How to use LUNA HSM with Java

Question


I am working on a Spring Boot application which needs to communicate with another service through an HTTPS connection using TLS certificates.
Earlier the requirements were not clear and I started using the Java Keystore/Truststore for the certificates and key pairs.
But later we decided to migrate to the HSM Luna Client, where we need to generate the certificates and public/private keys.

I have gone through the Luna documentation from Thales website on how we can generate the key pairs and csr files.

https://thalesdocs.com/gphsm/luna/7.2/docs/network/Content/sdk/java/java_keytool_with_luna_hsm.htm

But I do not understand how I can use these certificates in my Java application for the SSL/TLS connection.

Do I have to use the JSP/JCPROV libraries now? Or can I somehow add the keystore/truststore files to my Java application classpath just like I did earlier?
The documentation does not show any sample code on using the keystore/truststore.

I just want to make HTTPS calls to another service using RestTemplate and receive the response in my Java application.

Can someone please help me understand this? It would be better if someone could provide code snippets as well.

I am posting my code below:

import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContextBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.client.ClientHttpRequestFactory;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.web.client.RestTemplate;

@Configuration
class ApplicationConfig {

  static {
    // Log in to the Luna partition and register the Luna JCA/JCE provider.
    com.safenetinc.luna.LunaSlotManager.getInstance().login("Partition-password");
    java.security.Provider provider = new com.safenetinc.luna.provider.LunaProvider();
    java.security.Security.removeProvider(provider.getName());
    java.security.Security.insertProviderAt(provider, 3);
  }

  public ClientHttpRequestFactory requestFactory() throws Exception {
    // Keystore backed by the HSM partition.
    KeyStore keystore = KeyStore.getInstance("Luna");
    InputStream inputStream = new FileInputStream("path/to/keystore");
    keystore.load(inputStream, "password".toCharArray());

    // Client key material from the HSM keystore; server trust from a CA truststore file.
    SSLContext sslContext = SSLContextBuilder.create()
        .loadKeyMaterial(keystore, "password".toCharArray())
        .loadTrustMaterial(new File("pathTocacert"), "password".toCharArray())
        .setProtocol("TLSv1.2")
        .build();

    return new HttpComponentsClientHttpRequestFactory(
        HttpClients.custom().setSSLContext(sslContext).build());
  }

  @Bean
  public RestTemplate restTemplate() throws Exception {
    return new RestTemplate(requestFactory());
  }
}

I am not sure this code is going to work. I have done a lot of googling and then found how we can create an SSL context with the Luna client.
If someone has done it before, please provide some guidance.

Answer 1

Score: 1


You can use it like a KeyStore. See below.

import com.safenetinc.luna.LunaSlotManager;
import com.safenetinc.luna.provider.LunaProvider;
import java.io.IOException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.security.cert.CertificateException;
import org.springframework.beans.factory.config.ConfigurableBeanFactory;
import org.springframework.context.annotation.Scope;
import org.springframework.stereotype.Service;

@Service
@Scope(ConfigurableBeanFactory.SCOPE_SINGLETON)
public class HsmService {

  public KeyStore hsmKeyStore(String hsmPartition, String hsmPassword)
      throws KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException {

    LunaProvider lunaProvider = new LunaProvider();
    Security.addProvider(lunaProvider);

    LunaSlotManager lunaSlotManager = LunaSlotManager.getInstance();
    lunaSlotManager.login(hsmPartition, hsmPassword);

    // No backing file: the keys and certificates live inside the HSM partition.
    KeyStore keyStore = KeyStore.getInstance("Luna");
    keyStore.load(null, null);
    return keyStore;
  }
}

Once you have a keystore, you can do all of your standard crypto operations on it.
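As an added example (not code from the question or the answer), the following ties the answer's Luna KeyStore to the RestTemplate the question asks about: the client certificate and private key stay in the HSM partition and are used through the KeyManager, while server trust comes from an ordinary file truststore. The class name, the environment variable names, the truststore path and the use of the partition password as the key password are assumptions; the Luna classes and the "Luna" keystore type are the ones already used on this page.

```java
import com.safenetinc.luna.LunaSlotManager;
import com.safenetinc.luna.provider.LunaProvider;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.apache.http.impl.client.HttpClients;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.web.client.RestTemplate;

public class LunaTlsClient {
    // Assumed placeholders: secrets come from the environment, never from source.
    private static final String PARTITION = System.getenv("LUNA_PARTITION");
    private static final String PARTITION_PW = System.getenv("LUNA_PARTITION_PASSWORD");
    private static final String TRUSTSTORE = "/path/to/truststore.p12"; // placeholder path
    private static final String TRUSTSTORE_PW = System.getenv("TRUSTSTORE_PASSWORD");
    /** Registers the Luna provider once, logs in to the partition, opens the HSM keystore. */
    static KeyStore openHsmKeyStore() throws Exception {
        Provider luna = new LunaProvider();
        if (Security.getProvider(luna.getName()) == null) {
            Security.insertProviderAt(luna, 3); // same position the question's code uses
        }
        LunaSlotManager.getInstance().login(PARTITION, PARTITION_PW);
        KeyStore hsm = KeyStore.getInstance("Luna");
        hsm.load(null, null); // no file, as in the answer: the private key never leaves the partition
        return hsm;
    }
    /** Client identity from the HSM; server trust from an ordinary file truststore. */
    static SSLContext buildSslContext() throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(openHsmKeyStore(), PARTITION_PW.toCharArray()); // assumption: key password = partition password
        KeyStore trust = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(TRUSTSTORE)) {
            trust.load(in, TRUSTSTORE_PW.toCharArray());
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }
    static RestTemplate restTemplate() throws Exception {
        return new RestTemplate(new HttpComponentsClientHttpRequestFactory(
                HttpClients.custom().setSSLContext(buildSslContext()).build()));
    }
}
```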

Posted by huangapple on 2020-08-04 23:24:36
Source: https://go.coder-hub.com/63250108.html