encrypt/decrypt fail while disabled — confirm).
          kmsClient.disable_masterKey("001f9ef4-0a4b-1333-db42-e79dbd80fd25")

          删除MasterKey

          # Schedule destruction of a master key. The second argument (7) is
          # presumably the pending period before the material is destroyed —
          # confirm the unit (days) in the API reference. The next snippet shows
          # how to cancel while the deletion is still pending.
          kmsClient.scheduleDelete_masterKey("001f9ef4-0a4b-1333-db42-e79dbd80fd25", 7)

          取消删除MasterKey

          # Revert a pending scheduleDelete_masterKey.
          # NOTE(review): the method name reads "maaterKey" — looks like a typo for
          # "masterKey" (compare scheduleDelete_masterKey above); confirm the real
          # SDK name before copying this line.
          kmsClient.cancelDelete_maaterKey("001f9ef4-0a4b-1333-db42-e79dbd80fd25")

          获取MasterKey详细信息

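          keyId = '001f9ef4-0a4b-1333-db42-e79dbd80fd25'
          # kmsClient is the client object the other snippets on this page use;
          # the original `self.client` only resolves inside the class it was
          # excerpted from, so the snippet failed on its own.
          result = kmsClient.describe_masterKey(keyId)
          # key_metadata carries the key's attributes; protected_by is presumably
          # the protectedby_class value chosen at creation
          print(result.key_metadata.protected_by)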

          获取导入密钥参数

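          keyId = "16f97e43-3bdc-c97d-903f-4d7f2bc5828e"
          publicKeyEncoding = publickeyencoding_class.PEM
          # kmsClient replaces the original `self.client`, which is unresolvable
          # outside the class the snippet was taken from.
          result = kmsClient.get_parameters_for_import(keyId, publicKeyEncoding)
          # The same response also carries import_token (used by the import
          # snippets below); public_key is what locally generated key material
          # gets wrapped under before import.
          print(result.public_key)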

          导入对称密钥

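          import base64
          from Crypto.PublicKey import RSA
          from Crypto.Cipher import PKCS1_v1_5
          from Crypto.Cipher import AES
          from Crypto.Util.asn1 import DerSequence
          from Crypto import Random

          # 1. create a master key whose material will be supplied from outside.
          #    kmsClient replaces the original `self.client`, which does not resolve
          #    outside the class this snippet was excerpted from.
          result = kmsClient.create_masterKey("test", protectedby_class.HSM,
                                              keyspec_class.AES_128, origin_class.EXTERNAL)
          keyId = str(result.key_metadata.key_id)

          # 2. fetch the wrapping public key and the import token; both come from
          #    the same response and presumably belong together — confirm the
          #    token's lifetime in the API reference.
          publicKeyEncoding = publickeyencoding_class.PEM
          result = kmsClient.get_parameters_for_import(keyId, publicKeyEncoding)
          pubKey = str(result.public_key)
          importToken = str(result.import_token)
          rsa_pubKey = RSA.importKey(pubKey)
          cipher = PKCS1_v1_5.new(rsa_pubKey)

          # 3. the key material itself: 16 random bytes for AES_128. The original
          #    example used the fixed string "1122334455667788", which is only a
          #    placeholder; real material has to come from a CSPRNG.
          aeskey = Random.new().read(16)
          # wrap it under the KMS public key (RSAES-PKCS1-v1_5, which the import
          # API appears to expect) and base64-encode the blob for transport
          encryptedKey = base64.b64encode(cipher.encrypt(aeskey))
          # keySpec is given as a string here while create_masterKey took
          # keyspec_class.AES_128 — confirm which form import_symmetricMasterKey takes
          kmsClient.import_symmetricMasterKey(keyId, importToken, encryptedKey, keySpec="AES_128")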

          导入非对称密钥

          from Crypto.PublicKey import RSA
          from Crypto.Cipher import PKCS1_v1_5
          from Crypto.Cipher import AES
          from Crypto.Util.asn1 import DerSequence, DerObject
          from Crypto import Random
          
          ......
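              def test_import_RSA_1024(self):
                  """
                  Import a locally generated RSA-1024 key pair into an EXTERNAL master key.

                  Flow: create the key -> fetch the KMS wrapping public key and the
                  import token -> generate the key pair -> encode the private components
                  at fixed length and wrap them under a fresh AES key-encryption key
                  (KEK) -> wrap the KEK under the KMS public key -> call
                  import_asymmetricMasterKey.
                  """
                  # base64 is used below but missing from the snippet's import list,
                  # so it is imported here to keep the example self-contained
                  import base64
                  import binascii

                  def fixed_len_bytes(value, length):
                      # Big-endian, zero-padded encoding of an integer in exactly
                      # `length` bytes. The original hex(...)[2:-1].decode("hex")
                      # dropped leading zero bytes and broke on odd-length hex, so the
                      # component lengths varied between runs and the block-aligned
                      # ECB encryption below could raise.
                      if value.bit_length() > 8 * length:
                          raise ValueError("integer does not fit in %d bytes" % length)
                      return binascii.unhexlify('%0*x' % (2 * length, value))

                  # create external key
                  result = self.client.create_masterKey("test", protectedby_class.HSM,
                                              keyspec_class.RSA_1024, origin_class.EXTERNAL)
                  keyId = str(result.key_metadata.key_id)

                  # get import parameter (public key to wrap under + import token)
                  publicKeyEncoding = publickeyencoding_class.PEM
                  result = self.client.get_parameters_for_import(keyId, publicKeyEncoding)
                  pubKey = str(result.public_key)
                  importToken = str(result.import_token)
                  rsa_pubKey = RSA.importKey(pubKey)
                  cipher = PKCS1_v1_5.new(rsa_pubKey)

                  # generate a random RSA-1024 key pair locally. The original printed
                  # rsa.exportKey() — the private key — to stdout; that line is gone.
                  random_generator = Random.new().read
                  rsa = RSA.generate(1024, random_generator)
                  # public half as DER SEQUENCE { n, e }, base64 for transport
                  der = DerSequence()
                  der.append(rsa.n)
                  der.append(rsa.e)
                  pub_key = base64.b64encode(der.encode())

                  # private components at fixed size: d modulus-sized, the CRT values
                  # half of that. Assumes balanced primes (fixed_len_bytes raises
                  # otherwise) and that the service accepts zero-padded big-endian
                  # integers — confirm both against the import API reference.
                  modulus_len = (rsa.n.bit_length() + 7) // 8
                  half_len = modulus_len // 2
                  D = fixed_len_bytes(rsa.d, modulus_len)
                  P = fixed_len_bytes(rsa.p, half_len)
                  Q = fixed_len_bytes(rsa.q, half_len)
                  Dp = fixed_len_bytes(rsa.d % (rsa.p - 1), half_len)
                  Dq = fixed_len_bytes(rsa.d % (rsa.q - 1), half_len)
                  # findModReverse is a helper defined elsewhere in this class;
                  # assumed to return q^-1 mod p (PKCS#1 qInv) — confirm
                  Qinv = fixed_len_bytes(self.findModReverse(rsa.q, rsa.p), half_len)

                  # fresh 16-byte AES-128 KEK instead of the fixed '1122334455667788'
                  # (the original variable was misleadingly named encryptedKey).
                  # ECB is kept because that is the wrapping the import API appears to
                  # take; the IV the original passed is meaningless in ECB and is dropped.
                  kek = Random.new().read(16)
                  aes_obj = AES.new(kek, AES.MODE_ECB)
                  D_b64 = base64.b64encode(aes_obj.encrypt(D))
                  P_b64 = base64.b64encode(aes_obj.encrypt(P))
                  Q_b64 = base64.b64encode(aes_obj.encrypt(Q))
                  Dp_b64 = base64.b64encode(aes_obj.encrypt(Dp))
                  Dq_b64 = base64.b64encode(aes_obj.encrypt(Dq))
                  Qinv_b64 = base64.b64encode(aes_obj.encrypt(Qinv))
                  # the KEK itself travels wrapped under the KMS public key
                  encryptedKeyEncryptionKey = base64.b64encode(cipher.encrypt(kek))
                  self.client.import_asymmetricMasterKey(keyId, importToken, keyspec_class.RSA_1024, encryptedKeyEncryptionKey,
                                                      publicKeyDer=pub_key, encryptedD=D_b64, encryptedP=P_b64,
                                                      encryptedQ=Q_b64, encryptedDp=Dp_b64, encryptedDq=Dq_b64,
                                                      encryptedQinv=Qinv_b64)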
                  
          ......