本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# 使用 CloudHSM CLI 篩選金鑰
使用下列主要命令,將標準化金鑰篩選機制用於 [CloudHSM CLI](cloudhsm_cli.md)。
+ **key list**
+ **key delete**
+ **key share**
+ **key unshare**
+ **key set-attribute**
若要使用 CloudHSM CLI 選取和/或篩選金鑰,主要命令會根據 [CloudHSM CLI 的金鑰屬性](cloudhsm_cli-key-attributes.md) 使用標準化篩選機制。您可以使用可以識別單一金鑰或多個金鑰的一或多個 AWS CloudHSM 屬性,在金鑰命令中指定金鑰或一組金鑰。金鑰篩選機制只會在目前登入使用者擁有和共用的金鑰,以及 AWS CloudHSM 叢集中的所有公有金鑰上運作。
**Topics**
+ [要求](#chsm-cli-filtering-requirements)
+ [篩選以尋找單一金鑰](#chsm-cli-filtering-examples)
+ [篩選錯誤](#manage-keys-chsm-cli-filter-error)
+ [相關主題](#manage-keys-chsm-cli-filtering-seealso)
## 要求
若要篩選金鑰,您必須以加密使用者 (CU) 的身分登入。
## 篩選以尋找單一金鑰
請注意,在下面的範例中,用作篩選條件的每個屬性都必須以 `attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE` 的形式寫入。例如,如果您想透過標籤屬性進行篩選,您會寫入 `attr.label=my_label`。
**Example 使用單個屬性來尋找單一金鑰**
此範例示範如何篩選為僅使用單一識別屬性的單一唯一金鑰。
```
aws-cloudhsm > key list --filter attr.label="my_unique_key_label" --verbose
{
"error_code": 0,
"data": {
"matched_keys": [
{
"key-reference": "0x00000000001c0686",
"key-info": {
"key-owners": [
{
"username": "cu1",
"key-coverage": "full"
}
],
"shared-users": [
{
"username": "alice",
"key-coverage": "full"
}
],
"key-quorum-values": {
"manage-key-quorum-value": 0,
"use-key-quorum-value": 0
},
"cluster-coverage": "full"
},
"attributes": {
"key-type": "rsa",
"label": "my_unique_key_label",
"id": "",
"check-value": "0xae8ff0",
"class": "private-key",
"encrypt": false,
"decrypt": true,
"token": true,
"always-sensitive": true,
"derive": false,
"destroyable": true,
"extractable": true,
"local": true,
"modifiable": true,
"never-extractable": false,
"private": true,
"sensitive": true,
"sign": true,
"trusted": false,
"unwrap": true,
"verify": false,
"wrap": false,
"wrap-with-trusted": false,
"key-length-bytes": 1219,
"public-exponent": "0x010001",
"modulus": "0xa8855cba933cec0c21a4df0450ec31675c024f3e65b2b215a53d2bda6dcd191f75729150b59b4d86df58254c8f518f7d000cc04d8e958e7502c7c33098e28da4d94378ef34fb57d1cc7e042d9119bd79be0df728421a980a397095157da24cf3cc2b6dab12225d33fdca11f0c6ed1a5127f12488cda9a556814b39b06cd8373ff5d371db2212887853621b8510faa7b0779fbdec447e1f1d19f343acb02b22526487a31f6c704f8f003cb4f7013136f90cc17c2c20e414dc1fc7bcfb392d59c767900319679fc3307388633485657ce2e1a3deab0f985b0747ef4ed339de78147d1985d14fdd8634219321e49e3f5715e79c298f18658504bab04086bfbdcd3b",
"modulus-size-bits": 2048
}
}
],
"total_key_count": 1,
"returned_key_count": 1
}
}
```
**Example 使用多個屬性尋找單一金鑰**
以下範例示範如何使用多個金鑰屬性尋找單一金鑰。
```
aws-cloudhsm > key list --filter attr.key-type=rsa attr.class=private-key attr.check-value=0x29bbd1 --verbose
{
"error_code": 0,
"data": {
"matched_keys": [
{
"key-reference": "0x0000000000540011",
"key-info": {
"key-owners": [
{
"username": "cu3",
"key-coverage": "full"
}
],
"shared-users": [
{
"username": "cu2",
"key-coverage": "full"
}
],
"key-quorum-values": {
"manage-key-quorum-value": 0,
"use-key-quorum-value": 0
},
"cluster-coverage": "full"
},
"attributes": {
"key-type": "rsa",
"label": "my_crypto_user",
"id": "",
"check-value": "0x29bbd1",
"class": "my_test_key",
"encrypt": false,
"decrypt": true,
"token": true,
"always-sensitive": true,
"derive": false,
"destroyable": true,
"extractable": true,
"local": true,
"modifiable": true,
"never-extractable": false,
"private": true,
"sensitive": true,
"sign": true,
"trusted": false,
"unwrap": true,
"verify": false,
"wrap": false,
"wrap-with-trusted": false,
"key-length-bytes": 1217,
"public-exponent": "0x010001",
"modulus": "0x8b3a7c20618e8be08220ed8ab2c8550b65fc1aad8d4cf04fbf2be685f97eeb78fcbbad9b02cd91a3b15e990c2a7c7cdeff0b730576c6c5630a8509a778a96acbc7c36931e9a86e8956fbd07f0863404ce06c8bd68256784be9f5b258a35e229ce7f630228b9323b4e1f14a0384ead90bdf07dc762f710fc5663887d0787ad98d64bbe303134f545acb2ab194fee6edaecd4dd5cf31ff7f7491e37d7a850ab23247414b42d9abdd5de89b78fd464560df29a90607e9d462f21b22365da419021fb9f28ea7e6fdb1f40bf83aaf1636fba5e475ad19889cfe3f28186a969b4826c39466c0855c974d1fb723d111e4a32ab6e32b3129bc95c9206fced160015d8b2f",
"modulus-size-bits": 2048
}
}
],
"total_key_count": 1,
"returned_key_count": 1
}
}
```
**Example 篩選以尋找一組金鑰**
以下範例示範如何篩選以尋找一組私有 rsa 金鑰。
```
aws-cloudhsm > key list --filter attr.key-type=rsa attr.class=private-key --verbose
{
"error_code": 0,
"data": {
"matched_keys": [
{
"key-reference": "0x00000000001c0686",
"key-info": {
"key-owners": [
{
"username": "my_crypto_user",
"key-coverage": "full"
}
],
"shared-users": [
{
"username": "cu2",
"key-coverage": "full"
},
{
"username": "cu1",
"key-coverage": "full"
},
],
"key-quorum-values": {
"manage-key-quorum-value": 0,
"use-key-quorum-value": 0
},
"cluster-coverage": "full"
},
"attributes": {
"key-type": "rsa",
"label": "rsa_key_to_share",
"id": "",
"check-value": "0xae8ff0",
"class": "private-key",
"encrypt": false,
"decrypt": true,
"token": true,
"always-sensitive": true,
"derive": false,
"destroyable": true,
"extractable": true,
"local": true,
"modifiable": true,
"never-extractable": false,
"private": true,
"sensitive": true,
"sign": true,
"trusted": false,
"unwrap": true,
"verify": false,
"wrap": false,
"wrap-with-trusted": false,
"key-length-bytes": 1219,
"public-exponent": "0x010001",
"modulus": "0xa8855cba933cec0c21a4df0450ec31675c024f3e65b2b215a53d2bda6dcd191f75729150b59b4d86df58254c8f518f7d000cc04d8e958e7502c7c33098e28da4d94378ef34fb57d1cc7e042d9119bd79be0df728421a980a397095157da24cf3cc2b6dab12225d33fdca11f0c6ed1a5127f12488cda9a556814b39b06cd8373ff5d371db2212887853621b8510faa7b0779fbdec447e1f1d19f343acb02b22526487a31f6c704f8f003cb4f7013136f90cc17c2c20e414dc1fc7bcfb392d59c767900319679fc3307388633485657ce2e1a3deab0f985b0747ef4ed339de78147d1985d14fdd8634219321e49e3f5715e79c298f18658504bab04086bfbdcd3b",
"modulus-size-bits": 2048
}
},
{
"key-reference": "0x0000000000540011",
"key-info": {
"key-owners": [
{
"username": "my_crypto_user",
"key-coverage": "full"
}
],
"shared-users": [
{
"username": "cu2",
"key-coverage": "full"
}
],
"key-quorum-values": {
"manage-key-quorum-value": 0,
"use-key-quorum-value": 0
},
"cluster-coverage": "full"
},
"attributes": {
"key-type": "rsa",
"label": "my_test_key",
"id": "",
"check-value": "0x29bbd1",
"class": "private-key",
"encrypt": false,
"decrypt": true,
"token": true,
"always-sensitive": true,
"derive": false,
"destroyable": true,
"extractable": true,
"local": true,
"modifiable": true,
"never-extractable": false,
"private": true,
"sensitive": true,
"sign": true,
"trusted": false,
"unwrap": true,
"verify": false,
"wrap": false,
"wrap-with-trusted": false,
"key-length-bytes": 1217,
"public-exponent": "0x010001",
"modulus": "0x8b3a7c20618e8be08220ed8ab2c8550b65fc1aad8d4cf04fbf2be685f97eeb78fcbbad9b02cd91a3b15e990c2a7c7cdeff0b730576c6c5630a8509a778a96acbc7c36931e9a86e8956fbd07f0863404ce06c8bd68256784be9f5b258a35e229ce7f630228b9323b4e1f14a0384ead90bdf07dc762f710fc5663887d0787ad98d64bbe303134f545acb2ab194fee6edaecd4dd5cf31ff7f7491e37d7a850ab23247414b42d9abdd5de89b78fd464560df29a90607e9d462f21b22365da419021fb9f28ea7e6fdb1f40bf83aaf1636fba5e475ad19889cfe3f28186a969b4826c39466c0855c974d1fb723d111e4a32ab6e32b3129bc95c9206fced160015d8b2f",
"modulus-size-bits": 2048
}
}
],
"total_key_count": 2,
"returned_key_count": 2
}
}
```
## 篩選錯誤
某些金鑰作業一次只能在單一金鑰上執行。對於這些操作,CloudHSM CLI 會在篩選條件未充分細化且多個金鑰符合準則時報錯。一個此類範例與金鑰刪除如下所示。
**Example 匹配太多金鑰時篩選錯誤**
```
aws-cloudhsm > key delete --filter attr.key-type=rsa
{
"error_code": 1,
"data": "Key selection criteria matched 48 keys. Refine selection criteria to select a single key."
}
```
## 相關主題
+ [CloudHSM CLI 的金鑰屬性](cloudhsm_cli-key-attributes.md)