如何将对称密钥导入thales HSM

1. 安装Java以连接到HSM

1.1将SafeNet Java库和jar文件从/opt/SafeNet/lunaclient/jsp/lib下的默认位置复制到Java环境目录，例如/opt/jre/lib/ext。

1.2编辑java SDK/jre安装的/jre/lib/security目录中的java.security文件，如下所示：

security.provider.1=sun.security.provider.Sun
security.provider.2=com.sun.net.ssl.internal.ssl.Provider
security.provider.3=com.safenetinc.luna.provider.LunaProvider
security.provider.4=com.sun.rsajca.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider

2. 运行代码，将desKey更改为您的密钥，并从引用中获取HsmManager

public class KeyWrappingExample {
//
// Alias used to store the the KEK (Key Encryption Key) on the HSM
//
private static final String KEK_ALIAS = "KEK_AES_TEST";
//  OpenJDK handles AES 256 just fine, but I had to lower this to 128 for
//  Oracle's off-the-shelf JDK which has strong crypto disabled.
private static int KEK_NUM_KEY_BITS = 128;
//
//  AES has a block size of 128 bits or 16 bytes.  Used easy HEX values so you can plug them
//  into a website like http://aes.online-domain-tools.com/ to verify encrypted values.
//
private static final byte[] FIXED_128BIT_IV_FOR_TESTS =
LunaUtils.hexStringToByteArray("DEADD00D8BADF00DDEADBABED15EA5ED");
public static void main(String[] args) throws Exception {
final String hostKeyType = "DESede";
HsmManager.login();
HsmManager.setSecretKeysExtractable(false);
SecretKey kek = createNewHsmKek();
out.println("HSM KEK ID (a handle, not in clear):nt" + getHex(kek.getEncoded()));
SecretKey des3Key = createSoftwareKey(hostKeyType);
out.println("Software-Only 3DES Key (in the clear):nt" + getHex(des3Key.getEncoded()));
byte[] wrappedHostKey = wrapKeyWithKek(kek, des3Key);
out.println("KEK wrapped 3DES key (host key):nt" + getHex(wrappedHostKey));
out.println("nStopping and starting session with HSM.");
HsmManager.logout();
out.println("Pretend that the host key was stored and restored from a database while disconnectedn");
kek = null;
des3Key = null;
HsmManager.login();
kek = getExistingHsmKek();
SecretKey unwrapped3DesKey = unwrapKeyWithKek(kek, hostKeyType, wrappedHostKey);
out.println("Unwrapped 3DES key is same as original (in clear):nt" + getHex(unwrapped3DesKey.getEncoded()));
out.println("Class of unwrapped key: " + unwrapped3DesKey.getClass().getCanonicalName());
//
//  Give an example using using the unwrapped LunaSecretKey in both a software
//  cipher operation and an HSM cipher operation.  If the LunaSecretKey was
//  protected in hardware, the SunJCE operation with it would fail.
//
String plainText = "12345678";
byte[] plainTextBytes = plainText.getBytes();
out.println("Original plaintext:nt" + plainText);
//  Start software cipher operation CKM_DES3_ECB
Cipher sunJceCipher = Cipher.getInstance("DESede/ECB/NoPadding", "LunaProvider");
sunJceCipher.init(Cipher.ENCRYPT_MODE, unwrapped3DesKey);
byte[] cipherText = sunJceCipher.doFinal(plainText.getBytes());
out.println("SunJCE encryption result:nt" + getHex(cipherText));
//  Start Luna HSM cipher operation
Cipher lunaHsmCipher = Cipher.getInstance("DESede/ECB/NoPadding", "LunaProvider");
lunaHsmCipher.init(Cipher.DECRYPT_MODE, unwrapped3DesKey);
byte[] originalClearText = lunaHsmCipher.doFinal(cipherText);
out.println("LunaProvider HSM decrypt result:nt" + new String(originalClearText));
HsmManager.logout();
}
//
//  KEK is generated on HSM.  We never know its value, just it's alias to
//  access it.
//
private static SecretKey createNewHsmKek()  throws GeneralSecurityException {
if (HsmManager.hasSavedKey(KEK_ALIAS)) {
return (SecretKey) HsmManager.getSavedKey(KEK_ALIAS);
}
KeyGenerator kg = KeyGenerator.getInstance("AES", "LunaProvider");
kg.init(KEK_NUM_KEY_BITS);
LunaSecretKey kek = (LunaSecretKey) kg.generateKey();
//
//  Since our KEK will only be used for wrap and unwrap operations, we should
//  disable encryption and decryption operations.
//
//  Note:  In theory, the commented out lines below will work on Luna SA
//         firmwares 5.2 and above, but on our AWS CloudHSM firmware disabling
//         encrypt and decrypt functionality will disable Cipher.WRAP_MODE
//         and Cipher.UNWRAP_MODE respectively.  This is makes sense.
//         If the unwrapped keys are not stored and protected on the HSM,
//         wrapping and unwrapping operations *are* providing somewhat general
//         encrypt and decrypt functionality.
//
//LunaTokenObject obj = LunaTokenObject.LocateObjectByHandle(kek.GetKeyHandle());
//obj.SetBooleanAttribute(LunaAPI.CKA_ENCRYPT, false);
//obj.SetBooleanAttribute(LunaAPI.CKA_DECRYPT, false);
HsmManager.saveKey(KEK_ALIAS, kek);
return kek;
}
private static SecretKey getExistingHsmKek() throws GeneralSecurityException {
// casting KEY -> SecretKey
return (SecretKey) HsmManager.getSavedKey(KEK_ALIAS);
}
//
//  Create software-only (not stored on HSM) key
//
private static SecretKey createSoftwareKey(String keyType) throws GeneralSecurityException, UnsupportedEncodingException {
//
// SunJCE would be used by default when running openjdk 1.7, but I decided
// to be explicit to ensure we are generating a key in software for this
// example.
String desKey = "0123456789abcdef0123456789abcdef0123456789abcdef"; // user value (24 bytes)  
byte[] keyBytes = DatatypeConverter.parseHexBinary(desKey);
SecretKeyFactory factory = SecretKeyFactory.getInstance("DESede");
SecretKey key = factory.generateSecret(new DESedeKeySpec(keyBytes));
return key;
//        KeyGenerator generator = KeyGenerator.getInstance(keyType, "SunJCE");
//        generator.init(new SecureRandom());
//        return generator.generateKey();
}
//
// Wrap the passed in key with the KEK on the HSM
//
private static byte[] wrapKeyWithKek(SecretKey hsmKek, SecretKey softwareKey) throws GeneralSecurityException {
Cipher wrappingCipher = Cipher.getInstance("AES/CBC/PKCS5Padding", "LunaProvider");
AlgorithmParameters algParams = AlgorithmParameters.getInstance("IV", "LunaProvider");
algParams.init(new IvParameterSpec(FIXED_128BIT_IV_FOR_TESTS));
wrappingCipher.init(Cipher.WRAP_MODE, hsmKek, algParams);
return  wrappingCipher.wrap(softwareKey);
}
//
//  Unwrap the passed in key with the KEK on the HSM
//
private static SecretKey unwrapKeyWithKek(SecretKey hsmKey, String keyAlgorithm, byte[] wrappedKeyBytes) throws GeneralSecurityException {
Cipher wrappingCipher = Cipher.getInstance("AES/CBC/PKCS5Padding", "LunaProvider");
AlgorithmParameters algParams = AlgorithmParameters.getInstance("IV", "LunaProvider");
algParams.init(new IvParameterSpec(FIXED_128BIT_IV_FOR_TESTS));
wrappingCipher.init(Cipher.UNWRAP_MODE, hsmKey, algParams);
return  (SecretKey) wrappingCipher.unwrap(wrappedKeyBytes, keyAlgorithm, Cipher.SECRET_KEY);
}
private static String getHex(byte array[]) {
return "0x" + LunaUtils.getHexString(array, false).toUpperCase();
}
}

参考：

https://thalesdocs.com/gphsm/luna/7.4/docs/network/Content/install/software/solaris_install.htm?Highlight=jre/lib/security/java.security#Java

https://thalesdocs.com/gphsm/luna/7.4/docs/network/Content/sdk/java/jsp_overview_install.htm

https://thalesdocs.com/gphsm/luna/7.4/docs/network/Content/sdk/java/luna_jsp_config.htm

https://github.com/dimalinux/HsmKeyWrappingExample/blob/master/src/main/java/to/noc/hsm/lunasa/example/KeyWrappingExample.java