AWS CloudHSM
User Guide

Generate an RSA Asymmetric Key Pair

** Example code only - Not for production use **

This page includes example code that has not been fully tested. It is designed for test environments. Do not run this code in production.

This example shows how to generate an RSA asymmetric key pair and save the keys in an HSM. By default, the keys that the HSM generates are not saved. To save a key, call the makeKeyPersistant method below. You can save the key object and use the key handle in other operations.

Note

This example uses the loginWithEnvVars() method from the Log In To and Out Of an HSM sample to log in to the HSM. You can substitute the login method that you prefer. The example also assumes that the Cavium provider is registered in your Java provider file. If it is not, create an instance of the provider and pass it instead of the "Cavium" provider-name string.

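package com.amazonaws.cloudhsm.examples.key.asymmetric;

import java.math.BigInteger;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;

import com.amazonaws.cloudhsm.examples.operations.LoginLogoutExample;
import com.cavium.cfm2.CFM2Exception;
import com.cavium.cfm2.Util;
import com.cavium.key.CaviumKey;
import com.cavium.key.CaviumRSAPrivateKey;
import com.cavium.key.CaviumRSAPublicKey;
import com.cavium.key.parameter.CaviumRSAKeyGenParameterSpec;

/**
 * Example: generate an RSA key pair inside the HSM through the Cavium JCE provider.
 *
 * <p>Keys generated by the HSM are session keys unless they are made persistent, either by
 * passing {@code true} for the persistence flag or by calling {@link #makeKeyPersistant(CaviumKey)}.
 * Only key metadata (handle, label, flags, algorithm, size) is printed; no key material leaves
 * the HSM through this class.
 *
 * <p>Example code only - not for production use.
 */
public class RSAAsymmetricKeyGeneration {

    public static void main(String[] z) {
        LoginLogoutExample.loginWithEnvVars();

        // Generate with SDK-assigned labels, then persist both halves.
        new RSAAsymmetricKeyGeneration().generateRSAKeyPair(2048, new BigInteger("65537"), true);

        // Generate with explicit labels; isExtractable=false keeps the private key from being
        // exported from the HSM, isPersistent=true stores the pair at generation time.
        new RSAAsymmetricKeyGeneration().generateRSAKeyPair(2048, new BigInteger("65537"),
                "publicKeyLabel-1", "privateKeyLabel-1", false, true);

        LoginLogoutExample.logout();
    }

    /**
     * Generates an RSA key pair using the provider's default labels and extractability, and
     * optionally persists both keys to the HSM afterwards.
     *
     * @param keySize      modulus size in bits
     * @param exponent     public exponent
     * @param isPersistant when {@code true}, both keys are saved to the HSM via
     *                     {@link #makeKeyPersistant(CaviumKey)}
     * @return the generated pair, or {@code null} if generation failed (the cause is printed)
     */
    public KeyPair generateRSAKeyPair(int keySize, BigInteger exponent, boolean isPersistant) {
        try {
            // Create an instance of the provider.
            KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("RSA", "Cavium");

            // Generate the key pair.
            keyPairGen.initialize(new CaviumRSAKeyGenParameterSpec(keySize, exponent));
            KeyPair kp = keyPairGen.generateKeyPair();
            if (kp == null) {
                // Bail out here: the original fell through and dereferenced a null pair.
                System.out.println("Failed to generate keypair");
                return null;
            }

            // Get the key pair.
            RSAPrivateKey privKey = (RSAPrivateKey) kp.getPrivate();
            RSAPublicKey pubKey = (RSAPublicKey) kp.getPublic();
            System.out.println("Generated RSA Key Pair!");

            if (privKey instanceof CaviumRSAPrivateKey) {
                CaviumRSAPrivateKey cavRSAPrivateKey = (CaviumRSAPrivateKey) privKey;
                printKeyAttributes("Private", cavRSAPrivateKey);

                // By default, keys are not persistent. Make them persistent here.
                if (isPersistant) {
                    System.out.println("Setting Private Key as Persistent:");
                    makeKeyPersistant(cavRSAPrivateKey);
                    System.out.println("Added RSA Private Key to HSM");
                }
                System.out.println("Is Private Key Persistent = " + cavRSAPrivateKey.isPersistent());

                // Verify the key type and size.
                System.out.println("Key Algo : " + cavRSAPrivateKey.getAlgorithm());
                System.out.println("Key Size : " + cavRSAPrivateKey.getSize());
            }

            if (pubKey instanceof CaviumRSAPublicKey) {
                CaviumRSAPublicKey cavRSAPublicKey = (CaviumRSAPublicKey) pubKey;
                printKeyAttributes("Public", cavRSAPublicKey);

                // By default, keys are not persistent. Make them persistent here.
                if (isPersistant) {
                    System.out.println("Setting Public Key as Persistent:");
                    makeKeyPersistant(cavRSAPublicKey);
                    System.out.println("Added RSA Public Key to HSM");
                }
                System.out.println("Is Public Key Persistent = " + cavRSAPublicKey.isPersistent());

                // Verify the key type and size.
                System.out.println("Public Key Algo : " + cavRSAPublicKey.getAlgorithm());
                System.out.println("Public Key Size : " + cavRSAPublicKey.getSize());
            }
            return kp;
        } catch (NoSuchAlgorithmException | NoSuchProviderException
                | InvalidAlgorithmParameterException e) {
            // Example code: report and fall through to the null return.
            e.printStackTrace();
        }
        return null;
    }

    /**
     * Generates an RSA key pair with caller-supplied labels and attributes. The persistence and
     * extractability flags are applied by the HSM at generation time, so no separate
     * {@link #makeKeyPersistant(CaviumKey)} call is made here.
     *
     * @param keySize         modulus size in bits
     * @param exponent        public exponent
     * @param publicKeyLabel  label assigned to the public key
     * @param privateKeyLabel label assigned to the private key
     * @param isExtractable   whether the keys may be extracted from the HSM
     * @param isPersistent    whether the keys are saved to the HSM
     * @return the generated pair, or {@code null} if generation failed (the cause is printed)
     */
    public KeyPair generateRSAKeyPair(int keySize, BigInteger exponent, String publicKeyLabel,
            String privateKeyLabel, boolean isExtractable, boolean isPersistent) {
        try {
            // Create an instance of the provider.
            KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("RSA", "Cavium");

            // Generate the key pair.
            CaviumRSAKeyGenParameterSpec rsaKeyGenSpec = new CaviumRSAKeyGenParameterSpec(
                    keySize, exponent, publicKeyLabel, privateKeyLabel, isExtractable, isPersistent);
            keyPairGen.initialize(rsaKeyGenSpec);
            KeyPair kp = keyPairGen.generateKeyPair();
            if (kp == null) {
                // Bail out here: the original fell through and dereferenced a null pair.
                System.out.println("Failed to generate keypair");
                return null;
            }

            // Get the key pair.
            RSAPrivateKey privKey = (RSAPrivateKey) kp.getPrivate();
            RSAPublicKey pubKey = (RSAPublicKey) kp.getPublic();
            System.out.println("Generated RSA Key Pair!");

            if (privKey instanceof CaviumRSAPrivateKey) {
                CaviumRSAPrivateKey cavRSAPrivateKey = (CaviumRSAPrivateKey) privKey;
                printKeyAttributes("Private", cavRSAPrivateKey);

                // Verify the key type and size.
                System.out.println("Private Key Algo : " + cavRSAPrivateKey.getAlgorithm());
                System.out.println("Private Key Size : " + cavRSAPrivateKey.getSize());
            }

            if (pubKey instanceof CaviumRSAPublicKey) {
                CaviumRSAPublicKey cavRSAPublicKey = (CaviumRSAPublicKey) pubKey;
                printKeyAttributes("Public", cavRSAPublicKey);

                // Verify the key type and size.
                System.out.println("Public Key Algo : " + cavRSAPublicKey.getAlgorithm());
                System.out.println("Public Key Size : " + cavRSAPublicKey.getSize());
            }
            return kp;
        } catch (NoSuchAlgorithmException | NoSuchProviderException
                | InvalidAlgorithmParameterException e) {
            // Example code: report and fall through to the null return.
            e.printStackTrace();
        }
        return null;
    }

    /**
     * Prints the HSM-side metadata of one half of a key pair: the handle (needed for later
     * operations), the label, and the extractable/persistent flags. Prints metadata only; never
     * key material.
     *
     * @param which "Private" or "Public", used only in the output text
     * @param key   the HSM-backed key to describe
     */
    private static void printKeyAttributes(String which, CaviumKey key) {
        // Save the key handle. You'll need this to perform future encryption and decryption operations.
        System.out.println(which + " Key Handle = " + key.getHandle());
        // Get the key label generated by the SDK (or supplied by the caller).
        System.out.println(which + " Key Label = " + key.getLabel());
        // Get the Extractable property of the key.
        System.out.println("Is " + which + " Key Extractable = " + key.isExtractable());
        // Get the Persistent property of the key.
        System.out.println("Is " + which + " Key Persistent = " + key.isPersistent());
    }

    /**
     * Saves a session key to the HSM so it survives beyond the current session.
     *
     * @param key the HSM-backed key to persist; failures are printed, not propagated
     */
    protected void makeKeyPersistant(CaviumKey key) {
        try {
            Util.persistKey(key);
            // The original was missing the statement terminator here and did not compile.
            System.out.println("Added Key to HSM");
        } catch (CFM2Exception e) {
            e.printStackTrace();
        }
    }
}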