本文以Java語言為例,為您介紹如何使用KMS Java SDK。
背景信息
準備工作
獲取Java SDK的依賴聲明,需要獲取的版本請參見SDK概覽。示例如下:
<dependency> <groupId>com.aliyun</groupId> <artifactId>aliyun-java-sdk-core</artifactId> <version>4.5.2</version> </dependency> <dependency> <groupId>com.aliyun</groupId> <artifactId>aliyun-java-sdk-kms</artifactId> <version>2.15.0</version> </dependency>
根據您使用的KMS地域,確認正確的KMS服務接入地址。更多信息,請參見調用方式。
說明如果您僅指定地域ID,SDK會默認通過該地域的公網接入。
如果需要通過VPC網絡接入,您需要手動指定VPC接入地址。
示例1:基于公網或VPC網絡訪問密鑰管理服務
阿里云賬號AccessKey擁有所有OpenAPI的訪問權限,建議您使用RAM用戶進行API訪問或日常運維。強烈建議不要把AccessKey ID和AccessKey Secret保存到工程代碼里,否則可能導致AccessKey泄露,威脅您賬號下所有資源的安全。
本示例以將AccessKey配置在環境變量ALIBABA_CLOUD_ACCESS_KEY_ID和ALIBABA_CLOUD_ACCESS_KEY_SECRET的方式來實現身份驗證為例。
更多認證信息配置方式,請參見Credentials 設置。
不同操作系統的環境變量配置方法不同,具體操作,請參見在Linux、macOS和Windows系統配置環境變量。
創建一個KmsClient(調用封裝類)。
說明如果加密內容中包含特殊字符
<>&
,建議您在解密時將代碼類型(Format)設置為XML,即定義decReq.setAcceptFormat(FormatType.XML)
,以避免解密時出現特殊字符轉義引發報錯。package com.aliyun.kms.samples; import java.util.*; import com.aliyuncs.DefaultAcsClient; import com.aliyuncs.exceptions.ClientException; import com.aliyuncs.http.*; //Current KMS SDK version:2016-01-20 import com.aliyuncs.kms.model.v20160120.*; import com.aliyuncs.kms.model.v20160120.ListKeysResponse.Key; import com.aliyuncs.profile.*; public class KmsClient { private DefaultAcsClient kmsClient; /** * 創建KmsClient,只需要指定RegionId,SDK自動配置相應地域的公網Endpoint。 */ public static KmsClient getClientForPublicEndpoint(String regionId, String accessKeyId, String accessKeySecret) { /** * Construct an Aliyun Client: * Set RegionId, AccessKeyId and AccessKeySecret */ IClientProfile profile = DefaultProfile.getProfile(regionId, accessKeyId, accessKeySecret); DefaultAcsClient client = new DefaultAcsClient(profile); return new KmsClient(client); } /** * 創建KmsClient,使用自定義Endpoint,通常用于訪問VPC Endpoint。 */ public static KmsClient getClientForVpcEndpoint(String regionId, String accessKeyId, String accessKeySecret, String endpoint) { //添加自定義Endpoint DefaultProfile.addEndpoint(regionId, "kms", endpoint); IClientProfile profile = DefaultProfile.getProfile(regionId, accessKeyId, accessKeySecret); HttpClientConfig clientConfig = HttpClientConfig.getDefault(); profile.setHttpClientConfig(clientConfig); DefaultAcsClient client = new DefaultAcsClient(profile); return new KmsClient(client); } private KmsClient(DefaultAcsClient acsClient) { this.kmsClient = acsClient; } public CreateKeyResponse CreateKey(String keyDesc, String keyUsage) throws ClientException { final CreateKeyRequest ckReq = new CreateKeyRequest(); ckReq.setProtocol(ProtocolType.HTTPS); ckReq.setAcceptFormat(FormatType.JSON); ckReq.setMethod(MethodType.POST); ckReq.setDescription(keyDesc); ckReq.setKeyUsage(keyUsage); final CreateKeyResponse response = kmsClient.getAcsResponse(ckReq); return response; } public DescribeKeyResponse DescribeKey(String keyId) throws ClientException { final DescribeKeyRequest decKeyReq = new DescribeKeyRequest(); decKeyReq.setProtocol(ProtocolType.HTTPS); decKeyReq.setAcceptFormat(FormatType.JSON); decKeyReq.setMethod(MethodType.POST); decKeyReq.setKeyId(keyId); final DescribeKeyResponse decKeyRes = kmsClient.getAcsResponse(decKeyReq); return decKeyRes; } public ListKeysResponse ListKey(int pageNumber, int pageSize) throws ClientException { final ListKeysRequest listKeysReq = new ListKeysRequest(); listKeysReq.setProtocol(ProtocolType.HTTPS); listKeysReq.setAcceptFormat(FormatType.JSON); listKeysReq.setMethod(MethodType.POST); listKeysReq.setPageNumber(pageNumber); listKeysReq.setPageSize(pageSize); final ListKeysResponse listKeysRes = kmsClient.getAcsResponse(listKeysReq); return listKeysRes; } public GenerateDataKeyResponse GenerateDataKey(String keyId, String keyDesc, int numOfBytes) throws ClientException { final GenerateDataKeyRequest genDKReq = new GenerateDataKeyRequest(); genDKReq.setProtocol(ProtocolType.HTTPS); genDKReq.setAcceptFormat(FormatType.JSON); genDKReq.setMethod(MethodType.POST); /** * Set parameter according to KMS openAPI document: * 1.KeyId * 2.KeyDescription * 3.NumberOfBytes */ genDKReq.setKeySpec(keyDesc); genDKReq.setKeyId(keyId); genDKReq.setNumberOfBytes(numOfBytes); final GenerateDataKeyResponse genDKRes = kmsClient.getAcsResponse(genDKReq); return genDKRes; } public EncryptResponse Encrypt(String keyId, String plainText) throws ClientException { final EncryptRequest encReq = new EncryptRequest(); encReq.setProtocol(ProtocolType.HTTPS); encReq.setAcceptFormat(FormatType.JSON); encReq.setMethod(MethodType.POST); encReq.setKeyId(keyId); encReq.setPlaintext(plainText); final EncryptResponse encResponse = kmsClient.getAcsResponse(encReq); return encResponse; } public DecryptResponse Decrypt(String cipherBlob) throws ClientException { final DecryptRequest decReq = new DecryptRequest(); decReq.setProtocol(ProtocolType.HTTPS); decReq.setAcceptFormat(FormatType.JSON); decReq.setMethod(MethodType.POST); decReq.setCiphertextBlob(cipherBlob); final DecryptResponse decResponse = kmsClient.getAcsResponse(decReq); return decResponse; } }
通過KmsClient調用KMS的接口,實現對密鑰的枚舉、加解密等操作。
說明假定您在杭州地域至少有一個KMS主密鑰。
KmsClient.getClientForPublicEndpoint
方法用于初始化KmsClient訪問KMS公網接入地址。KmsClient.getClientForVpcEndpoint
方法用于初始化KmsClient訪問KMS的VPC接入地址。
package com.aliyun.kms.samples; import com.aliyuncs.exceptions.ClientException; import com.aliyuncs.exceptions.ServerException; import com.google.gson.Gson; import java.util.*; import com.aliyuncs.kms.model.v20160120.*; import com.aliyuncs.kms.model.v20160120.ListKeysResponse.Key; public class KmsSample { public static void main(String[] args) { String accessKeyId = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"); String accessKeySecret = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"); KmsClient kmsClient = KmsClient.getClientForPublicEndpoint("cn-hangzhou", accessKeyId, accessKeySecret); //KmsClient kmsClient = KmsClient.getClientForVpcEndpoint("cn-hangzhou-vpc", accessKeyId, accessKeySecret, "kms-vpc.cn-hangzhou.aliyuncs.com"); String keyId = null; String plainText = "hello world"; String cipherBlob = null; /*List all MasterKeys in your account*/ try { final ListKeysResponse listKeysRes = kmsClient.ListKey(1, 100); /** * Parse response and do more further */ System.out.println("TotalCount: " + listKeysRes.getTotalCount()); System.out.println("PageNumber: " + listKeysRes.getPageNumber()); System.out.println("PageSize: " + listKeysRes.getPageSize()); List<Key> keys = listKeysRes.getKeys(); Iterator<Key> iterator = keys.iterator(); while (iterator.hasNext()) { keyId = iterator.next().getKeyId(); System.out.println("KeyId: " + keyId); } System.out.println("List All MasterKeys success!\n"); } catch (ClientException eResponse) { System.out.println("Failed."); System.out.println("Error code: " + eResponse.getErrCode()); System.out.println("Error message: " + eResponse.getErrMsg()); } /*Describe the Key */ try { final DescribeKeyResponse decKeyRes = kmsClient.DescribeKey(keyId); /** * Parse response and do more further */ System.out.println("DescribeKey Response: "); DescribeKeyResponse.KeyMetadata meta = decKeyRes.getKeyMetadata(); System.out.println("KeyId: " + meta.getKeyId()); System.out.println("Description: " + meta.getDescription()); System.out.println("KeyState: " + meta.getKeyState()); System.out.println("KeyUsage: " + meta.getKeyUsage()); System.out.println("==========================================="); System.out.println("Describe the MasterKey success!"); System.out.println("===========================================\n"); } catch (ClientException eResponse) { System.out.println("Failed."); System.out.println("Error code: " + eResponse.getErrCode()); System.out.println("Error message: " + eResponse.getErrMsg()); } /*Generate DataKey*/ /** * Request and got response */ try { final GenerateDataKeyResponse genDKResponse = kmsClient.GenerateDataKey(keyId, "AES_256", 64); /** * Parse response and do more further */ System.out.println("CiphertextBlob: " + genDKResponse.getCiphertextBlob()); System.out.println("KeyId: " + genDKResponse.getKeyId()); System.out.println("Plaintext: " + genDKResponse.getPlaintext()); System.out.println("==========================================="); System.out.println("Generate DataKey success!"); System.out.println("===========================================\n"); } catch (ClientException eResponse) { System.out.println("Failed."); System.out.println("Error code: " + eResponse.getErrCode()); System.out.println("Error message: " + eResponse.getErrMsg()); } /** * Encrypt the plain text and got a cipher one */ try { EncryptResponse encResponse = kmsClient.Encrypt(keyId, plainText); cipherBlob = encResponse.getCiphertextBlob(); System.out.println("CiphertextBlob: " + cipherBlob); System.out.println("KeyId: " + encResponse.getKeyId()); System.out.println("==========================================="); System.out.println("Encrypt the plain text success!"); System.out.println("===========================================\n"); } catch (ClientException eResponse) { System.out.println("Failed."); System.out.println("Error code: " + eResponse.getErrCode()); System.out.println("Error message: " + eResponse.getErrMsg()); } /** * Decrypt the cipher text and verify result with original plain text. */ try { DecryptResponse decResponse = kmsClient.Decrypt(cipherBlob); System.out.println("Plaintext: " + decResponse.getPlaintext()); String verifyPlainText = decResponse.getPlaintext(); int isMatch = verifyPlainText.compareTo(plainText); System.out.println("KeyId: " + decResponse.getKeyId()); System.out.println("==========================================="); System.out.printf("Decrypt the cipher text success, result " + (isMatch == 0 ? "match" : "mismatch" + "\n")); System.out.println("===========================================\n"); } catch (ClientException eResponse) { System.out.println("Failed."); System.out.println("Error code: " + eResponse.getErrCode()); System.out.println("Error message: " + eResponse.getErrMsg()); } } }
示例2:基于Client Key的應用接入點訪問憑據管家
如果您通過基于Client Key的應用接入點使用阿里云KMS Java SDK訪問憑據管家,可以按照如下的示例代碼:
關于如何創建Client Key,請參見為AAP綁定Client Key。
package com.aliyuncs.kms.sample;
import com.aliyuncs.DefaultAcsClient;
import com.aliyuncs.IAcsClient;
import com.aliyuncs.auth.AlibabaCloudCredentialsProvider;
import com.aliyuncs.profile.DefaultProfile;
import com.aliyuncs.profile.IClientProfile;
import com.aliyuncs.kms.clientkey.utils.ClientKeyUtils;
import java.io.IOException;
public class ClientKeySample {
public static void main(String[] args) throws IOException {
String clientKeyPath = "<client-key-file-path>";
String password = System.getenv("<client-key-password-env-name>");
AlibabaCloudCredentialsProvider provider = ClientKeyUtils.getCredentialsProvider(clientKeyPath, password);
IClientProfile profile = DefaultProfile.getProfile("cn-hangzhou");
IAcsClient kmsClient = new DefaultAcsClient(profile, provider);
// invoke kmsClient
}
}
以上代碼中需要引用的ClientKeyUtils和ClientKeyCredentialsProvider代碼如下:
ClientKeyUtils
package com.aliyuncs.kms.clientkey.utils; import com.aliyuncs.auth.AlibabaCloudCredentialsProvider; import com.aliyuncs.kms.auth.ClientKeyCredentialsProvider; import com.aliyuncs.auth.KeyPairCredentials; import com.google.gson.Gson; import com.google.gson.annotations.SerializedName; import java.io.*; import java.security.*; import java.security.cert.CertificateException; import java.util.Base64; import java.util.Enumeration; public class ClientKeyUtils { private final static String PKCS12 = "PKCS12"; private final static Gson gson = new Gson(); private ClientKeyUtils() { // do nothing } public static AlibabaCloudCredentialsProvider getCredentialsProvider(String clientKeyFileName, String password) throws IOException { try (Reader reader = new InputStreamReader(new FileInputStream(clientKeyFileName), "utf-8")) { ClientKeyInfo clientKeyInfo = gson.fromJson(reader, ClientKeyInfo.class); if (clientKeyInfo != null) { byte[] pk12 = Base64.getDecoder().decode(clientKeyInfo.getPrivateKeyData()); try { String privateKey = getPrivateKeyPemFromPk12(pk12, password); return new ClientKeyCredentialsProvider(new KeyPairCredentials(clientKeyInfo.getKeyId(), privateKey)); } catch (Exception e) { throw new IOException(e); } } else { throw new IOException("ClientKey is invalid"); } } } private static String getPrivateKeyPemFromPk12(byte[] pk12, String password) throws KeyStoreException, CertificateException, IOException, NoSuchAlgorithmException, UnrecoverableKeyException { KeyStore keyStore = KeyStore.getInstance(PKCS12); keyStore.load(new ByteArrayInputStream(pk12), password.toCharArray()); Enumeration<String> e = keyStore.aliases(); String alias = e.nextElement(); PrivateKey privateKey = (PrivateKey) keyStore.getKey(alias, password.toCharArray()); return Base64.getEncoder().encodeToString(privateKey.getEncoded()); } } class ClientKeyInfo { @SerializedName("KeyId") private String keyId; @SerializedName("PrivateKeyData") private String privateKeyData; public String getKeyId() { return this.keyId; } public void setKeyId(String keyId) { this.keyId = keyId; } public String getPrivateKeyData() { return this.privateKeyData; } public void setPrivateKeyData(String privateKeyData) { this.privateKeyData = privateKeyData; } }
ClientKeyCredentialsProvider
package com.aliyuncs.kms.auth; import com.aliyuncs.auth.AlibabaCloudCredentials; import com.aliyuncs.auth.AlibabaCloudCredentialsProvider; import com.aliyuncs.auth.KeyPairCredentials; import com.aliyuncs.exceptions.ClientException; import com.aliyuncs.exceptions.ServerException; public class ClientKeyCredentialsProvider implements AlibabaCloudCredentialsProvider { private KeyPairCredentials keyPairCredentials; public ClientKeyCredentialsProvider() { } public ClientKeyCredentialsProvider(KeyPairCredentials keyPairCredentials) { this.keyPairCredentials = keyPairCredentials; } @Override public AlibabaCloudCredentials getCredentials() throws ClientException, ServerException { return this.keyPairCredentials; } }