密钥管理


创建密钥

如下代码创建一个 MasterKey，返回值中包含 MasterKeyId、创建时间等元数据。当 origin 为 EXTERNAL 时，密钥材料需要在创建之后通过下文“导入对称密钥 / 导入非对称密钥”的流程导入，之后密钥才可用。

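# Create a MasterKey and keep the returned metadata (per the text above the
# call returns the MasterKeyId, creation time, etc.).  The original sample
# discarded the result; key_metadata.key_id is the field the import samples
# further down read.
# NOTE(review): origin EXTERNAL means the key material is supplied later via
# the import flow.  The trailing positional 360 is not explained on this page
# and the later create_masterKey samples omit it -- confirm its meaning against
# the SDK signature before copying it.
result = kmsClient.create_masterKey("test", protectedby_class.HSM,
                                    keyspec_class.AES_256,
                                    origin_class.EXTERNAL, 360)
print(result.key_metadata.key_id)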

列举MasterKey

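# List MasterKeys and print each key id.  Iterate the returned list directly
# instead of indexing with range(len(...)).
# NOTE(review): the 10 is presumably a page/limit size -- confirm, and page
# through the results if the account holds more keys than that limit.
result = kmsClient.list_masterKey(10)
for key in result.keys:
    print(key.key_id)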

加密数据

# Encrypt a small payload under the MasterKey identified by keyId.
# The sample base64-encodes the plaintext before handing it to the API and
# prints the ciphertext the service returns.  Replace the placeholder id.
keyId = "xxxxxxx"
plaintext = base64.b64encode("hellobaby")
encrypted = kmsClient.encrypt(keyId, plaintext)
print(encrypted.ciphertext)

解密数据

# Decrypt a ciphertext previously produced by encrypt() under the same
# MasterKey.  Replace both placeholders with real values.  Printing the
# recovered plaintext is fine for a demo; do not log it in production code.
keyId = "xxxxxx"
ciphertext = "xxxxxxxxxxxxx"
decrypted = kmsClient.decrypt(keyId, ciphertext)
print(decrypted.plaintext)

生成DataKey

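# Generate a data key under the MasterKey (envelope encryption).  The original
# sample discarded the return value, which is the whole point of the call.
# NOTE(review): the result presumably carries the data key both in plaintext
# and wrapped by the MasterKey -- confirm the field names against the SDK.
# Keep the plaintext copy in memory only and persist just the wrapped copy.
# The trailing 128 is not explained on this page -- confirm whether it is a
# key length and in which unit.
keyId = "xxxxxx"
dataKey = kmsClient.generate_dataKey(keyId, keyspec_class.AES_128, 128)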

使MasterKey处于可用状态

# Put a MasterKey back into the enabled state.  This is the inverse of
# disable_masterKey (next section).
kmsClient.enable_masterKey("001f9ef4-0a4b-1333-db42-e79dbd80fd25")

使MasterKey处于不可用状态

# Take a MasterKey out of service without deleting it.  The change is
# reversible with enable_masterKey (previous section), which makes this the
# safe first step when a key is suspected to be compromised or simply unused.
kmsClient.disable_masterKey("001f9ef4-0a4b-1333-db42-e79dbd80fd25")

删除MasterKey

# Schedule the MasterKey for deletion rather than deleting it immediately; the
# request can still be withdrawn with cancelDelete (next section) while the
# deletion is pending.
# NOTE(review): the second argument (7) is presumably the pending period in
# days -- confirm the unit and the allowed range against the SDK docs.
keyId = "001f9ef4-0a4b-1333-db42-e79dbd80fd25"
pendingWindow = 7
kmsClient.scheduleDelete_masterKey(keyId, pendingWindow)

取消删除MasterKey

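# Withdraw a pending deletion request so the MasterKey stays available.
# NOTE(review): the original sample spelled the method `cancelDelete_maaterKey`;
# every other call on this page uses the `_masterKey` suffix, so this is
# presumably a typo -- verify the method name against the installed SDK.
keyId = "001f9ef4-0a4b-1333-db42-e79dbd80fd25"
kmsClient.cancelDelete_masterKey(keyId)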

获取MasterKey详细信息

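# Fetch the MasterKey's metadata.  The original sample called `self.client`,
# which does not exist outside the test class it was copied from; use the
# kmsClient instance the rest of this page uses.
keyId = '001f9ef4-0a4b-1333-db42-e79dbd80fd25'
result = kmsClient.describe_masterKey(keyId)
# protected_by reports where the key is held (HSM in the create samples above).
print(result.key_metadata.protected_by)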

获取导入密钥参数

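# Fetch the parameters needed to import external key material: a wrapping
# public key (requested in PEM here) and an import token (both are used by the
# import samples below).  Uses kmsClient instead of the sample's `self.client`,
# which is undefined outside the test class the snippet was copied from.
keyId = "16f97e43-3bdc-c97d-903f-4d7f2bc5828e"
publicKeyEncoding = publickeyencoding_class.PEM
result = kmsClient.get_parameters_for_import(keyId, publicKeyEncoding)
# The wrapping key is public, so printing it is harmless.
print(result.public_key)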

导入对称密钥

import base64
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_v1_5
from Crypto.Cipher import AES
from Crypto.Util.asn1 import DerSequence
from Crypto import Random
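# create external key
# Create an EXTERNAL-origin MasterKey and import our own AES-128 key material.
# The original sample used `self.client` (undefined outside the test class it
# came from) and a hard-coded, low-entropy key '1122334455667788'.
result = kmsClient.create_masterKey("test", protectedby_class.HSM,
                                    keyspec_class.AES_128, origin_class.EXTERNAL)
keyId = str(result.key_metadata.key_id)

# get import parameter: the wrapping public key and the import token
publicKeyEncoding = publickeyencoding_class.PEM
result = kmsClient.get_parameters_for_import(keyId, publicKeyEncoding)
pubKey = str(result.public_key)
importToken = str(result.import_token)
rsa_pubKey = RSA.importKey(pubKey)
# NOTE(review): RSAES-PKCS1-v1_5 is what this sample uses; prefer OAEP if the
# service offers it, since v1.5 wrapping is exposed to padding-oracle
# (Bleichenbacher-style) attacks.
cipher = PKCS1_v1_5.new(rsa_pubKey)
# 16 random bytes = AES-128, matching keyspec_class.AES_128 above.  Never ship
# a fixed key.  With EXTERNAL origin this plaintext is presumably the only copy
# of the key material outside the service, so store it securely if re-import
# may ever be needed, and never log it.
aeskey = Random.new().read(16)
encryptedKey = base64.b64encode(cipher.encrypt(aeskey))
kmsClient.import_symmetricMasterKey(keyId, importToken, encryptedKey, keySpec="AES_128")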

导入非对称密钥

from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_v1_5
from Crypto.Cipher import AES
from Crypto.Util.asn1 import DerSequence, DerObject
from Crypto import Random

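    def test_import_RSA_1024(self):
        """
        Import a locally generated RSA-1024 private key into an EXTERNAL
        MasterKey.

        Steps: create the external key, fetch the wrapping public key and
        import token, generate the RSA key pair, encode each CRT component as
        fixed-width big-endian bytes, encrypt the components with a fresh
        AES-128 key-encryption key (KEK), wrap the KEK with the service's RSA
        public key, and submit everything with import_asymmetricMasterKey.

        Changes from the original sample: the KEK is random instead of the
        fixed string '1122334455667788'; the private key is no longer printed
        to stdout; the CRT components are zero-padded to a fixed width (the old
        hex(x)[2:-1].decode("hex") path produced odd-length hex for roughly one
        value in sixteen and non-block-aligned input for AES-ECB); and the IV
        argument is no longer passed to the ECB cipher (PyCryptodome rejects
        it, PyCrypto silently ignored it).
        """
        import binascii

        def _to_fixed_bytes(value, length):
            # Big-endian, zero-padded to exactly `length` bytes.  Works on both
            # Python 2 and 3, unlike hex(x)[2:-1], which relies on the Python 2
            # 'L' suffix and fails on odd-length hex strings.
            return binascii.unhexlify('%0*x' % (2 * length, value))

        # create external key
        result = self.client.create_masterKey("test", protectedby_class.HSM,
                                    keyspec_class.RSA_1024, origin_class.EXTERNAL)
        keyId = str(result.key_metadata.key_id)

        # get import parameter
        publicKeyEncoding = publickeyencoding_class.PEM
        result = self.client.get_parameters_for_import(keyId, publicKeyEncoding)
        pubKey = str(result.public_key)
        importToken = str(result.import_token)
        rsa_pubKey = RSA.importKey(pubKey)
        # NOTE(review): RSAES-PKCS1-v1_5 as in the sample; prefer OAEP if the
        # service accepts it (v1.5 wrapping is exposed to padding-oracle attacks).
        cipher = PKCS1_v1_5.new(rsa_pubKey)

        # Generate the RSA-1024 key pair locally.  Do not print or log it: the
        # private half is the secret being imported.
        random_generator = Random.new().read
        rsa = RSA.generate(1024, random_generator)
        modulus_len = 128            # 1024-bit modulus
        prime_len = modulus_len // 2  # p, q and the CRT exponents are half that
        # RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }
        der = DerSequence()
        der.append(rsa.n)
        der.append(rsa.e)
        pub_key = base64.b64encode(der.encode())
        # CRT components at fixed width so every AES-ECB input is a whole number
        # of 16-byte blocks.
        # NOTE(review): the widths (modulus width for d, half for the rest) are
        # assumed to be what the import API expects -- confirm against its docs.
        D = _to_fixed_bytes(rsa.d, modulus_len)
        P = _to_fixed_bytes(rsa.p, prime_len)
        Q = _to_fixed_bytes(rsa.q, prime_len)
        Dp = _to_fixed_bytes(rsa.d % (rsa.p - 1), prime_len)
        Dq = _to_fixed_bytes(rsa.d % (rsa.q - 1), prime_len)
        # findModReverse is presumably the modular inverse of q mod p (PKCS#1
        # qInv); it is defined elsewhere in this class.
        Qinv = _to_fixed_bytes(self.findModReverse(rsa.q, rsa.p), prime_len)

        # Fresh 16-byte AES-128 KEK instead of a hard-coded string.
        kek = Random.new().read(16)
        # NOTE(review): ECB is kept because it appears to be the per-component
        # encoding the import API expects; it provides no integrity protection
        # for the key material, so make sure the import call itself goes over
        # TLS.  ECB takes no IV, so the sample's third argument is dropped.
        aes_obj = AES.new(kek, AES.MODE_ECB)
        D_b64 = base64.b64encode(aes_obj.encrypt(D))
        P_b64 = base64.b64encode(aes_obj.encrypt(P))
        Q_b64 = base64.b64encode(aes_obj.encrypt(Q))
        Dp_b64 = base64.b64encode(aes_obj.encrypt(Dp))
        Dq_b64 = base64.b64encode(aes_obj.encrypt(Dq))
        Qinv_b64 = base64.b64encode(aes_obj.encrypt(Qinv))
        encryptedKeyEncryptionKey = base64.b64encode(cipher.encrypt(kek))
        self.client.import_asymmetricMasterKey(keyId, importToken, keyspec_class.RSA_1024, encryptedKeyEncryptionKey,
                                            publicKeyDer=pub_key, encryptedD=D_b64, encryptedP=P_b64,
                                            encryptedQ=Q_b64, encryptedDp=Dp_b64, encryptedDq=Dq_b64,
                                            encryptedQinv=Qinv_b64)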
        

配置MasterKey轮转周期

# Configure the automatic rotation period for the MasterKey.
# NOTE(review): the unit of the second argument (365 here) is not stated on
# this page; it is presumably days -- confirm against the SDK docs.
rotationPeriod = 365
kmsClient.updateRotate_masterKey("001f9ef4-0a4b-1333-db42-e79dbd80fd25", rotationPeriod)