# Using the Java SDK with a hardware security module

## Preparing the environment

Make sure the header and library files that implement the GMT0018-2012 specification are installed in the dynamic linker's default search path.

The header file `gmt0018.h` must be in `/usr/include` and readable by all users. Place the library file `libgmt0018.so` in the default library search path and make sure users have read and execute permission on it: for example, under `/usr/lib` on Ubuntu and under `/lib64` on CentOS.
## Using the Java SDK demo with a hardware cryptographic module

### Downloading the Java SDK demo

First, download and build the Java SDK demo.

```bash
mkdir ~/fisco
cd ~/fisco
# Download the source code
git clone https://github.com/FISCO-BCOS/java-sdk-demo -b release-2.8.0
cd java-sdk-demo
# Build the source code
./gradlew build -b build-hsm.gradle
```

Note: when GitHub is not reachable from your network, download the source code from the `main-2.0` branch of https://gitee.com/FISCO-BCOS/java-sdk-demo instead.
### Configuring and running the Java SDK demo with an HSM-internal key

First, following the instructions of your HSM or crypto card vendor, generate the SM2 key that the SDK will use to sign transactions. The rest of this section assumes an SM2 signing key pair with key index 53 has been generated.

Then copy the SDK certificates into the correct directory of java-sdk-demo:

```bash
cp -r ~/fisco/nodes/127.0.0.1/sdk/* ~/fisco/java-sdk-demo/dist/conf/
```

Next, configure java-sdk-demo: copy `config-example.toml` to `config.toml` and edit it.

```bash
cd ~/fisco/java-sdk-demo/dist/
cp conf/config-example.toml conf/config.toml
vim conf/config.toml
```

Under `[cryptoMaterial]`, select the hardware cryptographic module with `cryptoProvider = "hsm"`:

```toml
cryptoProvider = "hsm" # Use hardware secure module
```

Under `[account]`, set the index of the internal key used to send transactions and the password that protects access to it. If the key has no password, set `password = ""`:

```toml
accountKeyIndex = "53"
password = "XXXXX" # The password used to load the account file or hsm internal
```

The complete configuration file looks like this:
```toml
[cryptoMaterial]
certPath = "conf" # The certification path
# The following configurations take the certPath by default if commented
# caCert = "conf/ca.crt" # CA cert file path
# If connect to the GM node, default CA cert path is ${certPath}/gm/gmca.crt
# sslCert = "conf/sdk.crt" # SSL cert file path
# If connect to the GM node, the default SDK cert path is ${certPath}/gm/gmsdk.crt
# sslKey = "conf/sdk.key" # SSL key file path
# If connect to the GM node, the default SDK privateKey path is ${certPath}/gm/gmsdk.key
# enSslCert = "conf/gm/gmensdk.crt" # GM encryption cert file path
# default load the GM SSL encryption cert from ${certPath}/gm/gmensdk.crt
# enSslKey = "conf/gm/gmensdk.key" # GM ssl cert file path
# default load the GM SSL encryption privateKey from ${certPath}/gm/gmensdk.key
cryptoProvider = "hsm" # Use hardware secure module

[network]
peers=["127.0.0.1:20200", "127.0.0.1:20201"] # The peer list to connect

# AMOP configuration
# You can use following two methods to configure as a private topic message sender or subscriber.
# Usually, the public key and private key is generated by subscriber.
# Message sender receive public key from topic subscriber then make configuration.
# But, please do not config as both the message sender and the subscriber of one private topic, or you may send the message to yourself.
# Configure a private topic as a topic message sender.
# [[amop]]
# topicName = "PrivateTopic"
# publicKeys = [ "conf/amop/consumer_public_key_1.pem" ] # Public keys of the nodes that you want to send AMOP message of this topic to.
# Configure a private topic as a topic subscriber.
# [[amop]]
# topicName = "PrivateTopic"
# privateKey = "conf/amop/consumer_private_key.p12" # Your private key that used to subscriber verification.
# password = "123456"

[account]
# keyStoreDir = "account" # The directory to load/store the account file, default is "account"
# accountFilePath = "" # The account file path (default load from the path specified by the keyStoreDir)
# accountFileFormat = "pem" # The storage format of account file (Default is "pem", "p12" as an option)
# accountAddress = "" # The transactions sending account address
# Default is a randomly generated account
# The randomly generated account is stored in the path specified by the keyStoreDir
# password = "" # The password used to load the account file
accountKeyIndex = "53" # If use hardware inner key, please config the key index and password
password = "" # If use hardware inner key, please config the key index and password

[threadPool]
# channelProcessorThreadSize = "16" # The size of the thread pool to process channel callback
# Default is the number of cpu cores
# receiptProcessorThreadSize = "16" # The size of the thread pool to process transaction receipt notification
# Default is the number of cpu cores
maxBlockingQueueSize = "102400" # The max blocking queue size of the thread pool
```
Next, configure the hardware cryptographic module according to its vendor's configuration guide, so that the Java SDK can reach it with your settings. For example, if you are using a network HSM, you need to configure its IP address, port and related settings as the vendor instructs.

Finally, run the Java SDK demo:

```bash
cd ~/fisco/java-sdk-demo/dist
# java -cp 'conf/:lib/*:apps/*' org.fisco.bcos.sdk.demo.perf.ParallelOkPerf [precompiled] [groupID] [add|transfer] [count] [tps] [file]
java -cp 'conf/:lib/*:apps/*' org.fisco.bcos.sdk.demo.perf.ParallelOkPerf precompiled 1 add 1000 100 user.txt
```
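As an added preflight check (example code written for this page, not part of FISCO-BCOS or the java-sdk-demo project), the following Python script verifies the two things the steps above depend on before the demo is launched: that `gmt0018.h` is readable in `/usr/include` and `libgmt0018.so` is readable and executable in a default library directory, and that `config.toml` selects `cryptoProvider = "hsm"` and carries both `accountKeyIndex` and `password` under `[account]`, ignoring keys that are still commented out. The embedded sample config is constructed for the example, and the function names are the example's own.

```python
import os
import re
# Constructed sample of the config.toml this page describes (not the demo's shipped file).
SAMPLE_CONFIG = """\
[cryptoMaterial]
certPath = "conf"
cryptoProvider = "hsm"   # Use hardware secure module
[account]
accountKeyIndex = "53"
password = ""
"""
_KV = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"?([^"#]*?)"?\s*(#.*)?$')  # key = "value"  # comment

def parse_sections(text):
    """Minimal TOML-subset reader: [section] tables of scalar lines; arrays like peers=[...] are skipped."""
    sections, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank or commented-out line, so '# password = ""' does not count as set
        if stripped.startswith("[") and stripped.endswith("]"):
            current = stripped.strip("[]")
            sections.setdefault(current, {})
            continue
        m = _KV.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = m.group(2).strip()
    return sections

def check_hsm_config(text):
    """Problems found in an HSM-backed SDK config (empty list means OK)."""
    cfg, problems = parse_sections(text), []
    provider = cfg.get("cryptoMaterial", {}).get("cryptoProvider")
    if provider != "hsm":
        problems.append(f"cryptoMaterial.cryptoProvider is {provider!r}, expected 'hsm'")
    account = cfg.get("account", {})
    if not account.get("accountKeyIndex", "").isdigit():
        problems.append('account.accountKeyIndex must hold the HSM key index, e.g. "53"')
    if "password" not in account:
        problems.append('account.password must be present (password = "" if the key has none)')
    return problems

def check_gmt0018_install(include_dir="/usr/include", lib_dirs=("/usr/lib", "/lib64")):
    """Header readable by this user; libgmt0018.so readable and executable in one of lib_dirs."""
    header = os.path.join(include_dir, "gmt0018.h")
    problems = [] if os.access(header, os.R_OK) else [f"{header} is missing or not readable"]
    if not any(os.access(os.path.join(d, "libgmt0018.so"), os.R_OK | os.X_OK) for d in lib_dirs):
        problems.append("libgmt0018.so with read+execute permission not found in " + ", ".join(lib_dirs))
    return problems
```

Run `check_gmt0018_install()` and `check_hsm_config(open("conf/config.toml").read())` from `~/fisco/java-sdk-demo/dist` and fix every reported problem before starting the demo.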