本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
使用 Cloud 中的key asymmetric-pair ec命令在HSMCLI集群中生成非对称椭圆曲线 (EC) 密钥对。 AWS CloudHSM
用户类型
以下类型的用户均可运行此命令。
-
加密用户 (CUs)
要求
要运行此命令,必须以 CU 身份登录。
语法
aws-cloudhsm >help key generate-asymmetric-pair ecGenerate an Elliptic-Curve Cryptography (ECC) key pair Usage: key generate-asymmetric-pair ec [OPTIONS] --public-label<PUBLIC_LABEL>--private-label<PRIVATE_LABEL>--curve<CURVE>Options: --cluster-id<CLUSTER_ID>Unique Id to choose which of the clusters in the config file to run the operation against. If not provided, will fall back to the value provided when interactive mode was started, or error --public-label<PUBLIC_LABEL>Label for the public key --private-label<PRIVATE_LABEL>Label for the private key --session Creates a session key pair that exists only in the current session. The key cannot be recovered after the session ends --curve<CURVE>Elliptic curve used to generate the key pair [possible values: prime256v1, secp256r1, secp224r1, secp384r1, secp256k1, secp521r1] --public-attributes [<PUBLIC_KEY_ATTRIBUTES>...] Space separated list of key attributes to set for the generated EC public key in the form of KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE --private-attributes [<PRIVATE_KEY_ATTRIBUTES>...] Space separated list of key attributes to set for the generated EC private key in the form of KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE --share-crypto-users [<SHARE_CRYPTO_USERS>...] Space separated list of Crypto User usernames to share the EC private key with --manage-private-key-quorum-value<MANAGE_PRIVATE_KEY_QUORUM_VALUE>The quorum value for key management operations for the private key --use-private-key-quorum-value<USE_PRIVATE_KEY_QUORUM_VALUE>The quorum value for key usage operations for the private key -h, --help Print help
示例
这些示例演示如何使用 key generate-asymmetric-pair ec 命令创建 EC 密钥对。
例 示例:创建 EC 密钥对
aws-cloudhsm >key generate-asymmetric-pair ec \ --curve secp224r1 \ --public-label ec-public-key-example \ --private-label ec-private-key-example{ "error_code": 0, "data": { "public_key": { "key-reference": "0x000000000012000b", "key-info": { "key-owners": [ { "username": "cu1", "key-coverage": "full" } ], "shared-users": [], "key-quorum-values": { "manage-key-quorum-value": 0, "use-key-quorum-value": 0 }, "cluster-coverage": "full" }, "attributes": { "key-type": "ec", "label": "ec-public-key-example", "id": "", "check-value": "0xd7c1a7", "class": "public-key", "encrypt": false, "decrypt": false, "token": true, "always-sensitive": false, "derive": false, "destroyable": true, "extractable": true, "local": true, "modifiable": true, "never-extractable": false, "private": true, "sensitive": false, "sign": false, "trusted": false, "unwrap": false, "verify": false, "wrap": false, "wrap-with-trusted": false, "key-length-bytes": 57, "ec-point": "0x047096513df542250a6b228fd9cb67fd0c903abc93488467681974d6f371083fce1d79da8ad1e9ede745fb9f38ac8622a1b3ebe9270556000c", "curve": "secp224r1" } }, "private_key": { "key-reference": "0x000000000012000c", "key-info": { "key-owners": [ { "username": "cu1", "key-coverage": "full" } ], "shared-users": [], "key-quorum-values": { "manage-key-quorum-value": 0, "use-key-quorum-value": 0 }, "cluster-coverage": "full" }, "attributes": { "key-type": "ec", "label": "ec-private-key-example", "id": "", "check-value": "0xd7c1a7", "class": "private-key", "encrypt": false, "decrypt": false, "token": true, "always-sensitive": true, "derive": false, "destroyable": true, "extractable": true, "local": true, "modifiable": true, "never-extractable": false, "private": true, "sensitive": true, "sign": false, "trusted": false, "unwrap": false, "verify": false, "wrap": false, "wrap-with-trusted": false, "key-length-bytes": 122, "ec-point": "0x047096513df542250a6b228fd9cb67fd0c903abc93488467681974d6f371083fce1d79da8ad1e9ede745fb9f38ac8622a1b3ebe9270556000c", "curve": "secp224r1" } } } }
例 示例:使用可选属性创建 EC 密钥对
aws-cloudhsm >key generate-asymmetric-pair ec \ --curve secp224r1 \ --public-label ec-public-key-example \ --private-label ec-private-key-example \ --public-attributes encrypt=true \ --private-attributes decrypt=true{ "error_code": 0, "data": { "public_key": { "key-reference": "0x00000000002806eb", "key-info": { "key-owners": [ { "username": "cu1", "key-coverage": "full" } ], "shared-users": [], "key-quorum-values": { "manage-key-quorum-value": 0, "use-key-quorum-value": 0 }, "cluster-coverage": "full" }, "attributes": { "key-type": "ec", "label": "ec-public-key-example", "id": "", "check-value": "0xedef86", "class": "public-key", "encrypt": true, "decrypt": false, "token": true, "always-sensitive": false, "derive": false, "destroyable": true, "extractable": true, "local": true, "modifiable": true, "never-extractable": false, "private": true, "sensitive": false, "sign": false, "trusted": false, "unwrap": false, "verify": false, "wrap": false, "wrap-with-trusted": false, "key-length-bytes": 57, "ec-point": "0x0487af31882189ec29eddf17a48e8b9cebb075b7b5afc5522fe9c83a029a450cc68592889a1ebf45f32240da5140d58729ffd7b2d44262ddb8", "curve": "secp224r1" } }, "private_key": { "key-reference": "0x0000000000280c82", "key-info": { "key-owners": [ { "username": "cu1", "key-coverage": "full" } ], "shared-users": [], "key-quorum-values": { "manage-key-quorum-value": 0, "use-key-quorum-value": 0 }, "cluster-coverage": "full" }, "attributes": { "key-type": "ec", "label": "ec-private-key-example", "id": "", "check-value": "0xedef86", "class": "private-key", "encrypt": false, "decrypt": true, "token": true, "always-sensitive": true, "derive": false, "destroyable": true, "extractable": true, "local": true, "modifiable": true, "never-extractable": false, "private": true, "sensitive": true, "sign": false, "trusted": false, "unwrap": false, "verify": false, "wrap": false, "wrap-with-trusted": false, "key-length-bytes": 122, "ec-point": "0x0487af31882189ec29eddf17a48e8b9cebb075b7b5afc5522fe9c83a029a450cc68592889a1ebf45f32240da5140d58729ffd7b2d44262ddb8", "curve": "secp224r1" } } } }
例 示例:使用法定值创建 EC key pair
生成带有法定人数控制的密钥时,该密钥必须与等于最大密钥法定值的最小用户数相关联。关联用户包括密钥所有者和与之共享密钥的加密用户。要确定与之共享密钥的最小用户数,请获取密钥使用法定值和密钥管理法定值之间的最大法定值,然后减去 1 以说明密钥所有者(默认情况下与密钥相关联)。要与更多用户共享密钥,请使用使用 Cloud 共享密钥 HSM CLI命令。
aws-cloudhsm >key generate-asymmetric-pair ec \ --curve secp224r1 \ --public-label ec-public-key-example \ --private-label ec-private-key-example \ --public-attributes verify=true \ --private-attributes sign=true --share-crypto-users cu2 cu3 cu4 \ --manage-private-key-quorum-value 4 \ --use-private-key-quorum-value 2{ "error_code": 0, "data": { "public_key": { "key-reference": "0x00000000002806eb", "key-info": { "key-owners": [ { "username": "cu1", "key-coverage": "full" } ], "shared-users": [], "key-quorum-values": { "manage-key-quorum-value": 0, "use-key-quorum-value": 0 }, "cluster-coverage": "full" }, "attributes": { "key-type": "ec", "label": "ec-public-key-example", "id": "", "check-value": "0xedef86", "class": "public-key", "encrypt": false, "decrypt": false, "token": true, "always-sensitive": false, "derive": false, "destroyable": true, "extractable": true, "local": true, "modifiable": true, "never-extractable": false, "private": true, "sensitive": false, "sign": false, "trusted": false, "unwrap": false, "verify": true, "wrap": false, "wrap-with-trusted": false, "key-length-bytes": 57, "ec-point": "0x0487af31882189ec29eddf17a48e8b9cebb075b7b5afc5522fe9c83a029a450cc68592889a1ebf45f32240da5140d58729ffd7b2d44262ddb8", "curve": "secp224r1" } }, "private_key": { "key-reference": "0x0000000000280c82", "key-info": { "key-owners": [ { "username": "cu1", "key-coverage": "full" } ], "shared-users": [ { "username": "cu2", "key-coverage": "full" }, { "username": "cu3", "key-coverage": "full" }, { "username": "cu4", "key-coverage": "full" }, ], "key-quorum-values": { "manage-key-quorum-value": 4, "use-key-quorum-value": 2 }, "cluster-coverage": "full" }, "attributes": { "key-type": "ec", "label": "ec-private-key-example", "id": "", "check-value": "0xedef86", "class": "private-key", "encrypt": false, "decrypt": false, "token": true, "always-sensitive": true, "derive": false, "destroyable": true, "extractable": true, "local": true, "modifiable": true, "never-extractable": false, "private": true, "sensitive": true, "sign": true, "trusted": false, "unwrap": false, "verify": false, "wrap": false, "wrap-with-trusted": false, "key-length-bytes": 122, "ec-point": "0x0487af31882189ec29eddf17a48e8b9cebb075b7b5afc5522fe9c83a029a450cc68592889a1ebf45f32240da5140d58729ffd7b2d44262ddb8", "curve": "secp224r1" } } } }
参数
<CLUSTER_ID>-
要运行此操作的集群的 ID。
必需:如果已配置多个集群。
<CURVE>-
指定椭圆曲线的标识符。
prime256v1
secp256r1
secp224r1
secp384r1
secp256k1
secp521r1
必需:是
<PUBLIC_KEY_ATTRIBUTES>-
指定一个以空格分隔的密钥属性列表,以
KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE(例如verify=true)的形式为生成的 EC 公有密钥进行设置有关支持的密钥属性的列表,请参阅 云的关键属性 HSM CLI。
必需:否
<PUBLIC_LABEL>-
为公有密钥指定用户定义的标签。客户端 SDK 5.11 及更高版本允许的最大大小
label为 127 个字符。客户端 SDK 5.10 及之前的版本限制为 126 个字符。必需:是
<PRIVATE_KEY_ATTRIBUTES>-
以
KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE(例如sign=true)的形式指定要为生成的 EC 私有密钥设置的以空格分隔的密钥属性列表有关支持的密钥属性的列表,请参阅 云的关键属性 HSM CLI。
必需:否
<PRIVATE_LABEL>-
为私有密钥指定用户定义的标签。客户端 SDK 5.11 及更高版本允许的最大大小
label为 127 个字符。客户端 SDK 5.10 及之前的版本限制为 126 个字符。必需:是
<SESSION>-
创建仅在当前会话中存在的密钥。会话结束后,密钥无法恢复。
如果您只需要一个短暂的密钥,例如用于加密然后快速解密另一个密钥的包装密钥,请使用此参数。对于会话结束后可能需要解密的加密数据,切勿使用会话密钥。
默认情况下,生成的密钥是永久(令牌)密钥。传入 < SESSION > 可以改变这一点,确保使用此参数生成的密钥是会话(临时)密钥。
必需:否
<SHARE_CRYPTO_USERS>-
指定以空格分隔的 Crypto 用户名列表,以便与之共享 EC 私钥
必需:否
<MANAGE_PRIVATE_KEY_QUORUM_VALUE>-
私钥的密钥管理操作的法定值。此值必须小于或等于与该密钥关联的用户数。这包括与之共享密钥的用户和密钥所有者。最大值为 8。
必需:否
<USE_PRIVATE_KEY_QUORUM_VALUE>-
私钥密钥使用操作的法定值。此值必须小于或等于与该密钥关联的用户数。这包括与之共享密钥的用户和密钥所有者。最大值为 8。
必需:否
相关 主题
