Developer's Guide
PKCS 11 Command Line Tool Reference Guide


Introduction

P6R's PKCS11 library comes with a command line tool that can be used to manage tokens. For example, the p6pkcs11tool can initialize a token, set its user PIN, and generate keys on a token. Below is a list of all functions the p6pkcs11tool currently provides:

    USAGE: p6pkcs11Tool [-D i|w|d|a] <options>
      -delete      delete a key on a token
      -genkey      generate a symmetric key
      -genkeypair  generate an asymmetric key pair
      -h           get detailed help
      -import      load a symmetric key
      -ip          initialize CKO_USER PIN
      -it          initialize a token
      -lc          list a token's P6R configuration information
      -list        list keys, certificates stored in a token
      -lm          list mechanisms supported by a token
      -lp          list slot identifiers defined by an attached HSM
      -ls          list defined slots with details
      -lt          list token details
      -rk          replace KMIP TLS credentials, for KMIP tokens only
      -sp          modify the CKO_USER PIN
      -test        test that a token can be accessed

For the most up to date commands and options type "p6pkcs11tool" or "p6pkcs11tool -h" on the command line to get the complete usage description.

PKCS 11 Attributes

The "-genkey", "-genkeypair", "-list", and "-import" commands often need the values of several PKCS 11 attributes. It is not practical to pass all of these attributes on the command line, so a special configuration file is associated with the p6pkcs11tool. The "p6p11templates.conf" file defines tables of PKCS 11 attributes to be used with a tool command.

The user can add the optional '-t <number>' option to the "-genkey", "-genkeypair", "-list", and "-import" commands. This option selects one of many defined template files to apply to the operation: the number given is appended to the end of the template file name. For example, '-t 5' selects the "p6p11templates5.conf" file. Note that 'number' can have the value {1..n}, with zero mapping to the default "p6p11templates.conf" file.

Here is an example of a p6p11templates.conf file.

    # Based on the type of PKCS11 objects what default attributes
    # should be set
    #
    [CKO_SECRET_KEY]
    CKA_ENCRYPT = true
    CKA_DECRYPT = true
    CKA_TOKEN = true
    CKA_PRIVATE = false

    [CKO_PRIVATE_KEY]
    CKA_SIGN = true
    CKA_TOKEN = true
    CKA_PRIVATE = true
    CKA_SENSITIVE = true
    CKA_EXTRACTABLE = false

    [CKO_PUBLIC_KEY]
    CKA_VERIFY = true
    CKA_TOKEN = true
    CKA_PRIVATE = false

    [FIND_OBJECTS]
    # CKA_TOKEN = true
    # CKA_PRIVATE = true

The "-genkey" tool command maps to the C_GenerateKey() PKCS 11 API function. The section "[CKO_SECRET_KEY]" is used to define default attributes that will be passed to the call to C_GenerateKey(). The following PKCS 11 attributes can be added to this section: CKA_ENCRYPT, CKA_DECRYPT, CKA_SIGN, CKA_VERIFY, CKA_WRAP, CKA_UNWRAP, CKA_TOKEN, CKA_PRIVATE, CKA_EXTRACTABLE, and CKA_SENSITIVE.

The "-import" tool command maps to the C_CreateObject() PKCS 11 API function. The section "[CKO_SECRET_KEY]" is used to define default attributes that will be passed to the call to C_CreateObject(). The following PKCS 11 attributes can be added to this section: CKA_ENCRYPT, CKA_DECRYPT, CKA_SIGN, CKA_VERIFY, CKA_WRAP, CKA_UNWRAP, CKA_TOKEN, CKA_PRIVATE, CKA_EXTRACTABLE, and CKA_SENSITIVE.

The "-genkeypair" tool command maps to the C_GenerateKeyPair() PKCS 11 API function. The sections "[CKO_PRIVATE_KEY]" and "[CKO_PUBLIC_KEY]" are used to define default attributes that will be passed to the call to C_GenerateKeyPair(). The following PKCS 11 attributes can be added to each of these sections: CKA_ENCRYPT, CKA_DECRYPT, CKA_SIGN, CKA_VERIFY, CKA_WRAP, CKA_UNWRAP, CKA_TOKEN, CKA_PRIVATE, CKA_EXTRACTABLE, and CKA_SENSITIVE.

The "-list" tool command maps to the C_FindObjectsInit(), C_FindObjects(), and C_FindObjectsFinal() API functions. If no attributes are defined in the "[FIND_OBJECTS]" section, information about all objects in the token is displayed to the user. Otherwise, the attributes defined in the "[FIND_OBJECTS]" section narrow the returned results. For example, if the attribute "CKA_CLASS = CKO_PRIVATE_KEY" is added, only information about private key objects is displayed to the user. The following PKCS 11 attributes can be added to this section: CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_ENCRYPT, CKA_DECRYPT, CKA_SIGN, CKA_VERIFY, CKA_WRAP, CKA_UNWRAP, CKA_EXTRACTABLE, and CKA_SENSITIVE.
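As an added example (not P6R's own code), the following Python reads a file in the p6p11templates.conf layout described above into per-section attribute templates, and checks that the "[CKO_SECRET_KEY]" and "[CKO_PRIVATE_KEY]" sections pin CKA_SENSITIVE and CKA_EXTRACTABLE before such a template reaches C_GenerateKey() or C_CreateObject(); the sample file contents and the rule set are constructed for this example.

```python
import configparser

# Constructed sample in the p6p11templates.conf layout described above.
SAMPLE_CONF = """\
[CKO_SECRET_KEY]
CKA_ENCRYPT = true
CKA_DECRYPT = true
CKA_TOKEN = true
CKA_PRIVATE = false
[CKO_PRIVATE_KEY]
CKA_SIGN = true
CKA_TOKEN = true
CKA_PRIVATE = true
CKA_SENSITIVE = true
CKA_EXTRACTABLE = true
[FIND_OBJECTS]
CKA_CLASS = CKO_PRIVATE_KEY
"""


def load_templates(text):
    """Parse the INI-like template file into {section: {CKA_name: value}}."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep CKA_* attribute names case-sensitive
    cp.read_string(text)
    templates = {}
    for section in cp.sections():
        attrs = {}
        for name, raw in cp.items(section):
            value = raw.strip()
            # true/false become bools; CKO_* constants (CKA_CLASS) stay strings
            attrs[name] = value.lower() == "true" if value.lower() in ("true", "false") else value
        templates[section] = attrs
    return templates


def lint_key_protection(templates):
    """Flag key sections whose template lets key material leave the token.
    Unset attributes are flagged too: the token's own default then applies.
    Constructed rule set for this example, not part of the P6R tool."""
    findings = []
    for section in ("CKO_SECRET_KEY", "CKO_PRIVATE_KEY"):
        attrs = templates.get(section, {})
        if attrs.get("CKA_EXTRACTABLE") is not False:
            findings.append(f"{section}: CKA_EXTRACTABLE should be false")
        if attrs.get("CKA_SENSITIVE") is not True:
            findings.append(f"{section}: CKA_SENSITIVE should be true")
    return findings
```

Running the check against the constructed sample reports three findings: the secret-key section leaves both attributes unset and the private-key section marks the key extractable.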