Retargeting pkcs11 keys to jcecsp in nCipher HSM

Time: 2018-03-15 11:12:04

Tags: pkcs#11 jce hsm

Using the PKCS11 API, I was able to generate symmetric keys (DES3), but now I need to retarget these keys to jcecsp so that the HSM is accessed using only the nCipher JCE provider. I realized that … is not in the list of recognized applications for the jcecsp command.

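So my question is: is there a way to add --retarget as an application supported by the jcecsp command? Or is this simply not possible in the nShield HSM?

The error output I received: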

generatekey --retarget

1 answer:

Answer 0: (score: 0)

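jcecsp is a bit of an odd one, because operations need to go through Java's KeyStore API. You can use the -importkeystore option of Java's keytool with SunPKCS11 as the source and nCipher.sworld as the destination. If you do that, you will effectively have retargeted the keys. Going through the Java layer of the keystore file ensures that the key can be found again when the JCE tries to access it.

You will have a lot of options to dance with... The SunPKCS11 documentation is here: https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html and the nCipherKM side of things can be found in the Thales documentation.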
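
One way to spell out the keytool call the answer describes, as an added example that is not part of the original answer. The PKCS#11 library path, the file names, the `hsm` provider suffix and the alias are placeholders, and it assumes the nCipherKM provider is already registered with the JVM that keytool runs in.

```shell
#!/bin/sh
# Added example. Placeholders (assumptions): library path, file names, alias.
P11_LIB="${P11_LIB:-/path/to/vendor-pkcs11-library.so}"  # placeholder path
P11_CFG="${P11_CFG:-./sunpkcs11-hsm.cfg}"                # SunPKCS11 config file
DEST_KS="${DEST_KS:-./retargeted-keys.ks}"               # destination keystore file

# Write the SunPKCS11 configuration. The provider is then named
# "SunPKCS11-" followed by the value of "name" (here: SunPKCS11-hsm).
write_p11_config() {
    printf 'name = hsm\nlibrary = %s\n' "$P11_LIB" > "$P11_CFG"
}

# retarget show [alias]  prints the keytool command for review
# retarget run  [alias]  writes the config and executes keytool
# Without an alias, every entry of the source token is imported.
retarget() {
    mode="$1"
    key_alias="$2"
    # Source: the PKCS#11 token (no keystore file, hence NONE).
    # Destination: a keystore file of type nCipher.sworld.
    set -- keytool -importkeystore \
        -srckeystore NONE -srcstoretype PKCS11 \
        -srcprovidername SunPKCS11-hsm \
        -providerclass sun.security.pkcs11.SunPKCS11 \
        -providerarg "$P11_CFG" \
        -destkeystore "$DEST_KS" -deststoretype nCipher.sworld \
        -destprovidername nCipherKM
    if [ -n "$key_alias" ]; then
        set -- "$@" -srcalias "$key_alias" -destalias "$key_alias"
    fi
    if [ "$mode" = run ]; then
        # keytool prompts for the token PIN and the destination password.
        write_p11_config && "$@"
    else
        echo "$*"
    fi
}

# Nothing is executed unless explicitly requested.
if [ "${RUN_RETARGET:-0}" = 1 ]; then
    retarget run "$1"
fi
```

Run `retarget show` first to review the command, then `retarget run` on a host where both providers can reach the HSM.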