I am new to AWS CloudHSM and document signing.
I want to sign a document via AWS CloudHSM using the JCE provider. I have found [an example][1] of how to do it. The `sign`
method in this example looks like the following:
```java
import java.security.*;

public static byte[] sign(byte[] message, PrivateKey key, String signingAlgorithm)
        throws SignatureException, InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException {
    // Ask the CloudHSM provider for the Signature implementation, so signing happens inside the HSM
    Signature sig = Signature.getInstance(signingAlgorithm, "CloudHSM");
    sig.initSign(key);
    sig.update(message);
    return sig.sign();
}
```
As you can see, I need to pass a PrivateKey
parameter for signing the document, but I can't understand how I can get the PrivateKey wrapper
from the CloudHSM.
I have the following input data:
- a byte array that I should sign;
- an alias of a key that is kept in the CloudHSM.
I try to extract the PrivateKey in the following way:
```java
import java.io.IOException;
import java.security.*;
// provider class from the CloudHSM JCE SDK 5
import com.amazonaws.cloudhsm.jce.provider.CloudHsmProvider;

public PrivateKey getKey(String keyAlias) {
    try {
        if (Security.getProvider(CloudHsmProvider.PROVIDER_NAME) == null) {
            Security.addProvider(new CloudHsmProvider());
        }
        KeyStore keyStore = KeyStore.getInstance(CloudHsmProvider.PROVIDER_NAME);
        keyStore.load(null, null);
        Key key = keyStore.getKey(keyAlias, null); // But I get only a CloudHsmRsaPublicKey
        if (!(key instanceof PrivateKey)) {
            throw new IllegalStateException("Expected a PrivateKey for alias " + keyAlias + " but got " + key);
        }
        return (PrivateKey) key;
    } catch (IOException | GeneralSecurityException e) {
        throw new IllegalStateException("Unable to load key " + keyAlias + " from CloudHSM", e);
    }
}
```
and I get a CloudHsmRsaPublicKey,
and I can't understand how I can get a PrivateKey wrapper
by key alias via the JCE provider.
Can anyone help me?
[1]: https://github.com/aws-samples/aws-cloudhsm-jce-examples/blob/c57ad1bd140598440b945b1057973f84868bd6e8/src/main/java/com/amazonaws/cloudhsm/examples/RSAOperationsRunner.java#L109
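As an added example (not from the question or from the AWS sample it links), the following checks what a KeyStore alias actually holds before treating it as a private key, and signs through a named provider. It assumes the JDK's own trust store at `java.home/lib/security/cacerts` as an offline stand-in for the HSM key store and a constructed software RSA key pair in place of the HSM key; against the HSM you would load the KeyStore as in the question and pass "CloudHSM" as the provider name.

```java
import java.io.FileInputStream;
import java.security.*;
import java.util.Collections;

public class KeyStoreSigningDemo {
    // Show up to `limit` aliases and what kind of entry sits behind each one.
    static void listEntries(KeyStore ks, int limit) throws KeyStoreException {
        for (String alias : Collections.list(ks.aliases()).subList(0, Math.min(limit, ks.size()))) {
            String kind = ks.isKeyEntry(alias) ? "key entry"
                        : ks.isCertificateEntry(alias) ? "certificate entry" : "other";
            System.out.printf("%-45s %s%n", alias, kind);
        }
    }

    // Return the private key under `alias`, or fail naming what the alias really holds.
    static PrivateKey findPrivateKey(KeyStore ks, String alias, char[] password)
            throws GeneralSecurityException {
        if (!ks.containsAlias(alias)) throw new KeyStoreException("no entry for alias " + alias);
        Key key = ks.getKey(alias, password);
        if (key instanceof PrivateKey) return (PrivateKey) key;
        String held = key == null ? "no key (certificate-only entry)" : key.getClass().getName();
        throw new KeyStoreException("alias " + alias + " holds " + held + ", not a PrivateKey");
    }

    // Sign with a named provider (e.g. "CloudHSM" from the question) or the default when null.
    static byte[] sign(byte[] message, PrivateKey key, String algorithm, String provider)
            throws GeneralSecurityException {
        Signature sig = provider == null ? Signature.getInstance(algorithm)
                                         : Signature.getInstance(algorithm, provider);
        sig.initSign(key);
        sig.update(message);
        return sig.sign();
    }

    public static void main(String[] args) throws Exception {
        // Offline stand-in for the HSM store: the JDK trust store has certificate-only entries.
        String cacerts = System.getProperty("java.home") + "/lib/security/cacerts";
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(cacerts)) { ks.load(in, null); }
        listEntries(ks, 3);
        try { findPrivateKey(ks, ks.aliases().nextElement(), null); }
        catch (KeyStoreException e) { System.out.println(e.getMessage()); }
        // Constructed software key pair in place of the HSM key, so the signing path runs here.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        byte[] sig = sign("constructed sample document".getBytes(), gen.generateKeyPair().getPrivate(), "SHA256withRSA", null);
        System.out.println("signature length: " + sig.length + " bytes");
    }
}
```

The error message from `findPrivateKey` names the concrete class that came back (for instance a public-key class), which is the first thing to check when an alias does not resolve to the key type you expect.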