
Safenet HSM を使うソフトウェアでキーを生成・保管しています。ソフトウェアを実行するたびに HSM 上でキーを生成していますが、生成されるキーは毎回同じです。何度実行しても HSM は同じキーを返します。なぜでしょうか。ソフトウェアでは HSM に対して次の属性 (hsm.properties) を使用しています。

library=/usr/lunasa/lib/libCryptoki2.so
slot=1
attributes(generate, *, ) = { CKA_TOKEN = true }
attributes( , CKO_PUBLIC_KEY, ) = { CKA_ENCRYPT = true CKA_VERIFY = true CKA_WRAP = true }
attributes( , CKO_PRIVATE_KEY , *) = { CKA_PRIVATE = true CKA_EXTRACTABLE = false CKA_SIGN = true CKA_UNWRAP = true }

HSM で毎回異なるランダムな RSA キーを生成するには、アプリケーション側からランダムシードを与える必要があるのでしょうか？ 上記は HSM の構成ファイル (hsm.properties) の属性です。ソースコードでは次のメソッドを使用しています。

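  /**
   * Generates a new key pair for {@code purpose}, records one row per key in the
   * {@code keys} table plus a linking row in {@code keypair}, and then stores the
   * key material: on the HSM device under {@code alias}, on the software device as
   * raw encoded bytes in the {@code keystore} table.
   *
   * <p>Configuration read from {@code parameters}: {@code keypair_alg} ({@code rsa}
   * or {@code dsa}, default {@code rsa}), {@code root_key_length} (default 1024)
   * and {@code keypair_alias} (default {@code keyPairAlias}).
   *
   * @param purpose      usage code written to the {@code usage} column of both key rows
   * @param keyPairAlias alias used when {@code keypair_alias} is not configured
   * @return the generated pair; it is also assigned to the {@code keyPair} field
   * @throws ManagerException         propagated from {@link KeyManager}
   * @throws SQLException             if any of the inserts fail
   * @throws IllegalArgumentException if the device name or the algorithm is not recognised
   */
  protected KeyPair generateKeyPair(int purpose, String keyPairAlias) throws ManagerException, SQLException {
        int iType = storageTypeFor(device.name().toLowerCase());

        String alg = parameters.getProperty("keypair_alg", "rsa").toLowerCase();
        KeyManager.KEY_PAIR_ALG keyalg = keyPairAlgFor(alg);
        // SECURITY: a 1024-bit RSA/DSA key is below current minimums (2048+ bits);
        // the default is kept for compatibility, but deployments should set
        // root_key_length explicitly.
        int size = Integer.parseInt(parameters.getProperty("root_key_length", "1024"));
        String alias = parameters.getProperty("keypair_alias", keyPairAlias);

        KeyManager manager = new KeyManager(device);
        // On the HSM an existing object under this alias is destroyed before a new
        // pair is generated, so every call replaces the previous key outright.
        if (manager.containsAlias(alias) && device == CryptoSettings.CRYPTO_DEVICE.HSM) {
            manager.deleteEntry(alias);
        }
        keyPair = manager.generateKeyPair(keyalg, size);

        // `schema` is trusted configuration, not user input, and is the only value
        // spliced into the SQL text; all row data goes through bind parameters.
        String insertKey = "insert into " + schema + ".keys"
                + "(id, status, alias, algorithm, length, type1, usage, usagenote, storagetype) values("
                + "nextval('" + schema + ".seq_" + schema + "_keys_id'),1,?,?,?,?,?,?,?)";

        // NOTE(review): the usage notes look swapped (the public key verifies, the
        // private key generates signatures); left as-is because they are stored data.
        insertKeyRow(insertKey, alias + "_pub", alg, size, 1 /* public key */, purpose,
                "This key will be used for external signature generation purpose.", iType);
        insertKeyRow(insertKey, alias + "_prv", alg, size, 2 /* private key */, purpose,
                "This key will be used for external signature verification purpose.", iType);

        // Pairing by currval-1 assumes nothing else advanced seq_<schema>_keys_id
        // between the two inserts above; only safe if this connection is the sole writer.
        String insertPair = "insert into " + schema + ".keypair(id, publickeyid, privatekeyid) "
                + "values(nextval('" + schema + ".seq_" + schema + "_keypair_id'),"
                + "currval('" + schema + ".seq_" + schema + "_keys_id')-1,currval('" + schema + ".seq_" + schema + "_keys_id'))";
        try (PreparedStatement stmt = cnn.prepareStatement(insertPair)) {
            stmt.execute();
        }

        if (device == CryptoSettings.CRYPTO_DEVICE.HSM) {
            // Key material stays on the token; only the alias is recorded by the manager.
            manager.save(keyPair, alias);
        } else {
            // SECURITY: the software path persists the encoded private key unencrypted
            // in the keystore table; anyone with read access to that table holds the key.
            // NOTE(review): these two inserts use seq.nextval/currval syntax and an
            // unqualified keystore table, unlike the nextval('...') style above —
            // confirm which database dialect the deployment actually targets.
            String insertPublic = "insert into keystore(id,keyid,rawdata) values(seq_" + schema + "_keystore_id.nextval,"
                    + "seq_" + schema + "_key_id.currval-1,?)";
            try (PreparedStatement stmt = cnn.prepareStatement(insertPublic)) {
                stmt.setBytes(1, keyPair.getPublic().getEncoded());
                stmt.execute();
            }

            String insertPrivate = "insert into keystore(id,keyid,rawdata) values(seq_" + schema + "_keystore_id.nextval,"
                    + "seq_" + schema + "_key_id.currval,?)";
            try (PreparedStatement stmt = cnn.prepareStatement(insertPrivate)) {
                stmt.setBytes(1, keyPair.getPrivate().getEncoded());
                stmt.execute();
            }
        }
        return keyPair;
    }

  /** Maps the lower-cased device name to the storagetype column value (0 = software, 1 = hsm). */
  private static int storageTypeFor(String deviceName) {
        if (deviceName.equals("software")) {
            return 0;
        }
        if (deviceName.equals("hsm")) {
            return 1;
        }
        throw new IllegalArgumentException("key manager type not recognised.");
    }

  /** Maps the lower-cased keypair_alg property to the manager's algorithm enum. */
  private static KeyManager.KEY_PAIR_ALG keyPairAlgFor(String alg) {
        if (alg.equals("rsa")) {
            return KeyManager.KEY_PAIR_ALG.RSA;
        }
        if (alg.equals("dsa")) {
            return KeyManager.KEY_PAIR_ALG.DSA;
        }
        throw new IllegalArgumentException("key pair algorithm not recognised.");
    }

  /** Inserts one row into the keys table; the statement is closed even if execute() fails. */
  private void insertKeyRow(String sql, String keyAlias, String alg, int size, int type1,
                            int purpose, String usageNote, int storageType) throws SQLException {
        try (PreparedStatement stmt = cnn.prepareStatement(sql)) {
            stmt.setString(1, keyAlias);
            stmt.setString(2, alg.toUpperCase());
            stmt.setInt(3, size);
            stmt.setInt(4, type1);
            stmt.setInt(5, purpose);
            stmt.setString(6, usageNote);
            stmt.setInt(7, storageType);
            stmt.execute();
        }
    }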

このメソッドは、次の KeyManager の generateKeyPair を呼び出しています。

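 /**
  * Generates a key pair of the given algorithm and size on the provider selected by
  * {@code type} via {@code Settings.getProvider} and wraps it in a {@code KeyPairImpl}.
  *
  * <p>No explicit {@code SecureRandom} is passed to {@code initialize}: the provider's
  * own randomness source is used (for a PKCS#11 provider this is expected to be the
  * token's RNG, so no application-side seeding is involved).
  *
  * @param alg  algorithm; {@code alg.name()} is passed verbatim to {@code KeyPairGenerator.getInstance}
  * @param size key size in bits
  * @return the generated pair
  * @throws ManagerException wrapping any exception raised during generation
  */
 public KeyPair generateKeyPair(KEY_PAIR_ALG alg, int size) throws ManagerException {
        try {
            java.security.KeyPairGenerator keygen =
                    java.security.KeyPairGenerator.getInstance(alg.name(), Settings.getProvider(type));
            keygen.initialize(size);
            java.security.KeyPair keypair = keygen.generateKeyPair();
            return KeyPairImpl.getInstance(keypair, type);
        } catch (Exception e) {
            // Only exceptions are wrapped; JVM errors (OutOfMemoryError etc.) propagate
            // unchanged instead of being disguised as a key-management failure.
            throw new ManagerException(e);
        }
    }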

プロバイダーを選択するコードは次のとおりです。

 public static Provider getProvider(CryptoSettings.CRYPTO_DEVICE type) {
        Provider result = null;
        switch (type) {
            case Software:
                result = bcProvider;
                break;
            case HSM:
                result = hsmprovider;
                break;
            case AdminToken:
                result = adminTokenProvider;
                break;
            case UserToken:
                result = userTokenProvider;
                break;
        }

なぜ毎回同じキーになるのでしょうか？

