I ran into a problem trying to import my asymmetric key into Google Cloud KMS HSM storage.
I have a test key:
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
I converted the key to DER format:
openssl pkcs8 -topk8 -nocrypt -inform PEM -outform DER -in ./nelson.pem -out ./nelson.der
Next I created a key in the key ring:
[analitica@az-test ImportJob]$ gcloud beta kms keys versions describe 1 --location us-central1 --keyring llavero1 --key sleeksign
algorithm: RSA_SIGN_PSS_2048_SHA256
attestation:
  format: CAVIUM_V2_COMPRESSED
createTime: '2019-10-15T15:08:22.827921905Z'
generateTime: '2019-10-15T15:08:22.952909026Z'
name: projects/pruebas-analitica/locations/us-central1/keyRings/llavero1/cryptoKeys/sleeksign/cryptoKeyVersions/1
protectionLevel: HSM
state: ENABLED
Next I created the import job:
[analitica@az-test ImportJob]$ gcloud beta kms import-jobs describe importacion3 --location us-central1 --keyring llavero1
attestation:
  format: CAVIUM_V2_COMPRESSED
createTime: '2019-10-18T19:27:35.200866775Z'
expireTime: '2019-10-21T19:27:35.200866775Z'
generateTime: '2019-10-18T19:27:35.372380781Z'
importMethod: RSA_OAEP_3072_SHA1_AES_256
name: projects/pruebas-analitica/locations/us-central1/keyRings/llavero1/importJobs/importacion3
protectionLevel: HSM
publicKey:
  pem: |
    -----BEGIN PUBLIC KEY-----
    ...
    -----END PUBLIC KEY-----
state: ACTIVE
Next, I took the import job's public key and wrapped my key with it:
OPENSSL_V110="$HOME/local/bin/openssl.sh"
TARGET_KEY="./nelson.der"
WRAP_PUB_KEY="./wrap.pem"
RSA_AES_WRAPPED_KEY="./nelsonwrap.bin"
BASE_DIR="./tmp"
TEMP_AES_KEY="${BASE_DIR}/temp_aes_key.bin"
TEMP_AES_KEY_WRAPPED="${BASE_DIR}/temp_aes_key_wrapped.bin"
TARGET_KEY_WRAPPED="${BASE_DIR}/target_key_wrapped.bin"
"${OPENSSL_V110}" rand -out "${TEMP_AES_KEY}" 32
"${OPENSSL_V110}" rsautl -encrypt -pubin -inkey "${WRAP_PUB_KEY}" -in "${TEMP_AES_KEY}" -out "${TEMP_AES_KEY_WRAPPED}" -oaep
"${OPENSSL_V110}" enc -id-aes256-wrap-pad -K $( hexdump -v -e '/1 "%02x"' < "${TEMP_AES_KEY}" ) -iv A65959A6 -in "${TARGET_KEY}" -out "${TARGET_KEY_WRAPPED}"
dd if=/dev/zero bs=32 count=1 of="${TEMP_AES_KEY}"; rm "${TEMP_AES_KEY}"
cat "${TEMP_AES_KEY_WRAPPED}" "${TARGET_KEY_WRAPPED}" > "${RSA_AES_WRAPPED_KEY}"
rm "${TEMP_AES_KEY_WRAPPED}"; rm "${TARGET_KEY_WRAPPED}"
Finally, I tried to import the wrapped key "nelsonwrap.bin":
[analitica@az-test ImportJob]$ gcloud beta kms keys versions import --location us-central1 --keyring llavero1 --key sleeksign --import-job importacion3 --algorithm rsa-sign-pss-2048-sha256 --rsa-aes-wrapped-key-file=./nelsonwrap.bin
algorithm: RSA_SIGN_PSS_2048_SHA256
createTime: '2019-10-21T15:31:33.900767648Z'
importJob: projects/pruebas-analitica/locations/us-central1/keyRings/llavero1/importJobs/importacion3
name: projects/pruebas-analitica/locations/us-central1/keyRings/llavero1/cryptoKeys/sleeksign/cryptoKeyVersions/13
protectionLevel: HSM
state: PENDING_IMPORT
Then I checked the key's import status, but it shows "IMPORT_FAILED":
[analitica@az-test ImportJob]$ gcloud beta kms keys versions describe 13 --location us-central1 --keyring llavero1 --key sleeksign
algorithm: RSA_SIGN_PSS_2048_SHA256
createTime: '2019-10-21T15:31:33.900767648Z'
importFailureReason: The key material in the import request couldn't be unwrapped or wasn't formatted correctly. Please see https://cloud.google.com/kms/docs/troubleshooting-failed-imports
importJob: projects/pruebas-analitica/locations/us-central1/keyRings/llavero1/importJobs/importacion3
name: projects/pruebas-analitica/locations/us-central1/keyRings/llavero1/cryptoKeys/sleeksign/cryptoKeyVersions/13
protectionLevel: HSM
state: IMPORT_FAILED
Here are the files I used:
http://test.analitica.com.co/AZDigital_Pruebas/Temp/ImportJob.tar.gz
Thanks for your help.
You can follow "Importing a pre-wrapped key into Cloud KMS" [1] in the GCP KMS documentation. You can also troubleshoot the error by following the steps in the Cloud KMS documentation "Troubleshooting failed imports" [2].
[1] Importing a pre-wrapped key into Cloud KMS: https://cloud.google.com/kms/docs/importing-a-pre-wrapped-key
[2] Troubleshooting failed imports: https://cloud.google.com/kms/docs/troubleshooting-failed-imports