P6R's PKCS11 library comes with a command line tool that can be used to manage tokens. For example, the p6pkcs11tool can initialize a token, set its user PIN, and generate keys on a token. Below is a list of all currently provided functions the p6pkcs11tool can perform:
For the most up-to-date commands and options, type "p6pkcs11tool" or "p6pkcs11tool -h" on the command line to get the complete usage description.
The "-genkey", "-genkeypair", "-list", and "-import" commands will often need to specify the value of several PKCS 11 attributes. It is not possible to supply all of these attributes on the command line, so a special configuration file is associated with our p6pkcs11tool. The "p6p11templates.conf" file defines tables of PKCS 11 attributes to be used with a tool command.
The user can add the optional '-t <number>' option to the "-genkey", "-genkeypair", "-list", and "-import" commands. This option allows the user to select one of many defined template files to apply to the operation. For example, '-t 5' selects the "p11templates5.conf" file. Thus the number specified as part of the '-t' option is appended to the end of the file name to select a template file. Note that 'number' can have the value {1..n}, where zero maps to the default "p6p11templates.conf" file.
Here is an example of a p6p11templates.conf file.
The "-genkey" tool command maps to the C_GenerateKey() PKCS 11 API function. The section "[CKO_SECRET_KEY]" is used to define default attributes that will be passed to the call to C_GenerateKey(). The following PKCS 11 attributes can be added to this section: CKA_ENCRYPT, CKA_DECRYPT, CKA_SIGN, CKA_VERIFY, CKA_WRAP, CKA_UNWRAP, CKA_TOKEN, CKA_PRIVATE, CKA_EXTRACTABLE, and CKA_SENSITIVE.
The "-import" tool command maps to the C_CreateObject() PKCS 11 API function. The section "[CKO_SECRET_KEY]" is used to define default attributes that will be passed to the call to C_CreateObject(). The following PKCS 11 attributes can be added to this section: CKA_ENCRYPT, CKA_DECRYPT, CKA_SIGN, CKA_VERIFY, CKA_WRAP, CKA_UNWRAP, CKA_TOKEN, CKA_PRIVATE, CKA_EXTRACTABLE, and CKA_SENSITIVE.
The "-genkeypair" tool command maps to the C_GenerateKeyPair() PKCS 11 API function. The sections "[CKO_PRIVATE_KEY]" and "[CKO_PUBLIC_KEY]" are used to define default attributes that will be passed to the call to C_GenerateKeyPair(). The following PKCS 11 attributes can be added to each of these sections: CKA_ENCRYPT, CKA_DECRYPT, CKA_SIGN, CKA_VERIFY, CKA_WRAP, CKA_UNWRAP, CKA_TOKEN, CKA_PRIVATE, CKA_EXTRACTABLE, and CKA_SENSITIVE.
The "-list" tool command maps to the C_FindObjectsInit(), C_FindObjects(), and C_FindObjectsFinal() API functions. If no attributes are defined in the "[FIND_OBJECTS]" section, then information about all objects in the token is displayed to the user. Otherwise, any attributes defined in the "[FIND_OBJECTS]" section can be used to narrow the returned results. For example, if the attribute "CKA_CLASS = CKO_PRIVATE_KEY" is added, then only information about private key objects would be displayed to the user. The following PKCS 11 attributes can be added to this section: CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_ENCRYPT, CKA_DECRYPT, CKA_SIGN, CKA_VERIFY, CKA_WRAP, CKA_UNWRAP, CKA_EXTRACTABLE, and CKA_SENSITIVE.
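The following Python script is an added example, not part of P6R's documentation or tooling. It lints a template file before it is used with "-genkey", "-genkeypair" or "-import": it checks each section against the attribute lists given above and flags secret or private key defaults that weaken key protection. It assumes the INI-style layout implied by the bracketed section names and the "CKA_CLASS = CKO_PRIVATE_KEY" line, and assumes boolean values are spelled CK_TRUE/CK_FALSE, TRUE/FALSE or 1/0; the sample template is constructed.

```python
import configparser

# Attributes this page lists for the key sections; [FIND_OBJECTS] also takes CKA_CLASS.
KEY_ATTRS = {"CKA_ENCRYPT", "CKA_DECRYPT", "CKA_SIGN", "CKA_VERIFY", "CKA_WRAP",
             "CKA_UNWRAP", "CKA_TOKEN", "CKA_PRIVATE", "CKA_EXTRACTABLE", "CKA_SENSITIVE"}
ALLOWED = {"CKO_SECRET_KEY": KEY_ATTRS, "CKO_PRIVATE_KEY": KEY_ATTRS,
           "CKO_PUBLIC_KEY": KEY_ATTRS, "FIND_OBJECTS": KEY_ATTRS | {"CKA_CLASS"}}
# Assumption: boolean spellings; the page does not show the value syntax.
TRUE, FALSE = {"CK_TRUE", "TRUE", "1"}, {"CK_FALSE", "FALSE", "0"}
# Values that let key material be read, wrapped out, or seen without login.
RISKY = {"CKA_EXTRACTABLE": True, "CKA_SENSITIVE": False, "CKA_PRIVATE": False}
PROTECTED = ("CKO_SECRET_KEY", "CKO_PRIVATE_KEY")

SAMPLE = """# constructed sample, not P6R's shipped template
[CKO_SECRET_KEY]
CKA_SENSITIVE = CK_FALSE
CKA_EXTRACTABLE = CK_TRUE
[CKO_PRIVATE_KEY]
CKA_SIGN = CK_TRUE
CKA_CLASS = CKO_PRIVATE_KEY
[CKO_PUBLIC_KEY]
CKA_VERIFY = yes
[FIND_OBJECTS]
CKA_CLASS = CKO_PRIVATE_KEY
"""

def lint_template(text):
    """Return a sorted list of (section, attribute, problem) findings."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep attribute names case-sensitive
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if section not in ALLOWED:
            findings.append((section, "", "unknown section"))
            continue
        for attr, raw in cp[section].items():
            value = raw.strip().upper()
            if attr not in ALLOWED[section]:
                findings.append((section, attr, "attribute not listed for this section"))
            elif attr == "CKA_CLASS":
                continue  # holds an object class name, not a boolean
            elif value not in TRUE | FALSE:
                findings.append((section, attr, "not a boolean"))
            elif section in PROTECTED and RISKY.get(attr) == (value in TRUE):
                findings.append((section, attr, "weakens key protection"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in lint_template(SAMPLE):
        print(finding)
```

Running the check on every numbered template file selected with '-t' catches a weak default before it is applied to each key the tool creates from that template.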