Generate an asymmetric RSA key pair with CloudHSM CLI - AWS CloudHSM

Generate an asymmetric RSA key pair with CloudHSM CLI

Use the key generate-asymmetric-pair rsa command in CloudHSM CLI to generate an asymmetric RSA key pair in your AWS CloudHSM cluster.

User type

The following types of users can run this command.

  • Crypto users (CU)

Requirements

To run this command, you must be logged in as a CU.

Syntax

aws-cloudhsm > help key generate-asymmetric-pair rsa
Generate an RSA key pair

Usage: key generate-asymmetric-pair rsa [OPTIONS] --public-label <PUBLIC_LABEL> --private-label <PRIVATE_LABEL> --modulus-size-bits <MODULUS_SIZE_BITS> --public-exponent <PUBLIC_EXPONENT>

Options:
      --cluster-id <CLUSTER_ID>
          Unique Id to choose which of the clusters in the config file to run the operation against. If not provided, will fall back to the value provided when interactive mode was started, or error
      --public-label <PUBLIC_LABEL>
          Label for the public key
      --private-label <PRIVATE_LABEL>
          Label for the private key
      --session
          Creates a session key pair that exists only in the current session. The key cannot be recovered after the session ends
      --modulus-size-bits <MODULUS_SIZE_BITS>
          Modulus size in bits used to generate the RSA key pair
      --public-exponent <PUBLIC_EXPONENT>
          Public exponent used to generate the RSA key pair
      --public-attributes [<PUBLIC_KEY_ATTRIBUTES>...]
          Space separated list of key attributes to set for the generated RSA public key in the form of KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE
      --private-attributes [<PRIVATE_KEY_ATTRIBUTES>...]
          Space separated list of key attributes to set for the generated RSA private key in the form of KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE
  -h, --help
          Print help

Examples

These examples show how to use key generate-asymmetric-pair rsa to create RSA key pairs.

Example: Create an RSA key pair

aws-cloudhsm > key generate-asymmetric-pair rsa \
    --public-exponent 65537 \
    --modulus-size-bits 2048 \
    --public-label rsa-public-key-example \
    --private-label rsa-private-key-example
{
  "error_code": 0,
  "data": {
    "public_key": {
      "key-reference": "0x0000000000160010",
      "key-info": {
        "key-owners": [
          {
            "username": "cu1",
            "key-coverage": "full"
          }
        ],
        "shared-users": [],
        "cluster-coverage": "session"
      },
      "attributes": {
        "key-type": "rsa",
        "label": "rsa-public-key-example",
        "id": "",
        "check-value": "0x498e1f",
        "class": "public-key",
        "encrypt": false,
        "decrypt": false,
        "token": false,
        "always-sensitive": false,
        "derive": false,
        "destroyable": true,
        "extractable": true,
        "local": true,
        "modifiable": true,
        "never-extractable": false,
        "private": true,
        "sensitive": false,
        "sign": false,
        "trusted": false,
        "unwrap": false,
        "verify": false,
        "wrap": false,
        "wrap-with-trusted": false,
        "key-length-bytes": 512,
        "public-exponent": "0x010001",
        "modulus": "0xdfca0669dc8288ed3bad99509bd21c7e6192661407021b3f4cdf4a593d939dd24f4d641af8e4e73b04c847731c6dbdff3385818e08dd6efcbedd6e5b130344968ce89a065e7d1a46ced96b46b909db2ab6be871ee700fd0a448b6e975bb64cae77c49008749212463e37a577baa57ce3e574cb057e9db131e119badf50c938f26e8a5975c61a8ba7ffe7a1115abcebb7d20bd6df1948ae336ae23b52d73b7f3b6acc2543edb6358e08d326d280ce489571f4d34e316a2ea1904d513ca12fa04075fc09ad005c81b7345d7804ff24c45117f0a1020dca7794df037a10aadec8653473b2088711f7b7d8b58431654e14e31af0e00511da641058fb7475ffdbe60f",
        "modulus-size-bits": 2048
      }
    },
    "private_key": {
      "key-reference": "0x0000000000160011",
      "key-info": {
        "key-owners": [
          {
            "username": "cu1",
            "key-coverage": "full"
          }
        ],
        "shared-users": [],
        "cluster-coverage": "session"
      },
      "attributes": {
        "key-type": "rsa",
        "label": "rsa-private-key-example",
        "id": "",
        "check-value": "0x498e1f",
        "class": "private-key",
        "encrypt": false,
        "decrypt": false,
        "token": false,
        "always-sensitive": true,
        "derive": false,
        "destroyable": true,
        "extractable": true,
        "local": true,
        "modifiable": true,
        "never-extractable": false,
        "private": true,
        "sensitive": true,
        "sign": false,
        "trusted": false,
        "unwrap": false,
        "verify": false,
        "wrap": false,
        "wrap-with-trusted": false,
        "key-length-bytes": 1217,
        "public-exponent": "0x010001",
        "modulus": "<elided>",
        "modulus-size-bits": 2048
      }
    }
  }
}
Example: Create an RSA key pair with optional attributes

aws-cloudhsm > key generate-asymmetric-pair rsa \
    --public-exponent 65537 \
    --modulus-size-bits 2048 \
    --public-label rsa-public-key-example \
    --private-label rsa-private-key-example \
    --public-attributes token=true encrypt=true \
    --private-attributes token=true decrypt=true
{
  "error_code": 0,
  "data": {
    "public_key": {
      "key-reference": "0x0000000000280cc8",
      "key-info": {
        "key-owners": [
          {
            "username": "cu1",
            "key-coverage": "full"
          }
        ],
        "shared-users": [],
        "cluster-coverage": "full"
      },
      "attributes": {
        "key-type": "rsa",
        "label": "rsa-public-key-example",
        "id": "",
        "check-value": "0x01fe6e",
        "class": "public-key",
        "encrypt": true,
        "decrypt": false,
        "token": true,
        "always-sensitive": false,
        "derive": false,
        "destroyable": true,
        "extractable": true,
        "local": true,
        "modifiable": true,
        "never-extractable": false,
        "private": true,
        "sensitive": false,
        "sign": false,
        "trusted": false,
        "unwrap": false,
        "verify": false,
        "wrap": false,
        "wrap-with-trusted": false,
        "key-length-bytes": 512,
        "public-exponent": "0x010001",
        "modulus": "0xb1d27e857a876f4e9fd5de748a763c539b359f937eb4b4260e30d1435485a732c878cdad9c72538e2215351b1d41358c9bf80b599c73a80fdb457aa7b20cd61e486c326e2cfd5e124a7f6a996437437812b542e3caf85928aa866f0298580f7967ee6aa01440297d7308fdd9b76b70d1b67f12634df6e6296d6c116d5744c6d60d14d3bf3cb978fe6b75ac67b7089bafd50d8687213b31abc7dc1bad422780d29c851d5102b56f932551eaf52a9591fd8c43d81ecc133022653225bd129f8491101725e9ea33e1ded83fb57af35f847e532eb30cd7e726f23910d2671c6364092e834697ec3cef72cc23615a1ba7c5e100156ae0acac3160f0ca9725d38318b7",
        "modulus-size-bits": 2048
      }
    },
    "private_key": {
      "key-reference": "0x0000000000280cc7",
      "key-info": {
        "key-owners": [
          {
            "username": "cu1",
            "key-coverage": "full"
          }
        ],
        "shared-users": [],
        "cluster-coverage": "full"
      },
      "attributes": {
        "key-type": "rsa",
        "label": "rsa-private-key-example",
        "id": "",
        "check-value": "0x01fe6e",
        "class": "private-key",
        "encrypt": false,
        "decrypt": true,
        "token": true,
        "always-sensitive": true,
        "derive": false,
        "destroyable": true,
        "extractable": true,
        "local": true,
        "modifiable": true,
        "never-extractable": false,
        "private": true,
        "sensitive": true,
        "sign": false,
        "trusted": false,
        "unwrap": false,
        "verify": false,
        "wrap": false,
        "wrap-with-trusted": false,
        "key-length-bytes": 1217,
        "public-exponent": "0x010001",
        "modulus": "0xb1d27e857a876f4e9fd5de748a763c539b359f937eb4b4260e30d1435485a732c878cdad9c72538e2215351b1d41358c9bf80b599c73a80fdb457aa7b20cd61e486c326e2cfd5e124a7f6a996437437812b542e3caf85928aa866f0298580f7967ee6aa01440297d7308fdd9b76b70d1b67f12634df6e6296d6c116d5744c6d60d14d3bf3cb978fe6b75ac67b7089bafd50d8687213b31abc7dc1bad422780d29c851d5102b56f932551eaf52a9591fd8c43d81ecc133022653225bd129f8491101725e9ea33e1ded83fb57af35f847e532eb30cd7e726f23910d2671c6364092e834697ec3cef72cc23615a1ba7c5e100156ae0acac3160f0ca9725d38318b7",
        "modulus-size-bits": 2048
      }
    }
  }
}

Arguments

<CLUSTER_ID>

The ID of the cluster to run this operation on.

Required: Yes, if multiple clusters have been configured.

<MODULUS_SIZE_BITS>

Specifies the length of the modulus in bits. The minimum value is 2048.

Required: Yes

<PRIVATE_KEY_ATTRIBUTES>

Specifies a space-separated list of key attributes to set for the generated RSA private key, in the form KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE (for example, token=true).

For a list of supported key attributes, see Key attributes for CloudHSM CLI.

Required: No

<PRIVATE_LABEL>

Specifies a user-defined label for the private key. For Client SDK 5.11 and later, the maximum allowed size of the label is 127 characters. For Client SDK 5.10 and earlier, the limit is 126 characters.

Required: Yes

<PUBLIC_EXPONENT>

Specifies the public exponent. The value must be an odd number greater than or equal to 65537.

Required: Yes

<PUBLIC_KEY_ATTRIBUTES>

Specifies a space-separated list of key attributes to set for the generated RSA public key, in the form KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE (for example, token=true).

For a list of supported key attributes, see Key attributes for CloudHSM CLI.

Required: No

<PUBLIC_LABEL>

Specifies a user-defined label for the public key. For Client SDK 5.11 and later, the maximum allowed size of the label is 127 characters. For Client SDK 5.10 and earlier, the limit is 126 characters.

Required: Yes

<SESSION>

Creates a key that exists only in the current session. The key cannot be recovered after the session ends.

Use this parameter when you need a key only briefly, for example a wrapping key that encrypts, and then quickly decrypts, another key. Do not use a session key to encrypt data that you might need to decrypt after the session has ended.

By default, generated keys are persistent (token) keys. Passing <SESSION> changes this, ensuring that a key generated with this parameter is a session (ephemeral) key.

Required: No
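Because key generate-asymmetric-pair rsa prints its result as JSON, it is straightforward to check that a freshly generated pair has the attributes you intended before you start using it. The following Python script is an added example and is not part of the AWS CloudHSM documentation or of the CloudHSM CLI. It assumes the command's JSON output has been captured into a string; the sample_output helper builds constructed stand-ins (fake modulus, fake key references) that mirror the shape shown in the examples above. It applies the parameter constraints from this page (modulus of at least 2048 bits, odd public exponent of at least 65537), confirms the two halves describe the same key, and flags a session key where a persistent key was expected. The extractable and usage checks go beyond this page and reflect general HSM key-hygiene practice.

```python
"""Audit the JSON printed by `key generate-asymmetric-pair rsa`.

Added example, not part of the AWS CloudHSM documentation or the CloudHSM CLI.
Assumes the command's JSON output was captured into a string; sample_output()
builds constructed stand-ins with a fake modulus and fake key references.
"""
import json

MIN_MODULUS_BITS = 2048      # minimum accepted by --modulus-size-bits
MIN_PUBLIC_EXPONENT = 65537  # --public-exponent must be an odd number >= this


def validate_generation_params(modulus_size_bits: int, public_exponent: int) -> list:
    """Pre-flight check of the two numeric parameters before calling the HSM."""
    problems = []
    if modulus_size_bits < MIN_MODULUS_BITS:
        problems.append(f"modulus-size-bits {modulus_size_bits} < {MIN_MODULUS_BITS}")
    if public_exponent < MIN_PUBLIC_EXPONENT or public_exponent % 2 == 0:
        problems.append(f"public-exponent {public_exponent} is not an odd number >= {MIN_PUBLIC_EXPONENT}")
    return problems


def audit_key_pair(output_json: str, expect_persistent: bool = True) -> list:
    """Return a list of findings; an empty list means the pair looks as intended."""
    doc = json.loads(output_json)
    if doc.get("error_code") != 0:
        return [f"command failed, error_code={doc.get('error_code')}"]
    pub = doc["data"]["public_key"]["attributes"]
    priv = doc["data"]["private_key"]["attributes"]
    findings = []

    # Both halves must describe the same key: same check-value, modulus, size, exponent.
    for name in ("check-value", "modulus", "modulus-size-bits", "public-exponent"):
        if pub[name] != priv[name]:
            findings.append(f"{name} differs between public and private key")

    # Re-check the numeric parameters against what the HSM actually produced.
    findings += validate_generation_params(priv["modulus-size-bits"],
                                           int(priv["public-exponent"], 16))

    # Persistence: token=false is a session key that vanishes when the session ends.
    if expect_persistent and not priv["token"]:
        findings.append("private key is a session key (token=false); it will not survive the session")

    # Private-key hygiene (beyond this page; general HSM practice).
    if not priv["sensitive"]:
        findings.append("private key is not sensitive")
    if priv["extractable"]:
        findings.append("private key is extractable; set extractable=false unless it must be wrapped out of the HSM")
    if not any(priv[op] for op in ("decrypt", "sign", "unwrap")):
        findings.append("private key has no usage enabled (decrypt/sign/unwrap all false)")
    return findings


def sample_output(token: bool, private_usage=()) -> str:
    """Constructed stand-in for real CLI output; modulus and key references are fake."""
    def attrs(cls, label, usage):
        a = {"key-type": "rsa", "label": label, "class": cls, "check-value": "0x000000",
             "token": token, "sensitive": cls == "private-key", "extractable": True,
             "encrypt": False, "decrypt": False, "sign": False, "verify": False,
             "wrap": False, "unwrap": False, "public-exponent": "0x010001",
             "modulus": "0xc0ffee", "modulus-size-bits": 2048}
        for op in usage:
            a[op] = True
        return a
    doc = {"error_code": 0, "data": {
        "public_key": {"key-reference": "0x0000000000000001",
                       "attributes": attrs("public-key", "rsa-public-key-example", ())},
        "private_key": {"key-reference": "0x0000000000000002",
                        "attributes": attrs("private-key", "rsa-private-key-example", private_usage)}}}
    return json.dumps(doc)


if __name__ == "__main__":
    print(validate_generation_params(2048, 65537))
    print(audit_key_pair(sample_output(token=False)))                            # session-key pair, like example 1
    print(audit_key_pair(sample_output(token=True, private_usage=("decrypt",))))  # token pair, like example 2
```

In practice you would feed audit_key_pair the real output (for example, redirected from a non-interactive invocation) and treat a non-empty findings list as a reason to destroy the pair and regenerate it with the right attributes rather than patching them afterwards.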

Related topics