Closed maxchev closed 9 months ago
I believe it is because the keys that are generated are not persistent. You will have to set the KeyAttribute.Token to true in the KeyAttributesMap.
Hi @maxchev !
This error occurs when the HSM contains multiple keys (session or token) that have the same label property. The JCE KeyStore only allows a single key to be returned. If we detect multiple keys, we throw the exception.
You can use our SDK5 CLI to find these keys: https://docs.aws.amazon.com/cloudhsm/latest/userguide/cloudhsm_cli-key-list.html.
To fix this error, we recommend assigning each key a unique label using the set-attribute command: https://docs.aws.amazon.com/cloudhsm/latest/userguide/cloudhsm_cli-key-set-attribute.html
Hi @rday,
I can only see the key reference using the CLI command, but I want to get the key using the key reference/handle. So is there any way to get the key reference or handle after key generation using the JCE?
Thanks
Regards, Zeeshan
Thanks
As of SDK version 5.12 this is possible by using KeyStoreWithAttributes with a KeyReferenceSpec. See the sample here: https://github.com/aws-samples/aws-cloudhsm-jce-examples/blob/sdk5/src/main/java/com/amazonaws/cloudhsm/examples/KeyStoreExampleRunner.java#L297-L315.
@kladd, thanks for the reply, but I have already seen this example to retrieve the key using the key reference. I need that reference at the time of key generation, so that later on I can get the key using that key reference/handle.
@zeeshan-abid, my mistake. In that case the CLI is the only way to retrieve the key reference right now. The JCE SDK does not have a method to retrieve it.
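The two answers above (unique labels per key, and lookup through KeyStoreWithAttributes) put together as an added example; this is not code from the issue thread or from the aws-cloudhsm-jce-examples project. It assumes the CloudHSM SDK5 JCE provider is installed and configured, and that the class names CloudHsmProvider, KeyStoreWithAttributes, KeyAttribute and KeyAttributesMap match the SDK5 samples linked above; the getKey(KeyAttributesMap) overload and the label value "aesAlias-<timestamp>" are assumptions. It generates a persistent (token) AES key under a label that is checked for uniqueness first, then reopens a fresh KeyStore and retrieves the key by alias and by attribute lookup, catching the UnrecoverableKeyException the thread reports so the duplicate-label condition is reported rather than crashing the caller. Consistent with kladd's reply, it does not obtain the key reference at generation time.

```java
// Added example, not part of the issue thread or the aws-cloudhsm-jce-examples project.
// Assumed SDK5 class names; see the lead-in for what is assumed.
import com.amazonaws.cloudhsm.jce.provider.CloudHsmProvider;
import com.amazonaws.cloudhsm.jce.provider.KeyStoreWithAttributes;
import com.amazonaws.cloudhsm.jce.provider.attributes.KeyAttribute;
import com.amazonaws.cloudhsm.jce.provider.attributes.KeyAttributesMap;

import java.security.Key;
import java.security.KeyStore;
import java.security.Security;
import java.security.UnrecoverableKeyException;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class UniqueLabelAesKeyExample {

    /** Generate a persistent AES-256 key in the HSM under the given label. */
    static SecretKey generateTokenAesKey(String label) throws Exception {
        KeyAttributesMap spec = new KeyAttributesMap();
        spec.put(KeyAttribute.LABEL, label);
        spec.put(KeyAttribute.SIZE, 256);
        spec.put(KeyAttribute.TOKEN, true);        // persist beyond this session (the point made in the first comment)
        spec.put(KeyAttribute.EXTRACTABLE, false); // key material stays inside the HSM
        KeyGenerator keyGen = KeyGenerator.getInstance("AES", CloudHsmProvider.PROVIDER_NAME);
        keyGen.init(spec);
        return keyGen.generateKey();
    }

    /** Open a brand-new KeyStore and fetch the key by alias, reporting the duplicate-label case. */
    static Key retrieveByAlias(String label) throws Exception {
        KeyStore fresh = KeyStore.getInstance(CloudHsmProvider.PROVIDER_NAME);
        fresh.load(null, null);
        try {
            return fresh.getKey(label, null); // CloudHSM keys have no per-key password
        } catch (UnrecoverableKeyException e) {
            // This is the error from the thread: more than one HSM key carries this label.
            // Remedy from rday's answer: list keys with the SDK5 CLI and give each a unique
            // label with the key set-attribute command, then retry.
            System.err.println("Ambiguous alias '" + label + "': " + e.getMessage());
            return null;
        }
    }

    /** Same lookup by attribute map via KeyStoreWithAttributes (assumed getKey(KeyAttributesMap) overload). */
    static Key retrieveByAttributes(String label) throws Exception {
        KeyStoreWithAttributes store = KeyStoreWithAttributes.getInstance(CloudHsmProvider.PROVIDER_NAME);
        store.load(null, null);
        KeyAttributesMap query = new KeyAttributesMap();
        query.put(KeyAttribute.LABEL, label);
        return store.getKey(query);
    }

    public static void main(String[] args) throws Exception {
        if (Security.getProvider(CloudHsmProvider.PROVIDER_NAME) == null) {
            Security.addProvider(new CloudHsmProvider());
        }

        // Hypothetical unique label; re-running the generation step with a fixed label such as
        // "aesAlias" is exactly what creates a second key with the same label.
        String label = "aesAlias-" + System.currentTimeMillis();

        KeyStore keyStore = KeyStore.getInstance(CloudHsmProvider.PROVIDER_NAME);
        keyStore.load(null, null);
        if (keyStore.containsAlias(label)) {
            throw new IllegalStateException("Refusing to create a second key labelled " + label);
        }

        SecretKey generated = generateTokenAesKey(label);
        System.out.println("Generated " + generated.getAlgorithm() + " key under label " + label);

        Key byAlias = retrieveByAlias(label);
        Key byAttrs = retrieveByAttributes(label);
        System.out.println("Retrieved by alias: " + (byAlias != null)
                + ", by attributes: " + (byAttrs != null));
    }
}
```

Run it once per label; the containsAlias guard is what keeps a second run from recreating the "KeyStore should return only one key for the provided alias" condition. Keys already duplicated on the HSM still have to be relabelled from the CLI as rday describes, since the JCE KeyStore has no way to pick one of several keys that share a label.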
Hi, I am using the examples in here to try to see if CloudHSM makes sense for me. Starting with a simple use case, I simply want to be able to store an AES key in a key store and retrieve it.
I obviously want to cipher / decipher, but I am facing an issue before that.
After initial keystore and key creation, I reload a brand new keystore and want to use that one to "prove" I can retrieve a previously stored key.
I am able to see the alias I just created, but when I try to "getKey()", I am getting this error:
Exception in thread "main" java.security.UnrecoverableKeyException: KeyStore should return only one key for the provided alias aesAlias
Any idea what I am doing wrong?
Note: in order for the code to run I had to add the VM arg as suggested here.