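Using the Hardware Security Module-based Java SDK

Preparing the environment

Make sure the header file and library file that conform to the GMT0018-2012 specification are installed in the default search paths for dynamic libraries.

  1. Make sure the header file gmt0018.h is in the /usr/include directory and that all users have read permission on it.

  2. Place the library file libgmt0018.so in the default library search path and make sure users have read and execute permission on it. For example, place it in /usr/lib on Ubuntu, or in /lib64 on CentOS.

Using the Java SDK Demo with a hardware cryptographic module

Downloading the Java SDK Demo

First, download and build the Java SDK Demo.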

mkdir ~/fisco
cd ~/fisco
# Download the source code
git clone https://github.com/FISCO-BCOS/java-sdk-demo -b release-2.8.0
cd java-sdk-demo
# Build the source code
./gradlew build -b build-hsm.gradle

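Note

If GitHub is not reachable from your network, download the source code from the main-2.0 branch of https://gitee.com/FISCO-BCOS/java-sdk-demo.

Configuring and running the Java SDK Demo with a key held inside the HSM

First, follow the instructions from your HSM or cryptographic card vendor to generate the SM2 key that the SDK will use to sign transactions. The rest of this section assumes an SM2 signing key pair has been generated at key index 53.

Then copy the SDK certificates into the correct directory of java-sdk-demo.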

cp -r ~/fisco/nodes/127.0.0.1/sdk/* ~/fisco/java-sdk-demo/dist/conf/

Next, configure java-sdk-demo: copy config-example.toml to config.toml and edit the configuration.

cd ~/fisco/java-sdk-demo/dist/
cp conf/config-example.toml conf/config.toml
vim conf/config.toml

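Under [cryptoMaterial], select the hardware cryptographic module by setting cryptoProvider = "hsm":

cryptoProvider = "hsm"                      # Use hardware secure module

Under [account], specify the index of the internal key used to send transactions and the password for accessing that key. If the key has no password, set password = "".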

accountKeyIndex = "53"
password = "XXXXX"                 # The password used to load the account file or hsm internal 

The complete configuration file is as follows:

[cryptoMaterial]
certPath = "conf"                           # The certification path

# The following configurations take the certPath by default if commented
# caCert = "conf/ca.crt"                    # CA cert file path
# If connect to the GM node, default CA cert path is ${certPath}/gm/gmca.crt

# sslCert = "conf/sdk.crt"                  # SSL cert file path
# If connect to the GM node, the default SDK cert path is ${certPath}/gm/gmsdk.crt

# sslKey = "conf/sdk.key"                   # SSL key file path
# If connect to the GM node, the default SDK privateKey path is ${certPath}/gm/gmsdk.key

# enSslCert = "conf/gm/gmensdk.crt"         # GM encryption cert file path
# default load the GM SSL encryption cert from ${certPath}/gm/gmensdk.crt

# enSslKey = "conf/gm/gmensdk.key"          # GM encryption key file path
# default load the GM SSL encryption privateKey from ${certPath}/gm/gmensdk.key
cryptoProvider = "hsm"                      # Use hardware secure module

[network]
peers=["127.0.0.1:20200", "127.0.0.1:20201"]    # The peer list to connect

# AMOP configuration
# You can use following two methods to configure as a private topic message sender or subscriber.
# Usually, the public key and private key is generated by subscriber.
# Message sender receive public key from topic subscriber then make configuration.
# But, please do not config as both the message sender and the subscriber of one private topic, or you may send the message to yourself.

# Configure a private topic as a topic message sender.
# [[amop]]
# topicName = "PrivateTopic"
# publicKeys = [ "conf/amop/consumer_public_key_1.pem" ]    # Public keys of the nodes that you want to send AMOP message of this topic to.

# Configure a private topic as a topic subscriber.
# [[amop]]
# topicName = "PrivateTopic"
# privateKey = "conf/amop/consumer_private_key.p12"         # Your private key that used to subscriber verification.
# password = "123456"

[account]
# keyStoreDir = "account"         # The directory to load/store the account file, default is "account"
# accountFilePath = ""          # The account file path (default load from the path specified by the keyStoreDir)
# accountFileFormat = "pem"       # The storage format of account file (Default is "pem", "p12" as an option)

# accountAddress = ""           # The transactions sending account address
# Default is a randomly generated account
# The randomly generated account is stored in the path specified by the keyStoreDir

# password = ""                 # The password used to load the account file
accountKeyIndex = "53"           # If use hardware inner key, please config the key index and password
password = ""                    # If use hardware inner key, please config the key index and password

[threadPool]
# channelProcessorThreadSize = "16"         # The size of the thread pool to process channel callback
# Default is the number of cpu cores

# receiptProcessorThreadSize = "16"         # The size of the thread pool to process transaction receipt notification
# Default is the number of cpu cores

maxBlockingQueueSize = "102400"             # The max blocking queue size of the thread pool

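Next, follow the configuration guide from your hardware cryptographic module vendor to set up the device, and make sure the Java SDK can reach it with your configuration. For example, if you use a network HSM, configure its IP address, port and related settings as the vendor instructs.

Finally, run the Java SDK Demo: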

cd ~/fisco/java-sdk-demo/dist
# java -cp 'conf/:lib/*:apps/*' org.fisco.bcos.sdk.demo.perf.ParallelOkPerf [precompiled] [groupID] [add|transfer] [count] [tps] [file]
java -cp 'conf/:lib/*:apps/*' org.fisco.bcos.sdk.demo.perf.ParallelOkPerf precompiled 1 add 1000 100 user.txt
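
A pre-flight check for the setup steps above, as an added example that is not part of the FISCO BCOS project: it verifies the permissions on gmt0018.h and libgmt0018.so and confirms that config.toml selects the HSM with an internal key index. The function names, the default Ubuntu paths, the use of the "other" permission bits as a proxy for "all users", and the world-readable password warning are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for the HSM setup on this page (POSIX sh compatible).
# Function names are hypothetical; default paths assume the Ubuntu layout.

# mode_of FILE: print octal permission bits, following symlinks (GNU stat, BSD fallback)
mode_of() { stat -L -c '%a' "$1" 2>/dev/null || stat -L -f '%Lp' "$1"; }

# check_perm FILE MASK: succeed if FILE exists and its "other" digit has all MASK bits
check_perm() {
  [ -f "$1" ] || return 1
  _m=$(mode_of "$1") || return 1
  _last=${_m#"${_m%?}"}
  [ $(( _last & $2 )) -eq "$2" ]
}

# toml_value FILE SECTION KEY: print the first uncommented KEY = "..." inside [SECTION]
toml_value() {
  awk -v sec="[$2]" -v key="$3" '
    /^[ \t]*\[/ { sub(/#.*/, ""); gsub(/[ \t]/, ""); insec = ($0 == sec); next }
    insec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
      if (match($0, /"[^"]*"/)) { print substr($0, RSTART + 1, RLENGTH - 2); exit }
    }' "$1"
}

# check_hsm_config FILE: 0 = ok, 1 = HSM not configured, 2 = ok but password exposed
check_hsm_config() {
  _provider=$(toml_value "$1" cryptoMaterial cryptoProvider)
  _index=$(toml_value "$1" account accountKeyIndex)
  [ "$_provider" = "hsm" ] || { echo "cryptoProvider is '$_provider', expected 'hsm'"; return 1; }
  case "$_index" in
    ''|*[!0-9]*) echo "accountKeyIndex missing or not numeric"; return 1 ;;  # numeric: assumption
  esac
  # Assumption (not from the page): a non-empty HSM password should not sit in a world-readable file.
  if [ -n "$(toml_value "$1" account password)" ] && check_perm "$1" 4; then
    echo "warning: password is set and $1 is readable by all users"; return 2
  fi
}

# preflight [CONFIG] [HEADER] [LIB]: run every check, return 1 if any fails or warns
preflight() {
  _rc=0
  check_perm "${2:-/usr/include/gmt0018.h}" 4 || { echo "header missing or not world-readable"; _rc=1; }
  check_perm "${3:-/usr/lib/libgmt0018.so}" 5 || { echo "library missing or lacks r-x for users"; _rc=1; }
  check_hsm_config "${1:-$HOME/fisco/java-sdk-demo/dist/conf/config.toml}" || _rc=1
  return "$_rc"
}

if [ "${1:-}" = "--run" ]; then preflight; fi
```

Run the script with `--run` to check the default paths; on CentOS, call `preflight` with `/lib64/libgmt0018.so` as the third argument.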