使用 Cloud 篩選金鑰HSM CLI - AWS CloudHSM

本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。

使用 Cloud 篩選金鑰HSM CLI

使用下列金鑰命令來使用適用於 CloudHSM CLI的標準化金鑰篩選機制。

  • key list

  • key delete

  • key share

  • key unshare

  • key set-attribute

若要使用 CloudHSM 來選取和/或篩選金鑰CLI,金鑰命令會使用以 為基礎的標準化篩選機制Cloud 的關鍵屬性HSM CLI。可以使用可識別單一金鑰或多個金鑰的一或多個 AWS CloudHSM 屬性,在金鑰命令中指定金鑰或一組金鑰。金鑰篩選機制只會在目前登入使用者擁有和共用的金鑰,以及 AWS CloudHSM 叢集中的所有公有金鑰上運作。

要求

若要篩選金鑰,您必須以加密使用者 () 身分登入CUs。

篩選以尋找單一金鑰

請注意,在下面的範例中,用作篩選條件的每個屬性都必須以 attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE 的形式寫入。例如,如果您想透過標籤屬性進行篩選,您會寫入 attr.label=my_label

範例 使用單個屬性來尋找單一金鑰

此範例示範如何篩選為僅使用單一識別屬性的單一唯一金鑰。

aws-cloudhsm > key list --filter attr.label="my_unique_key_label" --verbose { "error_code": 0, "data": { "matched_keys": [ { "key-reference": "0x00000000001c0686", "key-info": { "key-owners": [ { "username": "cu1", "key-coverage": "full" } ], "shared-users": [ { "username": "alice", "key-coverage": "full" } ], "cluster-coverage": "full" }, "attributes": { "key-type": "rsa", "label": "my_unique_key_label", "id": "", "check-value": "0xae8ff0", "class": "private-key", "encrypt": false, "decrypt": true, "token": true, "always-sensitive": true, "derive": false, "destroyable": true, "extractable": true, "local": true, "modifiable": true, "never-extractable": false, "private": true, "sensitive": true, "sign": true, "trusted": false, "unwrap": true, "verify": false, "wrap": false, "wrap-with-trusted": false, "key-length-bytes": 1219, "public-exponent": "0x010001", "modulus": "0xa8855cba933cec0c21a4df0450ec31675c024f3e65b2b215a53d2bda6dcd191f75729150b59b4d86df58254c8f518f7d000cc04d8e958e7502c7c33098e28da4d94378ef34fb57d1cc7e042d9119bd79be0df728421a980a397095157da24cf3cc2b6dab12225d33fdca11f0c6ed1a5127f12488cda9a556814b39b06cd8373ff5d371db2212887853621b8510faa7b0779fbdec447e1f1d19f343acb02b22526487a31f6c704f8f003cb4f7013136f90cc17c2c20e414dc1fc7bcfb392d59c767900319679fc3307388633485657ce2e1a3deab0f985b0747ef4ed339de78147d1985d14fdd8634219321e49e3f5715e79c298f18658504bab04086bfbdcd3b", "modulus-size-bits": 2048 } } ], "total_key_count": 1, "returned_key_count": 1 } }
範例 使用多個屬性尋找單一金鑰

以下範例示範如何使用多個金鑰屬性尋找單一金鑰。

aws-cloudhsm > key list --filter attr.key-type=rsa attr.class=private-key attr.check-value=0x29bbd1 --verbose { "error_code": 0, "data": { "matched_keys": [ { "key-reference": "0x0000000000540011", "key-info": { "key-owners": [ { "username": "cu3", "key-coverage": "full" } ], "shared-users": [ { "username": "cu2", "key-coverage": "full" } ], "cluster-coverage": "full" }, "attributes": { "key-type": "rsa", "label": "my_crypto_user", "id": "", "check-value": "0x29bbd1", "class": "my_test_key", "encrypt": false, "decrypt": true, "token": true, "always-sensitive": true, "derive": false, "destroyable": true, "extractable": true, "local": true, "modifiable": true, "never-extractable": false, "private": true, "sensitive": true, "sign": true, "trusted": false, "unwrap": true, "verify": false, "wrap": false, "wrap-with-trusted": false, "key-length-bytes": 1217, "public-exponent": "0x010001", "modulus": "0x8b3a7c20618e8be08220ed8ab2c8550b65fc1aad8d4cf04fbf2be685f97eeb78fcbbad9b02cd91a3b15e990c2a7c7cdeff0b730576c6c5630a8509a778a96acbc7c36931e9a86e8956fbd07f0863404ce06c8bd68256784be9f5b258a35e229ce7f630228b9323b4e1f14a0384ead90bdf07dc762f710fc5663887d0787ad98d64bbe303134f545acb2ab194fee6edaecd4dd5cf31ff7f7491e37d7a850ab23247414b42d9abdd5de89b78fd464560df29a90607e9d462f21b22365da419021fb9f28ea7e6fdb1f40bf83aaf1636fba5e475ad19889cfe3f28186a969b4826c39466c0855c974d1fb723d111e4a32ab6e32b3129bc95c9206fced160015d8b2f", "modulus-size-bits": 2048 } } ], "total_key_count": 1, "returned_key_count": 1 } }
範例 篩選以尋找一組金鑰

以下範例示範如何篩選以尋找一組私有 rsa 金鑰。

aws-cloudhsm > key list --filter attr.key-type=rsa attr.class=private-key --verbose { "error_code": 0, "data": { "matched_keys": [ { "key-reference": "0x00000000001c0686", "key-info": { "key-owners": [ { "username": "my_crypto_user", "key-coverage": "full" } ], "shared-users": [ { "username": "cu2", "key-coverage": "full" }, { "username": "cu1", "key-coverage": "full" }, ], "cluster-coverage": "full" }, "attributes": { "key-type": "rsa", "label": "rsa_key_to_share", "id": "", "check-value": "0xae8ff0", "class": "private-key", "encrypt": false, "decrypt": true, "token": true, "always-sensitive": true, "derive": false, "destroyable": true, "extractable": true, "local": true, "modifiable": true, "never-extractable": false, "private": true, "sensitive": true, "sign": true, "trusted": false, "unwrap": true, "verify": false, "wrap": false, "wrap-with-trusted": false, "key-length-bytes": 1219, "public-exponent": "0x010001", "modulus": "0xa8855cba933cec0c21a4df0450ec31675c024f3e65b2b215a53d2bda6dcd191f75729150b59b4d86df58254c8f518f7d000cc04d8e958e7502c7c33098e28da4d94378ef34fb57d1cc7e042d9119bd79be0df728421a980a397095157da24cf3cc2b6dab12225d33fdca11f0c6ed1a5127f12488cda9a556814b39b06cd8373ff5d371db2212887853621b8510faa7b0779fbdec447e1f1d19f343acb02b22526487a31f6c704f8f003cb4f7013136f90cc17c2c20e414dc1fc7bcfb392d59c767900319679fc3307388633485657ce2e1a3deab0f985b0747ef4ed339de78147d1985d14fdd8634219321e49e3f5715e79c298f18658504bab04086bfbdcd3b", "modulus-size-bits": 2048 } }, { "key-reference": "0x0000000000540011", "key-info": { "key-owners": [ { "username": "my_crypto_user", "key-coverage": "full" } ], "shared-users": [ { "username": "cu2", "key-coverage": "full" } ], "cluster-coverage": "full" }, "attributes": { "key-type": "rsa", "label": "my_test_key", "id": "", "check-value": "0x29bbd1", "class": "private-key", "encrypt": false, "decrypt": true, "token": true, "always-sensitive": true, "derive": false, "destroyable": true, "extractable": true, "local": true, "modifiable": true, "never-extractable": false, "private": true, "sensitive": true, "sign": true, "trusted": false, "unwrap": true, "verify": false, "wrap": false, "wrap-with-trusted": false, "key-length-bytes": 1217, "public-exponent": "0x010001", "modulus": "0x8b3a7c20618e8be08220ed8ab2c8550b65fc1aad8d4cf04fbf2be685f97eeb78fcbbad9b02cd91a3b15e990c2a7c7cdeff0b730576c6c5630a8509a778a96acbc7c36931e9a86e8956fbd07f0863404ce06c8bd68256784be9f5b258a35e229ce7f630228b9323b4e1f14a0384ead90bdf07dc762f710fc5663887d0787ad98d64bbe303134f545acb2ab194fee6edaecd4dd5cf31ff7f7491e37d7a850ab23247414b42d9abdd5de89b78fd464560df29a90607e9d462f21b22365da419021fb9f28ea7e6fdb1f40bf83aaf1636fba5e475ad19889cfe3f28186a969b4826c39466c0855c974d1fb723d111e4a32ab6e32b3129bc95c9206fced160015d8b2f", "modulus-size-bits": 2048 } } ], "total_key_count": 2, "returned_key_count": 2 } }

篩選錯誤

某些金鑰作業一次只能在單一金鑰上執行。對於這些操作,如果過濾條件不夠完善且多個金鑰符合條件,則 CloudHSM CLI將提供錯誤。一個此類範例與金鑰刪除如下所示。

範例 匹配太多金鑰時篩選錯誤
aws-cloudhsm > key delete --filter attr.key-type=rsa { "error_code": 1, "data": "Key selection criteria matched 48 keys. Refine selection criteria to select a single key." }

相關主題