Has anyone used the AWS Encryption SDK with a JCE keystore and a symmetric key (AES)? I can get encryption working, but decryption always fails when decrypting the data key. Debugging it, it looks like the alias (master key name) stored in the ciphertext result is corrupted (extra characters at the end). The code is very simple: it creates a keystore, adds a secret key, calls encryptString, and then decrypts immediately.
I want to do this because I want to be able to support AWS KMS when running in AWS and a keystore when running locally.
Any thoughts on this?
    import java.security.KeyStore;
    import java.security.Security;
    import java.util.Collections;
    import java.util.Map;
    import javax.crypto.KeyGenerator;
    import javax.crypto.SecretKey;

    import org.bouncycastle.jce.provider.BouncyCastleProvider;

    import com.amazonaws.encryptionsdk.AwsCrypto;
    import com.amazonaws.encryptionsdk.CryptoResult;
    import com.amazonaws.encryptionsdk.jce.JceMasterKey;
    import com.amazonaws.encryptionsdk.jce.KeyStoreProvider;

    public class EncryptionService {
        // constants used by the snippet but not shown in the question; placeholder values except where noted
        private static final char[] KEYSTOREPASSWORD = "changeit".toCharArray(); // placeholder
        private static final String MASTERKEY = "masterkey";       // alias printed in the output below
        private static final String PROVIDERNAME = "KeyStore";     // provider id stored in the ciphertext below
        private static final String WRAPPERALGORITHM = "AES/GCM/NoPadding"; // the wrapping algorithm JceMasterKey accepts for AES keys
        private static final String ACCOUNTID = "ACCOUNT-ID-PLACEHOLDER"; // placeholder
        private static final String PLAINTEXT = "PlainText";
        private static KeyStore ks;

        public static void main(final String[] args) throws Exception {
            Security.addProvider(new BouncyCastleProvider()); // required for the "BKS"/"BC" key store type used below
            // get the JCEKS keystore (JCEKS is needed for symmetric encryption keys)
            // ks = KeyStore.getInstance("JCEKS");
            ks = KeyStore.getInstance("BKS", "BC");
            ks.load(null, KEYSTOREPASSWORD); // null is only for test, normally we would load existing key store
            final KeyStore.PasswordProtection protectionParam = new KeyStore.PasswordProtection(KEYSTOREPASSWORD);
            // add the master key
            // encapsulate this (done whenever we create/rotate a master key, normally not done here)
            KeyGenerator kg = KeyGenerator.getInstance("AES");
            kg.init(256);
            SecretKey sk = kg.generateKey();
            KeyStore.SecretKeyEntry skEntry = new KeyStore.SecretKeyEntry(sk);
            ks.setEntry(MASTERKEY, skEntry, protectionParam);
            // set up the context (pass in via encrypt/decrypt methods)
            final Map<String, String> context = Collections.singletonMap("AccountID", ACCOUNTID);
            // final Map<String, String> context = Collections.emptyMap();
            final AwsCrypto crypto = new AwsCrypto();
            final KeyStoreProvider prov = new KeyStoreProvider(ks, protectionParam, PROVIDERNAME, WRAPPERALGORITHM, MASTERKEY);
            System.out.println("master key: " + prov.getMasterKey(prov.getDefaultProviderId(), MASTERKEY).getKeyId());
            System.out.println("plaintext: " + PLAINTEXT);
            // encrypt the plaintext
            final CryptoResult<String, JceMasterKey> encryptResult = crypto.encryptString(prov, PLAINTEXT, context);
            System.out.println("master key from encryption result: " + encryptResult.getMasterKeyIds().get(0));
            // verify that the correct key was used
            if (!encryptResult.getMasterKeyIds().get(0).equals(MASTERKEY)) {
                throw new IllegalStateException("Wrong key id on encrypt!");
            }
            final String ciphertext = encryptResult.getResult();
            System.out.println("ciphertext: " + ciphertext);
            // decrypt the ciphertext
            final CryptoResult<String, JceMasterKey> decryptResult = crypto.decryptString(prov, ciphertext);
            // verify that the decryption was okay
            if (!decryptResult.getMasterKeyIds().get(0).equals(MASTERKEY)) {
                throw new IllegalStateException("Wrong key id on decrypt!");
            }
            for (final Map.Entry<String, String> e : context.entrySet()) {
                if (!e.getValue().equals(decryptResult.getEncryptionContext().get(e.getKey()))) {
                    throw new IllegalStateException("Wrong context!");
                }
            }
            System.out.println("plaintext: " + decryptResult.getResult());
        }
    }
Result:
    master key: masterkey
    plaintext: PlainText
    master key from encryption result: masterkey
    ciphertext: AYADeLxyAkkD8uHCp6fA1hNPgtwAdQACAAlBY2NvdW50SUQACTQ1LTM0LTUzYgAVYXdzLWNyeXB0by1wdWJsaWMta2V5AERBdjZJcGovYzJEYnAxTmoxRWpxL054NkdwVmFiVXZDNlZsdlFTdUtick1BSElReXNoK3VsZFFXaWNQY2ZhNll5Q0E9PQABAAhLZXlTdG9yZQAdbWFzdGVya2V5AAAAgAAAAAyQtzn9Fsq / H2yUYScAMNiB4Snccv31U6SVTJKz6 + 9JgK6VAqxI7SK3kVlR4lIbTAT0u631dbCeIDtRmF5avgIAAAAADAAAEAAAAAAAAAAAAAAAAAAFFx5VUdsPv / poNBRnNZ / B ///// wAAAAEAAAAAAAAAAAAAAAEAAAAJQqLA2EARt3Unqj5zqVIvBg + XPV + FnnpLvgBnMGUCMQCdFlUECMm / sXbGZy2FpzDHgIoxk8jDlZY05Gm48OQjJ / qWIdpCGLsEQMkYMnLMIYQCMGrs2c7MmIR0eRt / yUb6hrdoVRP5390RTJtIM31rmQbK8fEa0o7fj29Ns + oEGzDmHA ==
- this line comes from debug code I added in the data key decryption code... note that it is the master key with extra junk at the end
    alias: masterkey��9�ʿl�a'
    Exception in thread "main" com.amazonaws.encryptionsdk.exception.CannotUnwrapDataKeyException: Unable to decrypt any data keys
at com.amazonaws.encryptionsdk.MasterKeyProvider.buildCannotDecryptDksException(MasterKeyProvider.java:103)
at com.amazonaws.encryptionsdk.jce.KeyStoreProvider.decryptDataKey(KeyStoreProvider.java:201)
at com.amazonaws.encryptionsdk.DefaultCryptoMaterialsManager.decryptMaterials(DefaultCryptoMaterialsManager.java:108)
at com.amazonaws.encryptionsdk.internal.DecryptionHandler.readHeaderFields(DecryptionHandler.java:455)
at com.amazonaws.encryptionsdk.internal.DecryptionHandler.<init>(DecryptionHandler.java:96)
at com.amazonaws.encryptionsdk.internal.DecryptionHandler.create(DecryptionHandler.java:185)
at com.amazonaws.encryptionsdk.AwsCrypto.decryptData(AwsCrypto.java:380)
at com.amazonaws.encryptionsdk.AwsCrypto.decryptData(AwsCrypto.java:357)
at com.amazonaws.encryptionsdk.AwsCrypto.decryptString(AwsCrypto.java:430)
at com.amazonaws.encryptionsdk.AwsCrypto.decryptString(AwsCrypto.java:412)
at EncryptionService.main(EncryptionService.java:78)
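Decoding the header of the ciphertext printed above shows what follows the alias, as an added example (Python, not code from the question or from the SDK): for a raw AES-GCM master key the AWS Encryption SDK message format stores the key name followed by the tag length, the IV length and the IV in the encrypted data key's provider info field, so a debug print of that field as a string shows the alias plus binary bytes. The input is the first 248 base64 characters of the ciphertext from the question with the spaces introduced by page extraction removed, which covers the whole header up to the wrapped key itself.

```python
import base64
import struct

# Constructed input: the first 248 base64 characters of the ciphertext printed in the
# question (extraction spaces removed), cut right after the encrypted data key length field.
CIPHERTEXT_PREFIX = (
    "AYADeLxyAkkD8uHCp6fA1hNPgtwAdQACAAlBY2NvdW50SUQACTQ1LTM0LTUzYgAVYXdz"
    "LWNyeXB0by1wdWJsaWMta2V5AERBdjZJcGovYzJEYnAxTmoxRWpxL054NkdwVmFiVXZD"
    "NlZsdlFTdUtick1BSElReXNoK3VsZFFXaWNQY2ZhNll5Q0E9PQABAAhLZXlTdG9yZQAd"
    "bWFzdGVya2V5AAAAgAAAAAyQtzn9Fsq/H2yUYScAMNiB"
)

def _u16(data, off):
    return struct.unpack_from(">H", data, off)[0], off + 2  # big-endian uint16 and next offset

def parse_header(b64):
    """Walk the AWS Encryption SDK v1 message header up to the encrypted data key (EDK) entries."""
    data = base64.b64decode(b64)
    version, msg_type, alg_id = struct.unpack_from(">BBH", data, 0)
    off = 4 + 16                                   # skip the 16-byte message id
    _, off = _u16(data, off)                       # total AAD length (the pair walk below covers it)
    pairs, off = _u16(data, off)
    context = {}                                   # encryption context key/value pairs
    for _ in range(pairs):
        klen, off = _u16(data, off)
        key, off = data[off:off + klen].decode(), off + klen
        vlen, off = _u16(data, off)
        context[key], off = data[off:off + vlen].decode(), off + vlen
    edk_count, off = _u16(data, off)
    edks = []
    for _ in range(edk_count):
        plen, off = _u16(data, off)
        provider_id, off = data[off:off + plen].decode(), off + plen
        ilen, off = _u16(data, off)
        provider_info, off = data[off:off + ilen], off + ilen
        elen, off = _u16(data, off)
        off += elen                                # skip the wrapped key bytes themselves
        edks.append((provider_id, provider_info, elen))
    return {"version": version, "algorithm_id": alg_id, "context": context, "edks": edks}

def split_aes_provider_info(info, key_name):
    """Raw AES-GCM master keys store key_name || tag_len_bits (4 bytes) || iv_len (4 bytes) || iv
    in the provider info, so the alias is only a prefix; return the parts, or None if it does not fit."""
    name = key_name.encode()
    if not info.startswith(name) or len(info) < len(name) + 8:
        return None
    tag_bits, iv_len = struct.unpack_from(">II", info, len(name))
    iv = info[len(name) + 8:]
    return {"key_name": key_name, "tag_bits": tag_bits, "iv": iv} if len(iv) == iv_len else None
```

For this ciphertext the provider id is "KeyStore", the 29-byte provider info is "masterkey" followed by a 128-bit tag length, a 12-byte IV length and the IV, and the wrapped key is 48 bytes (32-byte key plus 16-byte GCM tag); the IV bytes are exactly the "junk" shown after the alias in the debug line.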