Using the console and Java SDK based on a hardware cryptographic module (HSM)

When your application needs to establish a connection with a node running version 2.8.0-hsm, it must use the HSM-based Java SDK.

Preparing the environment

Make sure the header file and library file conforming to the GMT0018-2012 specification are installed in the default dynamic-library search path, and make sure the version of the dynamic library libswsds.so is v1.4.06.

  1. Make sure the header file swsds.h is in the directory /usr/include and that all users have read permission on it.
  2. If you are using Ubuntu, place the library file libswsds.so in the /usr/lib directory and make sure users have read and execute permission on it.
  3. If you are using CentOS, place the library file libswsds.so in the /lib64 directory and make sure users have read and execute permission on it.
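A pre-flight check for the three steps above, added here as an example and not part of the FISCO-BCOS documentation or tooling: it verifies that swsds.h and libswsds.so are present with the required permissions before the HSM build of the SDK is compiled. The file names and directories are the ones listed above; the checker itself (check_hsm_env, other_perms) is this example's own.

```shell
#!/bin/sh
# Added pre-flight check (not part of the FISCO-BCOS docs or tooling): verifies that the
# GMT0018-2012 header and library are installed where the HSM build of the SDK expects
# them, with the permissions the steps above require.

# other_perms <path>: prints the "others" rwx triple (columns 8-10 of ls -l), which is
# portable across GNU and BSD userlands, unlike the output format of stat(1).
other_perms() {
    ls -ld "$1" | cut -c8-10
}

# check_hsm_env <include_dir> <lib_dir>
# Returns 0 when <include_dir>/swsds.h is readable by everyone and
# <lib_dir>/libswsds.so is readable and executable by everyone; otherwise prints
# each problem found and returns 1.
check_hsm_env() {
    hdr="$1/swsds.h"
    lib="$2/libswsds.so"
    rc=0

    if [ ! -f "$hdr" ]; then
        echo "missing header: $hdr"; rc=1
    else
        case "$(other_perms "$hdr")" in
            r??) ;;
            *) echo "header not readable by all users: $hdr"; rc=1 ;;
        esac
    fi

    if [ ! -f "$lib" ]; then
        echo "missing library: $lib"; rc=1
    else
        case "$(other_perms "$lib")" in
            r?x) ;;
            *) echo "library needs read+execute for all users: $lib"; rc=1 ;;
        esac
    fi
    return "$rc"
}

# Ubuntu installs the library under /usr/lib, CentOS under /lib64 (steps 2 and 3 above).
for libdir in /usr/lib /lib64; do
    [ -d "$libdir" ] && check_hsm_env /usr/include "$libdir" && echo "HSM environment OK ($libdir)"
done
```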

Download swssl. After -H, enter the correct IP address, port and password for connecting to the HSM.

curl -#LO https://raw.githubusercontent.com/MaggieNgWu/FISCO-BCOS/newoct/tools/download_swssl.sh
bash download_swssl.sh -H 192.168.10.12,10000,XXXXX

Using the HSM-based console

Downloading the console

First, download and build the console.

mkdir ~/fisco
cd ~/fisco
git clone https://github.com/FISCO-BCOS/console.git -b release-2.8.0
# To connect to a fisco-bcos-2.8.0-hsm node, the console must also use the HSM build of the Java SDK (fisco-bcos-java-sdk-2.8.0-hsm.jar)
./gradlew build -b build-hsm.gradle

Configuring and running the console with keys held inside the HSM

First, follow the tutorial on adding a node that uses an HSM and use the gen_gm_hsm_node_cert.sh script to generate the key files for the SDK. Assuming you specified key indexes 31 and 32 for the SDK's signing key and encryption key, you will get the following files:

sdk
|---gm
|    |----gmca.crt  
|    |----gmensdk.crt  
|    |----gmnode.serial  
|    |----gmsdk.crt  
|    |----gmsdk.publickey    
|
|---swssl.cnf
|---swsds.ini

Then copy these files into the correct directories of the console.

cp -r sdk/gm ~/fisco/console/dist/conf/
cp swsds.ini swssl.cnf ~/fisco/console/dist/

Next, configure the console: copy config-hsm-example.toml to config.toml and edit the configuration.

cd ~/fisco/console/dist/
cp conf/config-hsm-example.toml conf/config.toml
vim conf/config.toml

In config.toml, change sslKeyIndex and enSslKeyIndex to the signing key index and encryption key index that were used when generating the SDK keys; in this example, 31 and 32.

If you want to sign transactions with a key held inside the HSM, edit the configuration under [account] to the correct signing key index and its password. If there is no password, set password = "".

[cryptoMaterial]
certPath = "conf"                           # The certification path

# The following configurations take the certPath by default if commented
# caCert = "conf/ca.crt"                    # CA cert file path
# If connect to the GM node, default CA cert path is ${certPath}/gm/gmca.crt

# sslCert = "conf/sdk.crt"                  # SSL cert file path
# If connect to the GM node, the default SDK cert path is ${certPath}/gm/gmsdk.crt

# sslKey = "conf/sdk.key"                   # SSL key file path
# If connect to the GM node, the default SDK privateKey path is ${certPath}/gm/gmsdk.key

# enSslCert = "conf/gm/gmensdk.crt"         # GM encryption cert file path
# default load the GM SSL encryption cert from ${certPath}/gm/gmensdk.crt

# enSslKey = "conf/gm/gmensdk.key"          # GM ssl cert file path
# default load the GM SSL encryption privateKey from ${certPath}/gm/gmensdk.key
cryptoProvider = "hsm"
sslKeyIndex = "31"
enSslKeyIndex = "32"

[network]
peers=["127.0.0.1:20200", "127.0.0.1:20201"]    # The peer list to connect

# AMOP configuration
# You can use following two methods to configure as a private topic message sender or subscriber.
# Usually, the public key and private key is generated by subscriber.
# Message sender receive public key from topic subscriber then make configuration.
# But, please do not config as both the message sender and the subscriber of one private topic, or you may send the message to yourself.

# Configure a private topic as a topic message sender.
# [[amop]]
# topicName = "PrivateTopic"
# publicKeys = [ "conf/amop/consumer_public_key_1.pem" ]    # Public keys of the nodes that you want to send AMOP message of this topic to.

# Configure a private topic as a topic subscriber.
# [[amop]]
# topicName = "PrivateTopic"
# privateKey = "conf/amop/consumer_private_key.p12"         # Your private key that used to subscriber verification.
# password = "123456"

[account]
# keyStoreDir = "account"         # The directory to load/store the account file, default is "account"
# accountFilePath = ""          # The account file path (default load from the path specified by the keyStoreDir)
# accountFileFormat = "pem"       # The storage format of account file (Default is "pem", "p12" as an option)

# accountAddress = ""           # The transactions sending account address
# Default is a randomly generated account
# The randomly generated account is stored in the path specified by the keyStoreDir

# password = ""                 # The password used to load the account file
accountKeyIndex = "53"           # If use hardware inner key, please config the key index and password
password = ""               # If use hardware inner key, please config the key index and password

[threadPool]
# channelProcessorThreadSize = "16"         # The size of the thread pool to process channel callback
# Default is the number of cpu cores

# receiptProcessorThreadSize = "16"         # The size of the thread pool to process transaction receipt notification
# Default is the number of cpu cores

maxBlockingQueueSize = "102400"             # The max blocking queue size of the thread pool

Note

If you specified accountKeyIndex under [account] in the configuration file, that key will be used for signing when you deploy contracts, so there is no need to generate an account manually in the console.

Finally, run the console

cd ~/fisco/console/dist
export LD_LIBRARY_PATH=~/.fisco/swssl/lib
export USE_SWSSL_HSM=true
./start.sh

Note

When listAccount is called from the console, only software keys are shown; keys held inside the HSM are not displayed yet. When you perform permission management, the key inside the HSM is used. If you need to use a software key for permission management, switch to it with loadAccount.

Configuring and running the console with keys held outside the HSM

If your console uses external keys, build and run it as follows:

mkdir ~/fisco
cd ~/fisco
git clone https://github.com/FISCO-BCOS/console.git -b release-2.8.0
cd console
# To connect to a fisco-bcos-2.8.0-hsm node, the console must also use the HSM build of the Java SDK (fisco-bcos-java-sdk-2.8.0-hsm.jar)
./gradlew build -b build-hsm.gradle
cd dist/
cp conf/config-example.toml conf/config.toml
# Copy all files from the node's sdk directory into the conf directory.
export LD_LIBRARY_PATH=~/.fisco/swssl/lib
./start.sh

Using the HSM-based Java SDK demo

Downloading the Java SDK demo

First, download and build the Java SDK demo.

mkdir ~/fisco
cd ~/fisco
# Download the source code
git clone https://github.com/FISCO-BCOS/java-sdk-demo -b release-2.8.0
cd java-sdk-demo
# Build the source code
./gradlew build -b build-hsm.gradle

Note

If your network cannot reach GitHub, download the source code from https://gitee.com/FISCO-BCOS/java-sdk-demo instead.

Configuring and running the Java SDK demo with keys held inside the HSM

First, follow the tutorial on adding a node that uses an HSM and use the gen_gm_hsm_node_cert.sh script to generate the key files for the SDK. Assuming you specified key indexes 31 and 32 for the SDK's signing key and encryption key, you will get the following files:

sdk
|---gm
|    |----gmca.crt  
|    |----gmensdk.crt  
|    |----gmnode.serial  
|    |----gmsdk.crt  
|    |----gmsdk.publickey    
|
|---swssl.cnf
|---swsds.ini

Then copy these files into the correct directories of java-sdk-demo.

cp -r sdk/gm ~/fisco/java-sdk-demo/dist/conf/
cp swsds.ini swssl.cnf ~/fisco/java-sdk-demo/dist/
sudo cp swsds.ini /etc/

Next, configure java-sdk-demo: copy config-hsm-example.toml to config.toml and edit the configuration.

cd ~/fisco/java-sdk-demo/dist/
cp conf/config-hsm-example.toml conf/config.toml
vim conf/config.toml

In config.toml, change sslKeyIndex and enSslKeyIndex to the signing key index and encryption key index that were used when generating the SDK keys; in this example, 31 and 32.

If you want to sign transactions with a key held inside the HSM, edit the configuration under [account] to the correct signing key index and its password. If there is no password, set password = "".

[cryptoMaterial]
certPath = "conf"                           # The certification path

# The following configurations take the certPath by default if commented
# caCert = "conf/ca.crt"                    # CA cert file path
# If connect to the GM node, default CA cert path is ${certPath}/gm/gmca.crt

# sslCert = "conf/sdk.crt"                  # SSL cert file path
# If connect to the GM node, the default SDK cert path is ${certPath}/gm/gmsdk.crt

# sslKey = "conf/sdk.key"                   # SSL key file path
# If connect to the GM node, the default SDK privateKey path is ${certPath}/gm/gmsdk.key

# enSslCert = "conf/gm/gmensdk.crt"         # GM encryption cert file path
# default load the GM SSL encryption cert from ${certPath}/gm/gmensdk.crt

# enSslKey = "conf/gm/gmensdk.key"          # GM ssl cert file path
# default load the GM SSL encryption privateKey from ${certPath}/gm/gmensdk.key
cryptoProvider = "hsm"
sslKeyIndex = "31"
enSslKeyIndex = "32"

[network]
peers=["127.0.0.1:20200", "127.0.0.1:20201"]    # The peer list to connect

# AMOP configuration
# You can use following two methods to configure as a private topic message sender or subscriber.
# Usually, the public key and private key is generated by subscriber.
# Message sender receive public key from topic subscriber then make configuration.
# But, please do not config as both the message sender and the subscriber of one private topic, or you may send the message to yourself.

# Configure a private topic as a topic message sender.
# [[amop]]
# topicName = "PrivateTopic"
# publicKeys = [ "conf/amop/consumer_public_key_1.pem" ]    # Public keys of the nodes that you want to send AMOP message of this topic to.

# Configure a private topic as a topic subscriber.
# [[amop]]
# topicName = "PrivateTopic"
# privateKey = "conf/amop/consumer_private_key.p12"         # Your private key that used to subscriber verification.
# password = "123456"

[account]
# keyStoreDir = "account"         # The directory to load/store the account file, default is "account"
# accountFilePath = ""          # The account file path (default load from the path specified by the keyStoreDir)
# accountFileFormat = "pem"       # The storage format of account file (Default is "pem", "p12" as an option)

# accountAddress = ""           # The transactions sending account address
# Default is a randomly generated account
# The randomly generated account is stored in the path specified by the keyStoreDir

# password = ""                 # The password used to load the account file
accountKeyIndex = "53"           # If use hardware inner key, please config the key index and password
password = ""               # If use hardware inner key, please config the key index and password

[threadPool]
# channelProcessorThreadSize = "16"         # The size of the thread pool to process channel callback
# Default is the number of cpu cores

# receiptProcessorThreadSize = "16"         # The size of the thread pool to process transaction receipt notification
# Default is the number of cpu cores

maxBlockingQueueSize = "102400"             # The max blocking queue size of the thread pool
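The config.toml edits described for both the console and the Java SDK demo above fail silently if sslKeyIndex or enSslKeyIndex does not match the indexes gen_gm_hsm_node_cert.sh was run with. The following check, added here as an example and not part of the FISCO-BCOS documentation or tooling, reads the active (uncommented) values from a config file and compares them against the expected indexes; the key names and the 31/32/53 values come from the configuration above, while the helper functions and the constructed sample file are this example's own.

```shell
#!/bin/sh
# Added configuration check (not part of the FISCO-BCOS docs or tooling): confirms that
# config.toml points the SDK at the HSM key indexes that gen_gm_hsm_node_cert.sh was
# run with, so a mismatch is caught before start.sh is launched.

# toml_value <file> <key>: prints the string value of the first active (uncommented)
# `key = "value"` line; prints nothing if the key is absent or commented out.
toml_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# check_hsm_config <config.toml> <signing_index> <encryption_index>
# Returns 0 when cryptoProvider is "hsm" and sslKeyIndex/enSslKeyIndex equal the
# indexes used when the SDK keys were generated; otherwise reports each mismatch.
check_hsm_config() {
    cfg="$1"; want_sign="$2"; want_enc="$3"; rc=0
    prov=$(toml_value "$cfg" cryptoProvider)
    [ "$prov" = "hsm" ] || { echo "cryptoProvider is '$prov', expected 'hsm'"; rc=1; }
    sign=$(toml_value "$cfg" sslKeyIndex)
    [ "$sign" = "$want_sign" ] || { echo "sslKeyIndex is '$sign', expected '$want_sign'"; rc=1; }
    enc=$(toml_value "$cfg" enSslKeyIndex)
    [ "$enc" = "$want_enc" ] || { echo "enSslKeyIndex is '$enc', expected '$want_enc'"; rc=1; }
    # accountKeyIndex is optional: without it the SDK signs with a software account.
    acct=$(toml_value "$cfg" accountKeyIndex)
    [ -n "$acct" ] || echo "note: no accountKeyIndex set, transactions will use a software account"
    return "$rc"
}

# Constructed sample mirroring the relevant lines of the config above (not a real file).
sample_config() {
    cat <<'EOF'
[cryptoMaterial]
certPath = "conf"
# sslKey = "conf/sdk.key"                   # SSL key file path (commented out, must be ignored)
cryptoProvider = "hsm"
sslKeyIndex = "31"
enSslKeyIndex = "32"
[account]
accountKeyIndex = "53"           # If use hardware inner key, please config the key index and password
password = ""
EOF
}

tmp=$(mktemp)
sample_config > "$tmp"
check_hsm_config "$tmp" 31 32 && echo "config.toml matches HSM key indexes 31/32"
rm -f "$tmp"
```

To check a real deployment, call check_hsm_config with the path conf/config.toml and the indexes you passed to gen_gm_hsm_node_cert.sh.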

Finally, run the Java SDK demo

cd ~/fisco/java-sdk-demo/dist
export LD_LIBRARY_PATH=~/.fisco/swssl/lib
export OPENSSL_CONF=swssl.cnf
export USE_SWSSL_HSM=true
java -cp 'conf/:lib/*:apps/*' org.fisco.bcos.sdk.demo.perf.ParallelOkPerf [precompiled] [groupID] [add] [count] [tps] [file]